Updates from: 03/06/2021 04:14:34
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft Office Activations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-office-activations.md
The Office Activation report gives you a view of which users have activated thei
## How to get to the Office activations report
-1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
+1. In the admin center, go to the **Reports** \> <a href="https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage" target="_blank">Usage</a> page.
2. From the **Select a report** drop-down, select **Office 365** \> **Activations**.
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
If the deployed add-in doesn't support add-in commands or if you want to view al
Learn more about creating and building [Office Add-ins](https://docs.microsoft.com/office/dev/add-ins/overview/office-add-ins).
-[Use Centralized Deployment PowerShell cmdlets to manage add-ins](https://docs.microsoft.com/office365/enterprise/use-the-centralized-deployment-powershell-cmdlets-to-manage-add-ins).
+[Use Centralized Deployment PowerShell cmdlets to manage add-ins](https://docs.microsoft.com/microsoft-365/enterprise/use-the-centralized-deployment-powershell-cmdlets-to-manage-add-ins).
[Troubleshoot: User not seeing add-ins](https://docs.microsoft.com/office365/troubleshoot/access-management/user-not-seeing-add-ins)
admin Manage Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-deployment-of-add-ins.md
Title: "Deploy add-ins in the admin center" f1.keywords: - NOCSH--++ audience: Admin
description: "Learn to deploy add-ins to users and groups in your organization b
::: moniker-end
-Office add-ins help you personalize your documents and streamline the way you access information on the web (see [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)). As an admin, you can deploy Office add-ins for the users in your organization by using the Centralized Deployment feature in the Microsoft 365 admin center. Centralized Deployment is the recommended and most feature-rich way for most admins to deploy add-ins to users and groups within an organization.
+Office add-ins help you personalize your documents and streamline the way you access information on the web (see [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)). As an admin, you can deploy Office add-ins for the users in your organization by using the Centralized Deployment feature in the Microsoft 365 admin center. Centralized Deployment is the recommended and most feature-rich way for most admins to deploy add-ins to users and groups within an organization.
For more information on how to determine if your organization can support Centralized Deployment, see [Determine if Centralized Deployment of add-ins works for your organization](centralized-deployment-of-add-ins.md).
Depending on the size of the target audience, you can add or remove roll-out ste
Before you begin, see [Determine if Centralized Deployment of add-ins works for your organization](centralized-deployment-of-add-ins.md). 1. In the admin center, go to the **Settings** \> **Add-ins** page. If you don't see the **Add-in** Page, go to the **Settings** \> **Integrated apps** \> **Add-ins** page.
-
+ 2. Select **Deploy Add-in** at the top of the page, and then select **Next**.
-
+ > [!NOTE] > The admin center is getting updated to deployment experience with Integrated Apps. Integrated Apps is only visible to Global administrators, while for others the old experience still exists. If you don't see the above steps, go to the Centralized Deployment section by going to **Settings** > **Integrated apps**. On the top of the **Integrated apps** page, choose **Add-ins**.
-
+ 3. Select an option and follow the instructions. 4. If you selected the option to add an add-in from the Office Store, make your add-in selection. </br> You can view available add-ins by categories: **Suggested for you**, **Rating**, or **Name**. Only free add-ins are available from the Office Store. Paid add-ins aren't supported currently. After you select an add-in, accept the terms and conditions to proceed. <br/>
- > [!NOTE]
+ > [!NOTE]
> With the Office Store option, updates and enhancements are automatically deployed to users. 5. On the next page, select **Everyone**, **Specific users/groups**, or **Just me** to specify who the add-in is deployed to. Use the Search box to find specific users or groups. <br/>
- > [!NOTE]
+ > [!NOTE]
> To learn about other states that apply to an add-in, see [Add-in states](https://docs.microsoft.com/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md). 6. Select **Deploy**.
Before you begin, see [Determine if Centralized Deployment of add-ins works for
> [!NOTE] > Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
-
+ 8. When finished, select **Next**. If you've deployed to just yourself, you can select **Change who has access to add-in** to deploy to more users. If you've deployed the add-in to other members of your organization, follow the instructions to announce the deployment of the add-in. <br/>
Before you begin, see [Determine if Centralized Deployment of add-ins works for
Global admins and Exchange admins can assign an add-in to everyone or to specific users and groups. Each option has implications: -- **Everyone** This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
-
+- **Everyone** This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
+ - **Users** If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.
-
-- **Groups** If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin. +
+- **Groups** If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin.
- **Just me** If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.
-
+ The right option for your organization depends on your configuration. However, we recommend making assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and controlling the membership of those groups rather than assigning individual users each time. In some situations, you might want to restrict access to a small set of users by making assignments to specific users by assigning users manually. ## More about Office add-ins security
The right option for your organization depends on your configuration. However, w
Office add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can: - Display data.
-
+ - Read a user's document to provide contextual services.
-
+ - Read and write data to and from a user's document to provide value to that user.
-
+ For more information about the types and capabilities of Office add-ins, see [Office Add-ins platform overview](https://docs.microsoft.com/office/dev/add-ins/overview/office-add-ins), especially the section "Anatomy of an Office Add-in." To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see [Requesting permissions for API use in content and task pane add-ins](https://docs.microsoft.com/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
When updating a manifest, the typical changes are to an add-in's icon and text.
Updates for add-ins happen as follows: -- **Line-of-business add-in:** In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Line-of-business add-in:** In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
> [!NOTE]
- > Admin does not need to remove a LOB Add-in for doing an update. In the Add-ins section, Admin can simply click on the LOB Add-in and choose the **Update Button** in the bottom right corner. Update will work only if the version of the new add-in is greater than that of the existing add-in.
-
-- **Office Store add-in:** When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+ > Admin does not need to remove a LOB Add-in for doing an update. In the Add-ins section, Admin can simply click on the LOB Add-in and choose the **Update Button** in the bottom right corner. Update will work only if the version of the new add-in is greater than that of the existing add-in.
+
+- **Office Store add-in:** When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the add-in will update later in Centralized Deployment. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
## Learn more
admin Set Password Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/set-password-expiration-policy.md
Follow the steps below if you want to set user passwords to expire after a speci
5. Type how often passwords should expire. Choose a number of days from 14 to 730. 6. In the second box type when users are notified that their password will expire, and then select **Save**. Choose a number of days from 1 to 30.-
-7. When the user's password expires, they'll get a notification that appears in the lower right corner of their screen.
## Important things you need to know about the password expiration feature
admin Productivity Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/productivity-score.md
The details pages are:
- [Mobility ΓÇô people experiences](mobility.md) - [Teamwork ΓÇô people experiences](teamwork.md) - [Microsoft 365 Apps health ΓÇô technology experiences](apps-health.md)
+- [Endpoint Analytics](https://docs.microsoft.com/mem/analytics/productivity-score)
## Business continuity special report
admin Set Up Multi Factor Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication.md
For more information about the Azure AD P1 and P2, see [Azure Active Directory p
### Turn on Modern authentication for your organization
-For most subscriptions modern authentication is automatically turned on, but if you purchased your subscription a long time ago, it might not be. This has to be turned on before MFA works appropriately with Office apps.
+For most subscriptions modern authentication is automatically turned on, but if you purchased your subscription before August 2017, it is likely that you will need to turn on Modern Authentication in order to get features like Multi-Factor Authentication to work in Windows clients like Outlook.
+ 1. In the Microsoft 365 admin center, in the left nav choose **Settings** \> **Org settings**.
-1. Under **Services** tab, choose **Modern authentication**, and in the **Modern authentication** pane, make sure **Enable Modern authentication** is selected. Choose **Save changes**.
+2. Under the **Services** tab, choose **Modern authentication**, and in the **Modern authentication** pane, make sure **Enable Modern authentication** is selected. Choose **Save changes**.
### Turn off legacy per-user MFA
If you have previously turned on per-user MFA, you must turn it off before enabl
[Video: Turn on multi-factor authentication](https://docs.microsoft.com/microsoft-365/business-video/turn-on-mfa)
-[Video: Turn on multi-factor authentication for your phone](https://docs.microsoft.com/microsoft-365/business-video/set-up-mfa)
+[Video: Turn on multi-factor authentication for your phone](https://docs.microsoft.com/microsoft-365/business-video/set-up-mfa)
business-video Track Info Lists https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/track-info-lists.md
+
+ Title: "Use Microsoft Lists to track business info"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
++
+- Adm_O365
+
+- AdminSurgePortfolio
+- adminvideo
+
+description: "Learn about Microsoft Lists. With Microsoft Lists, you can track customer details, like customer type, order fulfillment and order progress."
++
+# Use Microsoft Lists to track business info
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MnGM?autoplay=false]
+
+## Try it
+
+Track information and organize work with Microsoft Lists. Create a list from scratch, from Excel, from an existing list, or from a template. You can get started from Microsoft 365, Microsoft Teams, or SharePoint.
+
+### Add an item to the list
+
+1. Select **New**.
+1. Add details about the order.
+1. Select **Save**.
+
+### Share the list with partners or coworkers
+
+1. Above the list, select **Share**.
+1. Enter who you want to share with; it can be an individual or a group.
+1. Choose the permissions.
+1. Select **Grant access**.
+
+### Add formatting to your list
+
+Format a column to highlight the details in it:
+
+1. Select the column heading, select the option you want, such as a background color or rounded corners.
+1. Select **Save** to apply the changes.
+
+### Add rules to alert coworkers about list updates
+
+1. Above the list, select **Automate**.
+1. Select **Create a rule**.
+1. Choose the appropriate condition to trigger the rule you want to make.
+1. Customize the rule with the specific info you need, such as the names of people to be notified when the list is updated.
+1. Select **Create** to save the rule.
+
+### Sort and group list items
+
+You can prioritize a list of orders in a few different ways:
+
+- To sort by deadline, select the Fulfill order by column and then select Older to Newer.
+- To group orders by customer, select the Customer type column, and select Group by Customer type.
+
+### Update an item's status
+
+You can track progress instantly:
+
+- Double-click an item to open it, and update the order's progress.
+
+## Related topics
+
+[Create a list from the Lists app](https://support.microsoft.com/office/create-a-list-from-the-lists-app-b5e0b7f8-136f-425f-a108-699586f8e8bd)
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
+
+ Title: "Manage billing notifications and invoice attachments"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+
+- okr_SMB
+- AdminSurgePortfolio
+- commerce
+search.appverid:
+- MET150
+description: "Learn how to manage who receives billing notification emails and invoice attachments."
++
+# Manage billing notifications and invoice attachments
+
+The **Billing notifications** page lets you manage who receives billing notification emails for your organization. The page also provides the option to [receive your organization's invoices as email attachments](#receive-your-organizations-invoices-as-email-attachments).
+
+## Before you begin
+
+You must be a Global admin to do the steps described in this article. Billing admins can make some of these changes, as noted in the sections below. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+## Change the language you receive email in
+
+> [!NOTE]
+> Billing admins can also do the steps in this section.
+
+Billing notification emails are sent in your organizationΓÇÖs preferred language. To change the preferred language, use the following steps.
+
+1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. In the **Billing notification settings** section, select **Edit notification settings**.
+3. In the **Billing notification settings** pane, under **Preferred language** select the language you want to use, then select **Save**.
+
+## Change who receives billing notifications
+
+Your organization's billing notifications are sent to the primary and alternate email address of every Global and Billing admin. To change which users have the Global or Billing admin role, use the following steps.
+
+### Assign admin roles by using the Billing notifications page
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. In the **Admins receiving billing notifications** section, select the **Billing administrator** or **Global administrator** link in the description text.
+3. In the right pane, on the **Assigned admins** tab, select **Add**.
+4. In the **Add admins** pane, type the userΓÇÖs display name or username, and then select the user from the list of suggestions.
+5. Add multiple users until youΓÇÖre done.
+6. Select **Save**. The user is added to the list of assigned admins.
+
+### Remove admin roles by using the Billing notifications page
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. In the **Admins receiving billing notifications** section, select the **Billing administrator** or **Global administrator** link in the description text.
+3. In the right pane, on the **Assigned admins** tab, select the users to remove from the role, and then select **Remove**.
+4. In the confirmation box, select **Remove**. The user is removed from the list of assigned admins.
+
+## Change the email addresses for admins
+
+To change the primary and alternate email address of other admins in your organization, use the following steps.
+
+> [!NOTE]
+> Billing admins can change their own primary and alternate email addresses, but not for other admins.
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. In the **Admins receiving billing notifications** section, select a name.
+3. In the right pane, add or update the primary and alternate email address as needed, then select **Save**.
+
+## Change your organization's contact email
+
+In addition to your Global and Billing admins, we send billing notifications to your organization's contact email address. To change the email address, use the following steps.
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. Under **Organization contact receiving billing notifications**, select the organization contact.
+3. In the right pane, type the email address that you want to use, then select **Save**.
+
+## Receive your organization's invoices as email attachments
+
+> [!NOTE]
+> Billing admins can also do the steps in this section.
+
+You can have a copy of your organization's invoice attached as a PDF file to invoice notification emails when a new invoice is ready. Use the following steps to receive invoices as attachments.
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
+2. Under **Billing notification settings**, select **Edit notification settings**.
+3. In the **Billing notification settings** pane, under **Attach a PDF to your invoice emails**, check the checkbox, then select **Save**.
+
+To stop receiving the invoice attachment at any time, follow the steps above and clear the **Attach a PDF to your invoice emails** checkbox in step 3.
+
+## What if I have a billing profile?
+
+If you have a billing profile, some of the steps described in this article might be slightly different for some of your subscriptions. This section describes those differences. [How do I know if I have a billing profile?](manage-billing-profiles.md)
+
+### Who receives Billing notifications?
+
+Billing notification emails are sent to the primary and alternate email addresses for users who are assigned one of the following roles:
+
+- Billing profile owner
+- Billing profile contributor
+- Invoice manager
+
+To learn more about billing profile roles and how to manage them, see [Understand Microsoft Customer Agreement administrative roles in Azure](https://docs.microsoft.com/azure/cost-management-billing/manage/understand-mca-roles).
+
+To change who receives your organizationΓÇÖs billing notifications, use the following steps to change the roles assigned to users.
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
+2. On the **Billing profile** tab, select a billing profile.
+3. In the **Billing profile roles** section, assign or remove roles for **Billing profile owner**, **Billing profile contributor**, or **Invoice manager**.
+
+### Receive invoices as email attachments
+
+To receive your invoices as attachments to your invoice notifications, use the following steps to turn on this setting for a specific billing profile.
+
+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
+2. Select the **Billing profiles** tab, then select a billing profile from the list.
+3. On the billing profile details page, under **Get invoices in email attachments**, switch the toggle to **On**.
+
+## Related content
+
+[View your bill or invoice](view-your-bill-or-invoice.md) (article)\
+[Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md) (article)\
+[Add users and assign licenses at the same time](../../admin/add-users/add-users.md) (article)
contentunderstanding Accessibility Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/accessibility-mode.md
For keyboard users using accessibility mode, if you are labeling text in an exam
- Tab: Moves you forward and selects the next word. - Tab + Shift: Moves you backwards and selects the previous word. - Enter: Label or removes a label from the selected word.-- Forward arrow: Moves you forward through individual characters in a selected word.-- Backward arrow: Moves you backward through individual characters in a selected word.
+- Right arrow: Moves you forward through individual characters in a selected word.
+- Left arrow: Moves you backward through individual characters in a selected word.
> [!NOTE] > If you are labeling multiple words for a single label, you need to label each word.
For Narrator users using accessibility mode, use the same keyboard navigation de
As you navigate through the sample documents and label string values, Narrator will give user the following audio prompts: - When you use the keyboard to navigate through the document viewer, Narrator audio will state the selected string.-- Within a selected string, Narrator audio will state each character in the string as you select them by using the forward or backward arrow.
+- Within a selected string, Narrator audio will state each character in the string as you select them by using the left or right arrow keys.
- If you select a string that has been labeled, Narrator will state the value and then "labeled". For example, if the label value is "Contoso", it will state "Costoso labeled". - In the training tab, if you select a string in the document viewer that has only been predicted, Narrator audio will state the value, and then "predicted". This occurs when training predicts a value in the file that does not match what has been labeled by the user. - In the training tab, if you select a string in the document viewer that has been labeled and predicted, Narrator audio will state the value, and then "labeled and predicted". This occurs when training is successful and there is a match between a predicted value and the user label.
contentunderstanding Create A Content Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-a-content-center.md
To create and manage document understanding models, you first need a content cen
You create a default content center during [setup](set-up-content-understanding.md). But a SharePoint admin can also choose to create additional centers as needed. While a single content center may be fine for environments for which you want a roll-up of all model activity, you may want to have additional centers for multiple departments within your organization, which may have different needs and permission requirements for their models. > [!NOTE]
-> A SharePoint admin can create a content center site like they would [create any other SharePoint site](https://docs.microsoft.com/sharepoint/create-site-collection) through the admin center site provisioning panel.
+> In a [Microsoft 365 Multi-Geo environment](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo), if you have a single default content center in your central location, you can only provide a roll-up of model activity from within that location. You currently cannot get a roll-up of model activity across farm-boundaries in Multi-Geo environment.
++
+## Create a content center
+
+A SharePoint admin can create a content center site like they would [create any other SharePoint site](https://docs.microsoft.com/sharepoint/create-site-collection) through the admin center site provisioning panel.
To create a new content center: 1. On the Microsoft 365 admin center, go to the SharePoint admin center.+ 2. On the SharePoint admin center, under **Sites**, select **Active Sites**.+ 3. On the **Active Sites** page, click **Create**, and then select **Other options**.+ 4. On the **Choose a template** menu, select **Content Center**.+ 5. For the new site, provide a **Site Name**, **Primary administrator**, and a **Language**.</br>
-> [!NOTE]
-> You can select a content center site to render in any of the available languages, but note that currently models can only be created for English files. Also note that like other site templates, the default site language isn't editable after the site is created.</br>
+ > [!NOTE]
+ > You can select a content center site to render in any of the available languages, but note that currently models can only be created for English files. Also note that like other site templates, the default site language isn't editable after the site is created.</br>
6. Select **Finished**.
contentunderstanding Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/form-processing-overview.md
An Office 365 admin needs to [enable Form processing](https://docs.microsoft.com
When using form processing models, make sure to note the [requirements and limitations for file usage](https://docs.microsoft.com/ai-builder/form-processing-model-requirements).
+### Multi-Geo environments
+
+When setting up SharePoint Syntex in a [Microsoft 365 Multi-Geo environment](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo), you can only configure it to use form processing in the central location. If you want to use form processing in a satellite location, contact Microsoft support.
++++ ## See Also
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
Prior to setup, make sure to plan for the best way to set up and configure conte
As an admin, you can also make changes to your selected settings anytime after setup, and throughout the content understanding management settings in the Microsoft 365 Admin Center.
+### Licensing
+
+To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each user must have the following licenses assigned:
+
+- SharePoint Syntex
+- SharePoint Syntex - SPO type
+- Common Data Service for SharePoint Syntex
+
+If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create or run document understanding or form processing models, and the content center template will no longer be available. Additionally, term store reports, SKOS taxonomy import, and Content type push will no longer be available. No content will be deleted and site permissions will not be changed.
+ ## To set up SharePoint Syntex 1. In the Microsoft 365 admin center, select **Setup**, and then view the **Files and content** section.
enterprise Assign Per User Skype For Business Online Policies With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-per-user-skype-for-business-online-policies-with-microsoft-365-powershell.md
Using PowerShell for Microsoft 365 is an efficient way to assign per-user commun
Use these instructions to get set up to run the commands (skip the steps you have already completed):
-1. Download and install the [Skype for Business Online Connector module](https://www.microsoft.com/download/details.aspx?id=39366).
+ > [!Note]
+ > Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector.
+
+1. Install the [Teams PowerShell module](https://docs.microsoft.com/microsoftteams/teams-powershell-install).
2. Open a Windows PowerShell command prompt and run the following commands:
-```powershell
-Import-Module LyncOnlineConnector
-$userCredential = Get-Credential
-$sfbSession = New-CsOnlineSession -Credential $userCredential
-Import-PSSession $sfbSession
-```
+ ```powershell
+ Import-Module MicrosoftTeams
+ Connect-MicrosoftTeams
+ ```
-When prompted, enter your Skype for Business Online administrator account name and password.
+ When prompted, enter your Skype for Business Online administrator account name and password.
## Updating external communication settings for a user account
This command sets the name of the external access policy assigned to Alex to a n
To manage large numbers of users (1000 or more), you need to batch the commands via a script block using the [Invoke-Command](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7) cmdlet. In previous examples, each time a cmdlet is executed, it must set up the call and then wait for the result before sending it back. When using a script block, this allows the cmdlets to be executed remotely, and once completed, send the data back. ```powershell
-Import-Module LyncOnlineConnector
-$sfbSession = New-CsOnlineSession
$users = Get-CsOnlineUser -Filter { ClientPolicy -eq $null } -ResultSize 500 $batch = 50
enterprise Connect To All Microsoft 365 Services In A Single Windows Powershell Window https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window.md
Follow these steps to connect to all the services in a single PowerShell window
> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector. ```powershell
- $sfboSession = New-CsOnlineSession -Credential $credential
- Import-PSSession $sfboSession
+ Import-Module MicrosoftTeams
+ $credential = Get-Credential
+ Connect-MicrosoftTeams -Credential $credential
``` 6. Run these commands to connect to Exchange Online.
Follow these steps to connect to all the services in a single PowerShell window
```powershell Import-Module MicrosoftTeams
- Connect-MicrosoftTeams
+ $credential = Get-Credential
+ Connect-MicrosoftTeams -Credential $credential
``` > [!Note] > To connect to Microsoft Teams clouds other than *Worldwide*, see [Connect-MicrosoftTeams](https://docs.microsoft.com/powershell/module/teams/connect-microsoftteams).
+
+ ### Azure Active Directory PowerShell for Graph module
Connect-AzureAD -Credential $credential
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://$orgName-admin.sharepoint.com -credential $credential #Skype for Business Online
-$sfboSession = New-CsOnlineSession -Credential $credential
-Import-PSSession $sfboSession
+Import-Module MicrosoftTeams
+Connect-MicrosoftTeams -Credential $credential
#Exchange Online Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -ShowProgress $true
Connect-ExchangeOnline -ShowProgress $true
Connect-IPPSSession -UserPrincipalName $acctName #Teams Import-Module MicrosoftTeams
-Connect-MicrosoftTeams
+Connect-MicrosoftTeams -Credential $credential
``` ### Microsoft Azure Active Directory Module for Windows PowerShell module
Connect-MsolService -Credential $credential
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://$orgName-admin.sharepoint.com -credential $credential #Skype for Business Online
-$sfboSession = New-CsOnlineSession -Credential $credential
-Import-PSSession $sfboSession
+Import-Module MicrosoftTeams
+Connect-MicrosoftTeams -Credential $credential
#Exchange Online Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -ShowProgress $true
Connect-ExchangeOnline -ShowProgress $true
Connect-IPPSSession -UserPrincipalName $acctName #Teams Import-Module MicrosoftTeams
-Connect-MicrosoftTeams
+Connect-MicrosoftTeams -Credential $credential
``` ## Connection steps when using multi-factor authentication
Connect-AzureAD
#SharePoint Online Connect-SPOService -Url https://$orgName-admin.sharepoint.com #Skype for Business Online
-$sfboSession = New-CsOnlineSession
-Import-PSSession $sfboSession
+Import-Module MicrosoftTeams
+Connect-MicrosoftTeams
#Exchange Online Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -UserPrincipalName $acctName -ShowProgress $true
Connect-MsolService
#SharePoint Online Connect-SPOService -Url https://$orgName-admin.sharepoint.com #Skype for Business Online
-$sfboSession = New-CsOnlineSession
-Import-PSSession $sfboSession
+Import-Module MicrosoftTeams
+Connect-MicrosoftTeams
#Exchange Online Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -UserPrincipalName $acctName -ShowProgress $true
enterprise Manage Skype For Business Online Policies With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-policies-with-microsoft-365-powershell.md
Use these instructions to get set up to run the commands (skip the steps you hav
```powershell Import-Module MicrosoftTeams $userCredential = Get-Credential
- $sfbSession = New-CsOnlineSession -Credential $userCredential
- Import-PSSession $sfbSession
+ Connect-MicrosoftTeams -Credential $userCredential
``` When prompted, enter your Skype for Business Online administrator account name and password.
enterprise Manage Skype For Business Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell.md
Install the [Teams PowerShell module](https://docs.microsoft.com/microsoftteams/
```powershell Import-Module MicrosoftTeams $userCredential = Get-Credential
- $sfbSession = New-CsOnlineSession -Credential $userCredential
- Import-PSSession $sfbSession
+ Connect-MicrosoftTeams -Credential $userCredential
``` 2. In the **Windows PowerShell Credential Request** dialog box, type your administrator account name and password, and then select **OK**.
Install the [Teams PowerShell module](https://docs.microsoft.com/microsoftteams/
```powershell Import-Module MicrosoftTeams
- $sfbSession = New-CsOnlineSession
- Import-PSSession $sfbSession
+ Connect-MicrosoftTeams
```
-2. When prompted by the **New-CsOnlineSession** command, enter your Skype for Business Online administrator account name.
+2. When prompted enter your Skype for Business Online administrator account name.
3. In the **Sign in to your account** dialog box, type your Skype for Business Online administrator password and select **Sign in**.
enterprise Ms Cloud Germany Transition Add Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-experience.md
If you're using a hybrid, on-premises deployment:
|Stop or delete any onboarding or offboarding moves of mailboxes. | This ensures the move requests don't fail with an error. | Exchange Online customers with hybrid (on-premises) deployments | Required action. Failure to do so may result in failure of the service or of software clients. | |||||
-### Dynamics (Phase 8 of 9)
-
-| Step(s) | Description | Applies to | Impact |
-|:-|:--|:-|:-|
-| Microsoft Dynamics resources | Customers with Microsoft Dynamics will be engaged by Engineering or FastTrack to transition Dynamics to the Office 365 services instance.* | Microsoft Dynamics 365 customers | - After migration, the admin validates the organization. <br><br> - The admin modifies workflows, as necessary. <br><br> - The admin clears AdminOnly mode as appropriate. <br><br> - The admin changes the organization type from _Sandbox_, as appropriate <br><br> - Notify end users of the new URL to access the instance (org). <br><br> - Update any inbound connections to the new endpoint URL. <br><br> - The Dynamics service will be unavailable to users during the transition. <br><br> - Users are required to validate the org health and features after migration of each org. |
-|||||
-
-\* (i) Customers with Microsoft Dynamics 365 must take action in this migration scenario as defined by the migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
--
-### Power BI (Phase 8 of 9)
-
-| Step(s) | Description | Applies to | Impact |
-|:-|:--|:-|:-|
-| Migration of Power BI resources | Customers with Microsoft Power BI will be engaged by Engineering or FastTrack after manually triggering an existing PBI migration tool to transition Power BI to the Office 365 services instance.\*\* | Microsoft Power BI customers | - The following Power BI items will _not_ be transitioned, and they'll have to be re-created: <br><br> - Real-time datasets (for example, streaming or push datasets). <br> - Power BI on-premises data gateway configuration and data source. <br> - Reports built on top of the real-time datasets won't be available after migration and are required to be recreated. <br><br> - Power BI services will be unavailable to users during the transition. The unavailability of the service shouldn't be more than 24 hours. <br><br> - Users will be required to reconfigure data sources and their on-premise data gateways with the Power BI service after migration. Until they do so, users will be unable to use these data sources to perform scheduled refresh and/or direct queries against these data sources. <br><br> - Capacities and premium workspaces cannot be migrated. Customers need to delete all capacities before migration and re-create them after migration. Move workspaces back to capacities as desired. |
-|||||
-
-\*\*
- (i) Customers with Microsoft Power BI must take action in this migration scenario as defined by the Migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
--- ## During migration ### SharePoint Online (Phase 4 of 9)
For eDiscovery:
### Azure AD (Phase 9 of 9)
-For hybrid:
+For hybrid Azure customers:
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-| | Update Azure AD Connect. | After the cut over to Azure AD is complete, the organization is fully using Office 365 services and is no longer connected to Microsoft Cloud Deutschland. At this point, the customer needs to ensure that the delta sync process has been finalized, and after that, change the string value of `AzureInstance` from 3 (Microsoft Cloud Deutschland) to 0 in the registry path `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect`. | Hybrid Azure ADΓÇôconnected organizations | Change the value of `AzureInstance`, the registry key. Failing to do so, will lead to objects not being synchronized after the Microsoft Cloud Deutschland endpoints are no longer available. | |||||
-For federated authentication:
+For customers utilizing federated authentication:
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
For Azure AD:
| Requests to join an Azure AD group in the last 30 days before migration will need to be requested again if the original request wasn't approved. | End-user customers will need to use the Access panel to submit request to join an Azure AD group again if those requests weren't approved in the last 30 days before the migration. | End users whose Azure AD group approval requests weren't approved in last 30 days before migration | As an end user: <ol><li>Navigate to [Access panel](https://account.activedirectory.windowsazure.com/r#/joinGroups).</li><li>Find an Azure AD group for which membership approval was pending in 30 days before migration.</li><li>Request to join the Azure AD group again.</li></ol> Requests to join a group that are active less than 30 days before migration cannot be approved, unless they're re-requested after migration. | |||||
-For DNS:
+For customer managed DNS zones:
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Title: "Migration phases actions and impacts for the migration from Microsoft Cl
Previously updated : 01/26/2021 Last updated : 03/05/2021 audience: ITPro
description: "Summary: Understand the migration phases actions and impacts of mo
# Migration phases actions and impacts for the migration from Microsoft Cloud Deutschland (general)
-Tenant migrations from Microsoft Cloud Deutschland to the Germany region of Microsoft's Office 365 services are executed as a set of phases and their configured actions for each workload. This figure shows the nine phases of migration to the new German datacenters.
+Tenant migrations from Microsoft Cloud Deutschland to the Germany region of Microsoft's Office 365 services are executed as a set of phases and their configured actions for each workload. This figure shows the nine phases of migration to the new German datacenters.
![The nine phases of migration to the new Germany datacenters](../media/ms-cloud-germany-migration-opt-in/migration-organization.png)
+The migration process will complete over many weeks depending on the overall size and complexity of the organization. While the migration is underway, users and administrators are able to continue utilizing the services with notable changes detailed in this documentation. The graphic and table define phases and steps during the migration.
+
+|Step|Duration|Responsible party|Description|
+|:--|:--|:--|:--|
+|Opt-In|Hours|Customer|Opt your organization into the migration.|
+|Pre-Work|Days|Customer|Complete the work needed to prepare users, workstations, and network for migration.|
+|Azure Active Directory (Azure AD)|1-2 days|Microsoft|Migrate Azure AD organization to worldwide.|
+|Azure|Weeks|Customer|Create new worldwide Azure subscriptions and transition Azure services.|
+|Subscription & License Transition|1-2 days|Microsoft|Purchase worldwide subscriptions, cancel Microsoft Cloud Deutschland subscriptions, and transition user licenses.|
+|SharePoint and OneDrive|15+ days|Microsoft|Migrate SharePoint and OneDrive for Business content, persisting sharepoint.de URLs.|
+|Exchange Online|15+ days|Microsoft|Migrate Exchange Online content and transition to worldwide URLs.|
+|Security & Compliance|1-2 days|Microsoft|Transition security & compliance policies and content.|
+|Skype for Business|1-2 days|Microsoft|Transition from Skype for Business to Microsoft Teams.|
+|Power BI & Dynamics 365|15+ days|Microsoft|Migrate Power BI and Dynamics 365 content.|
+|Finalize Azure AD|1-2 days|Microsoft|Complete tenant cutover to worldwide.|
+|Clean-Up|1-2 days|Customer|Clean up legacy connections to Microsoft Cloud Deutschland, such as Active Directory Federation Services (AD FS) Relying Party Trust, Azure AD Connect, and Office client restarts.|
+ The phases and their actions ensure that critical data and experiences are migrated to the Office 365 services. After your tenant is added to the migration queue, each workload will be completed as a set of steps that are executed on the backend service. Some workloads may require actions by the administrator (or user), or the migration may affect usage for the phases that are executed and discussed in [How is the migration organized?](ms-cloud-germany-transition.md#how-is-the-migration-organized) The following sections contain actions and effects for workloads as they progress through various phases of the migration. Review the tables and determine which actions or effects are applicable to your organization. Ensure that you're prepared to execute the steps in the respective phases as required. Failure to complete necessary steps may result in service outage and might delay completion of the migration to the Office 365 services.
+## Opt-In
+| Step(s) | Description | Impact |
+|:-|:--|:-|
+| We can't migrate customers without consent. | Microsoft gains the right to migrate in one of two ways, which enables Microsoft to orchestrate the transition of data and services to the Office 365 services instance. <br> The admin opts-in to the Microsoft-driven migration. <br> Customers renew any subscriptions in their Microsoft Cloud Deutschland tenant after May 1, 2020. We'll notify these customers of the migration right each month, wait 30 days to give customers a chance to cancel, and then directly opt-in, tracked in ICM. | All Office Customers | - Tenant is marked as consented for migration, and Admin Center displays confirmation. <br><br> - Acknowledgment is posted to Cloud Germany Message Center Tenant. Service configuration continues from Microsoft Cloud Deutschland endpoints. <br><br> - Monitor Message Center for updates on Migration phase status. |
++
+## Subscription (Phase 3)
+
+| Step(s) | Description | Applies to | Impact |
+|:-|:--|:-|:-|
+| Subscriptions are transferred, and licenses are reassigned. | After the tenant is transitioned to Office 365 services, corresponding Office 365 services subscriptions are purchased for the transferred Microsoft Cloud Deutschland subscriptions. Users with assigned Microsoft Cloud Deutschland licenses will be assigned Office 365 services licenses. Legacy Microsoft Cloud Deutschland subscriptions are removed from the Office 365 services tenant on completion. | All Office customers | - Changes to existing subscriptions will be blocked (for example, no new subscription purchases or seat count changes) during this phase. <br><br> - License assignment changes will be blocked. <br><br> - The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 services subscription. The Office 365 services offer of that subscription is defined by Microsoft (also known as _Offer mapping_). <br><br> - The number of features (service plans) offered by Office 365 services can be larger than in the original Microsoft Cloud Deutschland offer. User licenses in Office 365 services will be equivalently assigned to similar Microsoft Cloud Deutschland features (service plans). User licenses of all users will be automatically assigned to the new features. The admin needs to take an explicit action to disable those licenses, if needed. <br><br> - When subscription migration is complete, both Office 365 services and Germany subscriptions will be visible in the Office 365 Admin Portal, with the status of Germany subscriptions as _deprovisioned_. <br><br> - Users will be reassigned licenses that are tied to the new Office 365 services subscriptions. Any customer processes that have dependencies on Germany subscriptions or SKU GUIDs will be broken and need to be revised with the Office 365 services offering. <br><br> - New subscriptions in the Office 365 services will be purchased with the new term (monthly/quarterly/yearly), and the customer will receive a prorated refund for the unused balance of the Microsoft Cloud Deutschland subscription. <br><br> - Partner Microsoft Cloud Deutschland tenants won't be migrated. CSP customers will be migrated to Office 365 services under the new Office 365 services tenant of the same partner. After customer migration, the partner can manage this customer only from the Office 365 services tenant. <br><br> - Additional functionality is available (for example, Microsoft Planner and Microsoft Flow), unless disabled by tenant admin. For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md). |
+|||||
++ ## SharePoint Online (Phase 4) **Applies to**: SharePoint Online+ | Step(s) | Description | Impact | |:-|:--|:-|
-| SharePoint and OneDrive are transitioned | SharePoint Online and OneDrive for Business are migrated from Microsoft Cloud Deutschland to Office 365 Global services in this phase.<br><ul><li>Existing Microsoft Cloud Deutschland URLs are preserved (for example, `contoso.sharepoint.de`).</li><li>Existing sites are preserved.</li><li>Client side authentication tokens that were issued by the Security Token Service (STS) in the Microsoft Cloud Deutschland or Office 365 Global services instance are valid during the transition.</li></ul>|<ul><li>Content will be read-only for two brief periods during migration. During this time, expect a "you can't edit content" banner in SharePoint.</li><li>The search index won't be preserved, and may take up to 10 days to be rebuilt.</li><li>SharePoint Online and OneDrive for Business content will be read-only for two brief periods during migration. Users will see a "you can't edit content" banner briefly during this time.</li><li>Upon completion of the SharePoint Online migration, the search results for SharePoint Online and OneDrive for Business content may be unavailable while the index is rebuilt. During this period, search queries might not return complete results. Features that are dependent on search indexes, such as SharePoint Online News, may be affected while reindexing completes.</li></ul>|
+| SharePoint and OneDrive are transitioned | SharePoint Online and OneDrive for Business are migrated from Microsoft Cloud Deutschland to Office 365 Global services in this phase.<br><ul><li>Existing Microsoft Cloud Deutschland URLs are preserved (for example, `contoso.sharepoint.de`).</li><li>Existing sites are preserved.</li><li>Client-side authentication tokens that were issued by the Security Token Service (STS) in the Microsoft Cloud Deutschland or Office 365 Global services instance are valid during the transition.</li></ul>|<ul><li>Content will be read-only for two brief periods during migration. During this time, expect a "you can't edit content" banner in SharePoint.</li><li>The search index won't be preserved, and may take up to 10 days to be rebuilt.</li><li>SharePoint Online and OneDrive for Business content will be read-only for two brief periods during migration. Users will see a "you can't edit content" banner briefly during this time.</li><li>Upon completion of the SharePoint Online migration, the search results for SharePoint Online and OneDrive for Business content may be unavailable while the index is rebuilt. During this period, search queries might not return complete results. Features that are dependent on search indexes, such as SharePoint Online News, may be affected while reindexing completes.</li></ul>|
|||| Additional considerations:
Additional considerations:
**Applies to:** Exchange Online
-If you're using Exchange Online hybrid: Exchange Online Hybrid customers must execute the Hybrid Configuration wizard (HCW) multiple times as part of this transition. <br>
-As described in the migration [prework](ms-cloud-germany-transition-add-pre-work.md#Exchange-Online-Hybrid-configuration), **before the migration step phase 5 begins,** Exchange Online hybrid customers need to run the latest version of the HCW in Office 365 Germany mode to prepare the on-premises configuration for the migration to Office 365 global.
+If you're using Exchange Online hybrid: Exchange Online Hybrid customers must execute the Hybrid Configuration wizard (HCW) multiple times as part of this transition.
+
+As described in the migration [prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online), **before the migration step phase 5 begins,** Exchange Online hybrid customers need to run the latest version of the HCW in Office 365 Germany mode to prepare the on-premises configuration for the migration to Office 365 global.
Upon **completion of the migration phase 5** (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global service. Additional DNS updates may be required if you use custom domains. + | Step(s) | Description | Impact | |:-|:-|:-| | Exchange Online mailboxes are moved from Microsoft Cloud Deutschland to Office 365 Global services.| Exchange Online configuration adds the new go-local German region to the transitioning organization. The Office 365 Global services region is set as default, which enables the internal load-balancing service to redistribute mailboxes to the appropriate default region in Office 365 services. In this transition, users on either side (Germany or Global services) are in the same organization and can use either URL endpoint. |<ul><li>Transition users and services from your legacy Germany URLs (outlook.office.de) to new Office 365 services URLs (`https://outlook.office365.com`).</li><li>Users may continue to access the service through legacy Germany URLs during the migration, however they need to stop using the legacy URLs on completion of the migration.</li><li>Users should transition to using the worldwide Office portal for Office Online features (Calendar, Mail, People). Navigation to services that aren't yet migrated to Office 365 services won't function until they are migrated. </li><li>The Outlook Web App won't provide the public folder experience during migration. </li></ul>|
Upon **completion of the migration phase 5** (when the Message Center notice is
Additional considerations: -- `myaccount.msft.com` will only work after the cutover of Office 365. Links will produce "something went wrong" error messages until that time.
+- `myaccount.microsoft.com` will only work after the cutover of Office 365. Links will produce "something went wrong" error messages until that time.
- Users of Outlook Web App that access a shared mailbox in the other environment (for example, a user in the Germany environment accesses a shared mailbox in the global environment) will be prompted to authenticate a second time. The user must first authenticate and access their mailbox in `outlook.office.de`, then open the shared mailbox that is in `outlook.office365.com`. They'll need to authenticate a second time when accessing the shared resources that are hosted in the other service.
Additional considerations:
To find out more about the differences for organizations in migration and after Exchange Online resources are migrated, review the information in [Customer experience during the migration to Office 365 services in the new German datacenter regions](ms-cloud-germany-transition-experience.md).
-## Exchange Online Protection (Phase 6)
+## Exchange Online Protection / Security and Compliance (Phase 6)
Back-end Exchange Online Protection (EOP) features are copied to new Germany region.
Back-end Exchange Online Protection (EOP) features are copied to new Germany reg
| Migration of Skype for Business to Teams. | Existing Skype for Business customers are migrated to Office 365 services in Europe and then transitioned to Microsoft Teams in the Germany region of Office 365 services. | Skype for Business customers | - Users won't be able to sign in to Skype for Business on the migration date. Ten days before migration, we'll post to the Admin center to let you know about when the migration will take place, and again when we begin the migration. <br><br> - Policy configuration is migrated. <br><br> - Users will be migrated to Teams and will no longer have Skype for Business after migration. <br><br> - Users must have the Teams desktop client installed. Installation will happen during the 10 days via policy on the Skype for Business infrastructure, but if this fails, users will still need to download the client or connect with a supported browser. <br><br> - Contacts and meetings will be migrated to Teams. <br><br> - Users won't be able to sign in to Skype for Business between time service transitions to Office 365 services, and not until customer DNS entries are completed. <br><br> - Contacts and existing meetings will continue to function as Skype for Business meetings. | |||||
-## Office Apps (Phase 8)
+## Dynamics 365 (Phase 8)
+Customers with Dynamics 365 require additional engagement to migrate the organization's Dynamics organizations independently.
+
+| Step(s) | Description | Applies to | Impact |
+|:-|:--|:-|:-|
+| Microsoft Dynamics resources | Customers with Microsoft Dynamics will be engaged by Engineering or FastTrack to transition Dynamics to the Office 365 services instance.* | Microsoft Dynamics 365 customers | - After migration, the admin validates the organization. <br><br> - The admin modifies workflows, as necessary. <br><br> - The admin clears AdminOnly mode as appropriate. <br><br> - The admin changes the organization type from _Sandbox_, as appropriate <br><br> - Notify end users of the new URL to access the instance (org). <br><br> - Update any inbound connections to the new endpoint URL. <br><br> - The Dynamics service will be unavailable to users during the transition. <br><br> - Users are required to validate the org health and features after migration of each org. |
+|||||
+
+\*
+(i) Customers with Microsoft Dynamics 365 must take action in this migration scenario as defined by the migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
++
+## Power BI (Phase 8 of 9)
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
-| Clients, Office Online during Office client cutover, Azure AD finalizes the tenant scope to point to the Office 365 services. | This configuration change enables Office clients to update and point to the Office 365 services endpoints. | All Office customers | - Notify users to close _all_ Office apps and then sign back in (or force clients to restart and users to sign in) to enable Office clients to pick up the change. <br><br> - Notify users and help desk staff that users *may* see an Office banner that prompts them to reactivate Office apps within 72 hours of the cutover. <br><br> - All Office applications on personal machines must be closed, and users must sign out then sign in again. In the Yellow activation bar, sign in to reactivate against Office 365 services. <br><br> - Shared machines will require actions that are similar to personal machines, and won't require a special procedure. <br><br> - On mobile devices, users must sign out of apps, close them, and then sign in again. |
+| Migration of Power BI resources | Customers with Microsoft Power BI will be engaged by Engineering or FastTrack after manually triggering an existing PBI migration tool to transition Power BI to the Office 365 services instance.\*\* | Microsoft Power BI customers | - The following Power BI items will _not_ be transitioned, and they'll have to be re-created: <br><br> - Real-time datasets (for example, streaming or push datasets). <br> - Power BI on-premises data gateway configuration and data source. <br> - Reports built on top of the real-time datasets won't be available after migration and are required to be recreated. <br><br> - Power BI services will be unavailable to users during the transition. The unavailability of the service shouldn't be more than 24 hours. <br><br> - Users will be required to reconfigure data sources and their on-premise data gateways with the Power BI service after migration. Until they do so, users will be unable to use these data sources to perform scheduled refresh and/or direct queries against these data sources. <br><br> - Capacities and premium workspaces cannot be migrated. Customers need to delete all capacities before migration and re-create them after migration. Move workspaces back to capacities as desired. |
|||||
-## Office Services
+\*\*
+ (i) Customers with Microsoft Power BI must take action in this migration scenario as defined by the Migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
-The most recently used (MRU) service in Office is a cutover from the Germany service to Office 365 services, not a migration. Only MRU links from the Office 365 services side will be visible after migration from the Office.com portal. MRU links from the Germany service aren't visible as MRU links in Office 365 services. In Office 365, MRU links are accessible only after the tenant migration is complete.
-## Subscription
+## Office Apps
+Office customers transitioning to the Germany region are required to close and sign out and back in for all Office applications (Word, PowerPoint, Outlook, etc.) and OneDrive for Business client after the migration is complete. Signing out and in, allows the Office services to obtain new authentication tokens from the global Azure AD service.
+
| Step(s) | Description | Applies to | Impact | |:-|:--|:-|:-|
-| We can't migrate customers without consent. | Microsoft gains the right to migrate in one of two ways, which enables Microsoft to orchestrate the transition of data and services to the Office 365 services instance. <br> The admin opts-in to the Microsoft-driven migration. <br> Customers renew any subscriptions in their Microsoft Cloud Deutschland tenant after May 1, 2020. We'll notify these customers of the migration right each month, wait 30 days to give customers a chance to cancel, and then directly opt-in, tracked in ICM. | All Office Customers | - Tenant is marked as consented for migration, and Admin Center displays confirmation. <br><br> - Acknowledgment is posted to Cloud Germany Message Center Tenant. Service configuration continues from Microsoft Cloud Deutschland endpoints. <br><br> - Monitor Message Center for updates on Migration phase status. |
-| Subscriptions are transferred, and licenses are reassigned. | After the tenant is transitioned to Office 365 services, corresponding Office 365 services subscriptions are purchased for the transferred Microsoft Cloud Deutschland subscriptions. Users with assigned Microsoft Cloud Deutschland licenses will be assigned Office 365 services licenses. Legacy Microsoft Cloud Deutschland subscriptions are removed from the Office 365 services tenant on completion. | All Office customers | - Changes to existing subscriptions will be blocked (for example, no new subscription purchases or seat count changes) during this phase. <br><br> - License assignment changes will be blocked. <br><br> - The Microsoft Cloud Deutschland subscription will be migrated to corresponding Office 365 services subscription. The Office 365 services offer of that subscription is defined by Microsoft (also known as _Offer mapping_). <br><br> - The number of features (service plans) offered by Office 365 services can be larger than in the original Microsoft Cloud Deutschland offer. User licenses in Office 365 services will be equivalently assigned to similar Microsoft Cloud Deutschland features (service plans). User licenses of all users will be automatically assigned to the new features. The admin needs to take an explicit action to disable those licenses, if needed. <br><br> - When subscription migration is complete, both Office 365 services and Germany subscriptions will be visible in the Office 365 Admin Portal, with the status of Germany subscriptions as _deprovisioned_. <br><br> - Users will be reassigned licenses that are tied to the new Office 365 services subscriptions. Any customer processes that have dependencies on Germany subscriptions or SKU GUIDs will be broken and need to be revised with the Office 365 services offering. <br><br> - New subscriptions in the Office 365 services will be purchased with the new term (monthly/quarterly/yearly), and the customer will receive a prorated refund for the unused balance of the Microsoft Cloud Deutschland subscription. <br><br> - Partner Microsoft Cloud Deutschland tenants won't be migrated. CSP customers will be migrated to Office 365 services under the new Office 365 services tenant of the same partner. After customer migration, the partner can manage this customer only from the Office 365 services tenant. <br><br> - Additional functionality is available (for example, Microsoft Planner and Microsoft Flow), unless disabled by tenant admin. For information about how to disable service plans that are assigned to users' licenses, see [Disable access to Microsoft 365 services while assigning user licenses](disable-access-to-services-while-assigning-user-licenses.md). |
+| Clients, Office Online during Office client cutover, Azure AD finalizes the tenant scope to point to the Office 365 services. | This configuration change enables Office clients to update and point to the Office 365 services endpoints. | All Office customers | - Notify users to close _all_ Office apps and then sign back in (or force clients to restart and users to sign in) to enable Office clients to pick up the change. <br><br> - Notify users and help desk staff that users *may* see an Office banner that prompts them to reactivate Office apps within 72 hours of the cutover. <br><br> - All Office applications on personal machines must be closed, and users must sign out then sign in again. In the Yellow activation bar, sign in to reactivate against Office 365 services. <br><br> - Shared machines will require actions that are similar to personal machines, and won't require a special procedure. <br><br> - On mobile devices, users must sign out of apps, close them, and then sign in again. |
|||||
+## Office Services
+
+The most recently used (MRU) service in Office is a cutover from the Germany service to Office 365 services, not a migration. Only MRU links from the Office 365 services side will be visible after migration from the Office.com portal. MRU links from the Germany service aren't visible as MRU links in Office 365 services. In Office 365, MRU links are accessible only after the tenant migration is complete.
++ ## Next step [Perform additional pre-work](ms-cloud-germany-transition-add-pre-work.md)
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/index.md
Now that you've enrolled in the service, follow these steps to confirm admin con
> This is the recommended order to follow, but you do have some flexibility in the sequence. 1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
+2. [Adjust settings after enrollment](conditional-access.md)
3. [Assign licenses](assign-licenses.md) 4. [Deploy Intune Company Portal](company-portal.md) 5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
security Advanced Hunting Schema Changes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-schema-changes.md
Naming changes are automatically applied to queries that are saved in the securi
## February 2021
-1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, we deprecated the `MalwareFilterVerdict`and `PhishFilterVerdict` columns and replaced them with the `ThreatTypes` column. We also deprecated the `MalwareDetectionMethod` and `PhishDetectionMethod` columns and replaced them with the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
+1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict`and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
| Table name | Original column name | New column name | Reason for change |--|--|--|--|
Naming changes are automatically applied to queries that are saved in the securi
| `EmailEvents` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
-2. In the `EmailAttachmentInfo` and `EmailEvents` tables, we added the column `ThreatNames` to give more information about the email threat. This column contains values like Spam or Phish.
+2. In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
-3. In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, we replaced the `DeviceObjectId` column with `AadDeviceId` based on customer feedback.
+3. In the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table, the `DeviceObjectId` column was replaced by the `AadDeviceId` column based on customer feedback.
-4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, we updated several ActionType names to better reflect the description of the action. Details can be found below.
+4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
| Table name | Original ActionType name | New ActionType name | Reason for change |--|--|--|--|
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-365-security-center-mde.md
Microsoft Defender for Endpoint in the Microsoft 365 security center supports [g
> [!IMPORTANT] > What you see in the Microsoft 365 security center depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.
+>[!Note]
+>The new unified portal is not available for:
+>US Government Community Cloud (GCC)
+>US Government Community Cloud High (GCC High)
+>US Department of Defense
+>All US government institutions with commercial licenses
+ Take a look at the improved Microsoft 365 security center: [https://security.microsoft.com](https://security.microsoft.com). Learn more about the benefits: [Overview of the Microsoft 365 security center](overview-security-center.md)
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/whats-new.md
The following features are generally available (GA) in the latest release of Mic
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: ```http
-https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Threat+Protection%22&locale=en-us
+https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us
``` ## February 2021
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
Select from 4 different techniques, curated from the [MITRE ATT&CK® framework](
- **Malware attachment** adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device. - **Link in attachment** is a type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest. - **Link to malware** will run some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file. Opening the file and help the attacker compromise the target's device.
+- **Drive-by URL** is where the malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code code on the user's device.
> [!TIP] > Clicking on **View details** within the description of each technique will display further information and the simulation steps for the technique.
security Email Validation And Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-validation-and-authentication.md
As of March 2018, only 9% of domains of companies in the Fortune 500 publish str
The proportion of small-to-medium sized companies that publish strong email authentication policies is smaller. And the number is even smaller for email domains outside North America and western Europe.
-Lack of strong email authentication policies is a large problem. W while organizations might not understand how email authentication works, attackers fully understand, and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses *implicit email authentication* to check inbound email.
+Lack of strong email authentication policies is a large problem. While organizations might not understand how email authentication works, attackers fully understand, and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses *implicit email authentication* to check inbound email.
Implicit email authentication is an extension of regular email authentication policies. These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies will be marked as spoof.
security Report Junk Email And Phishing Scams In Outlook For Ios And Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-for-iOS-and-Android.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](office-365-atp.md) - [Microsoft 365 Defender](../mtp/microsoft-threat-protection.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using [hybrid modern authentication](../../enterprise/hybrid-modern-auth-overview.md), you can use the built-in reporting options in Outlook for iOS and Android to submit false positives (good email marked as spam), false negatives (bad email allowed), and phishing messages to Exchange Online Protection (EOP).
+In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using [hybrid modern authentication](../../enterprise/hybrid-modern-auth-overview.md), you can submit false positives (good email marked as spam), false negatives (bad email allowed), and phishing messages to Exchange Online Protection (EOP).
## What do you need to know before you begin
In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises
- For more information about reporting messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md). > [!NOTE]
- > If junk email reporting is disabled for Outlook in the user submission policy, junk or phishing messages will be moved to the Junk folder and not reported to your admin or Microsoft.
+ > If junk email reporting is disabled for Outlook in the user submission policy, junk or phishing messages will be moved to the Junk folder and not reported to your admin or Microsoft.
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
The rest of this article describes the settings that are available in anti-phish
The following policy settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365: -- **Name**: You can't rename the default anti-phishing policy, but you can name and rename custom policies that you create.
+- **Name**: You can't rename the default anti-phishing policy. After you create a custom anti-phishing policy, you can't rename the policy in the Security & Compliance Center.
- **Description** You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create.
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
This article describes how to configure entries in the Tenant Allow/Block List i
- You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:
- ```dos
+ ```console
certutil.exe -hashfile "<Path>\<Filename>" SHA256 ```
This article describes how to configure entries in the Tenant Allow/Block List i
- The Tenant Allow/Block List allows a maximum of 500 entries for URLs, and 500 entries for file hashes. -- An entry should be active within 15 minutes.
+- The maximum number of characters for each entry is:
+ - File hashes = 64
+ - URL = 250
+
+- An entry should be active within 30 minutes.
- By default, entries in the Tenant Allow/Block List will expire after 30 days. You can specify a date or set them to never expire.
This article describes how to configure entries in the Tenant Allow/Block List i
For more information, see [Permissions in Exchange Online](https://docs.microsoft.com/exchange/permissions-exo/permissions-exo).
- **Notes**:
-
- - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- - The **View-Only Organization Management** role group in [Exchange Online](https://docs.microsoft.com/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - The **View-Only Organization Management** role group in [Exchange Online](https://docs.microsoft.com/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
## Use the Security & Compliance Center to create URL entries in the Tenant Allow/Block List
For details about the syntax for URL entries, see the [URL syntax for the Tenant
- Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entries.
- or
+ or
- Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
You can't modify the existing blocked URL or file values within an entry. To mod
- Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entry.
- or
+ or
- Move the toggle to the right to configure the entry to never expire: ![Toggle on](../../media/scc-toggle-on.png).
New-TenantAllowBlockListItems -ListType <Url | FileHash> -Block -Entries <String
This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days. ```powershell
-New-TenantAllowBlockListItem -ListType Url -Block -Entries ~contoso.com
+New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
``` This example adds a block file entry for the specified files that never expires. ```powershell
-New-TenantAllowBlockListItem -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
+New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
``` For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](https://docs.microsoft.com/powershell/module/exchange/new-tenantallowblocklistitems).
solutions Configure Teams Highly Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md
To create a sensitivity label
17. Click **Next**. 18. On the **Define external sharing and device access settings** page, select **Control external sharing from labeled SharePoint sites**. 19. Under **Content can be shared with**, choose **New and existing guests** if you're allowing guest access or **Only people in your organization** if not.
-20. Under **Access from unmanaged devices**, choose **Block access**.
+20. Under **Access from unmanaged devices**, choose **Block access**. (If you're allowing guests and they don't have managed devices, you may want to choose **Allow limited, web-only access**.)
21. Click **Next**. 22. On the **Auto-labeling for database columns** page, click **Next**. 23. Click **Create label**, and then click **Done**.
solutions Configure Teams Three Tiers Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-three-tiers-protection.md
See the following references to create a secure and productive guest sharing env
For the sensitive and highly sensitive tiers, we restrict access to SharePoint content with sensitivity labels. Azure AD conditional access offers many options for determining how people access Microsoft 365, including limitations based on location, risk, device compliance, and other factors. We recommend you read [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) and consider which additional policies might be appropriate for your organization.
+Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.
+ ## Next step Start by [configuring the baseline level of protection](configure-teams-baseline-protection.md). If needed you can add [sensitive protection](configure-teams-sensitive-protection.md) and [highly sensitive protection](configure-teams-highly-sensitive-protection.md) on top of the baseline.