- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

-

-

-After you add these records at 123-reg.co.uk, your domain will be set up to work with Microsoft services.

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-

-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.

-

-

-

-4. On the Manage your DNS page, select the **Advanced DNS** tab.

-

-

-5. In the **Type** box for the new record choose **TXT/SPF** from the drop-down list, and then type or copy and paste the other values from the following table.

- ||||

- |:--|:--|:--|

- |**Hostname** <br/> |**Type** <br/> |**Destination TXT/SPF** <br/> |

- |@ <br/> |TXT/SPF <br/> |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |

-

-

-

-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-2. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-4. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- |**Hostname**|**Type**|**Priority**|**Destination MX**|

- |:--|:--|:--|:--|

- |@ <br/> |MX <br/> |1 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/> | *\<domain-key\>* .mail.protection.outlook.com. <br/> **This value MUST end with a period (.)** <br/> **Note:** Get your \<domain-key\> from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |

-

-2. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-4. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- |**Hostname**|**Type**|**Destination CNAME**|

- |:--|:--|:--|

- |autodiscover <br/> |CNAME <br/> |autodiscover.outlook.com. <br/> **This value MUST end with a period (.)** <br/> |

-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsfot. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values. Need examples? Check out these [External Domain Name System records for Microsoft](../../enterprise/external-domain-name-system-records.md). To validate your SPF record, you can use one of these [SPF validation tools](../setup/domains-faq.yml).

-

-2. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-4. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- |**Hostname**|**Type**|**Destination TXT/SPF**|

- |:--|:--|:--|

- |@ <br/> |TXT/SPF <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |

-

-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.

-2. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-4. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- ||||||

- |:--|:--|:--|:--|:--|

- |**Hostname**|**Type**|**Priority**|**TTL**|**Destination SRV**|

- |_sip._tls|SRV|100|3600|1 443 sipdir.online.lync.com. **This value MUST end with a period (.)**<br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |

- |_sipfederationtls._tcp|SRV|100|3600|1 5061 sipfed.online.lync.com. **This value MUST end with a period (.)** <br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-### Add the two required CNAME records

-1. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-1. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- | **Hostname** |**Type**|**Destination CNAME**|

- |:--|:--|:--|

- |sip <br/>|CNAME <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |

- |lyncdiscover <br/>|CNAME <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs two CNAME records so that users can enroll devices to the service.

-### Add the two required CNAME records

-1. On the Domain name overview page, select the name of the domain that you want to edit.

-

-

-1. On the Manage your DNS page, select the **Advanced DNS** tab.

-

- | **Hostname**|**Type**|**Destination CNAME**|

- |:--|:--|:--|

- | enterpriseregistration <br/> | CNAME <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |

- |enterpriseenrollment <br/> | CNAME <br/> |enterpriseenrollment.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/> |

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

-

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-

-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.

-

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

-1. Select **Manage DNS**.

- > The quotation marks required by the onscreen instructions are supplied automatically. You don't need to type them manually.

-

- ||||||

- |**Record name** <br/> |**Record type** <br/> |**Value** <br/> |**TTL (Seconds)** <br/> |**Routing policy** <br/> |

- |(Leave this field empty.) <br/> |TXT - Used to verify email senders <br/> |MS=ms *XXXXXXXX* <br/>**Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table in Microsoft 365. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |300 <br/> |Simple <br/> |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

-1. Select **Manage DNS**.

- :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Select Create record.":::

-1. In the boxes for the new record, type or copy and paste the values from the following table.

- (Choose the **Type** and **Routing policy** values from the drop-down lists.)

- > The quotation marks required by the onscreen instructions are supplied automatically. You don't need to type them manually.

- |**Record name**|**Record type**|**Value**|**TTL (Seconds)**|**Routing policy**|

- |(Leave this field empty.) <br/> |MX - Specifies mail servers <br/> |0 *\<domain-key\>* .mail.protection.outlook.com. <br/> The 0 is the MX priority value. Add it to the beginning of the MX value, separated from the remainder of the value by a space. <br/> **This value MUST end with a period (.)** <br/> **Note:** Get your \<*domain-key*\> from your Microsoft 365 account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) | 300 <br/> | Simple routing <br/> |

-

-

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

-1. Select **Manage DNS**.

-1. In the boxes for the new record, type or copy and paste the values from the following table.

- (Choose the **Type** and **Routing policy** values from the drop-down lists.)

- |**Record name**|**Record type**|**Value**| **TTL** |**Routing policy**|

- |autodiscover <br/> |CNAME - Routes traffic to another domain name <br/> | autodiscover.outlook.com. <br/> **This value MUST end with a period (.)** <br/> | 300 <br/> |Simple <br/> |

-

-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values. Need examples? Check out these [External Domain Name System records for Microsoft](../../enterprise/external-domain-name-system-records.md). To validate your SPF record, you can use one of these[SPF validation tools](../setup/domains-faq.yml).

-

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

-1. Select **Manage DNS**.

-1. In the boxes for the new record, type or copy and paste the values from the following table.

- (Choose the **Type** value from the drop-down lists.)

- |**Record type** | **Value**|

- |TXT- Used to verify email senders and for application-specific values |v=spf1 include:spf.protection.outlook.com -all <br/> (The quotation marks required by the onscreen instructions are supplied automatically. You don't need to type them manually.) <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |

-

-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

-1. Select **Manage DNS**.

- :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Select Create record.":::

-1. In the boxes for the new record, type or copy and paste the values from the following table.

- (Choose the **Type** and **Routing Policy** values from the drop-down lists.)

- |**Record name**|**Record type**|**Value**|**TTL (Seconds)**|**Routing policy**|

- |_sip._tls|SRV - Application-specific values that id servers|100 1 443 sipdir.online.lync.com. **This value MUST end with a period (.)**><br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. | 300 |Simple|

- |_sipfederationtls._tcp|SRV - Application-specific values that id servers|100 1 5061 sipfed.online.lync.com. **This value MUST end with a period (.)**<br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. | 300 |Simple|

-

-1. To add the other SRV record, select **Add another record**, create a record using the values from the next row in the table, and then again select **Create records**.

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-### Add the two required CNAME records

-1. Select **Manage DNS**.

-1. Select **Create record**.

- |**Record name**|**Record type**|**Value**| **TTL** |**Routing policy**|

- |sip <br/> |CNAME - Canonical name <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |300 <br/> |Simple <br/> |

- |lyncdiscover <br/> |CNAME - Canonical name <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |300 <br/> ||Simple <br/> |

-

-1. To add the other CNAME record, select **Add another record**, create a record using the values from the next row in the table.

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs two CNAME records so that users can enroll devices to the service.

-### Add the two required CNAME records

- **Note**: If you haven't created a hosted zone for your domain, select **Create hosted zone** and complete the steps before moving to the next step.

- |**Record name**|**Record type**|**Value**| **TTL** |**Routing policy**|

- |enterpriseregistration <br/> |CNAME - Canonical name <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |300 <br/> |Simple <br/> |

- |enterpriseenrollment <br/> |CNAME - Canonical name <br/> | enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/>|300 <br/> | |Simple <br/> |

-

-1. To add the other CNAME record, select **Add another record**, create a record using the values from the next row in the table.

- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

-1. In the Microsoft 365 admin center, select **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">**Domains**</a>, and select the domain you want to set up.

-1. Select the three dots (more actions) > choose **Start setup**.

- This completes your domain setup for Microsoft 365.

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-> You must perform this procedure at the domain registrar where you purchased and registered your domain.

-

-When you signed up for Cloudflare, you added a domain by using the Cloudflare Setup process.

-

-

-

- ||

- |:--|:--|

- |First nameserver <br/> |Use the nameserver value provided by Cloudflare. <br/> |

- |Second nameserver <br/> |Use the nameserver value provided by Cloudflare. <br/> |

- > You should use at least two name server records. If there are any other name servers listed, you should delete them.

-

-> Your nameserver record updates may take up to several hours to update across the Internet's DNS system. Then your Microsoft email and other services will be all set to work with your domain.

-

-

-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.

-

-

-1. On the Home page, select the domain that you want to update.

-

-1. Select the TXT type from the drop-down list, and type or copy and paste the values from this table.

- | **Type** | **Name** | **TTL** | **Content** |

- |:--|:--|:--|:-|

- |TXT <br/> |@ <br/> |30 minutes <br/> |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |

-

-

-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-1. On the Home page, select the domain that you want to update.

-1. Select the MX type from the drop-down list, and type or copy and paste the values from this table.

- | **Type** | **Name** | **Mail server** | **TTL** | **Priority** |

- |:--|:--|:--|:--|:--|

- |MX <br/> |@ <br/> |*\<domain-key\>* .mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from your Microsoft 365 account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |30 minutes <br/> | 1 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/>|

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-mx-save.png" alt-text="Select Add record.":::

-1. If there are any other MX records listed in the **MX Records** section, delete them by selecting **Edit**, and then select **Delete**.

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-mx-delete.png" alt-text="Select Delete.":::

-1. In the confirmation dialog box, select **Delete** to confirm your changes.

-1. On the Home page, select the domain that you want to update.

-1. Select the CNAME type from the drop-down list, and type or copy and paste the values from this table.

- | Type | Name | Target | TTL |

- |:--|:--|:--|:--|

- | CNAME <br/> | autodiscover <br/> | autodiscover.outlook.com <br/> | Auto <br/> |

-

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Select Save.":::

-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft 365. Instead, add the required Microsoft 365 values to the current record so that you have a *single* SPF record that includes both sets of values.

-

-1. To get started, go to your domains page at Cloudflare by using [this link](https://www.cloudflare.com/a/login). You'll be prompted to log in first.

-

-1. On the Home page, select the domain that you want to update.

-1. Select the TXT type from the drop-down list, and type or copy and paste the values from this table.

- | Type | Name | TTL | Content |

- |:--|:--|:--|:--|

- |TXT <br/> |@ <br/> |30 minutes <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-TXT-save.png" alt-text="Select Save.":::

-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.

-> Keep in mind that Cloudflare is responsible for making this functionality available. In case you see discrepancies between the steps below and the current Cloudflare GUI (Graphical User Interface), leverage the [Cloudflare Community](https://community.cloudflare.com/).

-1. On the Home page, select the domain that you want to update.

-

-

- | **Type** | **Name** | **Service** | **Protocol** | **TTL** | **Priority** | **Weight** | **Port** | **Target** |

- |:--|:--|:--|:--|:--|:--|:--|:--|:--|

- |SRV| Use your *domain_name*; for example, contoso.com | _sip |TLS |30 minutes | 100|1 |443 |sipfed.online.lync.com |

- |SRV|_sipfederationtls | TCP|Use your *domain_name*; for example, contoso.com |30 minutes |100 |1 |5061 | sipfed.online.lync.com |

-

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-srv-save.png" alt-text="Select Save.":::

-1. Add the other SRV record by copying the values from the second row of the table.

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-1. On the Home page, select the domain that you want to update.

- |**Type**|**Name**|**Target**|**TTL**|

- |:--|:--|:--|:--|

- |CNAME <br/> |sip <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

- |CNAME <br/> |lyncdiscover <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

-

-1. Select the **Save**.

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Select Save.":::

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs 2 CNAME records so that users can enroll devices to the service.

-### Add the two required CNAME records

-1. On the Home page, select the domain that you want to update.

- |**Type**|**Name**|**Target**|**TTL**|

- |:--|:--|:--|:--|

- |CNAME <br/> |enterpriseregistration <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

- |CNAME <br/> |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

-

- :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Select Save.":::

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-> You must perform this procedure at the domain registrar where you purchased and registered your domain.

-

-When you signed up for web.com, you added a domain by using the web.com **Setup** process.

-

-

-

- |||

- |:--|:--|

- |First nameserver <br/> |Use the nameserver value provided by web.com. <br/> |

- |Second nameserver <br/> |Use the nameserver value provided by web.com. <br/> |

- > You should use at least two name server records. If there are any other name servers listed, you should delete them.

-

-> Your nameserver record updates may take up to several hours to update across the Internet's DNS system. Then your Microsoft email and other services will be all set to work with your domain.

-

-

-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.

-

-

-

- :::image type="content" source="../../media/dns-webcom/webcom-domains-1.png" alt-text="Select Manage from the drop-down list.":::

-

-

- |**Refers**|**TXT value**|**TTL**|

- |:--|:--|:-|

- |@ <br/> |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |1 Hour <br/> |

-

-

-

-

-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.

-

-

-

-1. On the landing page, select **Domain Names**.

-

-

-

-1. Select, or copy and paste, the values from the following table.

- | **Refers to** | **Mail server**|**Priority**|**TTL**|

- |:--|:--|:--|:--|

- | @ |*\<domain-key\>* .mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from the Microsoft admin center. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) | For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/> 1| 1 Hour <br/> |

-1. If there are any other MX records, delete all of them by selecting the edit tool, and then **Delete** for each record.

-

-1. On the landing page, select **Domain Names**.

-

-

-1. Select, or copy and paste, the values from the following table.

- |**Refers to** | **Host name** | **Alias to**|**TTL**|

- |:--|:--|:--|:--|

- | Other Host <br/>| autodiscover <br/>| autodiscover.outlook.com <br/> | 1 Hour <br/> |

-

-

-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.

-

-

-1. On the landing page, select **Domain Names**.

-

-

-

-1. Select, or copy and paste, the values from the following table.

- |**Refers to**|**TXT value**|**TTL**|

- |:--|:--|:--|

- |@ <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. | 1 Hour <br/>

-

-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.

-

-1. On the landing page, select **Domain Names**.

-

-

-

- | **Type** |**Service**|**Protocol**|**Weight**|**Port**|**Target**|**Priority**|**TTL**|

- |:--|:--|:--|:--|:--|:--|:--|:--|

- | SRV |_sip <br/> |TLS <br/> |100 <br/> |443 <br/> |sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)** <br/> | 1 <br/> | 1 Hour <br/> |

- | SRV |_sipfederationtls <br/> |TCP <br/> |100 <br/> |5061 <br/> |sipfed.online.lync.com <br/> **This value CANNOT end with a period (.)** <br/> |1 <br/> | 1 Hour <br/> |

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-

-1. Select, or copy and paste, the values from the following table.

- | **Type**|**Refers to | Host Name**|**Alias to**| **TTL** |

- |:--|:--|:--|:--|:--|

- | CNAME | Other Host | sip <br/> |sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)** <br/> |1 Hour <br/> |

- | CNAME| Other Host | lyncdiscover <br/> |webdir.online.lync.com <br/> **This value CANNOT end with a period (.)** <br/> | 1 Hour <br/> |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs 2 CNAME records so that users can enroll devices to the service.

-### Add the two required CNAME records

-

-

-

- | **Type**|**Refers to | Host Name**|**Alias to**| **TTL** |

- |:--|:--|:--|:--|:--|

- | CNAME | Other Host | enterpriseregistration <br/> |enterpriseregistration.windows.net <br/> **This value CANNOT end with a period (.)** <br/> | 1 Hour <br/> |

- | CNAME | Other Host |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com <br/> **This value CANNOT end with a period (.)** <br/> | 1 Hour <br/> |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-**[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later if you like.

-

-2. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

- ||||

- |:--|:--|:--|

- | **Host Name **<br/> | **TXT Value** <br/> | **TTL** <br/> |

- |Automatically populated (leave blank) <br/> |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|1 Hour <br/> | |

-Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record. When Microsoft finds the correct TXT record, your domain is verified.

-

-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.

-

-

-1. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

-1. Under **MX (Mail exchange)**, select **Edit MX Records**.

- | **Host Name** | **Points to** | **Priority** | **TTL** |

- |:--|:--|:--|:--|

- |Automatically populated <br/> | *\<domain-key\>* .mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) | 1 Hour|

- :::image type="content" source="../../media/dns-wix/wix-domains-mx-delete.png" alt-text="Select Delete.":::

-2. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

- | **Host Name** | **Value** | **TTL** |

- |:--|:--|:--|

- |autodiscover <br/> |autodiscover.outlook.com <br/> |1 Hour <br/> |

-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.

-

-2. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

- **Note**: Wix provides an SPF row in the DNS editor. Ignore that row and use the **TXT (Text)** row to enter the SPF values below.

- | **Host Name** | **Value** | **TTL** |

- |:--|:--|:--|

- |[leave this blank] <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.<br/> | 1 Hour |

-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs four records: two SRV records for user-to-user communication, and two CNAME records to sign-in and connect users to the service.

-1. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

- | **Service** | **Protocol** | **Host name** | **Weight** | **Port** | **Target** | **Priority** | **TTL** |

- |:--|:--|:--|:--|:--|:--|:--|:--|

- |sip |tls |Automatically populated |1 |443 |sipdir.online.lync.com |100 |1 Hour |

- |sipfed|tcp |Automatically populated|1 |5061 |sipfed.online.lync.com|100 | 1 Hour |

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).

- |**Type**|**Host**|**Value**|**TTL**|

- |:--|:--|:--|:--|

- |CNAME <br/> |sip <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

- |CNAME <br/> |lyncdiscover <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-

-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs two CNAME records so that users can enroll devices to the service.

-### Add the two required CNAME records

-1. Select **Domains** > **...**, and then select **Manage DNS Records** from the dropdown list.

- |**Type**|**Host**|**Value**|**TTL**|

- |:--|:--|:--|:--|

- |CNAME <br/> |enterpriseregistration <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

- |CNAME <br/> |enterpriseenrollment <br/> |enterpriseenrollment.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |

-

-

-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).

-> [!NOTE]

-> We display your company name in the admin center. This is where you manage Microsoft 365 users, licenses and other features and services. We also include it in any internal SharePoint site URLs.

-||**Option 1** ΓÇô Sign in with Outlook, Hotmail, Yahoo, Gmail or other email account|**Option 2** ΓÇô Add a business domain |

-|:--|:--|:--|

-|Available apps and services <br/> |Use Word, Excel, PowerPoint, OneDrive, Teams, Access. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. YouΓÇÖll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other). <br/> |Use Word, Excel, PowerPoint, OneDrive, Teams, Access. Option 2 also lets you access a wide range of additional

-|Required knowledge <br/> |LetΓÇÖs you get started without technical know-how. <br/> |Requires you to buy a domain, or to own a domain. You may need technical knowledge to prove ownership of the domain. <br/> |

-|Data handling <br/> |Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers to services using this option will not have access to an individualΓÇÖs user content or data until a domain is attached. Subscribers should evaluate data ownership and intellectual property rights considerations based on their needs. For example, if you are working collaboratively with other users on a document stored in their account, they may choose to make those documents inaccessible to you. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. Separately, users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later <br/> |Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is best for businesses that need Microsoft to act as a processor for their data under Microsoft's [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Option 2 and attach a domain and sign up under the Domain Account enterprise-level agreement. <br/> |

-Remember this option doesn't provide branded email, admin control for use of the services by other users, or industry specific compliance support. Subscribers don't have any access or control over other usersΓÇÖ (employees) usage or documents under this option. Users may choose not to transfer data created in storage such as OneDrive to your upgraded, enterprise-level domain account should you not choose **Option 2**.

-Should you choose not to accept terms, your subscription will not automatically renew, and at the end of your current subscription contract, you will lose access to the Office apps. Your OneDrive data will be retained for 90 days for you to make copies of it, and then it will be deleted.

-> [!NOTE]

-> We display your company name in the admin center. This is where you manage Microsoft 365 users, licenses and other features and services. We also include it in any internal SharePoint site URLs.

-||**Option 1** ΓÇô Sign in with Outlook, Hotmail, Yahoo, Gmail or other email account [(Simplified Sign-up)](#terms-of-service-update-for-simplified-sign-up-mode)|**Option 2** ΓÇô Add a business domain and create a new business email account |

-|:--|:--|:--|

-|Available apps and services <br/> |Use Word, Excel, PowerPoint, OneDrive, Teams, Access. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. YouΓÇÖll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other). <br/> |Use Word, Excel, PowerPoint, OneDrive, Teams, Access. Microsoft 365 Business Standard with Option 2 also lets you access a wide range of additional

-|Required knowledge <br/> |LetΓÇÖs you get started without technical know-how. <br/> |Requires you to buy a domain, or to own a domain. You may need technical knowledge to prove ownership of the domain. <br/> |

-|Data handling <br/> |Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers to services using this option will not have access to an individualΓÇÖs user content or data until a domain is attached. Subscribers should evaluate data ownership and intellectual property rights considerations based on their needs. For example, if you are working collaboratively with other users on a document stored in their account, they may choose to make those documents inaccessible to you. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. Separately, users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later <br/> |Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is best for businesses that need Microsoft to act as a processor for their data under Microsoft's [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Option 2 and attach a domain and sign up under the Domain Account enterprise-level agreement. <br/> |

-Remember this option doesn't provide branded email, admin control for use of the services by other users, or industry specific compliance support. Subscribers don't have any access or control over other usersΓÇÖ (employees) usage or documents under this option Users may choose not to transfer data created in storage such as OneDrive/Teams to your upgraded, enterprise-level domain account should you not choose option 2 immediately.

-With this option, youΓÇÖll be able to use Microsoft 365 Exchange as your professional, branded email provider. All your users will have a shared domain email address. For example, their username, followed by @contoso.com. You and your users sign into Microsoft 365 with this new email address. When you follow this process (add a domain and create new business email accounts), youΓÇÖll get access to all the features provided in Microsoft 365 Business Standard. For steps on how to buy or add a domain, see [Set up Microsoft 365 Business Standard](../setup/setup-business-standard.md).

-Should you choose not to accept the updated terms for Simplified Sign Up or to add a business domain, your subscription will not automatically renew, and at the end of your current subscription contract, you will lose access to the Office apps. Your OneDrive data will be retained for 90 days for you to make copies of it, and then it will be deleted.

-If you choose to use a domain you already own, you can use it for your email address with Microsoft 365. As part of sign up process, we ask you to verify the domain so you can send emails via Microsoft 365. This confirms that you are the owner of the domain that is sending emails with that identity, which enhances security and prevents fraudulent activity.

-||**Option 1 - Microsoft Teams Essentials** |**Option 2 - Microsoft 365 Business Basic** |

-|:--|:--|:--|

-|Available apps and services <br/> |Sign in with your existing email account (Hotmail, Gmail, Yahoo) using the new Business Standard signup process. Microsoft Teams with cloud storage in OneDrive. Free web versions of Word, Excel, PowerPoint on Office.com to edit files shared in Teams. <br/> **This set of apps is best for very small businesses who need to collaborate effectively over video meetings and chat**. |Microsoft Teams and OneDrive. Microsoft Exchange, SharePoint, Bookings, Planner and Lists. Premium Office web versions of Word, Excel, PowerPoint on Office.com. <br/> **Microsoft 365 Business Basic also lets you access a wide range of web-based services**: <br/> <br/> - New, branded business email accounts with Outlook, shared calendars within your business. <br/> - Bookings, appointment scheduling and Meeting recordings. <br/> - Shared document storage and SharePoint sites. <br/> - Microsoft Planner and Microsoft Lists. <br/> Microsoft 365 Business Basic offer additional services within Teams with Domain Account Sign-up: <br/> - Meeting recordings and anonymous call access in Microsoft Teams. <br/> - Easier document sharing within your business. <br/> - Support for the compliance needs for your industry. <br/> - Access and control over your employeesΓÇÖ use of services. <br/> - The widest range of integrations of non-Microsoft apps (e.g. Salesforce, Adobe) that work within Teams and Office. <br/> |

-|Required knowledge <br/> |LetΓÇÖs you get started without technical know-how required to run a domain. <br/> |Requires you to buy a domain, or to own a domain. If you want to use an existing domain, you will need access credentials for the domain and you may need technical knowledge to prove ownership. <br/> |

-|Governing Agreement and data handling <br/> |Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and **is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller** for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers ("you") to services using this option will not have access to content or data of another invited user ("invited users). <br/> For example, if you are working collaboratively with other invited users on a document stored in their account, they may choose to make those documents inaccessible to you. <br/> Separately, invited users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. <br/> |Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is **best for businesses that need Microsoft to act as a processor** for their data under our [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. **Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Domain Account sign up with Microsoft Business Business Basic**, and sign up under the Domain Account enterprise-level agreement. <br/> |

-1. [Onboard macOS devices into Microsoft 365 overview (preview)](device-onboarding-macos-overview.md#onboard-macos-devices-into-microsoft-365-overview-preview)

-

-### Ensure your sensitive data table doesnΓÇÖt have formatting issues.

-Before you hash and upload your sensitive data, do a search to validate the presence of special characters that may cause problems in parsing the content.

-EdmUploadAgent.exe /ValidateData /DataFile [data file] /Schema [schema file]

-If the tool indicates a mismatch in number of columns it might be due to the presence of commas or quote characters within values in the table which are being confused with column delimiters. Unless they are surrounding a whole value, single and double quotes can cause the tool to misidentify where an individual column starts or ends.

-> [!TIP]

-> [!IMPORTANT]

-> You must run the **EdmUploadAgent** from the folder where it's installed, and indicate the full path to your data files.

- > [!NOTE]

-> The default format for the sensitive data file is comma-separated values. You can specify a tab-separated file by indicating the "{Tab}" option with the /ColumnSeparator parameter, or you can specify a pipe-separated file by indicating the "|" option.

- Example: **EdmUploadAgent.exe /UploadData /DataStoreName PatientRecords /DataFile C:\Edm\Hash\PatientRecords.csv /HashLocation C:\Edm\Hash /Schema edm.xml /AllowedBadLinesPercentage 5**

-If your sensitive information table has some incorrectly formatted values, but you want to import the remaining data while ignoring invalid rows anyway, you can use the */AllowedBadLinesPercentage* parameter in the command. The example above specifies a five percent threshold. This means that the tool will hash and upload the sensitive information table even if up to five percent of the rows are invalid.

-This command will automatically add a randomly generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt <saltvalue>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.

- Example: **EdmUploadAgent.exe /GetSession /DataStoreName PatientRecords**

- Look for the status to be in **ProcessingInProgress**. Check again every few minutes until the status changes to **Completed**. Once the status is completed, your EDM data is ready for use. Depending on the size of your sensitive information source table file, this can take from a few minutes to several hours.

-> [!NOTE]

-> The default format for the sensitive data file is comma-separated values. You can specify a tab-separated file by indicating the "{Tab}" option with the /ColumnSeparator parameter, or you can specify a pipe-separated file by indicating the "|" option.

- This will output a hashed file and a salt file with these extensions if you didn't specify the **/Salt <saltvalue>** option:

- `EdmUploadAgent.exe /Authorize`

-> [!IMPORTANT]

-> You must run the **EdmUploadAgent** from the folder where it's installed, and indicate the full path to your data files.

-

-||Location of chat messages and posts |Location of files and attachments |

-|:|:|:|

-|Teams 1:1 chats |Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file. |

-|Teams group chats |Messages in group chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file. |

-|Teams channels |All channel messages and posts are stored in the Exchange Online mailbox associated with the team.|Files shared in a channel are stored in the SharePoint Online site associated with the team. |

-|Private channels |Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel.|

-|Shared channels |Messages sent in a shared channel are stored in a system mailbox associated with the shared channel.¹|Files shared in a shared channel are stored in a dedicated SharePoint Online site associated with the shared channel.|

-||||

-| Teams content type|Group by family |Group by conversation |

-|:|:|:|

-|Teams 1:1 and group chats | A transcript and all of its attachments and extracted items share the same **FamilyId**. Each transcript has a unique **FamilyId**. |All transcript files and their family items within the same conversation share the same **ConversationId**. This includes the following items:<br/><br/> - All extracted items and attachments of all transcripts that share the same **ConversationId**. <br/> - All transcripts for the same chat conversation<br/> - All custodian copies of each transcript<br/> - Transcripts from subsequent collections from the same chat conversation <br/><br/> For Teams 1:1 and group chat conversations, you might have multiple transcript files, each one corresponding to a different time frame within the conversation. Because these transcript files are from the same conversation with the same participants, they share the same **ConversationId**.|

-|Standard, private, and shared channel chats | Each post and all replies and attachments are saved to its own transcript. This transcript and all of its attachments and extracted items share the same **FamilyId**. |Each post and its attachments and extracted items have a unique **ConversationId**. If there are subsequent collections or new replies from the same post, the delta transcripts resulting from those collections will also have the same **ConversationId**.|

-||||

-| Teams content type|Queries with search parameters |Queries with date ranges |

-|:|:|:|

-|Teams 1:1 and group chats |Messages that were posted 12 hours before and 12 hours after responsive items are grouped with the responsive item in a single transcript file. |Messages in a 24-hour window are grouped in a single transcript file.|

-|Standard, private, and shared Teams channel chats |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file. |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file.|

-||||

-|Metadata property |Description |

-|:|:|

-|ContainsEditedMessage | Indicates whether a transcript file contains an edited message. Edited messages are identified when viewing the transcript file.|

-|Conversation name | The name of the conversation the transcript file or attachment is associated with. For Teams 1:1 and group chats, the value of this property is the UPN of all participants of the conversation are concatenated. For example, `User3 <User3@contoso.onmicrosoft.com>,User4 <User4@contoso.onmicrosoft.com>,User2 <User2@contoso.onmicrosoft.com>`. Teams channel (standard, private, and shared) chats use the following format for conversation name: `<Team name>,<Channel name>`.ΓÇ» For example, `eDiscovery vNext, General`. |

-|ConversationType | Indicates the type of Team chat. For Teams 1:1 and group chats, the value for this property is `Group`. For standard, private, and shared channel chats, the value is `Channel`.|

-|Date | The time stamp of the first message in the transcript file.|

-|FileClass |Indicates that type of content. Items from Teams chats have the value `Conversation`. In contrast, Exchange email messages have the value `Email`.| |

-|MessageKind | The message kind property. Teams content has the value `microsoftteams , im`. |

-|Recipients | A list of all users who received a message within the transcript conversation.|

-|TeamsChannelName | The Teams channel name of the transcript.|

-|||

-To help in creating a successful portal, follow the basic principles, practices, and recommendations detailed in the [Creating, launching, and maintaining a healthy portal](/sharepoint/portal-health)

-Use the portal launch scheduler to release your portal to users in your organization in scheduled phases. Learn more:

- [Portal Launch Scheduler](https://docs.microsoft.com/microsoft-365/enterprise/portallaunchscheduler)

-A key part of a successful launch is the "wave" or "phased roll-out" approach detailed below.

-SharePoint Online is a shared multi-tenanted environment that is balanced across farms and scale is adjusted in an on-going basis. Load testing an environment, like SharePoint Online, whose scale changes continuously will not only give you unexpected results but it is not permitted.

-### What to do:

-

-

-

-

-### What to do:

-Every Office 365 customer needs to add two records to their external DNS. The first CNAME record ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform. The second required record is to prove you own your domain name.

-|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |

-|-|--||

-|**CNAME** <br/> **(Suite)** <br/> |Used by Office 365 to direct authentication to the correct identity platform. [More information](../admin/services-in-chin?viewFallbackFrom=o365-worldwide) <br/> **Note:** This CNAME only applies to Office 365 operated by 21Vianet. If present and your Office 365 is not operated by 21Vianet, users on your custom domain will get a "*custom domain* isn't in our system" error and won't be able to activate their Office 365 license. [More information](/office365/servicedescriptions/office-365-platform-service-description/office-365-operated-by-21vianet) |**Alias:** msoid <br/> **Target:** clientconfig.partner.microsoftonline-p.net.cn <br/> |

-|**TXT** <br/> **(Domain verification)** <br/> |Used by Office 365 to verify only that you own your domain. It doesn't affect anything else. <br/> |**Host:** @ (or, for some DNS hosting providers, your domain name) <br/> **TXT Value:** _A text string provided by_ Office 365 <br/> The Office 365 **domain setup wizard** provides the values that you use to create this record. <br/> |

-You can use Exchange Online monitoring in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> to monitor the health of the Exchange service for your organization's Microsoft 365 subscription. Exchange Online monitoring provides you with information about incidents and advisories that are collected in these categories:

-Here is an example of the **Service health** page in the Microsoft 365 admin center, available from **Health > Service health** for organization and [priority account](../admin/setup/priority-accounts.md) scenarios.

-

-**Issues in your organization** will be identified and used by organizational-level monitoring and priority account monitoring.

-The value of the **Health** column under **Issues in your organization** indicates whether your organization's infrastructure or third-party software affects the service health experience of your organization's users and/or priority accounts in Exchange Online. Advisories or incidents require *your* actions to resolve.

-The value of the **Health** column under **Microsoft service health** indicates that the service is healthy or has advisories or incidents based on the cloud services that Microsoft maintains.

-Here is an example of the Exchange Online monitoring page in the Microsoft 365 admin center that shows the health of organization-level and priority account scenarios available from **Health > Service health > Exchange Online**.

-

-With the **Exchange Online** monitoring page, you can see whether the Exchange Online service is healthy or not and whether there are any associated incidents or advisories. With Exchange Online monitoring, you can look at the service health for specific email scenarios and view near real-time signals to determine the impact by organization-level scenario. You can also see health of priority account scenarios.

-## Requirements

-This preview is enabled for customers who meet these requirements:

- For example, your organization can have 3,000 Office 365 E3 licenses and 2,500 Microsoft 365 E5, for a total of 5,500 licenses from the qualifying products.

-## Organization-level scenarios

-With Exchange Online monitoring supports the following scenarios:

- 

-The Exchange licensing scenario checks if the priority account is not able to log in due to invalid license issues, which can be addressed by the tenant admin.

-For these scenarios, you can see active and resolved advisories and incidents affecting your priority accounts. Identifiable information for the priority accounts will be displayed in the advisory or incident details along with recommendations. Here is an example from the page at **Health > Service health > Exchange Online**.

-Here is an example.

-An advisory or incident will be resolved after no accounts remain in the **Active** state.

-## Send us feedback

-There are two ways you can provide feedback:

- 

-#### 1. Why don't I see "Exchange Online monitoring" under Health in the Microsoft 365 admin center?

-First, make sure you've enabled the new admin center on the **Home** page of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

-Then make sure you meet both of the following requirements:

-If the license count for your organization falls below 5,000 users and the monthly active users falls below 50 users in the core services, Exchange Online monitoring won't be enabled until these requirements are met.

-#### 2. The active user count in the dashboard for each client appears to be low. We have a lot of active licenses assigned to users. What does this mean?

-#### 3. Will there be other monitoring scenarios for other services such as Teams and SharePoint?

-Microsoft is integrating this experience directly inside the Service Health dashboard in the Microsoft 365 admin center. This will provide opportunities for Microsoft to extend monitoring scenarios for other services, which will be announced when there is news to share.

-#### 4. What is the plan for general availability of this experience?

-Microsoft has integrated Exchange Online monitoring directly on the <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service Health** dashboard</a> in the Microsoft 365 admin center.

-With this new integrated experience, Microsoft's plan is to collect your feedback and then define our plan for general availability.

-#### 5. Is this a free (included) or paid (extra) feature?

-This is a free feature that is in preview and only available for customers that meet the requirements in question 1. There isn't a paid option to receive this content.

-#### 6. How do I provide feedback?

-For general feedback, use the **Give feedback** icon on the bottom-right corner of the **Exchange Online** monitoring page.

-For feedback on incidents or advisories, use the **Is this post helpful?** link.

-#### 7. Where is the data instrumented for the scenarios that show activity trends?

-The data is instrumented in the Exchange Online service. If there is a failure that happens before the request reaches Exchange Online or there is a failure in Exchange Online, you will see a drop in the activity signal.

-#### 8. Are there any privacy concerns?

-Monitoring focuses on service metadata and user content is not monitored.

-## See also

-# Move a OneDrive site to a different geo location

-`Connect-SPOService -url https://<tenantName>-admin.sharepoint.com`

-`Connect-SPOService -url https://contosoenergyeur-admin.sharepoint.com`

-`Get-SPOGeoMoveCrossCompatibilityStatus`

-`Start-SPOUserAndContentMove -UserPrincipalName <UPN> -DestinationDataLocation <DestinationDataLocation> -ValidationOnly`

-To start the move, run:

-`Start-SPOUserAndContentMove -UserPrincipalName <UserPrincipalName> -DestinationDataLocation <DestinationDataLocation>`

-`Start-SPOUserAndContentMove -UserPrincipalName matt@contosoenergy.onmicrosoft.com -DestinationDataLocation AUS`

-## Cancel a OneDrive geo move

-`Stop-SPOUserAndContentMove ΓÇô UserPrincipalName <UserPrincipalName>`

-<table>

-<thead>

-<tr class="header">

-<th align="left">Status</th>

-<th align="left">Description</th>

-</tr>

-</thead>

-<tbody>

-<tr class="odd">

-<td align="left">NotStarted</td>

-<td align="left">The move has not started.</td>

-</tr>

-<tr class="even">

-<td align="left">InProgress (<em>n</em>/4)</td>

-<td align="left">The move is in progress in one of the following states: Validation (1/4), Backup (2/4), Restore (3/4), Cleanup (4/4).</td>

-</tr>

-<tr class="odd">

-<td align="left">Success</td>

-<td align="left">The move has completed successfully.</td>

-</tr>

-<tr class="even">

-<td align="left">Failed</td>

-<td align="left">The move failed.</td>

-</tr>

-</tbody>

-</table>

-To find the status of a specific user's move, use the UserPrincipalName parameter:

-`Get-SPOUserAndContentMoveState -UserPrincipalName <UPN>`

-To find the status of all of the moves in or out of the geo location that you're connected to, use the MoveState parameter with one of the following values: NotStarted, InProgress, Success, Failed, All.

-`Get-SPOUserAndContentMoveState -MoveState <value>`

-You can also add the `-Verbose` parameter for more verbose descriptions of the move state.

-### OneDrive sync app

-### Sharing links

-### OneNote Experience

-### OneDrive Mobile App (iOS)

-Provisioning may take from a few hours up to 72 hours, depending on the size of your tenant. Once provisioning of a satellite location has completed, you will receive an email confirmation. When the new geo location appears in blue on the map on the **Geo locations** tab in the OneDrive admin center, you can proceed to set users' preferred data location to that geo location.

-<span id="_Setting_a_User's" class="anchor"><span id="_Toc508109326" class="anchor"></span></span>

-### Synchronize user's Preferred Data Location using Azure AD Connect

-### Setting Preferred Data Location for cloud only users

-1. [Connect and sign in](/powershell/connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell) with a set of global administrator credentials for your tenant.

-2. Use the [Set-MsolUser](/powershell/msonline/v1/set-msoluser) cmdlet to set the preferred data location for each of your users. For example:

- `Set-MsolUser -userprincipalName Robyn.Buckley@Contoso.com -PreferredDatalocation EUR`

- `(Get-MsolUser -userprincipalName Robyn.Buckley@Contoso.com).PreferredDatalocation`

-**OneDrive for Business**

-**OneDrive Mobile App**

-**OneDrive sync client**

-**Office applications**

-Confirm that you can access OneDrive for Business by logging in from an Office application, such as Word. Open the Office application and select "OneDrive ΓÇô <TenantName>". Office will detect your OneDrive location and show you the files that you can open.

-**Sharing**

-

-

-

-

- [PDF](https://go.microsoft.com/fwlink/p/?LinkId=392555) | [Visio](https://go.microsoft.com/fwlink/p/?LinkId=392554)

-

-

-

-

-

-

-

-|**Type of recovery environment**|**Description**|

-|:--|:--|

-|Hot <br/> |A fully sized farm is provisioned, updated, and running on standby. <br/> |

-|Warm <br/> |The farm is built and virtual machines are running and updated. <br/> Recovery includes attaching content databases, provisioning service applications, and crawling content. <br/> The farm can be a smaller version of the production farm and then scaled out to serve the full user base. <br/> |

-|Cold <br/> |The farm is fully built, but the virtual machines are stopped. <br/> Maintaining the environment includes starting the virtual machines from time to time, patching, updating, and verifying the environment. <br/> Start the full environment in the event of a disaster. <br/> |

-

-

-

-

-

-

-

-

-

-

-SQL Server log shipping with Distributed File System Replication (DFSR) is used to copy database backups and transaction logs to the recovery farm in Azure:

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-|**Item**|**Description**|

-|:--|:--|

-|Sites and content <br/> |Sites and content are available in the recovery environment. <br/> |

-|A new instance of search <br/> |In this warm standby solution, search is not restored from search databases. Search components in the recovery farm are configured as similarly as possible to the production farm. After the sites and content are restored, a full crawl is started to rebuild the search index. You do not need to wait for the crawl to complete to make the sites and content available. <br/> |

-|Services <br/> | Services that store data in databases are restored from the log-shipped databases. Services that do not store data in databases are simply started. <br/> Not all services with databases need to be restored. The following services do not need to be restored from databases and can simply be started after failover: <br/> Usage and Health Data Collection <br/> State service <br/> Word automation <br/> Any other service that doesn't use a database <br/> |

-

-

-|**Item**|**Description**|

-|:--|:--|

-|Synchronizing custom farm solutions <br/> |Ideally, the recovery farm configuration is identical to the production farm. You can work with a consultant or partner to evaluate whether custom farm solutions are replicated and whether the process is in place for keeping the two environments synchronized. <br/> |

-|Connections to data sources on-premises <br/> |It might not be practical to replicate connections to back-end data systems, such as backup domain controller (BDC) connections and search content sources. <br/> |

-|Search restore scenarios <br/> |Because enterprise search deployments tend to be fairly unique and complex, restoring search from databases requires a greater investment. You can work with a consultant or partner to identify and implement search restore scenarios that your organization might require. <br/> |

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-|**Phase**|**Description**|

-|:--|:--|

-|Phase 1 <br/> |Design the disaster recovery environment. <br/> |

-|Phase 2 <br/> |Create the Azure virtual network and VPN connection. <br/> |

-|Phase 3 <br/> |Deploy Windows Active Directory and Domain Name Services to the Azure virtual network. <br/> |

-|Phase 4 <br/> |Deploy the SharePoint recovery farm in Azure. <br/> |

-|Phase 5 <br/> |Set up DFSR between the farms. <br/> |

-|Phase 6 <br/> |Set up log shipping to the recovery farm. <br/> |

-|Phase 7 <br/> | Validate failover and recovery solutions. This includes the following procedures and technologies: <br/> Stop log shipping. <br/> Restore the backups. <br/> Crawl content. <br/> Recover services. <br/> Manage DNS records. <br/> |

-

-

-

-To support log shipping in a disaster-recovery solution, a file share virtual machine is added to the subnet where the database roles reside. The file share also serves as the third node of a Node Majority for the SQL Server AlwaysOn availability group. This is the recommended configuration for a standard SharePoint farm that uses SQL Server AlwaysOn availability groups.

-

-> It is important to review the prerequisites for a database to participate in a SQL Server AlwaysOn availability group. For more information, see [Prerequisites, Restrictions, and Recommendations for AlwaysOn Availability Groups](/sql/database-engine/availability-groups/windows/prereqs-restrictions-recommendations-always-on-availability).

-

-

-

-

-

-Configure the recovery farm as identically as possible to the production farm so that it meets your service level agreement (SLA) requirements and provides the functionality that you need to support your business. When you design the disaster recovery environment, also look at your change management process for your production environment. We recommend that you extend the change management process to the recovery environment by updating the recovery environment at the same interval as the production environment. As part of the change management process, we recommend maintaining a detailed inventory of your farm configuration, applications, and users.

-

-

-

-

-

-

-

-

-

-

-

-

-Before this phase, you didn't deploy virtual machines to the Virtual Network. The virtual machines for hosting Active Directory and DNS are likely not the largest virtual machines you need for the solution. Before you deploy these virtual machines, first create the largest virtual machine that you plan to use in your Virtual Network. This helps ensure that your solution lands on a tag in Azure that allows the largest size you need. You do not need to configure this virtual machine at this time. Simply create it, and set it aside. If you do not do this, you might run into a limitation when you try to create larger virtual machines later, which was an issue at the time this article was written.

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-|**Title**|**Description**|

-|:--|:--|

-|[Replication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770278(v=ws.11)) <br/> |DFS Management TechNet topic with links for replication <br/> |

-|[DFS Replication: Survival Guide](https://go.microsoft.com/fwlink/p/?LinkId=392737) <br/> |Wiki with links to DFS information <br/> |

-|[DFS Replication: Frequently Asked Questions](/previous-versions/windows/it-pro/windows-server-2003/cc773238(v=ws.10)) <br/> |DFS Replication TechNet topic <br/> |

-|[Jose Barreto's Blog](/archive/blogs/josebda/) <br/> |Blog written by a Principal Program Manager on the File Server team at Microsoft <br/> |

-|[The Storage Team at Microsoft - File Cabinet Blog](https://go.microsoft.com/fwlink/p/?LinkId=392740) <br/> |Blog about file services and storage features in Windows Server <br/> |

-

-Log shipping is the critical component for setting up disaster recovery in this environment. You can use log shipping to automatically send transaction log files for databases from a primary database server instance to a secondary database server instance. To set up log shipping, see [Configure log shipping in SharePoint 2013](/sharepoint/administration/configure-log-shipping).

-

-> Log shipping support in SharePoint Server is limited to certain databases. For more information, see [Supported high availability and disaster recovery options for SharePoint databases (SharePoint 2013)](/SharePoint/administration/supported-high-availability-and-disaster-recovery-options-for-sharepoint-databas).

-

-

-

-

-Exec ( 'Select ''exec master..sp_delete_log_shipping_secondary_database '' + '''''''' + prm.primary_database + ''''''''

-Exec ( 'Select ''exec master..sp_delete_log_shipping_primary_secondary '' + '''''''' + prm.Primary_Database + '''''', '''''' + sec.Secondary_Server + '''''', '''''' + sec.Secondary_database + ''''''''

-Exec ( 'Select ''exec master..sp_delete_log_shipping_primary_database '' + '''''''' + prm.primary_database + ''''''''

-Exec ( 'Select ''exec master..sp_delete_log_shipping_secondary_primary '' + '''''''' + prm.primary_server + '''''', '''''' + prm.primary_database + ''''''''

-

-

-

-

-```

-restore database WSS_Content with recovery

-

-

-You must start a full crawl for each content source to restore the Search Service. Note that you lose some analytics information from the on-premises farm, such as search recommendations. Before you start the full crawls, use the Windows PowerShell cmdlet **Restore-SPEnterpriseSearchServiceApplication** and specify the log-shipped and replicated Search Administration database, **Search_Service__DB_<GUID>**. This cmdlet gives the search configuration, schema, managed properties, rules, and sources and creates a default set of the other components.

-

-

-

-

-

-> Restoring an on-premises SharePoint database into the Azure environment will not recover any SharePoint services that you did not already install in Azure manually.

-

-|**Restore these services from log-shipped databases**|**These services have databases, but we recommend that you start these services without restoring their databases**|**These services do not store data in databases; start these services after failover**|

-|:--|:--|:--|

-| Machine Translation Service <br/> Managed Metadata Service <br/> Secure Store Service <br/> User Profile. (Only the Profile and Social Tagging databases are supported. The Synchronization database is not supported.) <br/> Microsoft SharePoint Foundation Subscription Settings Service <br/> | Usage and Health Data Collection <br/> State service <br/> Word automation <br/> | Excel Services <br/> PerformancePoint Services <br/> PowerPoint Conversion <br/> Visio Graphics Service <br/> Work Management <br/> |

-

-

-

-

-

-

-

-

-

-

-In most cases where you have multiple front-end web servers, it makes sense to take advantage of the Network Load Balancing feature in Windows Server 2012 or a hardware load balancer to distribute requests among the web-front-end servers in your farm. Network load balancing can also help reduce risk by distributing requests to the other servers if one of your web-front-end servers fails.

-

-

-

-

-

-

-

-

-

-|**Server name**|**Role**|**Configuration**|

-|:--|:--|:--|

-|DC1 <br/> |Domain controller with Active Directory. <br/> |Two processors <br/> From 512 MB through 4 GB of RAM <br/> 1 x 127-GB hard disk <br/> |

-|RRAS <br/> |Server configured with the Routing and Remote Access Service (RRAS) role. <br/> |Two processors <br/> 2-8 GB of RAM <br/> 1 x 127-GB hard disk <br/> |

-|FS1 <br/> |File server with shares for backups and an end point for DFSR. <br/> |Four processors <br/> 2-12 GB of RAM <br/> 1 x 127-GB hard disk <br/> 1 x 1-TB hard disk (SAN) <br/> 1 x 750-GB hard disk <br/> |

-|SP-WFE1, SP-WFE2 <br/> |Front-end web servers. <br/> |Four processors <br/> 16 GB of RAM <br/> |

-|SP-APP1, SP-APP2, SP-APP3 <br/> |Application servers. <br/> |Four processors <br/> 2-16 GB of RAM <br/> |

-|SP-SQL-HA1, SP-SQL-HA2 <br/> |Database servers, configured with SQL Server 2012 AlwaysOn availability groups to provide high availability. This configuration uses SP-SQL-HA1 and SP-SQL-HA2 as the primary and secondary replicas. <br/> |Four processors <br/> 2-16 GB of RAM <br/> |

-

-

-|**Drive letter**|**Size**|**Directory name**|**Path**|

-|:--|:--|:--|:--|

-|C <br/> |80 <br/> |System drive <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\ <br/> |

-|E <br/> |80 <br/> |Log drive (40 GB) <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.MSSQLSERVER\\MSSQL\\DATA <br/> |

-|F <br/> |80 <br/> |Page (36 GB) <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL\\DATA <br/> |

-

-

-|**Drive letter**|**Size**|**Directory name**|**Path**|

-|:--|:--|:--|:--|

-|C <br/> |80 <br/> |Data root directory <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\ <br/> |

-|E <br/> |500 <br/> |User database directory <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.MSSQLSERVER\\MSSQL\\DATA <br/> |

-|F <br/> |500 <br/> |User database log directory <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.MSSQLSERVER\\MSSQL\\DATA <br/> |

-|G <br/> |500 <br/> |Temp DB directory <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.MSSQLSERVER\\MSSQL\\DATA <br/> |

-|H <br/> |500 <br/> |Temp DB log directory <br/> |<DriveLetter>:\\Program Files\\Microsoft SQL Server\\MSSQL10_50.MSSQLSERVER\\MSSQL\\DATA <br/> |

-

-

-

-

-

-

-

-

-

-We created the database servers with SQL Server installed before creating the SharePoint 2013 servers. Because this was a new deployment, we created the availability groups before deploying SharePoint. We created three groups based on MCS best practice guidance.

-

-

-

-

-

-

-

-We used the _skipRegisterAsDistributedCachehost_ parameter when we ran **psconfig.exe** at the command line. For more information, see [Plan for feeds and the Distributed Cache service in SharePoint Server 2013](/sharepoint/administration/plan-for-feeds-and-the-distributed-cache-service).

-

-

-

-

-

-

-

-

-|**Server name**|**Role**|**Configuration**|**Subnet**|**Availability set**|

-|:--|:--|:--|:--|:--|

-|spDRAD <br/> |Domain controller with Active Directory <br/> |Two processors <br/> From 512 MB through 4 GB of RAM <br/> 1 x 127-GB hard disk <br/> |sp-ADservers <br/> ||

-|AZ-SP-FS <br/> |File server with shares for backups and an endpoint for DFSR <br/> | A5 configuration: <br/> Two processors <br/> 14 GB of RAM <br/> 1 x 127-GB hard disk <br/> 1 x 135-GB hard disk <br/> 1 x 127-GB hard disk <br/> 1 x 150-GB hard disk <br/> |sp-databaseservers <br/> |DATA_SET <br/> |

-|AZ-WFE1, AZ -WFE2 <br/> |Front End Web servers <br/> | A5 configuration: <br/> Two processors <br/> 14 GB of RAM <br/> 1 x 127-GB hard disk <br/> |sp-webservers <br/> |WFE_SET <br/> |

-|AZ -APP1, AZ -APP2, AZ -APP3 <br/> |Application servers <br/> | A5 configuration: <br/> Two processors <br/> 14 GB of RAM <br/> 1 x 127-GB hard disk <br/> |sp-applicationservers <br/> |APP_SET <br/> |

-|AZ -SQL-HA1, AZ -SQL-HA2 <br/> |Database servers and primary and secondary replicas for AlwaysOn availability groups <br/> | A5 configuration: <br/> Two processors <br/> 14 GB of RAM <br/> |sp-databaseservers <br/> |DATA_SET <br/> |

-

-

-

-

-

-

-Our failover tests involved the following databases:

-

-

-

-

-

-

-

-The section explains the problems we encountered during our testing and their solutions.

-

-

-Check for a missing service application association between your content site collection and your content type hub. In addition, under the **Managed Metadata - <site collection name> Connection** properties screen, make sure this option is enabled: **This service application is the default storage location for column specific term sets.**

-

-

-```

-Import-module servermanager

-Import-module activedirectory

-### Availability group creation fails at Starting the 'AlwaysOn_health' XEvent session on '<server name>'

-Ensure that both nodes of your failover cluster are in the Status "Up" and not "Paused" or "Stopped".

-

-

-This happens because the default backup preference for an availability group is **Prefer Secondary**. Ensure that you run the log shipping job from the secondary server for the availability group instead of the primary; otherwise, the job will fail silently.

-

-

-

-```

-

-

-[Microsoft 365 solution and architecture center](../solutions/index.yml)

-<!--Worldwide endpoints version 2022022800-->

-<!--File generated 2022-02-28 17:00:02.6221-->

-32 | Default<BR>Optional<BR>**Notes:** OneDrive for Business: supportability, telemetry, APIs, and embedded email links | No | `*.log.optimizely.com, ssw.live.com, storage.live.com` | **TCP:** 443

-29 | Default<BR>Optional<BR>**Notes:** Yammer third-party integration | No | `*.tenor.com` | **TCP:** 443, 80

-52 | Default<BR>Optional<BR>**Notes:** OneNote 3rd party supporting services and CDNs | No | `s.ytimg.com, www.youtube.com` | **TCP:** 443

-53 | Default<BR>Required | No | `ajax.aspnetcdn.com, apis.live.net, cdn.optimizely.com, officeapps.live.com, www.onedrive.com` | **TCP:** 443

-68 | Default<BR>Optional<BR>**Notes:** Portal and shared: 3rd party office integration. (including CDNs) | No | `*.helpshift.com, connect.facebook.net, firstpartyapps.oaspapps.com, prod.firstpartyapps.oaspapps.com.akadns.net, telemetryservice.firstpartyapps.oaspapps.com, wus-firstpartyapps.oaspapps.com` | **TCP:** 443

-105 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Outlook Privacy | No | `bit.ly, www.acompli.com` | **TCP:** 443

-110 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Adjust integration | No | `app.adjust.com` | **TCP:** 443

-> The current Teams classes LTI only supports syncing Canvas users with Microsoft Azure Active Directory (AAD) in a limited scope.

-**To enable Microsoft Teams Sync and approve access for the app**

-

-7. Fill out the following fields with the appropriate information. These fields will be used for matching users in Canvas with users in AAD.

- * The **Tenant Name** is your Microsoft tenant name.

- * The **Login Attribute** is one of the following Canvas user attributes used for mapping:

- * **Email** is the Canvas user's default email address. If users change their default email address in Canvas, their enrollment in a course could be blocked from syncing to Teams.

- * **Unique User ID** is the user's Canvas login ID.

- * **SIS User ID** is the ID value that is populated from the Student Information System (SIS) and is viewable on the user's profile page.

- * **Integration ID** is only populated via SIS imports and is viewable on the user's profile page. Typically, this unique identifier is provided by the institution and used in account trusts or consortia situations to identify users across multiple accounts.

- * The **Suffix** field is optional and lets you specify a domain when there isn't an exact mapping between Canvas attributes and Microsoft AAD fields. For example, if your Canvas email is 'name@example.edu' while the UPN in Microsoft AAD is 'name', you can match users by entering '@example.edu' in the suffix field. The domain should be entered in this field with the preceding @.

- * The Active Directory Lookup Attribute is the field in AAD to which Canvas attributes are matched. Select in between UPN, primary email address, or the email alias.

-> [!NOTE]

-> This step must be performed by a Microsoft tenant admin that can approve apps.

-**To add the Teams classes LTI app to the Canvas environment**

-3. For **Configuration Type**, select **By Client ID**.

-4. For **Client ID**, enter **170000000000570** for the Microsoft Teams classes LTI, and then select **Submit**.

-5. In the confirmation that appears, verify the app name (Microsoft Teams classes), and then select **Install**.

-

-> The current Teams Meetings LTI only supports syncing Canvas users with Microsoft Azure Active Directory (AAD) in a limited scope.

-

-4. Enter your Microsoft tenant name, login attribute, domain suffix, and AAD lookup attribute. These fields will be used for matching users in Canvas with users in Microsoft Azure Active Directory.

- * The Login Attribute is the Canvas user attribute utilized for matching.

- * The Suffix field is optional and lets you specify a domain when there isn't an exact mapping between Canvas attributes and Microsoft AAD fields. For example, if your Canvas email is 'name@example.edu' while the UPN in Microsoft AAD is 'name', you can match users by entering 'example.edu' in the suffix field.

- * The Active Directory Lookup Attribute is the field on the Microsoft side which Canvas attributes are matched to. Select in between UPN, primary email address, or the email alias.

-7. Select **Accept**.

-> [!NOTE]

-> Sync is a functionality that is managed by LMS partner and is used to sync membership at a course level to the Teams team using Microsoft graph APIs. This is primarily a functionality that an educator switches on as true at a course level. Subsequently any membership change done on LMS side for the addition or deletion of the members gets reflected using the Sync implemented by the LMS partner. Even before this process is enabled for an Educator the M365 education institute admin allows their educators to access sync using the Sync permission modal found below. These permissions are granted to the LMS partner to enable educators to sync membership between the LMS course and Teams Class teams.

-

-Please refer your instructors to [educator documentation](https://support.microsoft.com/en-us/topic/use-microsoft-teams-classes-in-your-lms-preview-ac6a1e34-32f7-45e6-b83e-094185a1e78a#ID0EBD=Instructure_Canvas) for enabling the LTI for each course and finishing the integration setup.

-description:

- - Publisher details (for example: ΓÇ£O=<publisher name>,L=<location>,S=State,C=CountryΓÇ¥)

-|Deployment group |Policy type |Timing |

-||||

-|Test | Audit | Day 0 |

-|First | Enforced | Day 1 |

-|Fast | Enforced | Day 2 |

-|Broad | Enforced | Day 3 |

- - Publisher details (for example: ΓÇ£O=<publisher name>, L=<location>, S=State, C=CountryΓÇ¥)

-#### [Tune performance of Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

-#### Troubleshooting Microsoft Defender Antivirus

-##### [Troubleshoot performance issues](troubleshoot-performance-issues.md)

-#### [Device health and compliance reports](machine-reports.md)

-Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of ASR rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md).

- - GUIDs

-Dependencies:

-|Serial NumberId|[Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <p> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|

-|11|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md).|

-description: Enroll your endpoint devices in Microsoft Intune as part of your Zero Trust security architecture, protecting against ransomware while building in protection for remote workers.

-keywords:

-A core component of enterprise-level security includes managing and protecting devices. Whether youΓÇÖre building a Zero Trust security architecture, hardening your environment against ransomware, or building in protections to support remote workers, managing devices is part of the strategy.

-On the other hand, if your environment includes plans for co-management including Microsoft Endpoint Configuration Manager, see [Co-management documentation](/mem/configmgr/comanage/) to develop the best path for your organization. If your environment includes plans for Windows 365 Cloud PC, see [Windows 365 Enterprise documentation](/windows-365/enterprise/) to develop the best path for your organization.

-The modern enterprise has an incredible diversity of endpoints accessing their data. This setup creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

-The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. These are the layers of protection device admins will coordinate with other administrators to accomplish.

-In this illustration:

-|&nbsp;|Step |Description |Licensing requirements |

-|||||

-|1 | Configure starting-point Zero Trust identity and device access policies | Work with your identity administrator to [Implement Level 2 App Protection Policies (APP) data protection](manage-devices-with-intune-app-protection.md). These policies do not require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps. |E3, E5, F1, F3, F5 |

-|2 | Enroll devices into management | This task requires more planning and time to implement. Microsoft recommends using Intune to enroll devices because this tool provides optimal integration. There are several options for enrolling devices, depending on the platform. For example, Windows devices can be enrolled by using Azure AD Join or by using Autopilot. You need to review the options for each platform and decide which enrollment option is best for your environment. See [Step 3ΓÇöEnroll devices into management](manage-devices-with-intune-enroll.md) for more information. | E3, E5, F1, F3, F5 |

-|3 | Configure compliance policies | You want to be sure devices that are accessing your apps and data meet minimum requirements, for example devices are password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. [Step 3. Set up compliance policies](manage-devices-with-intune-compliance-policies.md) helps you configure these policies. | E3, E5, F3, F5 |

-|4 | Configure Enterprise (recommended) Zero Trust identity and device access policies |Now that your devices are enrolled, you can work with your identity admin to [tune Conditional Access policies to require healthy and compliant devices](manage-devices-with-intune-require-compliance.md). | E3, E5, F3, F5 |

-|5 |Deploy configuration profiles | As opposed to device compliance policies that simply mark a device as compliant or not based on criteria you configure, configuration profiles actually change the configuration of settings on a device. You can use configuration policies to harden devices against cyberthreats. See [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md). | E3, E5, F3, F5 |

-|6 |Monitor device risk and compliance with security baselines | In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance with security baselines. See [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md). | E5, F5 |

-|7 |Implement data loss prevention (DLP) with information protection capabilities | If your organization has put the work into identifying sensitive data and labeling documents, you can work with your information protection admin to [protect sensitive information and documents on your devices](manage-devices-with-intune-dlp-mip.md). | E5, F5 compliance add-on |

-| | | | |

-This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/microsoft-365-policies-configurations.md). You will be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Azure AD.

-HereΓÇÖs an illustration of the recommended policy set with step callouts for the work you will do in Intune/MEM and the related Conditional Access policies you will help coordinate in Azure AD.

-<br>

-

-Note that only Intune is managing devices. Onboarding refers to the ability for a device to share information with a specific service. The following table summarizes the differences between enrolling devices into management and onboarding devices for a specific service.

-| |Enroll |Onboard |

-||||

-|Description | Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager. | Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities. <br><br>On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device. |

-|Scope | These device management tools manage the entire device, including configuring the device to meet specific objectives, like security. |Onboarding only affects the services that apply. |

-|Recommended method | Azure Active Directory join automatically enrolls devices into Intune. | Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft 365 compliance capabilities.<br><br>Note that devices that are onboarded to Microsoft 365 compliance capabilities using other methods are not automatically enrolled for Defender for Endpoint. |

-|Other methods | Other methods of enrollment depend on the platform of the device and whether it is BYOD or managed by your organization. | Other methods for onboarding devices include, in recommended order:<br><li>Configuration Manager<li>Other mobile device management tool (if the device is managed by one)<li>Local script<li>VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices<li>Group Policy|

-| | | |

-Run the following script, changing */<GroupName/>* to the name of the group where you want to block guest access.