Updates from: 04/12/2022 02:02:46
Category Microsoft Docs article Related commit history on GitHub Change details
admin Active Users Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/active-users-ww.md
For example, you can use the **Active Users** report to find out how many produc
## How to get to the Active Users report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Services card.
+2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Services card.
## Interpret the Active Users report
The Activity chart shows you daily activity count in the reporting period separa
The Services chart shows you count of users by activity type and Service. - On the Users chart, the x axis shows the selected reporting time period and the y axis displays the daily active users separated and color coded by license type.
-On the Activity chart, the x axis shows the selected reporting time period and the y axis displays the daily activity count separated and color coded by license type.
+On the Activity chart, the x axis shows the selected reporting time period and the y axis displays the daily activity count separated and color coded by license type.
On the Services activity chart, the X axis displays the individual services your users are enabled for in the given time period and the Y axis is the Count of users by activity status, color coded by activity status. - You can filter the series you see on the chart by selecting an item in the legend. Changing this selection doesn't change the info in the grid table.
On the Services activity chart, the X axis displays the individual services your
- You can change what information is displayed in the grid table with column controls. If your subscription is operated by 21Vianet, then you will not see Yammer. -- If your organization's policies prevents you from viewing reports where user information is identifiable, you can change the privacy setting for all these reports. Check out the **How do I hide user level details?** section in [Activity Reports in the Microsoft 365 admin center](activity-reports.md).
admin Browser Usage Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/browser-usage-report.md
The Microsoft 365 Reports dashboard shows you an activity overview across the pr
1. In the admin center, go to the **Reports** \> <b><a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a></b> page.
-2. From the dashboard homepage, click on the **View more** button on the Microsoft browser usage card.
+2. From the dashboard homepage, click on the **View more** button on the Microsoft browser usage card.
## How to notify users to upgrade their browser
admin Forms Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/forms-activity-ww.md
For example, you can understand the activity of every user licensed to use Micro
## How to get to the Forms activity report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Forms card.
+2. From the dashboard homepage, click on the **View more** button on the Forms card.
## Interpret the Forms activity report
admin Forms Pro Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/forms-pro-activity-ww.md
For example, you can understand the activity of every user licensed to use Micro
## How to get to the Dynamics 365 Customer Voice activity report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Dynamics 365 Customer Voice card.
+2. From the dashboard homepage, click on the **View more** button on the Dynamics 365 Customer Voice card.
## Interpret the Dynamics 365 Customer Voice activity report
admin Microsoft Office Activations Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-office-activations-ww.md
The Office Activation report gives you a view of which users have activated thei
## How to get to the Office activations report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Office activations card.
+2. From the dashboard homepage, click on the **View more** button on the Office activations card.
## Interpret the Office activations report
admin Microsoft Teams Device Usage Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-device-usage-preview.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
## How to get to the Microsoft Teams app usage report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams activity card.
+2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams activity card.
## Interpret the Microsoft Teams app usage report
admin Microsoft Teams Usage Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-usage-activity.md
ms.localizationpriority: medium -+ - M365-subscription-management - Adm_O365 - Adm_NonTOC
description: "Learn how to get the Microsoft Teams usage activity report and gai
# Microsoft 365 Reports in the admin center - Microsoft Teams usage activity
-The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). <br/>
+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
-The brand-new **Teams usage report** gives you an overview of the usage activity in Teams, including the number of active users, channels and messages so you can quickly see how many users across your organization are using Teams to communicate and collaborate. It also includes other Teams specific activities, such as the number of active guests, meetings, and messages.
-
-<br/>![Microsoft 365 reports - Microsoft Teams activity report.](../../media/teams-usage.png)
+The brand-new **Teams usage report** gives you an overview of the usage activity in Teams, including the number of active users, channels and messages so you can quickly see how many users across your organization are using Teams to communicate and collaborate. It also includes other Teams specific activities, such as the number of active guests, meetings, and messages.
+![Microsoft 365 reports - Microsoft Teams activity report.](../../media/teams-usage.png)
## How to get to the Microsoft Teams usage activity report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the **Microsoft Teams activity** card.<br/>
-<br/>![Microsoft 365 reports - Microsoft Teams activity card.](../../media/teams-usage-card.png)<br/>
+2. From the dashboard homepage, click on the **View more** button on the **Microsoft Teams activity** card.
-3. On the **Microsoft Teams** reports page, select the **Teams Usage** tab.
+ ![Microsoft 365 reports - Microsoft Teams activity card.](../../media/teams-usage-card.png)<br/>
+3. On the **Microsoft Teams** reports page, select the **Teams Usage** tab.
## Interpret the Microsoft Teams usage activity report You can view the user activity in the Teams report by choosing the **Teams Usage** tab. This will display the following charts: -- **Channel usage**: Tracks the number of channel uses, by activity type, over time.<br/>
- <br/> ![Teams usage activity report - channel usage.](../../media/teams-usage-channel.png)<br/>
+- **Channel usage**: Tracks the number of channel uses, by activity type, over time.
-- **Team usage**: Tracks the number of teams, by type and activity, over time.<br/>
- <br/> ![Teams usage activity report - team usage.](../../media/teams-usage-usage.png)<br/>
+ ![Teams usage activity report - channel usage.](../../media/teams-usage-channel.png)
+
+- **Team usage**: Tracks the number of teams, by type and activity, over time.
+
+ ![Teams usage activity report - team usage.](../../media/teams-usage-usage.png)
Additionally, the chart includes usage details for individual teams, such as last activity date, active users, active channels, and other data.
-<br/>![Microsoft 365 reports - Microsoft Teams usage activity table.](../../media/teams-usage-table.png)
+![Microsoft 365 reports - Microsoft Teams usage activity table.](../../media/teams-usage-table.png)
+
+In the table, select **Choose columns** to add or remove columns from the report.
-In the table, select **Choose columns** to add or remove columns from the report. <br/> <br/>
![Teams usage activity report - choose columns.](../../media/teams-usage-columns.png) You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data. The exported format for **audio time**, **video time**, and **screen share time** follows ISO8601 duration format.
To ensure data quality, we perform daily data validation checks for the past thr
> [!Important] > Data for a given day will show up within 48 hours. For example, data for January 10th should show up in the report by January 12th. - ### Channel usage metrics The Channel usage chart shows data on the following metrics.
The Channel usage chart shows data on the following metrics.
|Item|Description| |:--|:--| |**Metric**|**Definition**|
-|Active channel users <br/> |This is the total of internal active users, active guests, and external active users. <br/><br/> **Internal active users** - Users that have at least one panel action in the specified time period. This excludes guests. <br/> **Active guests** - Guests that have at least one panel action in the specified time period. A guest is a person from outside your organization who accesses shared resources by signing in to a guest account in my directory. <br/> **External active user** - External participants that have at least one panel action in the specified time period. An external participant is a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory. <br/>|
-|Active channels <br/> |Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels. <br/> |
-|Channel messages <br/> |The number of unique messages that the user posted in a private chat during the specified time period. <br/> |
+|Active channel users|This is the total of internal active users, active guests, and external active users. <br/><br/> **Internal active users** - Users that have at least one panel action in the specified time period. This excludes guests. <br/> **Active guests** - Guests that have at least one panel action in the specified time period. A guest is a person from outside your organization who accesses shared resources by signing in to a guest account in my directory. <br/> **External active user** - External participants that have at least one panel action in the specified time period. An external participant is a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory.|
+|Active channels|Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels.|
+|Channel messages|The number of unique messages that the user posted in a private chat during the specified time period.|
### Team usage metrics
The Teams usage chart shows data on the following metrics.
|Item|Description| |:--|:--| |**Metric**|**Definition**|
-|Private teams <br/> |A private team that is either active or inactive. |
-|Public teams <br/> |A public team that is either active or inactive. |
-|Active private teams <br/> |A team that is private and active. |
-|Active public teams <br/> |A team that is public and active. |
+|Private teams|A private team that is either active or inactive.|
+|Public teams|A public team that is either active or inactive.|
+|Active private teams|A team that is private and active.|
+|Active public teams|A team that is public and active.|
### Teams details
Data for following metrics are available for individual teams.
|Item|Description| |:--|:--| |**Metric**|**Definition**|
-|Team ID <br/> |Team identifier <br/>|
-|Internal active users <br/> |Users that have at least one panel action in the specified time period including guests. <br/> <br/> Internal users and guests that reside in the same tenant. Internal users exclude guests. |
-|Active guests <br/> |Guests that have at least one panel action in the specified time period. <br/> <br/> A guest is defined as persons from outside your organization who accesses shared resources by signing in to a guest account in my directory. |
-|External active users <br/> |External participants that have at least one panel action in the specified time period.<br/><br/> An external participant is defined as a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory. |
-|Active channels <br/> |Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels. <br/> |
-|Active shared channels <br/> |Valid shared channels in active teams that have at least one active user in the specified time. <br/> <br/>A shared channel is defined as a Teams channel that can be shared with people outside the team. These people can be inside your organization or from other Azure AD organizations. |
-|Total organized meetings <br/> |The sum of one-time scheduled, recurring, ad hoc and unclassified meetings a user organized during the specified time period. <br/>|
-|Posts <br/> |Count of all the post messages in channels in the specified time period. |
-|Replies <br/> |Count of all the reply messages in channels in the specified time period. |
-|Mentions <br/> |Count of all mentions made in the specified time period. <br/>|
-|Reactions <br/> |Number of reactions an active user made in the specified time period. |
-|Urgent messages <br/> |Count of urgent messages in the specified time period. |
-|Channel messages <br/> |The number of unique messages that the user posted in a team chat during the specified time period. <br/>|
-|Last activity date <br/> |The latest date that any member of the team has committed an action. |
+|Team ID|Team identifier|
+|Internal active users|Users that have at least one panel action in the specified time period including guests. <br/> <br/> Internal users and guests that reside in the same tenant. Internal users exclude guests.|
+|Active guests|Guests that have at least one panel action in the specified time period. <br/> <br/> A guest is defined as persons from outside your organization who accesses shared resources by signing in to a guest account in my directory.|
+|External active users|External participants that have at least one panel action in the specified time period.<br/><br/> An external participant is defined as a person from outside your organization who is participating in a resource ΓÇô such as a shared channel ΓÇô using their own identity and not a guest account in your directory.|
+|Active channels|Valid channels in active teams that have at least one active user in the specified time period. This includes public, private, or shared channels.|
+|Active shared channels|Valid shared channels in active teams that have at least one active user in the specified time. <br/> <br/>A shared channel is defined as a Teams channel that can be shared with people outside the team. These people can be inside your organization or from other Azure AD organizations.|
+|Total organized meetings|The sum of one-time scheduled, recurring, ad hoc and unclassified meetings a user organized during the specified time period.|
+|Posts|Count of all the post messages in channels in the specified time period.|
+|Replies|Count of all the reply messages in channels in the specified time period.|
+|Mentions|Count of all mentions made in the specified time period.|
+|Reactions|Number of reactions an active user made in the specified time period.|
+|Urgent messages|Count of urgent messages in the specified time period.|
+|Channel messages|The number of unique messages that the user posted in a team chat during the specified time period.|
+|Last activity date|The latest date that any member of the team has committed an action.|
## Make the user-specific data anonymous
To make the data in Teams user activity report anonymous, you have to be a globa
3. Select **Save changes**. ---- ## See also+ [Microsoft Teams device usage report](../activity-reports/microsoft-teams-device-usage-preview.md) [Microsoft Teams user activity report](../activity-reports/microsoft-teams-user-activity-preview.md)---------
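Review bot: In the step list under "How to get to the Microsoft Teams usage activity report", the re-indented image line for teams-usage-card.png still ends in `<br/>`, while the other trailing `<br/>` tags around images in this file are being dropped; remove it for consistency. In the intro, the new **Teams usage report** paragraph line is followed directly by the teams-usage.png image line with no blank `+` line between them (the removed version had one), so as shown the image becomes part of the paragraph; add a blank line, as was done before the team usage image.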
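Review bot: The "Channel messages" row in the Channel usage metrics table is carried over as messages "posted in a private chat", while the same metric in the Teams details table says "in a team chat"; the two definitions should agree, and this is the moment to correct whichever is wrong. In the Teams details table, the "Internal active users" row says "including guests" and then "Internal users exclude guests", which contradicts itself. The guest definitions say "my directory" where the external participant definitions say "your directory". The "ΓÇô" sequences in the external user definitions look like a mis-encoded dash and are copied unchanged into the new rows.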
admin Microsoft Teams User Activity Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-user-activity-preview.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
## How to get to the Microsoft Teams user activity report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams activity card.
+2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams activity card.
## Interpret the Microsoft Teams user activity report
admin Microsoft365 Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww.md
description: "Learn how to get a Microsoft 365 Apps for usage report using the M
The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
- For example, you can understand the activity of each user licensed to use Microsoft 365 Apps apps by looking at their activity across the apps and how they are utilized across platforms.
-
- > [!NOTE]
- > Shared computer activations are not included in this report.
+For example, you can understand the activity of each user licensed to use Microsoft 365 Apps apps by looking at their activity across the apps and how they are utilized across platforms.
+
+> [!NOTE]
+> Shared computer activations are not included in this report.
## How to get to the Microsoft 365 Apps usage report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps card.
+2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps card.
## Interpret the Microsoft 365 Apps usage report
You can get a view into your user's Microsoft 365 Apps activity by looking at th
> ![Microsoft 365 Apps usage report.](../../media/0bcf67e6-a6e4-4109-a215-369f9f20ad84.png) |Item|Description|
- |:--|:--|
- |1. <br/> |The **Microsoft 365 Apps usage** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated). <br/> |
- |2. <br/> |The data in each report usually covers up to the last two days. Every six day, we will refresh the report with minor updates to ensure data quality. <br/> |
- |3. <br/> |The **Users** view shows the trend in the number of active users for each app ΓÇô Outlook, Word, Excel, PowerPoint, OneNote, and Teams. "Active users" are any who perform any intentional actions within these apps. <br/> |
- |4. <br/> |The **Platforms** view shows the trend of active users across all apps for each platform ΓÇô Windows, Mac, Web, and Mobile. <br/> |
- |5.<br/>|On the **Users** chart, the Y-axis is the number of unique active users for the respective app. On the **Platforms** chart, the Y-axis is the number of unique users for the respective platform. The X-axis on both charts is the date on which an app was used on a given platform.<br/>|
- 6.<br/>|You can filter the series you see on the chart by selecting an item in the legend. For example, on the **Users** chart, select Outlook, Word, Excel, PowerPoint, OneDrive, or Teams to see only the info related to each one. Changing this selection doesn't change the info in the grid table below it.|
- |7.<br/>|The table shows you a breakdown of data at the per-user level. You can add or remove columns from the table. <br/><br/>**Username** is the email address of the user who performed the activity on Microsoft Apps.<br><br/>**Last activation date (UTC)** is the latest date on which the user activated their Microsoft 365 Apps subscription on a machine or logs on shared computer and starts the app with their account. <br/><br/>**Last activity date (UTC)** is the latest date an intentional activity was performed by the user. To see activity that occurred on a specific date, select the date directly in the chart.<br/><br/>The other columns identify if the user was active on that platform for that app (within Microsoft 365 Apps) in the period selected. |
- |8.<br/>|Select the **Choose columns** icon to add or remove columns from the report.|
- |9.<br/>|You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data for all users and enables you to do simple aggregation, sorting, and filtering for further analysis. If you have less than 100 users, you can sort and filter within the table in the report itself. If you have more than 100 users, in order to filter and sort, you will need to export the data.|
+|||
+|1.|The **Microsoft 365 Apps usage** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated).|
+|2.|The data in each report usually covers up to the last two days. Every six day, we will refresh the report with minor updates to ensure data quality.|
+|3.|The **Users** view shows the trend in the number of active users for each app ΓÇô Outlook, Word, Excel, PowerPoint, OneNote, and Teams. "Active users" are any who perform any intentional actions within these apps.|
+|4.|The **Platforms** view shows the trend of active users across all apps for each platform ΓÇô Windows, Mac, Web, and Mobile.|
+|5.|On the **Users** chart, the Y-axis is the number of unique active users for the respective app. On the **Platforms** chart, the Y-axis is the number of unique users for the respective platform. The X-axis on both charts is the date on which an app was used on a given platform.|
+ 6.|You can filter the series you see on the chart by selecting an item in the legend. For example, on the **Users** chart, select Outlook, Word, Excel, PowerPoint, OneDrive, or Teams to see only the info related to each one. Changing this selection doesn't change the info in the grid table below it.|
+|7.|The table shows you a breakdown of data at the per-user level. You can add or remove columns from the table. <br/><br/>**Username** is the email address of the user who performed the activity on Microsoft Apps.<br><br/>**Last activation date (UTC)** is the latest date on which the user activated their Microsoft 365 Apps subscription on a machine or logs on shared computer and starts the app with their account. <br/><br/>**Last activity date (UTC)** is the latest date an intentional activity was performed by the user. To see activity that occurred on a specific date, select the date directly in the chart.<br/><br/>The other columns identify if the user was active on that platform for that app (within Microsoft 365 Apps) in the period selected.|
+|8.|Select the **Choose columns** icon to add or remove columns from the report.|
+|9.|You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data for all users and enables you to do simple aggregation, sorting, and filtering for further analysis. If you have less than 100 users, you can sort and filter within the table in the report itself. If you have more than 100 users, in order to filter and sort, you will need to export the data.|
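Review bot: The new `|||` row replaces the `|:--|:--|` delimiter row under `|Item|Description|`; a delimiter row needs hyphens in each cell, so with `|||` the block is no longer parsed as a Markdown table. Keep `|:--|:--|`. Row 6 still starts with ` 6.|` and no leading pipe, unlike rows 1 to 5 and 7 to 9. Row 3 lists OneNote among the apps while row 6 lists OneDrive, and row 2 reads "Every six day"; both are worth fixing in the same pass since every row is being rewritten anyway.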
admin Office 365 Groups Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups-ww.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps or the Active users - Microsoft 365 Services card to get to the Office 365 report page.
+2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps or the Active users - Microsoft 365 Services card to get to the Office 365 report page.
## Interpret the groups report
admin Onedrive For Business Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/onedrive-for-business-activity-ww.md
For example, you can understand the activity of every user licensed to use OneDr
## How do I get to the OneDrive Activity report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the OneDrive card.
+2. From the dashboard homepage, click on the **View more** button on the OneDrive card.
## Interpret the OneDrive for Business activity report
admin Onedrive For Business Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww.md
For example, the OneDrive card on the dashboard gives you a high-level view of t
## How do I get to the OneDrive usage report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the OneDrive card.
+2. From the dashboard homepage, click on the **View more** button on the OneDrive card.
## Interpret the OneDrive usage report
admin Sharepoint Activity Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-activity-ww.md
For example, you can understand the activity of every user licensed to use Share
## How do I get to the to the SharePoint activity report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the SharePoint card.
+2. From the dashboard homepage, click on the **View more** button on the SharePoint card.
## Interpret the SharePoint activity report
admin Sharepoint Site Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww.md
As a Microsoft 365 admin, the Reports dashboard shows you the activity overview
## How to get to the SharePoint site usage report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the SharePoint card.
+2. From the dashboard homepage, click on the **View more** button on the SharePoint card.
## Show user details in the reports
admin Viva Insights Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/viva-insights-activity.md
For example, you can understand the adoption of Viva Insights by looking at the
## Interpret the Microsoft 365 Apps usage report
-You can get a view into your user's Viva Insights activity by looking at the **Active users chart**. The Viva Insights active user chart can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days.
+You can get a view into your user's Viva Insights activity by looking at the **Active users chart**. The Viva Insights active user chart can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days.
> [!div class="mx-imgBorder"] > ![Microsoft 365 Apps usage report with Viva Insights.](../../media/viva-insights-chart.png)
admin Yammer Activity Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-activity-report-ww.md
As Microsoft 365 admin, the Reports dashboard shows you data on the usage of the
## How do I get to the Yammer activity report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Yammer card.
+2. From the dashboard homepage, click on the **View more** button on the Yammer card.
## Interpret the Yammer activity report
admin Yammer Device Usage Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-device-usage-report-ww.md
The Yammer device usage reports give you information about which devices your us
## How do I get to the Yammer device usage report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Yammer card.
+2. From the dashboard homepage, click on the **View more** button on the Yammer card.
## Interpret the Yammer device usage report
admin Yammer Groups Activity Report Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/yammer-groups-activity-report-ww.md
The Microsoft 365 Reports dashboard shows you the activity overview across the p
## How do I get to the Yammer groups activity report? 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
-2. From the dashboard homepage, click on the **View more** button on the Yammer card.
+2. From the dashboard homepage, click on the **View more** button on the Yammer card.
## Interpret the Yammer groups activity report
admin Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/capabilities.md
If people in your organization use mobile devices that aren't supported by Basic
The supported apps for the different types of mobile devices in the following table prompt users to enroll in Basic Mobility and Security where there is a new mobile device management policy that applies to a userΓÇÖs device and the user hasnΓÇÖt previously enrolled the device. If a userΓÇÖs device doesnΓÇÖt comply with a policy, depending on how you set the policy up, a user might be blocked from accessing Microsoft 365 resources in these apps, or they might have access but Microsoft 365 reports a policy violation.
-|**Product**|**iOS**|**Android**|
-|:--|:--|:--|
-|**Exchange** Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later. |Mail |Email |
-|**Office** and **OneDrive for Business** |Outlook </br>OneDrive </br>Word </br>Excel </br>PowerPoint|**On phones and tablets**:<br/>Outlook <br/> OneDrive <br/> Word <br/> Excel <br/> PowerPoint <br/> **On phones only:** <br/> Office Mobile |
+|Product|iOS|Android|
+||||
+|**Exchange** Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later.|Mail|Email|
+|**Office** and **OneDrive for Business**|Outlook </br>OneDrive </br>Word </br>Excel </br>PowerPoint|**On phones and tablets**:<br/>Outlook <br/> OneDrive <br/> Word <br/> Excel <br/> PowerPoint <br/> **On phones only:** <br/> Office Mobile|
> [!NOTE] >
-> - Support for iOS 10.0 and later versions includes iPhone and iPad devices.
+> - Support for iOS 10.0 and later versions includes iPhone and iPad devices.
> - Management of BlackBerry OS devices isnΓÇÖt supported by Basic Security and Mobility. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. Blackberry devices running Android OS are supported as standard Android devices > - Users wonΓÇÖt be prompted to enroll and wonΓÇÖt be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.
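Review bot: The new delimiter row under the header, `||||`, contains no dashes, so as shown here the header and body will not be parsed as a Markdown table; each cell needs at least `---`. The replaced row `|:--|:--|:--|` also set left alignment, so the change description should say whether dropping it is intended. The later tables in this file repeat the same empty delimiter row.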
The following diagram shows what happens when a user with a new device signs in
:::image type="content" source="../../media/basic-mobility-security/bms-1-access-control.png" alt-text="Basic Mobility and Security access control."::: > [!NOTE]
-> Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, seeΓÇ»[Exchange ActiveSync in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/exchange-activesync/exchange-activesync).
+> Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, see [Exchange ActiveSync in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/exchange-activesync/exchange-activesync).
## Policy settings for mobile devices
-If you create a policy to block access with certain settings turned on, users are blocked from accessing Microsoft 365 resources when using a supported app that is listed in [Access control for Microsoft 365 email and documents](capabilities.md).
+If you create a policy to block access with certain settings turned on, users are blocked from accessing Microsoft 365 resources when using a supported app that is listed in [Access control for Microsoft 365 email and documents](capabilities.md).
The settings that can block users from accessing Microsoft 365 resources are in these sections:
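Review bot: In the first paragraph under "Policy settings for mobile devices", the link text "Access control for Microsoft 365 email and documents" points to `capabilities.md`, which is this article, with no section anchor, so the reader is sent to the top of the same page instead of the list of supported apps. Point the link at that section's anchor.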
The following sections list the policy settings you can use to help secure and m
## Security settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
|Require a password|Yes|Yes|Yes| |Prevent simple password|Yes|No|No| |Require an alphanumeric password|Yes|No|No|
-|Minimum password length |Yes|Yes|Yes|
-|Number of sign-in failures before device is wiped |Yes|Yes|Yes|
-|Minutes of inactivity before device is locked |Yes|Yes|Yes|
-|Password expiration (days) |Yes|Yes|Yes|
-|Remember password history and prevent reuse |Yes|Yes|Yes|
+|Minimum password length|Yes|Yes|Yes|
+|Number of sign-in failures before device is wiped|Yes|Yes|Yes|
+|Minutes of inactivity before device is locked|Yes|Yes|Yes|
+|Password expiration (days)|Yes|Yes|Yes|
+|Remember password history and prevent reuse|Yes|Yes|Yes|
## Encryption settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Require data encryption on devices<sup>1</sup> |No|Yes|Yes|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Require data encryption on devices<sup>1</sup>|No|Yes|Yes|
<sup>1</sup>With Samsung Knox, you can also require encryption on storage cards. ## Jail broken setting
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Device cannot be jail broken or rooted |Yes|Yes|Yes|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Device cannot be jail broken or rooted|Yes|Yes|Yes|
## Managed email profile option The following option can block users from accessing their Microsoft 365 email if theyΓÇÖre using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile is automatically created on the device. For instructions on how end users can get compliant, see [An existing email account was found](/intune-user-help/existing-company-email-account-found).
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Email profile is managed |Yes|No|No|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Email profile is managed|Yes|No|No|
## Cloud settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Require encrypted backup |Yes|No|No|
-|Block cloud backup |Yes|No|No|
-|Block document synchronization |Yes|No|No|
-|Block photo synchronization |Yes|No|No|
-|Allow Google backup |N/A|No|Yes|
-|Allow Google account auto sync |N/A|No|Yes|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Require encrypted backup|Yes|No|No|
+|Block cloud backup|Yes|No|No|
+|Block document synchronization|Yes|No|No|
+|Block photo synchronization|Yes|No|No|
+|Allow Google backup|N/A|No|Yes|
+|Allow Google account auto sync|N/A|No|Yes|
## System settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Block screen capture |Yes|No|Yes|
-|Block sending diagnostic data from device |Yes|No|Yes|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Block screen capture|Yes|No|Yes|
+|Block sending diagnostic data from device|Yes|No|Yes|
## Application settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Block video conferences on device |Yes|No|No|
-|Block access to application store |Yes|No|Yes|
-|Require password when accessing application store |No|Yes|Yes|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Block video conferences on device|Yes|No|No|
+|Block access to application store|Yes|No|Yes|
+|Require password when accessing application store|No|Yes|Yes|
## Device capabilities settings
-|**Setting name**|**iOS** |**Android**|**Samsung Knox**|
-|:--|:--|:--|:--|
-|Block connection with removable storage |Yes|Yes|No|
-|Block Bluetooth connection |Yes|Yes|No|
+|Setting name|iOS|Android|Samsung Knox|
+|||||
+|Block connection with removable storage|Yes|Yes|No|
+|Block Bluetooth connection|Yes|Yes|No|
## Additional settings
-You can set the following additional policy settings by using Security & Compliance Center PowerShell cmdlets. For more information, seeΓÇ»[Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
+You can set the following additional policy settings by using Security & Compliance Center PowerShell cmdlets. For more information, see [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
-|**Setting name**|**iOS** |**Android**|
-|:--|:--|:--|
+|Setting name|iOS|Android|
+||||
|CameraEnabled|Yes|Yes| |RegionRatings|Yes|No| |MoviesRatings|Yes|No|
-|TVShowsRating |Yes|No|
-|AppsRatings |Yes|No|
-|AllowVoiceDialing |Yes|No|
-|AllowVoiceAssistant |Yes|No|
-|AllowAssistantWhileLocked |Yes|No|
-|AllowPassbookWhileLocked |Yes|No|
-|MaxPasswordGracePeriod |Yes|No|
-|PasswordQuality |No|Yes|
-|SystemSecurityTLS |Yes|No|
-|WLANEnabled |No|No|
+|TVShowsRating|Yes|No|
+|AppsRatings|Yes|No|
+|AllowVoiceDialing|Yes|No|
+|AllowVoiceAssistant|Yes|No|
+|AllowAssistantWhileLocked|Yes|No|
+|AllowPassbookWhileLocked|Yes|No|
+|MaxPasswordGracePeriod|Yes|No|
+|PasswordQuality|No|Yes|
+|SystemSecurityTLS|Yes|No|
+|WLANEnabled|No|No|
## Settings supported by Windows
-You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices will be required to enroll in Basic Mobility and Security the first time they use the built-in email app to access their Microsoft 365 email (requires Azure AD premium subscription).
+You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices will be required to enroll in Basic Mobility and Security the first time they use the built-in email app to access their Microsoft 365 email (requires Azure AD premium subscription).
The following settings are supported for Windows 10 devices that are enrolled as mobile devices. These setting wonΓÇÖt block users from accessing Microsoft 365 resources.
You can set these additional policy settings by using PowerShell cmdlets:
If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your Microsoft 365 organization resources by doing a wipe from Security & Compliance center > **Data loss prevention** > **Device management**. You can do a selective wipe to remove only organizational data or a full wipe to delete all information from a device and restore it to its factory settings.
-For more information, seeΓÇ»[Wipe a mobile device in Basic Mobility and Security](wipe-mobile-device.md).
+For more information, see [Wipe a mobile device in Basic Mobility and Security](wipe-mobile-device.md).
## Related content
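Review bot: In the Additional settings table, the row `WLANEnabled|No|No` lists a setting that neither column supports, which leaves readers guessing why it is documented; drop the row or say which platform it applies to. The same table mixes `MoviesRatings` and `AppsRatings` with `TVShowsRating`, so check the names against the cmdlet parameters, since readers will copy them into PowerShell.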
admin Choose Between Basic Mobility And Security And Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md
Basic Mobility and Security remote actions include retire, wipe and full wipe. F
With Intune you have the following set of actions: - [Autopilot reset](/mem/autopilot/windows-autopilot-reset) (Windows only)-- [Bitlocker key recovery](https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6)ΓÇ»(Windows only)
+- [Bitlocker key recovery](https://support.microsoft.com/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6) (Windows only)
- [Use wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal)-- [Disable activation lock](/mem/intune/remote-actions/device-activation-lock-disable)ΓÇ»(iOS only)-- [Fresh start](/mem/intune/remote-actions/device-fresh-start)ΓÇ»(Windows only)-- [Full scan](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)ΓÇ»(Windows 10 only)-- [Locate device](/mem/intune/remote-actions/device-locate)ΓÇ»(iOS only)-- [Lost mode](/mem/intune/remote-actions/device-lost-mode)ΓÇ»(iOS only)- [Quick scan](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)(Windows 10 only)
+- [Disable activation lock](/mem/intune/remote-actions/device-activation-lock-disable) (iOS only)
+- [Fresh start](/mem/intune/remote-actions/device-fresh-start) (Windows only)
+- [Full scan](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus) (Windows 10 only)
+- [Locate device](/mem/intune/remote-actions/device-locate) (iOS only)
+- [Lost mode](/mem/intune/remote-actions/device-lost-mode) (iOS only)- [Quick scan](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)(Windows 10 only)
- [Remote control for Android](/mem/intune/remote-actions/teamviewer-support) - [Remote lock](/mem/intune/remote-actions/device-remote-lock) - [Rename device](/mem/intune/remote-actions/device-rename)-- [Reset passcode](/mem/intune/remote-actions/device-passcode-reset) [Restart](/mem/intune/remote-actions/device-restart)ΓÇ»(Windows only)
+- [Reset passcode](/mem/intune/remote-actions/device-passcode-reset) [Restart](/mem/intune/remote-actions/device-restart) (Windows only)
- [Update Windows Defender Security Intelligence](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Windows only) - [Windows 10 PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset) (Windows only)-- [Send custom notifications](/mem/intune/remote-actions/custom-notifications#send-a-custom-notification-to-a-single-device)ΓÇ»(Android, iOS, iPad OS)
+- [Send custom notifications](/mem/intune/remote-actions/custom-notifications#send-a-custom-notification-to-a-single-device) (Android, iOS, iPad OS)
- [Synchronize device](/mem/intune/remote-actions/device-sync) For more information on Intune actions, see [Microsoft Intune documentation](/mem/intune/).
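Review bot: On the added "Reset passcode" line, the "Restart" link follows on the same bullet with no list marker of its own, so "(Windows only)" reads as if it also qualified Reset passcode; give Restart its own "- " item. On the added "Lost mode" line, "Quick scan" is likewise run onto the same bullet and has no space before "(Windows 10 only)".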
admin Create An Apns Certificate For Ios Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/create-an-apns-certificate-for-ios-devices.md
To manage iOS devices such as iPads and iPhones in Basic Mobility and Security,
1. Sign in to Microsoft 365 with your global admin account.
-2. In your browser, typeΓÇ»<https://protection.office.com/>.
+2. In your browser, type <https://protection.office.com/>.
-3. Select ΓÇ»**Data loss prevention**ΓÇ»>ΓÇ»**Device management**, and choose **APNs Certificate for iOS devices**.
+3. Select **Data loss prevention** \> **Device management**, and choose **APNs Certificate for iOS devices**.
-4. On the Apple Push Notification Certificate Settings page, choose **Next**.
+4. On the Apple Push Notification Certificate Settings page, choose **Next**.
-5. Select Download your CSR file and save the certificate signing request to somewhere on your computer that you'll remember. Select  **Next**.
+5. Select Download your CSR file and save the certificate signing request to somewhere on your computer that you'll remember. Select **Next**.
-6. On the Create an APNs certificate page:
+6. On the Create an APNs certificate page:
- 1. SelectΓÇ» Apple APNS Portal to open the Apple Push Certificates Portal.
+ 1. Select Apple APNS Portal to open the Apple Push Certificates Portal.
2. Sign in with an Apple ID. > [!IMPORTANT] > Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.
- 3. Select  **Create a Certificate**  and accept the Terms of Use.
+ 3. Select **Create a Certificate** and accept the Terms of Use.
4. Browse to the certificate signing request you downloaded to your computer from Microsoft 365, and select **Upload**.
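Review bot: Steps 5 and 6.1 leave the UI labels "Download your CSR file" and "Apple APNS Portal" in plain text, while the other controls in these steps (**Next**, **Create a Certificate**, **Upload**) are bold; bold them so the reader can tell the label from the instruction. The casing also varies between "APNs" in step 3 and "APNS" in step 6.1, so pick one spelling and use it throughout.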
To manage iOS devices such as iPads and iPhones in Basic Mobility and Security,
> [!TIP] > If you're having trouble downloading the certificate, refresh your browser.
-7. Go back to Microsoft 365, and select **Next**  to get to the  **Upload APNS certificate** page.
+7. Go back to Microsoft 365, and select **Next** to get to the **Upload APNS certificate** page.
8. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.
-9. SelectΓÇ» **Finish**.
+9. Select **Finish**.
-To complete setup, go back to the Security & Compliance Center > **Security policies** > **Device management** > **Manage settings**.
+To complete setup, go back to the Security & Compliance Center \> **Security policies** \> **Device management** \> **Manage settings**.
admin Enroll Your Mobile Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/enroll-your-mobile-device.md
description: "Before you can use Microsoft 365 services with your device, you mi
Using your phone, tablet, and other mobile devices for work is a great way to stay informed and work on business projects while youΓÇÖre away from the office. Before you can use Microsoft 365 services with your device, you might need to first enroll it in Basic Mobility and Security for Microsoft 365 using Microsoft Intune Company Portal.
-Organizations choose Basic Mobility and Security so that employees can use their mobile devices to securely access work email, calendars, and documents while the business secures important data and meets their compliance requirements. To learn more, see [Overview of Basic Mobility and Security for Microsoft 365](overview.md). For more info, see [What information can my organization see when I enroll my device?](/intune-user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune).
+Organizations choose Basic Mobility and Security so that employees can use their mobile devices to securely access work email, calendars, and documents while the business secures important data and meets their compliance requirements. To learn more, see [Overview of Basic Mobility and Security for Microsoft 365](overview.md). For more info, see [What information can my organization see when I enroll my device?](/intune-user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune).
> [!IMPORTANT] > When you enroll your device in Basic Mobility and Security for Microsoft 365, you might be required to set up a password, together with allowing the option for your work organization to wipe the device. A device wipe can be performed from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, for example, to remove all data from the device if the password is entered incorrectly too many times or if usage terms are broken.
Basic Mobility and Security for Microsoft 365 hosted by the Intune service works
If your device is not listed above, and you need to use it with Basic Mobility and Security, contact your work or school administrator. > [!TIP]
-> If you're having trouble enrolling your device, seeΓÇ»[Troubleshoot Basic Mobility and Security](troubleshoot.md).
+> If you're having trouble enrolling your device, see [Troubleshoot Basic Mobility and Security](troubleshoot.md).
## Set up your mobile device with Intune and Basic Mobility and Security
To connect and configure your Android phone or tablet with the Company portal to
Go to the Microsoft Store, and download and install Intune Company Portal
-To connect and configure your Windows phone or PC with the Company portal to Microsoft 365, see [Windows device enrollment in Intune Company Portal](/intune-user-help/windows-enrollment-company-portal).
+To connect and configure your Windows phone or PC with the Company portal to Microsoft 365, see [Windows device enrollment in Intune Company Portal](/intune-user-help/windows-enrollment-company-portal).
## Next steps
admin Get Details About Managed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/get-details-about-managed-devices.md
This article shows you how to use Windows PowerShell to get details about the de
Here's a breakdown for the device details available to you.
-|**Detail**|**What to look for in PowerShell**|
-|:-|:|
-|Device is enrolled in Basic Mobility and Security. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md)|The value of the *isManaged* parameter is:<br/>**True**= device is enrolled.<br/>**False**= device is not enrolled. |
-|Device is compliant with your device security policies. For more info, see [Create device security policies](create-device-security-policies.md)|The value of the *isCompliant* parameter is:<br/>**True** = device is compliant with policies.<br/>**False** = device is not compliant with policies.|
+|Detail|What to look for in PowerShell|
+|||
+|Device is enrolled in Basic Mobility and Security. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md)|The value of the *isManaged* parameter is:<br/>**True**= device is enrolled.<br/>**False**= device is not enrolled.|
+|Device is compliant with your device security policies. For more info, see [Create device security policies](create-device-security-policies.md)|The value of the *isCompliant* parameter is:<br/>**True** = device is compliant with policies.<br/>**False** = device is not compliant with policies.|
:::image type="content" source="../../media/basic-mobility-security/bms-7-powershell-parameters.png" alt-text="Basic Mobility and Security PowerShell parameters."::: > [!NOTE]
-> The commands and scripts in this article also return details about any devices managed byΓÇ»[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+> The commands and scripts in this article also return details about any devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
## Before you begin
There are a few things you need to set up to run the commands and scripts descri
### Step 1: Download and install the Azure Active Directory Module for Windows PowerShell
-For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell).
+For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell).
-1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi) and select  **Download for Microsoft Online Services Sign-in Assistant**.
+1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi) and select **Download for Microsoft Online Services Sign-in Assistant**.
2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:
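Review bot: The link text in step 1 still ends in "RTWl", which looks like a stray trailing "l" after "RTW". The step also tells the reader to select a download button, but the link target is the `msoidcli_32bit.msi` file itself, so following it starts a download and never shows a page with that button; link to the download page or reword the step.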
For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/
$UserCredential = Get-Credential ```
-2. In the Windows PowerShell Credential Request dialog box, type the user name and password for your Microsoft 365 global admin account, and then select **OK**.
+2. In the Windows PowerShell Credential Request dialog box, type the user name and password for your Microsoft 365 global admin account, and then select **OK**.
3. Run the following command.
For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/
> [!NOTE] > You can skip this step if youΓÇÖre already set up to run PowerShell scripts.
-To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
+To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
-1. From your Windows Desktop, select **Start**, and then type Windows PowerShell. Right-click Windows PowerShell, and then select **Run as administrator**.
+1. From your Windows Desktop, select **Start**, and then type Windows PowerShell. Right-click Windows PowerShell, and then select **Run as administrator**.
2. Run the following command. ```powershell
- Set-ExecutionPolicy RemoteSigned
+ Set-ExecutionPolicy RemoteSigned
```
-3. When prompted, type Y and then press Enter.
+3. When prompted, type Y and then press Enter.
#### Run the Get-MsolDevice cmdlet to display details for all devices in your organization
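Review bot: Step 2 runs `Set-ExecutionPolicy RemoteSigned` from an elevated session with no `-Scope`, which changes the policy for the whole machine (the default scope is LocalMachine) and leaves it changed after the script has run. Say so in the step, or use `-Scope Process` or `-Scope CurrentUser` so the change is limited to what this one script needs.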
To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable
Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0} ```
-For more examples, see ΓÇ»[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939).
+For more examples, see [Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939).
## Run a script to get device details
First, save the script to your computer.
} ```
-2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.
+2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.
## Run the script to get device information for a single user account 1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
-2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
+2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
```powershell cd C:\PS-Scripts
The information is exported to your Windows Desktop as a CSV file. You can use a
1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
-2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
+2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
```powershell cd C:\PS-Scripts
admin Manage Device Access Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-device-access-settings.md
description: "Basic Mobility and Security can help you secure and manage mobile
# Manage device access settings in Basic Mobility and Security
-If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that aren't supported by Basic Mobility and Security. This helps secure your organization information across more devices.
+If you're using Basic Mobility and Security, there might be devices that you can't manage with Basic Mobility and Security. If so, you should block Exchange ActiveSync app access to Microsoft 365 email for mobile devices that aren't supported by Basic Mobility and Security. This helps secure your organization information across more devices.
Use these steps: 1. Sign in to Microsoft 365 with your global admin account.
-2. In your browser, type:ΓÇ»[https://protection.office.com](https://protection.office.com/).
+2. In your browser, type: [https://protection.office.com](https://protection.office.com/).
> [!IMPORTANT] > If this is the first time you're using Basic Mobility and Security for Microsoft 365 Business Standard, activate it here: [Activate Basic Security and Mobility](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). After you've activated it, manage your devices with [Office 365 Security & Compliance](https://protection.office.com/).
-3. Go to Data loss prevention > **Device management** > **Device policies**, and select **Manage organization-wide device access settings**.
+3. Go to Data loss prevention > **Device management** > **Device policies**, and select **Manage organization-wide device access settings**.
-4. SelectΓÇ»**Block**.
+4. Select **Block**.
:::image type="content" source="../../media/basic-mobility-security/bms-5-block-access.png" alt-text="Basic Mobility and Security block access checkbox.":::
-5. SelectΓÇ»**Save**.
+5. Select **Save**.
-To learn what devices Basic Mobility and Security supports, seeΓÇ»[Capabilities of Basic Mobility and Security](capabilities.md).
+To learn what devices Basic Mobility and Security supports, see [Capabilities of Basic Mobility and Security](capabilities.md).
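Review bot: In step 3, "Data loss prevention" is plain text while the rest of the path (**Device management**, **Device policies**) is bold, and the separators are bare ">" where other articles in this batch write "\>". Format the whole navigation path the same way.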
admin Manage Enrolled Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-enrolled-devices.md
description: "Basic Mobility and Security can help you secure and manage your or
The built-in mobile device management for Microsoft 365 helps you secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. The first step is to sign in to Microsoft 365 and set up Basic Mobility and Security. For more info, see [Set up Basic Mobility and Security](set-up.md).
-After you've set it up, the people in your organization must enroll their devices in the service. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md). Then you can use Basic Mobility and Security to help manage devices in your organization. For example, you can use device security policies to help limit email access or other services, view devices reports, and remotely wipe a device. You'll typically go to the Security & Compliance Center to do these tasks. For more info, see [Microsoft 365 compliance center](../../compliance/microsoft-365-compliance-center.md).
+After you've set it up, the people in your organization must enroll their devices in the service. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md). Then you can use Basic Mobility and Security to help manage devices in your organization. For example, you can use device security policies to help limit email access or other services, view devices reports, and remotely wipe a device. You'll typically go to the Security & Compliance Center to do these tasks. For more info, see [Microsoft 365 compliance center](../../compliance/microsoft-365-compliance-center.md).
## Device management tasks To get to the device management panel, follow these steps:
-1. Go to theΓÇ»[Microsoft 365 admin center](../../admin/admin-overview/about-the-admin-center.md).
+1. Go to the [Microsoft 365 admin center](../../admin/admin-overview/about-the-admin-center.md).
-2. Type Mobile Device Management into the search field, and select **Mobile Device Management** from the list of results.
+2. Type Mobile Device Management into the search field, and select **Mobile Device Management** from the list of results.
:::image type="content" source="../../media/basic-mobility-security/bms-6-mobile-device-management-option.png" alt-text="Mobile device management option.":::
-3. SelectΓÇ» **Let's get started**.
+3. Select **Let's get started**.
## Manage mobile devices After you've got Basic Mobility and Security set up, here are some ways you can manage the mobile devices in your organization.
-|**To do this**|**Do this**|
-|:-|:|
-|Wipe a device |In the Device Management panel, select *device name*, then  **Full wipe**  to delete all information or  **Selective wipe**  to delete only organizational information on the device. For more info, see [Wipe a mobile device in Basic Mobility and Security](wipe-mobile-device.md).|
-|Block unsupported devices from accessing Exchange email using Exchange ActiveSync |In the Device Management panel, selectΓÇ» **Block**. |
-|Set up device policies like password requirements and security settings |In the Device Management panel, select **Device security policies**ΓÇ»>ΓÇ»**Add +**. For more info, seeΓÇ»[Create device security policies in Basic Mobility and Security](create-device-security-policies.md).|
-|View list of blocked devices |In the Device Management panel, underΓÇ» **Select a view**ΓÇ» selectΓÇ» **Blocked**. |
-|Unblock noncompliant or unsupported device for a user or group of users |Pick one of the following to unblock devices:<br/>- Remove the user or users from the security group the policy has been applied to. Go to Microsoft 365 admin center > <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">**Groups**</a>, and then select group name. Select **Edit members and admins**.<br/>- Remove the security group the users are a member of from the device policy. Go to Security & Compliance Center > **Security policies** > **Device security policies**. Select device policy name, and then select **Edit** > **Deployment**.<br/>- Unblock all noncompliant devices for a device policy. Go to Security & Compliance Center > **Security policies** > **Device security policies**. Select device policy name and then select **Edit** > **Access requirements**. Select  **Allow access and report violation**.<br/>- To unblock a noncompliant or unsupported device for a user or a group of users, go to Security & Compliance Center > **Security policies** > **Device management** > **Manage device access settings**. Add a security group with the members you want to exclude from being blocked access to Microsoft 365. For more info, see [Create, edit, or delete a security group in the Microsoft 365 admin center](../../admin/email/create-edit-or-delete-a-security-group.md).|
-|Remove users so their devices are no longer managed by Basic Mobility and Security |To remove the user, edit the security group that has device management policies for Basic Mobility and Security. For more info, seeΓÇ» [Create, edit, or delete a security group in the Microsoft 365 admin center](../../admin/email/create-edit-or-delete-a-security-group.md).<br/>To remove Basic Mobility and Security from all your Microsoft 365 users, see [Turn off Basic Mobility and Security](turn-off.md).|
+|To do this|Do this|
+|||
+|Wipe a device|In the Device Management panel, select *device name*, then **Full wipe** to delete all information or **Selective wipe** to delete only organizational information on the device. For more info, see [Wipe a mobile device in Basic Mobility and Security](wipe-mobile-device.md).|
+|Block unsupported devices from accessing Exchange email using Exchange ActiveSync|In the Device Management panel, select **Block**.|
+|Set up device policies like password requirements and security settings|In the Device Management panel, select **Device security policies** > **Add +**. For more info, see [Create device security policies in Basic Mobility and Security](create-device-security-policies.md).|
+|View list of blocked devices|In the Device Management panel, under **Select a view** select **Blocked**.|
+|Unblock noncompliant or unsupported device for a user or group of users|Pick one of the following to unblock devices:<br/>- Remove the user or users from the security group the policy has been applied to. Go to Microsoft 365 admin center > <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">**Groups**</a>, and then select group name. Select **Edit members and admins**.<br/>- Remove the security group the users are a member of from the device policy. Go to Security & Compliance Center > **Security policies** > **Device security policies**. Select device policy name, and then select **Edit** > **Deployment**.<br/>- Unblock all noncompliant devices for a device policy. Go to Security & Compliance Center > **Security policies** > **Device security policies**. Select device policy name and then select **Edit** > **Access requirements**. Select **Allow access and report violation**.<br/>- To unblock a noncompliant or unsupported device for a user or a group of users, go to Security & Compliance Center > **Security policies** > **Device management** > **Manage device access settings**. Add a security group with the members you want to exclude from being blocked access to Microsoft 365. For more info, see [Create, edit, or delete a security group in the Microsoft 365 admin center](../../admin/email/create-edit-or-delete-a-security-group.md).|
+|Remove users so their devices are no longer managed by Basic Mobility and Security|To remove the user, edit the security group that has device management policies for Basic Mobility and Security. For more info, see [Create, edit, or delete a security group in the Microsoft 365 admin center](../../admin/email/create-edit-or-delete-a-security-group.md).<br/>To remove Basic Mobility and Security from all your Microsoft 365 users, see [Turn off Basic Mobility and Security](turn-off.md).|
-Live (v14)
+Live (v14)
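Review bot: in the rewritten intro paragraph, "view devices reports" should read "view device reports", and the same sentence sends admins to the "Security & Compliance Center" while the link right after it is titled "Microsoft 365 compliance center"; use one name so readers know which portal is meant. In the new table, the last bullet of the unblock row repeats the row title ("To unblock a noncompliant or unsupported device for a user or a group of users") and could start directly at "Go to Security & Compliance Center".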
admin Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/overview.md
You can manage and secure mobile devices when they're connected to your Microsof
You can use Basic Mobility and Security to manage many types of mobile devices like Windows Phone, Android, iPhone, and iPad. To manage mobile devices used by people in your organization, each person must have an applicable Microsoft 365 license and their device must be enrolled in Basic Mobility and Security.
-To see what Basic Mobility and Security supports for each type of device, seeΓÇ»[Capabilities of Basic Mobility and Security](capabilities.md).
+To see what Basic Mobility and Security supports for each type of device, see [Capabilities of Basic Mobility and Security](capabilities.md).
## Setup steps for Basic Mobility and Security
-A Microsoft 365 global admin must complete the following steps to activate and set up Basic Mobility and Security. For detailed steps, follow the guidance in [Set up Basic Mobility and Security](set-up.md).
+A Microsoft 365 global admin must complete the following steps to activate and set up Basic Mobility and Security. For detailed steps, follow the guidance in [Set up Basic Mobility and Security](set-up.md).
Here's a summary of the steps:
-**Step 1:** Activate Basic Mobility and Security by following steps in theΓÇ»[Set up Basic Mobility and Security](set-up.md).
+**Step 1:** Activate Basic Mobility and Security by following steps in the [Set up Basic Mobility and Security](set-up.md).
**Step 2:** Set up Basic Mobility and Security by, for example, creating an APNs certificate to manage iOS devices and adding a Domain Name System (DNS) record for your domain to support Windows phones.
-**Step 3:** Create device policies and apply them to groups of users. When you do this, your users get an enrollment message on their device, and when they've completed enrollment, their devices are restricted by the policies you've set up for them. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md).
+**Step 3:** Create device policies and apply them to groups of users. When you do this, your users get an enrollment message on their device, and when they've completed enrollment, their devices are restricted by the policies you've set up for them. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md).
:::image type="content" source="../../media/basic-mobility-security/bms-4-policy.png" alt-text="Basic Security and Mobility policy settings.":::
After you've got Basic Mobility and Security set up and your users have enrolled
## Other ways to manage devices and apps
-If you just need mobile app management (MAM), perhaps for people updating work projects on their own devices, Intune provides another option besides enrolling and managing devices. An Intune subscription allows you to set up MAM policies by using the Azure portal, even if people's devices aren't enrolled in Intune. For more info, seeΓÇ»[App protection policies overview](/mem/intune/apps/app-protection-policy).
+If you just need mobile app management (MAM), perhaps for people updating work projects on their own devices, Intune provides another option besides enrolling and managing devices. An Intune subscription allows you to set up MAM policies by using the Azure portal, even if people's devices aren't enrolled in Intune. For more info, see [App protection policies overview](/mem/intune/apps/app-protection-policy).
## Related content
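Review bot: Step 1 now reads "by following steps in the [Set up Basic Mobility and Security](set-up.md)", which leaves a dangling "the" in front of an article title. The paragraph above already uses "follow the guidance in [Set up Basic Mobility and Security](set-up.md)", so drop "the" here, or write "by following the steps in", to keep the two references consistent.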
admin Privacy And Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/privacy-and-security.md
description: "After you activate Basic Mobility and Security, you can create mob
Basic Mobility and Security is a cloud-based service powered by Microsoft Intune that helps you manage and secure mobile devices in your organization. After you activate Basic Mobility and Security, you can create mobile device management policies. These policies can then be deployed to mobile devices that have been enrolled by licensed Microsoft 365 users in your organization.
-Microsoft Intune sends information to Microsoft 365 about the compliance status of each managed device, and then you can generate reports that show whether managed devices in your organization are compliant based upon the policies that were set. To learn more about Microsoft's commitment to the privacy and security, see theΓÇ»[Microsoft Trust Center](https://www.microsoft.com/trust-center).
+Microsoft Intune sends information to Microsoft 365 about the compliance status of each managed device, and then you can generate reports that show whether managed devices in your organization are compliant based upon the policies that were set. To learn more about Microsoft's commitment to the privacy and security, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center).
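Review bot: the last sentence of the changed paragraph still says "Microsoft's commitment to the privacy and security", where the stray "the" has no noun to attach to. Suggest "commitment to privacy and security", since the line is being touched anyway.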
admin Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/set-up.md
description: "Set up Basic Mobility and Security to secure and manage your users
The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.
-Have questions? For a FAQ to help address common questions, see [Basic Mobility and Security Frequently-asked questions (FAQ)](frequently-asked-questions.yml). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see [Partners: Offer delegated administration](https://support.microsoft.com/office/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e). 
+Have questions? For a FAQ to help address common questions, see [Basic Mobility and Security Frequently-asked questions (FAQ)](frequently-asked-questions.yml). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see [Partners: Offer delegated administration](https://support.microsoft.com/office/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e).
Device management is part of the Security & Compliance Center so you'll need to go there to kick off Basic Mobility and Security setup. ## Activate the Basic Mobility and Security service
-1. Sign in to Microsoft 365 with your global admin account.
+1. Sign in to Microsoft 365 with your global admin account.
2. Go to [Activate Basic Mobility and Security](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx).
When the service is ready, complete the following steps to finish setup.
If you don't have a custom domain associated with Microsoft 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.
-Need help setting up the records? Find your domain registrar and select the registrar name to go to step-by-step help for creating DNS record in the list provided inΓÇ»[Add DNS records to connect your domain](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). Use those instructions to create CNAME records described in [Simplify Windows enrollment without Azure AD Premium](/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium).
+Need help setting up the records? Find your domain registrar and select the registrar name to go to step-by-step help for creating DNS record in the list provided in [Add DNS records to connect your domain](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). Use those instructions to create CNAME records described in [Simplify Windows enrollment without Azure AD Premium](/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium).
-After you add the two CNAME records, go back to the Security & Compliance Center and go to **Data loss prevention** > **Device management** to complete the next step.
+After you add the two CNAME records, go back to the Security & Compliance Center and go to **Data loss prevention** > **Device management** to complete the next step.
### Step 2: (Required) Configure an APNs Certificate for iOS devices To manage iOS devices like iPad and iPhones, you need to create an APNs certificate.
-1. Sign in to Microsoft 365 with your global admin account.
+1. Sign in to Microsoft 365 with your global admin account.
-2. In your browser type:ΓÇ»[https://protection.office.com](https://protection.office.com/).
+2. In your browser type: [https://protection.office.com](https://protection.office.com/).
-3. SelectΓÇ»**Data loss prevention**ΓÇ»>ΓÇ»**Device management**, and choose **APNs Certificate for iOS devices**.
+3. Select **Data loss prevention** > **Device management**, and choose **APNs Certificate for iOS devices**.
-4. On the Apple Push Notification Certificate Settings page, choose **Next**.
+4. On the Apple Push Notification Certificate Settings page, choose **Next**.
-5. Select **Download your CSR file** and save the Certificate signing request to somewhere on your computer that you'll remember. Select **Next**.
+5. Select **Download your CSR file** and save the Certificate signing request to somewhere on your computer that you'll remember. Select **Next**.
-6. On the Create an APNs certificate page:
+6. On the Create an APNs certificate page:
- - Select Apple APNS Portal to open the Apple Push Certificates Portal.
+ - Select Apple APNS Portal to open the Apple Push Certificates Portal.
- Sign in with an Apple ID. > [!IMPORTANT] > Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.
- - Select Create a Certificate and accept the Terms of Use.
+ - Select Create a Certificate and accept the Terms of Use.
- Browse to the Certificate signing request you downloaded to your computer from Microsoft 365 and selectUpload. - Download the APN certificate created by the Apple Push Certificate Portal to your computer.
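Review bot: in step 6 the UI labels are still plain text ("Select Apple APNS Portal", "Select Create a Certificate") while the other steps bold the control being selected, and "APNS" disagrees with the "APNs" spelling in the section heading and in step 3. These lines are only getting a whitespace fix, so this is a good moment to bold the labels and settle on one spelling. The neighbouring bullet also reads "selectUpload", which has lost its space.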
To manage iOS devices like iPad and iPhones, you need to create an APNs certific
8. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.
-9. SelectΓÇ» **Finish**.
+9. Select **Finish**.
### Step 3: (Recommended) Set up multi-factor authentication MFA helps secure the sign in to Microsoft 365 for mobile device enrollment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message, or app notification on their mobile device after correctly entering their work account password. They can enroll their device only after this second form of authentication is completed. After user devices are enrolled in Basic Mobility and Security, users can access Microsoft 365 resources with only their work account.
-To learn how to turn on MFA in the Azure AD portal, seeΓÇ»[Set up multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md).
+To learn how to turn on MFA in the Azure AD portal, see [Set up multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md).
-After you set up MFA, go back to the Security & Compliance Center and navigate to **Data loss prevention** > **Device management** > **Device policies** to complete the next step.
+After you set up MFA, go back to the Security & Compliance Center and navigate to **Data loss prevention** > **Device management** > **Device policies** to complete the next step.
### Step 4: (Recommended) Manage device security policies
The next step is to create and deploy device security policies to help protect y
1. Sign in to Microsoft 365 with your global admin account.
-2. SelectΓÇ»[Activate Mobile Device Management](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). If the service is activated, instead the activation steps you'll see a link toΓÇ»[Manage Devices](https://admin.microsoft.com/adminportal/home#/MifoDevices)ΓÇ».
+2. Select [Activate Mobile Device Management](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). If the service is activated, instead the activation steps you'll see a link to [Manage Devices](https://admin.microsoft.com/adminportal/home#/MifoDevices) .
-3. Go toΓÇ»**Device policies**.
+3. Go to **Device policies**.
:::image type="content" source="../../media/basic-mobility-security/bms-4-policy.png" alt-text="Basic Security and Mobility policy settings.":::
-4. Create and deploy device security policies appropriate for your organization following the steps inΓÇ»[Create device security policies in Basic Mobility and Security](create-device-security-policies.md).
+4. Create and deploy device security policies appropriate for your organization following the steps in [Create device security policies in Basic Mobility and Security](create-device-security-policies.md).
> [!TIP] >
Users with Android or iOS devices are required to install the Company Portal app
## Related content [Capabilities of Basic Mobility and Security](capabilities.md) (article)\
-[Create device security policies in Basic Mobility and Security](create-device-security-policies.md) (article)
+[Create device security policies in Basic Mobility and Security](create-device-security-policies.md) (article)
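Review bot: step 2 of the device policy procedure still reads "If the service is activated, instead the activation steps you'll see a link to", which is missing "of", and the replacement line leaves a space between the Manage Devices link and the closing period. Suggest "instead of the activation steps, you'll see a link to [Manage Devices]." The link label is also "Activate Mobile Device Management" here, while the activation section links the same URL as "Activate Basic Mobility and Security"; use one label for both.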
admin Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/troubleshoot.md
To start, check the following:
## iOS phone or tablet -- Make sure that you've set up an APNs certificate. For more info, see [Create an APNs Certificate for iOS devices](create-an-apns-certificate-for-ios-devices.md).
+- Make sure that you've set up an APNs certificate. For more info, see [Create an APNs Certificate for iOS devices](create-an-apns-certificate-for-ios-devices.md).
-- In **Settings** > **General** > **Profile (or Device Management)**, make sure that a Management Profile is not already installed. If it is, remove it.
+- In **Settings** > **General** > **Profile (or Device Management)**, make sure that a Management Profile is not already installed. If it is, remove it.
- If you see the error message, "Device failed to enroll," sign in to Microsoft 365 and make sure that a license that includes Exchange Online has been assigned to the user who is signed in to the device.
To start, check the following:
## Windows RT -- Make sure that your domain is set up in Microsoft 365 to work with Basic Mobility and Security. For more info, see [Set up Basic Mobility and Security](set-up.md).
+- Make sure that your domain is set up in Microsoft 365 to work with Basic Mobility and Security. For more info, see [Set up Basic Mobility and Security](set-up.md).
-- Make sure that the user is choosing **Turn On** rather than choosing **Join**.
+- Make sure that the user is choosing **Turn On** rather than choosing **Join**.
## Windows 10 PC -- Make sure that your domain is set up in Microsoft 365 to work with Basic Mobility and Security. For more info, see [Set up Basic Mobility and Security](set-up.md).
+- Make sure that your domain is set up in Microsoft 365 to work with Basic Mobility and Security. For more info, see [Set up Basic Mobility and Security](set-up.md).
-- Unless you have Azure Active Directory Premium, make sure that the user is choosing **Enroll in Device Management only** rather than choosing **Connect**.
+- Unless you have Azure Active Directory Premium, make sure that the user is choosing **Enroll in Device Management only** rather than choosing **Connect**.
## Android phone or tablet
To start, check the following:
- If you see the error message, "We couldn't enroll this device," sign in to Microsoft 365 and make sure that a license that includes Exchange Online has been assigned to the user who is signed in to the device. -- Check the Notification Area on the device to see if any required end-user actions are pending, and if they are, complete the actions.
+- Check the Notification Area on the device to see if any required end-user actions are pending, and if they are, complete the actions.
admin Turn Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/turn-off.md
To effectively turn off Basic Mobility and Security, you remove groups of people
These options remove Basic Mobility and Security enforcement for devices in your organization. Unfortunately, you can't simply "unprovision" Basic Mobility and Security after you've set it up. > [!IMPORTANT]
-> Be aware of the impact on users' devices when you remove user security groups from policies or remove the policies themselves. For example, email profiles and cached emails might be removed, depending on the device. For more info, seeΓÇ» [What happens when you delete a policy or remove a user from the policy?](../../admin/basic-mobility-security/create-device-security-policies.md)
+> Be aware of the impact on users' devices when you remove user security groups from policies or remove the policies themselves. For example, email profiles and cached emails might be removed, depending on the device. For more info, see [What happens when you delete a policy or remove a user from the policy?](../../admin/basic-mobility-security/create-device-security-policies.md)
## Remove user security groups from Basic Mobility and Security device policies
-1. In your browser type:ΓÇ»[https://protection.office.com/devicev2](https://protection.office.com/devicev2).
+1. In your browser type: [https://protection.office.com/devicev2](https://protection.office.com/devicev2).
2. Select a device policy, and select **Edit policy**.
-3. On the  **Deployment**  page, select **Remove**.
+3. On the **Deployment** page, select **Remove**.
-4. UnderΓÇ» **Groups**, select a security group.
+4. Under **Groups**, select a security group.
-5. Select ΓÇ»**Remove**, and select **Save**.
+5. Select **Remove**, and select **Save**.
## Remove Basic Mobility and Security device policies
-1. In your browser type:ΓÇ»[https://protection.office.com/devicev2](https://protection.office.com/devicev2).
+1. In your browser type: [https://protection.office.com/devicev2](https://protection.office.com/devicev2).
-2. Select a device policy, and then select ΓÇ»**Delete policy**.
+2. Select a device policy, and then select **Delete policy**.
-3. In the Warning dialog box, select **Yes**.
+3. In the Warning dialog box, select **Yes**.
> [!NOTE]
-> For more steps to unblock devices if your organization devices are still in a blocked state, see the blog post [Removing Access Control from Mobile Device Management for Office 365](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Removing-Access-Control-from-Mobile-Device-Management-for-Office/ba-p/279934).
+> For more steps to unblock devices if your organization devices are still in a blocked state, see the blog post [Removing Access Control from Mobile Device Management for Office 365](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Removing-Access-Control-from-Mobile-Device-Management-for-Office/ba-p/279934).
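Review bot: in the IMPORTANT callout, the link text "What happens when you delete a policy or remove a user from the policy?" names a specific section, but the target is create-device-security-policies.md with no anchor, so readers land at the top of the article. Add the section anchor. The "../../admin/basic-mobility-security/" prefix can also be dropped, because the other articles in this folder link to create-device-security-policies.md by file name alone.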
admin Wipe Mobile Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/wipe-mobile-device.md
You can use built-in Basic Mobility and Security for Microsoft 365 to remove onl
## Before you begin
-Mobile devices can store sensitive organizational information and provide access to your organization's Microsoft 365 resources. To help protect your organization's information, you can do Factory reset or Remove company data:
+Mobile devices can store sensitive organizational information and provide access to your organization's Microsoft 365 resources. To help protect your organization's information, you can do Factory reset or Remove company data:
- **Factory reset**: Deletes all data on a user's mobile device, including installed applications, photos, and personal information. When the wipe is complete, the device is restored to its factory settings. - **Remove company data**: Removes only organization data and leaves installed applications, photos, and personal information on a user's mobile device. - **When a device is wiped (Factory Reset or Remove Company Data)**, the device is removed from the list of managed devices.
-
-- **Automatically reset a device**: You can set up a Basic Mobility and Security policy that automatically factory resets a device after the user unsuccessfully tries to enter the device password a specific number of times. To do this, follow the steps inΓÇ»[Create device security policies in basic mobility and security](create-device-security-policies.md).
-
-- **If you want to know the user experience** when you wipe their device, seeΓÇ» [What's the user and device impact?](#whats-the-user-and-device-impact).+
+- **Automatically reset a device**: You can set up a Basic Mobility and Security policy that automatically factory resets a device after the user unsuccessfully tries to enter the device password a specific number of times. To do this, follow the steps in [Create device security policies in basic mobility and security](create-device-security-policies.md).
+
+- **If you want to know the user experience** when you wipe their device, see [What's the user and device impact?](#whats-the-user-and-device-impact).
## Wipe a mobile device
-1. Go to theΓÇ»[Microsoft 365 admin center](../../admin/admin-overview/about-the-admin-center.md).
+1. Go to the [Microsoft 365 admin center](../../admin/admin-overview/about-the-admin-center.md).
2. Type Mobile Device Management into the search field, and select **Mobile Device Management** from the list of results.
Wipe a device for these reasons:
The wipe is sent immediately to the mobile device and the device is marked as not compliant in Azure active directory. While all data is removed when a device is reset to factory defaults, the following table describes what content is removed for each device type when a device when you remove company data.
-|**Content impact**|**iOS**|**Android**|
-|:--|:--|:--|
+|Content impact|iOS|Android|
+||||
|Microsoft 365 app data is wiped if the device is protected by Intune App Protection policies. The apps aren't removed. For devices not protected by Mobile Application Management (MAM) policies, Outlook and OneDrive won't remove cached data.<br/>**Note** For applying Intune App protection policies you must have an Intune license.|Yes|Yes| |Policy settings applied by Basic Mobility and Security to devices are no longer enforced; users can change the settings.|Yes|Yes| |Email profiles created by Basic Mobility and Security are removed and cached email on the device is deleted.|Yes|N/A|
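Review bot: the new "Automatically reset a device" bullet links to "Create device security policies in basic mobility and security" in lower case, while the same article is titled "Create device security policies in Basic Mobility and Security" everywhere else in this set; match the casing. The sentence introducing the table just above the changed header rows also needs repair: "what content is removed for each device type when a device when you remove company data" has a leftover "when a device", and "Azure active directory" should be capitalized as a product name.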
admin Create Dns Records At 1 1 Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-1-1-internet.md
ms.localizationpriority: medium -+ - M365-subscription-management - Adm_O365 - Adm_NonTOC
description: "Learn to verify your domain and set up DNS records for email, Skyp
# Connect your DNS records at IONOS by 1&1 to Microsoft 365
- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
If IONOS by 1&1 is your DNS hosting provider, follow the steps in this article to verify your domain and set up DNS records for email, Skype for Business Online, and so on.
If IONOS by 1&1 is your DNS hosting provider, follow the steps in this article t
You have two options for setting up DNS records for your domain: -- [**Use Domain Connect**](#use-domain-connect-to-verify-and-set-up-your-domain) If you haven't set up your domain with another email service provider, use the Domain Connect steps to automatically verify and set up your new domain to use with Microsoft 365.
+- [**Use Domain Connect**](#use-domain-connect-to-verify-and-set-up-your-domain) If you haven't set up your domain with another email service provider, use the Domain Connect steps to automatically verify and set up your new domain to use with Microsoft 365.
OR -- [**Use the manual steps**](#create-dns-records-with-manual-setup) Verify your domain using the manual steps below and choose when and which records to add to your domain registrar. This allows you to set up new MX (mail) records, for example, at your convenience.
+- [**Use the manual steps**](#create-dns-records-with-manual-setup) Verify your domain using the manual steps below and choose when and which records to add to your domain registrar. This allows you to set up new MX (mail) records, for example, at your convenience.
## Use Domain Connect to verify and set up your domain
Follow these steps to automatically verify and set up your IONOS by 1&1 domain w
:::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup.":::
-1. On the How do you want to connect your domain? page, select **Continue**.
+1. On the How do you want to connect your domain? page, select **Continue**.
1. On the Add DNS records page, select **Add DNS records**.
Follow these steps to automatically verify and set up your IONOS by 1&1 domain w
:::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-3.png" alt-text="Select Connect, and then Allow.":::
- This completes your domain setup for Microsoft 365.
+ This completes your domain setup for Microsoft 365.
## Create DNS records with manual setup After you add these records at IONOS by 1&1, your domain will be set up to work with Microsoft services.
-
+ > [!CAUTION] > Note that IONOS by 1&1 doesn't allow a domain to have both an MX record and a top-level Autodiscover CNAME record. This limits the ways in which you can configure Exchange Online for Microsoft. There is a workaround, but we recommend employing it **only** if you already have experience with creating subdomains at IONOS by 1&1. > If despite this [service limitation](../setup/domains-faq.yml) you choose to manage your own Microsoft DNS records at IONOS by 1&1, follow the steps in this article to verify your domain and to set up DNS records for email, Skype for Business Online, and so on.
-
+ > [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+ ### Add a TXT record for verification Before you use your domain with Microsoft, we have to make sure that you own it. Your ability to log in to your account at your domain registrar and create the DNS record proves to Microsoft that you own the domain.
-
+ > [!NOTE] > This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
-
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
Before you use your domain with Microsoft, we have to make sure that you own it.
1. On the Add a DNS record page, in the boxes for the new record, type or copy and paste the values from the following table.
- |**Host name** <br/> |**Value** <br/> | **TTL**
- |:--|:--|:--|
- |(Leave this field blank) <br/> |MS=ms *XXXXXXXX* <br/> NOTE: This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) | 1 hour |
+ |Host name|Value|TTL|
+ ||||
+ |(Leave this field blank)|MS=ms *XXXXXXXX* <br/> NOTE: This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|1 hour|
1. Select **Save**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-5.png" alt-text="Select Save.":::
-
+ Wait a few minutes before you continue, so that the record you just created can update across the Internet. Now that you've added the record at your domain registrar's site, you'll go back to Microsoft 365 and request Microsoft 365 to look for the record. When Microsoft finds the correct TXT record, your domain is verified. To verify the record in Microsoft 365:
-
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">**Domains**</a>. 1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
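Review bot: The delimiter row of the rewritten table is `||||` (under `|Host name|Value|TTL|`), which contains no dashes, so Markdown renderers will not treat these lines as a table; restore a row such as `|---|---|---|`. The same empty delimiter row appears in the other rewritten tables in this change. While the row is being touched, the note in the Value cell still tells the reader to use the **Destination or Points to Address** value, a name that matches no column in this table.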
To verify the record in Microsoft 365:
:::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup."::: 1. Select **Continue**.
-
+ 1. On the **Verify domain** page, select **Verify**. > [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+ ### Add an MX record so email for your domain will come to Microsoft
-
+ > [!NOTE]
-> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
+> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
To verify the record in Microsoft 365:
1. Select the **MX** section. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-MX.png" alt-text="Select the MX section.":::
-
+ 1. On the Add a DNS record page, in the boxes for the new record, type or copy and paste the values from the following table.
- | **Host name**| **Points to** |**Priority**| **TTL** |
- |:--|:--|:--| :--|
- | @ | *\<domain-key\>* .mail.protection.outlook.com <br/> NOTE: Get your \<domain-key\> from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |10 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) | 1 hour |
-
+ |Host name|Points to|Priority|TTL|
+ |||||
+ |@|*\<domain-key\>*.mail.protection.outlook.com <br/> NOTE: Get your \<domain-key\> from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|10 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml)|1 hour|
+ 1. Select **Save**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-MX-Save.png" alt-text="Select Save.":::
To verify the record in Microsoft 365:
### Add the CNAME record required for Microsoft > [!NOTE]
-> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
-
+> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
- Now you'll create two subdomains and set an **Alias** value for each.<br/>(This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)<br/>First, you'll create the Autodiscover subdomain.
+ Now you'll create two subdomains and set an **Alias** value for each.
+
+ (This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)
+
+ First, you'll create the Autodiscover subdomain.
1. Select **Subdomains**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::
-
+ 1. Select **Add subdomain**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::
-
+ 1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)
- |**Add subdomain**| **Alias** |
- |:--|:--|
- |autodiscover <br/> | autodiscover.outlook.com |
+ |Add subdomain|Alias|
+ |||
+ |autodiscover|autodiscover.outlook.com|
-1. Under **Actions** for the **autodiscover** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list. <br/>
+1. Under **Actions** for the **autodiscover** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list.
1. Select **Add record**, and then select the **CNAME** section.
-1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table. <br/>
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+
+ |Add subdomain|Alias|
+ |||
+ |autodiscover|autodiscover.outlook.com|
- |**Add subdomain**| **Alias** |
- |:--|:--|
- |autodiscover <br/> | autodiscover.outlook.com |
-
1. Select **Save**. ## Add a TXT record for SPF to help prevent email spam > [!IMPORTANT]
-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values. Need examples? Check out these [External Domain Name System records for Microsoft](../../enterprise/external-domain-name-system-records.md). To validate your SPF record, you can use one of these[SPF validation tools](../setup/domains-faq.yml).
-
+> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values. Need examples? Check out these [External Domain Name System records for Microsoft](../../enterprise/external-domain-name-system-records.md). To validate your SPF record, you can use one of these[SPF validation tools](../setup/domains-faq.yml).
+ > [!NOTE]
-> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
-
+> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
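Review bot: The re-added IMPORTANT note about SPF still reads `one of these[SPF validation tools]` with no space before the link; since the line is being rewritten anyway, add the space. The added paragraph about subdomains also says `1&1 IONOS` where the rest of the article says `IONOS by 1&1`; use one name throughout.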
To verify the record in Microsoft 365:
:::image type="content" source="../../media/dns-IONOS/IONOS-domains-SPFTXT.png" alt-text="Select the SPF (TXT) section.":::
-1. In the boxes for the new record, type or copy and paste the values from the following table. <br/>
+1. In the boxes for the new record, type or copy and paste the values from the following table.
+
+ |Type|Host name|Value|TTL|
+ |||||
+ |SPF (TXT)|(Leave this field empty.)|v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|1 hour|
- |**Type**|**Host name**|**Value**| **TTL** |
- |:--|:--|:--|:--|
- |SPF (TXT) <br/> |(Leave this field empty.) <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. | 1 hour |
-
1. Select **Save**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SPFTXT-Save.png" alt-text="Select Save."::: ## Advanced option: Skype for Business
-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
+Only select this option if your organization uses Skype for Business for online communication services like chat, conference calls, and video calls, in addition to Microsoft Teams. Skype needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
### Add two additional CNAME records
-
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
- Now you'll create two subdomains and set an **Alias** value for each.<br/>(This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)<br/>First, you'll create the lyncdiscover subdomain.
+ Now you'll create two subdomains and set an **Alias** value for each.
+
+ (This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)
+
+ First, you'll create the lyncdiscover subdomain.
1. Select **Subdomains**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::
-
+ 1. Select **Add subdomain**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::
-1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)<br/>
+1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)
- |**Add subdomain**|**Alias**|
- |:--|:--|
+ |Add subdomain|Alias|
+ |||
|lyncdiscover |webdir.online.lync.com |
-1. Under **Actions** for the **lyncdiscover** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list. <br/>
+1. Under **Actions** for the **lyncdiscover** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list.
1. Select **Add record**, and then select the **CNAME** section.
-1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table. <br/>
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
- |**Create Subdomain**|**Alias**|
- |:--|:--|
- |lyncdiscover <br/> |webdir.online.lync.com <br/> |
+ |Create Subdomain|Alias|
+ |||
+ |lyncdiscover|webdir.online.lync.com|
-1. Create another subdomain (SIP): <br/>Select **Add subdomain**.
+1. Create another subdomain (SIP): Select **Add subdomain**.
-1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.) <br/>
+1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)
- |**Add subdomain**|**Alias**|
- |:--|:--|
- |sip <br/> |sipdir.online.lync.com <br/> |
+ |Add subdomain|Alias|
+ |||
+ |sip|sipdir.online.lync.com|
-1. Under **Actions** for the subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list. <br/>
+1. Under **Actions** for the subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list.
1. Select **Add record**.
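Review bot: The table under the **Alias:** step for lyncdiscover is headed `Create Subdomain`, while the earlier table and the control named in the steps are `Add subdomain`; use the same header in both so readers are not left looking for a second control. In the rewritten Skype for Business paragraph, `to sign-in and connect users` uses the noun form as a verb; `to sign in` reads correctly.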
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
1. Select the **CNAME** section.
-1. in the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+1. in the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
- |**Create Subdomain**|**Alias**|
- |:--|:--|
- |sip <br/> |sipdir.online.lync.com <br/> |
+ |Create Subdomain|Alias|
+ |||
+ |sip|sipdir.online.lync.com|
1. Select the check box for the **I am aware** disclaimer, and then select **Save**. ## Add the two SRV records required for Microsoft
-
+ > [!NOTE]
-> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
-
+> If you've registered with 1und1.de, [sign in here](https://go.microsoft.com/fwlink/?linkid=859152).
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
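Review bot: The re-added step `1. in the **Alias:** box, ...` still starts with a lowercase `in`; capitalize it to match the other steps. The heading `## Add the two SRV records required for Microsoft` is also one level higher than its sibling `### Add two additional CNAME records` inside the same Skype for Business section, which should be checked while this block is being edited.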
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
:::image type="content" source="../../media/dns-IONOS/IONOS-domains-SRV.png" alt-text="Select the SRV section.":::
-1. In the boxes for the new record, type or copy and paste the values from the following table. <br/>
+1. In the boxes for the new record, type or copy and paste the values from the following table.
+
+ |Type|Service|Protocol|Host name|Points to|Priority|Weight|Port|TTL|
+ ||||||||||
+ |SRV|_sip|tls|(Leave this field empty.)|sipdir.online.lync.com|100|1|443|1 hour|
+ |SRV|_sipfederationtls|tcp|(Leave this field empty.)|sipfed.online.lync.com|100|1|5061|1 hour|
- |**Type**|**Service**|**Protocol**|**Host name**|**Points to**|**Priority**|**Weight**|**Port**|**TTL**|
- |:--|:--|:--|:--|:--|:--|:--|:--|:--|
- |SRV <br/> |_sip <br/> |tls <br/> |(Leave this field empty.) <br/> |sipdir.online.lync.com <br/> |100 <br/> |1 <br/> |443 <br/> |1 hour <br/> |
- |SRV <br/> |_sipfederationtls <br/> |tcp <br/> |(Leave this field empty.) <br/> |sipfed.online.lync.com <br/> |100 <br/> |1 <br/> |5061 <br/> |1 hour <br/> |
-
1. Select **Save**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SRV-Save.png" alt-text="Select Save.":::
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
1. Add the other SRV record. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
## Advanced option: Intune and Mobile Device Management for Microsoft 365
-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs 2 CNAME records so that users can enroll devices to the service.
+This service helps you secure and remotely manage mobile devices that connect to your domain. Mobile Device Management needs 2 CNAME records so that users can enroll devices to the service.
### Add the two required CNAME records > [!IMPORTANT]
-> Follow the subdomain procedure that you used for the other CNAME records, and supply the values from the following table.
-
+> Follow the subdomain procedure that you used for the other CNAME records, and supply the values from the following table.
+ 1. To get started, go to your domains page at IONOS by 1&1 by using [this link](https://my.1and1.com/). You'll be prompted to log in. 1. Select **Menu**, and then select **Domains and SSL**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::
-
+ 1. Under **Actions** for the domain that you want to update, select the gear control, and then select **DNS**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::
- Now you'll create two subdomains and set an **Alias** value for each.<br/>(This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)<br/>First, you'll create the lyncdiscover subdomain.
+ Now you'll create two subdomains and set an **Alias** value for each.
+
+ (This is required because 1&1 IONOS supports only one top-level CNAME record, but Microsoft requires several CNAME records.)
+
+ First, you'll create the lyncdiscover subdomain.
1. Select **Subdomains**.
-
+ :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::
-
+ 1. Select **Add subdomain**. :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::
-1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)<br/>
+1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)
- |**Add subdomain**|**Alias**|
- |:--|:--|
- |enterpriseregistration <br/> |enterpriseregistration.windows.net <br/> |
+ |Add subdomain|Alias|
+ |||
+ |enterpriseregistration|enterpriseregistration.windows.net|
-1. Under **Actions** for the **enterpriseregistration** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list. <br/>
+1. Under **Actions** for the **enterpriseregistration** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list.
1. Select **Add record**, and then select the **CNAME** section.
-1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table. <br/>
+1. In the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
- |**Add subdomain**|**Alias**|
- |:--|:--|
- |enterpriseregistration <br/> |enterpriseregistration.windows.net <br/> |
+ |Add subdomain|Alias|
+ |||
+ |enterpriseregistration|enterpriseregistration.windows.net|
-1. Create another subdomain: <br/>Select **Add subdomain**.
+1. Create another subdomain: Select **Add subdomain**.
-1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.) <br/>
+1. In the **Add subdomain** box for the new subdomain, type or copy and paste only the **Add subdomain** value from the following table. (You'll add the **Alias** value in a later step.)
- |**Add subdomain**|**Alias**|
- |:--|:--|
- |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com <br/> |
+ |Add subdomain|Alias|
+ |||
+ |enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com|
-1. Under **Actions** for the **enterpriseenrollment** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list. <br/>
+1. Under **Actions** for the **enterpriseenrollment** subdomain that you just created, select the gear control, and then select **DNS** from the drop-down list.
1. Select **Add record**.
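Review bot: In the Intune and Mobile Device Management section the added lead-in still ends with `First, you'll create the lyncdiscover subdomain.`, but the steps and tables that follow create `enterpriseregistration` and `enterpriseenrollment`. The sentence looks copied from the Skype for Business section and should name the enterpriseregistration subdomain instead.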
This service helps you secure and remotely manage mobile devices that connect to
1. Select the **CNAME** section.
-1. in the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
+1. in the **Alias:** box, type or copy and paste only the **Alias** value from the following table.
- |**Create Subdomain**|**Alias**|
- |:--|:--|
- |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com <br/> |
+ |Create Subdomain|Alias|
+ |||
+ |enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com|
-1. Select the check box for the **I am aware** disclaimer, and then select **Save**.
+1. Select the check box for the **I am aware** disclaimer, and then select **Save**.
admin Create Dns Records At Aws https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-aws.md
Only select this option if your organization uses Skype for Business for online
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page at AWS by using [this link](https://console.aws.amazon.com/route53/home). You'll be prompted to log in first.
admin Create Dns Records At Cloudflare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-cloudflare.md
Only select this option if your organization uses Skype for Business for online
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page at Cloudflare by using [this link](https://www.cloudflare.com/a/login). You'll be prompted to log in first.
admin Create Dns Records At Godaddy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-godaddy.md
Follow these steps to automatically verify and set up your GoDaddy domain with M
1. On the GoDaddy login page, sign in to your account, and select **Authorize**.
- This completes your domain setup for Microsoft 365.
+ This completes your domain setup for Microsoft 365.
## Create DNS records with manual setup
Before you use your domain with Microsoft, we have to make sure that you own it.
1. In the boxes for the new record, type or copy and paste the values from the table.
- |**Type** |**Host**|**TXT Value**|**TTL** |
- |:--|:--|:--|:--|
- |TXT |@|MS=ms *XXXXXXXX*<br>**Note**: This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|1 hour <br>|
+ |Type|Host|TXT Value|TTL|
+ |||||
+ |TXT|@|MS=ms *XXXXXXXX*<br>**Note**: This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|1 hour <br>|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXT-values.png" alt-text="Fill in the values from the table for the TXT record.":::
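Review bot: The TTL cell of the rewritten TXT row still ends in `1 hour <br>|`, while the `<br/>` padding was dropped from the cells of the other rewritten tables; remove it here as well so the cleanup is consistent.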
To verify the record in Microsoft 365:
5. In the boxes for the new record, type or copy and paste the values from the following table.
- (Choose the **Type** and **TTL** values from the drop-down list.)
+ (Choose the **Type** and **TTL** values from the drop-down list.)
- |**Type**|**Host**|**Points to**|**Priority**|**TTL**|
- |:--|:--|:--|:--|:--|
- |MX <br/> |@ <br/> | *\<domain-key\>* .mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |10 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/> |1 hour <br/> |
+ |Type|Host|Points to|Priority|TTL|
+ ||||||
+ |MX|@| *\<domain-key\>*.mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|10 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml)|1 hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-Type.png" alt-text="Fill in the values from the table for the MX record.":::
To verify the record in Microsoft 365:
5. Create the CNAME record.
- In the boxes for the new record, type or copy and paste the values from the first row of the following table.
+ In the boxes for the new record, type or copy and paste the values from the first row of the following table.
- (Choose the **TTL** value from the drop-down list.)
+ (Choose the **TTL** value from the drop-down list.)
- |**Type**|**Host**|**Points to**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |autodiscover <br/> |autodiscover.outlook.com <br/> |1 hour <br/> |
+ |Type|Host|Points to|TTL|
+ |||||
+ |CNAME|autodiscover|autodiscover.outlook.com|1 hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-CNAME-values.png" alt-text="Fill in the values from the table for the CNAME record.":::
To verify the record in Microsoft 365:
5. In the boxes for the new record, type or copy and paste the following values.
- (Choose the **TTL** value from the drop-down lists.)
+ (Choose the **TTL** value from the drop-down lists.)
- |**Type**|**Host**|**TXT Value**|**TTL**|
- |:--|:--|:--|:--|
- |TXT <br/> |@ <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |1 hour <br/> |
+ |Type|Host|TXT Value|TTL|
+ |||||
+ |TXT|@|v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|1 hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXT-values.png" alt-text="Fill in the values from the table for the TXT record.":::
To verify the record in Microsoft 365:
## Advanced option: Skype for Business
-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
+Only select this option if your organization uses Skype for Business for online communication services like chat, conference calls, and video calls, in addition to Microsoft Teams. Skype needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
### Add the two required SRV records
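Review bot: In the rewritten intro sentence, "2 CNAME records to sign-in and connect users" uses the hyphenated noun form as a verb; it should read "to sign in and connect users". The sentence also shortens the product to "Skype" right after naming it "Skype for Business"; use the full name both times.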
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
1. Create the first SRV record.
- In the boxes for the new record, type or copy and paste the values from the first row of the following table.
+ In the boxes for the new record, type or copy and paste the values from the first row of the following table.
- (Choose the **Type** and **TTL** values from the drop-down lists.)
+ (Choose the **Type** and **TTL** values from the drop-down lists.)
- |**Type**|**Service**|**Protocol**| **Name** | **Target**|**Priority**|**Weight**|**Port**|**TTL**|
- |:--|:--|:--|:--|:--|:--|:--|:--|:--|
- |SRV <br/> |_sip <br/> |_tls <br/> |@ <br/> |sipdir.online.lync.com <br/> |100 <br/> | 1 <br/> |443 <br/> |1 Hour <br/> |
- |SRV <br/> |_sipfederationtls <br/> |_tcp <br/> |@ <br/> | sipfed.online.lync.com <br/> | 100 <br/> |1 <br/> |5061 <br/> |1 Hour <br/> |
+ |Type|Service|Protocol|Name|Target|Priority|Weight|Port|TTL|
+ ||||||||||
+ |SRV|_sip|_tls|@|sipdir.online.lync.com|100| 1|443|1 Hour|
+ |SRV|_sipfederationtls|_tcp|@| sipfed.online.lync.com| 100|1|5061|1 Hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-SRV-values.png" alt-text="Fill in the values from the table for the SRV record.":::
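Review bot: The new SRV rows keep stray padding from the old layout: `| 1|` in the first row and `| sipfed.online.lync.com| 100|` in the second. Trim the spaces so these cells match the rest of the table. TTL is written "1 Hour" here but "1 hour" in the CNAME and TXT tables earlier in the same article; pick one.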
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page at GoDaddy by using [this link](https://account.godaddy.com/products/?go_redirect=disabled). If you're prompted to log in, use your login credentials, select your login name in the upper right, and then select **My Products**.
-2. Under **Domains**, select the three dots next to the domain you want to verify, and then select **Manage DNS**.
+1. Under **Domains**, select the three dots next to the domain you want to verify, and then select **Manage DNS**.
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-1.png" alt-text="Select Manage DNS from the drop-down list.":::
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
1. In the empty boxes for the new records, type or copy and paste the values from the first row in the following table.
- |**Type**|**Host**|**Points to**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |sip <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |
- |CNAME <br/> |lyncdiscover <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |
+ |Type|Host|Points to|TTL|
+ |||||
+ |CNAME|sip|sipdir.online.lync.com. <br/> **This value MUST end with a period (.)**|1 Hour|
+ |CNAME|lyncdiscover|webdir.online.lync.com. <br/> **This value MUST end with a period (.)**|1 Hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-CNAME-values.png" alt-text="Fill in the values from the table for the CNAME record.":::
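Review bot: Both rows of this table say the target MUST end with a period, but the autodiscover CNAME row and the two SRV rows earlier in the same article give `autodiscover.outlook.com`, `sipdir.online.lync.com` and `sipfed.online.lync.com` with no period and no comment. State which form the GoDaddy record form expects and make the tables agree, so a reader does not enter one target as a fully qualified name and another in a form the provider may treat differently.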
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
## Advanced option: Intune and Mobile Device Management for Microsoft 365
-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs 2 CNAME records so that users can enroll devices to the service.
+This service helps you secure and remotely manage mobile devices that connect to your domain. Mobile Device Management needs 2 CNAME records so that users can enroll devices to the service.
-### Add the two required CNAME records
+### Add the two required CNAME records Mobile Device Management
1. To get started, go to your domains page at GoDaddy by using [this link](https://account.godaddy.com/products/?go_redirect=disabled).
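Review bot: The new heading `### Add the two required CNAME records Mobile Device Management` is missing "for"; the Skype heading in the same change reads "Add the two required CNAME records for Skype for Business". Suggest `### Add the two required CNAME records for Mobile Device Management`. The intro line above it also says "needs 2 CNAME records" with a numeral while the heading spells out "two".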
This service helps you secure and remotely manage mobile devices that connect to
1. In the empty boxes for the new records, type or copy and paste the values from the first row in the following table.
- |**Type**|**Host**|**Points to**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |enterpriseregistration <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |
- |CNAME <br/> |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/> |1 Hour <br/> |
+ |Type|Host|Points to|TTL|
+ |||||
+ |CNAME|enterpriseregistration|enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)**|1 Hour|
+ |CNAME|enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)**|1 Hour|
:::image type="content" source="../../media/dns-godaddy/godaddy-domains-CNAME-values.png" alt-text="Fill in the values from the table for the CNAME record.":::
admin Create Dns Records At Namecheap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-namecheap.md
ms.localizationpriority: medium -+ - M365-subscription-management - Adm_O365 - Adm_NonTOC
description: "Learn to verify your domain and set up DNS records for email, Skyp
# Connect your DNS records at Namecheap to Microsoft 365
- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
-
+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
+ If Namecheap is your DNS hosting provider, follow the steps in this article to verify your domain and set up DNS records for email, Skype for Business Online, and so on.
-
+ After you add these records at Namecheap, your domain will be set up to work with Microsoft services.
-
+ > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Add a TXT record for verification Before you use your domain with Microsoft, we have to make sure that you own it. Your ability to log in to your account at your domain registrar and create the DNS record proves to Microsoft that you own the domain.
-
+ > [!NOTE]
-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
-
+> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
+ 1. To get started, go to your domains page at Namecheap by using [this link](https://www.namecheap.com/myaccount/login.aspx?ReturnUrl=%2f). You'll be prompted to Sign in and Continue. :::image type="content" source="../../media/1827f9fc-4dc9-4f9d-a392-7817c47b00b3.png" alt-text="Sign in to Namecheap.":::
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Select Domain List from the drop-down list.":::
Before you use your domain with Microsoft, we have to make sure that you own it.
:::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW RECORD."::: 1. In the **Type** drop-down, select **TXT Record**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
:::image type="content" source="../../media/a5b40973-19b5-4c32-8e1b-1521aa971836.png" alt-text="Select TXT Record."::: 1. In the boxes for the new record, type or copy and paste the values from the following table.
-
- (Choose the **TTL** value from the drop-down list.)
-
- |**Type**|**Host**|**Value**|**TTL**|
- |:--|:--|:--|:--|
- |TXT <br/> |@ <br/> |MS=ms *XXXXXXXX* <br/>**Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |30 min <br/> |
+
+ (Choose the **TTL** value from the drop-down list.)
+
+ |Type|Host|Value|TTL|
+ |||||
+ |TXT|@|MS=ms *XXXXXXXX* <br/>**Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|30 min|
:::image type="content" source="../../media/fe75c0fd-f85c-4bef-8068-edaf9779b7f1.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/b48d2c67-66b5-4aa4-8e59-0c764f236fac.png" alt-text="Select the Save Changes control."::: 1. Wait a few minutes before you continue, so that the record you just created can update across the Internet.
-
-Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record. When Microsoft finds the correct TXT record, your domain is verified.
+
+Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record. When Microsoft finds the correct TXT record, your domain is verified.
To verify the record in Microsoft 365:
-
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">**Domains**</a>.
-
-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
+
+1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
:::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup."::: 1. Select **Continue**.
-
+ 1. On the **Verify domain** page, select **Verify**.
-
+ > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Add an MX record so email for your domain will come to Microsoft
-
+ 1. To get started, go to your domains page at Namecheap by using [this link](https://www.namecheap.com/myaccount/login.aspx?ReturnUrl=%2f). You'll be prompted to Sign in and Continue. :::image type="content" source="../../media/1827f9fc-4dc9-4f9d-a392-7817c47b00b3.png" alt-text="Sign in to Namecheap.":::
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Choose Domain List from the drop-down list.":::
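Review bot: In the TXT row of the verification table, the example value is written `MS=ms *XXXXXXXX*`, which renders with a space between "ms" and the placeholder, and the row sits next to an instruction to copy and paste the values. Write the placeholder without the space so the example has the shape of a real value. The note in the same cell tells the reader to use the **Destination or Points to Address** value, but this table's column is named **Value**; use one name.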
To verify the record in Microsoft 365:
:::image type="content" source="../../media/05a4f0b9-1d27-448e-9954-2b23304c5f65.png" alt-text="Select Advanced DNS.":::
-1. In the **MAIL SETTINGS** section, select **Custom MX** from the **Email Forwarding** drop-down list.
-
+1. In the **MAIL SETTINGS** section, select **Custom MX** from the **Email Forwarding** drop-down list.
+ (You may have to scroll down.)
- :::image type="content" source="../../media/40199e2c-42cf-4c3f-9936-3cbe5d4e81a4.png" alt-text="Select Custom MX.":::
+ :::image type="content" source="../../media/40199e2c-42cf-4c3f-9936-3cbe5d4e81a4.png" alt-text="Select Custom MX.":::
1. Select **Add New Record**. :::image type="content" source="../../media/8d169b81-ba48-4d51-84ea-a08fa1616457.png" alt-text="ADD NEW RECORD."::: 1. In the boxes for the new record, type or copy and paste the values, from the following table.
-
- (The **Priority** box is the unnamed box to the right of the **Value** box. Choose the **TTL** value from the drop-down list.)
-
- |**Type**|**Host**|**Value**|**Priority**|**TTL**|
- |:--|:--|:--|:--|:--|
- |MX Record <br/> |@ <br/> |\<*domain-key*\>.mail.protection.outlook.com. <br/> **This value MUST end with a period (.)** <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/> |30 min <br/> |
+
+ (The **Priority** box is the unnamed box to the right of the **Value** box. Choose the **TTL** value from the drop-down list.)
+
+ |Type|Host|Value|Priority|TTL|
+ ||||||
+ |MX Record|@|\<*domain-key*\>.mail.protection.outlook.com. <br/> **This value MUST end with a period (.)** <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml)|30 min|
:::image type="content" source="../../media/f3b76d62-5022-48c1-901b-8615a8571309.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/ef4e3112-36d2-47c8-a478-136a565dd71d.png" alt-text="Select the Save Changes control."::: 1. If there are any other MX records, use the following two-step process to remove each of them:
-
- First, select **Delete** (trash can) for the record that you want to remove.
+
+ First, select **Delete** (trash can) for the record that you want to remove.
:::image type="content" source="../../media/7a7a751f-29c2-495f-8f55-98ca37ce555a.png" alt-text="Select Delete.":::
- Second, select **Yes** to confirm the deletion.
+ Second, select **Yes** to confirm the deletion.
:::image type="content" source="../../media/85ebc0c7-8787-43ee-9e7b-647375b3345c.png" alt-text="Select Yes."::: Remove all MX records except for the one that you added earlier in this procedure.
-
+ ## Add the CNAME record required for Microsoft 1. To get started, go to your domains page at Namecheap by using [this link](https://www.namecheap.com/myaccount/login.aspx?ReturnUrl=%2f). You'll be prompted to Sign in and Continue. :::image type="content" source="../../media/1827f9fc-4dc9-4f9d-a392-7817c47b00b3.png" alt-text="Sign in to Namecheap.":::
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Select Domain List.":::
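Review bot: In the MX row, the placeholder is marked up two ways inside one cell, `\<*domain-key*\>` in the value and `*\<domain-key\>*` in the note; use one form. The Priority cell also mixes the value `0` with a sentence and a link, so a reader filling in the unnamed Priority box has to pick the number out of prose; move the "What is MX priority?" pointer to a line under the table.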
To verify the record in Microsoft 365:
:::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW RECORD."::: 1. In the **Type** drop-down, select **CNAME Record**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
:::image type="content" source="../../media/0898f3b2-06ab-4364-a86a-a603a25b39f4.png" alt-text="Select CNAME Record."::: 1. In the empty boxes for the new record, select **CNAME** for the **Record Type**, and then type or copy and paste the values from the first row in the following table.
-
- |**Type**|**Host**|**Value**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |autodiscover <br/> |autodiscover.outlook.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
+
+ |Type|Host|Value|TTL|
+ |||||
+ |CNAME|autodiscover|autodiscover.outlook.com. <br/> **This value MUST end with a period (.)**|Automatic|
:::image type="content" source="../../media/f79c5679-34eb-4544-8517-caa2e8a4111a.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Select the Save Changes control."::: ## Add a TXT record for SPF to help prevent email spam > [!IMPORTANT]
-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
+> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
1. To get started, go to your domains page at Namecheap by using [this link](https://www.namecheap.com/myaccount/login.aspx?ReturnUrl=%2f). You'll be prompted to Sign in and Continue.
-
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Select Domain List.":::
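Review bot: The autodiscover CNAME step says to "select **CNAME** for the **Record Type**" and to use "the first row in the following table", but the step before it already selects **CNAME Record** in the **Type** drop-down and the table has a single row. Reword it to "type or copy and paste the values from the following table" and drop the second type selection.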
To verify the record in Microsoft 365:
:::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW RECORD."::: 1. In the **Type** drop-down, select **TXT Record**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
:::image type="content" source="../../media/c5d1fddb-28b5-48ec-91c9-3e5d3955ac80.png" alt-text="Select TXT Record."::: 1. In the boxes for the new record, type or copy and paste the following values from the following table.
-
- (Choose the **TTL** value from the drop-down list.)
-
- |**Type**|**Host**|**Value**|**TTL**|
- |:--|:--|:--|:--|
- |TXT <br/> |@ <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |30 min <br/> |
+
+ (Choose the **TTL** value from the drop-down list.)
+
+ |Type|Host|Value|TTL|
+ |||||
+ |TXT|@|v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|30 min|
:::image type="content" source="../../media/ea0829f1-990b-424b-b26e-9859468318dd.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/f2846c36-ace3-43d8-be5d-a65e2c267619.png" alt-text="Select the Save Changes control."::: ## Advanced option: Skype for Business
-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
+Only select this option if your organization uses Skype for Business for online communication services like chat, conference calls, and video calls, in addition to Microsoft Teams. Skype needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
### Add the two required SRV records
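Review bot: The [!IMPORTANT] callout under the SPF heading tells readers who already have an SPF record to add the Microsoft values to it, but the table in this hunk only shows a complete standalone record, `v=spf1 include:spf.protection.outlook.com -all`. Say in the callout or under the table which part is to be merged into an existing record, so readers do not create the second SPF record the callout warns against. The step text "type or copy and paste the following values from the following table" also repeats itself.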
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
:::image type="content" source="../../media/1827f9fc-4dc9-4f9d-a392-7817c47b00b3.png" alt-text="Sign in to Namecheap.":::
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Choose Domain List.":::
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
:::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW RECORD."::: 1. In the **Type** drop-down, select **SRV Record**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
:::image type="content" source="../../media/fd55cd7c-2243-4de1-8d39-2c3f7ea3ae51.png" alt-text="Select the SRV Record type."::: 1. In the empty boxes for the new records, type or copy and paste the values from the first row in the following table.
-
- |**Service**|**Protocol**|**Priority**|**Weight**|**Port**|**Target**|**TTL**|
- |:--|:--|:--|:--|:--|:--|:--|
- |_sip <br/> |_tls <br/> |100 <br/> |1 <br/> |443 <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
- |_sipfederationtls <br/> |_tcp <br/> |100 <br/> |1 <br/> |5061 <br/> |sipfed.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
-
+
+ |Service|Protocol|Priority|Weight|Port|Target|TTL|
+ ||||||||
+ |_sip|_tls|100|1|443|sipdir.online.lync.com. <br/> **This value MUST end with a period (.)**|Automatic|
+ |_sipfederationtls|_tcp|100|1|5061|sipfed.online.lync.com. <br/> **This value MUST end with a period (.)**|Automatic|
+ :::image type="content" source="../../media/ff9566ea-0096-4b7f-873c-027080a23b56.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/48a8dee4-c66d-449d-8759-9e9784c82b13.png" alt-text="Select the Save Changes control."::: 1. Add the other SRV record by choosing the values from the second row of the table.
-
+ > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+
+### Add the two required CNAME records for Skype for Business
-### Add the two required CNAME records
-
1. In the **HOST RECORDS** section, select **ADD NEW RECORD**.
-
+ :::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW NAME."::: 1. In the **Type** drop-down, select **CNAME**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
:::image type="content" source="../../media/fd55cd7c-2243-4de1-8d39-2c3f7ea3ae51.png" alt-text="Select CNAME."::: 1. In the empty boxes for the new records, type or copy and paste the values from the first row in the table.
-
- |**Type**|**Host**|**Value**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |sip <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
- |CNAME <br/> |lyncdiscover <br/> |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
+
+ |Type|Host|Value|TTL|
+ |||||
+ |CNAME|sip|sipdir.online.lync.com. <br/> **This value MUST end with a period (.)**|Automatic|
+ |CNAME|lyncdiscover|webdir.online.lync.com. <br/> **This value MUST end with a period (.)**|Automatic|
:::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Copy and paste the CNAME values from the table.":::
-1. Select the **Save Changes** (check mark) control.
+1. Select the **Save Changes** (check mark) control.
:::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Select the Save Changes control."::: 1. Add the other CNAME record by choosing the values from the second row of the table.
-
+ > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Advanced option: Intune and Mobile Device Management for Microsoft 365
-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs two CNAME records so that users can enroll devices to the service.
+This service helps you secure and remotely manage mobile devices that connect to your domain. Mobile Device Management needs two CNAME records so that users can enroll devices to the service.
-### Add the two required CNAME records
+### Add the two required CNAME records for Mobile Device Management
1. To get started, go to your domains page at Namecheap by using [this link](https://www.namecheap.com/myaccount/login.aspx?ReturnUrl=%2f). You'll be prompted to sign in. :::image type="content" source="../../media/1827f9fc-4dc9-4f9d-a392-7817c47b00b3.png" alt-text="Sign in to Namecheap.":::
-1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
+1. On the landing page, under **Account**, choose **Domain List** from the drop-down list.
:::image type="content" source="../../media/3f457d64-4589-422c-ae34-fc24b0e819eb.png" alt-text="Select Domain List."::: 1. On the **Domain List** page, select the domain that you want to edit, and then select **Manage**.
-
+ :::image type="content" source="../../media/fb2020d8-707c-4148-835e-304ac6244d66.png" alt-text="Select Manage."::: 1. Select **Advanced DNS**.
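Review bot: The added image line in the Skype for Business CNAME steps has alt-text "Select ADD NEW NAME.", but the step it illustrates says to select **ADD NEW RECORD**, and the same image file carries "Select ADD NEW RECORD." elsewhere in this article. The next image, with alt-text "Select CNAME.", uses the same source file as the "Select the SRV Record type." image in the SRV steps; check that it shows the CNAME choice. The type is also called **CNAME** in this step and **CNAME Record** in the other sections.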
This service helps you secure and remotely manage mobile devices that connect to
:::image type="content" source="../../media/05a4f0b9-1d27-448e-9954-2b23304c5f65.png" alt-text="Select Manage DNS Records from the drop-down list."::: 1. In the **HOST RECORDS** section, select **ADD NEW RECORD**.
-
+ :::image type="content" source="../../media/8849abfe-deb6-4f6a-b56d-e69be9a28b0f.png" alt-text="Select ADD NEW RECORD."::: 1. In the **Type** drop-down, select **CNAME Record**.
-
+ > [!NOTE]
- > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
-
+ > The **Type** drop-down automatically appears when you select **ADD NEW RECORD**.
+ :::image type="content" source="../../media/0898f3b2-06ab-4364-a86a-a603a25b39f4.png" alt-text="Select CNAME Record."::: 1. In the empty boxes for the new records, type or copy and paste the values from the first row in the table.
-
- |**Type**|**Host**|**Value**|**TTL**|
- |:--|:--|:--|:--|
- |CNAME <br/> |enterpriseregistration <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
- |CNAME <br/> |enterpriseenrollment <br/> |enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/> |Automatic <br/> |
-
+
+ |Type|Host|Value|TTL|
+ |||||
+ |CNAME|enterpriseregistration|enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)**|Automatic|
+ |CNAME|enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)**|Automatic|
+ :::image type="content" source="../../media/f79c5679-34eb-4544-8517-caa2e8a4111a.png" alt-text="Copy and paste the values from the table.":::
-1. Select the **Save Changes** control.
+1. Select the **Save Changes** control.
:::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Select the Save Changes control."::: 1. Add the other CNAME record by choosing the values from the second row of the table.
-
-> [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> [!NOTE]
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
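Review bot: The save step in this section reads "Select the **Save Changes** control." while the other sections of this article say "Select the **Save Changes** (check mark) control."; add the parenthetical so the control is identified the same way. The Advanced DNS image here has alt-text "Select Manage DNS Records from the drop-down list.", where the MX section uses "Select Advanced DNS." for the same image file and the step text says **Advanced DNS**.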
admin Create Dns Records At Network Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-network-solutions.md
ms.localizationpriority: medium -+ - M365-subscription-management - Adm_O365 - Adm_NonTOC
description: "Learn to verify your domain and set up DNS records for email, Skyp
# Connect your DNS records at Network Solutions to Microsoft 365
- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
-
+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
+ If Network Solutions is your DNS hosting provider, follow the steps in this article to verify your domain and set up DNS records for email, Skype for Business Online, and so on. After you add these records at Network Solutions, your domain will be set up to work with Microsoft services.
-
+ > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Add a TXT record for verification Before you use your domain with Microsoft, we have to make sure that you own it. Your ability to log in to your account at your domain registrar and create the DNS record proves to Microsoft that you own the domain.
-
+ > [!NOTE]
-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
-
+> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
+ 1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify.
-
+ 1. Under **Actions**, select the three dots, and then select **Manage** from the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ 1. Scroll down to select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
-
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **TXT** from the drop-down list.
-
+ 1. In the boxes for the new record, type or copy and paste the values in the following table.
-
- | Refers to | TXT Value | TTL |
- |:--|:--|:--|
- |@ <br/> (The system will change this value to **@ (None)** when you save the record.) |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |3600 <br/> |
+
+ |Refers to|TXT Value|TTL|
+ ||||
+ |@ <br/> (The system will change this value to **@ (None)** when you save the record.)|MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|3600|
1. Select **ADD**.
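Review bot: The new delimiter row under `|Refers to|TXT Value|TTL|` is `||||`, which contains no dashes, so Markdown will not render these lines as a table; restore a delimiter row such as `|---|---|---|` (the removed version used `|:--|:--|:--|`). The example value also still reads `MS=ms *XXXXXXXX*` with a space after `ms`, while the OVH article in this same update shows the placeholder as `MS=msxxxxxxxx`; close up the space so readers do not copy it into the record.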
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Select ADD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Select ADD.":::
+
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the TXT record you created.
- > [!NOTE]
- > Select **Classic View** in the upper right to view the TXT record you created.
-
- Wait a few minutes before you continue, so that the record you just created can update across the Internet.
+ Wait a few minutes before you continue, so that the record you just created can update across the Internet.
Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record. When Microsoft finds the correct TXT record, your domain is verified. To verify the record in Microsoft 365:
-
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">**Domains**</a>.
-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
+1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
- :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup.":::
+ :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup.":::
1. Select **Continue**.
-
+ 1. On the **Verify domain** page, select **Verify**. > [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+ ## Add an MX record so email for your domain will come to Microsoft
-
+ 1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify.
-
+ 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ 1. Scroll down to select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **MX** from the drop-down list.
-
- 1. In the boxes for the new record, type or copy and paste the values from the following table.
-
- | Refers to | Mail server | Priority | TTL |
- |:--|:--|:--|:--|
- | @ | *\<domain-key\>* .mail.protection.outlook.com <br/> **This value CANNOT end with a period (.)** <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) | 0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) | 1 Hour |
-
+
+ |Refers to|Mail server|Priority|TTL|
+ |||||
+ |@|*\<domain-key\>*.mail.protection.outlook.com <br/> **This value CANNOT end with a period (.)** <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml)|1 Hour|
+ 1. Select **ADD**.
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-MX-add.png" alt-text="Select ADD.":::
- > [!NOTE]
- > Select **Classic View** in the upper right to view the TXT record you created.
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-MX-add.png" alt-text="Select ADD.":::
+
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the TXT record you created.
1. If there are any other MX records, delete all of them by selecting the edit tool, and then **Delete** for each record.
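Review bot: In the MX section, the re-indented note after **ADD** still says `Select **Classic View** in the upper right to view the TXT record you created`, but the record added in this step is an MX record. Change it to "the MX record", or to "the record" as the CNAME and SPF sections word it.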
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-edit.png" alt-text="Select the Edit tool.":::
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-edit.png" alt-text="Select the Edit tool.":::
+ ## Add the CNAME record required for Microsoft 1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify.
-
+ 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ 1. Select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **CNAME** from the drop-down list.
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
-
+
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
+ 1. In the boxes for the CNAME record, type or copy and paste the values from the following table.
-
- | Refers to | Host Name | Alias to | TTL |
- |:--|:--|:--|:--|
- |Other Host| autodiscover | autodiscover.outlook.com **This value CANNOT end with a period (.)** <br/> 1 Hour |
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
-
+ |Refers to|Host Name|Alias to|TTL|
+ |||||
+ |Other Host|autodiscover|autodiscover.outlook.com **This value CANNOT end with a period (.)** <br/> 1 Hour|
+
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
+ 1. Select **ADD**.
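Review bot: The autodiscover data row has three cells under the four-column header `|Refers to|Host Name|Alias to|TTL|`: `1 Hour` sits inside the Alias to cell after `<br/>` instead of in its own TTL cell, in both the removed and the added line. Add the missing `|` before `1 Hour` while the table is being reformatted.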
- > [!NOTE]
- > Select **Classic View** in the upper right to view the record you created.
-
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the record you created.
+ ## Add a TXT record for SPF to help prevent email spam > [!IMPORTANT]
-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
-
+> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
+ 1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify. 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
1. Select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **TXT** from the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-TXT.png" alt-text="Select TXT from the Type drop-down list.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-TXT.png" alt-text="Select TXT from the Type drop-down list.":::
1. In the boxes for the new record, type or copy and paste the following values.
-
- | Refers to | TXT Value | TTL
- |:--|:--|:--|
- |@ <br/> (The system will change this value to **@ (None)** when you save the record.) |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. | 1 Hour |
-
+
+ |Refers to|TXT Value|TTL
+ ||||
+ |@ <br/> (The system will change this value to **@ (None)** when you save the record.)|v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|1 Hour|
+ 1. Select **ADD**.
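Review bot: The SPF table header `|Refers to|TXT Value|TTL` is still missing its closing `|`, unlike the header rows of the other tables in this file; the reformat carried the omission over from the removed line. Add the trailing pipe so the header matches the three-cell data row below it.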
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Select ADD.":::
- > [!NOTE]
- > Select **Classic View** in the upper right to view the record you created.
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Select ADD.":::
+
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the record you created.
+ ## Advanced option: Skype for Business
-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
+Only select this option if your organization uses Skype for Business for online communication services like chat, conference calls, and video calls, in addition to Microsoft Teams. Skype needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
### Add the two required SRV records 1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify. 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
1. Select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **SRV** from the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-srv.png" alt-text="Select SRV from the Type drop-down list.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-srv.png" alt-text="Select SRV from the Type drop-down list.":::
1. In the boxes for the two new records, type or copy and paste the values from the following table.
- (Choose the **Service** and **Protocol** values from the drop-down lists.)
-
- | Type | Service | Protocol | Weight | Port | Target | Priority | TTL |
- |:--|:--|:--|:--|:--|:--|:--|:--|
- | SRV |_sip |TLS |100 |443 |sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)** | 1 | 1 Hour |
- | SRV |_sipfederationtls |TCP |100 |5061 |sipfed.online.lync.com <br/> **This value CANNOT end with a period (.)** |1 | 1 Hour |
-
+ (Choose the **Service** and **Protocol** values from the drop-down lists.)
+
+ |Type|Service|Protocol|Weight|Port|Target|Priority|TTL|
+ |||||||||
+ |SRV|_sip|TLS|100|443|sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)**|1|1 Hour|
+ |SRV|_sipfederationtls|TCP|100|5061|sipfed.online.lync.com <br/> **This value CANNOT end with a period (.)**|1|1 Hour|
+ 1. Select **ADD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-srv-add.png" alt-text="Select ADD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-srv-add.png" alt-text="Select ADD.":::
- > [!NOTE]
- > Select **Classic View** in the upper right to view the record you created.
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the record you created.
1. Add the other SRV record by copying the values from the second row of the table. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
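Review bot: The link text in this note is `Find and fix issues after adding your domain or DNS records`, while the other copies of the same note in this file link the same target, `../get-help-with-domains/find-and-fix-issues.md`, as `Troubleshoot issues after changing your domain name or DNS records`. Use one title for that link throughout the article.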
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify. 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
1. Select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
1. Under **Type**, select **CNAME** from the drop-down list.
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
-
+
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
+ 1. In the boxes for the CNAME record, type or copy and paste the values from the following table.
- | Type | Refers to | Host Name | Alias to | TTL |
- |:--|:--|:--|:--|:--|
- | CNAME | Other Host | sip <br/> |sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)** |1 Hour |
- | CNAME| Other Host | lyncdiscover <br/> |webdir.online.lync.com <br/> **This value CANNOT end with a period (.)** | 1 Hour |
+ |Type|Refers to|Host Name|Alias to|TTL|
+ ||||||
+ |CNAME|Other Host|sip|sipdir.online.lync.com <br/> **This value CANNOT end with a period (.)**|1 Hour|
+ |CNAME|Other Host|lyncdiscover|webdir.online.lync.com <br/> **This value CANNOT end with a period (.)**|1 Hour|
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
1. Select **ADD**.
- > [!NOTE]
- > Select **Classic View** in the upper right to view the record you created.
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the record you created.
1. Add the other CNAME record by copying the values from the second row of the table. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Advanced option: Intune and Mobile Device Management for Microsoft 365
-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs 2 CNAME records so that users can enroll devices to the service.
+This service helps you secure and remotely manage mobile devices that connect to your domain. Mobile Device Management needs 2 CNAME records so that users can enroll devices to the service.
-### Add the two required CNAME records
+### Add the two required CNAME records for Mobile Device Management
1. To get started, go to your domains page at Network Solutions by using [this link](https://www.networksolutions.com/manage-it). You'll be prompted to log in.
-
+ 1. On the landing page, select **Domain Names**. 1. Select the check box next to the domain that you want to modify. 1. Under **Actions**, select the three dots, and then select **Manage** in the drop-down list.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-1.png" alt-text="Select Manage from the drop-down list.":::
1. Select **Advanced Tools**, and next to **Advanced DNS Records**, select **MANAGE**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-2.png" alt-text="Next to Advanced DNS records, select MANAGE.":::
- You might have to select **Continue** to get to the Manage Advanced DNS Records page.
+ You might have to select **Continue** to get to the Manage Advanced DNS Records page.
1. On the Manage Advanced DNS Records page, select **+ADD RECORD**.
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
-
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add-record.png" alt-text="Select +ADD RECORD.":::
+ 1. Under **Type**, select **CNAME** from the drop-down list.
-
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
-
+
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname.png" alt-text="Select CNAME type from the drop-down list.":::
+ 1. In the boxes for the CNAME record, type or copy and paste the values from the following table.
- | Type | Refers to | Host Name | Alias to | TTL |
- |:--|:--|:--|:--|:--|
- | CNAME | Other Host | enterpriseregistration |enterpriseregistration.windows.net <br/> **This value CANNOT end with a period (.)** | 1 Hour |
- | CNAME | Other Host |enterpriseenrollment |enterpriseenrollment-s.manage.microsoft.com <br/> **This value CANNOT end with a period (.)** | 1 Hour |
+ |Type|Refers to|Host Name|Alias to|TTL|
+ ||||||
+ |CNAME|Other Host|enterpriseregistration|enterpriseregistration.windows.net <br/> **This value CANNOT end with a period (.)**|1 Hour|
+ |CNAME|Other Host|enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com <br/> **This value CANNOT end with a period (.)**|1 Hour|
- :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-cname-values.png" alt-text="Type or copy and paste the CNAME values from the table into the window.":::
1. Select **ADD**.
- > [!NOTE]
- > Select **Classic View** in the upper right to view the record you created.
+ > [!NOTE]
+ > Select **Classic View** in the upper right to view the record you created.
1. Add the other CNAME record by copying the values from the second row of the table.
admin Create Dns Records At Ovh https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-ovh.md
ms.localizationpriority: medium -+ - M365-subscription-management - Adm_O365 - Adm_NonTOC
description: "Learn to verify your domain and set up DNS records for email, Skyp
# Connect your DNS records at OVH to Microsoft 365 [Check the Domains FAQ](../setup/domains-faq.yml) if you don't find what you're looking for.
-
+ If OVH is your DNS hosting provider, follow the steps in this article to verify your domain and set up DNS records for email, Skype for Business Online, and so on. After you add these records at OVH, your domain will be set up to work with Microsoft services. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Add a TXT record for verification Before you use your domain with Microsoft, we have to make sure that you own it. Your ability to log in to your account at your domain registrar and create the DNS record proves to Microsoft that you own the domain.
-
+ > [!NOTE]
-> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
-
+> This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.
+ 1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png) 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
-
+ 1. Select **TXT** ![OVH select TXT entry.](../../media/3aaa9dae-0b1d-436b-a980-b67a970f31a9.png)
-
-1. In the boxes for the new record, type or copy and paste the values from the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
- |**Record type**|**Sub-domain**|**TTL**|**Value**|
- |:--|:--|:--|:--|
- |TXT <br/> |(leave blank) <br/> |3600 (seconds) <br/> |MS=msxxxxxxxx <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |
+1. In the boxes for the new record, type or copy and paste the values from the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+
+ |Record type|Sub-domain|TTL|Value|
+ |||||
+ |TXT|(leave blank)|3600 (seconds)|MS=msxxxxxxxx <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|
1. Select **Next**. 1. Select **Confirm**. ![OVH confirm TXT for verification.](../../media/bde45596-9a55-4634-b5e7-16d7cde6e1b8.png)
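Review bot: In the added step "select the name of the domain that you want edit", the word "to" is missing ("want to edit"), and the same sentence is re-added in the later OVH sections of this file. Separately, the delimiter row under the new table header appears here as `|||||`, with no dashes; if that is what was committed, the table will not render, and the row should read `|---|---|---|---|`.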
-
+ 1. Wait a few minutes before you continue, so that the record you just created can update across the Internet. Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record. When Microsoft finds the correct TXT record, your domain is verified. To verify the record in Microsoft 365:
-
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">**Domains**</a>.
-1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
+1. On the Domains page, select the domain that you're verifying, and select **Start setup**.
:::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup."::: 1. Select **Continue**.
-
+ 1. On the **Verify domain** page, select **Verify**. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Add an MX record so email for your domain will come to Microsoft 1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
-
+ 1. Select **MX**. ![OVH MX record type.](../../media/29b5e54e-440a-41f2-9eb9-3de573922ddf.png)
-
-1. In the boxes for the new record, type or copy and paste the values from the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+
+1. In the boxes for the new record, type or copy and paste the values from the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
> [!NOTE]
- > By default OVH uses relative notation for the target, which adds the domain name to the end of the target record. To use absolute notation instead, add a dot to the target record as shown in the table below.
-
- |**Sub-domain**|**TTL**|**Priority**|**Target**|
- |:--|:--|:--|:--|
- |(leave blank) <br/> |3600 (seconds) <br/> |0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) <br/> |\<domain-key\>.mail.protection.outlook.com. <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |
+ > By default OVH uses relative notation for the target, which adds the domain name to the end of the target record. To use absolute notation instead, add a dot to the target record as shown in the table below.
+
+ |Sub-domain|TTL|Priority|Target|
+ |||||
+ |(leave blank)|3600 (seconds)|0 <br/> For more information about priority, see [What is MX priority?](../setup/domains-faq.yml)|\<domain-key\>.mail.protection.outlook.com. <br/> **Note:** Get your *\<domain-key\>* from your Microsoft account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md)|
![OVH MX record for mail.](../../media/6e2f5655-93e2-4620-8f19-c452e7edf8f0.png)
-
+ 1. Select **Next**. ![OVH MX record select Next.](../../media/4db62d07-0dc4-49f6-bd19-2b4a07fd764a.png)
-
+ 1. Select **Confirm**. ![OVH MX record select Confirm.](../../media/090bfb11-a753-4af0-8982-582a4069a169.png)
To verify the record in Microsoft 365:
1. Delete any other MX records in the list on the **DNS zone** page. Select each record and, in the **Actions** column, select the trash-can **Delete** icon. ![OVH delete MX record.](../../media/892b328b-7057-4828-b8c5-fe26284dc8c2.png)
-
+ 1. Select **Confirm**. ## Add the CNAME record required for Microsoft
To verify the record in Microsoft 365:
1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
-
+ 1. Select **CNAME**. ![OVH Add CNAME record type.](../../media/33c7ac74-18d7-4ae1-9e27-1c0f9773a3c3.png)
-1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
- |**Sub-domain**|**TTL**|**Target**|
- |:--|:--|:--|
- |autodiscover <br/> |3600 (seconds) <br/> |autodiscover.outlook.com. <br/> |
+ |Sub-domain|TTL|Target|
+ ||||
+ |autodiscover|3600 (seconds)|autodiscover.outlook.com.|
![OVH CNAME record.](../../media/516938b3-0b12-4736-a631-099e12e189f5.png)
-
+ 1. Select **Next**. ![OVH Add CNAME values and select Next.](../../media/f9481cb1-559d-4da1-9643-9cacb0d80d29.png)
-
+ 1. Select **Confirm**. ## Add a TXT record for SPF to help prevent email spam > [!IMPORTANT]
-> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
-
+> You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a *single* SPF record that includes both sets of values.
+ 1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
-
+ 1. Select **TXT**.
-1. In the boxes for the new record, type or copy and paste the following values. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+1. In the boxes for the new record, type or copy and paste the following values. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
- |**Sub-domain**|**TTL**|**Value**|
- |:--|:--|:--|
- |(leave blank) <br/> |3600 (seconds) <br/> |v=spf1 include:spf.protection.outlook.com -all <br/**Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |
+ |Sub-domain|TTL|Value|
+ ||||
+ |(leave blank)|3600 (seconds)|v=spf1 include:spf.protection.outlook.com -all <br/**Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|
![OVH Add TXT record for SPF.](../../media/f50466e9-1557-4548-8a39-e98978a5ee2e.png)
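Review bot: The SPF value cell in the added table row still contains the malformed tag `<br/**Note:**`, carried over unchanged from the removed row. Close it as `<br/> **Note:**`; otherwise the broken markup sits directly against the `-all` value that readers are told to copy and paste.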
-
+ 1. Select **Next**. ![OVH Add TXT record for SPF and select Next.](../../media/7937eb7c-114f-479f-a916-bcbe476d6108.png)
-
+ 1. Select **Confirm**. ![OVH Add TXT record for SPF and Confirm.](../../media/649eefeb-3227-49e3-98a0-1ce19c42fa54.png)
-
+ ## Advanced option: Skype for Business
-Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for online communication services like chat, conference calls, and video calls, in addition to ΓÇÄMicrosoft TeamsΓÇÄ. ΓÇÄSkypeΓÇÄ needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
+Only select this option if your organization uses Skype for Business for online communication services like chat, conference calls, and video calls, in addition to Microsoft Teams. Skype needs 4 records: 2 SRV records for user-to-user communication, and 2 CNAME records to sign-in and connect users to the service.
### Add the two required SRV records 1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png) 1. Select **SRV**.
-1. In the boxes for the new record, type or copy and paste the following values. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+1. In the boxes for the new record, type or copy and paste the following values. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+
+ |Sub-domain|TTL (Seconds)|Priority|Weight|Port|Target|
+ |||||||
+ |_sip._tls|3600 (s.)|100|1|443|sipdir.online.lync.com. **This value MUST end with a period (.)**><br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|
+ |_sipfederationtls._tcp|3600 (s.)|100|1|5061|sipfed.online.lync.com. **This value MUST end with a period (.)**<br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct.|
- |**Sub-domain**|**TTL (Seconds)**| **Priority** | **Weight** | **Port**|**Target**|
- |:--|:--|:--|:--|:--|:--|
- |_sip._tls|3600 (s.) |100 | 1 | 443 |sipdir.online.lync.com. **This value MUST end with a period (.)**><br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |
- |_sipfederationtls._tcp| 3600 (s.)|100 | 1 | 5061 | sipfed.online.lync.com. **This value MUST end with a period (.)**<br> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |
-
1. To add the other SRV record, select **Add another record**, create a record using the values from the next row in the table, and then select **Create records**. > [!NOTE]
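Review bot: In the added `_sip._tls` row, the target cell reads `**This value MUST end with a period (.)**><br>`, with a stray `>` before `<br>` that the `_sipfederationtls._tcp` row does not have. It was carried over from the removed row; drop it so that it does not render immediately after the trailing-dot instruction.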
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
Only select this option if your organization uses ΓÇÄSkype for BusinessΓÇÄ for o
![OVH Add CNAME record type.](../../media/33c7ac74-18d7-4ae1-9e27-1c0f9773a3c3.png)
-1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+
+ |Sub-domain|TTL|Target|
+ ||||
+ |sip|3600 (s.)|sipdir.online.lync.com. <br/> **This value MUST end with a period (.)**|
+ |lyncdiscover|3600 (s.)|webdir.online.lync.com. <br/> **This value MUST end with a period (.)**|
- |**Sub-domain**| **TTL** | **Target** |
- |:--|:--|:--|
- |sip <br/> | 3600 (s.) <br/> |sipdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |
- |lyncdiscover <br/> |3600 (s.) |webdir.online.lync.com. <br/> **This value MUST end with a period (.)** <br/> |
-
1. Select **Next**. ![OVH Add CNAME values and select Next.](../../media/f9481cb1-559d-4da1-9643-9cacb0d80d29.png)
-
+ 1. Select **Confirm**. 1. Add the other CNAME record. > [!NOTE]
-> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-
+> Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md).
+ ## Advanced option: Intune and Mobile Device Management for Microsoft 365
-This service helps you secure and remotely manage mobile devices that connect to your domain. ΓÇÄMobile Device ManagementΓÇÄ needs two CNAME records so that users can enroll devices to the service.
+This service helps you secure and remotely manage mobile devices that connect to your domain. Mobile Device Management needs two CNAME records so that users can enroll devices to the service.
-### Add the two required CNAME records
+### Add the two required CNAME records for Mobile Device Management
1. To get started, go to your domains page in OVH by using [this link](https://www.ovh.com/manager/). You'll be prompted to log in. ![OVH login.](../../media/1424cc15-720d-49d1-b99b-8ba63b216238.png)
-
+ 1. On the dashboard landing page, under **View all my activity**, select the name of the domain that you want edit.
-
+ 1. Select **DNS zone**. ![OVH Select DNS zone.](../../media/45218cbe-f3f8-4804-87f9-cfcef89ea113.png)
-
+ 1. Select **Add an entry**. ![OVH Add an entry.](../../media/13ded54b-9e48-4c98-8e1b-8c4a99633bc0.png)
-
+ 1. Select **CNAME**. ![OVH Add CNAME record type.](../../media/33c7ac74-18d7-4ae1-9e27-1c0f9773a3c3.png)
-1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
-
- |**Sub-domain**| **TTL** | **Target** |
- |:--|:--|:--|
- |enterpriseregistration <br/>| 3600 (s.) <br/> |enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)** <br/> |
- |enterpriseenrollment <br/> |3600 (s.) |enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)** <br/>|
+1. In the boxes for the new record, type or copy and paste the values from the first row of the following table. To assign a TTL value, choose **Custom** from the drop-down list, and then type the value in the text box.
+
+ |Sub-domain|TTL|Target|
+ ||||
+ |enterpriseregistration <br/>|3600 (s.)|enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)**|
+ |enterpriseenrollment|3600 (s.)|enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)**|
1. Select **Next**. ![OVH Add CNAME values and select Next.](../../media/f9481cb1-559d-4da1-9643-9cacb0d80d29.png)
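Review bot: The added `enterpriseregistration` row keeps a trailing `<br/>` in its Sub-domain cell (`|enterpriseregistration <br/>|`), while the same cleanup removed it from the `enterpriseenrollment` row and from the other tables in this file. Remove it here too, since this cell holds a value that readers copy into the Sub-domain box.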
-
+ 1. Select **Confirm**. 1. Add the other CNAME record.
admin Create Dns Records At Web Com https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-web-com.md
Only select this option if your organization uses Skype for Business for online
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. To get started, go to your domains page at web.com by using [this link](https://checkout.web.com/manage-it/index.jsp). Log in first.
admin Create Dns Records At Wix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-wix.md
Only select this option if your organization uses Skype for Business for online
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Find and fix issues after adding your domain or DNS records](../get-help-with-domains/find-and-fix-issues.md).
-### Add the two required CNAME records
+### Add the two required CNAME records for Skype for Business
1. Select **+ Add another** in the **CNAME (Aliases)** row of the DNS editor, and enter the values from the first row in the following table.
admin Add Another Email Alias For A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/add-another-email-alias-for-a-user.md
You must have Global Admin rights to add email aliases to a user.
> [!IMPORTANT]
- > If you get the error message **This user is synchronized with your local Active DirectoryΓÇÄ. Some details can be edited only through your local Active Directory**, It means that the Active Directory is authoritative for attributes on synchronized users, you need to modify the attributes in your on-premises Active Directory.
+ > If you get the error message **This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory**, It means that the Active Directory is authoritative for attributes on synchronized users, you need to modify the attributes in your on-premises Active Directory.
> [!TIP] > The email alias must end with a domain from the drop-down list. To add another domain name to the list, see [Add a domain to Microsoft 365](../setup/add-domain.md).
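Review bot: The added IMPORTANT line removes the stray characters after "Active Directory" but leaves the text after the bolded error message as ", It means that the Active Directory is authoritative for attributes on synchronized users, you need to modify the attributes", which has a capitalised "It" after a comma and a comma splice. Suggest ending the sentence after the error message and splitting the remainder into two sentences.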
admin Manage Email App Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/manage-email-app-access.md
description: "Learn how to choose which mobile apps people can use to access ema
Use the mobile email access settings to choose which mobile apps people in your organization can use to access their work or school account to access email, calendar and contacts. > [!IMPORTANT]
-> Your organization will have access to this setting unless you're using Microsoft Intune or you've configured mobile device management settings in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+> Your organization will have access to this setting unless you're using Microsoft Intune or you've configured mobile device management settings in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
## Manage email app options > [!IMPORTANT]
->  If you don't use this feature, there'll be no changes to your users' experience. They'll be able to use any mobile email app to access their work or school account for email, calendar, and contacts from their mobile device.
-
-1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">Services &amp; add-ins</a> page.
+> If you don't use this feature, there'll be no changes to your users' experience. They'll be able to use any mobile email app to access their work or school account for email, calendar, and contacts from their mobile device.
+
+1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">Services &amp; add-ins</a> page.
2. On the **Mobile email access options** page, select the check box, and then choose how users in your organization use email apps on their devices: Choose the option to set how users in your organization access their work or school account from their mobile devices -- **Outlook only** - users in your organization will be required to use the Outlook for Android or Outlook for iOS app on their mobile device.
-
-- **Any email app** - all users in your organization will be prompted to use Outlook, but they can choose to use any email app.
-
-- **Any email app** - new users or devices in your organization will be prompted once to use Outlook, but they can choose to use any email app.
-
+- **Outlook only** - users in your organization will be required to use the Outlook for Android or Outlook for iOS app on their mobile device.
+
+- **Any email app** - all users in your organization will be prompted to use Outlook, but they can choose to use any email app.
+
+- **Any email app** - new users or devices in your organization will be prompted once to use Outlook, but they can choose to use any email app.
+ For more details, check out [Options for accessing email from your mobile device](access-email-from-a-mobile-device.md). ## New user or device is activated in your organization
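Review bot: The re-added option list has two bullets labelled **Any email app** with different descriptions: one prompts all users, the other prompts only new users or devices, once. The change touches only whitespace, so the duplicate label is carried over; check both labels against the settings page so that an admin can tell which option each bullet describes.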
As soon as a user in your organization adds their work or school email to a thir
## Previously configured users in your organization
-If you decide to recommend Outlook to everyone in your organization, in addition to the experience described above for new users, users who have previously connected their work or school email account to a third-party app will receive an email from **Microsoft on behalf of your organization** within 48 hours of this setting being enabled. The email will let them know about the benefits of using the Outlook mobile app and provide a link to the download location. Your users can then choose whether to continue using the third-party app or choose to use the Outlook mobile app. During the 24 hours after the user first receives this email, their device will be in quarantine, and email, calendar, and contact data won't be updated. If they choose to use the Outlook mobile app, the third-party app will remain quarantined and data will only sync with the Outlook mobile app. If they decide to continue using the third-party app, data will start to sync instantly. If no action is taken during those first 24 hours, the email will be removed from their inbox and data will start to sync from the server automatically.
-
-
+If you decide to recommend Outlook to everyone in your organization, in addition to the experience described above for new users, users who have previously connected their work or school email account to a third-party app will receive an email from **Microsoft on behalf of your organization** within 48 hours of this setting being enabled. The email will let them know about the benefits of using the Outlook mobile app and provide a link to the download location. Your users can then choose whether to continue using the third-party app or choose to use the Outlook mobile app. During the 24 hours after the user first receives this email, their device will be in quarantine, and email, calendar, and contact data won't be updated. If they choose to use the Outlook mobile app, the third-party app will remain quarantined and data will only sync with the Outlook mobile app. If they decide to continue using the third-party app, data will start to sync instantly. If no action is taken during those first 24 hours, the email will be removed from their inbox and data will start to sync from the server automatically.
admin Transfer A Domain From Microsoft To Another Host https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/transfer-a-domain-from-microsoft-to-another-host.md
description: "Find the steps here to transfer a domain from Microsoft to another
You can't transfer a Microsoft 365 domain to another registrar for 60 days after you purchase the domain from Microsoft. > [!NOTE]
-> A _Whois_ query shows a Microsoft purchased domain registrar as Wild West Domains LLC. However, only Microsoft should be contacted regarding your Microsoft 365 purchased domain.
+> A _Whois_ query shows a Microsoft purchased domain registrar as Wild West Domains LLC. However, only Microsoft should be contacted regarding your Microsoft 365 purchased domain.
Follow these steps to get a code at Microsoft 365, and then go to the other domain registrar website to set up transferring your domain name to the new registrar. ## Transfer a domain
-1. In the admin center, go toΓÇ» **Settings**ΓÇ»> **Domains**.
+1. In the admin center, go to **Settings** \> **Domains**.
2. On the **Domains** page, select the Microsoft 365 domain that you want to transfer to another domain registrar, and then select **Check health**.
Follow these steps to get a code at Microsoft 365, and then go to the other doma
8. Go to the website of the domain registrar you want to manage your domain name going forward. Follow directions for transferring a domain (search for help on their website). This usually means paying transfer fees and giving the Authcode to the new registrar so they can initiate the transfer. Microsoft will email you to confirm weΓÇÖve received the transfer request, and the domain will transfer within 5 days.
- You can find the authorization code **Registration** tab on the ΓÇ»**Domains** page in Microsoft 365.
-
+ You can find the authorization code **Registration** tab on the **Domains** page in Microsoft 365.
+ > [!TIP] > .uk domains require a different procedure. Contact Microsoft Support and request an **IPS Tag change** to match the registrar you want to manage your domain going forward. Once the tag changes, the domain immediately transfers to the new registrar. You will then need to work with the new registrar to complete the transfer, likely paying transfer fees and adding the transferred domain to your account with your new registrar. 9. After the transfer is complete, you'll renew your domain at the new domain registrar.
-10. To finish the process, go back to the **Domains** page in the admin center, and then selectΓÇ» **Complete domain transfer**. This will mark the domain as no longer purchased from Microsoft 365, and will disable the domain subscription. It will not remove the domain from the tenant, and will not affect existing users and mailboxes on the domain.
+10. To finish the process, go back to the **Domains** page in the admin center, and then select **Complete domain transfer**. This will mark the domain as no longer purchased from Microsoft 365, and will disable the domain subscription. It will not remove the domain from the tenant, and will not affect existing users and mailboxes on the domain.
> [!NOTE] > Microsoft 365 purchased domains are not eligible for nameserver changes or transferring the domain between Microsoft 365 organizations. If either of these are required, the domain registration must be transferred to another registrar.
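Review bot: The re-added line "You can find the authorization code **Registration** tab on the **Domains** page" is still missing words between "code" and "**Registration**" (for example "on the"). This hunk already rewrites the line to remove the stray characters, so fix the wording in the same change.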
admin Manage Industry News https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-industry-news.md
To provide your users with up-to-date news headlines about your industry and inf
You have the option to send your users a daily Industry Updates email with headlines and links to full articles. Users can customize their email updates by following additional topics, choosing when the update is delivered, excluding articles behind paywalls, and selecting the number of articles they want to see.
-Signed-in users who go to the Bing homepage see your industry's news feed under the personalized info for your organization.
+Signed-in users who go to the Bing homepage see your industry's news feed under the personalized info for your organization.
:::image type="content" source="../../media/manage-industry-news-2.jpg" alt-text="Screenshot of image carousel with industry news from the web.":::
admin Minors And Acquiring Addins From The Store https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/minors-and-acquiring-addins-from-the-store.md
audience: Admin
ms.localizationpriority: medium--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_NonTOC
description: "Learn about the General Data Protection Regulation (GDPR) regulati
# Minors and acquiring add-ins from the Store The General Data Protection Regulation (GDPR) is a European Union regulation that becomes effective May 25, 2018. It gives users rights to and protection of their data. One of the aspects of the GDPR is that minors cannot have their personal data sent to parties that their parent or guardian hasn't approved. The specific age defined as a minor depends on the region where the individual is located.
-
+ Regions that have statutory regulations about parental consent include the United States, South Korea, the United Kingdom, and the European Union. For those regions, a minor will be blocked (via Azure Active Directory) from getting any new Office add-ins from the Store and running add-ins that were previously acquired. For countries without statutory regulations, there will be no download restrictions.
-
+ A user is determined to be a minor based on data specified in Azure Active Directory. The organization admin is responsible for declaring the legal age group and the parental consent for that user.
-
+ If the parent/guardian consents to a minor using a specific add-In, then the organization admin can use centralized deployment to deploy that add-In to all minors who have consent.
-
+ To be GDPR compliant for minors you need to ensure that one of following builds of Office is deployed in your school/organization.
-
- **For Word, Excel, PowerPoint, and Project**:
-
-|**Platform** <br/> |**Build number** <br/> |
-|:--|:--|
-|Microsoft 365 Apps for enterprise (Current Channel) <br/> |9001.2138ΓÇ» <br/> |
-|Microsoft 365 Apps for enterprise (Semi-Annual Enterprise Channel) <br/> |8431.2159 <br/> |
-|Office 2016 for Windows <br/> |16.0.4672.1000 <br/> |
-|Office 2013 for Windows <br/> |15.0.5023.1000 <br/> |
-|Office 2016 for Mac <br/> |16.11.18020200 <br/> |
-|Office for the web <br/> |N/A <br/> |
-
- **For Outlook**:
-
-|**Platform** <br/> |**Build number** <br/> |
-|:--|:--|
-|Outlook 2016 for Windows (MSI) <br/> |Build No TBD <br/> |
-|Outlook 2016 for Windows (C2R) <br/> |16.0.9323.1000 <br/> |
-|Office 2016 for Mac <br/> |16.0.9318.1000 <br/> |
-|Outlook mobile for iOS <br/> |2.75.0 <br/> |
-|Outlook mobile for Android <br/> |2.2.145 <br/> |
-|Outlook.com <br/> |N/A <br/> |
+
+ **For Word, Excel, PowerPoint, and Project**:
+
+|Platform|Build number|
+|||
+|Microsoft 365 Apps for enterprise (Current Channel)|9001.2138|
+|Microsoft 365 Apps for enterprise (Semi-Annual Enterprise Channel)|8431.2159|
+|Office 2016 for Windows|16.0.4672.1000|
+|Office 2013 for Windows|15.0.5023.1000|
+|Office 2016 for Mac|16.11.18020200|
+|Office for the web|N/A|
+
+ **For Outlook**:
+
+|Platform|Build number|
+|||
+|Outlook 2016 for Windows (MSI)|Build No TBD|
+|Outlook 2016 for Windows (C2R)|16.0.9323.1000|
+|Office 2016 for Mac|16.0.9318.1000|
+|Outlook mobile for iOS|2.75.0|
+|Outlook mobile for Android|2.2.145|
+|Outlook.com|N/A|
**Office 2013 requirements**
-
+ Word, Excel, and PowerPoint 2013 for Windows will support the same minors checks if Active Directory Authentication Library (ADAL) is enabled. There are two options for compliance, as explained next.
-
+ - **Enable ADAL**. This article explains how to enable ADAL for Office 2013: [Using Microsoft 365 modern authentication with Office clients](../../enterprise/modern-auth-for-office-2013-and-2016.md).<br/>You also need to set the registry keys to enable ADAL as explained in [Enable Modern Authentication for Office 2013 on Windows devices](../security-and-compliance/enable-modern-authentication.md).<br/>Additionally, you need to install the following April updates for Office 2013:
-
+ - [Description of the security update for Office 2013: April 10, 2018](https://support.microsoft.com/help/4018330/description-of-the-security-update-for-office-2013-april-10-2018)
-
+ - [April 3, 2018, update for Office 2013 (KB4018333)](https://support.microsoft.com/help/4018333/april-3-2018-update-for-office-2013-kb4018333)
-
+ - **Don't enable ADAL**. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the Office clients. Information on how to turn off the app for Office settings is located [here](/previous-versions/office/office-2013-resource-kit/cc178992(v=office.15)). ## Related articles
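Review bot: the new delimiter rows `+|||` under `+|Platform|Build number|` (in both the Word, Excel, PowerPoint, and Project table and the Outlook table) contain no hyphens, so Markdown will not treat these blocks as tables and the rows will render as literal pipe text. Restore a delimiter such as `|---|---|`. Separately, the Outlook 2016 for Windows (MSI) row still carries `Build No TBD`; an admin cannot check a deployment against that row, so either supply the build or state that none is available.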
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
You won't be able to deploy a single store app or Microsoft 365 Apps by partner
## Prepare to deploy add-ins in Integrated apps
-Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in).
+Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in).
Add-ins provides the following benefits:
For Outlook, your users must be using one of the following:
### Exchange Online requirements Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying add-ins and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth authentication.
-Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
+Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
### User and group assignments The deployment of add-in is currently supported to the majority of groups supported by Azure Active Directory, including Microsoft 365 groups, distribution lists, and security groups. Deployment supports users in top-level groups or groups without parent groups, but not users in nested groups or groups that have parent groups.
In the following example, Sandra, Sheila, and the Sales Department group are ass
### Find out if a group contains nested groups
-The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
+The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
![Members tab of Outlook contact card.](../../media/d9db88c4-d752-426c-a480-b11a5b3adcd6.png)
-You can do the opposite query by resolving the group to see if it's a member of any group. In the example below, you can see under the <b>Membership</b> tab of the Outlook contact card that Sub Group 1 is a member of the Test Group.
+You can do the opposite query by resolving the group to see if it's a member of any group. In the example below, you can see under the <b>Membership</b> tab of the Outlook contact card that Sub Group 1 is a member of the Test Group.
![Membership tab of the Outlook contact card.](../../media/a9f9b6ab-9c19-4822-9e3d-414ca068c42f.png)
-Note that you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, seeΓÇ»[Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
+Note that you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, see [Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
## Recommended approach for deploying Office add-ins To roll out add-ins by using a phased approach, we recommend the following:
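Review bot: the last changed paragraph, "Note that you can use the Azure Active Directory Graph API ...", only loses a stray character, while its link still targets `/previous-versions/azure/ad/graph/api/groups-operations`. Azure AD Graph is deprecated in favour of Microsoft Graph, so this sentence should point readers at the Microsoft Graph group membership documentation rather than an archived reference.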
Depending on the size of the target audience, you can add or remove roll-out ste
1. In the admin center, select **Settings**, then select **Integrated apps**.
-2. SelectΓÇ»**Get apps** at the top of the page. AppSource will load in an embedded format. Either search for an add-in or find it through clicking on Product on the left nav. If the add-in has been linked by the ISV to a SaaS app or other apps and add-ins and if the SaaS app is a paid app then you will be shown a dialog box to either buy the license or Deploy. Irrespective of whether you have bought the license or not you can go ahead with the deployment. Select **Deploy**.
+2. Select **Get apps** at the top of the page. AppSource will load in an embedded format. Either search for an add-in or find it through clicking on Product on the left nav. If the add-in has been linked by the ISV to a SaaS app or other apps and add-ins and if the SaaS app is a paid app then you will be shown a dialog box to either buy the license or Deploy. Irrespective of whether you have bought the license or not you can go ahead with the deployment. Select **Deploy**.
3. You will see the **Configuration** page where all the apps are listed. If you donΓÇÖt have permissions or the right access to deploy the app, the respective information will be highlighted. You can select the apps you want to deploy. By selecting **Next**, you will view the **Users** page. If the add-in hasnΓÇÖt been linked by the ISV, you will be routed to the Users page.
-4. Select **Everyone**, **Specific users/groups**, or **Just me** to specify whom the add-in is deployed to. Use the Search box to find specific users or groups. If you are testing the add-in, select **Is this a test deployment**.
+4. Select **Everyone**, **Specific users/groups**, or **Just me** to specify whom the add-in is deployed to. Use the Search box to find specific users or groups. If you are testing the add-in, select **Is this a test deployment**.
5. Select **Next**. All the app capabilities and permissions are displayed in a single pane along with certification info if the app has Microsoft 365 certification. Selecting the certification logo lets the user see more details about the certification.
It's good practice to inform users and groups that the deployed add-in is availa
Global admins and Exchange admins can assign an add-in to everyone or to specific users and groups. Each option has implications: -- **Everyone** This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
+- **Everyone** This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
-- **Users** If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.
+- **Users** If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.
-- **Groups** If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin.
+- **Groups** If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin.
-- **Just me** If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.
+- **Just me** If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.
The right option for your organization depends on your configuration. However, we recommend making assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and controlling the membership of those groups rather than assigning individual users each time. In some situations, you might want to restrict access to a small set of users by making assignments to specific users by assigning users manually.
Office add-ins combine an XML manifest file that contains some metadata about th
- Read a user's document to provide contextual services. - Read and write data to and from a user's document to provide value to that user.
-For more information about the types and capabilities of Office add-ins, seeΓÇ»[Office Add-ins platform overview](/office/dev/add-ins/overview/office-add-ins), especially the section "Anatomy of an Office Add-in."
+For more information about the types and capabilities of Office add-ins, see [Office Add-ins platform overview](/office/dev/add-ins/overview/office-add-ins), especially the section "Anatomy of an Office Add-in."
-To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, seeΓÇ»[Requesting permissions for API use in content and task pane add-ins](/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
+To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see [Requesting permissions for API use in content and task pane add-ins](/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications. Updates for add-ins happen as follows: -- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
-- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Office applications start, the add-in will update. The web application can change at any time.
> [!NOTE]
-> For Word, Excel and PowerPoint use a [SharePoint App Catalog](https://dev.office.com/docs/add-ins/publish/publish-task-pane-and-content-add-ins-to-an-add-in-catalog) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
+> For Word, Excel and PowerPoint use a [SharePoint App Catalog](https://dev.office.com/docs/add-ins/publish/publish-task-pane-and-content-add-ins-to-an-add-in-catalog) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
## Add-in states
-An add-in can be in either the **On** or **Off** state.
+An add-in can be in either the **On** or **Off** state.
| State | How the state occurs | Impact | |:--|:--|:--|
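Review bot: in the `[!NOTE]` line, the SharePoint App Catalog link is still an absolute `https://dev.office.com/docs/add-ins/publish/...` URL, while the other add-in links touched in this hunk use site-relative `/office/dev/add-ins/...` paths. Switch this one to the same form so it does not depend on a redirect from the old domain. The sentence is also ambiguous around `and/or support for SharePoint add-ins required`; splitting it into two conditions would make clear when the catalog applies.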
Post deployment, admins can also manage user access to add-ins.
1. In the admin center, select **Settings**, then select **Integrated apps**. 2. On the Integrated apps page, it will display a list of apps will be either single add-ins or add-ins that have been linked with other apps.
-3. Select an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
-4. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
-5. Select **Users**, select **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups** or **Just me**. You can also select **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
-6. Select **Update** and then select **Done**. You can now select **Deploy** on the **Overview** tab.
-7. Review the app information, and then selectΓÇ»**Deploy**.
-8. Select **Done** on the **Deployment completed** page, and review the details of the test or full deployment on the **Overview** tab.
-9. If the app has a status ofΓÇ»**Update pending**, you can click on the app to open the **Manage** pane and update the app.
+3. Select an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
+4. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
+5. Select **Users**, select **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups** or **Just me**. You can also select **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
+6. Select **Update** and then select **Done**. You can now select **Deploy** on the **Overview** tab.
+7. Review the app information, and then select **Deploy**.
+8. Select **Done** on the **Deployment completed** page, and review the details of the test or full deployment on the **Overview** tab.
+9. If the app has a status of **Update pending**, you can click on the app to open the **Manage** pane and update the app.
10. To just update users, select the **Users** tab and make the appropriate change. Select **Update** after making your changes. ## Delete an add-in
admin Upgrade Distribution Lists https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/upgrade-distribution-lists.md
Upgrade-DistributionGroup -DlIdentities <DL SMTP address1>, <DL SMTP address2>,
For example, if you want to upgrade five DLs with SMTP address `dl1@contoso.com` and `dl2@contoso.com`, `dl3@contoso.com`, `dl4@contoso.com` and `dl5@contoso.com`, run the following command:
-`Upgrade-DistributionGroup -DlIdentities dl1@contoso.com, dl2@contoso.com, dl3@contoso.com, dl4@contoso.com, dl5@contoso.com`
+```powershell
+Upgrade-DistributionGroup -DlIdentities dl1@contoso.com, dl2@contoso.com, dl3@contoso.com, dl4@contoso.com, dl5@contoso.com
+```
### Upgrade all eligible DLs
There are two ways in which you can upgrade all the eligible DLs.
1. Get the eligible DLs in the tenant and upgrade them using the upgrade command:
-```PowerShell
-Get-EligibleDistributionGroupForMigration | Foreach-Object{
- Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress
-}
-```
+ ```PowerShell
+ Get-EligibleDistributionGroupForMigration | Foreach-Object{
+ Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress
+ }
+ ```
2. Get the list of all DLs and upgrade only the eligible DLs:
-```PowerShell
-Get-DistributionGroup| Foreach-Object{
- Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress
-}
-```
+ ```PowerShell
+ Get-DistributionGroup| Foreach-Object{
+ Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress
+ }
+ ```
## FAQ about upgrading distribution lists to Microsoft 365 Groups in Outlook
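Review bot: option 2 says it will "upgrade only the eligible DLs", but the block under it pipes every result of `Get-DistributionGroup` straight into `Upgrade-DistributionGroup` with no eligibility filter, so the text and the command disagree. Either state explicitly that the cmdlet skips ineligible lists, or filter through `Get-EligibleDistributionGroupForMigration` first, as option 1 does. Minor: the first fence in this hunk is tagged `powershell` and the two below it `PowerShell`, and `Get-DistributionGroup|` is missing the space before the pipe.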
Get-DistributionGroup| Foreach-Object{
You can only upgrade cloud-managed, simple, non-nested distribution lists. The table below lists distribution lists that **CANNOT** be upgraded.
-|**Property**|**Eligible?**|
-|:--|:--|
-|On-premises managed distribution list. <br/> |No <br/> |
-|Nested distribution lists. Distribution list either has child groups or is a member of another group. <br/> |No <br/> |
-|Distribution lists with member **RecipientTypeDetails** other than **UserMailbox**, **SharedMailbox**, **TeamMailbox**, **MailUser** <br/> |No <br/> |
-|Distribution list that has more than 100 owners <br/> |No <br/> |
-|Distribution list that only has members but no owner <br/> |No <br/> |
-|Distribution list that has alias containing special characters <br/> |No <br/> |
-|If the distribution list is configured to be a forwarding address for Shared Mailbox <br/> |No <br/> |
-|If the DL is part of **Sender Restriction** in another DL. <br/> |No <br/> |
-|Security groups <br/> |No <br/> |
-|Dynamic Distribution lists <br/> |No <br/> |
-|Distribution lists that were converted to **RoomLists** <br/> |No <br/> |
+|Property|Eligible?|
+|||
+|On-premises managed distribution list.|No|
+|Nested distribution lists. Distribution list either has child groups or is a member of another group.|No|
+|Distribution lists with member **RecipientTypeDetails** other than **UserMailbox**, **SharedMailbox**, **TeamMailbox**, **MailUser**|No|
+|Distribution list that has more than 100 owners|No|
+|Distribution list that only has members but no owner|No|
+|Distribution list that has alias containing special characters|No|
+|If the distribution list is configured to be a forwarding address for Shared Mailbox|No|
+|If the DL is part of **Sender Restriction** in another DL.|No|
+|Security groups|No|
+|Dynamic Distribution lists|No|
+|Distribution lists that were converted to **RoomLists**|No|
### Check which DLs are eligible for upgrade If you want to check whether a DL is eligible or not, you can run the below command:
-`Get-DistributionGroup <DL SMTP address> | Get-EligibleDistributionGroupForMigration`
+```PowerShell
+Get-DistributionGroup <DL SMTP address> | Get-EligibleDistributionGroupForMigration
+```
If you want to check which DLs are eligible for upgrade just run the following command:
-`Get-EligibleDistributionGroupForMigration`
+```PowerShell
+Get-EligibleDistributionGroupForMigration
+```
### Who can run the upgrade scripts?
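Review bot: the replacement delimiter row `+|||` below `+|Property|Eligible?|` has no hyphens, so the ineligibility table will not render as a table; use `|---|---|`. Also, every row in the Eligible? column is `No`, and the sentence above the table already says it lists DLs that cannot be upgraded, so the column could be dropped.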
There are some cases in which though DL is eligible but could not be upgraded. T
- DLs with **MemberJoinRestriction** or **MemberDepartRestriction** set to **Closed**, could not be upgraded -- The Microsoft 365 Group creation is allowed only to few users, using the steps from [this article](/microsoft-365/solutions/manage-creation-of-groups). In this scenario, if the owner of distribution list is not allowed to create Microsoft 365 Group, the distribution list will not upgrade to Microsoft 365 Group.
+- The Microsoft 365 Group creation is allowed only to few users, using the steps from [this article](/microsoft-365/solutions/manage-creation-of-groups). In this scenario, if the owner of distribution list is not allowed to create Microsoft 365 Group, the distribution list will not upgrade to Microsoft 365 Group.
Workaround: Use one of the following workaround for the above scenario:
-1) Ensure all the users mentioned as owners of the DL are allowed to create M365 Group, i.e. are member of the security group that is allowed to M365 Group.
-OR
-2) Temporarily, replace the owner of the DL that is not allowed to create M365 Group with user that is allowed to create M365 Group
+
+1. Ensure all the users mentioned as owners of the DL are allowed to create M365 Group, i.e. are member of the security group that is allowed to M365 Group.
+
+ OR
+
+2. Temporarily, replace the owner of the DL that is not allowed to create M365 Group with user that is allowed to create M365 Group.
### What happens to the DL if the upgrade from EAC fails?
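Review bot: item 1 of the workaround carries over a dropped verb: `are member of the security group that is allowed to M365 Group` should read "are members of the security group that is allowed to create Microsoft 365 Groups". The `OR` paragraph is indented under item 1, which makes it read as part of that step; since the intro already says to use one of the following, the `OR` could be removed. The hunk also mixes `M365 Group` and `Microsoft 365 Group`; pick one.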
admin Cortana Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/cortana-integration.md
audience: Admin
ms.localizationpriority: medium--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_NonTOC-+ - AdminTemplateSet - admindeeplinkMAC search.appverid:
When signed in with valid work or school accounts, users can get cloud-based ass
- Existing consumer experiences, including Cortana in Windows 10 (version 1909 and earlier), are governed by the [Microsoft Services Agreement](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) (see ΓÇ£Existing services for consumersΓÇ¥ section below). These terms will also govern Cortana enterprise services provided to the user when signed in with their consumer credentials.
-## What data is processed by Cortana enterprise services?
+## What data is processed by Cortana enterprise services?
Cortana enterprise services process queries from the user, Office data needed to fulfill the user's request, and other telemetry generated by Microsoft systems to run the service. The data collected by Cortana enterprise services include the text representation of the userΓÇÖs spoken queries (i.e., transcriptions from speech recognition). This text data is Customer Data, and it is managed in accordance with the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products). It is only used to develop and improve machine learning models consistent with the Online Service Terms.
Consistent with other Office 365 services, Cortana enterprise services are secur
The table below describes the data handling for Cortana enterprise services.
-| Name | Description |
-|:--|:--|
-|**Storage** <br/> |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. <br/><br/>Speech audio is not retained. <br/> |
-|**Stays in Geo** <br/> |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. <br/> |
-|**Retention** <br/> |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. <br/><br/>Speech audio is not retained. <br/> |
-|**Processing and Confidentiality** <br/> |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. <br/> |
-|**Usage** <br/> |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud, and there is no human viewing, review or labeling of your Customer Data. <br/><br/>Your data is not used to target advertising. <br/> |
+|Name|Description|
+|||
+|**Storage**|Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. <br/><br/>Speech audio is not retained.|
+|**Stays in Geo**|Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant.|
+|**Retention**|Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. <br/><br/>Speech audio is not retained.|
+|**Processing and Confidentiality**|Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends.|
+|**Usage**|Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud, and there is no human viewing, review or labeling of your Customer Data. <br/><br/>Your data is not used to target advertising.|
## Cortana enterprise services in Microsoft 365 experiences
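Review bot: the data-handling table's new delimiter row is `+|||`, which lacks the hyphens Markdown requires, so the Storage, Stays in Geo, Retention, Processing and Confidentiality, and Usage rows will render as plain text. Restore `|---|---|`.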
Beginning with Windows 10, version 2004, Cortana is a Universal Windows Platform
> [!NOTE] > Cortana voice assistance is supported in Microsoft Teams mobile apps for iOS and Android and [Microsoft Teams displays](/microsoftteams/devices/teams-displays) in the English language for users in the United States, United Kingdom, Canada, India, and Australia. Microsoft Teams Rooms on Windows is only supported for users in the United States. Cortana voice assistance isn't currently available for GCC, GCC-High, DoD, EDU tenants. Expansion to additional languages and regions will happen as part of future releases and admin customers will be notified through Message Center and the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=65346).
-Cortana voice assistance in the Teams mobile app and on Microsoft Teams display devices enables Microsoft 365 Enterprise users to streamline communication, collaboration, and meeting-related tasks using spoken natural language. Users can speak to Cortana by selecting the microphone button located in the upper right of the Teams mobile app, or by saying &#8220;Cortana&#8221; in the Microsoft Teams display. To quickly connect with their team hands-free and while on the go, users can say queries such as &#8220;call Megan&#8221; or &#8220;send a message to my next meeting&#8221;. Users can also join meetings by saying &#8220;join my next meeting&#8221; and use voice assistance to share files, check their calendar, and more. These voice assistance experiences are delivered using Cortana enterprise-grade services that fully comply with Office 365's privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products).
+Cortana voice assistance in the Teams mobile app and on Microsoft Teams display devices enables Microsoft 365 Enterprise users to streamline communication, collaboration, and meeting-related tasks using spoken natural language. Users can speak to Cortana by selecting the microphone button located in the upper right of the Teams mobile app, or by saying "Cortana" in the Microsoft Teams display. To quickly connect with their team hands-free and while on the go, users can say queries such as "call Megan" or "send a message to my next meeting". Users can also join meetings by saying "join my next meeting" and use voice assistance to share files, check their calendar, and more. These voice assistance experiences are delivered using Cortana enterprise-grade services that fully comply with Office 365's privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products).
#### Admin control
-Cortana voice assistance will be enabled by default for tenants. Admins can control who in their tenant can use Cortana voice assistance in Teams via a policy (TeamsCortanaPolicy). This policy can be set at either a user account level or tenant level. Admins can also use the CortanaVoiceInvocationMode field within this policy control to determine whether Cortana is disabled, enabled with push button invocation only, or enabled with wake word invocation as well (applicable to devices that support it, like the Microsoft Teams display).
+Cortana voice assistance will be enabled by default for tenants. Admins can control who in their tenant can use Cortana voice assistance in Teams via a policy (TeamsCortanaPolicy). This policy can be set at either a user account level or tenant level. Admins can also use the CortanaVoiceInvocationMode field within this policy control to determine whether Cortana is disabled, enabled with push button invocation only, or enabled with wake word invocation as well (applicable to devices that support it, like the Microsoft Teams display).
#### User control
-Individual users can try out Cortana voice assistance in the Teams mobile app by clicking on the mic button. They can try out Cortana voice assistance on Microsoft Teams display devices by simply saying &#8220;Cortana.&#8221; They can also control whether Cortana responds to the wake word invocation.
+Individual users can try out Cortana voice assistance in the Teams mobile app by clicking on the mic button. They can try out Cortana voice assistance on Microsoft Teams display devices by simply saying "Cortana." They can also control whether Cortana responds to the wake word invocation.
1. Open Teams mobile 2. Go to **Settings**
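Review bot: the Admin control paragraph names the TeamsCortanaPolicy policy and its CortanaVoiceInvocationMode field but never gives the values that correspond to disabled, push button only, and wake word invocation. Because the same paragraph says the feature is enabled by default, an admin who wants to restrict it cannot act from this text alone. List the accepted values or link to the policy reference.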
Individual users can try out Cortana voice assistance in the Teams mobile app by
### Cortana voice assistance in Teams Meeting Room
-Cortana voice assistance in Teams Meeting Rooms goes beyond what can be done with Teams on personal devices by providing unique in-room capabilities, like one-touch join, content cameras to share physical whiteboards into the meeting in an intelligent way, and proximity features like seamlessly transferring the room into a Teams meeting from your own personal device. Users can use push to talk (PTT) by pressing the microphone to initiate Cortana then saying, ΓÇ£Start my meeting.ΓÇ¥ With Keyword Spotting (KWS) enabled Cortana will start listening when users say "Cortana."
+Cortana voice assistance in Teams Meeting Rooms goes beyond what can be done with Teams on personal devices by providing unique in-room capabilities, like one-touch join, content cameras to share physical whiteboards into the meeting in an intelligent way, and proximity features like seamlessly transferring the room into a Teams meeting from your own personal device. Users can use push to talk (PTT) by pressing the microphone to initiate Cortana then saying, ΓÇ£Start my meeting.ΓÇ¥ With Keyword Spotting (KWS) enabled Cortana will start listening when users say "Cortana."
#### Admin control
-Cortana voice assistance in Teams is delivered using services that fully comply with the Office 365 enterprise-level privacy, security, and compliance promises. For more information on data processing in Cortana enterprise services see, Cortana in Microsoft 365. Cortana is enabled by default in Teams Meetings Rooms for tenants. IT admins can opt out of voice assistance for Teams Meeting Room in the Microsoft 365 admin center.
-
+Cortana voice assistance in Teams is delivered using services that fully comply with the Office 365 enterprise-level privacy, security, and compliance promises. For more information on data processing in Cortana enterprise services see, Cortana in Microsoft 365. Cortana is enabled by default in Teams Meetings Rooms for tenants. IT admins can opt out of voice assistance for Teams Meeting Room in the Microsoft 365 admin center.
+ How to opt out of all Cortana features in Teams Meeting Rooms:
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home?ref=Domains)
-2. Select **Devices**
-3. Select **Teams Rooms**
-4. Choose one or multiple devices you want to make changes to
-5. Select **Edit Settings**
-6. Go to **Cortana** and select Replace existing value with **Off**
-7. Select Apply
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home?ref=Domains)
+2. Select **Devices**
+3. Select **Teams Rooms**
+4. Choose one or multiple devices you want to make changes to
+5. Select **Edit Settings**
+6. Go to **Cortana** and select Replace existing value with **Off**
+7. Select Apply
How to opt out of voice activation in Teams Meeting Rooms:
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home?ref=Domains)
-2. Select **Devices**
-3. Select **Teams Rooms**
-4. Choose one or multiple devices you want to make changes to
-5. Select **Edit Settings**
-6. Uncheck the **Wake word detection** box
-7. Select **Apply**
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home?ref=Domains)
+2. Select **Devices**
+3. Select **Teams Rooms**
+4. Choose one or multiple devices you want to make changes to
+5. Select **Edit Settings**
+6. Uncheck the **Wake word detection** box
+7. Select **Apply**
#### Configure Cortana remotely using an XML configuration file
-For information on how to Manage a Microsoft Teams Rooms console settings remotely with an XML configuration file see, [Remotely manage Microsoft Teams Rooms device settings](/microsoftteams/rooms/xml-config-file).
+For information on how to Manage a Microsoft Teams Rooms console settings remotely with an XML configuration file see, [Remotely manage Microsoft Teams Rooms device settings](/microsoftteams/rooms/xml-config-file).
[Learn more about Cortana voice assistance in Teams](/microsoftteams/cortana-in-teams)
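Review bot: the added Teams Meeting Rooms paragraph still carries mis-encoded quotation marks around the spoken phrase (`ΓÇ£Start my meeting.ΓÇ¥`), so this whitespace cleanup leaves the visible defect in place. Replace them with straight quotes, as the earlier Cortana paragraphs in this change do. In the first opt-out list, steps 6 and 7 leave "Replace existing value with" and "Apply" unbolded, while the second list ends with `7. Select **Apply**`; format the UI labels consistently.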
Individuals can opt out of Play My Emails using the following steps.
1. Open Outlook mobile. 2. Go to **Settings**.
-
+ 3. Select **Play My Emails**. 4. Move the toggle to off on the accounts you want to disable.
We'll continue to introduce more experiences like the above to help increase you
Here are the two ways to think of how Cortana works in your enterprise:
-**New experiences for organizations with Cortana enterprise services**: Cortana enterprise services are designed to meet the security and compliance needs of organizations:
+**New experiences for organizations with Cortana enterprise services**: Cortana enterprise services are designed to meet the security and compliance needs of organizations:
1. This is a new service and is discussed here in this document. 2. For services subject to the Online Services Terms, Microsoft is a data processor: Microsoft collects and uses Customer Data from customers only to provide the online services requested by our customers and for the purposes instructed by our customers. Under the EUΓÇÖs General Data Protection Regulation (GDPR), the customer is the data controller of their data. See the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Introducing more privacy transparency for our commercial cloud customers](https://blogs.microsoft.com/eupolicy/2019/11/18/introducing-privacy-transparency-commercial-cloud-customers/).
-3. As an example, Play My Emails is a Cortana service that your users can connect to through Outlook for iOS and utilizes Cortana enterprise services.
+3. As an example, Play My Emails is a Cortana service that your users can connect to through Outlook for iOS and utilizes Cortana enterprise services.
-4. IT admins will always have controls for optional connected experiences for Cortana, similar to optional connected experiences while using Office ProPlus applications.
+4. IT admins will always have controls for optional connected experiences for Cortana, similar to optional connected experiences while using Office ProPlus applications.
**Existing services for consumers**: Cortana optional connected services are designed primarily for consumer experiences and are currently delivered in Windows 10 (version 1909 and earlier) and the Cortana app on iOS and Android.
Turn off Cortana access to your organization's Microsoft hosted data
3. Select **Save changes**.
-For services governed by the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?LinkId=2109174) andΓÇ»[Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement), Microsoft is the data controller. As the data controller, Microsoft uses data to improve products and services in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+For services governed by the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?LinkId=2109174) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement), Microsoft is the data controller. As the data controller, Microsoft uses data to improve products and services in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
## Related content
-
+ [Cortana voice assistance in Teams](/microsoftteams/cortana-in-teams) (article)\ [Configure Cortana in Windows 10](/windows/configuration/cortana-at-work/cortana-at-work-overview) (article)\ [What can you do with Play My Emails from Cortana?](https://support.microsoft.com/help/4558256)-
admin Empower Your Small Business With Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/empower-your-small-business-with-remote-work.md
description: "Find the latest how-to information, tips, resources, and guidance
As businesses adapt to the increased need to have people work remotely and connect with their customers virtually, this site is updated with the latest how-to information, tips, resources, and guidance on remote work for businesses using Microsoft 365. > [!TIP]
-> Don't have Microsoft_Teams? Get 6 months of Microsoft Teams in Office for free (when you sign up for 1 year). Get the technologies described in this article as part of the offer. For details, see [Try 1 month free](https://aka.ms/SMBTeamsOffer).
+> Don't have Microsoft_Teams? Get 6 months of Microsoft Teams in Office for free (when you sign up for 1 year). Get the technologies described in this article as part of the offer. For details, see [Try 1 month free](https://aka.ms/SMBTeamsOffer).
## Remote work for your small business (video)
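Review bot: the tip line keeps `Microsoft_Teams` with an underscore, and its offer text ("Get 6 months of Microsoft Teams in Office for free") does not match the link label `[Try 1 month free]`. Since this line is being touched anyway, fix the product name and make the offer text and the label agree.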
As businesses adapt to the increased need to have people work remotely and conne
## Transitioning to a remote workforce
-In light of the COVID-19 (Novel Coronavirus) outbreak, many business owners are finding themselves with a completely remote work staff. Here's what you can do to make a transition to remote work safe, secure, and productive.
+In light of the COVID-19 (Novel Coronavirus) outbreak, many business owners are finding themselves with a completely remote work staff. Here's what you can do to make a transition to remote work safe, secure, and productive.
For more information, see [Get started with Microsoft Teams in your small business](https://support.microsoft.com/office/6723dc43-dbc0-46e6-af49-8a2d1c5cb937).
-Already have a subscription but need to get set up? See [Microsoft 365 small business training](../../business-video/index.yml).
+Already have a subscription but need to get set up? See [Microsoft 365 small business training](../../business-video/index.yml).
## Connect with employees and customers
-You can still connect with employees, customers, clients, and partners, even if you can’t meet face to face. Use Microsoft Teams to continue doing business and connecting with your customers.
+You can still connect with employees, customers, clients, and partners, even if you canΓÇÖt meet face to face. Use Microsoft Teams to continue doing business and connecting with your customers.
### Meet up in Teams
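Review bot: the added "You can still connect with employees, customers, clients, and partners" line turns the apostrophe in "can’t" into `canΓÇÖt`, where the removed line had it intact. This is an encoding regression in a change that otherwise only trims whitespace; restore the apostrophe (a plain `'` avoids the problem).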
For more information, see [Create a team](https://support.microsoft.com/office/f
## Manage and secure your business to run remotely
-Just a few steps can help you keep your business secure, even with remote employees and guest users.
+Just a few steps can help you keep your business secure, even with remote employees and guest users.
### Secure your users
For more information, see [Manage devices](../../business-video/secure-win-10-pr
### More for admins and partners
-Technical documentation hub for Microsoft 365 Business is updated with new secure remote work guidance.
+Technical documentation hub for Microsoft 365 Business is updated with new secure remote work guidance.
For details, see [Microsoft 365 Business resources](/microsoft-365/business). ## Need to ask a question?
-Ask in the [Teams forum](https://answers.microsoft.com/msteams/forum) or the [Office Admins forum](https://answers.microsoft.com).
+Ask in the [Teams forum](https://answers.microsoft.com/msteams/forum) or the [Office Admins forum](https://answers.microsoft.com).
> [!NOTE] > Most of the tasks in this article and video can be accomplished with a subscription to Microsoft 365 Business Basic (formerly Office 365 Business Essentials), but some require a premium subscription.
admin Apps Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/apps-health.md
description: "Details of the Microsoft 365 Apps health - technology experiences
Productivity Score provides insights into your organization's digital transformation journey through its use of Microsoft 365 and the technology experiences that support it. Your organization's score reflects people and technology experience measurements and can be compared to benchmarks from organizations similar to yours. The apps health category is part of the measurements that falls under technology experiences. To learn more, check out the [Productivity Score overview](productivity-score.md) and read [Microsoft's Privacy Statement](https://privacy.microsoft.com/privacystatement).
-## Why your organization&#39;s Microsoft 365 apps health score matters
+## Why your organization's Microsoft 365 apps health score matters
Your organizational productivity is dependent on healthy application environment. Devices running most current versions of Microsoft 365 apps on recommended channel are more secure and help people in your organization get the most out of the features in Microsoft 365.
This section helps you act on the metrics you want to focus on by providing rele
The following columns are presented in the table at the channel/version level: -- **Channel** : Current Microsoft 365 apps channel on the devices.-- **Status:**   Microsoft 365 apps support state of the devices based on current channel and version.-- **Versions:**  Current Microsoft 365 apps versions on the devices.-- **# of devices:** Number of devices.
+- **Channel**: Current Microsoft 365 apps channel on the devices.
+- **Status**: Microsoft 365 apps support state of the devices based on current channel and version.
+- **Versions**: Current Microsoft 365 apps versions on the devices.
+- **# of devices**: Number of devices.
## Related content
admin Parity Between Azure Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/parity-between-azure-information-protection.md
For the encryption to work correctly, RMS must be enabled for the tenant.
1. Check if RMS is enabled: 1. Launch PowerShell as an administrator.
- 2. If the AIPService module isn't installed, run `Install-Module AipService`.
+ 2. If the AIPService module isn't installed, run `Install-Module AipService`.
3. Import the module using `Import-Module AipService`.
- 4. Connect to the service using `Connect-AipService -environmentname azurechinacloud`.
- 5. Run `(Get-AipServiceConfiguration).FunctionalState` and check if the state is `Enabled`.
+ 4. Connect to the service using `Connect-AipService -environmentname azurechinacloud`.
+ 5. Run `(Get-AipServiceConfiguration).FunctionalState` and check if the state is `Enabled`.
-2. If the functional state is `Disabled`, run `Enable-AipService`.
+2. If the functional state is `Disabled`, run `Enable-AipService`.
### Step 2: Add the Microsoft Information Protection Sync Service service principal
Also, the assumption is that users will log in with a username based off the ten
1. Get the RMS ID: 1. Launch PowerShell as an administrator.
- 2. If the AIPService module isn't installed, run `Install-Module AipService`.
- 3. Connect to the service using `Connect-AipService -environmentname azurechinacloud`.
- 4. Run `(Get-AipServiceConfiguration).RightsManagementServiceId` to get the RMS ID.
+ 2. If the AIPService module isn't installed, run `Install-Module AipService`.
+ 3. Connect to the service using `Connect-AipService -environmentname azurechinacloud`.
+ 4. Run `(Get-AipServiceConfiguration).RightsManagementServiceId` to get the RMS ID.
2. Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV record.
- - Service = `_rmsredir`
- - Protocol = `_http`
- - Name = `_tcp`
- - Target = `[GUID].rms.aadrm.cn` (where GUID is the RMS ID)
+ - Service = `_rmsredir`
+ - Protocol = `_http`
+ - Name = `_tcp`
+ - Target = `[GUID].rms.aadrm.cn` (where GUID is the RMS ID)
- Priority, Weight, Seconds, TTL = default values
-3. Associate the custom domain with the tenant in the [Azure portal](https://portal.azure.cn/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains). This will add an entry in DNS, which might take several minutes to get verified after you add the value to the DNS settings.
+3. Associate the custom domain with the tenant in the [Azure portal](https://portal.azure.cn/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains). This will add an entry in DNS, which might take several minutes to get verified after you add the value to the DNS settings.
4. Log in to the Microsoft 365 admin center with the corresponding global admin credentials and add the domain (for example, `contoso.cn`) for user creation. In the verification process, additional DNS changes might be required. Once verification is done, users can be created.
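Review bot: the `_rmsredir` SRV record list gives Service, Protocol, Name and Target but no Port line, while the `_rmsdisco` record later in this article states `Port = 80`. Add the port so the record can be created from this list alone. The "Get the RMS ID" sub-steps also go from `Install-Module AipService` straight to `Connect-AipService`, without the `Import-Module AipService` step that the "Check if RMS is enabled" procedure includes; keep the two procedures aligned.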
Also, the assumption is that users will log in with a username based off the ten
Log in to your DNS provider, navigate to the DNS settings for the domain, and then add a new SRV record. -- Service = `_rmsdisco`-- Protocol = `_http`-- Name = `_tcp`-- Target = `api.aadrm.cn`-- Port = `80`
+- Service = `_rmsdisco`
+- Protocol = `_http`
+- Name = `_tcp`
+- Target = `api.aadrm.cn`
+- Port = `80`
- Priority, Weight, Seconds, TTL = default values
admin Services In China https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/services-in-china.md
audience: Admin
ms.localizationpriority: medium--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_NonTOC - SPO_Content-+ - AdminSurgePortfolio - AdminTemplateSet search.appverid:
monikerRange: 'o365-21vianet'
# Office 365 operated by 21Vianet Office 365 operated by 21Vianet is designed to meet the needs for secure, reliable and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet.
-
+ Microsoft does not operate the service itself. 21Vianet operates, provides, and manages delivery of the service. 21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local Office 365 datacenters to provide you the ability to use Office 365 services while keeping your data within China. 21Vianet also provides your subscription and billing services, as well as support.
-
+ > [!NOTE]
-> These services are subject to Chinese laws.
-
+> These services are subject to Chinese laws.
+ **Follow us on WeChat**
-
+ Scan this QR code to follow us on WeChat and get the latest updates for Office 365 operated by 21Vianet.
-
+ ![Scan this QR code to follow us on WeChat.](../../media/9bbbdf3b-b3ab-4355-82a0-37a84d70735b.png)
-
+ **About services in Office 365 operated by 21Vianet**
-
+ The sections below highlight some of the differences you will find in each service. Ultimately our goal is to achieve parity with global services. However, due to the unique nature of the China services - operated by a partner from datacenters inside China - there are some features that have not yet been enabled. Customers will see the services come closer to full feature parity over time. For a more detailed look at services available for each Office 365 plan operated by 21Vianet, see the [Office 365 Service Description](/office365/servicedescriptions/office-365-platform-service-description/office-365-operated-by-21vianet).
-
-
+ If you would like to learn how to get started with general Office 365 services, see [Get started](../admin-overview/get-started-with-office-365.md).
-
+ ## Office 365 Suite |Function|Availability|
-|:--|:--|
-|Custom domains <br/> |Administrators can create and/or use custom domains registered through Chinese-specific domain providers. If you don't have a custom domain, you can [How to buy a domain name](../get-help-with-domains/buy-a-domain-name.md) from a domain name registrar. If you already have one, [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). <br/> Additionally, if you create a public website using the Office 365 SharePoint Online service, China Internet compliance policy requires that you get an Internet Content Provider (ICP) number. **Note:** Automatic validation for disallowed words in custom domain names is not available. |
-|Subscriptions, billing, and technical support <br/> |Provided by 21Vianet. For information on how to contact support, see [Contact Office 365 for business support](../../business-video/get-help-support.md). <br/> |
-|Self-service password reset <br/> |Available for admins only. For more information, see [Change or reset your password in Office 365 operated by 21Vianet](https://support.microsoft.com/office/d8eb5b62-9d0e-4267-a9bf-2aa491ee6d0b). <br/> |
-|Security, privacy, compliance, and details on levels of support <br/> |Provided by 21Vianet. <br/> |
-|Office Desktop Setup <br/> |Office desktop setup is not available for Office 2010 and Office 2007. However, administrators can [Configure current Office desktop applications to work with Office 365](https://support.microsoft.com/office/85646aba-7e6c-4e24-a047-8fd9ce4f9d2e). <br/> |
-|Mobile and device support\* <br/> | Coming soon are the following mobile features: <br/> Mobile Device Management (MDM) <br/> Blackberry Business Cloud Services (BBCS) is not available, but you can use Exchange ActiveSync devices or an offering from Research in Motion (RIM, the BlackBerry wireless email solution) to run Blackberry Enterprise Server (BES). <br/> For more information on mobile support, see [Set up and manage mobile access for your users](https://support.microsoft.com/office/01fff219-4492-40f2-82d3-fd2ffc0ad802). <br/> |
-|Office Lens <br/> |Not available. <br/> |
-|Microsoft Planner <br/> |Coming soon. <br/> |
-|Microsoft Teams <br/> |Not available. <br/> |
-|Sway <br/> |Coming soon. <br/> |
-|Help in multiple languages <br/> |Help is available in Simplified Chinese and English only. <br/> |
-|Community-provided help <br/> |Community-provided help is not available yet, but you can select the Help button ( **?** ) in the upper right corner of your portal to see help articles. <br/> |
-
+|||
+|Custom domains|Administrators can create and/or use custom domains registered through Chinese-specific domain providers. If you don't have a custom domain, you can [How to buy a domain name](../get-help-with-domains/buy-a-domain-name.md) from a domain name registrar. If you already have one, [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). <br/> Additionally, if you create a public website using the Office 365 SharePoint Online service, China Internet compliance policy requires that you get an Internet Content Provider (ICP) number. **Note:** Automatic validation for disallowed words in custom domain names is not available.|
+|Subscriptions, billing, and technical support|Provided by 21Vianet. For information on how to contact support, see [Contact Office 365 for business support](../../business-video/get-help-support.md).|
+|Self-service password reset|Available for admins only. For more information, see [Change or reset your password in Office 365 operated by 21Vianet](https://support.microsoft.com/office/d8eb5b62-9d0e-4267-a9bf-2aa491ee6d0b).|
+|Security, privacy, compliance, and details on levels of support|Provided by 21Vianet.|
+|Office Desktop Setup|Office desktop setup is not available for Office 2010 and Office 2007. However, administrators can [Configure current Office desktop applications to work with Office 365](https://support.microsoft.com/office/85646aba-7e6c-4e24-a047-8fd9ce4f9d2e).|
+|Mobile and device support\*|Coming soon are the following mobile features: <br/> Mobile Device Management (MDM) <br/> Blackberry Business Cloud Services (BBCS) is not available, but you can use Exchange ActiveSync devices or an offering from Research in Motion (RIM, the BlackBerry wireless email solution) to run Blackberry Enterprise Server (BES). <br/> For more information on mobile support, see [Set up and manage mobile access for your users](https://support.microsoft.com/office/01fff219-4492-40f2-82d3-fd2ffc0ad802).|
+|Office Lens|Not available.|
+|Microsoft Planner|Coming soon.|
+|Microsoft Teams|Not available.|
+|Sway|Coming soon.|
+|Help in multiple languages|Help is available in Simplified Chinese and English only.|
+|Community-provided help|Community-provided help is not available yet, but you can select the Help button ( **?** ) in the upper right corner of your portal to see help articles.|
+ \*Optional services provided directly by Microsoft, and subject to Microsoft's Terms of Service and privacy statements.
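Review bot: in the Office 365 Suite table the delimiter row `|:--|:--|` is replaced by `|||`, which has no hyphens and so does not mark the preceding `|Function|Availability|` line as a table header. The rows below it would then render as plain text rather than a table. Use `|---|---|` or keep the original row. The same replacement appears in the SharePoint Online table.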
-
+ ## SharePoint Online |Function|Availability|
-|:--|:--|
-|Sharing a document, library, or site by email with someone outside of your organization <br/> |This feature is available, but off by default as using it could make files shared accessible outside of your country. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make files shared accessible outside of your country. Users who attempt to share with someone outside of the organization will also receive a warning. For more information, see [Share SharePoint files or folders in Office 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c). <br/> |
-|Access Services <br/> |Access 2013 is supported, but adding new Access apps may not be available as this feature will be retired from Office 365 and SharePoint Online. Creation of new Access-based web apps and Access web databases in Office 365 and SharePoint Online will stop starting in June 2017 and any remaining web apps and web databases by April 2018. Additionally, Access 2010 functionality is not supported, and attempting to use an Access 2010 database will result in errors and possible data loss. <br/> |
-|Microsoft Power Apps <br/> |Microsoft Power Apps and Microsoft Power Automate are now available to customers in regulated industries and commercial organizations that do business with tables in China and require local data residency. <br/> |
-|Information Rights Management (IRM) <br/> |The ability to set IRM capabilities to SharePoint for your organization is coming soon. <br/> |
-|Ability to translate text or pages <br/> |Available, but off by default. Tenant admins can turn this ability on, but the translation cloud service may be located outside your country. If you do not want users to send content to a translation cloud service, you may keep these features disabled. <br/> |
-|Public website ICP registration <br/> |China Internet compliance policy requires that you get an Internet Content Provider (ICP) number for your public website. |
-|Public website features <br/> |Public websites are available only if you purchased Office 365 before March 9, 2015. However, Bing maps, external sharing, and comments are not available in a public web site as these features may send data outside of your country. <br/> |
-|Newsfeed and Yammer (enterprise social networks) <br/> |Newsfeed (the social hub where you'll see updates from the people, documents, sites, and tags you're following) is available. Yammer is unavailable. <br/> |
-|Autohosted apps <br/> |You can deploy a provider-hosted app that uses SharePoint and SQL Azure. For more information, see [Create a basic provider hosted app for SharePoint](/sharepoint/dev/sp-add-ins/get-started-creating-provider-hosted-sharepoint-add-ins). Coming soon is the ability for developers to deploy an app that uses an autohosted web site. <br/> |
-|InfoPath <br/> |Not available. <br/> |
-|SharePoint Store <br/> |The Office and SharePoint App Stores are optional services operated by Microsoft Corporation or its affiliate from any of Microsoft's worldwide facilities. The apps available in the Store are provided by various app publishers, and are subject to the app publisher's terms and conditions and privacy statement. Your use of any of these apps may result in your data being transferred to, stored, or processed in any country where the app publisher, its affiliates or service providers maintain facilities. Please carefully review the app publisher's terms and conditions and privacy statements before downloading and using such apps. <br/> |
-|Office 365 Developer Site: Publish to SharePoint Store using the Seller Dashboard\* <br/> |Learn about the [requirements for submitting apps for SharePoint](/office/dev/store/submit-sharepoint-add-ins-for-office-365-operated-by-21vianet-in-china) for distribution to users of Office 365 operated by 21Vianet. <br/> |
-
+|||
+|Sharing a document, library, or site by email with someone outside of your organization|This feature is available, but off by default as using it could make files shared accessible outside of your country. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make files shared accessible outside of your country. Users who attempt to share with someone outside of the organization will also receive a warning. For more information, see [Share SharePoint files or folders in Office 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c).|
+|Access Services|Access 2013 is supported, but adding new Access apps may not be available as this feature will be retired from Office 365 and SharePoint Online. Creation of new Access-based web apps and Access web databases in Office 365 and SharePoint Online will stop starting in June 2017 and any remaining web apps and web databases by April 2018. Additionally, Access 2010 functionality is not supported, and attempting to use an Access 2010 database will result in errors and possible data loss.|
+|Microsoft Power Apps|Microsoft Power Apps and Microsoft Power Automate are now available to customers in regulated industries and commercial organizations that do business with tables in China and require local data residency.|
+|Information Rights Management (IRM)|The ability to set IRM capabilities to SharePoint for your organization is coming soon.|
+|Ability to translate text or pages|Available, but off by default. Tenant admins can turn this ability on, but the translation cloud service may be located outside your country. If you do not want users to send content to a translation cloud service, you may keep these features disabled.|
+|Public website ICP registration|China Internet compliance policy requires that you get an Internet Content Provider (ICP) number for your public website.|
+|Public website features|Public websites are available only if you purchased Office 365 before March 9, 2015. However, Bing maps, external sharing, and comments are not available in a public web site as these features may send data outside of your country.|
+|Newsfeed and Yammer (enterprise social networks)|Newsfeed (the social hub where you'll see updates from the people, documents, sites, and tags you're following) is available. Yammer is unavailable.|
+|Autohosted apps|You can deploy a provider-hosted app that uses SharePoint and SQL Azure. For more information, see [Create a basic provider hosted app for SharePoint](/sharepoint/dev/sp-add-ins/get-started-creating-provider-hosted-sharepoint-add-ins). Coming soon is the ability for developers to deploy an app that uses an autohosted web site.|
+|InfoPath|Not available.|
+|SharePoint Store|The Office and SharePoint App Stores are optional services operated by Microsoft Corporation or its affiliate from any of Microsoft's worldwide facilities. The apps available in the Store are provided by various app publishers, and are subject to the app publisher's terms and conditions and privacy statement. Your use of any of these apps may result in your data being transferred to, stored, or processed in any country where the app publisher, its affiliates or service providers maintain facilities. Please carefully review the app publisher's terms and conditions and privacy statements before downloading and using such apps.|
+|Office 365 Developer Site: Publish to SharePoint Store using the Seller Dashboard\*|Learn about the [requirements for submitting apps for SharePoint](/office/dev/store/submit-sharepoint-add-ins-for-office-365-operated-by-21vianet-in-china) for distribution to users of Office 365 operated by 21Vianet.|
+ \*Optional services provided directly by Microsoft, and subject to Microsoft's Terms of Service and privacy statements.
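Review bot: In the Microsoft Power Apps row, "commercial organizations that do business with tables in China" does not parse; "tables" looks like the wrong noun, so please check it against the intended wording before merging. Since the table is being rewritten anyway, the Access Services row also needs attention: it still describes June 2017 and April 2018 in the future tense, and "any remaining web apps and web databases by April 2018" has no verb. Rewrite that row in the past tense or state the current status.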
-
+ ## Outlook Web App |Function|Availability|
-|:--|:--|
-|Blackberry Business Cloud Services (BBCS) <br/> |Not available, but you can use Exchange ActiveSync devices or an offering from Research in Motion (RIM, the BlackBerry wireless email solution) to run Blackberry Enterprise Server (BES). <br/> |
-|Information Rights Management <br/> |Coming soon. <br/> |
-|Free/Busy information <br/> |Free/Busy information between on-premises and Exchange Online mailboxes is available. <br/> |
-|Sharing your calendar <br/> |Calendar sharing between on-premises and Exchange Online mailboxes is available. <br/> |
-|Sharing contacts <br/> |Coming soon. <br/> |
-|Message tracking <br/> |Coming soon. <br/> |
-|Apps <br/> |Coming soon. <br/> |
-|Places feature <br/> |This feature shows maps of addresses in email; because it may allow data outside of your country, it is not available. <br/> |
-|Connected Accounts <br/> |Connecting to other accounts such as Hotmail (Outlook.com) is coming soon. <br/> |
-
+|||
+|Blackberry Business Cloud Services (BBCS)|Not available, but you can use Exchange ActiveSync devices or an offering from Research in Motion (RIM, the BlackBerry wireless email solution) to run Blackberry Enterprise Server (BES).|
+|Information Rights Management|Coming soon.|
+|Free/Busy information|Free/Busy information between on-premises and Exchange Online mailboxes is available.|
+|Sharing your calendar|Calendar sharing between on-premises and Exchange Online mailboxes is available.|
+|Sharing contacts|Coming soon.|
+|Message tracking|Coming soon.|
+|Apps|Coming soon.|
+|Places feature|This feature shows maps of addresses in email; because it may allow data outside of your country, it is not available.|
+|Connected Accounts|Connecting to other accounts such as Hotmail (Outlook.com) is coming soon.|
+ ## Exchange
- New with Exchange 2013 Cumulative Update 5 (CU5), full-featured hybrid deployments between on-premises Exchange 2013 organizations and Office 365 services are now supported. Leveraging new improvements in the Hybrid Configuration wizard, Exchange 2013 CU5 supports the following hybrid features between your on-premises and Exchange Online organizations:
--- Secure mail routing between on-premises and Exchange Online organizations. -- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain. -- A unified global address list (GAL), also called a "shared address book." -- Free/busy and calendar sharing between on-premises and Exchange Online organizations. -- Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization. -- A single Office Outlook Web App URL for both the on-premises and Exchange Online organizations. -- The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed. -- Centralized mailbox management using the on-premises Exchange admin center (EAC). -- MailTips, HD photo support for Outlook contacts, and multi-mailbox search between on-premises and Exchange Online organizations. -- Cloud-based message archiving for on-premises Exchange mailboxes. -
-For organizations running older or mixed versions of Exchange Server, some hybrid features aren't fully supported for Office 365 tenants hosted by 21Vianet. Use the following table to learn more about hybrid feature support in different Exchange deployment scenarios: <br/>
--
-|**On-Premises Exchange Version**|**Exchange Hybrid Server Version**|**Hybrid Configuration Wizard Supported?**|**Supported Hybrid Features**|
-|:--|:--|:--|:--|
-| 2016 <br/> | N/A <br/> | Yes <br/> | All <br/> |
-| 2013 CU5 <br/> | N/A <br/> | Yes <br/> | All <br/> |
-| 2013 SP1 <br/> | 2013 CU5 <br/> | Yes <br/> | All <br/> |
-| 2013 SP1 <br/> | 2013 SP1 <br/> | Yes <br/> | All <br/> |
-| Mixed 2013 SP1/2010 SP3 <br/> | 2013 CU5 <br/> | Yes <br/> | All, except In-place eDiscovery/Archiving, OWA access (see table below) <br/> |
-| Mixed 2013 SP1/2010 SP3 <br/> | 2013 SP1 <br/> | Yes <br/> | Only manually configured free/busy <br/> |
-| 2010 SP3 <br/> | 2010 SP3 <br/> | No <br/> | None <br/> |
-| 2007 <br/> | 2013 CU5 <br/> | Yes <br/> | Only free/busy <br/> |
-| 2007 <br/> | 2013 SP1 or 2010 SP3No <br/> | N/A <br/> | Not supported <br/> |
-| 2003 <br/> | 2013 SP1/CU5 <br/> | N/A <br/> | Not supported <br/> |
-| 2003 <br/> | 2010 SP3 <br/> | No <br/> | None <br/> |
-
-
+ New with Exchange 2013 Cumulative Update 5 (CU5), full-featured hybrid deployments between on-premises Exchange 2013 organizations and Office 365 services are now supported. Leveraging new improvements in the Hybrid Configuration wizard, Exchange 2013 CU5 supports the following hybrid features between your on-premises and Exchange Online organizations:
+
+- Secure mail routing between on-premises and Exchange Online organizations.
+- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.
+- A unified global address list (GAL), also called a "shared address book."
+- Free/busy and calendar sharing between on-premises and Exchange Online organizations.
+- Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
+- A single Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
+- The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
+- Centralized mailbox management using the on-premises Exchange admin center (EAC).
+- MailTips, HD photo support for Outlook contacts, and multi-mailbox search between on-premises and Exchange Online organizations.
+- Cloud-based message archiving for on-premises Exchange mailboxes.
+
+For organizations running older or mixed versions of Exchange Server, some hybrid features aren't fully supported for Office 365 tenants hosted by 21Vianet. Use the following table to learn more about hybrid feature support in different Exchange deployment scenarios:
+
+|On-Premises Exchange Version|Exchange Hybrid Server Version|Hybrid Configuration Wizard Supported?|Supported Hybrid Features|
+|||||
+|2016|N/A|Yes|All|
+|2013 CU5|N/A|Yes|All|
+|2013 SP1|2013 CU5|Yes|All|
+|2013 SP1|2013 SP1|Yes|All|
+|Mixed 2013 SP1/2010 SP3|2013 CU5|Yes|All, except In-place eDiscovery/Archiving, OWA access (see table below)|
+|Mixed 2013 SP1/2010 SP3|2013 SP1|Yes|Only manually configured free/busy|
+|2010 SP3|2010 SP3|No|None|
+|2007|2013 CU5|Yes|Only free/busy|
+|2007|2013 SP1 or 2010 SP3No|N/A|Not supported|
+|2003|2013 SP1/CU5|N/A|Not supported|
+|2003|2010 SP3|No|None|
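Review bot: The added row `|2007|2013 SP1 or 2010 SP3No|N/A|Not supported|` carries "2010 SP3No" over unchanged from the removed line. The trailing "No" looks like a cell value fused into the hybrid server version, so the reformat preserves a typo rather than fixing it. Please confirm the intended values for the Exchange Hybrid Server Version and Hybrid Configuration Wizard columns of this row and split the cell accordingly.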
+ > [!IMPORTANT]
-> Delegate calendar access, when a user or set of users is provided access to another user's calendar, isn't supported in hybrid deployments with Office 365 tenants hosted by 21Vianet.
-
+> Delegate calendar access, when a user or set of users is provided access to another user's calendar, isn't supported in hybrid deployments with Office 365 tenants hosted by 21Vianet.
+ Additionally, some Exchange messaging policy and compliance features aren't fully supported in hybrid deployments with Office 365 tenants hosted by 21Vianet. These features include: -- [Messaging Records Management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management) -- [In-Place eDiscovery](/exchange/security-and-compliance/in-place-ediscovery/in-place-ediscovery) -- [In-Place Hold](/exchange/security-and-compliance/in-place-and-litigation-holds)
+- [Messaging Records Management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management)
+- [In-Place eDiscovery](/exchange/security-and-compliance/in-place-ediscovery/in-place-ediscovery)
+- [In-Place Hold](/exchange/security-and-compliance/in-place-and-litigation-holds)
- [In-Place Archiving](/exchange/in-place-archiving-in-exchange-2013-exchange-2013-help) - [Mailbox auditing](/exchange/security-and-compliance/exchange-auditing-reports/exchange-auditing-reports)-- Accessing online archives with [Outlook Web App (OWA)](/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/outlook-on-the-web)
+- Accessing online archives with [Outlook Web App (OWA)](/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/outlook-on-the-web)
+
+Use the following table to learn more about feature support in different Exchange deployment scenarios:
-Use the following table to learn more about feature support in different Exchange deployment scenarios:
+|On-Premises Exchange Version|MRM (split archive)|OWA access (split archive)|In-Place eDiscovery|Mailbox Auditing|In-Place Hold/Archiving|
+|||||||
+|All 2013 CU5|Supported|Not supported|Supported|Supported|Supported|
+|All 2010 SP3|Not supported|Not supported|Supported<sup>1</sup>|Supported|Supported|
+|At least one pre-2013 CU5 server|Supported<sup>2</sup>|Not supported|Not supported|Supported|Supported|
-|**On-Premises Exchange Version**|**MRM (split archive)**|**OWA access (split archive)**|**In-Place eDiscovery**|**Mailbox Auditing**|**In-Place Hold/Archiving**|
-|:--|:--|:--|:--|:--|:--|
-| All 2013 CU5 <br/> | Supported <br/> | Not supported <br/> | Supported <br/> | Supported <br/> | Supported <br/> |
-| All 2010 SP3 <br/> | Not supported <br/> | Not supported <br/> | Supported<sup>1</sup> <br/> | Supported <br/> | Supported <br/> |
-| At least one pre-2013 CU5 server <br/> | Supported<sup>2</sup> <br/> | Not supported <br/> | Not supported <br/> | Supported <br/> | Supported <br/> |
-|||
+<sup>1</sup> Separate searches are required for on-premises and Exchange Online mailboxes.
-<sup>1</sup> Separate searches are required for on-premises and Exchange Online mailboxes. <br/> <sup>2</sup> MRM move-to-archive policies can be used for mailboxes located on an Exchange 2013 CU5 or greater server.
+<sup>2</sup> MRM move-to-archive policies can be used for mailboxes located on an Exchange 2013 CU5 or greater server.
+
+To learn more about configuring a hybrid deployment with Office 365 tenants hosted by 21Vianet, see the following topics:
-To learn more about configuring a hybrid deployment with Office 365 tenants hosted by 21Vianet, see the following topics:
- [Hybrid Deployment Prerequisites](/exchange/hybrid-deployment-prerequisites)-- [Certificate Requirements for Hybrid Deployments](/exchange/certificate-requirements)
+- [Certificate Requirements for Hybrid Deployments](/exchange/certificate-requirements)
- [Create a Hybrid Deployment with the Hybrid Configuration Wizard](/exchange/hybrid-deployment/deploy-hybrid) > [!IMPORTANT]
-> The [Exchange Server Deployment Assistant](https://go.microsoft.com/fwlink/?LinkId=506768) is a free web-based tool that helps you configure a hybrid deployment between your on-premises organization and Office 365, or to migrate completely to Office 365. The tool asks you a small set of simple questions and then, based on your answers, creates a customized checklist with instructions to configure your hybrid deployment. We strongly recommend using the Deployment Assistant to configure a hybrid deployment. > For organizations not wishing to upgrade to or add Exchange 2013 CU5 servers, Exchange 2013 SP1 organizations can configure shared calendar free/busy sharing between their on-premises and Exchange Online organizations. To configure this hybrid deployment feature, see [Configuring Exchange hybrid deployment features with Office 365 operated by 21Vianet](https://support.microsoft.com/office/26e7cc26-c980-4cc5-a082-c333de544b6d).
+> The [Exchange Server Deployment Assistant](https://go.microsoft.com/fwlink/?LinkId=506768) is a free web-based tool that helps you configure a hybrid deployment between your on-premises organization and Office 365, or to migrate completely to Office 365. The tool asks you a small set of simple questions and then, based on your answers, creates a customized checklist with instructions to configure your hybrid deployment. We strongly recommend using the Deployment Assistant to configure a hybrid deployment. > For organizations not wishing to upgrade to or add Exchange 2013 CU5 servers, Exchange 2013 SP1 organizations can configure shared calendar free/busy sharing between their on-premises and Exchange Online organizations. To configure this hybrid deployment feature, see [Configuring Exchange hybrid deployment features with Office 365 operated by 21Vianet](https://support.microsoft.com/office/26e7cc26-c980-4cc5-a082-c333de544b6d).
|Function|Availability|
-|:--|:--|
-|Coexistence and Free/Busy Sharing|Sharing calendar free/busy information between two or more on-premises Exchange organizations or sharing between two 21Vianet Office 365 tenants isn't supported. This feature is coming soon! |
-|Calendar sharing|Exchange 2013 SP1 and greater supports manually configuring Internet calendar sharing with other on-premises Exchange or Exchange Online organizations. For more details about configuring this feature manually, see [Enable Internet Calendar Publishing](/exchange/enable-internet-calendar-publishing-exchange-2013-help). |
-Sharing Exchange contact data on Apple mobile devices to the Apple iCloud. |This setting/feature is enabled by default. Administrators should turn this feature off to help prevent users from sharing Exchange data outside of your organization. |
-|Exchange Hosted Email Encryption |Not available. |
-|Office 365 Message Encryption |Coming soon. |
-
+|||
+|Coexistence and Free/Busy Sharing|Sharing calendar free/busy information between two or more on-premises Exchange organizations or sharing between two 21Vianet Office 365 tenants isn't supported. This feature is coming soon!|
+|Calendar sharing|Exchange 2013 SP1 and greater supports manually configuring Internet calendar sharing with other on-premises Exchange or Exchange Online organizations. For more details about configuring this feature manually, see [Enable Internet Calendar Publishing](/exchange/enable-internet-calendar-publishing-exchange-2013-help).|
+Sharing Exchange contact data on Apple mobile devices to the Apple iCloud.|This setting/feature is enabled by default. Administrators should turn this feature off to help prevent users from sharing Exchange data outside of your organization.|
+|Exchange Hosted Email Encryption|Not available.|
+|Office 365 Message Encryption|Coming soon.|
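Review bot: The added row that begins `+Sharing Exchange contact data on Apple mobile devices to the Apple iCloud.|` is missing its leading pipe, unlike every other row in this table, and the omission is copied from the removed line. Add the `|` so the row stays inside the table. This row also tells administrators to turn off a setting that is enabled by default in order to keep Exchange data inside the organization, but it gives no pointer to where the setting lives. A link to the relevant configuration article would make the guidance actionable.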
+ ## Office |Function|Availability|
-|:--|:--|
-|Open an Office application from the **File** \> **Open in**… button <br/> |Available. The ability to do so while roaming is coming soon. <br/> |
-|Save to OneDrive for Business while signed in with a Microsoft account <br/> |To keep your data within your country, you cannot save a document to your organization site (OneDrive for Business) when you are signed in to Office with a Microsoft account. <br/> |
-|Ability to translate text or pages <br/> |This feature is available, but off by default. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make data accessible outside of your country. <br/> |
-
+|||
+|Open an Office application from the **File** \> **Open in**... button|Available. The ability to do so while roaming is coming soon.|
+|Save to OneDrive for Business while signed in with a Microsoft account|To keep your data within your country, you cannot save a document to your organization site (OneDrive for Business) when you are signed in to Office with a Microsoft account.|
+|Ability to translate text or pages|This feature is available, but off by default. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make data accessible outside of your country.|
+ ## Office client |Function|Availability|
-|:--|:--|
-|Manage account (from within the Office client) <br/> |This feature, and others like it that are intended to go to your Office 365 portal, currently point to the worldwide Office 365 portal, and you cannot sign in with your Office 365 operated by 21Vianet account. This is a known issue that is being fixed. In the meantime, you can use the URL https://portal.partner.microsoftonline.cn/ to sign into your account and manage settings from there. For more information, see [Manage your Microsoft 365 Apps for enterprise account for Office 365 operated by 21Vianet](https://support.microsoft.com/office/fbe473d3-69de-4d0c-aecb-b9c2d0d45bc8). <br/> |
-
+|||
+|Manage account (from within the Office client)|This feature, and others like it that are intended to go to your Office 365 portal, currently point to the worldwide Office 365 portal, and you cannot sign in with your Office 365 operated by 21Vianet account. This is a known issue that is being fixed. In the meantime, you can use the URL <https://portal.partner.microsoftonline.cn/> to sign into your account and manage settings from there. For more information, see [Manage your Microsoft 365 Apps for enterprise account for Office 365 operated by 21Vianet](https://support.microsoft.com/office/fbe473d3-69de-4d0c-aecb-b9c2d0d45bc8).|
+ ## OneNote |Function|Availability|
-|:--|:--|
-|Insert and playback online video <br/> |Not available. <br/> |
-|Research pane integration to Bing services <br/> |Not available. <br/> |
-|Accessibility checker <br/> |Not available. <br/> |
-|Class notebook <br/> |Not available. <br/> |
-|Forms <br/> |Not available. <br/> |
-|Immersive reader <br/> |Not available. <br/> |
-|Insert online picture <br/> |Not available. <br/> |
-|Meeting details <br/> |Not available. <br/> |
-|Researcher <br/> |Not available. <br/> |
-|Stickers <br/> |Not available. <br/> |
-|Live Search (ability to search in online notebooks that are not opened in the client) <br/> |Not available. <br/> |
-|Integration with Mac and iOS platform smart look up service <br/> |Not available. <br/> |
-|Share notebook experience and sharing notification <br/> |Not available. <br/> |
-
+|||
+|Insert and playback online video|Not available.|
+|Research pane integration to Bing services|Not available.|
+|Accessibility checker|Not available.|
+|Class notebook|Not available.|
+|Forms|Not available.|
+|Immersive reader|Not available.|
+|Insert online picture|Not available.|
+|Meeting details|Not available.|
+|Researcher|Not available.|
+|Stickers|Not available.|
+|Live Search (ability to search in online notebooks that are not opened in the client)|Not available.|
+|Integration with Mac and iOS platform smart look up service|Not available.|
+|Share notebook experience and sharing notification|Not available.|
+ ## Skype for Business |Function|Availability|
-|:--|:--|
-|Domain providers to support Skype for Business <br/> |You will need to register your domain with a Chinese-specific domain provider that supports SRV records. For more information on how to register domains, see [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). <br/> |
-|Dial-in conferencing (the ability to add telephone access to meetings for users who can't get to a computer) <br/> |You may see options in Skype for Business and in the Skype for Business Admin Center for Dial-in conferencing and providers, but these features are not yet available. They are coming soon. <br/> |
-|Skype for Business desktop help <br/> |You can find help for Skype for Business desktop [here](https://support.microsoft.com/office/6ae5853c-f0fd-4710-aecf-f46def8377ad). However, desktop help is not available from the product unless you are using Office Click-To-Run. <br/> |
-|Lync 2010 <br/> |Not available. <br/> |
-|Ability to join a meeting from your calendar when you're using a Samsung-based device with Google Chrome <br/> |Coming soon. In the meantime, you can open Skype for Business, go to the Meetings view, and join the meeting from there. <br/> |
-|Desk Phone Devices like Polycom, Ares, and Tanjay <br/> |Not available. <br/> |
-|Syndication partners <br/> |Not available. <br/> |
-|Voice features, such as voice mail, ability to make and receive calls from PSTN numbers, call transferring, call forwarding <br/> |Not available. These features require syndication partners. <br/> |
-|Archiving, or ability to tag a user and archive that user's emails and IMs in Exchange <br/> |Not available. <br/> |
-|Skype for Business Web client (LWA) browser support for Firefox 29 <br/> |Not available, but you can use an older version of Firefox. <br/> |
-|Unified Contact Store (UCS) <br/> |The ability for users to keep all of their Skype for Business contact information in Microsoft Exchange Server 2013 is disabled. <br/> |
-| Conferencing devices: <br/> Polycom CX5100 Unified Conference Station <br/> Logitech ConferenceCam CC3000e <br/> Polycom CX7000 <br/> Polycom CX3000 <br/> Logitech BCC950 ConferenceCam <br/> Polycom CX5000 HD <br/> |Not available. <br/> |
-
+|||
+|Domain providers to support Skype for Business|You will need to register your domain with a Chinese-specific domain provider that supports SRV records. For more information on how to register domains, see [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md).|
+|Dial-in conferencing (the ability to add telephone access to meetings for users who can't get to a computer)|You may see options in Skype for Business and in the Skype for Business Admin Center for Dial-in conferencing and providers, but these features are not yet available. They are coming soon.|
+|Skype for Business desktop help|You can find help for Skype for Business desktop [here](https://support.microsoft.com/office/6ae5853c-f0fd-4710-aecf-f46def8377ad). However, desktop help is not available from the product unless you are using Office Click-To-Run.|
+|Lync 2010|Not available.|
+|Ability to join a meeting from your calendar when you're using a Samsung-based device with Google Chrome|Coming soon. In the meantime, you can open Skype for Business, go to the Meetings view, and join the meeting from there.|
+|Desk Phone Devices like Polycom, Ares, and Tanjay|Not available.|
+|Syndication partners|Not available.|
+|Voice features, such as voice mail, ability to make and receive calls from PSTN numbers, call transferring, call forwarding|Not available. These features require syndication partners.|
+|Archiving, or ability to tag a user and archive that user's emails and IMs in Exchange|Not available.|
+|Skype for Business Web client (LWA) browser support for Firefox 29|Not available, but you can use an older version of Firefox.|
+|Unified Contact Store (UCS)|The ability for users to keep all of their Skype for Business contact information in Microsoft Exchange Server 2013 is disabled.|
+|Conferencing devices: <br/> Polycom CX5100 Unified Conference Station <br/> Logitech ConferenceCam CC3000e <br/> Polycom CX7000 <br/> Polycom CX3000 <br/> Logitech BCC950 ConferenceCam <br/> Polycom CX5000 HD|Not available.|
+ ## Data Subject Requests for GDPR GDPR grants individuals (or, data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data and fulfill a request to transmit their data to another controller. The Tenant Administrator role for Office 365 operated by 21Vianet can request data on behalf of a data subject in the following ways:
-
+ - Using the Azure Active Directory Admin Center, a Tenant Administrator can permanently delete a data subject from Azure Active Directory and related services.
-
+ - System generated logs for Microsoft services operated by 21Vianet can be exported by Tenant Administrators using the Data Log Export.
-
+ For details and instructions, see [Data Subject Requests (DSR) for GDPR](https://www.trustcenter.cn/privacy/gdpr-office365.mdl). ## Related content
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
You can add or update a default theme that applies to everyone within your org.
All organization themes can be customized using the following tabs.
-|**Tab**|**What can you do?**|
-|:--|:--|
-|[General](#general-modify-a-theme) <br/> |Modify a theme name and assign to up to five groups (if applicable). <br/> |
-|[Logos](#logos-specify-your-theme-logos) <br/> |Add your organization logo, including alternate logo for dark theme. <br/> |
-|[Colors](#colors-choose-theme-colors) <br/> |Customize a color scheme by specifying navigation bar, accent, text and icon colors. <br/> |
+|Tab|What can you do?|
+|||
+|[General](#general-modify-a-theme)|Modify a theme name and assign to up to five groups (if applicable).|
+|[Logos](#logos-specify-your-theme-logos)|Add your organization logo, including alternate logo for dark theme.|
+|[Colors](#colors-choose-theme-colors)|Customize a color scheme by specifying navigation bar, accent, text and icon colors.|
## General: Modify a theme
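Review bot: The new delimiter row `+|||` under `+|Tab|What can you do?|` contains no dashes, whereas the removed row was `|:--|:--|`. Markdown table syntax needs at least one dash per column in the delimiter row, so as written this block may render as literal pipes rather than a table. Suggest `|---|---|`, and the same check applies to the other tables in this batch that use `|||`.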
On the **Colors** page, you can set the default colors and choose which logo sho
### My organization already has a theme for all employees. How will this change?
-The default theme will continue to be shown to all employees. Adding a new group theme will only be made available to the Microsoft 365 groups associated with that theme.
+The default theme will continue to be shown to all employees. Adding a new group theme will only be made available to the Microsoft 365 groups associated with that theme.
-### Why don’t I see group themes in the Admin Center?
+### Why donΓÇÖt I see group themes in the Admin Center?
-Only global admins can customize company themes. Global readers have read-only access.
+Only global admins can customize company themes. Global readers have read-only access.
### How many different themes can I set up for my organization?
Up to five themes can be created. A default theme and four group themes.
### Can I use security groups or distribution groups instead of Microsoft 365 Groups?
-No, new group themes must be mapped to one or more Microsoft 365 groups and not security groups or distribution groups.
+No, new group themes must be mapped to one or more Microsoft 365 groups and not security groups or distribution groups.
> [!NOTE] > You can convert [distribution groups to Microsoft 365 groups](../manage/upgrade-distribution-lists.md) in Outlook.
-### Can I manually assign a theme independent of Microsoft 365 Groups? 
+### Can I manually assign a theme independent of Microsoft 365 Groups?
-No, new group themes must be mapped to one or more Microsoft 365 groups. Users who are members of the Microsoft 365 group will get the theme applied to their group. You can [create and add new members to a Microsoft 365 Group](../create-groups/create-groups.md) by going to the **Settings** > **Groups** in the admin center.
+No, new group themes must be mapped to one or more Microsoft 365 groups. Users who are members of the Microsoft 365 group will get the theme applied to their group. You can [create and add new members to a Microsoft 365 Group](../create-groups/create-groups.md) by going to the **Settings** > **Groups** in the admin center.
### What happens if a user is assigned to multiple group themes? Users who are assigned to multiple group themes will be shown the default theme.
-### Why canΓÇÖt I delete the default theme?ΓÇ»
+### Why canΓÇÖt I delete the default theme?
The default theme can only be deleted once all group themes are deleted. Make sure you delete all group themes before you try to delete the group theme.
-### Why am I receiving an error message every time I upload a logo URL. 
+### Why am I receiving an error message every time I upload a logo URL.
-Make sure the logo you’re using is specified as a publicly addressable URL. Follow these steps for [uploading logos to Azure Blob Storage](/azure/storage/blobs/storage-upload-process-images?tabs=dotnet) or the [Office 365 Content Delivery Network with SharePoint Online](../../enterprise/use-microsoft-365-cdn-with-spo.md).
+Make sure the logo youΓÇÖre using is specified as a publicly addressable URL. Follow these steps for [uploading logos to Azure Blob Storage](/azure/storage/blobs/storage-upload-process-images?tabs=dotnet) or the [Office 365 Content Delivery Network with SharePoint Online](../../enterprise/use-microsoft-365-cdn-with-spo.md).
-### Why am I receiving the message “Doesn’t meet minimum color contrast ratio of 4.5:1”?
+### Why am I receiving the message ΓÇ£DoesnΓÇÖt meet minimum color contrast ratio of 4.5:1ΓÇ¥?
The recommended contrast ratio between text, icon or button color and background color is 4.5:1. You can override this recommendation and still save your theme as this is not a requirement.
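Review bot: Several added lines in this FAQ replace correctly encoded punctuation with mojibake: `donΓÇÖt` in the group themes heading, `youΓÇÖre` in the logo URL answer, and `ΓÇ£DoesnΓÇÖt ... 4.5:1ΓÇ¥` in the contrast ratio heading, where the removed lines had `’`, `“` and `”`. Re-save the file as UTF-8 or switch to plain ASCII quotes before merging. Separately, the unchanged sentence "Make sure you delete all group themes before you try to delete the group theme" appears to mean the default theme, and is worth correcting in the same pass.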
admin Migrate Data Business Standard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/simplified-signup/migrate-data-business-standard.md
Follow the steps in this article to move your OneDrive, Outlook and Teams data t
## Move files to OneDrive for business
-This section describes how to move the files stored in your Microsoft 365 personal account to your Microsoft 365 business account. With both OneDrive accounts synced to your device, you can easily drag and drop the files between two OneDrive folders.
+This section describes how to move the files stored in your Microsoft 365 personal account to your Microsoft 365 business account. With both OneDrive accounts synced to your device, you can easily drag and drop the files between two OneDrive folders.
-1. Select the OneDrive white cloud icon in the Windows notification area and make sure your OneDrive personal account is synced to your device.
+1. Select the OneDrive white cloud icon in the Windows notification area and make sure your OneDrive personal account is synced to your device.
:::image type="content" source="../../media/ssu-onedrive-icons.png" alt-text="Screenshot: Select white cloud icon in the Windows notification area":::
This section describes how to move the files stored in your Microsoft 365 person
:::image type="content" source="../../media/ssu-onedrive-help-settings.png" alt-text="Screenshot: Select Help & Settings to add an account":::
-3. In **Settings**, select **Account** > **Add an account**.
+3. In **Settings**, select **Account** > **Add an account**.
-4. When OneDrive Setup starts, enter your new business account, and then select **Sign in**.
+4. When OneDrive Setup starts, enter your new business account, and then select **Sign in**.
:::image type="content" source="../../media/ssu-setup-onedrive.png" alt-text="Screenshot: Enter your email address on the OneDrive set up page"::: > [!NOTE]
- > If you haven't set up OneDrive with your current Microsoft 365 personal account before, follow the steps above to set up your personal account on your device and sync your files before moving to the next steps.
+ > If you haven't set up OneDrive with your current Microsoft 365 personal account before, follow the steps above to set up your personal account on your device and sync your files before moving to the next steps.
### Drag and drop files in OneDrive
-With both your Microsoft 365 personal and business accounts synced to your device, you can now move your files from your personal OneDrive folder to your new business OneDrive folder.
+With both your Microsoft 365 personal and business accounts synced to your device, you can now move your files from your personal OneDrive folder to your new business OneDrive folder.
1. In File Explorer, open your synced OneDrive folder that contains your files.
-2. Select and drag the files you want from your OneDrive personal folder to your new OneDrive business folder.
+2. Select and drag the files you want from your OneDrive personal folder to your new OneDrive business folder.
:::image type="content" source="../../media/ssu-onedrive-files-to-work-folder.png" alt-text="Screenshot: Drag and drop files to you new OneDrive for business folder":::
-### Notes about moving files from OneDrive personal to OneDrive for work
+### Notes about moving files from OneDrive personal to OneDrive for work
- If you’re moving a large number of files, we recommend that you move files in batches of no more than 100 files each. -- Files you move from OneDrive personal to OneDrive for work are recognized as new files, and as a result, these files don’t retain metadata details such as Modified and Modified By.
+- Files you move from OneDrive personal to OneDrive for work are recognized as new files, and as a result, these files donΓÇÖt retain metadata details such as Modified and Modified By.
-- If you shared files in OneDrive before, you'll need to share these files again in your new OneDrive for work after you move them. Also, once you share these files, we recommend that you delete the original files from OneDrive. This way, people won’t be able to refer to out-of-date copies of files you’d shared with them earlier.
+- If you shared files in OneDrive before, you'll need to share these files again in your new OneDrive for work after you move them. Also, once you share these files, we recommend that you delete the original files from OneDrive. This way, people wonΓÇÖt be able to refer to out-of-date copies of files youΓÇÖd shared with them earlier.
## Step: Set up Outlook for email
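Review bot: the two added bullets in the notes list contain "donΓÇÖt", "wonΓÇÖt" and "youΓÇÖd", which are mis-encoded forms of the apostrophes in the lines they replace. Restore the apostrophes (or use ASCII ') before merging. The unchanged first bullet still reads "you’re" correctly, so the list would otherwise end up with mixed encodings.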
admin Signup Teams Business Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/simplified-signup/signup-teams-business-subscription.md
If you choose to use a domain you already own, you can use it for your email add
### How does recurring billing work?
-When Recurring billing is on, your subscription will continue to be billed each month (or year, depending on your billing plan) on the day you subscribed. You can turn it off or back on again in the admin center if your subscription is active. Learn more atΓÇ»[Turn Recurring billing off or on](../../commerce/subscriptions/renew-your-subscription.md#turn-recurring-billing-off-or-on).
+When Recurring billing is on, your subscription will continue to be billed each month (or year, depending on your billing plan) on the day you subscribed. You can turn it off or back on again in the admin center if your subscription is active. Learn more at [Turn Recurring billing off or on](../../commerce/subscriptions/renew-your-subscription.md#turn-recurring-billing-off-or-on).
### What do I do if I want to change my business name?
-Contact our small business support experts who can help you change your business name. Learn more atΓÇ»[Get support](../get-help-support.md).
+Contact our small business support experts who can help you change your business name. Learn more at [Get support](../get-help-support.md).
compliance Add Custodians To Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/add-custodians-to-case.md
To add custodians to a case, you must be a member of the eDiscovery Manager role
1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in with a user account that has been assigned the appropriate eDiscovery permissions.
-2. In the left navigation pane of the Microsoft 365 compliance center, select **eDiscovery** > **Advanced eDiscovery**, and select the [**Cases**](https://go.microsoft.com/fwlink/p/?linkid=2173764) tab.
+2. In the left navigation pane of the Microsoft 365 compliance center, select **eDiscovery** > **Advanced eDiscovery**, and select the [**Cases**](https://go.microsoft.com/fwlink/p/?linkid=2173764) tab.
3. Select the case that you want to add custodians to.
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
The following query contains typical keywords to help identify documents or emai
(resume AND staff AND employee AND salary AND recruitment AND candidate) ```
-Note that this final example uses the best practice of always including operators between keywords. A space between keywords (or two property:value expressions) is the same as using AND. By always adding operators, it's easier to see that this example query will identify only content that contains all these keywords, instead of content that contains any of the keywords. If your intention is to identify content that contains any of the keywords, specify OR instead of AND. As this example shows, when you always specify the operators, it's easier to correctly interpret the query.
+Note that this final example uses the best practice of always including operators between keywords. A space between keywords (or two property:value expressions) is the same as using AND. By always adding operators, it's easier to see that this example query will identify only content that contains all these keywords, instead of content that contains any of the keywords. If your intention is to identify content that contains any of the keywords, specify OR instead of AND. As this example shows, when you always specify the operators, it's easier to correctly interpret the query.
##### Microsoft Teams meeting recordings
compliance Archive 17A 4 Blackberry Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-blackberry-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for BlackBerry data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **BlackBerry DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **BlackBerry DataParser**.
2. On the **BlackBerry DataParser** product description page, click **Add connector**.
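Review bot: the context line directly above the changed step reads "The first step is to access to the Data connectors page"; the second "to" should go ("access the Data connectors page"). The same sentence appears in the other 17a-4 connector articles touched in this batch, so it is worth fixing in all of them while step 1 is being edited.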
compliance Archive 17A 4 Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-bloomberg-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Bloomberg data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Bloomberg DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Bloomberg DataParser**.
2. On the **Bloomberg DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Cisco Jabber Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-cisco-jabber-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Jabber data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Jabber DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Jabber DataParser**.
2. On the **Cisco Jabber DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Factset Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-factset-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FactSet data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FactSet DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FactSet DataParser**.
2. On the **FactSet DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Fuze Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fuze-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Fuze data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Fuze DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Fuze DataParser**.
2. On the **Fuze DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fxconnect-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for FX Connect data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FX Connect DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **FX Connect DataParser**.
2. On the **FX Connect DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Ice Im Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-ice-im-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ICE Connect Chat data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ICE DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ICE DataParser**.
2. On the **ICE DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Investedge Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-investedge-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for InvestEdge data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **InvestEdge DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **InvestEdge DataParser**.
2. On the **InvestEdge DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Liveperson Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-liveperson-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for LivePerson Conversational Cloud data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **LivePerson Conversational Cloud DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **LivePerson Conversational Cloud DataParser**.
2. On the **LivePerson Conversational Cloud DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Quip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-quip-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Quip data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Quip DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Quip DataParser**.
2. On the **Quip DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Refinitiv Messenger Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-refinitiv-messenger-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Refinitiv Eikon Messenger data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Refinitiv Eikon Messenger DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Refinitiv Eikon Messenger DataParser**.
2. On the **Refinitiv Eikon Messenger DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-servicenow-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for ServiceNow data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ServiceNow DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **ServiceNow DataParser**.
2. On the **ServiceNow DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Skype For Business Server Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-skype-for-business-server-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Skype for Business Server data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Skype for Business Server DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Skype for Business Server DataParser**.
2. On the **Skype for Business Server DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-slack-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Slack data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Slack DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Slack DataParser**.
2. On the **Slack DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Sql Database Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-sql-database-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for SQL data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **SQL DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **SQL DataParser**.
2. On the **SQL DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-symphony-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Symphony data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Symphony DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Symphony DataParser**.
2. On the **Symphony DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Webex Teams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-webex-teams-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Cisco Webex data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Webex DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Webex DataParser**.
2. On the **Cisco Webex DataParser** product description page, click **Add connector**.
compliance Archive 17A 4 Zoom Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-zoom-data.md
The following overview explains the process of using a data connector to archive
The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Zoom data.
-1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Zoom DataParser**.
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Zoom DataParser**.
2. On the **Zoom DataParser** product description page, click **Add connector**.
compliance Archive Ciscojabberonoracle Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonoracle-data.md
The following overview explains the process of using a connector to archive the
- Create a Merge1 account for Microsoft connectors. To do this, contact [Veritas Customer Support](https://www.veritas.com/content/support/en_US). You need to sign into this account when you create the connector in Step 1. -- The user who creates the Cisco Jabber on Oracle connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the Cisco Jabber on Oracle connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
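Review bot: the bullet that follows the changed Data Connector Admin line writes "FEDRAMP compliant"; the program name is styled "FedRAMP". Since this prerequisites list is being touched, correct the casing here and in the identical bullet in the other Veritas connector articles.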
compliance Archive Data From Celltrustsl2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-data-from-celltrustsl2.md
CellTrust's SL2 platform captures communication data from multiple sources. SL2
The first step is to create a data connector in the Microsoft 365 compliance center.
-1. Go to <https://compliance.microsoft.com> and click **Data connectors** on the left navigation pane.
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** on the left navigation pane.
2. On the **Overview** tab, click **Filter** and select **By CellTrust**, and then apply the filter.
compliance Archive Ringcentral Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ringcentral-data.md
The following overview explains the process of using a connector to archive the
- Create a RingCentral application to fetch data from your RingCentral account. For step-by step instructions about creating the application, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20RingCentral%20User%20Guide.pdf). -- The user who creates the RingCentral connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the RingCentral connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
compliance Archive Rogers Network Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-rogers-network-archiver-data.md
After you've completed the prerequisites described in the previous section, you
5. After the connector is created, you can close the pop-up window and go to the next page.
-6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
-7. Review your settings, and then click **Finish** to create the connector.
+7. Review your settings, and then click **Finish** to create the connector.
-8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
## Known issues
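Review bot: step 8 in the added lines still reads "Go to the Connectors tab in **Data connectors** page", which is missing an article. Suggest "Go to the **Connectors** tab on the **Data connectors** page", which also matches the bold styling used for UI labels in steps 6 and 7.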
compliance Archive Salesforcechatter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-salesforcechatter-data.md
description: "Admins can set up a connector to import and archive Salesforce Cha
# Set up a connector to archive Salesforce Chatter data
-Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Salesforce Chatter platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Salesforce Chatter](http://globanet.com/chatter/) connector that captures items from the third-party data source and imports those items to Microsoft 365. The connector converts the content such as chats, attachments, and posts from Salesforce Chatter to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Salesforce Chatter platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Salesforce Chatter](http://globanet.com/chatter/) connector that captures items from the third-party data source and imports those items to Microsoft 365. The connector converts the content such as chats, attachments, and posts from Salesforce Chatter to an email message format and then imports those items to the user's mailbox in Microsoft 365.
After Salesforce Chatter data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a Salesforce Chatter connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
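Review bot: the link in the added paragraph, [Salesforce Chatter](http://globanet.com/chatter/), is still plain HTTP. Since the line is being rewritten anyway, point it at an https:// URL if the vendor serves one, so admins following the setup instructions are not sent over an unauthenticated connection.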
The following overview explains the process of using a connector to archive the
- Create a Salesforce application and acquire a token at [https://salesforce.com](https://salesforce.com). You'll need to log into the Salesforce account as an admin and get a user personal token to import data. Also, triggers need to be published on the Chatter site to capture updates, deletes, and edits. These triggers will create a post on a channel, and Merge1 will capture the information from the channel. For step-by-step instructions about how to create the application and acquire the token, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20SalesForce%20Chatter%20User%20Guide%20.pdf). -- The user who creates the Salesforce Chatter connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the Salesforce Chatter connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
After you click **Save & Finish,** the **User mapping** page in the connector wi
To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
-1. On the **Map Salesforce Chatter users to Microsoft 365 users** page, enable automatic user mapping. The Salesforce Chatter items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.
+1. On the **Map Salesforce Chatter users to Microsoft 365 users** page, enable automatic user mapping. The Salesforce Chatter items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that user's mailbox.
2. click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
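Review bot: step 2 in the unchanged context right after the edited step 1 starts with a lowercase "click **Next**", while the same step in the Skype for Business and YouTube articles reads "Click **Next**"; capitalize it while this list is being touched. The lead-in for this procedure also puts the comma inside the bold span ("**Save & Finish,**"), where the Skype for Business article has "**Save & Finish**,".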
compliance Archive Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-servicenow-data.md
The following overview explains the process of using a connector to archive the
- Create a ServiceNow application to fetch data from your ServiceNow account. For step-by step instructions about creating the application, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20ServiceNow%20User%20Guide%20.pdf). -- The user who creates the ServiceNow connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the ServiceNow connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
compliance Archive Signal Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-signal-archiver-data.md
After Signal Archiver connector data is stored in user mailboxes, you can apply
## Overview of archiving Signal communications data
-The following overview explains the process of using a connector to archive  Signal communication data in Microsoft 365.
+The following overview explains the process of using a connector to archive Signal communication data in Microsoft 365.
![Signal communications archiving workflow.](../media/SignalConnectorWorkflow.png)
The following overview explains the process of using a connector to archive  Si
4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Signal Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does the mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
- In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+ In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User's email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
## Before you set up a connector
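Review bot: the added line fixes the stray space in "User's email address property" but leaves that property name unformatted and cased differently from the other two mentions in the same paragraph (*User's Email address* and *user's email address*); pick one form and italicize all three. The same paragraph also reads "will first look at custom mapping file", which is missing "the", and "User's mobile Number" is capitalized inconsistently.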
After you've completed the prerequisites described in the previous section, you
5. After the connector is created, you can close the pop-up window and go to the next page.
-6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
-7. Review your settings, and then click **Finish** to create the connector.
+7. Review your settings, and then click **Finish** to create the connector.
-8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
## Known issues
compliance Archive Skypeforbusiness Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-skypeforbusiness-data.md
description: "Learn how to set up and use a connector in the Microsoft 365 compl
# Set up a connector to archive Skype for Business data
-Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Skype for Business platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Skype for Business](https://www.veritas.com/en/au/insights/merge1/skype-for-business) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages between users, persistent chats, and conference messages from Skype for Business to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Skype for Business platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Skype for Business](https://www.veritas.com/en/au/insights/merge1/skype-for-business) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages between users, persistent chats, and conference messages from Skype for Business to an email message format and then imports those items to the user's mailbox in Microsoft 365.
After Skype for Business data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a Skype for Business connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
The following overview explains the process of using a connector to archive the
- Create a Merge1 account for Microsoft connectors. To do this, contact [Veritas Customer Support](https://www.veritas.com/form/requestacall/ms-connectors-contact.html). You need to sign into this account when you create the connector in Step 1. -- The user who creates the Skype for Business connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the Skype for Business connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
After you click **Save & Finish**, the **User mapping** page in the connector wi
To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
-1. On the **Map Skype for Business users to Microsoft 365 users** page, enable automatic user mapping. The Skype for Business items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.
+1. On the **Map Skype for Business users to Microsoft 365 users** page, enable automatic user mapping. The Skype for Business items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that user's mailbox.
2. Click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
compliance Archive Slack Data Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-slack-data-microsoft.md
The following overview explains the process of using a Microsoft data connector
## Step 1: Create a Slack eDiscovery connector
-1. Go to <https://compliance.microsoft.com> and click **Data connectors** on the left navigation pane.
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** on the left navigation pane.
2. On the **Overview** tab, click **Filter** and select **By Microsoft**, and then apply the filter.
compliance Archive Telegram Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-telegram-archiver-data.md
After Telegram Archiver connector data is stored in user mailboxes, you can appl
## Overview of archiving Telegram communications data
-The following overview explains the process of using a connector to archive  Telegram communications data in Microsoft 365.
+The following overview explains the process of using a connector to archive Telegram communications data in Microsoft 365.
![Telegram communications archiving workflow.](../media/TelegramConnectorWorkflow.png)
The following overview explains the process of using a connector to archive  Te
4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Telegram Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does this mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
-> In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+> In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User's email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
## Before you set up a connector
After you've completed the prerequisites described in the previous section, you
5. After the connector is created, you can close the pop-up window and go to the next page.
-6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
-7. Review your settings, and then click **Finish** to create the connector.
+7. Review your settings, and then click **Finish** to create the connector.
-8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
## Known issues
compliance Archive Veritas Twitter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-veritas-twitter-data.md
The following overview explains the process of using a connector to archive Twit
- Create a Twitter application at <https://developer.twitter.com> to fetch data from your Twitter account. For step-by step instructions about creating the application, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Twitter%20User%20Guide.pdf). -- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
- This Veritas data connector is in public preview in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
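Review bot: the re-added bullet in archive-veritas-twitter-data.md still says "The user who creates the YouTube connector", although the preceding bullet and the file itself are about the Twitter connector; it looks carried over from archive-youtube-data.md and should read "Twitter connector". This bullet tells admins who needs the Data Connector Admin role, so the wrong connector name is worth correcting in the same change rather than only normalizing whitespace.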
compliance Archive Youtube Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-youtube-data.md
The following overview explains the process of using a connector to archive the
- Create a YouTube application to fetch data from your YouTube account. For step-by step instructions about creating the application, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20YouTube%20User%20Guide.pdf). -- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the security and compliance centers" section in [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).
## Step 1: Set up the YouTube connector
After you click **Save & Finish,** the **User mapping** page in the connector wi
To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
-1. On the **Map YouTube users to Microsoft 365 users** page, enable automatic user mapping. The YouTube items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.
+1. On the **Map YouTube users to Microsoft 365 users** page, enable automatic user mapping. The YouTube items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that user's mailbox.
2. Click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
These appear in the **Microsoft 365 compliance center** > **Data classification*
Pre-trained classifiers can scan content in these languages:
-ΓÇó Chinese (Simplified)
-ΓÇó English
-ΓÇó French
-ΓÇó German
-ΓÇó Italian
-ΓÇó Japanese
-ΓÇó Portuguese
-ΓÇó Spanish
+- Chinese (Simplified)
+- English
+- French
+- German
+- Italian
+- Japanese
+- Portuguese
+- Spanish
### Custom classifiers
compliance Compliance Easy Trials Compliance Manager Assessment Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessment-playbook.md
description: "Microsoft Compliance Manager premium assessments trial playbook."
Welcome to the Microsoft Compliance Manager premium assessment trial playbook.
-This playbook will help you make the most of your 90-day free trial by teaching you how to use the comprehensive set of premium assessment templates (add-on).ΓÇï
+This playbook will help you make the most of your 90-day free trial by teaching you how to use the comprehensive set of premium assessment templates (add-on).
Using Microsoft recommendations, you'll quickly see how the premium assessment templates can help your organization assess risks and efficiently respond to global, regional and industrial regulatory requirements.
Using Microsoft recommendations, you'll quickly see how the premium assessment t
Our [Compliance Manager overview page](compliance-manager.md) is the best first stop for a comprehensive review of what Compliance Manager is and how it works. You may also want to jump right to key sections of our documentation using the links below:
-1. [Understand your compliance scoreΓÇï](compliance-manager.md#understanding-your-compliance-score)
-1. [Overview of key elements: controls, assessments, templates, and improvement actionsΓÇï](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions)
-1. [Understand the Compliance Manager dashboardΓÇï](compliance-manager-setup.md#understand-the-compliance-manager-dashboard)
-1. [Filter your dashboard viewΓÇï](compliance-manager-setup.md#filtering-your-dashboard-view)
-1. [Learn about improvement actionsΓÇï](compliance-manager-setup.md#improvement-actions-page)
-1. [Understand assessmentsΓÇï](compliance-manager.md#assessments)
+1. [Understand your compliance score](compliance-manager.md#understanding-your-compliance-score)
+1. [Overview of key elements: controls, assessments, templates, and improvement actions](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions)
+1. [Understand the Compliance Manager dashboard](compliance-manager-setup.md#understand-the-compliance-manager-dashboard)
+1. [Filter your dashboard view](compliance-manager-setup.md#filtering-your-dashboard-view)
+1. [Learn about improvement actions](compliance-manager-setup.md#improvement-actions-page)
+1. [Understand assessments](compliance-manager.md#assessments)
1. [Do a quick scan of your environment using the Microsoft Compliance Configuration Manager](compliance-manager-mcca.md) ## Step 2: Configure Compliance Manager Start working with assessments and taking improvement actions to implement controls and improve your compliance score.
-1. [Choose a pre-built template to create and manage your first assessmentΓÇï](compliance-manager-assessments.md)
-1. [Understand how to use templates for building assessmentsΓÇï](compliance-manager-templates.md)
-1. [Perform implementation and testing work on improvement actions to complete controls in your assessmentsΓÇï](compliance-manager-improvement-actions.md)
+1. [Choose a pre-built template to create and manage your first assessment](compliance-manager-assessments.md)
+1. [Understand how to use templates for building assessments](compliance-manager-templates.md)
+1. [Perform implementation and testing work on improvement actions to complete controls in your assessments](compliance-manager-improvement-actions.md)
1. [Better understand how different actions impact your compliance score](compliance-score-calculation.md) ## Step 3: Review included assessment templates
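Review bot: in the unchanged last item of the first list, the link text reads "Microsoft Compliance Configuration Manager" while the target is compliance-manager-mcca.md; the file name does not match that product name as an acronym, so confirm the link text against the title of the linked article. The rest of the hunk only strips the stray trailing character from link text, which looks fine.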
After starting the premium assessment trial, you will see a summary on the dashb
## Additional resources
-**Microsoft Docs**: Get detailed information on how Compliance Manager premium assessments work and how to best implement them for your organization. Visit [Docs](compliance-manager-templates.md).ΓÇï
+**Microsoft Docs**: Get detailed information on how Compliance Manager premium assessments work and how to best implement them for your organization. Visit [Docs](compliance-manager-templates.md).
**How to videos**: Check out the following videos to learn more: -- [Create assessments and monitor your progress with Compliance ManagerΓÇï](https://techcommunity.microsoft.com/t5/video-hub/create-assessments-and-monitor-your-progress-with-compliance/ba-p/1687992?search-action-id=375363186777&search-result-uid=1687992)-- [Extend and customize assessments to suit your needs in Compliance ManagerΓÇï](https://techcommunity.microsoft.com/t5/video-hub/extend-and-customize-assessments-to-suit-your-needs-in/ba-p/1687991?search-action-id=375363186777&search-result-uid=1687991)
+- [Create assessments and monitor your progress with Compliance Manager](https://techcommunity.microsoft.com/t5/video-hub/create-assessments-and-monitor-your-progress-with-compliance/ba-p/1687992?search-action-id=375363186777&search-result-uid=1687992)
+- [Extend and customize assessments to suit your needs in Compliance Manager](https://techcommunity.microsoft.com/t5/video-hub/extend-and-customize-assessments-to-suit-your-needs-in/ba-p/1687991?search-action-id=375363186777&search-result-uid=1687991)
**Purchase premium assessments**: Get information on available plans and pricing. [Visit Microsoft 365 admin center - Purchase services](https://admin.microsoft.com/#/catalog/offer-details/compliance-manager-premium-assessment-add-on/46E9BF2A-3C8D-4A69-A7E7-3DA04687636D)
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
Communication compliance helps you intelligently identify communication violatio
> Trial best practice: Day 1 [Assign all compliance users to the Communication Compliance role group](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).+ ### Step 2: [Enable the audit logΓÇï](communication-compliance-configure.md#step-2-required-enable-the-audit-log) > [!TIP]
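Review bot: the "### Step 2" heading in this context still carries the "ΓÇï" sequence inside its link text ("[Enable the audit logΓÇï]"), the same stray character that this batch of changes strips from link text in compliance-easy-trials-compliance-manager-assessment-playbook.md. Remove it here as well so the heading text is clean.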
Trainable classifiers are tools that recognize various types of content, based o
### More information: Auto-apply retention labels + disposition review
-**Apply labels automatically to retain what you need…**
+**Apply labels automatically to retain what you need...**
Retention labels can be automatically applied to content when it contains: - [Specific types of sensitive information](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-specific-types-of-sensitive-information) - [Specific keywords or searchable properties that match a query you create](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-keywords-or-searchable-properties) - [A match for trainable classifiers](apply-retention-labels-automatically.md#auto-apply-labels-to-content-by-using-trainable-classifiers)
-**…then dispose of it safely at the end.**
+**...then dispose of it safely at the end.**
When a disposition review is triggered at the end of the retention period, the reviewers you choose receive an email notification that they have content to review.
compliance Compliance Manager Assessments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-assessments.md
audience: Admin
ms.localizationpriority: medium-+ - M365-security-compliance - m365solution-compliancemanager - m365initiative-compliance
+search.appverid:
- MOE150 - MET150 description: "Build assessments in Microsoft Compliance Manager to help you meet the requirements of regulations and certifications that are important to your organization."
description: "Build assessments in Microsoft Compliance Manager to help you meet
## Introduction to assessments
-Compliance Manager helps you create assessments that evaluate your compliance with industry and regional regulations that apply to your organization. Assessments are built upon the framework of assessment templates, which contain the necessary controls, improvement actions, and, where applicable, Microsoft actions for completing the assessment. Setting up the most relevant assessments for your organization can help you implement policies and operational procedures to limit your compliance risk.
+Compliance Manager helps you create assessments that evaluate your compliance with industry and regional regulations that apply to your organization. Assessments are built upon the framework of assessment templates, which contain the necessary controls, improvement actions, and, where applicable, Microsoft actions for completing the assessment. Setting up the most relevant assessments for your organization can help you implement policies and operational procedures to limit your compliance risk.
All of your assessments are listed on the assessments tab of Compliance Manager. Learn more about [how to filter your view of your assessments and interpret status states](compliance-manager-setup.md#assessments-page).
All of your assessments are listed on the assessments tab of Compliance Manager.
To get you started, Microsoft provides a **default** assessment in Compliance Manager for the **Microsoft 365 data protection baseline**. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).
-This assessment is used to calculate your initial compliance score the first time you come to Compliance Manager, before you configure any other assessments. Compliance Manager collects initial signals from your Microsoft 365 solutions. YouΓÇÖll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.
+This assessment is used to calculate your initial compliance score the first time you come to Compliance Manager, before you configure any other assessments. Compliance Manager collects initial signals from your Microsoft 365 solutions. You'll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.
Compliance Manager becomes more helpful as you build and manage your own assessments to meet your organization's particular needs. ## Understand groups before creating assessments
-When you create an assessment, youΓÇÖll need to assign it to a group. Groups are containers that allow you to organize assessments in a way that is logical to you, such as by year or regulation, or based on your organization's divisions or geographies. This is why we recommend planning a grouping strategy before you create assessments.
+When you create an assessment, you'll need to assign it to a group. Groups are containers that allow you to organize assessments in a way that is logical to you, such as by year or regulation, or based on your organization's divisions or geographies. This is why we recommend planning a grouping strategy before you create assessments.
Below are examples of two groups and their underlying assessments:
You can create a group while creating a new assessment. Groups can't be created
## Understand templates before creating assessments
-Assessment templates contain the controls and action recommendations for assessments, based on certifications for different privacy regulations and standards. Your organizationΓÇÖs available templates may include one or more templates that were included as part of your licensing agreement, along with any additional premium templates that you have purchased.
+Assessment templates contain the controls and action recommendations for assessments, based on certifications for different privacy regulations and standards. Your organization's available templates may include one or more templates that were included as part of your licensing agreement, along with any additional premium templates that you have purchased.
Each template, whether included or premium, exists in two versions: one for use with Microsoft 365 (or other Microsoft products as available), and a universal version that can be tailored to assess other products that you use. You can choose the appropriate template type for the product you want to assess.
To create an assessment, you'll use a guided process to select a template and de
#### Create assessments based on recommendations for your org type
-Compliance Manager can indicate which assessments may be most relevant to your organization. When you provide basic information about your organization's industry and locations, we'll recommend which templates to use from our library of over 300 templates. Simply choose among the recommended templates for quick setup of multiple assessments all at once.
+Compliance Manager can indicate which assessments may be most relevant to your organization. When you provide basic information about your organization's industry and locations, we'll recommend which templates to use from our library of over 300 templates. Simply choose among the recommended templates for quick setup of multiple assessments all at once.
To create one or more assessments based on our recommendations, select **Add Recommended Assessments** from your **Assessments** page and follow these steps:
- - Select one or more industries that identify your organization, then select **Next**
- - Select one or more regions for your organization's location, then select **Next**
- - On the **Choose assessment** screen, select the dropdown arrow next to **Recommended templates** to see the list of assessments we think apply to your organization. Check the boxes next to the templates you want to use for creating assessments, then select **Next**.
- - Review your final selections and select **Add Recommended Assessments** to create your new assessments.
+
+- Select one or more industries that identify your organization, then select **Next**
+- Select one or more regions for your organization's location, then select **Next**
+- On the **Choose assessment** screen, select the dropdown arrow next to **Recommended templates** to see the list of assessments we think apply to your organization. Check the boxes next to the templates you want to use for creating assessments, then select **Next**.
+- Review your final selections and select **Add Recommended Assessments** to create your new assessments.
#### Create an assessment using a guided process
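Review bot: The four re-indented bullets under "follow these steps" describe a fixed sequence (choose industries, choose regions, choose templates, review), so a numbered list would fit better than an unordered one, matching the numbered steps used for the delete and modify-template procedures in this same set of changes. The first two items also end at "then select **Next**" with no period while the last two end with one; make the punctuation consistent while the lines are being touched.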
To create one or more assessments based on our recommendations, select **Add Rec
4. **Product, name, and group:** Set these properties to identify your assessment, choose which product it will be evaluating, and assign it to a group.
- - **Product**: Select the product you want your assessment to apply to. If you are using a Microsoft template, such as one designed for Microsoft 365, this field will be populated for you to indicate the appropriate product and cannot be changed. If youΓÇÖre using a universal template, select whether youΓÇÖre creating this assessment for a new product or a custom product you have already defined in Compliance Manager. If you choose a new product, enter its name. Note that you cannot select a pre-defined Microsoft product when using a universal template.
- - **Assessment name**: Enter a name for your assessment in the **Assessment name** field. Assessment names must be unique within groups. If the name of your assessment matches the name of another assessment in any given group, youΓÇÖll receive an error asking you to create a different name.
+ - **Product**: Select the product you want your assessment to apply to. If you are using a Microsoft template, such as one designed for Microsoft 365, this field will be populated for you to indicate the appropriate product and cannot be changed. If you're using a universal template, select whether you're creating this assessment for a new product or a custom product you have already defined in Compliance Manager. If you choose a new product, enter its name. Note that you cannot select a pre-defined Microsoft product when using a universal template.
+ - **Assessment name**: Enter a name for your assessment in the **Assessment name** field. Assessment names must be unique within groups. If the name of your assessment matches the name of another assessment in any given group, you'll receive an error asking you to create a different name.
- **Group**: Assign your assessment to a group. You can either:
- - Select **Use existing group** to assign it to a group youΓÇÖve already created; or
+ - Select **Use existing group** to assign it to a group you've already created; or
- Select **Create new group** to create a new group and assign this assessment to it: - Determine a name for your group and enter it in the field beneath the radio button. - You can **copy data from an existing group**, such as implementation and testing details and documents, by selecting the appropriate boxes.
The controls tab displays detailed information for each control mapped to the as
Beneath the chart, a table lists detailed information about each control within the assessment. Controls are grouped by control family. Expand each family name to reveal the individual controls it contains. The information listed for each control includes: - **Control title**-- **Status**: reflects the test status of the improvement actions within the control
- - **Passed** - all improvement actions have a test status of ΓÇ£passed,ΓÇ¥ or at least one is passed and the rest are ΓÇ£out of scopeΓÇ¥
- - **Failed** - at least one improvement action has a test status of ΓÇ£failedΓÇ¥
- - **None** - all improvement actions have not been tested
- - **Out of scope** - all improvement actions are out of scope for this assessment
- - **In progress** - improvement actions have a status other than the ones listed above, which could include ΓÇ£in progress,ΓÇ¥ ΓÇ£partial credit,ΓÇ¥ or ΓÇ£undetectedΓÇ¥
-- **Control ID**: the controlΓÇÖs identification number, assigned by its corresponding regulation, standard, or policy-- **Points achieved**: the number of points earned by completing actions, out of the total number of achievable points
+- **Status**: reflects the test status of the improvement actions within the control
+ - **Passed** - all improvement actions have a test status of "passed," or at least one is passed and the rest are "out of scope"
+ - **Failed** - at least one improvement action has a test status of "failed"
+ - **None** - all improvement actions have not been tested
+ - **Out of scope** - all improvement actions are out of scope for this assessment
+ - **In progress** - improvement actions have a status other than the ones listed above, which could include "in progress," "partial credit," or "undetected"
+- **Control ID**: the control's identification number, assigned by its corresponding regulation, standard, or policy
+- **Points achieved**: the number of points earned by completing actions, out of the total number of achievable points
- **Your actions**: the number of your actions completed out of the total number of actions to be done - **Microsoft actions**: the number of actions completed by Microsoft
-To view a controlΓÇÖs details, select it from its row in the table. The control details page shows a graph indicating the test status of the actions within that control. A table below the graph shows key improvement actions for that control.
+To view a control's details, select it from its row in the table. The control details page shows a graph indicating the test status of the actions within that control. A table below the graph shows key improvement actions for that control.
-Select an improvement action from the list to drill into the improvement actionΓÇÖs details page. The details page shows test status and implementation notes, and launch into the recommended solution.
+Select an improvement action from the list to drill into the improvement action's details page. The details page shows test status and implementation notes, and launch into the recommended solution.
### Your improvement actions tab
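Review bot: The added line "The details page shows test status and implementation notes, and launch into the recommended solution." carries over a broken sentence: "launch" has no subject that fits. The apostrophe fix is fine, but the line should be reworded in the same change, for example "and lets you launch into the recommended solution". In the status list of the same hunk, "**None** - all improvement actions have not been tested" can be read as either none tested or not all tested; if the intent is the former, "no improvement actions have been tested" removes the ambiguity.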
Select an improvement action to view its details page, and select the **Launch n
### Microsoft actions tab
-The Microsoft actions tab appears for assessments based on templates that support Microsoft products. It lists all the actions in the assessment that are managed by Microsoft. The list shows key action details, including: test status, points that contribute to your overall compliance score, associated regulations and standards, applicable solution, action type, and control family. Select an improvement action to view its details page.
+The Microsoft actions tab appears for assessments based on templates that support Microsoft products. It lists all the actions in the assessment that are managed by Microsoft. The list shows key action details, including: test status, points that contribute to your overall compliance score, associated regulations and standards, applicable solution, action type, and control family. Select an improvement action to view its details page.
Learn more about [how controls and improvement actions are tracked and scored.](compliance-score-calculation.md) ## Accept updates to assessments
-When an update is available for an assessment, youΓÇÖll see a notification and have the option to accept the update or defer it for a later time.
+When an update is available for an assessment, you'll see a notification and have the option to accept the update or defer it for a later time.
Updates are available for assessments based on Microsoft templates, such as those designed for use with Microsoft 365. If your organization is using universal templates for assessing other products, inheritance may not be supported. For more information, see [Extend assessment templates](compliance-manager-templates-extend.md).
If Microsoft updates a Compliance Manager template that you extended, your asses
Custom assessments that you create do not receive any template updates from Microsoft. Custom assessments can receive improvement action updates, but any Microsoft updates to control mapping between assessments and improvement actions don't apply to custom templates. > [!NOTE]
-> Updates to assessments apply only at the group level. If you have two assessments built from the same template that exist in two different groups, each assessment will have a pending update notification, and youΓÇÖll need to accept the update to each assessment in its respective group individually.
+> Updates to assessments apply only at the group level. If you have two assessments built from the same template that exist in two different groups, each assessment will have a pending update notification, and you'll need to accept the update to each assessment in its respective group individually.
-#### Where youΓÇÖll see assessment update notifications
+#### Where you'll see assessment update notifications
The assessment details page also shows a **Pending update** label next to the assessment with an update. Select that assessment to get to its details page.
Selecting the **Updated template** link will download an Excel file containing c
To accept the update and make the changes to your assessment, select **Accept update**. Accepted changes are permanent.
-If you select **Cancel**, the update won't be applied to the assessment. However, youΓÇÖll continue to see the **Pending update** notification until you accept the update.
+If you select **Cancel**, the update won't be applied to the assessment. However, you'll continue to see the **Pending update** notification until you accept the update.
**Why we recommend accepting updates**
Accepting updates helps ensure you have the most updated guidance on using solut
**Why you might want to defer an update**
-If youΓÇÖre in the middle of completing an assessment, you may want to ensure youΓÇÖve finished work on it before you accept an update to the assessment that could disrupt control mapping. You can defer the update for a later time by selecting **Cancel** on the review update flyout pane.
+If you're in the middle of completing an assessment, you may want to ensure you've finished work on it before you accept an update to the assessment that could disrupt control mapping. You can defer the update for a later time by selecting **Cancel** on the review update flyout pane.
## Export an assessment report
Deleting an assessment removes it from the list on your assessments page. Note t
To delete an assessment, follow the steps below:
-1. From your **assessments** page, select the assessment you wish to delete to open that assessmentΓÇÖs details page.
+1. From your **assessments** page, select the assessment you wish to delete to open that assessment's details page.
2. Select **Delete assessment** in the upper-right corner of your screen.
-3. A window will appear asking you to confirm that you want to permanently delete the assessment. Select **Delete assessment** to close the window. YouΓÇÖll get a confirmation window that your assessment was deleted from Compliance Manager.
+3. A window will appear asking you to confirm that you want to permanently delete the assessment. Select **Delete assessment** to close the window. You'll get a confirmation window that your assessment was deleted from Compliance Manager.
> [!NOTE] > You can't delete all of your assessments. Organizations need at least one assessment for Compliance Manager to function properly. If the assessment you want to delete is the only one, add another assessment before deleting the other assessment.
compliance Compliance Manager Templates List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-list.md
The templates listed below may be purchased by your organization.
- [Australian Information Security Registered Assessor Program (IRAP) Version 3](/compliance/regulatory/offering-ccsl-irap-australia) - [Australian Prudential Regulation Authority CPS](/compliance/regulatory/offering-apra-australia) - Victorian Protective Data Security Standards V2.0 (VPDSS 2.0) -- Information Management Standard for Australian Government - National Archives of Australia (NAA)
+- Information Management Standard for Australian Government - National Archives of Australia (NAA)
- China - Personal Information Security Specification - Cybersecurity Law of the People's Republic of China - Hong Kong - Personal Data (Privacy) Ordinance
compliance Compliance Manager Templates Modify https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-modify.md
description: "Understand how to modify assessment templates in Microsoft Complia
# Modify assessment templates in Microsoft Compliance Manager
-When working with assessments in Compliance Manager, you may want to modify an assessment template that youΓÇÖve created. The process is similar to the [template creation](compliance-manager-templates-create.md) process in that youΓÇÖll upload a formatted Excel file with your template data.
+When working with assessments in Compliance Manager, you may want to modify an assessment template that you've created. The process is similar to the [template creation](compliance-manager-templates-create.md) process in that you'll upload a formatted Excel file with your template data.
-However, there are details to be aware of as you format your file with changes to existing template data. **We recommend you review these instructions carefully to ensure you donΓÇÖt overwrite any existing data that you want to retain.**
+However, there are details to be aware of as you format your file with changes to existing template data. **We recommend you review these instructions carefully to ensure you don't overwrite any existing data that you want to retain.**
To learn more about the format of this spreadsheet, see [Format your template data with Excel](compliance-manager-templates-format-excel.md). ## Format your Excel file to modify an existing template
-From your **assessment templates** page, select the template you want to modify, which will bring up its details page. Then select **Export to Excel**. An Excel file with all your template data will download. Save the file to your local machine.
+From your **assessment templates** page, select the template you want to modify, which will bring up its details page. Then select **Export to Excel**. An Excel file with all your template data will download. Save the file to your local machine.
To work with this file, jump to a section below to quickly find the instructions you need: - [Edit the main template attributes](#edit-the-main-template-attributes) - [Add an improvement action](#add-an-improvement-action)-- [Edit an improvement actionΓÇÖs information](#edit-an-improvement-actions-information)-- [Change an improvement actionΓÇÖs name](#change-an-improvement-actions-name)
+- [Edit an improvement action's information](#edit-an-improvement-actions-information)
+- [Change an improvement action's name](#change-an-improvement-actions-name)
- [Remove an improvement action](#remove-an-improvement-action) - [Remove a control](#remove-a-control)
You can change any improvement action's information *except for its title*. You
You cannot edit the **actionTitle** (column A) because if you do, Compliance Manager considers this to be a new improvement action. If you want to change an improvement action's name, see the instructions immediately below.
-### Change an improvement actionΓÇÖs name
+### Change an improvement action's name
If you want to change the name of an improvement action, you have to explicitly designate in the spreadsheet that you are replacing an existing name with a new name. Follow these steps:
When you import your spreadsheet back into the template, your control will be re
After your Excel file is completed and saved, follow these steps.
-1. Open the assessment template page again and select your template. At your templateΓÇÖs details page, select **Modify template** to initiate the modification wizard.
+1. Open the assessment template page again and select your template. At your template's details page, select **Modify template** to initiate the modification wizard.
2. At the **Upload file** screen, select **Browse** to find and upload your Excel file. 3. If there are no problems with your file, the next screen shows the name of the file uploaded. Select **Next** to continue (if you need to change the file, select **Upload a different file**).
- - If thereΓÇÖs a problem with your file, an error message at the top explains whatΓÇÖs wrong. YouΓÇÖll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if thereΓÇÖs invalid information in certain fields.
+ - If there's a problem with your file, an error message at the top explains what's wrong. You'll need to fix your file and upload it again. Errors will result if your spreadsheet is formatted improperly, or if there's invalid information in certain fields.
4. The **Review and finish** screen shows the number of improvement actions and controls and the maximum score for the template. When ready to approve, select **Next**. 5. The last screen confirms that the template has been modified. Select **Done** to exit the wizard.
-Your template will now include the changes you made. Any assessments that use this modified template will now show pending updates, and youΓÇÖll need to accept the updates to the assessments to reflect the changes made in the template. Learn more about [updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments).
+Your template will now include the changes you made. Any assessments that use this modified template will now show pending updates, and you'll need to accept the updates to the assessments to reflect the changes made in the template. Learn more about [updates to assessments](compliance-manager-assessments.md#accept-updates-to-assessments).
> [!NOTE]
-> If you use Compliance Manager in a language other than English, youΓÇÖll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and, where applicable, Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.
+> If you use Compliance Manager in a language other than English, you'll notice that some text appears in English when you export a template to Excel. The titles of actions (both your improvement actions and, where applicable, Microsoft actions) must be in English to be recognized by controls. If you make changes to an action title, be sure to write it in English so that the file imports correctly.
compliance Compliance Manager Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates.md
A template is a framework of controls for creating an assessment in Compliance M
We refer to templates by the same name as their underlying certification or regulation, such as the EU GDPR template and the ISO/IEC 27701:2019 template.
-Compliance Manger can be used to assess different types of products. All templates apart from the baseline come in at least one version that applies to a pre-defined product, such as Microsoft 365, and a universal version that can be tailored to suit other products. Assessments from universal templates are more generalized but offer expanded versatility, since they can help you easily track your organization's compliance across multiple products.
+Compliance Manger can be used to assess different types of products. All templates apart from the baseline come in at least one version that applies to a pre-defined product, such as Microsoft 365, and a universal version that can be tailored to suit other products. Assessments from universal templates are more generalized but offer expanded versatility, since they can help you easily track your organization's compliance across multiple products.
Note that US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers cannot currently use universal templates.
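Review bot: The added line still begins "Compliance Manger can be used to assess different types of products", so the typo in the product name survives this edit. The other changed lines in this file's diff spell it "Compliance Manager"; correct the spelling here as part of the same commit rather than leaving it for a follow-up.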
If your organization is under a GCC or DOD license, choose the appropriate trial
Templates will display an activation status as either active or inactive: - A template is considered **active** once you create an assessment from that template.-- A template is considered **inactive** if your organization isnΓÇÖt using it for an assessment.
+- A template is considered **inactive** if your organization isn't using it for an assessment.
If you link any assessments to a purchased premium template, that template will be active for one year. Your purchase will automatically renew unless you cancel.
To create your own new template for custom assessments in Compliance Manager, yo
## Modify an assessment template
-When working with assessments in Compliance Manager, you may want to modify an assessment template that youΓÇÖve created. The process is similar to the template creation process in that youΓÇÖll upload a formatted Excel file with your template data. To learn more about how to make changes and how to preserve data you still want to maintain, see [Modify an assessment template](compliance-manager-templates-modify.md).
+When working with assessments in Compliance Manager, you may want to modify an assessment template that you've created. The process is similar to the template creation process in that you'll upload a formatted Excel file with your template data. To learn more about how to make changes and how to preserve data you still want to maintain, see [Modify an assessment template](compliance-manager-templates-modify.md).
## Extend an assessment template
-Compliance Manager offers the option to add your own controls and improvement actions to an existing template. This process is called extending a template. To extend a template, you will use special instructions for adding to template data, depending on whether youΓÇÖre extending Microsoft assessment templates or universal assessment templates. To learn more, see [Extend an assessment template](compliance-manager-templates-extend.md).
+Compliance Manager offers the option to add your own controls and improvement actions to an existing template. This process is called extending a template. To extend a template, you will use special instructions for adding to template data, depending on whether you're extending Microsoft assessment templates or universal assessment templates. To learn more, see [Extend an assessment template](compliance-manager-templates-extend.md).
## Format assessment template data in Excel
When creating, modifying, or extending assessment templates in Compliance Manage
## Export a template
-You can export an Excel file that contains all of a templateΓÇÖs data. YouΓÇÖll need to export a template in order to modify it, since this will be the Excel file you edit and upload in the [modification process](compliance-manager-templates-modify.md). You can also export a template for reference if you want to use data from it while constructing a new custom template.
+You can export an Excel file that contains all of a template's data. You'll need to export a template in order to modify it, since this will be the Excel file you edit and upload in the [modification process](compliance-manager-templates-modify.md). You can also export a template for reference if you want to use data from it while constructing a new custom template.
To export your template, go to your template details page and select the **Export to Excel** button.
-Note that when exporting a template you extended from a Compliance Manager template, the exported file will only contain the attributes you added to the template. The exported file wonΓÇÖt include the original template data provided by Microsoft. To get such a report, see the instructions for [exporting an assessment report](compliance-manager-assessments.md#export-an-assessment-report).
+Note that when exporting a template you extended from a Compliance Manager template, the exported file will only contain the attributes you added to the template. The exported file won't include the original template data provided by Microsoft. To get such a report, see the instructions for [exporting an assessment report](compliance-manager-assessments.md#export-an-assessment-report).
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
audience: Admin Previously updated : Last updated : ms.localizationpriority: medium-+ - M365-security-compliance
+search.appverid:
- MOE150 - MET150 description: "Learn how to create, modify, remove, and test custom sensitive information types in the Compliance Center."
There are two ways to create a new sensitive information type:
## Before you begin - You should be familiar with sensitive information types and what they are composed of. See, [Learn about sensitive information types](sensitive-information-type-learn-about.md). It is critical to understand the roles of:
- - [regular expressions](https://www.boost.org/doc/libs/1_68_0/libs/regex/doc/html/) - Microsoft 365 sensitive information types uses the Boost.RegEx 5.1.3 engine
- - keyword lists - you can create your own as you define your sensitive information type or choose from existing keyword lists
- - [keyword dictionary](create-a-keyword-dictionary.md)
- - [Sensitive information type functions](sit-functions.md)
- - [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels)
-
-- You must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles](/office365/admin/add-users/about-admin-roles) in Office 365.
+ - [regular expressions](https://www.boost.org/doc/libs/1_68_0/libs/regex/doc/html/) - Microsoft 365 sensitive information types uses the Boost.RegEx 5.1.3 engine
+ - keyword lists - you can create your own as you define your sensitive information type or choose from existing keyword lists
+ - [keyword dictionary](create-a-keyword-dictionary.md)
+ - [Sensitive information type functions](sit-functions.md)
+ - [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels)
-- Your organization must have a subscription, such as Office 365 Enterprise, that includes Data Loss Prevention (DLP). See [Messaging Policy and Compliance ServiceDescription](/office365/servicedescriptions/exchange-online-protection-service-description/messaging-policy-and-compliance-servicedesc).
+- You must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles](/office365/admin/add-users/about-admin-roles) in Office 365.
+- Your organization must have a subscription, such as Office 365 Enterprise, that includes Data Loss Prevention (DLP). See [Messaging Policy and Compliance ServiceDescription](/office365/servicedescriptions/exchange-online-protection-service-description/messaging-policy-and-compliance-servicedesc).
> [!IMPORTANT] > Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as, providing sample regular expression patterns for testing purposes, or assisting with troubleshooting an existing regular expression pattern that's not triggering as expected, but can't provide assurances that any custom content-matching development will fulfill your requirements or obligations. ## Create a custom sensitive information type
-Use this procedure to create a new sensitive information type that you fully define.
+Use this procedure to create a new sensitive information type that you fully define.
1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose **Create sensitive info type**.
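Review bot: the permissions bullet re-added under "Before you begin" still reads "You must have Global admin or Compliance admin permissions", which names the most privileged role first. The same sentence says Compliance admin is sufficient, so consider naming it first and presenting Global admin as an alternative, so readers do not reach for Global admin by default. Separately, "sensitive information types uses the Boost.RegEx 5.1.3 engine" in the re-indented list should read "use".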
Use this procedure to create a new sensitive information type that you fully def
6. Fill in a value for **Character proximity**.
-7. (Optional) Add supporting elements if you have any. Supporting elements can be a regular expression with an optional validator, a keyword list, a keyword dictionary or one of the pre-defined functions. Supporting elements can have their own **Character proximity** configuration.
+7. (Optional) Add supporting elements if you have any. Supporting elements can be a regular expression with an optional validator, a keyword list, a keyword dictionary or one of the pre-defined functions. Supporting elements can have their own **Character proximity** configuration.
8. (Optional) Add any [**additional checks**](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) from the list of available checks.
Use this procedure to create a new sensitive information type that you fully def
### Copy and modify a sensitive information type
-Use this procedure to create a new sensitive information type that is based on an existing sensitive information type.
+Use this procedure to create a new sensitive information type that is based on an existing sensitive information type.
> [!NOTE] > These SITs can't be copied:
+>
> - Canada driver's license number > - EU driver's license number > - EU national identification number
Use this procedure to create a new sensitive information type that is based on a
> - U.S. driver's license number You can also create custom sensitive information types by using PowerShell and Exact Data Match capabilities. To learn more about those methods, see:+ - [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md) - [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types)
You can also create custom sensitive information types by using PowerShell and E
2. In the flyout, choose **Copy**.
-3. Choose **Refresh** in the list of sensitive information types and either browse or search for the copy you just made. Partial sting searches work, so you could just search for `copy` and search would return all the sensitive information types with the word `copy` in the name.
+3. Choose **Refresh** in the list of sensitive information types and either browse or search for the copy you just made. Partial sting searches work, so you could just search for `copy` and search would return all the sensitive information types with the word `copy` in the name.
4. Fill in values for **Name** and **Description** and choose **Next**.
-5. Choose your sensitive information type copy and choose **Edit**.
+5. Choose your sensitive information type copy and choose **Edit**.
6. Give your new sensitive information type a new **Name** and **Description**.
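Review bot: step 3 still says "Partial sting searches work" on the added line. This change only touches whitespace, so the typo carries over. Change "sting" to "string" while the line is being edited.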
You can test any sensitive information type in the list. We suggest that you tes
To ensure high performance and lower latency, there are limitations in custom SITs configurations. |Limit|Value|
-|--|--|
+|||
|maximum number of custom SITs created through the Compliance center| 500 | |maximum length of regular expression| 1024 characters| |maximum length for a given term in a keyword list| 50 characters|
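Review bot: the delimiter row under |Limit|Value| changes from `|--|--|` to `|||`, which contains no dashes. A Markdown table needs dashes in its delimiter row to be recognised as a table, so confirm the limits still render as a table and restore the dashes if they do not.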
To ensure high performance and lower latency, there are limitations in custom SI
|maximum size of a keyword dictionary (post compression)| 1MB (~1,000,000 characters)| |maximum number of keyword dictionary based SITs in a tenant|50 |
-> [!NOTE]
+> [!NOTE]
> If you have a business need to create more than 500 custom SITs, please raise a support ticket. ### Instance count supported values for SIT
The SIT instance count limit applies when SITs are used in these solutions:
For a scanned item to satisfy rule criteria, the number of unique instances of a SIT in any single item must fall between the min and max values. This is called the **Instance count**. - **Min** field: the lower limit (minimum number) of unique instances of a SIT that must be found in an item to trigger a match. The min field supports values of:
- - 1 to 500
+ - 1 to 500
- **Max** field: the upper limit on the number of unique instances of a SIT that can be found in an item and still trigger a match. The max field supports values of:
- - 1 to 500 - Use this when you want to set a specific upper limit that is 500 or less on the number of instances of a SIT in an item.
- - Any - Use `Any` when you want the unique instance count criteria to be satisfied when an undefined number of unique instances of a SIT are found in a scanned item and that number of unique instances meets or exceeds the minimum number of unique instances value. In other words, the unique instance count criteria are met as long as the min value is met.
+ - 1 to 500 - Use this when you want to set a specific upper limit that is 500 or less on the number of instances of a SIT in an item.
+ - Any - Use `Any` when you want the unique instance count criteria to be satisfied when an undefined number of unique instances of a SIT are found in a scanned item and that number of unique instances meets or exceeds the minimum number of unique instances value. In other words, the unique instance count criteria are met as long as the min value is met.
For example, if you want the rule to trigger a match when at least 500 unique instances of a SIT are found in a single item, set the **min** value to `500` and the **max** value to `Any`. > [!NOTE] > Microsoft 365 Information Protection supports double byte character set languages for:
+>
> - Chinese (simplified) > - Chinese (traditional) > - Korean > - Japanese >
->This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md) for more information.
+> This support is available for sensitive information types. See, [Information protection support for double byte character sets release notes (preview)](mip-dbcs-relnotes.md) for more information.
> [!TIP]
-> To detect patterns containing Chinese/Japanese characters and single byte characters or to detect patterns containing Chinese/Japanese and English, define two variants of the keyword or regex.
+> To detect patterns containing Chinese/Japanese characters and single byte characters or to detect patterns containing Chinese/Japanese and English, define two variants of the keyword or regex.
+>
> - For example, to detect a keyword like "机密的document", use two variants of the keyword; one with a space between the Japanese and English text and another without a space between the Japanese and English text. So, the keywords to be added in the SIT should be "机密的 document" and "机密的document". Similarly, to detect a phrase "東京オリンピック2020", two variants should be used; "東京オリンピック 2020" and "東京オリンピック2020". >
-> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (like English only), it is recommended to create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English only.
-> - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い" and "机密的document", the it you should create two keyword lists.
-> 1. Highly confidential
-> 2. 機密性が高い, 机密的document and 机密的 document
+> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (like English only), it is recommended to create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English only.
+>
+> - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い" and "机密的document", the it you should create two keyword lists.
+> 1. Highly confidential
+> 2. 機密性が高い, 机密的document and 机密的 document
> > While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters like one would escape a hyphen or period in a regex. Here is a sample regex for reference:
-> - (?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4})
+>
+> `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4})`
> > Double-byte special characters should not be used in the keyword.
->
+>
> We recommend using a string match instead of a word match in a keyword list.
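Review bot: in the sample regex now on its own line, the character class `[\-?\-\t]` shows two ASCII hyphens and a literal `?` where the preceding sentence promises an escaped double-byte hyphen or period. The example does not demonstrate what the text describes and may have lost a full-width character in encoding. Verify that the source file carries the intended double-byte characters, since a pattern copied from here would otherwise not match them. In the same tip, the added line "the it you should create two keyword lists" is garbled and should read "then you should create two keyword lists".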
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
Here are the different statuses and what they mean.
|Status|Explanation| |||
-|**Turning on…**|The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.|
+|**Turning on...**|The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.|
|**Testing, with notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients.| |**Testing, without notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients.| |**On**|The policy is active and enforced. The policy was successfully deployed to all its content sources.|
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
Paste the identity into your custom sensitive information type's XML and upload
> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contain non Chinese/Japanese words also (like English only), it is recommended to create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English only. > > - For example, if you want to create a keyword dictionary/list with three phrases "Highly confidential", "機密性が高い" and "机密的document", the it you should create two keyword lists.
-> 1. Highly confidential
-> 2. 機密性が高い, 机密的document and 机密的 document
+> 1. Highly confidential
+> 2. 機密性が高い, 机密的document and 机密的 document
> > While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters like one would escape a hyphen or period in a regex. Here is a sample regex for reference: >
-> - `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4}`
+> - `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4}`
> > We recommend using a string match instead of a word match in a keyword list.
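Review bot: the sample regex on the added line, `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4}`, opens a capture group after the lookbehind and never closes it, so it will not compile as written. Add the closing parenthesis so it reads `(?<!\d)([4][0-9]{3}[\-?\-\t]*[0-9]{4})`, the form used for the same sample in the custom sensitive information type article.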
compliance Create Info Mgmt Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-info-mgmt-policies.md
Adding an information management policy to a content type makes it easy to assoc
3. The **Start a workflow** option is available only if you are defining a policy for a list, library, or content type that already has a workflow associated with it. You will then be given a choice of workflows to choose from.
- 4. In the **Recurrence** section, select **Repeat this stage's action…**, and then enter how often you want the action to reoccur.
+ 4. In the **Recurrence** section, select **Repeat this stage's action...**, and then enter how often you want the action to reoccur.
> [!NOTE] > This option is only available if the action you selected can be repeated. For example, you cannot set recurrence for the action **Permanently Delete**.
You need at least the Manage Lists permission to change the information manageme
5. On the Edit Policy page, under **Library Based Retention Schedule**, enter a brief description for the policy you are creating.
-6. Choose **Add a retention stage…**
+6. Choose **Add a retention stage...**
Note that under Records, you can choose to define different retention policies for records by selecting the Define different retention stages for records option.
You need at least the Manage Lists permission to change the information manageme
8. The **Start a workflow** option is available only if you are defining a policy for a list, library, or content type that already has a workflow associated with it. You will then be given a choice of workflows to choose from.
-9. Under **Recurrence**, choose **Repeat this stage's action…** and enter how often you want the action to reoccur.
+9. Under **Recurrence**, choose **Repeat this stage's action...** and enter how often you want the action to reoccur.
> [!NOTE] > This option is only available if the action you selected can be repeated. For example, you cannot set recurrence for the action **Permanently Delete**.
compliance Customer Key Availability Key Roll https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-roll.md
search.appverid:
- MET150 - M365-security-compliance
-description: "Learn how to roll the customer root keys stored in Azure Key Vault that are used with the Customer Key. Services include Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files."
+description: "Learn how to roll the customer root keys stored in Azure Key Vault that are used with the Customer Key. Services include Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files."
# Roll or rotate a Customer Key or an availability key
description: "Learn how to roll the customer root keys stored in Azure Key Vault
Microsoft does not expose direct control of the availability key to customers. For example, you can only roll (rotate) the keys that you own in Azure Key Vault. Microsoft 365 rolls the availability keys on an internally-defined schedule. There is no customer-facing, service-level agreement (SLA) for these key rolls. Microsoft 365 rotates the availability key using Microsoft 365 service code in an automated, non-manual process. Microsoft administrators may initiate the roll process. The key is rolled using automated mechanisms without direct access to the key store. Access to the availability key secret store is not provisioned to Microsoft administrators. Availability key rolling leverages the same mechanism used to initially generate the key. For more information about the availability key, see [Understand the availability key](customer-key-availability-key-understand.md). > [!IMPORTANT]
-> Exchange Online and Skype for Business availability keys can be effectively rolled by customers creating a new DEP, since a unique availability key is generated for each DEP you create. Availability keys for SharePoint Online, OneDrive for Business, and Teams files exist at the forest level and are shared across DEPs and customers, which means rolling only occurs at a Microsoft internally defined schedule. To mitigate the risk of not rolling the availability key each time a new DEP is created, SharePoint, OneDrive, and Teams roll the tenant intermediate key (TIK), the key wrapped by the customer root keys and availability key, each time a new DEP is created.
+> Exchange Online and Skype for Business availability keys can be effectively rolled by customers creating a new DEP, since a unique availability key is generated for each DEP you create. Availability keys for SharePoint Online, OneDrive for Business, and Teams files exist at the forest level and are shared across DEPs and customers, which means rolling only occurs at a Microsoft internally defined schedule. To mitigate the risk of not rolling the availability key each time a new DEP is created, SharePoint, OneDrive, and Teams roll the tenant intermediate key (TIK), the key wrapped by the customer root keys and availability key, each time a new DEP is created.
## Request a new version of each existing root key you want to roll
To instruct Customer Key to use the new key to encrypt mailboxes, run the Set-Da
2. To check the value for the DataEncryptionPolicyID property for the mailbox, use the steps in [Determine the DEP assigned to a mailbox](customer-key-manage.md#determine-the-dep-assigned-to-a-mailbox). The value for this property changes once the service applies the updated key.
-## Update the keys for SharePoint Online, OneDrive for Business, and Teams files
+## Update the keys for SharePoint Online, OneDrive for Business, and Teams files
SharePoint Online only allows you to roll one key at a time. If you want to roll both keys in a key vault, wait for the first operation to complete. Microsoft recommends that you stagger your operations to avoid this issue. When you roll either of the Azure Key Vault keys associated with a DEP used with SharePoint Online and OneDrive for Business, you must update the DEP to point to the new key. This does not rotate the availability key.
SharePoint Online only allows you to roll one key at a time. If you want to roll
## Related articles -- [Service encryption with Customer Key for Office 365](customer-key-overview.md)
+- [Service encryption with Customer Key for Office 365](customer-key-overview.md)
-- [Set up Customer Key for Office 365](customer-key-set-up.md)
+- [Set up Customer Key for Office 365](customer-key-set-up.md)
-- [Manage Customer Key for Office 365](customer-key-manage.md)
+- [Manage Customer Key for Office 365](customer-key-manage.md)
-- [Learn about the availability key](customer-key-availability-key-understand.md)
+- [Learn about the availability key](customer-key-availability-key-understand.md)
compliance Customer Key Availability Key Understand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-understand.md
Storage and control of the availability key are deliberately different from Azur
- The availability key provides a recovery, "break-glass" capability if control over both Azure Key Vault keys is lost. - The separation of logical controls and secure storage locations provides defense-in-depth and protects against the loss of all keys, and your data, from a single attack or point of failure.-- The availability key provides a high-availability capability if Microsoft 365 services are unable to reach keys hosted in Azure Key Vault due to transient errors. This rule only applies to Exchange Online and Skype for Business service encryption. SharePoint Online, OneDrive for Business, and Teams files never use the availability key unless you explicitly instruct Microsoft to initiate the recovery process.
+- The availability key provides a high-availability capability if Microsoft 365 services are unable to reach keys hosted in Azure Key Vault due to transient errors. This rule only applies to Exchange Online and Skype for Business service encryption. SharePoint Online, OneDrive for Business, and Teams files never use the availability key unless you explicitly instruct Microsoft to initiate the recovery process.
Sharing the responsibility to protect your data, using various protections and processes for key management, ultimately reduces the risk that all keys (and therefore your data) will be permanently lost or destroyed. Microsoft provides you with sole authority over the disablement or destruction of the availability key when you leave the service. By design, no one at Microsoft has access to the availability key: it is only accessible by Microsoft 365 service code.
In addition to the recovery capability, Exchange Online and Skype for Business u
Automated systems in Exchange Online and Skype for Business may use the availability key during transient errors to support automated back-end services such as anti-virus, e-discovery, data loss prevention, mailbox moves, and data indexing.
-### SharePoint Online, OneDrive for Business, and Teams files uses
+### SharePoint Online, OneDrive for Business, and Teams files uses
-For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability and customers must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario. Automated service operations solely rely on your Customer Keys in Azure Key vault. For in-depth information about how the key hierarchy works for these services, see [How SharePoint Online, OneDrive for Business, and Teams files use the availability key](#how-sharepoint-online-onedrive-for-business-and-teams-files-use-the-availability-key).
+For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability and customers must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario. Automated service operations solely rely on your Customer Keys in Azure Key vault. For in-depth information about how the key hierarchy works for these services, see [How SharePoint Online, OneDrive for Business, and Teams files use the availability key](#how-sharepoint-online-onedrive-for-business-and-teams-files-use-the-availability-key).
## Availability key security
Microsoft shares the responsibility of data protection with you by instantiating
Microsoft protects availability keys in access-controlled, internal secret stores like the customer-facing Azure Key Vault. We implement access controls to prevent Microsoft administrators from directly accessing the secrets contained within. Secret Store operations, including key rotation and deletion, occur through automated commands that never involve direct access to the availability key. Secret store management operations are limited to specific engineers and require privilege escalation through an internal tool, Lockbox. Privilege escalation requires manager approval and justification prior to being granted. Lockbox ensures access is time bound with automatic access revocation upon time expiration or engineer log out.
-**Exchange Online and Skype for Business** availability keys are stored in an Exchange Online Active Directory secret store. Availability keys are securely stored inside tenant specific containers within the Active Directory Domain Controller. This secure storage location is separate and isolated from the SharePoint Online, OneDrive for Business, and Teams files secret store.
+**Exchange Online and Skype for Business** availability keys are stored in an Exchange Online Active Directory secret store. Availability keys are securely stored inside tenant specific containers within the Active Directory Domain Controller. This secure storage location is separate and isolated from the SharePoint Online, OneDrive for Business, and Teams files secret store.
-**SharePoint Online, OneDrive for Business, and Teams files** availability keys are stored in an internal secret store managed by the service team. This secured, secrets storage service has front-end servers with application endpoints and a SQL Database as the back end. Availability keys are stored in the SQL Database and are wrapped (encrypted) by secret store encryption keys that use a combination of AES-256 and HMAC to encrypt the availability key at rest. The secret store encryption keys are stored in a logically isolated component of the same SQL Database and are further encrypted with RSA-2048 keys contained in certificates managed by the Microsoft certificate authority (CA). These certificates are stored in the secret store front-end servers that perform operations against the database.
+**SharePoint Online, OneDrive for Business, and Teams files** availability keys are stored in an internal secret store managed by the service team. This secured, secrets storage service has front-end servers with application endpoints and a SQL Database as the back end. Availability keys are stored in the SQL Database and are wrapped (encrypted) by secret store encryption keys that use a combination of AES-256 and HMAC to encrypt the availability key at rest. The secret store encryption keys are stored in a logically isolated component of the same SQL Database and are further encrypted with RSA-2048 keys contained in certificates managed by the Microsoft certificate authority (CA). These certificates are stored in the secret store front-end servers that perform operations against the database.
### Defense-in-depth
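Review bot: the SharePoint Online paragraph says the secret store encryption keys "use a combination of AES-256 and HMAC to encrypt the availability key at rest", but HMAC provides integrity and authenticity, not encryption. If that is what the service does, reword this to say the availability key is encrypted with AES-256 and authenticated with HMAC, so the description of the key-wrapping scheme is accurate.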
To encrypt your data with new Customer Keys, create new keys in Azure Key Vault,
This re-encryption process can take up to 72 hours. This is the standard duration when you change a DEP.
-### Recovery procedure for SharePoint Online, OneDrive for Business, and Teams files
+### Recovery procedure for SharePoint Online, OneDrive for Business, and Teams files
-For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability. You must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario. To initiate the recovery process, contact Microsoft to activate the availability key. Once activated, the availability key is automatically used to decrypt your data allowing you to encrypt the data with a newly-created DEP associated to new Customer Keys.
+For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability. You must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario. To initiate the recovery process, contact Microsoft to activate the availability key. Once activated, the availability key is automatically used to decrypt your data allowing you to encrypt the data with a newly-created DEP associated to new Customer Keys.
This operation is proportional to the number of sites in your organization. Once you call Microsoft to use the availability key, you should be fully online within about four hours.
In case you lose access to your customer keys, Microsoft 365 also encrypts the T
For availability and scale reasons, decrypted TIKs are cached in a time-limited memory cache. Two hours before a TIK cache is set to expire, Microsoft 365 attempts to decrypt each TIK. Decrypting the TIKs extends the lifetime of the cache. If TIK decryption fails for a significant amount of time, Microsoft 365 generates an alert to notify engineering prior to the cache expiration. Only if the customer calls Microsoft will Microsoft 365 initiate the recovery operation, which involves decrypting the TIK with the availability key stored in Microsoft's secret store and onboarding the tenant again using the decrypted TIK and a new set of customer-supplied Azure Key Vault keys.
-As of today, Customer Key is involved in the encryption and decryption chain of SharePoint Online file data stored in the Azure blob store, but not SharePoint Online list items or metadata stored in the SQL Database. Microsoft 365 does not use the availability key for Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files other than the case described above, which is customer-initiated. Human access to customer data is protected by Customer Lockbox.
+As of today, Customer Key is involved in the encryption and decryption chain of SharePoint Online file data stored in the Azure blob store, but not SharePoint Online list items or metadata stored in the SQL Database. Microsoft 365 does not use the availability key for Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files other than the case described above, which is customer-initiated. Human access to customer data is protected by Customer Lockbox.
## Availability key triggers
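Review bot: the added paragraph states that Microsoft 365 does not use the availability key for Exchange Online and Skype for Business "other than the case described above, which is customer-initiated". This article also says automated systems in Exchange Online and Skype for Business may use the availability key during transient errors. Scope the sentence to SharePoint Online, OneDrive for Business, and Teams files, or mention the transient-error exception, so the two statements do not conflict.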
Microsoft 365 triggers the availability key only in specific circumstances. Thes
### Triggers for SharePoint Online, OneDrive for Business, and Teams files
-For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability and customers must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario.
+For SharePoint Online, OneDrive for Business, and Teams files, the availability key is NEVER used outside of the recovery capability and customers must explicitly instruct Microsoft to initiate use of the availability key during a recovery scenario.
## Audit logs and the availability key
Microsoft 365 uses the availability key to wrap the tier of keys lower in the ke
## Related articles -- [Service encryption with Customer Key](customer-key-overview.md)
+- [Service encryption with Customer Key](customer-key-overview.md)
-- [Set up Customer Key](customer-key-set-up.md)
+- [Set up Customer Key](customer-key-set-up.md)
-- [Manage Customer Key](customer-key-manage.md)
+- [Manage Customer Key](customer-key-manage.md)
-- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
+- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
compliance Customer Key Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-manage.md
To create a DEP, you need to remotely connect to SharePoint Online by using Wind
Example: ```powershell
- Register-SPODataEncryptionPolicy -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251aΓÇÖ
+ Register-SPODataEncryptionPolicy -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251a'
``` When you register the DEP, encryption begins on the data in the geo. Encryption can take some time. For more information on using this parameter, see [Register-SPODataEncryptionPolicy](/powershell/module/sharepoint-online/register-spodataencryptionpolicy?preserve-view=true&view=sharepoint-ps).
Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.
Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted ```
-The IsEncrypted property returns a value of **true** if the mailbox is encrypted and a value of **false** if the mailbox isn't encrypted. The time to complete mailbox moves depends on the number of mailboxes to which you assign a DEP for the first time, and the size of the mailboxes. If the mailboxes haven't been encrypted after a week from the time you assigned the DEP, contact Microsoft.
+The IsEncrypted property returns a value of **true** if the mailbox is encrypted and a value of **false** if the mailbox isn't encrypted. The time to complete mailbox moves depends on the number of mailboxes to which you assign a DEP for the first time, and the size of the mailboxes. If the mailboxes haven't been encrypted after a week from the time you assigned the DEP, contact Microsoft.
The New-MoveRequest cmdlet is no longer available for local mailbox moves. Refer to [this announcement](https://techcommunity.microsoft.com/t5/exchange-team-blog/disabling-new-moverequest-for-local-mailbox-moves/bc-p/1332141) for additional information.
-### Verify encryption completes for SharePoint Online, OneDrive for Business, and Teams files
+### Verify encryption completes for SharePoint Online, OneDrive for Business, and Teams files
Check on the status of encryption by running the Get-SPODataEncryptionPolicy cmdlet as follows:
If you need to revert to Microsoft-managed keys, you can. When you offboard, you
> [!IMPORTANT] > Offboarding is not the same as a data purge. A data purge permanently crypto-deletes your organization's data from Microsoft 365, offboarding does not. You can't perform a data purge for a multiple workload policy.
-If you decide not to use Customer Key for assigning multi-workload DEPs anymore then you'll need to reach out to Microsoft support with a request to ΓÇ£offboardΓÇ¥ from Customer Key. Ask the support team to file a service request against Microsoft 365 Customer Key team. Reach out to m365-ck@service.microsoft.com if you have any questions.
+If you decide not to use Customer Key for assigning multi-workload DEPs anymore then you'll need to reach out to Microsoft support with a request to "offboard" from Customer Key. Ask the support team to file a service request against Microsoft 365 Customer Key team. Reach out to m365-ck@service.microsoft.com if you have any questions.
If you do not want to encrypt individual mailboxes using mailbox level DEPs anymore, then you can unassign mailbox level DEPs from all your mailboxes.
To initiate the data purge path, complete these steps:
Set-DataEncryptionPolicy <Policy ID> -PermanentDataPurgeRequested -PermanentDataPurgeReason <Reason> -PermanentDataPurgeContact <ContactName> ```
- If the command fails, ensure that you've removed the Exchange Online permissions from both keys in Azure Key Vault as specified earlier in this task. Once you've set the PermanentDataPurgeRequested switch using the Set-DataEncryptionPolicy cmdlet, you'll no longer be able to assign this DEP to mailboxes.
+ If the command fails, ensure that you've removed the Exchange Online permissions from both keys in Azure Key Vault as specified earlier in this task. Once you've set the PermanentDataPurgeRequested switch using the Set-DataEncryptionPolicy cmdlet, you'll no longer be able to assign this DEP to mailboxes.
4. Contact Microsoft support and request the Data Purge eDocument.
To initiate the data purge path, complete these steps:
Once Microsoft receives the legal document, Microsoft runs cmdlets to trigger the data purge which first deletes the policy, marks the mailboxes for permanent deletion, then deletes the availability key. Once the data purge process completes, the data has been purged, is inaccessible to Exchange Online, and is not recoverable.
-### Revoke your Customer Keys and the availability key for SharePoint Online, OneDrive for Business, and Teams files
+### Revoke your Customer Keys and the availability key for SharePoint Online, OneDrive for Business, and Teams files
-To initiate the data purge path for SharePoint Online, OneDrive for Business, and Teams files, complete these steps:
+To initiate the data purge path for SharePoint Online, OneDrive for Business, and Teams files, complete these steps:
1. Revoke Azure Key Vault access. All key vault admins must agree to revoke access.
To initiate the data purge path for SharePoint Online, OneDrive for Business
## Related articles -- [Service encryption with Customer Key](customer-key-overview.md)
+- [Service encryption with Customer Key](customer-key-overview.md)
-- [Learn about the availability key](customer-key-availability-key-understand.md)
+- [Learn about the availability key](customer-key-availability-key-understand.md)
-- [Set up Customer Key](customer-key-set-up.md)
+- [Set up Customer Key](customer-key-set-up.md)
-- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
+- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
- [Customer Lockbox](customer-lockbox-requests.md)
compliance Customer Key Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-overview.md
description: "In this article, you will learn about how service encryption works
# Service encryption with Customer Key
-Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.
+Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.
## How service encryption, BitLocker, and Customer Key work together
The key hierarchy used for DEPs that encrypt data for multiple Microsoft 365 wor
## Related articles -- [Set up Customer Key](customer-key-set-up.md)
+- [Set up Customer Key](customer-key-set-up.md)
-- [Manage Customer Key](customer-key-manage.md)
+- [Manage Customer Key](customer-key-manage.md)
-- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
+- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
-- [Learn about the availability key](customer-key-availability-key-understand.md)
+- [Learn about the availability key](customer-key-availability-key-understand.md)
- [Customer Lockbox](customer-lockbox-requests.md)
compliance Customer Key Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-set-up.md
Once you've completed the steps in this article, you're ready to create and assi
## Related articles -- [Service encryption with Customer Key](customer-key-overview.md)
+- [Service encryption with Customer Key](customer-key-overview.md)
-- [Manage Customer Key](customer-key-manage.md)
+- [Manage Customer Key](customer-key-manage.md)
-- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
+- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)
-- [Learn about the availability key](customer-key-availability-key-understand.md)
+- [Learn about the availability key](customer-key-availability-key-understand.md)
- [Service Encryption](office-365-service-encryption.md)
compliance Customer Lockbox Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-lockbox-requests.md
description: "Learn about Customer Lockbox requests that allow you to control ho
This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. To recommend support for other services, submit a request at [Feedback Portal](https://feedbackportal.microsoft.com).
-To see the options for licensing your users to benefit from Microsoft 365 compliance offerings, see the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+To see the options for licensing your users to benefit from Microsoft 365 compliance offerings, see the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content. To learn more about Microsoft's workflow process, see [Privileged access management in Microsoft 365](privileged-access-management-solution-overview.md).
Customer Lockbox is currently supported in Exchange Online, SharePoint Online, O
### Is Customer Lockbox available to all customers?
-Customer Lockbox is included with the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans with an Information Protection and Compliance or an Advanced Compliance add-on subscription. See [Plans and pricing](https://products.office.com/business/office-365-enterprise-e5-business-software) for more information.
+Customer Lockbox is included with the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans with an Information Protection and Compliance or an Advanced Compliance add-on subscription. See [Plans and pricing](https://products.office.com/business/office-365-enterprise-e5-business-software) for more information.
### What is customer content?
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
A [DLP policy](dlp-learn-about-dlp.md) can help protect sensitive information, w
### Sensitivity labels
-A [sensitivity label](sensitivity-labels.md) is simply a tag that indicates the value of the item to your organization. It can be applied manually, or automatically. Once applied it gets embedded in the document and will follow it everywhere it goes. A sensitivity label enables various protective behaviors, such as mandatory watermarking or encryption.
+A [sensitivity label](sensitivity-labels.md) is simply a tag that indicates the value of the item to your organization. It can be applied manually, or automatically. Once applied, the label gets embedded in the document and will follow the document everywhere it goes. A sensitivity label enables various protective behaviors, such as mandatory watermarking or encryption.
Sensitivity labels must be enabled for files that are in SharePoint and OneDrive in order for the corresponding data to surface in the data classification page. For more information, see [Enable sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
description: "Use eDiscovery and search tools to manage and respond to a data sp
# eDiscovery solution series: Data spillage scenario - Search and purge
- **What is data spillage and why should you care?** Data spillage is when a confidential document is released into an untrusted environment. When a data spillage incident is detected, it's important to quickly assess the size and locations of the spillage, examine user activities around it,  and then permanently purge the spilled data from the system.
+ **What is data spillage and why should you care?** Data spillage is when a confidential document is released into an untrusted environment. When a data spillage incident is detected, it's important to quickly assess the size and locations of the spillage, examine user activities around it, and then permanently purge the spilled data from the system.
## Data spillage scenario
compliance Device Onboarding Offboarding Macos Jamfpro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro.md
audience: ITPro
ms.localizationpriority: medium--- M365-security-compliance +
+- M365-security-compliance
search.appverid:-- MET150
+- MET150
description: Learn how to onboard and offboard macOS devices into Microsoft 365 Compliance solutions using JAMF Pro (preview)
You can use JAMF Pro to onboard macOS devices into Microsoft 365 compliance solu
## Before you begin - Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Intune.-- Install the v95+ Edge browser on your macOS devices
+- Install the v95+ Edge browser on your macOS devices
## Onboard devices into Microsoft 365 Compliance solutions using JAMF Pro 1. You'll need these files for this procedure.
-|File needed for |Source |
-|||
-|Onboarding package |Downloaded from the compliance portal **Onboarding package**, file name *DeviceComplianceOnboarding.plist* |
-|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
-full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
+|File needed for|Source|
+|||
+|Onboarding package|Downloaded from the compliance portal **Onboarding package**, file name *DeviceComplianceOnboarding.plist*|
+|accessibility|[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
+full disk access|[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
|Network filter| [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig)
-|System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
-|MDE preference |[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/schema.json)|
+|System extensions|[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
+|MDE preference|[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/schema.json)|
|MAU preference|[com.microsoft.autoupdate2.plist](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.plist)|
-|Installation package |downloaded from the compliance portal **Installation package**, file name *\*wdav.pkg*\* |
+|Installation package|downloaded from the compliance portal **Installation package**, file name *\*wdav.pkg*\*|
> [!TIP] > You can download the *.mobileconfig* files individually or in [single combined file](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) that contains:
+>
> - accessibility.mobileconfig > - fulldisk.mobileconfig > - netfilter.mobileconfig
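
Review bot: The table row added as `+full disk access|[fulldisk.mobileconfig]...` still has no leading pipe, and the `Network filter` and `System extensions` rows have no closing pipe, so the rows are delimited inconsistently with the rest of the table. Since this change already touches nearly every row to normalize cell spacing, start each row with `|` and end it with `|`. The separator row appears here as `|||` with no dashes; confirm it still renders as a header separator.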
Onboarding a macOS device into Compliance solutions is a multiphase process.
### Get the device onboarding package 1. In **Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
-
+ 1. For **Select operating system to start onboarding process** choose **macOS**
-
+ 1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**
-
+ 1. Choose **Download onboarding package**
-
+ 1. Extract the contents of the device onboarding package. In the JAMF folder, you should see the *DeviceComplainceOnboarding.plist* file. ### Create a JAMF Pro configuration profile for the onboarding package
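Review bot: The file name in the "Extract the contents of the device onboarding package" step is spelled *DeviceComplainceOnboarding.plist*, while the files table earlier in this same file lists *DeviceComplianceOnboarding.plist*. One of the two is misspelled; align both with the actual name in the downloaded package so readers can find the file.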
Onboarding a macOS device into Compliance solutions is a multiphase process.
1. Choose **Save**. 1. Under **Preference Domain Properties** choose these settings
- - Features
+ - Features
- Use System Extensions: `enabled` - required for network extensions on Catalina - Use Data Loss Prevention: `enabled` - Antivirus engine > Passive mode: `true|false`. Use `true`if deploying DLP only. Use `false` or do not assign a value if deploying DLP and Microsoft Defender for Endpoint (MDE).
Onboarding a macOS device into Compliance solutions is a multiphase process.
1. Choose the groups to deploy this configuration profile to.
-1. Choose **Save**.
-
+1. Choose **Save**.
### Create and deploy a configuration profile for Microsoft AutoUpdate (MAU)
Onboarding a macOS device into Compliance solutions is a multiphase process.
1. Choose **Done**. - ### Create and deploy a configuration profile for Grant full disk access 1. Use the **fulldisk.mobileconfig** file.
Onboarding a macOS device into Compliance solutions is a multiphase process.
### Configure Network extension
-1. Use the **netfilter.mobileconfig** file that you downloaded from GitHub.
+1. Use the **netfilter.mobileconfig** file that you downloaded from GitHub.
-2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
+2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
### Grant accessibility access to DLP 1. Use the **accessibility.mobileconfig** file that you downloaded from GitHub.
-2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
+2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
### Get the installation package 1. In **Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
-
+ 1. For **Select operating system to start onboarding process** choose **macOS**
-
+ 1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**
-
-1. Choose **Download installation package**. This will give you the *wdav.pkg* file.
+1. Choose **Download installation package**. This will give you the *wdav.pkg* file.
### Deploy the installation package
Onboarding a macOS device into Compliance solutions is a multiphase process.
1. Choose **Add**.
-1. Choose **Save**.
+1. Choose **Save**.
1. Choose the **Scope** tab.
Onboarding a macOS device into Compliance solutions is a multiphase process.
1. Choose **Done**.
-### Check the macOS device
+### Check the macOS device
1. Restart the macOS device.
compliance Device Onboarding Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-sccm.md
For each device, you can set a configuration value to state whether samples can
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
-This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure theyΓÇÖre complaint.
+This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they're complaint.
The configuration is set through the following registry key entry:
-```
-Path: ΓÇ£HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat ProtectionΓÇ¥
+```text
+Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection" Value: 0 or 1 ```
-Where:<br>
-Key type is a D-WORD. <br>
+
+Where:
+
+Key type is a D-WORD.
+ Possible values are:+ - 0 - doesn't allow sample sharing from this device - 1 - allows sharing of all file types from this device
-The default value in case the registry key doesnΓÇÖt exist is 1.
+The default value in case the registry key doesn't exist is 1.
For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139(v=technet.10)). ## Other recommended configuration settings+ After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings. ### Device collection configuration
-If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
+If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
### Next generation protection configuration
Configure all available rules to Audit.
Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing). - **Controlled folder access** Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories. For more information, see [Evaluate controlled folder access](/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access). - ## Offboard devices using Configuration Manager For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
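Review bot: The added sentence describing the remediating compliance rule still ends with "to make sure they're complaint"; the change fixes the apostrophe but leaves "complaint" where "compliant" is meant. In the same hunk, the added line "Key type is a D-WORD." would read better as DWORD, the name of the registry value type.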
If you use Microsoft Endpoint Configuration Manager current branch, see [Create
> [!IMPORTANT] > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. - ## Monitor device configuration If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
You can set a compliance rule for configuration item in System Center 2012 R2 Co
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices. Monitor the following registry key entry:+
+```text
+Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
+Name: "OnboardingState"
+Value: "1"
```
-Path: ΓÇ£HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\StatusΓÇ¥
-Name: ΓÇ£OnboardingStateΓÇ¥
-Value: ΓÇ£1ΓÇ¥
-```
+ For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682139(v=technet.10)). ## Related topics+ - [Onboard Windows 10 and Windows 11 devices using Group Policy](device-onboarding-gp.md) - [Onboard Windows 10 and Windows 11 devices using Mobile Device Management tools](device-onboarding-mdm.md) - [Onboard Windows 10 and Windows 11 devices using a local script](device-onboarding-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](device-onboarding-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](/windows/security/threat-protection/microsoft-defender-atp/run-detection-test)-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
compliance Device Onboarding Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-vdi.md
As a best practice, we recommend using offline servicing tools to patch golden i
For example, you can use the below commands to install an update while the image remains offline:
-```console
+```DOS
DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu" DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
If offline servicing is not a viable option for your non-persistent VDI environm
2. Ensure the sensor is stopped by running the command below in a CMD window:
- ```console
+ ```DOS
sc query sense ```
If offline servicing is not a viable option for your non-persistent VDI environm
4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
- ```console
+ ```DOS
PsExec.exe -s cmd.exe cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber" del *.* /f /s /q
- REG DELETE ΓÇ£HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
+ REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
exit ```
compliance Differences Between Estimated And Actual Ediscovery Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/differences-between-estimated-and-actual-ediscovery-search-results.md
description: "Understand why estimated and actual search results may vary in sea
# Differences between estimated and actual eDiscovery search results
-This topic applies to searches that you can run using one of the following Microsoft 365 eDiscovery tools:
+This article applies to searches that you can run using one of the following Microsoft 365 eDiscovery tools:
- Content search - Core eDiscovery
Here are some reasons for these differences:
- **The way results are estimated**. An estimate of the search results is just that, an estimate (and not an actual count) of the items that meet the search query criteria. To compile the estimate of Exchange items, a list of the message IDs that meet the search criteria is requested from the Exchange database by the eDiscovery tool you're using. But when you export the search results, the search is rerun and the actual messages are retrieved from the Exchange database. So these differences might result because of how the estimated number of items and the actual number of items are determined. -- **Changes that happen between the time when estimating and exporting search results**. When you export search results, the search is restarted to collect that most recent items in the search index that meet the search criteria. It's possible there are additional items were created, sent, or received that meet the search criteria in the time between when the estimated search results were collected and when the search results were exported. It's also possible that items that were in the search index when the search results were estimated are no longer there because they were purged from the content location before the search results are exported. One way to mitigate this issue is to specify a date range for an eDiscovery search. Another way is to place a hold on content locations so that items are preserved and can't be purged.
+- **Changes that happen between the time when estimating and exporting search results**. When you export search results, the search is restarted to collect that most recent items in the search index that meet the search criteria. It's possible there are additional items were created, sent, or received that meet the search criteria in the time between when the estimated search results were collected and when the search results were exported. It's also possible that items that were in the search index when the search results were estimated are no longer there because they were purged from the content location before the search results are exported. One way to mitigate this issue is to specify a date range for an eDiscovery search. Another way is to place a hold on content locations so that items are preserved and can't be purged.
- Although rare, even in the case when a hold is applied, maintenance of built-in calendar items (which aren't editable by the user, but are included in many search results) may be removed from time to time. This periodic removal of calendar items will result in fewer items that are exported.
+ Here are other issues that can result is differences between estimated and exported search results:
+
+ - In increase in items when using a date query. This is typically cause by the following two things:
+
+ - Hold versioning in SharePoint. If a document is deleted from a site that's on hold and document versioning is enabled, all versions of the deleted document will be preserved.
+
+ - Calendar items. Accept and reject messages and recurring meetings will automatically continue creating new items in the background with old dates.
+
+ - With holds, there can be cases where the same item is preserved in a user's primary mailbox and in their archive mailbox. This can happen when a user manually moves an item to their archive.
+
+ - Although rare, even in the case when a hold is applied, maintenance of built-in calendar items (which aren't editable by the user, but are included in many search results) may be removed from time to time. This periodic removal of calendar items will result in fewer items that are exported.
- **Unindexed items**. Items that are unindexed for search can cause differences between estimated and actual search results. You can include unindexed items when you export the search results. If you include unindexed items when exporting search results, there might be more items that are exported. This will cause a difference between the estimated and exported search results.
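Review bot: the new sub-list under "Changes that happen between the time when estimating and exporting search results" has three typos in the added lines: "can result is differences" should read "can result in differences", "In increase in items" should read "An increase in items", and "typically cause by" should read "typically caused by". The re-added parent bullet also still carries "collect that most recent items" and "there are additional items were created"; since the line is being touched anyway, change these to "collect the most recent items" and "additional items were created".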
Here are some reasons for these differences:
- **Document versions in SharePoint and OneDrive**. When searching SharePoint sites and OneDrive accounts, multiple versions of a document aren't included in the count of estimated search results. But you have the option to include all document versions when you export the search results. If you include document versions when exporting search results, the actual number (and total size) of the exported items will be increased. -- **SharePoint folders**. If the name of folders in SharePoint matches a search query, the search estimate will include a count of those folders (but not the items in those folders). When you export the search results, the items in folder are exported but the actual folder is not exported. The result is that the number of exported items will be more than the number of estimated search results. If a folder is empty, then the number of actual search results exported will be reduced by one item, because the actual folder isn't exported.
+- **SharePoint folders**. If folders in SharePoint match a search query, for example, searching by date, the search estimate will include a count of those folders with the last modified date range (but not the items in those folders). When you export the search results, the items in folder are exported but the actual folder isn't exported. The result is that the number of exported items will be more than the number of estimated search results. If a folder is empty, then the number of actual search results exported will be reduced by one item, because the actual folder isn't exported.
> [!NOTE] > When running a query-based search, you can exclude SharePoint folders by adding the following condition to the query: `NOT(ContentType:folder)`. - **SharePoint lists**. If the name of a SharePoint list matches a search query, the search estimate will include a count of all the items in the list. When you export the search results, the list (and the list items) is exported as a single CSV file. This will reduce the actual number of items actually exported. If the list contains attachments, the attachments will be exported as separate documents, which will also increase the number of items exported.
+ > [!NOTE]
+ > When running a query-based search, you can exclude SharePoint lists by adding the following condition to the query: `NOT(ContentType:list)`.
+ - **Raw file formats versus exported file formats**. For Exchange items, the estimated size of the search results is calculated by using the raw Exchange message sizes. However, email messages are exported in a PST file or as individual messages (which are formatted as EML files). Both of these export options use a different file format than raw Exchange messages, which results in the total exported file size being different than the estimated file size. - **De-duplication of Exchange items during export**. For Exchange items, de-duplication reduces the number of items that are exported. You have the option to de-duplicate the search results when you export them. For Exchange messages, this means that only a single instance of a message is exported, even though that message might be found in multiple mailboxes. The estimated search results include every instance of a message. So if you choose the de-duplication option when exporting search results, the actual number of items that are exported might be considerably less than the estimated number of items.
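Review bot: in the rewritten **SharePoint folders** bullet, "a count of those folders with the last modified date range" does not say what makes a folder match. If the intent is that a folder is counted when its own last modified date falls inside the queried date range, state that directly. In the same line, "the items in folder are exported" is missing an article ("in the folder"). The added `NOT(ContentType:list)` note mirrors the existing folder note and reads fine.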
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
Conditions and exceptions in DLP policies identify sensitive items that the poli
- Exceptions define what to exclude. - Actions define what happens as a consequence of condition or exception being met
-Most conditions and exceptions have one property that supports one or more values. For example, if the DLP policy is being applied to Exchange emails, the **The sender** is condition requires the sender of the message. Some conditions have two properties. For example, the **A message header includes any of these words** condition requires one property to specify the message header field, and a second property to specify the text to look for in the header field. Some conditions or exceptions donΓÇÖt have any properties. For example, the **Attachment is password protected** condition simply looks for attachments in messages that are password protected.
+Most conditions and exceptions have one property that supports one or more values. For example, if the DLP policy is being applied to Exchange emails, the **The sender** is condition requires the sender of the message. Some conditions have two properties. For example, the **A message header includes any of these words** condition requires one property to specify the message header field, and a second property to specify the text to look for in the header field. Some conditions or exceptions don't have any properties. For example, the **Attachment is password protected** condition simply looks for attachments in messages that are password protected.
Actions typically require additional properties. For example, when the DLP policy rule redirects a message, you need to specify where the message is redirected to. <!-- Some actions have multiple properties that are available or required. For example, when the rule adds a header field to the message header, you need to specify both the name and value of the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect the same message.-->
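Review bot: the changed paragraph fixes the apostrophe in "don't" but leaves "the **The sender** is condition" as it was, with a doubled article and "is" outside the bold. The sender table in this file labels the condition "Sender is", so the sentence should read "the **Sender is** condition requires the sender of the message".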
If you use the sender address as a condition or exception the actual field where
At the tenant level, you can configure a sender address location to be used across all rules, unless overridden by a single rule. To set tenant DLP policy configuration to evaluate the sender address from the Envelope across all rules, you can run the following command: ```PowerShell
-Set-PolicyConfig ΓÇôSenderAddressLocation Envelope
+Set-PolicyConfig -SenderAddressLocation Envelope
```
-To configure the sender address location at a DLP rule level, the parameter is _SenderAddressLocation_. The available values are:
+To configure the sender address location at a DLP rule level, the parameter is *SenderAddressLocation*. The available values are:
- **Header**: Only examine senders in the message headers (for example, the **From**, **Sender**, or **Reply-To** fields). This is the default value. - **Envelope**: Only examine senders from the message envelope (the **MAIL FROM** value that was used in the SMTP transmission, which is typically stored in the **Return-Path** field). - **Header or envelope** (`HeaderOrEnvelope`) Examine senders in the message header and the message envelope.
-<br>
|condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Sender is|condition: *From* <br/> exception: *ExceptIfFrom*|Addresses|Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization.|
-|The sender is a member of |_FromMemberOf_ <br/> _ExceptIfFromMemberOf_|Addresses|Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group.|
-|Sender IP address is|condition: *SenderIPRanges*<br/> exception: *ExceptIfSenderIPRanges*|IPAddressRanges|Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.|
-|Sender address contains words|condition: *FromAddressContainsWords* <br/> exception: *ExceptIfFromAddressContainsWords*|Words|Messages that contain the specified words in the sender's email address.|
-|Sender address matches patterns|condition: *FromAddressMatchesPatterns* <br/> exception: *ExceptFromAddressMatchesPatterns*|Patterns|Messages where the sender's email address contains text patterns that match the specified regular expressions.|
-|Sender domain is|condition: *SenderDomainIs* <br/> exception: *ExceptIfSenderDomainIs*|DomainName|Messages where the domain of the sender's email address matches the specified value. If you need to find sender domains that *contain* the specified domain (for example, any subdomain of a domain), use **The sender address matches**(*FromAddressMatchesPatterns*) condition and specify the domain by using the syntax: '\.domain\.com$'.|
-|Sender scope|condition: *FromScope* <br/> exception: *ExceptIfFromScope*|UserScopeFrom|Messages that are sent by either internal or external senders.|
-|The sender's specified properties include any of these words|condition: *SenderADAttributeContainsWords* <br/> exception: *ExceptIfSenderADAttributeContainsWords*|First property: `ADAttribute` <p> Second property: `Words`|Messages where the specified Active Directory attribute of the sender contains any of the specified words.|
-|The sender's specified properties match these text patterns|condition: *SenderADAttributeMatchesPatterns* <br/> exception: *ExceptIfSenderADAttributeMatchesPatterns*|First property: `ADAttribute` <p> Second property: `Patterns`|Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions.|
-|
+|Sender is|condition: *From* <br/><br/> exception: *ExceptIfFrom*|Addresses|Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization.|
+|The sender is a member of |*FromMemberOf* <br/><br/> *ExceptIfFromMemberOf*|Addresses|Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group.|
+|Sender IP address is|condition: *SenderIPRanges*<br/><br/> exception: *ExceptIfSenderIPRanges*|IPAddressRanges|Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.|
+|Sender address contains words|condition: *FromAddressContainsWords* <br/><br/> exception: *ExceptIfFromAddressContainsWords*|Words|Messages that contain the specified words in the sender's email address.|
+|Sender address matches patterns|condition: *FromAddressMatchesPatterns* <br/><br/> exception: *ExceptFromAddressMatchesPatterns*|Patterns|Messages where the sender's email address contains text patterns that match the specified regular expressions.|
+|Sender domain is|condition: *SenderDomainIs* <br/><br/> exception: *ExceptIfSenderDomainIs*|DomainName|Messages where the domain of the sender's email address matches the specified value. If you need to find sender domains that *contain* the specified domain (for example, any subdomain of a domain), use **The sender address matches**(*FromAddressMatchesPatterns*) condition and specify the domain by using the syntax: '\.domain\.com$'.|
+|Sender scope|condition: *FromScope* <br/><br/> exception: *ExceptIfFromScope*|UserScopeFrom|Messages that are sent by either internal or external senders.|
+|The sender's specified properties include any of these words|condition: *SenderADAttributeContainsWords* <br/><br/> exception: *ExceptIfSenderADAttributeContainsWords*|First property: `ADAttribute` <br/><br/> Second property: `Words`|Messages where the specified Active Directory attribute of the sender contains any of the specified words.|
+|The sender's specified properties match these text patterns|condition: *SenderADAttributeMatchesPatterns* <br/><br/> exception: *ExceptIfSenderADAttributeMatchesPatterns*|First property: `ADAttribute` <br/><br/> Second property: `Patterns`|Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions.|
### Recipients
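Review bot: in the sender table, the "Sender address matches patterns" row still gives the exception parameter as *ExceptFromAddressMatchesPatterns*, without the `If` that every other exception parameter in these tables carries (*ExceptIfFromAddressContainsWords*, *ExceptIfSenderDomainIs*, and so on). The row is rewritten here only to double the `<br/>`, so the name is carried over unchanged; confirm the parameter name and correct it in the same pass. The "The sender is a member of" row also drops the "condition:" and "exception:" labels the other rows use. Further down in this hunk, the subject rows have the same kind of carry-over: "ExceptIf SubjectContainsWords" and "ExceptIf SubjectMatchesPatterns" contain a stray space, and "exception *ExceptIfContentContainsSensitiveInformation*" is missing its colon.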
-<br>
-
-****
- |condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Recipient is|condition: *SentTo* <br/> exception: *ExceptIfSentTo*|Addresses|Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the **To**, **Cc**, or **Bcc** fields of the message.|
-|Recipient domain is|condition: *RecipientDomainIs* <br/> exception: *ExceptIfRecipientDomainIs*|DomainName|Messages where the domain of the recipient's email address matches the specified value.|
-|Recipient address contains words|condition: *AnyOfRecipientAddressContainsWords* <br/> exception: *ExceptIfAnyOfRecipientAddressContainsWords*|Words|Messages that contain the specified words in the recipient's email address. <br/>**Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.|
-|Recipient address matches patterns|condition: *AnyOfRecipientAddressMatchesPatterns* <br/> exception: *ExceptIfAnyOfRecipientAddressMatchesPatterns*|Patterns|Messages where a recipient's email address contains text patterns that match the specified regular expressions. <br/> **Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.|
-|Sent to member of|condition: *SentToMemberOf* <br/> exception: *ExceptIfSentToMemberOf*|Addresses|Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the **To**, **Cc**, or **Bcc** fields of the message.|
-|The recipient's specified properties include any of these words |_RecipientADAttributeContainsWords_ <br/> _ExceptIfRecipientADAttributeContainsWords_|First property: `ADAttribute` <p> Second property: `Words`|Messages where the specified Active Directory attribute of a recipient contains any of the specified words. <p> Note that the **Country** attribute requires the two-letter country code value (for example, DE for Germany).|
-|The recipient's specified properties match these text patterns |_RecipientADAttributeMatchesPatterns_ <br/> _ExceptIfRecipientADAttributeMatchesPatterns_|First property: `ADAttribute` <p> Second property: `Patterns`|Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.|
-|
+|Recipient is|condition: *SentTo* <br/><br/> exception: *ExceptIfSentTo*|Addresses|Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the **To**, **Cc**, or **Bcc** fields of the message.|
+|Recipient domain is|condition: *RecipientDomainIs* <br/><br/> exception: *ExceptIfRecipientDomainIs*|DomainName|Messages where the domain of the recipient's email address matches the specified value.|
+|Recipient address contains words|condition: *AnyOfRecipientAddressContainsWords* <br/><br/> exception: *ExceptIfAnyOfRecipientAddressContainsWords*|Words|Messages that contain the specified words in the recipient's email address. <br/><br/>**Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.|
+|Recipient address matches patterns|condition: *AnyOfRecipientAddressMatchesPatterns* <br/><br/> exception: *ExceptIfAnyOfRecipientAddressMatchesPatterns*|Patterns|Messages where a recipient's email address contains text patterns that match the specified regular expressions. <br/><br/> **Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.|
+|Sent to member of|condition: *SentToMemberOf* <br/><br/> exception: *ExceptIfSentToMemberOf*|Addresses|Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the **To**, **Cc**, or **Bcc** fields of the message.|
+|The recipient's specified properties include any of these words |*RecipientADAttributeContainsWords* <br/><br/> *ExceptIfRecipientADAttributeContainsWords*|First property: `ADAttribute` <br/><br/> Second property: `Words`|Messages where the specified Active Directory attribute of a recipient contains any of the specified words. <br/><br/> Note that the **Country** attribute requires the two-letter country code value (for example, DE for Germany).|
+|The recipient's specified properties match these text patterns |*RecipientADAttributeMatchesPatterns* <br/><br/> *ExceptIfRecipientADAttributeMatchesPatterns*|First property: `ADAttribute` <br/><br/> Second property: `Patterns`|Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.|
### Message subject or body
-<br>
-
-****
- |condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Subject contains words or phrases|condition: *SubjectContainsWords* <br/> exception: *ExceptIf SubjectContainsWords*|Words|Messages that have the specified words in the Subject field.|
-|Subject matches patterns|condition: *SubjectMatchesPatterns* <br/> exception: *ExceptIf SubjectMatchesPatterns*|Patterns|Messages where the Subject field contain text patterns that match the specified regular expressions.|
-|Content contains|condition: *ContentContainsSensitiveInformation* <br/> exception *ExceptIfContentContainsSensitiveInformation*|SensitiveInformationTypes|Messages or documents that contain sensitive information as defined by data loss prevention (DLP) policies.|
-|Subject or Body matches pattern|condition: *SubjectOrBodyMatchesPatterns* <br/> exception: *ExceptIfSubjectOrBodyMatchesPatterns*|Patterns|Messages where the subject field or message body contains text patterns that match the specified regular expressions.|
-|Subject or Body contains words|condition: *SubjectOrBodyContainsWords* <br/> exception: *ExceptIfSubjectOrBodyContainsWords*|Words|Messages that have the specified words in the subject field or message body|
-|
+|Subject contains words or phrases|condition: *SubjectContainsWords* <br/><br/> exception: *ExceptIf SubjectContainsWords*|Words|Messages that have the specified words in the Subject field.|
+|Subject matches patterns|condition: *SubjectMatchesPatterns* <br/><br/> exception: *ExceptIf SubjectMatchesPatterns*|Patterns|Messages where the Subject field contain text patterns that match the specified regular expressions.|
+|Content contains|condition: *ContentContainsSensitiveInformation* <br/><br/> exception *ExceptIfContentContainsSensitiveInformation*|SensitiveInformationTypes|Messages or documents that contain sensitive information as defined by data loss prevention (DLP) policies.|
+|Subject or Body matches pattern|condition: *SubjectOrBodyMatchesPatterns* <br/><br/> exception: *ExceptIfSubjectOrBodyMatchesPatterns*|Patterns|Messages where the subject field or message body contains text patterns that match the specified regular expressions.|
+|Subject or Body contains words|condition: *SubjectOrBodyContainsWords* <br/><br/> exception: *ExceptIfSubjectOrBodyContainsWords*|Words|Messages that have the specified words in the subject field or message body|
### Attachments
-<br>
-
-****
- |condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Attachment is password protected|condition: *DocumentIsPasswordProtected* <br/> exception: *ExceptIfDocumentIsPasswordProtected*|none|Messages where an attachment is password protected (and therefore can't be scanned). Password detection only works for Office documents, .zip files, and .7z files.|
-|AttachmentΓÇÖs file extension is|condition: *ContentExtensionMatchesWords* <br/> exception: *ExceptIfContentExtensionMatchesWords*|Words|Messages where an attachment's file extension matches any of the specified words.|
-|Any email attachmentΓÇÖs content could not be scanned|condition: *DocumentIsUnsupported* <br/>exception: *ExceptIf DocumentIsUnsupported*|n/a|Messages where an attachment isn't natively recognized by Exchange Online.|
-|Any email attachmentΓÇÖs content didnΓÇÖt complete scanning|condition: *ProcessingLimitExceeded* <br/> exception: *ExceptIfProcessingLimitExceeded*|n/a|Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.|
-|Document name contains words|condition: *DocumentNameMatchesWords* <br/> exception: *ExceptIfDocumentNameMatchesWords*|Words|Messages where an attachment's file name matches any of the specified words.|
-|Document name matches patterns|condition: *DocumentNameMatchesPatterns* <br/> exception: *ExceptIfDocumentNameMatchesPatterns*|Patterns|Messages where an attachment's file name contains text patterns that match the specified regular expressions.|
-|Document property is|condition: *ContentPropertyContainsWords* <br/> exception: *ExceptIfContentPropertyContainsWords*|Words|Messages or documents where an attachment's file extension matches any of the specified words.|
-|Document size equals or is greater than|condition: *DocumentSizeOver* <br/> exception: *ExceptIfDocumentSizeOver*|Size|Messages where any attachment is greater than or equal to the specified value.|
-|Any attachment's content includes any of these words|condition: *DocumentContainsWords* <br/> exception: *ExceptIfDocumentContainsWords*|`Words`|Messages where an attachment contains the specified words.|
-|Any attachments content matches these text patterns|condition: *DocumentMatchesPatterns* <br/> exception: *ExceptIfDocumentMatchesPatterns*|`Patterns`|Messages where an attachment contains text patterns that match the specified regular expressions.|
-|
+|Attachment is password protected|condition: *DocumentIsPasswordProtected* <br/><br/> exception: *ExceptIfDocumentIsPasswordProtected*|none|Messages where an attachment is password protected (and therefore can't be scanned). Password detection only works for Office documents, .zip files, and .7z files.|
+|Attachment's file extension is|condition: *ContentExtensionMatchesWords* <br/><br/> exception: *ExceptIfContentExtensionMatchesWords*|Words|Messages where an attachment's file extension matches any of the specified words.|
+|Any email attachment's content could not be scanned|condition: *DocumentIsUnsupported* <br/><br/>exception: *ExceptIf DocumentIsUnsupported*|n/a|Messages where an attachment isn't natively recognized by Exchange Online.|
+|Any email attachment's content didn't complete scanning|condition: *ProcessingLimitExceeded* <br/><br/> exception: *ExceptIfProcessingLimitExceeded*|n/a|Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned.|
+|Document name contains words|condition: *DocumentNameMatchesWords* <br/><br/> exception: *ExceptIfDocumentNameMatchesWords*|Words|Messages where an attachment's file name matches any of the specified words.|
+|Document name matches patterns|condition: *DocumentNameMatchesPatterns* <br/><br/> exception: *ExceptIfDocumentNameMatchesPatterns*|Patterns|Messages where an attachment's file name contains text patterns that match the specified regular expressions.|
+|Document property is|condition: *ContentPropertyContainsWords* <br/><br/> exception: *ExceptIfContentPropertyContainsWords*|Words|Messages or documents where an attachment's file extension matches any of the specified words.|
+|Document size equals or is greater than|condition: *DocumentSizeOver* <br/><br/> exception: *ExceptIfDocumentSizeOver*|Size|Messages where any attachment is greater than or equal to the specified value.|
+|Any attachment's content includes any of these words|condition: *DocumentContainsWords* <br/><br/> exception: *ExceptIfDocumentContainsWords*|`Words`|Messages where an attachment contains the specified words.|
+|Any attachments content matches these text patterns|condition: *DocumentMatchesPatterns* <br/><br/> exception: *ExceptIfDocumentMatchesPatterns*|`Patterns`|Messages where an attachment contains text patterns that match the specified regular expressions.|
### Message Headers
-<br>
-
-****
- |condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Header contains words or phrases|condition: *HeaderContainsWords* <br/> exception: *ExceptIfHeaderContainsWords*|Hash Table|Messages that contain the specified header field, and the value of that header field contains the specified words.|
-|Header matches patterns|condition: *HeaderMatchesPatterns* <br/> exception: *ExceptIfHeaderMatchesPatterns*|Hash Table|Messages that contain the specified header field, and the value of that header field contains the specified regular expressions.|
+|Header contains words or phrases|condition: *HeaderContainsWords* <br/><br/> exception: *ExceptIfHeaderContainsWords*|Hash Table|Messages that contain the specified header field, and the value of that header field contains the specified words.|
+|Header matches patterns|condition: *HeaderMatchesPatterns* <br/><br/> exception: *ExceptIfHeaderMatchesPatterns*|Hash Table|Messages that contain the specified header field, and the value of that header field contains the specified regular expressions.|
### Message properties
-<br>
-
-****
- |condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| |||||
-|With importance|condition: *WithImportance* <br/> exception: *ExceptIfWithImportance*|Importance|Messages that are marked with the specified importance level.|
-|Content character set contains words|condition: *ContentCharacterSetContainsWords* <br/> *ExceptIfContentCharacterSetContainsWords*|CharacterSets|Messages that have any of the specified character set names.|
-|Has sender override|condition: *HasSenderOverride* <br/> exception: *ExceptIfHasSenderOverride*|n/a|Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies see [Learn about data loss prevention](./dlp-learn-about-dlp.md)|
-|Message type matches|condition: *MessageTypeMatches* <br/> exception: *ExceptIfMessageTypeMatches*|MessageType|Messages of the specified type. **Note**: The available message types are Automatic reply, Auto-forward, Encrypted (S/MIME), Calendaring, Permission controlled (rights management), Voicemail, Signed, Read receipt, and Approval request. |
-|The message size is greater than or equal to|condition: *MessageSizeOver* <br/> exception: *ExceptIfMessageSizeOver*|`Size`|Messages where the total size (message plus attachments) is greater than or equal to the specified value. **Note**: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.|
-|
+|With importance|condition: *WithImportance* <br/><br/> exception: *ExceptIfWithImportance*|Importance|Messages that are marked with the specified importance level.|
+|Content character set contains words|condition: *ContentCharacterSetContainsWords* <br/><br/> *ExceptIfContentCharacterSetContainsWords*|CharacterSets|Messages that have any of the specified character set names.|
+|Has sender override|condition: *HasSenderOverride* <br/><br/> exception: *ExceptIfHasSenderOverride*|n/a|Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies see [Learn about data loss prevention](./dlp-learn-about-dlp.md)|
+|Message type matches|condition: *MessageTypeMatches* <br/><br/> exception: *ExceptIfMessageTypeMatches*|MessageType|Messages of the specified type. **Note**: The available message types are Automatic reply, Auto-forward, Encrypted (S/MIME), Calendaring, Permission controlled (rights management), Voicemail, Signed, Read receipt, and Approval request. |
+|The message size is greater than or equal to|condition: *MessageSizeOver* <br/><br/> exception: *ExceptIfMessageSizeOver*|`Size`|Messages where the total size (message plus attachments) is greater than or equal to the specified value. **Note**: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.|
## Actions for DLP policies This table describes the actions that are available in DLP.
-<br>
-
-****
- |action in DLP|action parameters in Microsoft 365 PowerShell|property type|description| |||||
-|Set header|SetHeader|First property: *Header Name* </br> Second property: *Header Value*|The SetHeader parameter specifies an action for the DLP rule that adds or modifies a header field and value in the message header. This parameter uses the syntax "HeaderName:HeaderValue". You can specify multiple header name and value pairs separated by commas|
-|Remove header|RemoveHeader|First property: *MessageHeaderField*</br> Second property: *String*|The RemoveHeader parameter specifies an action for the DLP rule that removes a header field from the message header. This parameter uses the syntax ΓÇ£HeaderNameΓÇ¥ or "HeaderName:HeaderValue".You can specify multiple header names or header name and value pairs separated by commas|
+|Set header|SetHeader|First property: *Header Name* <br/><br/> Second property: *Header Value*|The SetHeader parameter specifies an action for the DLP rule that adds or modifies a header field and value in the message header. This parameter uses the syntax "HeaderName:HeaderValue". You can specify multiple header name and value pairs separated by commas|
+|Remove header|RemoveHeader|First property: *MessageHeaderField*<br/><br/> Second property: *String*|The RemoveHeader parameter specifies an action for the DLP rule that removes a header field from the message header. This parameter uses the syntax "HeaderName" or "HeaderName:HeaderValue".You can specify multiple header names or header name and value pairs separated by commas|
|Redirect the message to specific users|*RedirectMessageTo*|Addresses|Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients.|
-|Forward the message for approval to senderΓÇÖs manager|Moderate|First property: *ModerateMessageByManager*</br> Second property: *Boolean*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ModerateMessageByManager = <$true \|$false>;|
-|Forward the message for approval to specific approvers|Moderate|First property: *ModerateMessageByUser*</br>Second property: *Addresses*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ ModerateMessageByUser = @("emailaddress1","emailaddress2",..."emailaddressN")}|
-|Add recipient|AddRecipients|First property: *Field*</br>Second property: *Addresses*|Adds one or more recipients to the To/Cc/Bcc field of the message. This parameter uses the syntax: @{<AddToRecipients \|CopyTo \|BlindCopyTo> = "emailaddress"}|
-|Add the senderΓÇÖs manager as recipient|AddRecipients|First property: *AddedManagerAction*</br>Second property: *Field*|Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory. This parameter uses the syntax: @{AddManagerAsRecipientType = "<To \|Cc \|Bcc>"}|
-Prepend subject|PrependSubject|String|Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.</br>To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the "The subject contains words" (ExceptIfSubjectContainsWords) exception to the rule.|
-|Apply HTML disclaimer|ApplyHtmlDisclaimer|First property: *Text*</br>Second property: *Location*</br>Third property: *Fallback action*|Applies the specified HTML disclaimer to the required location of the message.</br>This parameter uses the syntax: @{ Text = ΓÇ£ ΓÇ¥ ; Location = <Append \|Prepend>; FallbackAction = <Wrap \|Ignore \|Reject> }|
+|Forward the message for approval to sender's manager|Moderate|First property: *ModerateMessageByManager*<br/><br/> Second property: *Boolean*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ModerateMessageByManager = <$true \|$false>;|
+|Forward the message for approval to specific approvers|Moderate|First property: *ModerateMessageByUser*<br/><br/>Second property: *Addresses*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ ModerateMessageByUser = @("emailaddress1","emailaddress2",..."emailaddressN")}|
+|Add recipient|AddRecipients|First property: *Field*<br/><br/>Second property: *Addresses*|Adds one or more recipients to the To/Cc/Bcc field of the message. This parameter uses the syntax: @{<AddToRecipients \<CopyTo \| BlindCopyTo\> = "emailaddress"}|
+|Add the sender's manager as recipient|AddRecipients|First property: *AddedManagerAction*<br/><br/>Second property: *Field*|Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory. This parameter uses the syntax: @{AddManagerAsRecipientType = "\<To \| Cc \| Bcc\>"}|
+Prepend subject|PrependSubject|String|Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.<br/><br/>To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the "The subject contains words" (ExceptIfSubjectContainsWords) exception to the rule.|
+|Apply HTML disclaimer|ApplyHtmlDisclaimer|First property: *Text*<br/><br/>Second property: *Location*<br/><br/>Third property: *Fallback action*|Applies the specified HTML disclaimer to the required location of the message.<br/><br/>This parameter uses the syntax: @{ Text = " " ; Location = \<Append \| Prepend\>; FallbackAction = \<Wrap \| Ignore \| Reject\> }|
|Remove Office 365 Message Encryption and rights protection|RemoveRMSTemplate|n/a|Removes Office 365 encryption applied on an email|
-|Deliver the message to the hosted quarantine |_Quarantine_|n/a| This action is currently in **public preview**. During this phase, emails quarantined by DLP policies will show policy type as ExchangeTransportRule.</br> Delivers the message to the quarantine in EOP. For more information, see [Quarantined email messages in EOP](/microsoft-365/security/office-365-security/quarantine-email-messages).|
-|
-
-<!--|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: </br>- **Replace** all matches in the subject with the replacement text </br>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. </br>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject. See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule|-->
+|Deliver the message to the hosted quarantine |*Quarantine*|n/a| This action is currently in **public preview**. During this phase, emails quarantined by DLP policies will show policy type as ExchangeTransportRule.<br/><br/> Delivers the message to the quarantine in EOP. For more information, see [Quarantined email messages in EOP](/microsoft-365/security/office-365-security/quarantine-email-messages).|
+<!--|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: <br/><br/>- **Replace** all matches in the subject with the replacement text <br/><br/>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. <br/><br/>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject. See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule|-->
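Review bot: The new Add recipient row breaks the AddRecipients syntax: `@{<AddToRecipients \<CopyTo \| BlindCopyTo\> = "emailaddress"}` drops the `\|` between AddToRecipients and CopyTo and leaves the first `<` unescaped. The removed line listed three alternatives, so this should read `@{\<AddToRecipients \| CopyTo \| BlindCopyTo\> = "emailaddress"}`, matching the escaping used in the AddManagerAsRecipientType row. Two defects carried over from the old rows are worth fixing in the same pass: the ModerateMessageByManager syntax ends in `;` with no closing `}`, and the Prepend subject row still has no leading `|`.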
compliance Dlp Migrate Exo Policy To Unified Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migrate-exo-policy-to-unified-dlp.md
f1.keywords:
Previously updated : Last updated : audience: ITPro f1_keywords: - 'ms.o365.cc.DLPLandingPage' ms.localizationpriority: medium-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MET150 description: "Learn how to plan for and migrate your Exchange online data loss prevention policies into Microsoft 365 DLP."
description: "Learn how to plan for and migrate your Exchange online data loss p
The migration wizard works by reading the configuration of your DLP policies in Exchange and then creating duplicate policies in the Compliance center. By default the wizard creates the new versions of the policies in **Test** mode, so you can see what impact they'd have in your environment without enforcing any of the actions. Once you're ready to fully transition to the Compliance center versions, ***you must***: 1. Deactivate or delete the source policy in the Exchange Admin Center (EAC).
-1. Edit the Compliance center version of the policy and change its status from **Test** to **Enforce**.
+1. Edit the Compliance center version of the policy and change its status from **Test** to **Enforce**.
> [!WARNING] > If you do not delete or deactivate the source policy in the EAC before you set the Compliance center version to **Enforce** both sets of policies will be attempting to enforce actions and you will receive duplicate events. ***This is an unsupported configuration.*** - The migration wizard only migrates EXO policies and associated mail flow rules. Standalone Exchange mail flow rules aren't migrated. ## Migration workflow
-There are four phases to migrating DLP policies from Exchange into the Unified DLP management console in the Compliance center.
+There are four phases to migrating DLP policies from Exchange into the Unified DLP management console in the Compliance center.
1. Prepare for migration 1. Evaluate and compare your Exchange Online (EXO) DLP policies and your Compliance Center DLP policies for duplicate functionality.
There are four phases to migrating DLP policies from Exchange into the Unified D
### Licensing and versions
-Before you get started with migrating DLP policies, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons.
+Before you get started with migrating DLP policies, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons.
To access and use the policy migration wizard, you must have one of these subscriptions or add-ons
To access and use the policy migration wizard, you must have one of these subscr
For a detailed list of DLP licensing requirements, see [Microsoft 365 Licensing guidance for security & compliance, data loss prevention](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection) - ### Permissions The account that you use to run the migration wizard must have access to both the Exchange Admin Console DLP page and to the Unified DLP console in the Compliance center.
The account that you use to run the migration wizard must have access to both th
1. [Create, Test, and Tune a DLP policy](create-test-tune-dlp-policy.md) 1. Evaluate your Exchange DLP and Compliance center policies by asking these questions: -
-|Question |Action | Migration procedure|
-||||
-|Is the policy still needed? |If not, delete or deactivate it |don't migrate|
-|Does it overlap with any other Exchange or Compliance center DLP policies? |If yes, can you consolidate the overlapping policies? |- If it overlaps with another Exchange policy, manually create the consolidated DLP policy in the Exchange Admin center, then use the migration wizard. </br> - If it overlaps with an existing Compliance Center policy, you can modify the existing Compliance center policy to match, don't migrate the Exchange version|
-|Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions? |If yes, it is a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later | migrate with the wizard|
+|Question|Action|Migration procedure|
+||||
+|Is the policy still needed?|If not, delete or deactivate it|don't migrate|
+|Does it overlap with any other Exchange or Compliance center DLP policies?|If yes, can you consolidate the overlapping policies?|- If it overlaps with another Exchange policy, manually create the consolidated DLP policy in the Exchange Admin center, then use the migration wizard. </br> - If it overlaps with an existing Compliance Center policy, you can modify the existing Compliance center policy to match, don't migrate the Exchange version|
+|Is the Exchange DLP policy tightly scoped and does it have well-defined conditions, actions, inclusions, and exclusions?|If yes, it is a good candidate to migrate with the wizard, make note of the policy so that you remember to come back to delete it later|migrate with the wizard|
## Migration
After you have evaluated all your Exchange and Compliance center DLP policies fo
6. Select the mode you want the new Compliance center policy created in, **Active**, **Test**, or **Disabled**. The default is **Test**. Select **Next**. 7. If desired, you can create more policies that are based on the Exchange DLP policies for other unified DLP locations. This will result in one new unified DLP policy for the migrated Exchange policy and one new unified DLP policy for any other locations that you pick here.
-> [!IMPORTANT]
-> Any Exchange DLP policy conditions and actions that are not supported by other DLP locations, like Devices, SharePoint, OneDrive, On-premises, MCAS or Teams chat and channel messages will be dropped from the additional policy. Also, there is pre-work that must be done for the other locations. See:
->- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md#learn-about-microsoft-365-endpoint-data-loss-prevention)
->- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md#get-started-with-endpoint-data-loss-prevention)
->- [Using Endpoint data loss prevention](endpoint-dlp-using.md#using-endpoint-data-loss-prevention)
->- [Learn about the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-learn.md#learn-about-the-microsoft-365-data-loss-prevention-on-premises-scanner)
->- [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-scanner)
->- [Use the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-use.md#use-the-microsoft-365-data-loss-prevention-on-premises-scanner)
->- [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md#use-data-loss-prevention-policies-for-non-microsoft-cloud-apps)
-
+ > [!IMPORTANT]
+ > Any Exchange DLP policy conditions and actions that are not supported by other DLP locations, like Devices, SharePoint, OneDrive, On-premises, MCAS or Teams chat and channel messages will be dropped from the additional policy. Also, there is pre-work that must be done for the other locations. See:
+ >
+ > - [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md#learn-about-microsoft-365-endpoint-data-loss-prevention)
+ > - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md#get-started-with-endpoint-data-loss-prevention)
+ > - [Using Endpoint data loss prevention](endpoint-dlp-using.md#using-endpoint-data-loss-prevention)
+ > - [Learn about the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-learn.md#learn-about-the-microsoft-365-data-loss-prevention-on-premises-scanner)
+ > - [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-scanner)
+ > - [Use the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-use.md#use-the-microsoft-365-data-loss-prevention-on-premises-scanner)
+ > - [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md#use-data-loss-prevention-policies-for-non-microsoft-cloud-apps)
+ 8. Review the migration wizard session settings. Select **Next**.
-9. Review the migration report. Pay attention to any failures involving Exchange mailflow rules. You can fix them and remigrate the associated policies.
+9. Review the migration report. Pay attention to any failures involving Exchange mail flow rules. You can fix them and remigrate the associated policies.
-The migrated policies will now appear in the list of DLP policies in the Compliance center DLP console.
+The migrated policies will now appear in the list of DLP policies in the Compliance center DLP console.
## Common errors and mitigation
-|Error message |Reason | Mitigation/Recommended steps|
-||||
-|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Dlp`. |It is likely that this policy migration was done earlier and then reattempted in the same session |Refresh the session to update the list of policies available for migration. All previously migrated policies should be in the `Already migrated` state.|
-|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Hold`. |A retention policy with the same name exists in the same tenant. |- Rename the DLP policy in EAC to a different name. </br> - Retry the migration for the impacted policy. |
-|`DLP-group@contoso.com` canΓÇÖt be used as a value for the Shared By condition because itΓÇÖs a distribution group or mail-enabled security group. Use Shared by Member of predicate to detect activities by members of certain groups. |Transport rules allow groups to be used in the `sender is` condition but unified DLP does not allow it. | Update the transport rule to remove all group email addresses from the `sender is` condition and add the group to the `sender is a member of` condition if necessary. Retry the migration for the impacted policy|
-|Could not find recipient `DLP-group@contoso.com`. If newly created, retry the operation after sometime. If deleted or expired please reset with valid values and try again. |It is likely that the group address used in `sender is a member of` or `recipient is a member of` condition is expired or invalid. | - Remove/replace all the invalid group email addresses in the transport rule in Exchange admin center. </br> - Retry the migration for the impacted policy.|
-|The value specified in `FromMemberOf` predicate must be mail enabled security group. |Transport rules allow individual users to be used in the `sender is a member of` condition but unified DLP does not allow it. | - Update the transport rule to remove all individual user email addresses from the `sender is a member of` condition and add the users to the `sender is` condition if necessary. </br> - Retry the migration for the impacted policy.|
-|The value specified in `SentToMemberOf` predicate must be mail enabled security group. |Transport rules allow individual users to be used under the `recipient is a member of` condition but unified DLP does not allow it. | - Update the transport rule to remove all individual user email addresses from the `recipient is a member of` condition and add the users to the `recipient is` condition if necessary. </br> - Retry the migration for the impacted policy.|
-|Using the `<Name of condition>` parameter is supported only for Exchange. Either remove this parameter or turn on only Exchange location. | It is likely that another policy with the same name exists in Compliance center with other locations like SPO/ODB/Teams for which the mentioned condition is not supported. | Rename the DLP policy in Exchange admin center and retry the migration.|
+
+|Error message|Reason|Mitigation/Recommended steps|
+||||
+|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Dlp`.|It is likely that this policy migration was done earlier and then reattempted in the same session|Refresh the session to update the list of policies available for migration. All previously migrated policies should be in the `Already migrated` state.|
+|A compliance policy with name `<Name of the policy>` already exists in scenario(s) `Hold`.|A retention policy with the same name exists in the same tenant.|- Rename the DLP policy in EAC to a different name. </br> - Retry the migration for the impacted policy.|
+|`DLP-group@contoso.com` can't be used as a value for the Shared By condition because it's a distribution group or mail-enabled security group. Use Shared by Member of predicate to detect activities by members of certain groups.|Transport rules allow groups to be used in the `sender is` condition but unified DLP does not allow it.|Update the transport rule to remove all group email addresses from the `sender is` condition and add the group to the `sender is a member of` condition if necessary. Retry the migration for the impacted policy|
+|Could not find recipient `DLP-group@contoso.com`. If newly created, retry the operation after sometime. If deleted or expired please reset with valid values and try again.|It is likely that the group address used in `sender is a member of` or `recipient is a member of` condition is expired or invalid.|- Remove/replace all the invalid group email addresses in the transport rule in Exchange admin center. </br> - Retry the migration for the impacted policy.|
+|The value specified in `FromMemberOf` predicate must be mail enabled security group.|Transport rules allow individual users to be used in the `sender is a member of` condition but unified DLP does not allow it.|- Update the transport rule to remove all individual user email addresses from the `sender is a member of` condition and add the users to the `sender is` condition if necessary. </br> - Retry the migration for the impacted policy.|
+|The value specified in `SentToMemberOf` predicate must be mail enabled security group.|Transport rules allow individual users to be used under the `recipient is a member of` condition but unified DLP does not allow it.|- Update the transport rule to remove all individual user email addresses from the `recipient is a member of` condition and add the users to the `recipient is` condition if necessary. </br> - Retry the migration for the impacted policy.|
+|Using the `<Name of condition>` parameter is supported only for Exchange. Either remove this parameter or turn on only Exchange location.|It is likely that another policy with the same name exists in Compliance center with other locations like SPO/ODB/Teams for which the mentioned condition is not supported.|Rename the DLP policy in Exchange admin center and retry the migration.|
## Testing and validation <!--PRATEEK AND AAKASH TO PROVIDE A LIST OF SUPPORTED PREDICATES AND KNOWN ISSUES BEFORE PUBLISHING-->
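Review bot: The rewritten Common errors table keeps `</br>` as the line break in four Mitigation cells (the `Hold`, `Could not find recipient`, `FromMemberOf` and `SentToMemberOf` rows). `</br>` is not a valid tag; use `<br/>`, as the DLP actions table in this same update now does. The third row's mitigation is also the only multi-step one written as run-on sentences without the `- ` items and final period the other rows use. Separately, the `<!--PRATEEK AND AAKASH TO PROVIDE A LIST OF SUPPORTED PREDICATES AND KNOWN ISSUES BEFORE PUBLISHING-->` comment is still attached to the Testing and validation heading and should be resolved or removed.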
To ensure that the migrated policies behave as expected, you can export the repo
1. Connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). 2. Export the [EAC DLP report](/powershell/module/exchange/get-maildetaildlppolicyreport). You can copy this cmdlet and insert the appropriate values:
-```powershell
-Get-MailDetailDlpPolicyReport -StartDate <dd/mm/yyyy -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, MessageId, DlpPolicy, TransportRule -Unique | Export-CSV <"C:\path\filename.csv">
-```
+ ```powershell
+ Get-MailDetailDlpPolicyReport -StartDate <dd/mm/yyyy -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, MessageId, DlpPolicy, TransportRule -Unique | Export-CSV <"C:\path\filename.csv">
+ ```
3. Export the [Unified DLP report](/powershell/module/exchange/get-dlpdetailreport). You can copy this cmdlet and insert the appropriate values:
-```powershell
-Get-DlpDetailReport -StartDate <dd/mm/yyyy> -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, Location, DlpCompliancePolicy, DlpComplianceRule -Unique | Export-CSV <"C:\path\filename.csv">
-```
+ ```powershell
+ Get-DlpDetailReport -StartDate <dd/mm/yyyy> -EndDate <dd/mm/yyyy> -PageSize 5000 | select Date, Location, DlpCompliancePolicy, DlpComplianceRule -Unique | Export-CSV <"C:\path\filename.csv">
+ ```
## Activate your migrated policies
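Review bot: In the re-indented Get-MailDetailDlpPolicyReport command the `-StartDate <dd/mm/yyyy` placeholder is still missing its closing `>`, unlike `-EndDate <dd/mm/yyyy>` on the same line and both date placeholders in the Get-DlpDetailReport command. Since the step tells readers to copy the cmdlet and insert their own values, close it as `-StartDate <dd/mm/yyyy>` so the two commands are consistent and the substitution points are unambiguous.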
compliance Dlp Policy Design https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-design.md
f1.keywords:
Previously updated : Last updated : audience: ITPro ms.localizationpriority: medium-+ - M365-security-compliance
+search.appverid:
- MET150 description: "Learn how to design a data loss prevention (DLP) policy"
If you are new to Microsoft 365 DLP, it's helpful to work through these articles
- [Learn about data loss prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention) - this article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP - [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - by working through this article you will:
- - [Identify stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders)
- - [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect)
- - [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)
+ - [Identify stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders)
+ - [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect)
+ - [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)
- [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) - this article introduces all the components of a DLP policy and how each one influences the behavior of a policy ## Policy design overview
-[Designing a policy](#policy-design-process) is mostly about clearly [defining your business needs, documenting them in a policy intent statement](#define-intent-for-the-policy) and then [mapping those needs to policy configuration](#map-business-needs-to-policy-configuration). You'll use the decisions you made in your planning phase to inform some of your policy design decisions.
+[Designing a policy](#policy-design-process) is mostly about clearly [defining your business needs, documenting them in a policy intent statement](#define-intent-for-the-policy) and then [mapping those needs to policy configuration](#map-business-needs-to-policy-configuration). You'll use the decisions you made in your planning phase to inform some of your policy design decisions.
-### Define intent for the policy
+### Define intent for the policy
-You should be able to summarize the business intent for every policy you have in a single statement. Developing this statement will drive conversations in your organization and, when fully fleshed out, this statement directly links the policy to a business purpose and provides a roadmap for policy design. The steps in the [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#overview-of-planning-process) article will help you get started on your policy intent statement.
+You should be able to summarize the business intent for every policy you have in a single statement. Developing this statement will drive conversations in your organization and, when fully fleshed out, this statement directly links the policy to a business purpose and provides a roadmap for policy design. The steps in the [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#overview-of-planning-process) article will help you get started on your policy intent statement.
Remember from [DLP policy configuration overview](dlp-learn-about-dlp.md#dlp-policy-configuration-overview) that all DLP policies require that you: - Choose what you want to monitor - Choose where you want to monitor - Choose the conditions that must be matched for a policy to be applied to an item-- Choose the action to take when the policy conditions are met
+- Choose the action to take when the policy conditions are met
-For example, here's a fictitious first draft of an intent statement that provides answers to all four questions:
+For example, here's a fictitious first draft of an intent statement that provides answers to all four questions:
-*"We are a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPPA that are stored in OneDrive/SharePoint and protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties".*
+*"We are a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPPA that are stored in OneDrive/SharePoint and protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties".*
As you develop a policy design, you'll likely modify and extend the statement.
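Review bot: The re-added intent statement still spells the regulation "HIPPA". The template this article maps it to is linked as "U.S. Health Insurance Act (HIPAA)", so correct the spelling to HIPAA here while the line is being rewritten for whitespace.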
As you develop a policy design, you'll likely modify and extend the statement.
Let's break the example draft statement down and map it to DLP policy configuration points.
-|Statement |Configuration question answered and configuration mapping |
-|||
-| "We are a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPPA... |- **What to monitor**: Office docs, use the [U.S. Health Insurance Act (HIPAA)](what-the-dlp-policy-templates-include.md#us-health-insurance-act-hipaa) template </br>- **Conditions for a match**: (preconfigured but editable) - item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM), content is shared with people outside my organization </br> - drives conversations to clarify the triggering threshold for detection like [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels), and [instance count](dlp-policy-reference.md#content-contains) (called leakage tolerance).|
-|...that are stored in OneDrive/SharePoint and protect against that information being shared Teams chat and channel messages... |- **Where to monitor**: [Location scoping](dlp-policy-reference.md#locations) by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups. |
-|...and restrict everyone from sharing those items with unauthorized third parties." | - **Actions to take**: [You add](dlp-policy-reference.md#actions) *Restrict access or encrypt the content in Microsoft 365 locations* </br> - drives conversation on what actions to take when a policy is triggered including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allow user overrides of a blocking action |
+|Statement|Configuration question answered and configuration mapping|
+|||
+|"We are a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPPA...|- **What to monitor**: Office docs, use the [U.S. Health Insurance Act (HIPAA)](what-the-dlp-policy-templates-include.md#us-health-insurance-act-hipaa) template </br>- **Conditions for a match**: (preconfigured but editable) - item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM), content is shared with people outside my organization </br> - drives conversations to clarify the triggering threshold for detection like [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels), and [instance count](dlp-policy-reference.md#content-contains) (called leakage tolerance).|
+|...that are stored in OneDrive/SharePoint and protect against that information being shared Teams chat and channel messages...|- **Where to monitor**: [Location scoping](dlp-policy-reference.md#locations) by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups.|
+|...and restrict everyone from sharing those items with unauthorized third parties."|- **Actions to take**: [You add](dlp-policy-reference.md#actions) *Restrict access or encrypt the content in Microsoft 365 locations* </br> - drives conversation on what actions to take when a policy is triggered including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allow user overrides of a blocking action|
This example doesn't cover all the configuration points of a DLP policy, it would need to be expanded. But it should get you thinking in the right direction as you develop your own DLP policy intent statements.
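Review bot: The second row of the rewritten mapping table quotes the intent statement as "being shared Teams chat and channel messages", dropping the "in" that the statement itself has ("being shared in Teams chat and channel messages"). Restore it so the quoted fragments match the statement. The first row also carries the "HIPPA" spelling in the same cell pair as the HIPAA template link, and the new rows keep `</br>` where `<br/>` is the valid form.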
This example doesn't cover all the configuration points of a DLP policy, it woul
## Policy Design Process
-1. Complete the steps in:
- 1. [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - by working through this article you will:
- 1. [Identify your stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders)
- 1. [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect)
- 1. [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)
- 1. [Define your policy deployment plan](dlp-overview-plan-for-dlp.md#policy-deployment)
+1. Complete the steps in [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - by working through this article you will:
+ 1. [Identify your stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders)
+ 1. [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect)
+ 1. [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)
+ 1. [Define your policy deployment plan](dlp-overview-plan-for-dlp.md#policy-deployment)
-1. Familiarize yourself with [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) so that you understand all the components of a DLP policy and how each one influences the behavior of a policy.
+2. Familiarize yourself with [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) so that you understand all the components of a DLP policy and how each one influences the behavior of a policy.
-1. Familiarize yourself with [What the DLP policy templates include](what-the-dlp-policy-templates-include.md#what-the-dlp-policy-templates-include).
+3. Familiarize yourself with [What the DLP policy templates include](what-the-dlp-policy-templates-include.md#what-the-dlp-policy-templates-include).
-1. Develop your policy intent statement with your key stakeholders. Refer to the example earlier in this article.
+4. Develop your policy intent statement with your key stakeholders. Refer to the example earlier in this article.
-1. Determine how this policy fits into your overall DLP policy strategy.
+5. Determine how this policy fits into your overall DLP policy strategy.
-> [!IMPORTANT]
-> Policies can't be renamed once they are created. If you must rename a policy, you will have to create a new one with the desired name and retire the old one. So decide on the naming structure that all your policies will use now.
+ > [!IMPORTANT]
+ > Policies can't be renamed once they are created. If you must rename a policy, you will have to create a new one with the desired name and retire the old one. So decide on the naming structure that all your policies will use now.
6. Map the items in your policy intent statement to configuration options. 7. Decide which policy template you will start from, predefined or custom.
-8. Go through the template and assemble all information required before you create the policy. It's likely that you will find that there are some configuration points that aren't covered in your policy intent statement. That's ok. Go back to your stakeholders to iron out the requirements for any missing configuration points.
+8. Go through the template and assemble all information required before you create the policy. It's likely that you will find that there are some configuration points that aren't covered in your policy intent statement. That's ok. Go back to your stakeholders to iron out the requirements for any missing configuration points.
9. Document the configuration of all the policy settings and review them with your stakeholders. You can re-use your policy intent statement mapping to configuration points, which is now fully fleshed out.
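Review bot: The outer list now uses explicit numbers (2. through 5.), but the nested items added under step 1 still use repeated "1." markers, so the procedure mixes two numbering conventions. Pick one for the whole list. The re-added step 8 differs from the removed line only in whitespace, which is worth calling out in the commit description so reviewers don't hunt for a wording change.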
This example doesn't cover all the configuration points of a DLP policy, it woul
<!--## Policy design examples
-|Customer business needs description | approach |
-|||
-|**Contoso Bank** is in a highly regulated industry and has many different types of sensitive items in many different locations. </br> - knows which types of sensitive information are top priority. </br> - must minimize business disruption as policies are rolled out. </br> - has IT resources and can hire experts to help plan, design deploy </br> - has a premier support contract with Microsoft| - Take the time to understand what regulations they must comply with and how they are going to comply. </br> -Take the time to understand the better together value of the Microsoft 365 Information Protection stack </br> - Develop sensitivity labeling scheme for prioritized items and apply </br> - Involve business process owners </br>- Design/code policies, deploy in test mode, train users </br>- repeat|
-|**TailSpin Toys** doesnΓÇÖt know what they have or where it is, and have little to no resource depth. They use Teams, OneDrive for Business and Exchange extensively. |- Start with simple policies on the prioritized locations. </br>- Monitor what gets identified </br>- Apply sensitivity labels accordingly </br>- Refine policies, train users |
-|**Fabrikam** is a small startup and wants to protect its intellectual property, and must move quickly. They are willing to dedicate some resources, but can't afford to hire outside experts. </br>- Sensitive items are all in Microsoft 365 OneDrive for Business/SharePoint </br>- Adoption of OneDrive for Business and SharePoint is slow, employees/shadow IT use DropBox and Google drive to share/store items </br>- Employees value speed of work over data protection discipline </br>- Customer splurged and bought all 18 employees new Windows 10 devices |- Take advantage of the default DLP policy in Teams </br>- Use restricted by default setting for SharePoint items </br>- Deploy policies that prevent external sharing </br>- Deploy policies to prioritized locations </br>- Deploy policies to Windows 10 devices </br>- Block uploads to non-OneDrive for Business cloud storage |
-
+|Customer business needs description|approach|
+|||
+|**Contoso Bank** is in a highly regulated industry and has many different types of sensitive items in many different locations. </br> - knows which types of sensitive information are top priority. </br> - must minimize business disruption as policies are rolled out. </br> - has IT resources and can hire experts to help plan, design deploy </br> - has a premier support contract with Microsoft|- Take the time to understand what regulations they must comply with and how they are going to comply. </br> -Take the time to understand the better together value of the Microsoft 365 Information Protection stack </br> - Develop sensitivity labeling scheme for prioritized items and apply </br> - Involve business process owners </br>- Design/code policies, deploy in test mode, train users </br>- repeat|
+|**TailSpin Toys** doesnΓÇÖt know what they have or where it is, and have little to no resource depth. They use Teams, OneDrive for Business and Exchange extensively.|- Start with simple policies on the prioritized locations. </br>- Monitor what gets identified </br>- Apply sensitivity labels accordingly </br>- Refine policies, train users|
+|**Fabrikam** is a small startup and wants to protect its intellectual property, and must move quickly. They are willing to dedicate some resources, but can't afford to hire outside experts. </br>- Sensitive items are all in Microsoft 365 OneDrive for Business/SharePoint </br>- Adoption of OneDrive for Business and SharePoint is slow, employees/shadow IT use DropBox and Google drive to share/store items </br>- Employees value speed of work over data protection discipline </br>- Customer splurged and bought all 18 employees new Windows 10 devices|- Take advantage of the default DLP policy in Teams </br>- Use restricted by default setting for SharePoint items </br>- Deploy policies that prevent external sharing </br>- Deploy policies to prioritized locations </br>- Deploy policies to Windows 10 devices </br>- Block uploads to non-OneDrive for Business cloud storage|
1. For example: 1. Identify your volume thresholds that your company deems to be low-risk (leakage tolerance), perhaps from unintentional sharing and is an opportunity to educate users and the threshold that is concerning or high-risk for your company that may need immediate attention. - example volume: ΓÇ£Low riskΓÇ¥ for Contoso is 1 credit card number, perhaps it was a personal card that was shared carelessly - example volume: ΓÇ£High riskΓÇ¥ for Contoso is 2 or more credit card numbers. It doesnΓÇÖt feel like a common scenario that an employee would engage in accidentally --
-ΓÇô For each of the sensitive information types listed out, list out **who should have access to that data when itΓÇÖs generated** and **what type of activities should be allowable with that data**
-
+ΓÇô For each of the sensitive information types listed out, list out **who should have access to that data when itΓÇÖs generated** and **what type of activities should be allowable with that data**
<!--(Perhaps this is where we can provide some basic categories, templates, activities and actions that are supported by Microsoft. Some of these items are not discoverable until you are deeper within a policy creation flow. If we provide, we should time stamp it for ΓÇ£last updatedΓÇ¥ or ΓÇ£as of xx/xx/xxxΓÇ¥)
-ΓÇô (Show table with parent-child relationships between categories, templates and sensitive info types that Microsoft supports) Should be gathered from GA Compliance environment-->
+ΓÇô (Show table with parent-child relationships between categories, templates and sensitive info types that Microsoft supports) Should be gathered from GA Compliance environment-->
<!-- - > [!TIP] The more locations you include ensures broader application of the policy and more consistent coverage. If you include locations that are mostly used for internal collaboration, the responsiveness of collaboration may be impacted. - - whether the protective actions you need are supported throught the associated location or if you need to compromise to extend coverage
- - also usefule for identifying the most restrictive actions available
+ - also usefule for identifying the most restrictive actions available
- (we shouldn't mention here that the "content contains" condition is the primary staple for a DLP policy and should be utilized as a starting point for policy creation. The other workload-specific conditions can be ustilized as an extended or granular control of company's DLP policy. Useful for when "too much" data is being restricted and known sensitive data typically falls under certain conditions.) - (We can mention here that their quantitative goal such as "protect X% of data across all locations while maintaining x productivity" can be monitored throught alerts or reports. If protection is too high of working against their established goals, they can come back to policy and tweak their conditions/actions)-- Finally, you should have a union of what, hwo and when to be covered which will easily map to generating a live policy via Microsoft DLP. --
+- Finally, you should have a union of what, hwo and when to be covered which will easily map to generating a live policy via Microsoft DLP.
+-
5. At this stage you should asses how you should start this policy. ***LINK OUT TO DEPLOYING A POLICY COVERED IN THE PLANNING TOPIC TOO*** - Test: your company is very large, conservative or the actions established are pretty restrictive - Test w/ notifications: same as above, but you get to test out investigation cadence or volume
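Review bot: The added lines in this block still carry mis-encoded characters: "doesnΓÇÖt" in the TailSpin Toys row, and "ΓÇô" and "itΓÇÖs" in the "For each of the sensitive information types listed out" line. Other files in this same update replace these sequences with plain apostrophes and hyphens, so apply the same fix here. The added lines also keep the typos "usefule" and "hwo" and introduce an empty "-" bullet after the "Finally, you should have a union" line. The block opens inside an HTML comment ("<!--## Policy design examples"), but it should be cleaned before anyone uncomments it.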
Here are some examples of more detailed policy intent statement to configuration
*We are a national healthcare provider based in the U.S. We need to protect our patientΓÇÖs personal information and prevent it from egressing outside of our companyΓÇÖs borders. We want to limit access to our patientΓÇÖs personal information to only authorized personnel, like our physicians and billing department from our on-premises devices. We've determined that any single instance of any of each information type in any item is not a data risk, but it is a risk when two or more occur in a single item. We have a Microsoft 365 E5 subscription and want to protect all locations and first party apps that are available to us because we canΓÇÖt afford to have any data leaks. If an event occurs or is prevented, we want to alert our compliance admin and educate our end-users where necessary.*
-|Statement |Configuration question answered and configuration mapping |
-|||
-| We are a national healthcare provider based in the U.S. We need to protect our patientΓÇÖs personal information...|- **What to monitor**: All available item types, use the [U.S. Health Insurance Act (HIPAA)](what-the-dlp-policy-templates-include.md#us-health-insurance-act-hipaa) template. </br>- **Conditions for a match**: (preconfigured but editable) - item contains full names, physical addresses, driver's license number, U.S. SSN
-| ...and prevent it from egressing outside of our companyΓÇÖs borders... |- **Actions to take**: Block anyone outside the organization from accessing items, block unintentional sharing by internal users with anyone outside the org.|
-|...We want to limit access to our patientΓÇÖs personal information to only authorized personnel, like our physicians and billing department from our on-premises devices...| - **Actions to take**: - Block access to items, block all activities (upload to cloud, copy to clipboard, copy to USB, copy to network share, access by restricted app, print, copy/move via Bluetooth, copy/move via remote desktop) from Windows devices. </br> - **Where to monitor**: in all Microsoft 365 locations
-| ...We've determined that any single instance of any of each information type in any item is not a data risk, but it is a risk when two or more occur in a single item....| - **Conditions for a match**: (preconfigured but editable) any single item contains more than one of these or any two or more of these: Full Name, U.S. Social Security Number, Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM), Physical Address, U.S. driver's license number. For example, two instanced of Full Name or one instance of a U.S. Social Security Number along with one instance of Drug Enforcement Agency (DEA) number will trigger a match.
+|Statement|Configuration question answered and configuration mapping|
+|||
+|We are a national healthcare provider based in the U.S. We need to protect our patientΓÇÖs personal information...|- **What to monitor**: All available item types, use the [U.S. Health Insurance Act (HIPAA)](what-the-dlp-policy-templates-include.md#us-health-insurance-act-hipaa) template. </br>- **Conditions for a match**: (preconfigured but editable) - item contains full names, physical addresses, driver's license number, U.S. SSN
+|...and prevent it from egressing outside of our companyΓÇÖs borders...|- **Actions to take**: Block anyone outside the organization from accessing items, block unintentional sharing by internal users with anyone outside the org.|
+|...We want to limit access to our patientΓÇÖs personal information to only authorized personnel, like our physicians and billing department from our on-premises devices...|- **Actions to take**: - Block access to items, block all activities (upload to cloud, copy to clipboard, copy to USB, copy to network share, access by restricted app, print, copy/move via Bluetooth, copy/move via remote desktop) from Windows devices. </br> - **Where to monitor**: in all Microsoft 365 locations
+|...We've determined that any single instance of any of each information type in any item is not a data risk, but it is a risk when two or more occur in a single item....|- **Conditions for a match**: (preconfigured but editable) any single item contains more than one of these or any two or more of these: Full Name, U.S. Social Security Number, Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM), Physical Address, U.S. driver's license number. For example, two instanced of Full Name or one instance of a U.S. Social Security Number along with one instance of Drug Enforcement Agency (DEA) number will trigger a match.
, content is shared with people outside my organization </br> - drives conversations to clarify the triggering threshold for detection like [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels), and [instance count](dlp-policy-reference.md#content-contains) (called leakage tolerance).|
-|...that are stored in OneDrive/SharePoint and protect against that information being shared Teams chat and channel messages... |- **Where to monitor**: [Location scoping](dlp-policy-reference.md#locations) by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups. |
-|...and restrict everyone from sharing those items with unauthorized third parties." | - **Actions to take**: [You add](dlp-policy-reference.md#actions) *Restrict access or encrypt the content in Microsoft 365 locations* </br> - drives conversation on what actions to take when a policy is triggered including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allow user overrides of a blocking action |
+|...that are stored in OneDrive/SharePoint and protect against that information being shared Teams chat and channel messages...|- **Where to monitor**: [Location scoping](dlp-policy-reference.md#locations) by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups.|
+|...and restrict everyone from sharing those items with unauthorized third parties."|- **Actions to take**: [You add](dlp-policy-reference.md#actions) *Restrict access or encrypt the content in Microsoft 365 locations* </br> - drives conversation on what actions to take when a policy is triggered including protective actions like sharing restrictions, awareness actions like notifications and alerts, and user empowerment actions like allow user overrides of a blocking action|
--> - ## See Also - [Learn about data loss prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention)
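Review bot: Three of the four added rows in the statement table (the ones starting "We are a national healthcare provider", "...We want to limit access" and "...We've determined that any single instance") have no closing "|", unlike the "...and prevent it from egressing" row, so the table will not render consistently. The unterminated last row is followed by an unchanged fragment beginning ", content is shared with people outside my organization", which looks like leftover text from another row and should be removed or reattached. In the same added rows, "patientΓÇÖs" and "companyΓÇÖs" are still mis-encoded, and "two instanced of Full Name" should read "two instances".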
compliance Exchange Online Uses Tls To Secure Email Connections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections.md
The certificate information used by Exchange Online is described in the followin
| Attribute | Value | |:--|:--|
-|Certificate authority root issuer|DigiCert CA ΓÇô 1|
+|Certificate authority root issuer|DigiCert CA - 1|
|Certificate name|mail.protection.outlook.com| |Organization|Microsoft Corporation| |Organization unit|www.digicert.com|
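Review bot: The new value "DigiCert CA - 1" swaps a mis-encoded dash for a plain hyphen in a row that documents a certificate attribute. Readers may compare this cell against the issuer shown on a presented certificate, so confirm that the hyphen form matches the issuer string exactly before merging.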
compliance How Smtp Dane Works https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/how-smtp-dane-works.md
description: "Learn how SMTP DNS-based Authentication of Named Entities (DANE) w
# How SMTP DNS-based Authentication of Named Entities (DANE) works
-The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. ItΓÇÖs commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This has led to many new standards being created to increase security for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE).
-
-DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there is no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records arenΓÇÖt tampered with and are authentic.
+The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. It's commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This has led to many new standards being created to increase security for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE).
-Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.
+DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there is no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records aren't tampered with and are authentic.
-After receiving the authentic TLSA record, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server's TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isnΓÇÖt supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire and an NDR with error details will be generated and sent to the sender.
+Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.
+
+After receiving the authentic TLSA record, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server's TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isn't supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire and an NDR with error details will be generated and sent to the sender.
## What are the components of DANE? ### TLSA Resource Record
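Review bot: In the re-added opening paragraph, "...for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE)" is a comma splice; write "one of which is" or split the sentence. The retry schedule in the third added paragraph (15 minutes, 15 minutes after that, then hourly for 24 hours, then an NDR) is packed into two long sentences and would be easier to follow as a short list.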
-The TLS Authentication (TLSA) record is used to associate a serverΓÇÖs X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If youΓÇÖre using a DNS provider to host your domain, this may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: [Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11)).
-
+The TLS Authentication (TLSA) record is used to associate a server's X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If you're using a DNS provider to host your domain, this may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: [Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11)).
+ Example TLSA record:
-
+ :::image type="content" source="../media/compliance-trial/example-TLSA-record.png" alt-text="Example TLSA record" lightbox="../media/compliance-trial/example-TLSA-record.png":::
-There are four configurable fields unique to the TLSA record type:
+There are four configurable fields unique to the TLSA record type:
-**Certificate Usage Field**: Specifies how the sending email server should verify the destination email serverΓÇÖs certificate.
+**Certificate Usage Field**: Specifies how the sending email server should verify the destination email server's certificate.
-|Value |Acronym |Description |
-||||
-|0<sup>1</sup> |PKIX-TA |Certificate used is the trust-anchor Public CA from the X.509 trust-chain. |
-|1<sup>1</sup> |PKIX-EE |Certificate checked is the destination server; DNSSEC checks must verify its authenticity. |
-|2 |DANE-TA |Use serverΓÇÖs private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain. |
-|3 |DANE-EE |Only match against the destination serverΓÇÖs certificate. |
+|Value|Acronym|Description|
+||||
+|0<sup>1</sup>|PKIX-TA|Certificate used is the trust-anchor Public CA from the X.509 trust-chain.|
+|1<sup>1</sup>|PKIX-EE|Certificate checked is the destination server; DNSSEC checks must verify its authenticity.|
+|2|DANE-TA|Use server's private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain.|
+|3|DANE-EE|Only match against the destination server's certificate.|
-<sup>1</sup> Exchange Online follows RFC implementation guidance that Certificate Usage Field values of 0 or 1 shouldnΓÇÖt be used when DANE is implemented with SMTP. When a TLSA record that has a Certificate Usage field value of 0 or 1 is returned to Exchange Online, Exchange Online will treat it as not usable. If all TLSA records are found unusable, Exchange Online wonΓÇÖt perform the DANE validation steps for 0 or 1 when sending the email. Instead, because of the presence of a TLSA record, Exchange Online will enforce the use of TLS for sending the email, sending the email if the destination email server supports TLS or dropping the email and generating an NDR if the destination email server doesnΓÇÖt support TLS.
+<sup>1</sup> Exchange Online follows RFC implementation guidance that Certificate Usage Field values of 0 or 1 shouldn't be used when DANE is implemented with SMTP. When a TLSA record that has a Certificate Usage field value of 0 or 1 is returned to Exchange Online, Exchange Online will treat it as not usable. If all TLSA records are found unusable, Exchange Online won't perform the DANE validation steps for 0 or 1 when sending the email. Instead, because of the presence of a TLSA record, Exchange Online will enforce the use of TLS for sending the email, sending the email if the destination email server supports TLS or dropping the email and generating an NDR if the destination email server doesn't support TLS.
-In the example TLSA record, the Certificate Usage Field is set to ‘3’, so the Certificate Association Data (‘abc123…xyz789’) would be matched against the destination server’s certificate only.
+In the example TLSA record, the Certificate Usage Field is set to '3', so the Certificate Association Data ('abc123...xyz789') would be matched against the destination server's certificate only.
-**Selector field**: Indicates which parts of the destination serverΓÇÖs certificate should be checked.
+**Selector field**: Indicates which parts of the destination server's certificate should be checked.
-|Value |Acronym |Description |
-||||
-|0 |Cert |Use full certificate. |
-|1 |SPKI (Subject Public Key Info) |Use certificateΓÇÖs public key and the algorithm with which the public key is identified to use. |
+|Value|Acronym|Description|
+||||
+|0|Cert|Use full certificate.|
+|1|SPKI (Subject Public Key Info)|Use certificate's public key and the algorithm with which the public key is identified to use.|
-In the example TLSA record, the Selector Field is set to ΓÇÿ1ΓÇÖ so the Certificate Association Data would be matched using the destination server certificateΓÇÖs public key and the algorithm with which the public key is identified to use.
+In the example TLSA record, the Selector Field is set to '1' so the Certificate Association Data would be matched using the destination server certificate's public key and the algorithm with which the public key is identified to use.
-**Matching Type Field**: Indicates the format the certificate will be represented in the TLSA record.
+**Matching Type Field**: Indicates the format the certificate will be represented in the TLSA record.
-|Value |Acronym |Description |
-||||
-|0 |Full |The data in the TSLA record is the full certificate or SPKI. |
-|1 |SHA-256 |The data in the TSLA record is a SHA-256 hash of either the certificate or the SPKI. |
-|2 |SHA-512 |The data in the TSLA record is a SHA-512 hash of either the certificate or the SPKI. |
+|Value|Acronym|Description|
+||||
+|0|Full|The data in the TSLA record is the full certificate or SPKI.|
+|1|SHA-256|The data in the TSLA record is a SHA-256 hash of either the certificate or the SPKI.|
+|2|SHA-512|The data in the TSLA record is a SHA-512 hash of either the certificate or the SPKI.|
-In the example TLSA record, the Matching Type Field is set to ΓÇÿ1ΓÇÖ so the Certificate Association Data is a SHA-256 hash of the Subject Public Key Info from the destination server certificate
+In the example TLSA record, the Matching Type Field is set to '1' so the Certificate Association Data is a SHA-256 hash of the Subject Public Key Info from the destination server certificate
**Certificate Association Data**: Specifies the certificate data that is used for matching against the destination server certificate. This data depends on the Selector Field value and the Matching Type Value.
-In the example TLSA record, the Certificate Association data is set to ‘abc123…xyz789’. Since the Selector Field value in the example is set to '1’, it would reference the destination server certificate’s public key and the algorithm that is identified to be used with it. And since the Matching Type field value in the example is set to ‘1’, it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
+In the example TLSA record, the Certificate Association data is set to 'abc123..xyz789'. Since the Selector Field value in the example is set to '1', it would reference the destination server certificate's public key and the algorithm that is identified to be used with it. And since the Matching Type field value in the example is set to '1', it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
## How can Exchange Online customers use SMTP DANE Outbound?
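Review bot: The three added Matching Type rows still spell the record type "TSLA" ("The data in the TSLA record is ..."); it should read "TLSA" as everywhere else in the section, and these rows are being rewritten anyway. The added sentence ending "from the destination server certificate" is still missing its full stop, and the example value changed from an ellipsis to two dots ('abc123..xyz789'), which reads as a typo; use three dots or an explicit placeholder.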
-As an Exchange Online customer, there isn't anything you need to do to configure this enhanced email security for your outbound email. This is something we have built for you and it is on by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
+As an Exchange Online customer, there isn't anything you need to do to configure this enhanced email security for your outbound email. This is something we have built for you and it is on by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
## How can Exchange Online customers use SMTP DANE inbound?
-Currently, inbound SMTP DANE isnΓÇÖt supported for Exchange Online. Support is anticipated to be released at the end of 2022.
+Currently, inbound SMTP DANE isn't supported for Exchange Online. Support is anticipated to be released at the end of 2022.
## What is the recommended TLSA record configuration?
-Per RFC implementation guidance for SMTP DANE, a TLSA record composed of the Certificate Usage field set to 3, the Selector field set to 1, and the Matching Type field set to 1 is recommended.
+Per RFC implementation guidance for SMTP DANE, a TLSA record composed of the Certificate Usage field set to 3, the Selector field set to 1, and the Matching Type field set to 1 is recommended.
-## Exchange Online Mail Flow with SMTP DANE
+## Exchange Online Mail Flow with SMTP DANE
-The mail flow process for Exchange Online with SMTP DANE, shown in the flow chart below, validates domain and resource record security through DNSSEC, TLS support on the destination mail server, and that the destination mail serverΓÇÖs certificate matches what is expected based on its associated TLSA record.
+The mail flow process for Exchange Online with SMTP DANE, shown in the flow chart below, validates domain and resource record security through DNSSEC, TLS support on the destination mail server, and that the destination mail server's certificate matches what is expected based on its associated TLSA record.
There are only two scenarios where an SMTP DANE failure will result in the email being blocked: -- The destination domain signaled DNSSEC support but one or more records were returned as inauthentic.
+- The destination domain signaled DNSSEC support but one or more records were returned as inauthentic.
-- All MX records for the destination domain have TLSA records and none of the destination serverΓÇÖs certificates match what was expected per the TSLA record data, or a TLS connection isnΓÇÖt supported by the destination server.
+- All MX records for the destination domain have TLSA records and none of the destination server's certificates match what was expected per the TSLA record data, or a TLS connection isn't supported by the destination server.
:::image type="content" source="../media/compliance-trial/mail-flow-smtp-dane.png" alt-text="Exchange online mail flow with SMTP DANE" lightbox="../media/compliance-trial/mail-flow-smtp-dane.png":::
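Review bot: In the second blocked-mail bullet the added line keeps "per the TSLA record data"; that should be "TLSA". In the same region, "Per RFC implementation guidance for SMTP DANE" recommends usage 3, selector 1, matching type 1 without naming the RFC; link it the way the TLS-RPT section links RFC8460, so a reader can check the recommendation at its source.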
-## Related Technologies
+## Related Technologies
-|Technology |Additional Information |
-|||
-|**Mail Transfer Agent ΓÇô Strict Transport Security (MTA-STS)** helps thwart downgrade and Man-in-the-Middle attacks by providing a mechanism for setting domain policies that specify whether the destination email server supports TLS and what to do when TLS canΓÇÖt be negotiated, for example stop the transmission. |More information about Exchange OnlineΓÇÖs upcoming support for inbound and outbound MTA-STS will be published later this year. [Exchange Online Transport News from Microsoft Ignite 2020 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699)<br /><br />[rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461) |
-|**Sender Policy Framework (SPF)** uses IP information to ensure that destination email systems trust messages sent from your custom domain. | [How Sender Policy Framework (SPF) prevents spoofing - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing) |
-|**DomainKeys Identified Mail (DKIM)** uses X.509 certificate information to ensure that destination email systems trust messages sent outbound from your custom domain. | [How to use DKIM for email in your custom domain - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email) |
-|**Domain-based Message Authentication, Reporting, and Conformance (DMARC)** works with Sender Policy Framework and DomainKeys Identified Mail to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. | [Use DMARC to validate email, setup steps - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email) |
+|Technology|Additional Information|
+|||
+|**Mail Transfer Agent - Strict Transport Security (MTA-STS)** helps thwart downgrade and Man-in-the-Middle attacks by providing a mechanism for setting domain policies that specify whether the destination email server supports TLS and what to do when TLS can't be negotiated, for example stop the transmission.|More information about Exchange Online's upcoming support for inbound and outbound MTA-STS will be published later this year. <br/><br/> [Exchange Online Transport News from Microsoft Ignite 2020 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699) <br/><br/> [rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461)|
+|**Sender Policy Framework (SPF)** uses IP information to ensure that destination email systems trust messages sent from your custom domain.|[How Sender Policy Framework (SPF) prevents spoofing - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing)|
+|**DomainKeys Identified Mail (DKIM)** uses X.509 certificate information to ensure that destination email systems trust messages sent outbound from your custom domain.|[How to use DKIM for email in your custom domain - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email)|
+|**Domain-based Message Authentication, Reporting, and Conformance (DMARC)** works with Sender Policy Framework and DomainKeys Identified Mail to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.|[Use DMARC to validate email, setup steps - Office 365 - Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)|
## Troubleshooting Sending Emails with SMTP DANE Currently, there are four error codes for DANE when sending emails with Exchange Online. Microsoft is actively updating this error code list. The errors will be visible in:
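Review bot: The DKIM row of the Related Technologies table still says DKIM "uses X.509 certificate information"; DKIM signatures are verified with a public key published in a DNS TXT record, not with an X.509 certificate, so the row should be reworded while it is being touched. The MTA-STS row's "will be published later this year" is a relative date sitting next to a link to an Ignite 2020 post; state the year or drop the sentence.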
-1. The Exchange Admin Center portal through the Message Trace Details view.
-2. NDRs generated when a message isnΓÇÖt sent due to a DANE or DNSSEC failure.
-3. Remote Connectivity Analyzer tool [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365).
-|NDR Code |Description |
-|||
-|5.7.321 |starttls-not-supported: Destination mail server must support TLS to receive mail. |
-|5.7.322 |certificate-expired: Destination mail server's certificate is expired. |
-|5.7.323 |tlsa-invalid: The domain failed DANE validation. |
-|5.7.324 |dnssec-invalid: Destination domain returned invalid DNSSEC records. |
+1. The Exchange Admin Center portal through the Message Trace Details view.
+2. NDRs generated when a message isn't sent due to a DANE or DNSSEC failure.
+3. Remote Connectivity Analyzer tool [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365).
+
+|NDR Code|Description|
+|||
+|5.7.321|starttls-not-supported: Destination mail server must support TLS to receive mail.|
+|5.7.322|certificate-expired: Destination mail server's certificate is expired.|
+|5.7.323|tlsa-invalid: The domain failed DANE validation.|
+|5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
### Troubleshooting 5.7.321 starttls-not-supported This usually indicates an issue with the destination mail server. After receiving the message:
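Review bot: The NDR table added here lists the codes as 5.7.321 through 5.7.324, while the table in the receiving section lists the same four as 4/5.7.321 through 4/5.7.324 and words 5.7.322 as "has expired" rather than "is expired". Either make the two tables identical or add a sentence saying when the 4.x form is returned, so an admin matching a code from an NDR or Message Trace knows both tables describe the same failures.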
-1. Check that the destination email address was entered correctly.
-2. Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS.
-3. Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
+
+1. Check that the destination email address was entered correctly.
+2. Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS.
+3. Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
### Troubleshooting 5.7.322 certificate-expired A valid X.509 certificate that hasn't expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
-1. Alert the destination email administrator that you received this error code and provide the error code string.
-2. Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
+1. Alert the destination email administrator that you received this error code and provide the error code string.
+2. Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
### Troubleshooting 5.7.323 tlsa-invalid This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TLSA record has been returned. There are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
-1. The destination mail server's certificate doesnΓÇÖt match with what is expected per the authentic TLSA record.
-2. Authentic TLSA record is misconfigured.
-3. The destination domain is being attacked.
-4. Any other DANE failure.
+1. The destination mail server's certificate doesn't match with what is expected per the authentic TLSA record.
+2. Authentic TLSA record is misconfigured.
+3. The destination domain is being attacked.
+4. Any other DANE failure.
After receiving the message:
After receiving the message:
### Troubleshooting 5.7.324 dnssec-invalid
-This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasnΓÇÖt able to verify it as DNSSEC-authentic.
+This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasn't able to verify it as DNSSEC-authentic.
After receiving the message: 1. Alert the destination email administrator that you received this error code and provide them the error code string.
-2. Allow time for the destination email admin to review their domainΓÇÖs DNSSEC configuration. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
+2. Allow time for the destination email admin to review their domain's DNSSEC configuration. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
## Troubleshooting Receiving Emails with SMTP DANE
-Currently, there are two methods an admin of a receiving domain can use to validate and troubleshoot their DNSSEC and DANE configuration to receive email from Exchange Online using these standards.
+Currently, there are two methods an admin of a receiving domain can use to validate and troubleshoot their DNSSEC and DANE configuration to receive email from Exchange Online using these standards.
-1. Adopt SMTP TLS-RPT (Transport Layer Security Reporting) introduced in [RFC8460](https://datatracker.ietf.org/doc/html/rfc8460)
+1. Adopt SMTP TLS-RPT (Transport Layer Security Reporting) introduced in [RFC8460](https://datatracker.ietf.org/doc/html/rfc8460)
2. Use the Remote Connectivity Analyzer tool [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365)
-TLS-RPT [https://datatracker.ietf.org/doc/html/rfc8460](https://datatracker.ietf.org/doc/html/rfc8460) is a reporting mechanism for senders to provide details to destination domain administrators about DANE and MTA-STS successes and failures with those respective destination domains. To receive TLS-RPT reports, you only need to add a TXT record in your domain's DNS records that includes the email address or URI you would like the reports to be sent to. Exchange Online will send TLS-RPT reports in JSON format.
+TLS-RPT [https://datatracker.ietf.org/doc/html/rfc8460](https://datatracker.ietf.org/doc/html/rfc8460) is a reporting mechanism for senders to provide details to destination domain administrators about DANE and MTA-STS successes and failures with those respective destination domains. To receive TLS-RPT reports, you only need to add a TXT record in your domain's DNS records that includes the email address or URI you would like the reports to be sent to. Exchange Online will send TLS-RPT reports in JSON format.
Example record: :::image type="content" source="../media/compliance-trial/example-record.png" alt-text="Example record" lightbox="../media/compliance-trial/example-record.png":::
-The second method is to use the Remote Connectivity Analyzer [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365), which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
+The second method is to use the Remote Connectivity Analyzer [Microsoft Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/tests/o365), which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
When troubleshooting, the below error codes may be generated:
-|NDR Code |Description |
-|||
-|4/5.7.321 |starttls-not-supported: Destination mail server must support TLS to receive mail. |
-|4/5.7.322 |certificate-expired: Destination mail server's certificate has expired. |
-|4/5.7.323 |tlsa-invalid: The domain failed DANE validation. |
-|4/5.7.324 |dnssec-invalid: Destination domain returned invalid DNSSEC records. |
+|NDR Code|Description|
+|||
+|4/5.7.321|starttls-not-supported: Destination mail server must support TLS to receive mail.|
+|4/5.7.322|certificate-expired: Destination mail server's certificate has expired.|
+|4/5.7.323|tlsa-invalid: The domain failed DANE validation.|
+|4/5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
### Troubleshooting 5.7.321 starttls-not-supported > [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
-This usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
+This usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
+
+1. The destination mail server doesn't support secure communication at all, and plain, non-encrypted communication must be used.
+2. The destination server is configured improperly and ignores the STARTTLS command.
-1. The destination mail server doesnΓÇÖt support secure communication at all, and plain, non-encrypted communication must be used.
-2. The destination server is configured improperly and ignores the STARTTLS command.
-
After receiving the message: 1. Check the email address. 2. Locate the IP address that is associated with the error statement so you can identify the mail server the statement is associated with.
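Review bot: The blank line that used to follow the two-item scenario list is removed and a blank line is added before the list instead, so item 2 ("ignores the STARTTLS command.") now runs straight into "After receiving the message:", which Markdown will treat as a continuation of item 2. Keep a blank line on both sides of the list. The added paragraph also still carries the fragment "The mail server that the Remote Connectivity Analyzer is testing connecting with."; fold it into the previous sentence.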
-3. Check your mail serverΓÇÖs setting to make sure itΓÇÖs configured to listen for SMTP traffic (commonly ports 25 and 587).
+3. Check your mail server's setting to make sure it's configured to listen for SMTP traffic (commonly ports 25 and 587).
4. Wait a few minutes, then retry the test with the Remote Connectivity Analyzer tool. 5. If it still fails, then try removing the TLSA record and run the test with the Remote Connectivity Analyzer tool again.
-6. If there are no failures, this may indicate the mail server youΓÇÖre using to receive mail doesnΓÇÖt support STARTTLS and you may need to upgrade to one that does in order to use DANE.
+6. If there are no failures, this may indicate the mail server you're using to receive mail doesn't support STARTTLS and you may need to upgrade to one that does in order to use DANE.
### Troubleshooting 5.7.322 certificate-expired > [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
-A valid X.509 certificate that hasnΓÇÖt expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
+A valid X.509 certificate that hasn't expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
-1. Check the IP that is associated with the error statement, so you can identify the mail server itΓÇÖs associated with. Locate the expired certificate on the email server you identified.
+1. Check the IP that is associated with the error statement, so you can identify the mail server it's associated with. Locate the expired certificate on the email server you identified.
2. Log in to your certificate provider's website. 3. Select the expired certificate and follow the instructions to renew and to pay for the renewal. 4. After your provider has verified the purchase, you may download a new certificate. 5. Install the renewed certificate into its associated mail server.
-6. Update the mail serverΓÇÖs associated TLSA record with the new certificateΓÇÖs data.
+6. Update the mail server's associated TLSA record with the new certificate's data.
7. After waiting an appropriate amount of time, retry the test with the Remote Connectivity Analyzer tool. ### Troubleshooting 5.7.323 tlsa-invalid
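Review bot: Steps 5 and 6 install the renewed certificate first and update the TLSA record afterwards, which leaves a window in which the server presents a certificate the published TLSA record does not match, the condition the page lists under 5.7.323 tlsa-invalid. Reorder so the TLSA record for the new certificate is published, alongside the existing one, before the certificate is installed. With the recommended selector 1 and matching type 1 the step should also say the record only changes when the renewal generates a new key pair, since the record then holds a hash of the public key rather than of the whole certificate.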
A valid X.509 certificate that hasnΓÇÖt expired must be presented to the sending
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TSLA record has been returned. But, there are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code: 1. Authentic TLSA record is misconfigured.
-2. The certificate isnΓÇÖt yet time valid/configured for a future time window.
+2. The certificate isn't yet time valid/configured for a future time window.
3. Destination domain is being attacked. 4. Any other DANE failure. After receiving the message:
-1. Check the IP that is associated with the error statement to identify the mail server itΓÇÖs associated with.
-2. Identify the TLSA record that is associated with the identified mail server.
-3. Verify the configuration of the TLSA record to ensure that it signals the sender to perform the preferred DANE checks and that the correct certificate data has been included in the TLSA record.
- 1. If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool.
+1. Check the IP that is associated with the error statement to identify the mail server it's associated with.
+2. Identify the TLSA record that is associated with the identified mail server.
+3. Verify the configuration of the TLSA record to ensure that it signals the sender to perform the preferred DANE checks and that the correct certificate data has been included in the TLSA record.
+ 1. If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool.
4. Locate the certificate on the identified mail server.
-5. Check the time window for which the certificate is valid. If itΓÇÖs set to start validity at a future date, it needs to be renewed for the current date.
+5. Check the time window for which the certificate is valid. If it's set to start validity at a future date, it needs to be renewed for the current date.
1. Log in to your certificate provider's website. 2. Select the expired certificate and follow the instructions to renew and to pay for the renewal. 3. After your provider has verified the purchase, you may download a new certificate.
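Review bot: Added step 5 covers a certificate whose validity starts at a future date, but the sub-steps that follow tell the admin to "Select the expired certificate"; a not-yet-valid certificate is not expired, so the sub-steps should refer to the certificate located in step 4. "It needs to be renewed for the current date" would also be clearer as a request to reissue it with a validity period that includes the current date.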
After receiving the message:
> [!NOTE] > These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
-This error code is generated when the destination domain indicated itΓÇÖs DNSSEC-authentic but Exchange Online isnΓÇÖt able to verify it as DNSSEC-authentic. This section wonΓÇÖt be comprehensive for troubleshooting DNSSEC issues and focuses on scenarios where domains previously passed DNSSEC authentication but not now.
+This error code is generated when the destination domain indicated it's DNSSEC-authentic but Exchange Online isn't able to verify it as DNSSEC-authentic. This section won't be comprehensive for troubleshooting DNSSEC issues and focuses on scenarios where domains previously passed DNSSEC authentication but not now.
After receiving the message:
-1. If youΓÇÖre using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change.
-2. If youΓÇÖre managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:
- 1. Broken trust chain, when the parent zone holds a set of DS records that point to something that doesnΓÇÖt exist in the child zone. This results in the child zone being marked as bogus by validating resolvers.
- - Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone.
- 2. RRSIG resource record for the domain isnΓÇÖt time valid, it has either expired or its validity period hasnΓÇÖt begun.
- - Resolve by generating new signatures for the domain using valid timespans.
+1. If you're using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change.
+2. If you're managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:
+ 1. Broken trust chain, when the parent zone holds a set of DS records that point to something that doesn't exist in the child zone. This results in the child zone being marked as bogus by validating resolvers.
+ - Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone.
+ 2. RRSIG resource record for the domain isn't time valid, it has either expired or its validity period hasn't begun.
+ - Resolve by generating new signatures for the domain using valid timespans.
## Frequently Asked Questions ### As an Exchange Online customer, can I opt out of using DNSSEC and/or DANE?
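Review bot: The broken-trust-chain fix tells the admin to compare "the child domains RRSIG key IDs" with the key IDs in the parent's DS records, but a DS record identifies a DNSKEY in the child zone, and most RRSIGs in a zone carry the zone-signing key's ID, which has no DS record. Name the DNSKEY (the key-signing key) as the thing to compare, and fix the missing apostrophe in "child domains". The RRSIG item also joins two clauses with a comma ("isn't time valid, it has either expired ..."); split it or use a colon.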
-We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. WeΓÇÖve worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for M365 customers. WeΓÇÖll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out wonΓÇÖt be available.
-If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and youΓÇÖll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards.
+We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. We've worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for M365 customers. We'll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out won't be available.
+If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and you'll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards.
### How does DNSSEC relate to DANE?
-DNSSEC adds a layer of trust into DNS resolution by leveraging the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
+DNSSEC adds a layer of trust into DNS resolution by leveraging the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
### What is the difference between MTA-STS and DANE for SMTP?
-DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authentication while MTA-STS relies on certificate authorities.
+DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authentication while MTA-STS relies on certificate authorities.
### Why isn't Opportunistic TLS sufficient?
-Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor's endpoint instead of the real endpoint for the domain. This is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
+Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor's endpoint instead of the real endpoint for the domain. This is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
### Why isn't DNSSEC sufficient?
-DNSSEC isnΓÇÖt fully resistant to Man-in-the-Middle attacks and downgrade (from TLS to clear text) attacks for mail flow scenarios. The addition of MTA-STS and DANE along with DNSSEC provides a comprehensive security method to thwart both MITM and downgrade attacks.
+DNSSEC isn't fully resistant to Man-in-the-Middle attacks and downgrade (from TLS to clear text) attacks for mail flow scenarios. The addition of MTA-STS and DANE along with DNSSEC provides a comprehensive security method to thwart both MITM and downgrade attacks.
-## Additional Links
+## Additional Links
[Find and fix issues after adding your domain or DNS records](/microsoft-365/admin/get-help-with-domains/find-and-fix-issues)
-[Overview of DNSSEC | Microsoft Docs ](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11))
+[Overview of DNSSEC | Microsoft Docs](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200221(v=ws.11))
[Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
DNSSEC isnΓÇÖt fully resistant to Man-in-the-Middle attacks and downgrade (from
[Exchange Online Transport News from Microsoft Ignite 2020 - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-transport-news-from-microsoft-ignite-2020/ba-p/1687699)
-[rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461)
+[rfc8461 (ietf.org)](https://datatracker.ietf.org/doc/html/rfc8461)
compliance Import Hr Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/import-hr-data.md
Here's an example of a CSV file for job level changes data.
```text EmailAddress,EffectiveDate,OldLevel,NewLevel
-sarad@contoso.com,2019-04-23T15:18:02.4675041+05:30,Level 61 ΓÇô Sr. Manager,Level 60- Manager
-pillar@contoso.com,2019-04-23T15:18:02.4675041+05:30,Level 62 ΓÇô Director,Level 60- Sr. Manager
+sarad@contoso.com,2019-04-23T15:18:02.4675041+05:30,Level 61 - Sr. Manager,Level 60- Manager
+pillar@contoso.com,2019-04-23T15:18:02.4675041+05:30,Level 62 - Director,Level 60- Sr. Manager
``` The following table describes each column in the CSV file for job level changes data.
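Review bot: The NewLevel values on the two "+" rows keep the old spacing ("Level 60- Manager", "Level 60- Sr. Manager") while OldLevel now reads "Level 61 - Sr. Manager" and "Level 62 - Director". Use the same " - " separator in both columns so the sample CSV is consistent.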
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
The **User activity** chart is one of the most powerful tools for internal risk
- The **risk activity category**. For example, *Email(s) with attachments sent outside the organization* or *File(s) downloaded from SharePoint Online*. - **Risk score** for the alert. This score is the numerical score for the alert risk severity level. - Number of events associated with the alert. Links to each file or email associated with the risk activity are also available.
-3. **Filters and sorting (preview)**:
+3. **Filters and sorting (preview)**:
- **Risk category**: Filter activities by the following risk categories: *Activities with risk scores > 15 (unless in a sequence)* and *Sequence activities*. - **Activity Type**: Filter activities by the following types: *Access*, *Deletion*, *Collection*, *Exfiltration*, *Infiltration*, *Obfuscation*, and *Security*. - **Sort by**: List the timeline activities by *Date occurred* or *Risk score*.
The **User activity** chart is one of the most powerful tools for internal risk
- **Number of events associated with each alert in the sequence**. Links to each file or email associated with each risk activity are also available. - **Show activities in sequence**. Displays sequence as a highlight line on the bubble chart and expands the alert details to display all related alerts in the sequence.
-4. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
-5. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
-6. **Case actions**: Options for resolving the case are on the case action toolbar. When viewing in a case, you can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
+5. **Risk activity legend**: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
+6. **Risk activity chronology**: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
+7. **Case actions**: Options for resolving the case are on the case action toolbar. When viewing in a case, you can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
## Activity explorer
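Review bot: The renumbering moves the last three items from 4, 5, 6 to 5, 6, 7, but the closest earlier item visible in this diff is "3. **Filters and sorting (preview)**". Confirm that an item numbered 4 sits between them in the file; if it does not, the list now skips a number. While touching item 6, "The full chronology of all risk alerts ... are listed" should read "is listed".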
To filter alerts on the Activity explorer for column information, select the Fil
Use the Activity scope and Risk insight filters to display and sort activities and insights for the following areas. - **Activity scope filters**: Filters all scored activities for the user.
- - All scored activity for this user
- - Only scored activity in this alert
+ - All scored activity for this user
+ - Only scored activity in this alert
- **Risk factor filters**: Filters for risk factor activity applicable for all policies assigning risk scores This includes all activity for all policies for in-scope users.
- - Unusual activity
- - Includes events with priority content
- - Includes events with unallowed domain
- - Sequence activities
- - Cumulative exfiltration activities
- - Health record access activities
+ - Unusual activity
+ - Includes events with priority content
+ - Includes events with unallowed domain
+ - Sequence activities
+ - Cumulative exfiltration activities
+ - Health record access activities
![Insider risk management activity explorer overview.](../media/insider-risk-activity-explorer.png)
As insider risk management alerts age, their value to minimize risky activity di
To help minimize the number of older items that provide limited current value, the following retention and limits apply for insider risk management alerts, cases, and user activity reports:
-|**Item**|**Retention/Limit**|
-|:-|:|
-| Alerts with Needs review status | 120 days from alert creation, then automatically deleted |
-| Active cases (and associated artifacts) | Indefinite retention, never expire |
-| Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted |
-| Maximum number of active cases | 100 |
-| User activities reports | 120 days from activity detection, then automatically deleted |
+|Item|Retention/Limit|
+|||
+|Alerts with Needs review status|120 days from alert creation, then automatically deleted|
+|Active cases (and associated artifacts)|Indefinite retention, never expire|
+|Resolved cases (and associated artifacts)|120 days from case resolution, then automatically deleted|
+|Maximum number of active cases|100|
+|User activities reports|120 days from activity detection, then automatically deleted|
## Get help managing your insider risk alert queue
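Review bot: The delimiter row on the "+" side is shown as "|||" with no dashes (the old one shows as "|:-|:|"), which may only be how this page renders runs of dashes. Verify in the committed file that every column of the delimiter row still has its dashes, because without them the rows render as plain text rather than a table. The row label "User activities reports" also differs from "user activity reports" in the sentence that introduces the table.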
compliance Insider Risk Management Browser Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-browser-support.md
Before adding the Microsoft DLP Chrome extension to the list of force installed
- OMA-URI: *./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist* - Data type: *String*
- - Value: *\<enabled/\>\<data id=”ExtensionInstallForcelistDesc” value=”1&\#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx″/\>*
+ - Value: *\<enabled/\>\<data id="ExtensionInstallForcelistDesc" value="1&\#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx"/\>*
9. Select **Create**.
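Review bot: The Value line is still emphasis text with backslash escapes (\<, \>, &\#xF000;), and administrators paste this string verbatim into the OMA-URI setting. Replacing the curly quotes with straight quotes fixes the pasted XML, but putting the value in a code span or fenced block would render it literally and keep quotes from being restyled again. Also confirm that the space between "&\#xF000;" and the extension ID is intended.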
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
Depending on how you wish to manage insider risk management policies and alerts,
You'll choose from these role group options and solution actions when working with insider risk management:
-|**Actions**|**Insider Risk Management**|**Insider Risk Management Admin**|**Insider Risk Management Analysts**|**Insider Risk Management Investigators**|**Insider Risk Management Auditors**|
-|:-|:--|:--|:--|:-|:--|
-| Configure policies and settings | Yes | Yes | No | No | No |
-| Access analytics insights | Yes | Yes | Yes | No | No |
-| Access & investigate alerts | Yes | No | Yes | Yes | No |
-| Access & investigate cases | Yes | No | Yes | Yes | No |
-| Access & view the Content Explorer | Yes | No | No | Yes | No |
-| Configure notice templates | Yes | No | Yes | Yes | No |
-| View & export audit logs | Yes | No | No | No | Yes |
-
->[!IMPORTANT]
->Make sure you always have at least one user in the *Insider Risk Management* or *Insider Risk Management Admin* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
+|Actions|Insider Risk Management|Insider Risk Management Admin|Insider Risk Management Analysts|Insider Risk Management Investigators|Insider Risk Management Auditors|
+|||||||
+|Configure policies and settings|Yes|Yes|No|No|No|
+|Access analytics insights|Yes|Yes|Yes|No|No|
+|Access & investigate alerts|Yes|No|Yes|Yes|No|
+|Access & investigate cases|Yes|No|Yes|Yes|No|
+|Access & view the Content Explorer|Yes|No|No|Yes|No|
+|Configure notice templates|Yes|No|Yes|Yes|No|
+|View & export audit logs|Yes|No|No|No|Yes|
+
+> [!IMPORTANT]
+> Make sure you always have at least one user in the *Insider Risk Management* or *Insider Risk Management Admin* role groups (depending on the option you choose) so that your insider risk management configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
Members of the following roles can assign users to insider risk management role groups and have the same solution permissions included with the *Insider Risk Management Admin* role group:
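Review bot: The reformatted IMPORTANT note still reads "doesn't get in to a 'zero administrator' scenario"; since the line is being rewritten anyway, change "in to" to "into". The role table drops the bold header cells and alignment markers without changing any Yes/No value, so no permission statement changes here; worth saying so in the commit description for reviewers of an access-control table.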
DLP policies help identify users to activate risk scoring in insider risk manage
> [!IMPORTANT] >Make sure you've completed the following: >
->- You understand and properly configure the in-scope users in both the DLP and insider risk management policies to produce the policy coverage you expect.
->- Make sure the **Incident reports** setting in the DLP policy for insider risk management used with these templates are configured for *High* severity level alerts. Insider risk management alerts won't be generated from DLP policies with the **Incident reports** field set at *Low* or *Medium*.
+> - You understand and properly configure the in-scope users in both the DLP and insider risk management policies to produce the policy coverage you expect.
+> - Make sure the **Incident reports** setting in the DLP policy for insider risk management used with these templates are configured for *High* severity level alerts. Insider risk management alerts won't be generated from DLP policies with the **Incident reports** field set at *Low* or *Medium*.
A DLP policy is optional when using the following policy templates:
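Review bot: In the second "+" bullet the verb does not agree with its subject: "the **Incident reports** setting ... are configured for *High* severity level alerts" should read "is configured". The unchanged first line of the callout (">Make sure you've completed the following:") also still lacks the space after ">" that this change adds to the bullets.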
Insider risk management policies include assigned users and define which types o
- **Sensitive info type**: Select **Add sensitive info type** and select the sensitivity types you want to prioritize. For example, *"U.S. Bank Account Number"* and *"Credit Card Number"*. - **Sensitivity labels**: Select **Add sensitivity label** and select the labels you want to prioritize. For example, *"Confidential"* and *"Secret"*.
- >[!NOTE]
- >Users configuring the policy and selecting priority Share Point sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.
+ > [!NOTE]
+ > Users configuring the policy and selecting priority Share Point sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.
12. Select **Next** to continue. 13. If you've selected the *General data leaks* or *Data leaks by priority users* templates, you'll see options on the **Triggers** for this policy page for custom-triggering events and policy indicators. You have the choice to select a DLP policy or indicators for triggering events that bring users assigned to the policy in-scope for activity scoring. If you select the **User matches a data loss prevention (DLP) policy triggering event** option, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the DLP Policy for this insider risk management policy. If you select the **User performs an exfiltration activity triggering event** option, you must select one or more of the listed indicators for the policy triggering event.
- >[!IMPORTANT]
- >If you're unable to select a listed indicator, it's because they aren't enabled for your organization. To make them available to select and assign to the policy, enable the indicators in **Insider risk management** > **Settings** > **Policy indicators**.
+
+ > [!IMPORTANT]
+ > If you're unable to select a listed indicator, it's because they aren't enabled for your organization. To make them available to select and assign to the policy, enable the indicators in **Insider risk management** > **Settings** > **Policy indicators**.
If you've selected other policy templates, custom triggering events aren't supported. The built-in policy triggering events apply and you'll continue to Step 23 without defining policy attributes. 14. Select **Next** to continue.
-15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
+15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
16. Select **Next** to continue.
-17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
+17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
18. Select **Next** to continue. 19. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
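Review bot: The reformatted NOTE keeps the typo "priority Share Point sites"; write "SharePoint" as in the rest of the sentence. Step 15 also names the option "**User performs an exfiltration activity and associated indicators**" while step 13 calls it "**User performs an exfiltration activity triggering event**"; use the label shown in the UI in both places.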
Insider risk management policies include assigned users and define which types o
If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy. 20. Select **Next** to continue.
-21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
+21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
22. Select **Next** to continue. 23. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
Depending on the template you choose for an insider risk management policy, the
The following table lists the triggering events and prerequisites for policies created from each insider risk management policy template:
-| **Policy template** | **Triggering events for policies** | **Prerequisites** |
-| : | : | :- |
-| **Data theft by departing users** | Resignation or termination date indicator from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators |
-| **General data leaks** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators |
-| **Data leaks by priority users** | Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers | DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators <br><br> Priority user groups configured in insider risk settings |
-| **Data leaks by disgruntled users** | Performance improvement, poor performance, or job level change indicators from HR connector | Microsoft 365 HR connector configured for disgruntlement indicators |
-| **General security policy violations** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
-| **General patient data misuse** | Defense evasion of security controls from EMR systems <br><br> User and patient address matching indicators from HR systems | Healthcare access indicators selected in policy or insider risk settings <br><br> Microsoft 365 HR connector configured for address matching <br><br> Microsoft Healthcare or Epic connector configured |
-| **Security policy violations by departing users** | Resignation or termination date indicators from HR connector or Azure Active Directory account deletion | (optional) Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
-| **Security policy violations by priority users** | Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint | Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured <br><br> Priority user groups configured in insider risk settings |
-| **Security policy violations by disgruntled user** | Performance improvement, poor performance, or job level change indicators from HR connector | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured |
+|Policy template|Triggering events for policies|Prerequisites|
+||||
+|**Data theft by departing users**|Resignation or termination date indicator from HR connector or Azure Active Directory account deletion|(optional) Microsoft 365 HR connector configured for termination and resignation date indicators|
+|**General data leaks**|Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers|DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators|
+|**Data leaks by priority users**|Data leak policy activity that creates a *High severity* alert or built-in exfiltration event triggers|DLP policy configured for *High severity* alerts <br><br> OR <br><br> Customized triggering indicators <br><br> Priority user groups configured in insider risk settings|
+|**Data leaks by disgruntled users**|Performance improvement, poor performance, or job level change indicators from HR connector|Microsoft 365 HR connector configured for disgruntlement indicators|
+|**General security policy violations**|Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint|Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured|
+|**General patient data misuse**|Defense evasion of security controls from EMR systems <br><br> User and patient address matching indicators from HR systems|Healthcare access indicators selected in policy or insider risk settings <br><br> Microsoft 365 HR connector configured for address matching <br><br> Microsoft Healthcare or Epic connector configured|
+|**Security policy violations by departing users**|Resignation or termination date indicators from HR connector or Azure Active Directory account deletion|(optional) Microsoft 365 HR connector configured for termination and resignation date indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured|
+|**Security policy violations by priority users**|Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint|Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured <br><br> Priority user groups configured in insider risk settings|
+|**Security policy violations by disgruntled user**|Performance improvement, poor performance, or job level change indicators from HR connector|Microsoft 365 HR connector configured for disgruntlement indicators <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured|
## Prioritize content in policies
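Review bot: The last "+" row names the template "**Security policy violations by disgruntled user**" in the singular, while the neighbouring rows use the plural ("**Data leaks by disgruntled users**", "**Security policy violations by departing users**"). Make it "disgruntled users" so the template name is consistent across the table.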
For more details about any recommendations or warnings, select a policy on the *
Use the following table to learn more about recommendations and warning notifications and actions to take to resolve potential issues.
-|**Notification messages**|**Policy templates**|**Causes / Try this action to fix**|
-|:|:-|:|
-| Policy isn't assigning risk scores to activity | All policy templates | You may want to review your policy scope and triggering event configuration so that the policy can assign risk scores to activity <br><br> 1. Review the users that are selected for the policy. If you have few users selected, you may want to select additional users. <br> 2. If you're using an HR connector, check that your HR connector is sending the correct data. <br> 3. If you're using a DLP policy as your triggering event, check your DLP policy configuration to ensure it's configured to be used in this policy. <br> 4. For security violation policies, review the Microsoft Defender for Endpoint alert triage status selected in Insider risk settings > Intelligent detections. Confirm that the alert filter isn't too narrow. |
-| Policy hasn't generated any alerts | All policy templates | You may want to review your policy configuration so that you're analyzing the scoring the activity that you care about. <br><br> 1. Confirm that you've selected indicators that you want to score. The more indicators selected, the more activities are assigned risk scores. <br> 2. Review threshold customization for policy. If the thresholds selected don't align with your organization's risk tolerance, adjust the selections so that alerts are created based on your preferred thresholds. <br> 3. Review the users and groups selected for the policy. Confirm you've selected all of the applicable users and groups. <br> 4. For security violation policies, confirm you've selected the alert triage status that you want to score for Microsoft Defender for Endpoint alerts in Intelligent Detections in settings.|
-| No users or groups are included in this policy | All policy templates | Users or groups aren't assigned to the policy. <br><br> Edit your policy and select users or groups for the policy. |
-| No indicators have been selected for this policy | All policy templates | Indicators haven't been selected for the policy <br><br> Edit your policy and select appropriate policy indicators for the policy. |
-| No priority user groups are included in this policy | - Data leaks by priority users <br> - Security policy violations by priority users | Priority user groups aren't assigned to the policy. <br><br> Configure priority user groups in Insider risk management settings and assign priority user groups to the policy. |
-| No triggering event has been selected for this policy | All policy templates | A triggering event isn't configured for the policy <br><br> Risk scores won't be assigned to user activities until you edit the policy and select a triggering event. |
-| HR connector isn't configured or working as expected | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | There's an issue with the HR connector. <br><br> 1. If you're using an HR connector, check that your HR connector is sending correct data <br><br> OR <br><br> 2. Select the Azure AD account deleted triggering event. |
-| No devices are onboarded | - Data theft by departing users <br> - General data leaks <br> - Data leaks by disgruntled users <br> - Data Leaks by priority users | Device indicators are selected but there aren't any devices onboarded to the Microsoft 365 <br><br> Check whether devices are onboarded and meet requirements. |
-| HR connector hasn't uploaded data recently | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | HR connector hasn't imported data in more than 7 days. <br><br> Check that your HR connector is configured correctly and sending data. |
-| We're unable to check the status of your HR connector right now, please check again later | - Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users | The insider risk management solution is unable to check the status of your HR connector. <br><br> Check that your HR connector is configured correctly and sending data, or come back and check the policy status. |
-| DLP policy isn't selected as the triggering event | - General Data leaks <br> - Data leaks by priority users | A DLP policy hasn't been selected as a triggering event or the selected DLP policy has been deleted. <br><br> Edit the policy and either select an active DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration. |
-| DLP policy used in this policy is turned off | - General Data leaks <br> - Data leaks by priority users | DLP policy used in this policy is turned off. <br><br> 1. Turn the DLP policy assigned to this policy on. <br><br> OR <br><br> 2. Edit this policy and either select a new DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration. |
-| DLP policy doesn't meet requirements | - General Data leaks <br> - Data leaks by priority users | DLP policies used as triggering events must be configured to generate high severity alerts. <br><br> 1. Edit your DLP policy to assign applicable alerts as *High severity*. <br><br> OR <br><br> 2. Edit this policy and select *User performs an exfiltration activity* as the triggering event. |
-| Your organization doesn't have a Microsoft Defender for Endpoint subscription | - General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users | An active Microsoft Defender for Endpoint subscription wasn't detected for your organization. <br><br> Until a Microsoft Defender for Endpoint subscription is added, these policies won't assign risk scores to user activity. |
-| Microsoft Defender for Endpoint alerts aren't being shared with the compliance center | - General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users | Microsoft Defender for Endpoint alerts aren't being shared with the compliance center. <br><br> Configure sharing of Microsoft Defender for Endpoint alerts. |
-| You're approaching the maximum limit of users being actively scored for this policy template. | All policy templates | Each policy template has a maximum number of in-scope users. See the template limit section details. <br><br> Review the users in the Users tab and remove any users who don't need to be scored anymore. |
-| Triggering event is repeatedly occurring for over 15% of users in this policy. | All policy templates | Adjust the triggering event to help reduce how often users are brought into the policy scope. |
+|Notification messages|Policy templates|Causes / Try this action to fix|
+||||
+|Policy isn't assigning risk scores to activity|All policy templates|You may want to review your policy scope and triggering event configuration so that the policy can assign risk scores to activity <br><br> 1. Review the users that are selected for the policy. If you have few users selected, you may want to select additional users. <br> 2. If you're using an HR connector, check that your HR connector is sending the correct data. <br> 3. If you're using a DLP policy as your triggering event, check your DLP policy configuration to ensure it's configured to be used in this policy. <br> 4. For security violation policies, review the Microsoft Defender for Endpoint alert triage status selected in Insider risk settings > Intelligent detections. Confirm that the alert filter isn't too narrow.|
+|Policy hasn't generated any alerts|All policy templates|You may want to review your policy configuration so that you're analyzing the scoring the activity that you care about. <br><br> 1. Confirm that you've selected indicators that you want to score. The more indicators selected, the more activities are assigned risk scores. <br> 2. Review threshold customization for policy. If the thresholds selected don't align with your organization's risk tolerance, adjust the selections so that alerts are created based on your preferred thresholds. <br> 3. Review the users and groups selected for the policy. Confirm you've selected all of the applicable users and groups. <br> 4. For security violation policies, confirm you've selected the alert triage status that you want to score for Microsoft Defender for Endpoint alerts in Intelligent Detections in settings.|
+|No users or groups are included in this policy|All policy templates|Users or groups aren't assigned to the policy. <br><br> Edit your policy and select users or groups for the policy.|
+|No indicators have been selected for this policy|All policy templates|Indicators haven't been selected for the policy <br><br> Edit your policy and select appropriate policy indicators for the policy.|
+|No priority user groups are included in this policy|- Data leaks by priority users <br> - Security policy violations by priority users|Priority user groups aren't assigned to the policy. <br><br> Configure priority user groups in Insider risk management settings and assign priority user groups to the policy.|
+|No triggering event has been selected for this policy|All policy templates|A triggering event isn't configured for the policy <br><br> Risk scores won't be assigned to user activities until you edit the policy and select a triggering event.|
+|HR connector isn't configured or working as expected|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|There's an issue with the HR connector. <br><br> 1. If you're using an HR connector, check that your HR connector is sending correct data <br><br> OR <br><br> 2. Select the Azure AD account deleted triggering event.|
+|No devices are onboarded|- Data theft by departing users <br> - General data leaks <br> - Data leaks by disgruntled users <br> - Data Leaks by priority users|Device indicators are selected but there aren't any devices onboarded to the Microsoft 365 <br><br> Check whether devices are onboarded and meet requirements.|
+|HR connector hasn't uploaded data recently|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|HR connector hasn't imported data in more than 7 days. <br><br> Check that your HR connector is configured correctly and sending data.|
+|We're unable to check the status of your HR connector right now, please check again later|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|The insider risk management solution is unable to check the status of your HR connector. <br><br> Check that your HR connector is configured correctly and sending data, or come back and check the policy status.|
+|DLP policy isn't selected as the triggering event|- General Data leaks <br> - Data leaks by priority users|A DLP policy hasn't been selected as a triggering event or the selected DLP policy has been deleted. <br><br> Edit the policy and either select an active DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration.|
+|DLP policy used in this policy is turned off|- General Data leaks <br> - Data leaks by priority users|DLP policy used in this policy is turned off. <br><br> 1. Turn the DLP policy assigned to this policy on. <br><br> OR <br><br> 2. Edit this policy and either select a new DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration.|
+|DLP policy doesn't meet requirements|- General Data leaks <br> - Data leaks by priority users|DLP policies used as triggering events must be configured to generate high severity alerts. <br><br> 1. Edit your DLP policy to assign applicable alerts as *High severity*. <br><br> OR <br><br> 2. Edit this policy and select *User performs an exfiltration activity* as the triggering event.|
+|Your organization doesn't have a Microsoft Defender for Endpoint subscription|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|An active Microsoft Defender for Endpoint subscription wasn't detected for your organization. <br><br> Until a Microsoft Defender for Endpoint subscription is added, these policies won't assign risk scores to user activity.|
+|Microsoft Defender for Endpoint alerts aren't being shared with the compliance center|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|Microsoft Defender for Endpoint alerts aren't being shared with the compliance center. <br><br> Configure sharing of Microsoft Defender for Endpoint alerts.|
+|You're approaching the maximum limit of users being actively scored for this policy template.|All policy templates|Each policy template has a maximum number of in-scope users. See the template limit section details. <br><br> Review the users in the Users tab and remove any users who don't need to be scored anymore.|
+|Triggering event is repeatedly occurring for over 15% of users in this policy.|All policy templates|Adjust the triggering event to help reduce how often users are brought into the policy scope.|
## Policy template limits
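Review bot: The "No devices are onboarded" row ends its explanation with "there aren't any devices onboarded to the Microsoft 365", which stops before the noun; name the product or portal the devices are onboarded to. In the first row of this group, "so that you're analyzing the scoring the activity that you care about" has a stray "the scoring" and should be reworded. Template names are also inconsistent across the added rows: "Data theft by departing user" and "Security policy violations by departing user" in the HR connector rows versus "departing users" in the devices and Defender for Endpoint rows, and "General Data leaks" / "Data Leaks by priority users" versus "General data leaks". Pick one spelling and casing per template. The "No indicators have been selected" and "No triggering event has been selected" rows are missing the period before `<br><br>`.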
The limit for each policy is calculated based on the total number of unique user
Use the following table to determine the maximum number of in-scope users supported for each policy template:
-|**Policy template**|**Current in-scope user maximum**|
-|:|:--|
-| General data leak | 15,000 |
-| Data leak by disgruntled users | 7,500 |
-| Data leak by priority users | 1,000 |
-| Data theft by departing users | 20,000 |
-| General security policy violations | 1,000 |
-| General patient data misuse | 5,000 |
-| Security policy violation by priority users | 1,000 |
-| Security policy violations by departing users | 15,000 |
-| Security policy violations by disgruntled users | 7,500 |
+|Policy template|Current in-scope user maximum|
+|||
+|General data leak|15,000|
+|Data leak by disgruntled users|7,500|
+|Data leak by priority users|1,000|
+|Data theft by departing users|20,000|
+|General security policy violations|1,000|
+|General patient data misuse|5,000|
+|Security policy violation by priority users|1,000|
+|Security policy violations by departing users|15,000|
+|Security policy violations by disgruntled users|7,500|
## Create a new policy
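Review bot: The template names in the rewritten limits table do not match the names used elsewhere on the page. The table has "General data leak", "Data leak by disgruntled users", "Data leak by priority users" and "Security policy violation by priority users", while the recommendations table and step 15 use the plural forms ("General data leaks", "Data leaks by priority users"). Since every row is being rewritten anyway, align the names so a reader can match a template to its limit without guessing.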
Complete the following steps to create a new policy:
If you've selected other policy templates, custom triggering events aren't supported. The built-in policy triggering events apply and you'll continue to Step 23 without defining policy attributes. 14. Select **Next** to continue.
-15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
+15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
16. Select **Next** to continue.
-17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
+17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
18. Select **Next** to continue. 19. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
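Review bot: In step 15, the closing sentence "Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**" has "the" with no noun after the option names; add "option" or drop "the". The removed and added lines for steps 15 and 17 are identical as shown, so this looks like a whitespace-only change that carried the wording over. Step 17's hard-coded reference to "Step 13" should also be checked against the current numbering.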
Complete the following steps to create a new policy:
If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy. 20. Select **Next** to continue.
-21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
+21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
22. Select **Next** to continue. 23. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
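Review bot: Step 21 formats the same option two ways: "**Specify custom thresholds**" is bold in the second sentence, but "If you've selected Specify custom thresholds" in the last sentence is plain text. Bold the second mention so it reads as a UI label, consistent with how step 17 refers to **Use custom thresholds for the triggering events**.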
Complete the following steps to manage an existing policy:
If you've selected other policy templates, custom triggering events aren't supported. The built-in policy triggering events apply and you'll continue to Step 23 without defining policy attributes. 14. Select **Next** to continue.
-15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
+15. If you've selected the *General data leaks* or *Data leaks by priority users* templates and have selected the **User performs an exfiltration activity and associated indicators**, you can choose custom or default thresholds for the indicator triggering events that you've selected. Choose either the **Use default thresholds (Recommended)** or **Use custom thresholds for the triggering events**.
16. Select **Next** to continue.
-17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
+17. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts.
18. Select **Next** to continue. 19. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
Complete the following steps to manage an existing policy:
If you've selected a *Data theft* or *Data leaks* policy template, select one or more **Sequence detection** methods and a **Cumulative exfiltration detection** method to apply to the policy. 20. Select **Next** to continue.
-21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
+21. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator.
22. Select **Next** to continue. 23. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
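Review bot: Under "manage an existing policy", step 23 still says "select **Submit** to create and activate the policy", the same wording as the create flow. Check whether the edit flow should say update or save instead. Steps 15, 17 and 21 are also identical to the ones under "create a new policy", so if the two procedures are meant to stay in sync, a shared include would avoid fixing each wording issue twice.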
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
This article describes the limits in the Advanced eDiscovery solution in Microso
The following table lists the limits for cases and review sets in Advanced eDiscovery.
-| Description of limit | Limit |
-|:--|:--|
-|Total number of documents that can be added to a case (for all review sets in a case). <br/> |3 million <br/> |
-|Total file size per load set. This includes loading non-Office 365 into a review set. <br/> |300 GB <br/> |
-|Total amount of data loaded into all review sets in the organization per day.<br/> |2 TB <br/> |
-|Maximum number of load sets per case. <br/> |200 <br/> |
-|Maximum number of review sets per case. <br/> |20 <br/> |
-|Maximum number of tag groups per case. <br/> |1,000 |
-|Maximum number of unique tags per case. <br/> |1,000<sup>1</sup> |
-|Maximum concurrent jobs in your organization to add content to a review set. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.| 10<sup>2</sup> |
-|Maximum concurrent jobs to add content to a review set per user. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case. | 3 |
+|Description of limit|Limit|
+|||
+|Total number of documents that can be added to a case (for all review sets in a case).|3 million|
+|Total file size per load set. This includes loading non-Office 365 into a review set.|300 GB|
+|Total amount of data loaded into all review sets in the organization per day.<br/>|2 TB|
+|Maximum number of load sets per case.|200|
+|Maximum number of review sets per case.|20|
+|Maximum number of tag groups per case.|1,000|
+|Maximum number of unique tags per case.|1,000<sup>1</sup>|
+|Maximum concurrent jobs in your organization to add content to a review set. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.|10<sup>2</sup>|
+|Maximum concurrent jobs to add content to a review set per user. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.|3|
## Hold limits The following table lists the limits for holds associated with an Advanced eDiscovery case.
-| Description of limit | Limit |
-|:--|:--|
-|Maximum number of hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases. <br/> |10,000<sup>3</sup> <br/> |
-|Maximum number of mailboxes in a single case hold. This limit includes the combined total of user mailboxes, and the mailboxes associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups. <br/> |1,000 <br/> |
-|Maximum number of sites in a single case hold. This limit includes the combined total of OneDrive for Business sites, SharePoint sites, and the sites associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups. <br/> |100 <br/> |
+|Description of limit|Limit|
+|||
+|Maximum number of hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases.|10,000<sup>3</sup>|
+|Maximum number of mailboxes in a single case hold. This limit includes the combined total of user mailboxes, and the mailboxes associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|1,000|
+|Maximum number of sites in a single case hold. This limit includes the combined total of OneDrive for Business sites, SharePoint sites, and the sites associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|100|
## Indexing limits The following table lists the indexing limits in Advanced eDiscovery.
-| Description of limit | Limit |
-|:--|:--|
-|Maximum number of characters extracted from a single file. <br/> |10 million<sup>4</sup> <br/> |
-|Maximum size of a single file. <br/> |150 MB<sup>4</sup> <br/> |
-|Maximum depth of embedded items in a document. <br/> |25<sup>4</sup> <br/> |
-|Maximum size of files processed by Optical Character Recognition (OCR). <br/> |24 MB<sup>4</sup> <br/>
+|Description of limit|Limit|
+|||
+|Maximum number of characters extracted from a single file.|10 million<sup>4</sup>|
+|Maximum size of a single file.|150 MB<sup>4</sup>|
+|Maximum depth of embedded items in a document.|25<sup>4</sup>|
+|Maximum size of files processed by Optical Character Recognition (OCR).|24 MB<sup>4</sup> <br/>
## Search limits The limits described in this section are related to using the search tool on the **Searches** tab to collect data for a case. For more information, see [Collect data for a case in Advanced eDiscovery](collecting-data-for-ediscovery.md).
-| Description of limit | Limit |
-|:--|:--|
-|Maximum number of mailboxes or sites that can be searched in a single search. |No limit|
-|Maximum number of searches that can run at the same time. |No limit |
-|Maximum number of searches that a single user can start at the same time. |10 |
-|Maximum number of characters for a search query (including operators and conditions). |10,000<sup>5</sup>|
-|Maximum number of characters for a search query for SharePoint and OneDrive for Business sites (including operators and conditions). |10,000<br>4,000 with Wildcards<sup>5</sup>|
-|Minimum number of alpha characters for prefix wildcards; for example, **one\*** or **set\***.|3 |
-|Maximum variants returned when using prefix wildcard to search for an exact phrase or when using a prefix wildcard and the **NEAR** Boolean operator. |10,000<sup>6</sup>|
-|Maximum number of items per user mailbox that are displayed on preview page for searches. The newest items are displayed. |100|
+|Description of limit|Limit|
+|||
+|Maximum number of mailboxes or sites that can be searched in a single search.|No limit|
+|Maximum number of searches that can run at the same time.|No limit|
+|Maximum number of searches that a single user can start at the same time.|10|
+|Maximum number of characters for a search query (including operators and conditions).|10,000<sup>5</sup>|
+|Maximum number of characters for a search query for SharePoint and OneDrive for Business sites (including operators and conditions).|10,000<br>4,000 with Wildcards<sup>5</sup>|
+|Minimum number of alpha characters for prefix wildcards; for example, **one\*** or **set\***.|3|
+|Maximum variants returned when using prefix wildcard to search for an exact phrase or when using a prefix wildcard and the **NEAR** Boolean operator.|10,000<sup>6</sup>|
+|Maximum number of items per user mailbox that are displayed on preview page for searches. The newest items are displayed.|100|
|Maximum number of items from all mailboxes displayed on preview page for searches.|1,000| |Maximum number of mailboxes that can be previewed for search results. If there are more than 1,000 mailboxes that contain items that match the search query, only the top 1,000 mailboxes with the most results are available for preview.|1,000|
-|Maximum number of items from SharePoint and OneDrive for Business sites displayed on preview page for searches. The newest items are displayed. |200|
+|Maximum number of items from SharePoint and OneDrive for Business sites displayed on preview page for searches. The newest items are displayed.|200|
|Maximum number of SharePoint and OneDrive for Business sites that can be previewed for search results. If there are more than 200 sites that contain items that match the search query, only the top 200 sites with the most results are available for preview.|200|
-|Maximum number of items per public folder mailbox displayed on preview page for searches. |100|
-|Maximum number of items found in all public folder mailbox items displayed on preview page for searches. |200|
+|Maximum number of items per public folder mailbox displayed on preview page for searches.|100|
+|Maximum number of items found in all public folder mailbox items displayed on preview page for searches.|200|
|Maximum number of public folder mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain items that match the search query, only the top 500 mailboxes with the most results are available for preview.|500| |The maximum size of an item that can be viewed on the sample page of a draft collection.|10,000,000 bytes (approximately 9.5 MB)|
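Review bot: The new OCR row in the indexing table ("Maximum size of files processed by Optical Character Recognition (OCR).") still ends in `24 MB<sup>4</sup> <br/>` with no closing `|`, while every other rewritten row has the `<br/>` removed and the cell closed. The old line had the same defect, so it was carried over rather than fixed. The "Total amount of data loaded into all review sets in the organization per day." row likewise keeps a trailing `<br/>` in its first cell. Strip both so the cleanup is uniform.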
The limits described in this section are related to using the search tool on the
Microsoft collects performance information for searches run by all organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for collection searches based on the number of mailboxes included in the search.
-| Number of mailboxes | Average search time |
-|:--|:--|
-|100 <br/> |30 seconds <br/> |
-|1,000 <br/> |45 seconds <br/> |
-|10,000 <br/> |4 minutes <br/> |
-|25,000 <br/> |10 minutes <br/> |
-|50,000 <br/> |20 minutes <br/> |
-|100,000 <br/> |25 minutes <br/> |
+|Number of mailboxes|Average search time|
+|||
+|100|30 seconds|
+|1,000|45 seconds|
+|10,000|4 minutes|
+|25,000|10 minutes|
+|50,000|20 minutes|
+|100,000|25 minutes|
## Viewer limits
-| Description of limit | Limit |
-|:--|:--|
-|Maximum size of Excel file that can be viewed in the native viewer. <br/> |4 MB <br/> |
+|Description of limit|Limit|
+|||
+|Maximum size of Excel file that can be viewed in the native viewer.|4 MB|
## Export limits - Final export out of Review Set The limits described in this section are related to exporting documents out of a review set.
-| Description of limit | Limit |
-|:--|:--|
+|Description of limit|Limit|
+|||
|Maximum size of a single export.|5 million documents or 500 GB, whichever is smaller|
-|Maximum concurrent exports per review set. | 1 |
+|Maximum concurrent exports per review set.|1|
## Review set download limits
-| Description of limit | Limit |
-|:--|:--|
-|Total file size or maximum number of documents downloaded from a review set. <br/> |3 MB or 50 documents<sup>7</sup>|
+|Description of limit|Limit|
+|||
+|Total file size or maximum number of documents downloaded from a review set.|3 MB or 50 documents<sup>7</sup>|
## Notes
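Review bot: The delimiter rows in the rewritten search-time, viewer, export and download tables appear here as `|||`, replacing `|:--|:--|`. A pipe table needs at least one hyphen per column in that row to render as a table, so confirm the committed file has `|---|---|` and not an empty row. If left alignment was intentional, note that the `:--` markers are gone as well.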
The limits described in this section are related to exporting documents out of a
> > <sup>4</sup> Any item that exceeds a single file limit will show up as a processing error. >
-> <sup>5</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit. The total number of characters consists of:<br>
+> <sup>5</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit. The total number of characters consists of:
+>
> - All characters in both the Users and Filters fields. > - All search permissions filters that apply to the user. > - The characters from any location properties in the search; this includes ExchangeLocation,PublicFolderLocation,SharPointLocation,ExchangeLocationExclusion,PublicFolderLocationExclusion,SharePointLocationExclusion, OneDriveLocationExclusion. > For example, including all SharePoint sites and OneDrive accounts in the search will count as six characters, as the word "ALL" will appear for both the SharePointLocation and OneDriveLocation field. >
-> <sup>6</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR …"**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+> <sup>6</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR ..."**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
> > <sup>7</sup> This limit applies to downloading selected documents from a review set. It doesn't apply to exporting documents from a review set. For more information about downloading and exporting documents, see [Export case data in Advanced eDiscovery](exporting-data-ediscover20.md).
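Review bot: Footnote 5 is edited here, but the list of location properties in the unchanged line right below the edit still has "SharPointLocation" (missing "e") and runs the property names together without spaces after the commas. The list also omits OneDriveLocation, although the example sentence that follows refers to "the SharePointLocation and OneDriveLocation field". Fix the spelling and spacing and add the missing property while this footnote is open.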
compliance Managing Jobs Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/managing-jobs-ediscovery20.md
description: "Advanced eDiscovery jobs help you track the status of long-running
Here's a list of the jobs (which are typically long-running processes) that are tracked on the **Jobs** tab of a case in Advanced eDiscovery. These jobs are triggered by user actions when using and managing cases.
-| Job type | Description |
-| :-- | :- |
-|Adding data to a review set | A user adds a collection to a review set. This job consists of two sub jobs: </br>ΓÇó **Export** - A list of items in the collection is generated. </br>ΓÇó **Ingestion & Indexing** - The items in the collection that match the search query are copied to an Azure Storage location (in a process called *ingestion*) and then those items in the Azure Storage location are reindexed. This new index is used when querying and analyzing items in the data set. </br></br>For more information, see [Add search results to a review set](add-data-to-review-set.md). |
-|Adding data to another review set | A user adds documents from one review set to a different review set in the same case. For more information, see [Add data to a review set from another review set](add-data-to-review-set-from-another-review-set.md).|
-|Adding non-Microsoft 365 data to a review set | A user uploads non-Microsoft 365 data to a review set. The data is also indexed during this process. For example, files from an on-premises file server or a client computer are uploaded to a review set. For more information, see [Load non-Microsoft 365 data into a review set](load-non-office-365-data-into-a-review-set.md).|
-|Adding remediated data to a review set | Data with processing errors is remediated and loaded back into a review set. For more information, see:</br>ΓÇó [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md)</br>ΓÇó [Single item error remediation](single-item-error-remediation.md)|
-|Comparing load sets | A user looks at the differences between different load sets in a review set. A load set is an instance of adding data to a review set. For example, if you add the results of two different searches to the same review set, each would represent a load set. |
+|Job type|Description|
+|||
+|Adding data to a review set|A user adds a collection to a review set. This job consists of two sub jobs: <ul><li>**Export** - A list of items in the collection is generated.</li><li>**Ingestion & Indexing** - The items in the collection that match the search query are copied to an Azure Storage location (in a process called *ingestion*) and then those items in the Azure Storage location are reindexed. This new index is used when querying and analyzing items in the data set.</li></ul> </br></br> For more information, see [Add search results to a review set](add-data-to-review-set.md).|
+|Adding data to another review set|A user adds documents from one review set to a different review set in the same case. For more information, see [Add data to a review set from another review set](add-data-to-review-set-from-another-review-set.md).|
+|Adding non-Microsoft 365 data to a review set|A user uploads non-Microsoft 365 data to a review set. The data is also indexed during this process. For example, files from an on-premises file server or a client computer are uploaded to a review set. For more information, see [Load non-Microsoft 365 data into a review set](load-non-office-365-data-into-a-review-set.md).|
+|Adding remediated data to a review set|Data with processing errors is remediated and loaded back into a review set. For more information, see: <ul><li>[Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md)</li><li>[Single item error remediation](single-item-error-remediation.md)</li></ul>|
+|Comparing load sets|A user looks at the differences between different load sets in a review set. A load set is an instance of adding data to a review set. For example, if you add the results of two different searches to the same review set, each would represent a load set.|
|Conversation reconstruction|When a user adds the results of a search to a conversation review set, instant message conversations (also called *threaded conversations*) in services like Microsoft Teams are reconstructed in a PDF file. This job is also triggered when a user clicks **Action > Create conversation PDFs** in a review set. For more information, see [Review conversations in Advanced eDiscovery](conversation-review-sets.md).
-|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](view-documents-in-review-set.md). |
-|Estimating search results | After a user creates and runs or reruns a draft collection, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md). |
-|Preparing data for export | A user exports documents from a review set. When the export process is complete, they can download the exported data to a local computer. For more information, see [Export case data](exporting-data-ediscover20.md). |
-|Preparing for error resolution |When a user selects a file and creates a new error remediation in the Error view on the **Processing** tab of a case, the first step in the process is to upload the file that has the processing error to an Azure Storage location in the Microsoft cloud. This job tracks the progress of the upload process. For more information about the error remediation workflow, see [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md). |
-|Preparing search preview | After a user creates and runs a new draft collection (or reruns an existing draft collection), the search tool prepares a sample subset of items (that match the search query) that can be previewed. Previewing search results help you determine the effectiveness of the search. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md#view-search-results-and-statistics). |
-|Re-indexing custodian data | When you add a custodian to a case, all partially indexed items in the custodian's selected data sources are reindexed by a process called *Advanced indexing*. This job is also triggered when you click **Update index** on the **Processing** tab of a case, and when you update the index for a specific custodian on the custodian properties flyout page. For more information, see [Advanced indexing of custodian data](indexing-custodian-data.md).
-|Running analytics | A user analyzes data in a review set by running Advanced eDiscovery analytics tools such as near duplicate detection, email threading analysis, and themes analysis. For more information, see [Analyze data in a review set](analyzing-data-in-review-set.md). |
-|Tagging documents | This job is triggered when a user clicks **Start tagging job** in the **Tagging panel** when reviewing documents in a review set. A user can start this job after tagging documents in a review set and then bulk-selecting them in the view document panel. For more information, see [Tag documents in a review set](tagging-documents.md). |
-|||
+|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](view-documents-in-review-set.md).|
+|Estimating search results|After a user creates and runs or reruns a draft collection, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).|
+|Preparing data for export|A user exports documents from a review set. When the export process is complete, they can download the exported data to a local computer. For more information, see [Export case data](exporting-data-ediscover20.md).|
+|Preparing for error resolution|When a user selects a file and creates a new error remediation in the Error view on the **Processing** tab of a case, the first step in the process is to upload the file that has the processing error to an Azure Storage location in the Microsoft cloud. This job tracks the progress of the upload process. For more information about the error remediation workflow, see [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md).|
+|Preparing search preview|After a user creates and runs a new draft collection (or reruns an existing draft collection), the search tool prepares a sample subset of items (that match the search query) that can be previewed. Previewing search results help you determine the effectiveness of the search. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md#view-search-results-and-statistics).|
+|Re-indexing custodian data|When you add a custodian to a case, all partially indexed items in the custodian's selected data sources are reindexed by a process called *Advanced indexing*. This job is also triggered when you click **Update index** on the **Processing** tab of a case, and when you update the index for a specific custodian on the custodian properties flyout page. For more information, see [Advanced indexing of custodian data](indexing-custodian-data.md).
+|Running analytics|A user analyzes data in a review set by running Advanced eDiscovery analytics tools such as near duplicate detection, email threading analysis, and themes analysis. For more information, see [Analyze data in a review set](analyzing-data-in-review-set.md).|
+|Tagging documents|This job is triggered when a user clicks **Start tagging job** in the **Tagging panel** when reviewing documents in a review set. A user can start this job after tagging documents in a review set and then bulk-selecting them in the view document panel. For more information, see [Tag documents in a review set](tagging-documents.md).|
## Job status The following table describes the different status states for jobs.
-| Status | Description |
-| :-- | :- |
-| Submitted | A new job was created. The date and time that the job was submitted is displayed in the **Created** column on the **Jobs** tab. |
-| Submission failed | The job submission failed. You should attempt to rerun the action that triggered the job. |
-| In progress | The job is in progress, you can monitor the progress of the job in the **Jobs** tab. |
-| Successful | The job was successfully completed. The date and time that the job completed is displayed in the **Completed** column on the **Jobs** tab. |
-| Partially successful | The job was successful. This status is typically returned when the job didn't find any partially indexed data (also called *unindexed data*) in some of the custodian data sources. |
-| Failed | The job failed. You should attempt to rerun the action that triggered the job. If the job fails a second time, we recommend that you contact Microsoft Support and provide the support information from the job. |
-|||
+|Status|Description|
+|||
+|Submitted|A new job was created. The date and time that the job was submitted is displayed in the **Created** column on the **Jobs** tab.|
+|Submission failed|The job submission failed. You should attempt to rerun the action that triggered the job.|
+|In progress|The job is in progress, you can monitor the progress of the job in the **Jobs** tab.|
+|Successful|The job was successfully completed. The date and time that the job completed is displayed in the **Completed** column on the **Jobs** tab.|
+|Partially successful|The job was successful. This status is typically returned when the job didn't find any partially indexed data (also called *unindexed data*) in some of the custodian data sources.|
+|Failed|The job failed. You should attempt to rerun the action that triggered the job. If the job fails a second time, we recommend that you contact Microsoft Support and provide the support information from the job.|
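Review bot: The "Partially successful" row of the Job status table still opens with "The job was successful", which reads the same as the "Successful" row. Since this change rewrites the row, say what was incomplete (some custodian data sources had no partially indexed data) and whether the user needs to act. In the jobs table above, the "Re-indexing custodian data" row also keeps the missing closing `|` from the removed line, unlike every other rewritten row. The "In progress" row has a comma splice ("The job is in progress, you can monitor ...") that could be fixed in the same pass.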
compliance New Defender Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/new-defender-alert-policies.md
We'll be introducing four new default alert policies related to post-delivery de
The following table lists the new alert policies and the existing alert policies that will be removed. See the [How this will affect your organization](#how-this-will-affect-your-organization) section for details about the rollout.
-| New or existing alert policy | Alert policy name | Alert policy ID|
-|:--|:-|:--|
-| New| **Email messages containing malicious URL removed after delivery** | 8e6ba277-ef39-404e-aaf1-294f6d9a2b88 |
-| New| **Email messages containing malicious file removed after delivery** | 4b1820ec-39dc-45f3-abf6-5ee80df51fd2 |
-| New| **Email messages from a campaign were delivered and later removed** | c8522cbb-9368-4e25-4ee9-08d8d899dfab |
-| New|**Email messages removed after delivery** | b8f6b088-5487-4c70-037c-08d8d71a43fe |
-| Existing (will be removed)| **Email messages containing phish URLs removed after delivery**| EA8169FA-0678-4751-8854-AEBEA7ADECEB |
-| Existing (will be removed)| **Email messages containing malware removed after delivery**| 0179B3F7-3FDA-40C3-8F24-278563978DBB |
-||||
+|New or existing alert policy|Alert policy name|Alert policy ID|
+||||
+|New|**Email messages containing malicious URL removed after delivery**|8e6ba277-ef39-404e-aaf1-294f6d9a2b88|
+|New|**Email messages containing malicious file removed after delivery**|4b1820ec-39dc-45f3-abf6-5ee80df51fd2|
+|New|**Email messages from a campaign were delivered and later removed**|c8522cbb-9368-4e25-4ee9-08d8d899dfab|
+|New|**Email messages removed after delivery**|b8f6b088-5487-4c70-037c-08d8d71a43fe|
+|Existing (will be removed)|**Email messages containing phish URLs removed after delivery**|EA8169FA-0678-4751-8854-AEBEA7ADECEB|
+|Existing (will be removed)|**Email messages containing malware removed after delivery**|0179B3F7-3FDA-40C3-8F24-278563978DBB|
## Alert severity enhancements For the following table identifies the default alert policies whose severity classifications are being modified. We're changing the severity classification for these alert policies to better align with the potential risk and impact on your organization and to help your security teams prioritize the alerts generated by these policies.
-| Alert| Alert policy ID| Old severity| New severity |
-|:-|:|:|:--|
-| **Suspicious email forwarding activity**| BFD48F06-0865-41A6-85FF-ADB746423EBF | Medium| High|
-| **Email reported by user as malware or phish** | B26A5770-0C38-434A-9380-3A3C2C27BBB3 | Informational | Low|
-| **Unusual increase in email reported as phish** | A00D8C62-9320-4EEA-A7E5-966B9AC09558 | High| Medium |
-| **Admin Submission result completed** | AE9B83DD-6039-4EA9-B675-6B0AC3BF4A41 | Low| Informational |
-| **Creation of forwarding/redirect rule** | D59A8FD4-1272-41EE-9408-86F7BCF72479 | Low| Informational |
-| **eDiscovery search started or exported** | 6FDC5710-3998-47F0-AFBB-57CEFD7378A | Meduim | Informational |
-|||||
+|Alert|Alert policy ID|Old severity|New severity|
+|||||
+|**Suspicious email forwarding activity**|BFD48F06-0865-41A6-85FF-ADB746423EBF|Medium|High|
+|**Email reported by user as malware or phish**|B26A5770-0C38-434A-9380-3A3C2C27BBB3|Informational|Low|
+|**Unusual increase in email reported as phish**|A00D8C62-9320-4EEA-A7E5-966B9AC09558|High|Medium|
+|**Admin Submission result completed**|AE9B83DD-6039-4EA9-B675-6B0AC3BF4A41|Low|Informational|
+|**Creation of forwarding/redirect rule**|D59A8FD4-1272-41EE-9408-86F7BCF72479|Low|Informational|
+|**eDiscovery search started or exported**|6FDC5710-3998-47F0-AFBB-57CEFD7378A|Meduim|Informational|
## When will these changes happen The following table identifies when the new alert policies will begin triggering post-delivery alerts. The table also identifies when the two existing alert policies will be removed.
-| Alert policy| Date |
-|:|:--|
-| **Email messages containing malicious URL removed after delivery** (new) | Alerts will start triggering on April 11, 2021|
-| **Email messages containing malicious file removed after delivery** (new) | Alerts will start triggering on April 11, 2021 |
-| **Emails messages from a campaign were delivered and later removed** (new) | Alerts will start triggering on May 28, 2021|
-| **Malicious emails were delivered and later removed** (new) | Alerts will start triggering on May 28, 2021|
-| **Email messages containing phish URLs removed after delivery** (existing, will be removed)| The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
-| **Email messages containing malware removed after delivery** (existing, will be removed) | The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section. |
-|||
+|Alert policy|Date|
+|||
+|**Email messages containing malicious URL removed after delivery** (new)|Alerts will start triggering on April 11, 2021|
+|**Email messages containing malicious file removed after delivery** (new)|Alerts will start triggering on April 11, 2021|
+|**Emails messages from a campaign were delivered and later removed** (new)|Alerts will start triggering on May 28, 2021|
+|**Malicious emails were delivered and later removed** (new)|Alerts will start triggering on May 28, 2021|
+|**Email messages containing phish URLs removed after delivery** (existing, will be removed)|The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
+|**Email messages containing malware removed after delivery** (existing, will be removed)|The alert policy was removed in June 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
The alert severity changes will be rolled out to all organizations by May 14, 2021.
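Review bot: In the severity table, the policy ID for "eDiscovery search started or exported" is carried over as `6FDC5710-3998-47F0-AFBB-57CEFD7378A`, whose last group has 11 hex characters instead of 12. It is therefore not a well-formed GUID and will not match anything for admins who filter or automate on policy ID. The same row keeps the "Meduim" typo. Both should be corrected while the table is being reformatted. The rollout table also names two of the new policies differently from the first table: "Emails messages from a campaign ..." against "Email messages from a campaign ...", and "Malicious emails were delivered and later removed" against "Email messages removed after delivery". Use one name per policy so readers can map the dates to the IDs. The unchanged intro sentence "For the following table identifies ..." has a stray "For".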
compliance Office 365 Service Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-service-encryption.md
To learn how to set up Customer Key for Microsoft 365 for Exchange Online, Micro
- [Service encryption with Customer Key](customer-key-overview.md) -- [Set up Customer Key](customer-key-set-up.md)
+- [Set up Customer Key](customer-key-set-up.md)
- [Manage Customer Key](customer-key-manage.md)
compliance Ome Sensitive Info Types https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-sensitive-info-types.md
You may want to update any applicable end-user documentation and training materi
Microsoft 365 audits this activity and makes it available to administrators. The operation is 'New-TransportRule' and a snippet of a sample audit entry from the Audit Log Search in Security & Compliance Center is below: ```text
-*{"CreationTime":"2018-11-28T23:35:01","Id":"a1b2c3d4-daa0-4c4f-a019-03a1234a1b0c","Operation":"New-TransportRule","OrganizationId":"123456-221d-12345 ","RecordType":1,"ResultStatus":"True","UserKey":"Microsoft Operator","UserType":3,"Version":1,"Workload":"Exchange","ClientIP":"123.456.147.68:17584","ObjectId":"","UserId":"Microsoft Operator","ExternalAccess":true,"OrganizationName":"contoso.onmicrosoft.com","OriginatingServer":"CY4PR13MBXXXX (15.20.1382.008)","Parameters": {"Name":"Organization","Value":"123456-221d-12346"{"Name":"ApplyRightsProtectionTemplate","Value":"Encrypt"},{"Name":"Name","Value":"Encrypt outbound sensitive emails (out of box rule)"},{"Name":"MessageContainsDataClassifications"…etc.*
+*{"CreationTime":"2018-11-28T23:35:01","Id":"a1b2c3d4-daa0-4c4f-a019-03a1234a1b0c","Operation":"New-TransportRule","OrganizationId":"123456-221d-12345 ","RecordType":1,"ResultStatus":"True","UserKey":"Microsoft Operator","UserType":3,"Version":1,"Workload":"Exchange","ClientIP":"123.456.147.68:17584","ObjectId":"","UserId":"Microsoft Operator","ExternalAccess":true,"OrganizationName":"contoso.onmicrosoft.com","OriginatingServer":"CY4PR13MBXXXX (15.20.1382.008)","Parameters": {"Name":"Organization","Value":"123456-221d-12346"{"Name":"ApplyRightsProtectionTemplate","Value":"Encrypt"},{"Name":"Name","Value":"Encrypt outbound sensitive emails (out of box rule)"},{"Name":"MessageContainsDataClassifications"...etc.*
``` ## To disable or customize the sensitive information types policy
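Review bot: The sample audit entry sits inside a `text` fence but is still wrapped in `*...*`, so the asterisks render literally as part of the record. The change only swaps the ellipsis character and leaves the snippet malformed as JSON. `"Parameters"` opens with `{` rather than a list, and the first entry runs straight into the second (`"Value":"123456-221d-12346"{"Name":...`) with no closing brace or comma. `"OrganizationId"` also carries a trailing space inside the quotes. Admins use this entry as the reference for finding `New-TransportRule` operations in audit search, so suggest dropping the emphasis markers and making the visible part well formed up to the point where it is truncated.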
compliance Prepare Tls 1.2 In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-tls-1.2-in-office-365.md
Title: Preparing for TLS 1.2 in Office 365 and Office 365 GCC description: How to prepare to use TLS 1.2 for all client-server and browser-server combinations in Office 365 and Office 365 GCC after support for TLS 1.0 and 1.1 is disabled.-+ ms.localizationpriority: medium
+search.appverid:
- MET150 audience: ITPro
appliesto:
## Summary
-To provide the best-in-class encryption to our customers, Microsoft plans to deprecate Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC. We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.
+To provide the best-in-class encryption to our customers, Microsoft plans to deprecate Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC. We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.
-The [Microsoft TLS 1.0 implementation](https://support.microsoft.com/help/3117336/schannel-implementation-of-tls-1-0-in-windows-security-status-update-n) has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for TLS 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC.
+The [Microsoft TLS 1.0 implementation](https://support.microsoft.com/help/3117336/schannel-implementation-of-tls-1-0-in-windows-security-status-update-n) has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for TLS 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC.
-For information about how to remove TLS 1.0 and 1.1 dependencies, see the following white paper: [Solving the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
+For information about how to remove TLS 1.0 and 1.1 dependencies, see the following white paper: [Solving the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
After you upgrade to TLS 1.2, make sure that the cipher suites you're using are supported by Azure Front Door. Microsoft 365 and Azure Front Door have slight differences in cipher suite support. For details, see [What are the current cipher suites supported by Azure Front Door?](/azure/frontdoor/front-door-faq#what-are-the-current-cipher-suites-supported-by-azure-front-door-).
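Review bot: The Summary paragraph is touched here for whitespace only and still says Microsoft "plans to deprecate" TLS 1.0 and 1.1, while the next section of the same article says deprecation has already begun as of January 2020. Suggest aligning the tense in the Summary so readers do not take the change as still pending.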
We have already begun deprecation of TLS 1.0 and 1.1 as of January 2020. Any cli
We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations. > [!NOTE]
- > For SMTP Inbound mail flow, after deprecation of TLS 1.0 and 1.1, we will accept only TLS 1.2 connection. However, we will continue accepting SMTP Connection which is unencrypted without any TLS. Although we do not recommend email transmission without any encryption.
+ > For SMTP Inbound mail flow, after deprecation of TLS 1.0 and 1.1, we will accept only TLS 1.2 connection. However, we will continue accepting SMTP Connection which is unencrypted without any TLS. Although we do not recommend email transmission without any encryption.
You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see [How to enable Transport Layer Security (TLS) 1.2 on clients](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
-The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.
+The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.
-- Android 4.3 and earlier versions-- Firefox version 5.0 and earlier versions-- Internet Explorer 8-10 on Windows 7 and earlier versions-- Internet Explorer 10 on Windows Phone 8
+- Android 4.3 and earlier versions
+- Firefox version 5.0 and earlier versions
+- Internet Explorer 8-10 on Windows 7 and earlier versions
+- Internet Explorer 10 on Windows Phone 8
- Safari 6.0.4/OS X10.8.4 and earlier versions ### TLS 1.2 for Microsoft Teams Rooms and Surface Hub
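Review bot: The SMTP inbound note is re-indented but its wording is unchanged, and it ends in a fragment ("Although we do not recommend email transmission without any encryption."). Suggest joining it to the previous sentence. Because the note says unencrypted SMTP connections are still accepted after TLS 1.0 and 1.1 are dropped, it would help to state explicitly what a sending server that cannot negotiate TLS 1.2 should expect, so admins know to check their senders instead of assuming mail stays encrypted.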
If you are using any on-premises infrastructure for hybrid scenarios or Active D
## References
-The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.
+The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.
-- For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information see [KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in).
+- For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information see [KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in).
- [TLS cipher suites supported by Office 365](/microsoft-365/compliance/technical-reference-details-about-encryption#tls-cipher-suites-supported-by-office-365) - To start addressing weak TLS use by removing TLS 1.0 and 1.1 dependencies, see [TLS 1.2 support at Microsoft](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/). - [New IIS functionality](https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/) makes it easier to find clients on [Windows Server 2012 R2](https://support.microsoft.com/help/4025335/windows-8-1-windows-server-2012-r2-update-kb4025335) and [Windows Server 2016](https://support.microsoft.com/help/4025334/windows-10-update-kb4025334) that connect to the service by using weak security protocols.-- Get more information about how to [solve the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
+- Get more information about how to [solve the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
- For general information about our approach to security, go to the [Office 365 Trust Center](https://www.microsoft.com/trustcenter/cloudservices/office365). - To identify the TLS version that is used by SMTP clients, see [SMTP Auth clients insight and report in the Security & Compliance Center](../security/office-365-security/mfi-smtp-auth-clients-report.md). - [Preparing for TLS 1.0/1.1 Deprecation - Office 365 Skype for Business](https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/ba-p/222247)
compliance Preserve Bcc And Expanded Distribution Group Recipients For Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/preserve-bcc-and-expanded-distribution-group-recipients-for-ediscovery.md
description: "In-Place Hold, Litigation Hold, and Microsoft 365 retention polici
# Preserve Bcc and expanded distribution group recipients for eDiscovery
-
+ Litigation holds, eDiscovery holds, and [Microsoft 365 retention policies](./retention.md) (created in the Microsoft 365 compliance center) allow you to preserve mailbox content to meet regulatory compliance and eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is included in all messages by default. But your organization may require the ability to search for and reproduce details about all recipients of a message. This includes:
-
-- **Recipients addressed using the Bcc field of a message:** Bcc recipients are stored in the message in the sender's mailbox, but not included in headers of the message delivered to recipients.
-
-- **Expanded distribution group recipients:** Recipients who receive the message because they're members of a distribution group to which the message was addressed, either in the To, Cc or Bcc fields.
-
-Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions) retain information about Bcc and expanded distribution group recipients. You can search for this information by using an eDiscovery tool in the Microsoft 365 compliance center.
-
+
+- **Recipients addressed using the Bcc field of a message:** Bcc recipients are stored in the message in the sender's mailbox, but not included in headers of the message delivered to recipients.
+
+- **Expanded distribution group recipients:** Recipients who receive the message because they're members of a distribution group to which the message was addressed, either in the To, Cc or Bcc fields.
+
+Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions) retain information about Bcc and expanded distribution group recipients. You can search for this information by using an eDiscovery tool in the Microsoft 365 compliance center.
+ ## How Bcc recipients and expanded distribution group recipients are preserved
-As stated earlier, information about Bcc'ed recipients is stored with the message in the sender's mailbox. This information is indexed and available to eDiscovery searches and holds.
-
-Information about expanded distribution group recipients is stored with the message after you place a mailbox on In-Place Hold or Litigation Hold. In Office 365, this information is also stored when a Microsoft 365 retention policy is applied to a mailbox. Distribution group membership is determined at the time the message is sent. The expanded recipients list stored with the message is not impacted by changes to membership of the group after the message is sent.
-
-| Information about… | Is stored in… | Is stored by default? | Is accessible to… |
-|:--|:--|:--|:--|
-|To and Cc recipients <br/> |Message properties in the sender and recipients' mailboxes. <br/> |Yes <br/> |Sender, recipients, and compliance officers <br/> |
-|Bcc recipients <br/> |Message property in the sender's mailbox. <br/> |Yes <br/> |Sender and compliance officers <br/> |
-|Expanded distribution group recipients <br/> |Message properties in the sender's mailbox. <br/> |No. Expanded distribution group recipient information is stored after a mailbox is placed on In-Place Hold or Litigation Hold, or assigned to a Microsoft 365 retention policy. <br/> |Compliance officers <br/> |
-
+As stated earlier, information about Bcc'ed recipients is stored with the message in the sender's mailbox. This information is indexed and available to eDiscovery searches and holds.
+
+Information about expanded distribution group recipients is stored with the message after you place a mailbox on In-Place Hold or Litigation Hold. In Office 365, this information is also stored when a Microsoft 365 retention policy is applied to a mailbox. Distribution group membership is determined at the time the message is sent. The expanded recipients list stored with the message is not impacted by changes to membership of the group after the message is sent.
+
+|Information about...|Is stored in...|Is stored by default?|Is accessible to...|
+|||||
+|To and Cc recipients|Message properties in the sender and recipients' mailboxes.|Yes|Sender, recipients, and compliance officers|
+|Bcc recipients|Message property in the sender's mailbox.|Yes|Sender and compliance officers|
+|Expanded distribution group recipients|Message properties in the sender's mailbox.|No. Expanded distribution group recipient information is stored after a mailbox is placed on In-Place Hold or Litigation Hold, or assigned to a Microsoft 365 retention policy.|Compliance officers|
+ ## Searching for messages sent to Bcc and expanded distribution group recipients When searching for messages sent to a recipient, eDiscovery search results now include messages sent to a distribution group that the recipient is a member of. The following table shows the scenarios where messages sent to Bcc and expanded distribution group recipients are returned in eDiscovery searches.
-
+ Scenario 1: John is a member of the US-Sales distribution group. This table shows eDiscovery search results when Bob sends a message to John directly or indirectly via a distribution group.
-
-| When you search Bob's mailbox for messages sent… | And the message is sent with… | Results include message? |
-|:--|:--|:--|
-|To:John <br/> |John on TO <br/> |Yes <br/> |
-|To:John <br/> |US-Sales on TO <br/> |Yes <br/> |
-|To:US-Sales <br/> |US-Sales on TO <br/> |Yes <br/> |
-|Cc:John <br/> |John on CC <br/> |Yes <br/> |
-|Cc:John <br/> |US-Sales on CC <br/> |Yes <br/> |
-|Cc:US-Sales <br/> |US-Sales on CC <br/> |Yes <br/> |
-
+
+|When you search Bob's mailbox for messages sent...|And the message is sent with...|Results include message?|
+||||
+|To:John|John on TO|Yes|
+|To:John|US-Sales on TO|Yes|
+|To:US-Sales|US-Sales on TO|Yes|
+|Cc:John|John on CC|Yes|
+|Cc:John|US-Sales on CC|Yes|
+|Cc:US-Sales|US-Sales on CC|Yes|
+ Scenario 2: Bob sends an email to John (To/Cc) and Jack (Bcc directly, or indirectly via a distribution group). The table below shows eDiscovery search results.
-
-| When you search… | For messages sent… | Results include message? | Notes |
-|:--|:--|:--|:--|
-|Bob's mailbox <br/> |To/Cc:John <br/> |Yes <br/> |Presents an indication that Jack was Bcc'ed. <br/> |
-|Bob's mailbox <br/> |Bcc:Jack <br/> |Yes <br/> |Presents an indication that Jack was Bcc'ed. <br/> |
-|Bob's mailbox <br/> |Bcc:Jack (via distribution group) <br/> |Yes <br/> |List of members of the Bcc'ed distribution group, expanded when the message was sent, is visible in eDiscovery search preview, export, and logs. <br/> |
-|John's mailbox <br/> |To/Cc:John <br/> |Yes <br/> |No indication of Bcc recipients. <br/> |
-|John's mailbox <br/> |Bcc:Jack (directly or via distribution group) <br/> |No <br/> |Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox. <br/> |
-|Jack's mailbox <br/> |To/Cc:John (directly or via distribution group) <br/> |Yes <br/> |To/Cc information is included in message delivered to all recipients. <br/> |
-|Jack's mailbox <br/> |Bcc:Jack (directly or via distribution group) <br/> |No <br/> |Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox. <br/> |
-
+
+|When you search...|For messages sent...|Results include message?|Notes|
+|||||
+|Bob's mailbox|To/Cc:John|Yes|Presents an indication that Jack was Bcc'ed.|
+|Bob's mailbox|Bcc:Jack|Yes|Presents an indication that Jack was Bcc'ed.|
+|Bob's mailbox|Bcc:Jack (via distribution group)|Yes|List of members of the Bcc'ed distribution group, expanded when the message was sent, is visible in eDiscovery search preview, export, and logs.|
+|John's mailbox|To/Cc:John|Yes|No indication of Bcc recipients.|
+|John's mailbox|Bcc:Jack (directly or via distribution group)|No|Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox.|
+|Jack's mailbox|To/Cc:John (directly or via distribution group)|Yes|To/Cc information is included in message delivered to all recipients.|
+|Jack's mailbox|Bcc:Jack (directly or via distribution group)|No|Bcc information is not stored in the message delivered to recipients. You must search the sender's mailbox.|
+ ## Frequently asked questions **Q. When and where is Bcc recipient information stored?**
-
+ A. Bcc recipient information is preserved by default in the original message in sender's mailbox. If the Bcc recipient is a distribution group, distribution group membership is only expanded if the sender's mailbox is on hold or assigned to a Microsoft 365 retention policy.
-
+ **Q. When and where is the list of expanded distribution group recipients stored?**
-
+ A. Group membership is expanded at the time the message is sent. The list of expanded distribution group members is stored in the original message in the sender's mailbox. The sender's mailbox must be on In-Place Hold, Litigation Hold, or assigned to a Microsoft 365 retention policy.
-
+ **Q. Can the To/Cc recipients see which recipients were Bcc'ed?**
-
+ A. No. This information is not included in message headers, and isn't visible to To/Cc recipients. The sender can see the Bcc field stored in the original message stored in their mailbox. Compliance officers can see this information when searching the sender's mailbox.
-
+ **Q. How can I ensure that expanded distribution group recipients are always preserved?**
-
-A. To ensure that expanded distribution group members are always preserved with a message, [Place all mailboxes on hold](/Exchange/policy-and-compliance/holds/place-all-mailboxes-on-hold) or create an organization-wide Microsoft 365 retention policy.
-
+
+A. To ensure that expanded distribution group members are always preserved with a message, [Place all mailboxes on hold](/Exchange/policy-and-compliance/holds/place-all-mailboxes-on-hold) or create an organization-wide Microsoft 365 retention policy.
+ **Q. Which types of groups are supported?**
-
-A. Distribution groups, mail-enabled security groups, and dynamic distribution groups are supported.
-
+
+A. Distribution groups, mail-enabled security groups, and dynamic distribution groups are supported.
+ **Q. Is there a limit on the number of distribution group recipients that are expanded and stored in the message?**
-
+ A. Up to 10,000 members of a distribution group is preserved.
-
+ **Q. Are nested distribution groups supported?**
-
+ A. Yes, 25 levels of nested distribution groups are expanded.
-
+ **Q. Where is the Bcc and expanded distribution group recipient information visible?**
-
+ A. Bcc and expanded distribution group recipients information is visible to Compliance officers when performing an eDiscovery search. Bcc and expanded distribution group recipients are included in search results copied to a Discovery mailbox or exported to a PST file and in the eDiscovery log included in search results. Bcc recipient information is also available in search preview.
-
+ **Q. What happens if a member of a distribution group is hidden from the organization's global address list (GAL)?**
-
-A. There's no impact. If recipients are hidden from the GAL, they are still included in the list of recipients for the expanded distribution group.
+
+A. There's no impact. If recipients are hidden from the GAL, they are still included in the list of recipients for the expanded distribution group.
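Review bot: The answer to the member-limit question, "Up to 10,000 members of a distribution group is preserved", has a subject-verb mismatch and should read "are preserved". In the answer about whether To/Cc recipients can see Bcc recipients, "the Bcc field stored in the original message stored in their mailbox" repeats "stored" and can be shortened to "the Bcc field in the original message in their mailbox". The first answer says group membership is expanded only if the sender's mailbox is "on hold", while the second answer lists In-Place Hold and Litigation Hold by name. Using the same wording in both would make it clear that they describe the same condition.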
compliance Retention Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-limits.md
f1.keywords:
Previously updated : Last updated : audience: Admin ms.localizationpriority: high-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150 hideEdit: true
A single tenant can have a maximum of 10,000 policies (any configuration). This
Within this 10,000 policies limit, there are also some limits on the maximum number of policies for retention per workload: - Exchange (any configuration): 1,800
- - Per mailbox: 25 is the recommended maximum before performance might be impacted; 50 is the supported limit.
+ - Per mailbox: 25 is the recommended maximum before performance might be impacted; 50 is the supported limit.
- SharePoint or OneDrive: (all sites automatically included): 13 - SharePoint or OneDrive (specific locations included or excluded): 2,600
Grouping attributes or properties within a group isn't supported. This means tha
> [!IMPORTANT] > Applicable only if you use [static policy scopes rather than adaptive policy scopes](retention.md#adaptive-or-static-policy-scopes-for-retention).
-If you use static scopes and the optional configuration to include or exclude specific users, specific Microsoft 365 groups, or specific sites, there are some limits per policy to be aware of.
+If you use static scopes and the optional configuration to include or exclude specific users, specific Microsoft 365 groups, or specific sites, there are some limits per policy to be aware of.
Maximum numbers of items per policy for retention for static scopes:
Exchange example:
- **Requirement**: In an organization that has over 40,000 user mailboxes, most users must have their email retained for 7 years but a subset of identified users (425) must have their email retained for only 5 years. -- **Solution**: Create one retention policy for Exchange email with a retention period of 7 years and exclude the subset of users. Then create a second retention policy for Exchange email with a retention period of 5 years and include the subset of users.
-
+- **Solution**: Create one retention policy for Exchange email with a retention period of 7 years and exclude the subset of users. Then create a second retention policy for Exchange email with a retention period of 5 years and include the subset of users.
+ In both cases, the number included and excluded is below the maximum number of specified mailboxes for a single policy, and the subset of users must be explicitly excluded from the first policy because it has a [longer retention period](retention.md#the-principles-of-retention-or-what-takes-precedence) than the second policy. If the subset of users required a longer retention policy, you wouldn't need to exclude them from the first policy.
-
+ With this solution, if anybody new joins the organization, their mailbox is automatically included in the first policy for 7 years and there is no impact to the maximum numbers supported. However, new users that require the 5-year retention period add to the include and exclude numbers, and this limit would be reached at 1,000. SharePoint example:
SharePoint example:
- **Requirement**: An organization has several thousand SharePoint sites but only 2,000 sites require a retention period of 10 years, and 8,000 sites require a retention period of 4 years. - **Solution**: Create 20 retention policies for SharePoint with a retention period of 10 years that includes 100 specific sites, and create 80 retention policies for SharePoint with a retention period of 4 years that includes 100 specific sites.
-
+ Because you don't need to retain all SharePoint sites, you must create retention policies that specify the specific sites. Because a retention policy doesn't support more than 100 specified sites, you must create multiple policies for the two retention periods. These retention policies have the maximum number of included sites, so the next new site that needs retaining would require a new retention policy, irrespective of the retention period. ## Maximum number of items for disposition
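Review bot: In the SharePoint solution, "Create 20 retention policies ... that includes 100 specific sites" does not say that the 100-site figure is per policy, and the totals (2,000 and 8,000 sites) only work out if each policy includes 100 sites. Suggest "each including 100 specific sites" in both clauses. In the Exchange example, "this limit would be reached at 1,000" would be clearer if it named the limit it means, which from the preceding paragraph is the maximum number of specified mailboxes for a single policy.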
SharePoint example:
For the [disposition of content](disposition.md), there are some limits to be aware of: - Maximum numbers per tenant:
-
- - 16,000,000 items in either of the following disposition review states: pending disposition or approved disposition
-
- - 16,000,000 items marked as records automatically disposed (no disposition review)
+ - 16,000,000 items in either of the following disposition review states: pending disposition or approved disposition
+ - 16,000,000 items marked as records automatically disposed (no disposition review)
- Maximum numbers for each retention label:
-
- - 1,000,000 items pending disposition per stage for each retention label
-
- - Proof of disposition for up to seven years after the item was disposed, with a limit of 1,000,000 items per retention label for that period.
-
- If you need proof of disposition higher than this limit of 1,000,000 for items that are marked as records, contact [Microsoft Support](../admin/get-help-support.md).
+ - 1,000,000 items pending disposition per stage for each retention label
+ - Proof of disposition for up to seven years after the item was disposed, with a limit of 1,000,000 items per retention label for that period.
+
+ If you need proof of disposition higher than this limit of 1,000,000 for items that are marked as records, contact [Microsoft Support](../admin/get-help-support.md).
compliance Retention Preservation Lock https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-preservation-lock.md
All policies for retention and with any configuration support Preservation Lock.
3. To place a Preservation Lock on your policy, run the [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) cmdlet with the name of the policy, and the *RestrictiveRetention* parameter set to true: ```powershell
- Set-RetentionCompliancePolicy -Identity "<Name of Policy>" ΓÇôRestrictiveRetention $true
+ Set-RetentionCompliancePolicy -Identity "<Name of Policy>" -RestrictiveRetention $true
``` For example:
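Review bot: The command under "For example:" is not part of this change and should be checked for the same mis-encoded dash before its parameters, because the fix shown covers only the -RestrictiveRetention syntax line. Using a plain ASCII hyphen in both snippets keeps them copyable regardless of how the file is encoded or rendered.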
compliance Retention Regulatory Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-regulatory-requirements.md
Applicable workloads: SharePoint, OneDrive, Teams, Exchange, and Skype for Busin
Released November 2020, this report has been produced in partnership with Cohasset Associates, Inc. (Cohasset) to assess the capabilities of Microsoft 365 services for recording, storing, and managing requirements for electronic records, as specified by: -- Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers or dealers.
+- Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers or dealers.
- Financial Industry Regulatory Authority (FINRA) Rule 4511(c), which defers to the format and media requirements of SEC Rule 17a-4(f). -- The principles-based electronic records requirements of the Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).
+- The principles-based electronic records requirements of the Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).
The opinion from Cohasset is that when compliance features are properly configured and carefully applied and managed as described in their report, the assessed Microsoft 365 services meet the five requirements related to the recording and non-rewriteable, non-erasable storage of electronic records.
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
f1.keywords:
Previously updated : Last updated : audience: Admin ms.localizationpriority: high-+ - M365-security-compliance - SPO_Content - m365initiative-compliance
+search.appverid:
- MOE150 - MET150 description: Learn about retention policies and retention labels that help you to retain what you need and delete what you don't.
description: Learn about retention policies and retention labels that help you t
> [!NOTE] > If you're seeing messages about retention policies in Teams or have questions about retention labels in your apps, contact your IT department for information about how they have been configured for you. In the meantime, you might find the following articles helpful:
-> - [Teams messages about retention policies](https://support.microsoft.com/office/teams-messages-about-retention-policies-c151fa2f-1558-4cf9-8e51-854e925b483b)
+>
+> - [Teams messages about retention policies](https://support.microsoft.com/office/teams-messages-about-retention-policies-c151fa2f-1558-4cf9-8e51-854e925b483b)
> - [Apply retention labels to files in SharePoint or OneDrive](https://support.microsoft.com/office/apply-retention-labels-to-files-in-sharepoint-or-onedrive-11a6835b-ec9f-40db-8aca-6f5ef18132df) > > The information on this page is for IT administrators who can create retention policies and retention labels for compliance reasons.
Use the following sections to learn more about how retention policies and retent
## How retention settings work with content in place When content has retention settings assigned to it, that content remains in its original location. Most of the time, people continue to work with their documents or mail as if nothing's changed. But if they edit or delete content that's included in the retention policy, a copy of the content is automatically retained.
-
+ - For SharePoint and OneDrive sites: The copy is retained in the **Preservation Hold** library. -- For Exchange mailboxes: The copy is retained in the **Recoverable Items** folder.
+- For Exchange mailboxes: The copy is retained in the **Recoverable Items** folder.
- For Teams and Yammer messages: The copy is retained in a hidden folder named **SubstrateHolds** as a subfolder in the Exchange **Recoverable Items** folder. > [!NOTE] > Because the Preservation Hold library is included in the site's storage quota, you might need to increase your storage when you use retention settings for SharePoint and Microsoft 365 groups.
->
+>
These secure locations and the retained content are not visible to most people. In most cases, people do not even need to know that their content is subject to retention settings. For more detailed information about how retention settings work for different workloads, see the following articles:
To assign your retention settings to content, use **retention policies** and **r
Use a retention policy to assign the same retention settings for content at a site or mailbox level, and use a retention label to assign retention settings at an item level (folder, document, email).
-For example, if all documents in a SharePoint site should be retained for 5 years, it's more efficient to do this with a retention policy than apply the same retention label to all documents in that site. However, if some documents in that site should be retained for 5 years and others retained for 10 years, a retention policy wouldn't be able to do this. When you need to specify retention settings at the item level, use retention labels.
+For example, if all documents in a SharePoint site should be retained for 5 years, it's more efficient to do this with a retention policy than apply the same retention label to all documents in that site. However, if some documents in that site should be retained for 5 years and others retained for 10 years, a retention policy wouldn't be able to do this. When you need to specify retention settings at the item level, use retention labels.
+
+Unlike retention policies, retention settings from retention labels travel with the content if it's moved to a different location within your Microsoft 365 tenant. In addition, retention labels have the following capabilities that retention policies don't support:
-Unlike retention policies, retention settings from retention labels travel with the content if itΓÇÖs moved to a different location within your Microsoft 365 tenant. In addition, retention labels have the following capabilities that retention policies don't support:
-
- Options to start the retention period from when the content was labeled or based on an event, in addition to the age of the content or when it was last modified. - Use [trainable classifiers](classifier-learn-about.md) to identify content to label. - Apply a default label for SharePoint documents. -- Support [disposition review](./disposition.md) to review the content before it's permanently deleted.
+- Support [disposition review](./disposition.md) to review the content before it's permanently deleted.
-- Mark the content as a [record](records-management.md#records) as part of the label settings, and always have [proof of disposition](disposition.md#disposition-of-records) when content is deleted at the end of its retention period.
+- Mark the content as a [record](records-management.md#records) as part of the label settings, and always have [proof of disposition](disposition.md#disposition-of-records) when content is deleted at the end of its retention period.
### Retention policies Retention policies can be applied to the following locations:+ - Exchange email - SharePoint site - OneDrive accounts
Items inherit the retention settings from their container specified in the reten
### Retention labels Use retention labels for different types of content that require different retention settings. For example:
-
-- Tax forms that need to be retained for a minimum period of time.
-
-- Press materials that need to be permanently deleted when they reach a specific age.
-
-- Competitive research that needs to be retained for a specific period and then permanently deleted.
-
-- Work visas that must be marked as a record so that they can't be edited or deleted.
-
+
+- Tax forms that need to be retained for a minimum period of time.
+
+- Press materials that need to be permanently deleted when they reach a specific age.
+
+- Competitive research that needs to be retained for a specific period and then permanently deleted.
+
+- Work visas that must be marked as a record so that they can't be edited or deleted.
+ In all these cases, retention labels let you apply retention settings for governance control at the item level (document or email).
-
+ With retention labels, you can:
-
-- **Enable people in your organization to apply a retention label manually** to content in Outlook and Outlook on the web, OneDrive, SharePoint, and Microsoft 365 groups. Users often know best what type of content they're working with, so they can classify it and have the appropriate retention settings applied.
-
-- **Apply retention labels to content automatically** if it matches specific conditions, that include cloud attachments that are shared in email or Teams, or when the content contains:
- - Specific types of sensitive information.
- - Specific keywords that match a query you create.
- - Pattern matches for a trainable classifier.
+
+- **Enable people in your organization to apply a retention label manually** to content in Outlook and Outlook on the web, OneDrive, SharePoint, and Microsoft 365 groups. Users often know best what type of content they're working with, so they can classify it and have the appropriate retention settings applied.
+
+- **Apply retention labels to content automatically** if it matches specific conditions, that include cloud attachments that are shared in email or Teams, or when the content contains:
+ - Specific types of sensitive information.
+ - Specific keywords that match a query you create.
+ - Pattern matches for a trainable classifier.
- **Start the retention period from when the content was labeled** for documents in SharePoint sites and OneDrive accounts, and for email items.
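Review bot: In the auto-apply bullet, "if it matches specific conditions, that include cloud attachments that are shared in email or Teams" has a comma before a restrictive clause; drop the comma so it reads "specific conditions that include". The sentence also moves from a kind of item (cloud attachments) to "or when the content contains:", so consider rewording the lead-in so that the three sub-bullets read as a clean continuation of it.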
Retention labels, unlike [sensitivity labels](sensitivity-labels.md), do not per
#### Classifying content without applying any actions Although the main purpose of retention labels is to retain or delete content, you can also use retention labels without turning on any retention or other actions. In this case, you can use a retention label simply as a text label, without enforcing any actions.
-
+ For example, you can create and apply a retention label named "Review later" with no actions, and then use that label to find that content later.
-
+ ![Label settings to classify-only.](../media/retention-label-retentionoff.png) #### Using a retention label as a condition in a DLP policy
You can also create one or more **auto-apply retention label policies**, each wi
#### Retention label policies and locations Retention labels can be published to different locations, depending on what the retention label does.
-
-| If the retention label is… | Then the label policy can be applied to… |
+
+| If the retention label is... | Then the label policy can be applied to... |
|:--|:--| |Published to admins and end users |Exchange, SharePoint, OneDrive, Microsoft 365 Groups | |Auto-applied based on sensitive information types or trainable classifiers |Exchange, SharePoint, OneDrive |
An email or document can have only a single retention label applied to it at a t
For standard retention labels (they don't mark items as a [record or regulatory record](records-management.md#records)): -- Admins and end users can manually change or remove an existing retention label that's applied on content.
+- Admins and end users can manually change or remove an existing retention label that's applied on content.
+
+- When content already has a retention label applied, the existing label won't be automatically removed or replaced by another retention label with one possible exception: The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
+
+ For more information about the label behavior when it's applied by using a default label:
-- When content already has a retention label applied, the existing label won't be automatically removed or replaced by another retention label with one possible exception: The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
-
- For more information about the label behavior when it's applied by using a default label:
- - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
- - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
+ - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
+ - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
- If there are multiple auto-apply label policies that could apply a retention label, and content meets the conditions of multiple policies, the retention label for the oldest auto-apply label policy (by date created) is applied.
You can then drill down into details by using [content explorer](data-classifica
After retention labels are applied to content, either by users or auto-applied, you can use content search to find all items that have a specific retention label applied. When you create a content search, choose the **Retention label** condition, and then enter the complete retention label name or part of the label name and use a wildcard. For more information, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
-
-![Retention label condition.](../media/retention-label-condition.png)
+![Retention label condition.](../media/retention-label-condition.png)
## Compare capabilities for retention policies and retention labels
Often, the policies will take effect and labels will be visible quicker than 7 d
When you create a retention policy or retention label policy, you must choose between adaptive and static to define the scope of the policy. - An **adaptive scope** uses a query that you specify, so the membership isn't static but dynamic by running daily against the attributes or properties that you specify for the selected locations. You can use multiple adaptive scopes with a single policy.
-
+ Example: Emails and OneDrive documents for executives require a longer retention period than standard users. You create a retention policy with an adaptive scope that uses the Azure AD attribute job title of "Executive", and then select the Exchange email and OneDrive accounts locations for the policy. There's no need to specify email addresses or OneDrive URLs for these users because the adaptive scope automatically retrieves these values. For new executives, there's no need to reconfigure the retention policy because these new users with their corresponding values for email and OneDrive are automatically picked up. - A **static scope** doesn't use queries and is limited in configuration in that it can apply to all instances for a specified location, or use inclusion and exclusions for specific instances for that location. These three choices are sometimes referred to as "org-wide", "includes", and "excludes" respectively.
-
+ Example: Emails and OneDrive documents for executives require a longer retention period than standard users. You create a retention policy with a static scope that selects the Exchange email and OneDrive accounts locations for the policy. For the Exchange email location, you're able to identify a group that contains just the executives, so you specify this group for the retention policy, and the group membership with the respective email addresses is retrieved when the policy is created. For the OneDrive accounts location, you must identify and then specify individual OneDrive URLs for each executive. For new executives, you must reconfigure the retention policy to add the new email addresses and OneDrive URLs. You must also update the OneDrive URLs anytime there is a change in an executive's UPN.
-
+ OneDrive URLs are particularly challenging to reliably specify because by default, these URLs aren't created until the user accesses their OneDrive for the first time. And if a user's UPN changes, which you might not know about, their OneDrive URL automatically changes. Advantages of using adaptive scopes:
Advantages of using adaptive scopes:
- Query-based membership provides resilience against business changes that might not be reliably reflected in group membership or external processes that rely on cross-department communication. - A single retention policy can include locations for both Microsoft Teams and Yammer, whereas when you use a static scope, these locations require their own retention policy.
-
+ - You can apply specific retention settings to just inactive mailboxes. This configuration isn't possible with a static scope because at the time the policy is assigned, static scopes don't support the specific inclusion of recipients with inactive mailboxes. Advantages of using static scopes: - Simpler configuration if you want all instances automatically selected for a workload.
-
+ For "includes" and "excludes", this choice can be a simpler configuration initially if the numbers of instances that you have to specify are low and do not change. However, when these number of instances start to increase and you have frequent changes in your organization that require you to reconfigure your policies, adaptive scopes can be simpler to configure and much easier to maintain. -- The **Skype for Business** and **Exchange public folders** locations don't support adaptive scopes. For those locations, you must use a static scope.
+- The **Skype for Business** and **Exchange public folders** locations don't support adaptive scopes. For those locations, you must use a static scope.
For configuration information, see [Configuring adaptive scopes](retention-settings.md#configuration-information-for-adaptive-scopes).
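Review bot: In the static-scope paragraph that starts "For "includes" and "excludes"", the phrase "when these number of instances start to increase" does not agree in number. Suggest "when the number of instances starts to increase". The line is already being re-added for spacing, so the wording can be corrected in the same change.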
Before explaining each principle in more detail, it's important to understand th
To apply the principles in action with a series of Yes and No questions, you can also use the [retention flowchart](retention-flowchart.md). Explanation for the four different principles:
-
+ 1. **Retention wins over deletion.** Content won't be permanently deleted when it also has retention settings to retain it. While this principle ensures that content is preserved for compliance reasons, the delete process can still be initiated (user-initiated or system-initiated) and consequently, might remove the content from users' main view. However, permanent deletion is suspended. For more information about how and where content is retained, use the following links for each workload:
-
+ - [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive) - [How retention works with Microsoft Teams](retention-policies-teams.md#how-retention-works-with-microsoft-teams) - [How retention works with Yammer](retention-policies-yammer.md#how-retention-works-with-yammer) - [How retention works for Exchange](retention-policies-exchange.md#how-retention-works-for-exchange)
-
+ **Example for this first principle**: An email message is subject to a retention policy for Exchange that is configured to delete items three years after they are created, and it also has a retention label applied that is configured to retain items five years after they are created.
-
+ The email message is retained for five years because this retention action takes precedence over deletion. The email message is permanently deleted at the end of the five years because of the delete action that was suspended while the retention action was in effect. 2. **The longest retention period wins.** If content is subject to multiple retention settings that retain content for different periods of time, the content will be retained until the end of the longest retention period for the item.
-
+ > [!NOTE] > It's possible for a retention period of 5 years in a retention policy or label wins over a retention period of 7 years in a retention policy or label, because the 5-year period is configured to start based on when the file is last modified, and the 7-year period is configured to start from when the file is created.
-
+ **Example for this second principle**: Documents in the Marketing SharePoint site are subject to two retention policies. The first retention policy is configured for all SharePoint sites to retain items for five years after they are created. The second retention policy is configured for specific SharePoint sites to retain items for ten years after they are created.
-
+ Documents in this Marketing SharePoint site are retained for ten years because that's the longest retention period for the item.
-3. **Explicit wins over implicit for deletions.** With conflicts now resolved for retention, only conflicts for deletions remain:
-
+3. **Explicit wins over implicit for deletions.** With conflicts now resolved for retention, only conflicts for deletions remain:
+ 1. A retention label (however it was applied) provides explicit retention in comparison with retention policies, because the retention settings are applied to an individual item rather than implicitly assigned from a container. This means that a delete action from a retention label always takes precedence over a delete action from any retention policy.
-
+ **Example for this third principle (label)**: A document is subject to two retention policies that have a delete action of five years and ten years respectively, and also a retention label that has a delete action of seven years.
-
+ The document is permanently deleted after seven years because the delete action from the retention label takes precedence.
-
+ 2. When you have retention policies only: If a retention policy for a location uses an adaptive scope or a static scope that includes specific instances (such as specific users for Exchange email) that retention policy takes precedence over a static scope that is configured for all instances for the same location.
-
+ A static scope that is configured for all instances for a location is sometimes referred to as an "org-wide policy". For example, **Exchange email** and the default setting of **All recipients**. Or, **SharePoint sites** and the default setting of **All sites**. When retention policies aren't org-wide but have been configured with an adaptive scope or a static scope that includes specific instances, they have equal precedence at this level.
-
+ **Example 1 for this third principle (policies)**: An email message is subject to two retention policies. The first retention policy is unscoped and deletes items after ten years. The second retention policy is scoped to specific mailboxes and deletes items after five years.
-
+ The email message is permanently deleted after five years because the deletion action from the scoped retention policy takes precedence over the org-wide retention policy.
-
+ **Example 2 for this third principle (policies)**: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action after 10 years. The second retention policy is scoped to include this user's OneDrive account and has a delete action after seven years.
-
+ When this document will be permanently deleted can't be determined at this level because both retention policies are scoped to include specific instances. 4. **The shortest deletion period wins.** Applicable to determine when items will be deleted from retention policies and the outcome couldn't be resolved from the previous level: Content is permanently deleted at the end of the shortest retention period for the item.
-
+ > [!NOTE] > It's possible that a retention policy that has a retention period of 7 years wins over a retention policy of 5 years because the first policy is configured to start the retention period based on when the file is created, and the second retention policy from when the file is last modified.
-
+ **Example for this fourth principle**: A document in a user's OneDrive account is subject to two retention policies. The first retention policy is scoped to include this user's OneDrive account and has a delete action of 10 years after the file is created. The second retention policy is scoped to include this user's OneDrive account and has a delete action of seven years after the file is created.
-
+ This document will be permanently deleted after seven years because that's the shortest retention period for the item from these two scoped retention policies. Items subject to eDiscovery hold also fall under the first principle of retention; they cannot be permanently deleted by any retention policy or retention label. When that hold is released, the principles of retention continue to apply to them. For example, they could then be subject to an unexpired retention period or a delete action.
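Review bot: Number style is inconsistent across the added examples for the third and fourth principles. Example 1 uses "ten years" and "five years", Example 2 pairs "10 years" with "seven years", and the note uses "7 years" and "5 years". Pick one convention and apply it to all of them so the retention periods are easy to compare at a glance.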
Items subject to eDiscovery hold also fall under the first principle of retentio
The following examples are more complex to illustrate the principles of retention when different retain and delete actions are combined. To make the examples easier to follow, all retention policies and labels use the default setting of starting the retention period when the item is created so the end of the retention period is the same for the item. 1. An item has the following retention settings applied to it:
-
+ - A retention policy for delete-only after five years - A retention policy that retains for three years and then deletes - A retention label that retains-only for seven years
-
+ **Outcome**: The item is retained for seven years because retention takes precedence over deletion and seven years is the longest retention period for the item. At the end of this retention period, the item is permanently deleted because of the delete action from the retention policies.
-
- Although the two retention policies have different dates for the delete actions, the earliest that the item can be permanently deleted is at the end of the longest retention period, which is longer than both deletion dates.
-2. An item has the following retention settings applied to it:
-
+ Although the two retention policies have different dates for the delete actions, the earliest that the item can be permanently deleted is at the end of the longest retention period, which is longer than both deletion dates.
+
+2. An item has the following retention settings applied to it:
+ - An org-wide retention policy that deletes-only after ten years - A retention policy scoped with specific instances that retains for five years and then deletes - A retention label that retains for three years and then deletes
-
+ **Outcome**: The item is retained for five years because that's the longest retention period for the item. At the end of that retention period, the item is permanently deleted because of the delete action of three years from the retention label. Deletion from retention labels takes precedence over deletion from all retention policies. In this example, all conflicts are resolved by the third level. ## Use Preservation Lock to restrict changes to policies
-Some organizations might need to comply with rules defined by regulatory bodies such as the Securities and Exchange Commission (SEC) Rule 17a-4, which requires that after a policy for retention is turned on, it cannot be turned off or made less restrictive.
+Some organizations might need to comply with rules defined by regulatory bodies such as the Securities and Exchange Commission (SEC) Rule 17a-4, which requires that after a policy for retention is turned on, it cannot be turned off or made less restrictive.
Preservation Lock ensures your organization can meet such regulatory requirements because it locks a retention policy or retention label policy so that no one—including an administrator—can turn off the policy, delete the policy, or make it less restrictive.
-
+ You apply Preservation Lock after the retention policy or retention label policy is created. For more information and instructions, see [Use Preservation Lock to restrict changes to retention policies and retention label policies](retention-preservation-lock.md). ## Releasing a policy for retention Providing your policies for retention don't have a Preservation Lock, you can delete your policies at any time, which effectively turns off the retention settings for a retention policy, and retention labels can no longer be applied from retention label policies. Any previously applied retention labels remain with their configured retention settings and for these labels, you can still update the retention period when it's not based on when items were labeled.
-You can also keep a policy, but change the location status to off, or disable the policy. Another option is to reconfigure the policy so it no longer includes specific users, sites, groups, and so on.
+You can also keep a policy, but change the location status to off, or disable the policy. Another option is to reconfigure the policy so it no longer includes specific users, sites, groups, and so on.
Additional information for specific locations: - **SharePoint sites and OneDrive accounts:**
-
+ When you release a retention policy for SharePoint sites and OneDrive accounts, any content that's subject to retention from the policy continues to be retained for 30 days to prevent inadvertent data loss. During this 30-day grace period deleted files are still retained (files continue to be added to the Preservation Hold library), but the timer job that periodically cleans up the Preservation Hold library is suspended for these files so you can restore them if necessary.
-
+ An exception to this 30-day grace period is when you update the policy to exclude one or more sites for SharePoint or accounts for OneDrive; in this case, the timer job deletes files for these locations in the Preservation Hold library without the 30-day delay.
-
+ For more information about the Preservation Hold library, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive).
-
+ Because of the behavior during the grace period, if you re-enable the policy or change the location status back to on within 30 days, the policy resumes without any permanent data loss during this time. - **Exchange email and Microsoft 365 Groups**
-
- When you release a retention policy for mailboxes that are [inactive](inactive-mailboxes-in-office-365.md) at the time the policy is released:
-
- - If the retention policy is explicitly applied to a mailbox, the retention settings no longer apply. With no retention settings applied, an inactive mailbox becomes eligible for automatic deletion in the usual way.
-
- An explicit retention policy requires either an adaptive policy scope, or a static policy scope with an include configuration that specified an active mailbox at the time the policy was applied and later became inactive
-
- - If the retention policy is implicitly applied to a mailbox and the configured retention action is to retain, the retention policy continues to apply and an inactive mailbox never becomes eligible for automatic deletion. When the retain action no longer applies because the retention period has expired, the Exchange admin can now [manually delete the inactive mailbox](delete-an-inactive-mailbox.md)
-
- An implicit retention policy requires a static policy scope with the **All recipients** (for Exchange email) or **All groups** (for Microsoft 365 Groups) configuration.
-
+
+ When you release a retention policy for mailboxes that are [inactive](inactive-mailboxes-in-office-365.md) at the time the policy is released:
+
+ - If the retention policy is explicitly applied to a mailbox, the retention settings no longer apply. With no retention settings applied, an inactive mailbox becomes eligible for automatic deletion in the usual way.
+
+ An explicit retention policy requires either an adaptive policy scope, or a static policy scope with an include configuration that specified an active mailbox at the time the policy was applied and later became inactive
+
+ - If the retention policy is implicitly applied to a mailbox and the configured retention action is to retain, the retention policy continues to apply and an inactive mailbox never becomes eligible for automatic deletion. When the retain action no longer applies because the retention period has expired, the Exchange admin can now [manually delete the inactive mailbox](delete-an-inactive-mailbox.md)
+
+ An implicit retention policy requires a static policy scope with the **All recipients** (for Exchange email) or **All groups** (for Microsoft 365 Groups) configuration.
+ For more information about inactive mailboxes that have retention policies applied, see [Inactive mailboxes and Microsoft 365 retention](inactive-mailboxes-in-office-365.md#inactive-mailboxes-and-microsoft-365-retention). ## Auditing retention configuration and actions
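Review bot: Two sentences in the re-indented inactive-mailbox block still end without a period: the one ending "and later became inactive" and the one ending with the link "[manually delete the inactive mailbox](delete-an-inactive-mailbox.md)". Since these lines are being rewritten anyway, add the terminal periods so the bullets match the surrounding sentences.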
For the full list of auditing events, see [Retention policy and retention label
Retention actions that are logged as auditing events are available only for retention labels and not for retention policies: - When a retention label is applied, changed, or removed from an item in SharePoint or OneDrive:
- - From **File and page activities**, select **Changed retention label for a file**
+ - From **File and page activities**, select **Changed retention label for a file**
- When a labeled item in SharePoint is marked as a record, and it is unlocked or locked by a user:
- - From **File and page activities**, select **Changed record status to unlocked** and **Changed record status to locked**
+ - From **File and page activities**, select **Changed record status to unlocked** and **Changed record status to locked**
- When a retention label that marks content as a record or regulatory record is applied to an item in Exchange:
- - From **Exchange mailbox activities**, select **Labeled message as a record**
+ - From **Exchange mailbox activities**, select **Labeled message as a record**
- When a labeled item in SharePoint, OneDrive, or Exchange is marked as a record or regulatory record, and it is permanently deleted:
- - From **File and page activities**, select **Deleted file marked as a record**
+ - From **File and page activities**, select **Deleted file marked as a record**
- When a disposition reviewer takes action for an item that's reached the end of its retention period:
- - From **Disposition review activities**, select **Approved disposal**, **Extended retention period**, **Relabeled item**, or **Added reviewers**
+ - From **Disposition review activities**, select **Approved disposal**, **Extended retention period**, **Relabeled item**, or **Added reviewers**
## PowerShell cmdlets for retention policies and retention labels
To use the retention cmdlets, you must first [connect to the Office 365 Security
- [Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) - ## When to use retention policies and retention labels or eDiscovery holds Although retention settings and [holds that you create with an eDiscovery case](create-ediscovery-holds.md) can both prevent data from being permanently deleted, they are designed for different scenarios. To help you understand the differences and decide which to use, use the following guidance:
If content is subject to both retention settings and an eDiscovery hold, preserv
If you are using older eDiscovery tools to preserve data, see the following resources: -- Exchange:
- - [In-Place Hold and Litigation Hold](/exchange/security-and-compliance/in-place-and-litigation-holds)
- - [How to identify the type of hold placed on an Exchange Online mailbox](./identify-a-hold-on-an-exchange-online-mailbox.md)
+- Exchange:
+ - [In-Place Hold and Litigation Hold](/exchange/security-and-compliance/in-place-and-litigation-holds)
+ - [How to identify the type of hold placed on an Exchange Online mailbox](./identify-a-hold-on-an-exchange-online-mailbox.md)
-- SharePoint and OneDrive:
- - [Add content to a case and place sources on hold in the eDiscovery Center](/SharePoint/governance/add-content-to-a-case-and-place-sources-on-hold-in-the-ediscovery-center)
+- SharePoint and OneDrive:
+ - [Add content to a case and place sources on hold in the eDiscovery Center](/SharePoint/governance/add-content-to-a-case-and-place-sources-on-hold-in-the-ediscovery-center)
- [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md)
If you currently use these older features, they will continue to work side by si
**Older features from Exchange Online:** - [Retention tags and retention policies](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies), also known as [messaging records management (MRM)](/exchange/security-and-compliance/messaging-records-management/messaging-records-management) (deletion only)
-
- However, if you use the following MRM features, be aware that they aren't currently supported by Microsoft 365 retention policies:
-
- - An archive policy for [archive mailboxes](enable-archive-mailboxes.md) to automatically move emails from a user's primary mailbox to their archive mailbox after a specified period of time. An archive policy (with any settings) can be used in conjunction with a Microsoft 365 retention policy that applies to a user's primary and archive mailbox.
-
- - Retention policies applied by an admin to specific folders within a mailbox. A Microsoft 365 retention policy applies to all folders in the mailbox. However, an admin can configure different retention settings by using retention labels that a user can apply to folders in Outlook as a [default retention label](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder).
+
+ However, if you use the following MRM features, be aware that they aren't currently supported by Microsoft 365 retention policies:
+
+ - An archive policy for [archive mailboxes](enable-archive-mailboxes.md) to automatically move emails from a user's primary mailbox to their archive mailbox after a specified period of time. An archive policy (with any settings) can be used in conjunction with a Microsoft 365 retention policy that applies to a user's primary and archive mailbox.
+
+ - Retention policies applied by an admin to specific folders within a mailbox. A Microsoft 365 retention policy applies to all folders in the mailbox. However, an admin can configure different retention settings by using retention labels that a user can apply to folders in Outlook as a [default retention label](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder).
- [Litigation hold](create-a-litigation-hold.md) (retention only)
-
- Although Litigation holds are still supported, we recommend you use Microsoft 365 retention or eDiscovery holds, [as appropriate](#when-to-use-retention-policies-and-retention-labels-or-ediscovery-holds).
+
+ Although Litigation holds are still supported, we recommend you use Microsoft 365 retention or eDiscovery holds, [as appropriate](#when-to-use-retention-policies-and-retention-labels-or-ediscovery-holds).
**Older features from SharePoint and OneDrive:** - [Document deletion policies](https://support.office.com/article/Create-a-document-deletion-policy-in-SharePoint-Server-2016-4fe26e19-4849-4eb9-a044-840ab47458ff) (deletion only)
-
-- [Configuring in place records management](https://support.office.com/article/7707a878-780c-4be6-9cb0-9718ecde050a) (retention only)
-
+
+- [Configuring in place records management](https://support.office.com/article/7707a878-780c-4be6-9cb0-9718ecde050a) (retention only)
+ - [Use policies for site closure and deletion](https://support.microsoft.com/en-us/office/use-policies-for-site-closure-and-deletion-a8280d82-27fd-48c5-9adf-8a5431208ba5) (deletion only)
-
+ - [Information management policies](intro-to-info-mgmt-policies.md) (deletion only)
-
-If you have configured SharePoint sites for content type policies or information management policies to retain content for a list or library, those policies are ignored while a retention policy is in effect.
+
+If you have configured SharePoint sites for content type policies or information management policies to retain content for a list or library, those policies are ignored while a retention policy is in effect.
## Related information - [SharePoint Online Limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits)-- [Limits and specifications for Microsoft Teams](/microsoftteams/limits-specifications-teams)
+- [Limits and specifications for Microsoft Teams](/microsoftteams/limits-specifications-teams)
- [Resources to help you meet regulatory requirements for information governance and records management](retention-regulatory-requirements.md) ## Configuration guidance
compliance Revoke Ome Encrypted Mail https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/revoke-ome-encrypted-mail.md
To verify whether you can revoke a particular email message by using Windows Pow
```console Subject IsRevocable - --
- "Test message" True
+ "Test message" True
``` ### Step 3. Revoke the mail
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table describes the configuration activities for [retention polici
|Friendly name|Operation|Description| |:--|:--|:--|
-| Changed adaptive scope membership |ApplicableAdaptiveScopeChange |Users, sites, or groups were added to or removed from the adaptive scope. These changes are the results of running the scopeΓÇÖs query. Because the changes are system-initiated, the reported user displays as a GUID rather than a user account.|
+| Changed adaptive scope membership |ApplicableAdaptiveScopeChange |Users, sites, or groups were added to or removed from the adaptive scope. These changes are the results of running the scope's query. Because the changes are system-initiated, the reported user displays as a GUID rather than a user account.|
| Configured settings for a retention policy |NewRetentionComplianceRule |Administrator configured the retention settings for a new retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) cmdlet.| | Created adaptive scope |NewAdaptiveScope |Administrator created an adaptive scope.| | Created retention label |NewComplianceTag |Administrator created a new retention label.|
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
Title: "Sensitive information type entity definitions" f1.keywords:+ - CSH
audience: Admin
search.appverid: MET150 f1_keywords:+ - 'ms.o365.cc.UnifiedDLPRuleContainsSensitiveInformation' ms.localizationpriority: medium + - M365-security-compliance hideEdit: true feedback_system: None
This article lists all sensitive information type entity definitions. Each defin
> [!NOTE] > Mapping of confidence level (high/medium/low) with accuracy number (numeric value of 1 to 100)
+>
> - Low confidence: 65 or below > - Medium confidence: 75 > - High confidence: 85 - ## ABA routing number ### Format
nine digits that may be in a formatted or unformatted pattern
- an optional hyphen - a digit - ### Checksum Yes
Yes
### Definition A policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_aba_routing finds content that matches the pattern. - A keyword from Keyword_ABA_Routing is found. A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_aba_routing finds content that matches the pattern. ```xml
A DLP policy has low confidence that it's detected this type of sensitive inform
#### Keyword_aba_routing -- aba number
+- aba number
- aba# - aba - abarouting#
A DLP policy has low confidence that it's detected this type of sensitive inform
- americanbankassociationroutingnumber - bankrouting# - bankroutingnumber-- routing #-- routing no-- routing number-- routing transit number
+- routing #
+- routing no
+- routing number
+- routing transit number
- routing# - RTN - ## All full names All full names is a bundled named entity. It detects full names for people from all supported countries/regions, which include Australia, China, Japan, U.S., and countries in the EU. Use this SIT to detect all possible matches of full names.
No.
This named entity SIT matches personal names that a human would identify as a name with high confidence. For example, if a string is found consisting of a given name and is followed by a family name then a match is made with high confidence. It uses three primary resources: -- A dictionary of given names.-- A dictionary of family names.-- Patterns of how names are formed.
+- A dictionary of given names.
+- A dictionary of family names.
+- Patterns of how names are formed.
The three resources are different for each country. The strings *Olivia Wilson* would trigger a match. Common given/family names are given a higher confidence than rarer names. However, the pattern also allows partial matches. If a given name from the dictionary is found and it's followed by a family name that isn't in the dictionary, then a partial match is triggered. For example, *Tomas Richard* would trigger a partial match. Partial matches are given lower confidence.
In addition, patterns that a human would see as indicative of names are also mat
- Swedish - Turkish - ## All medical terms and conditions All medical terms and conditions is a bundled named entity that detects medical terms and medical conditions. It detects English terms only. Use this SIT to detect all possible matches of medical terms and conditions.
This bundled named entity matches text that mentions medical conditions that are
This bundled named entity SIT contains these individual SITs. -- Blood test terms
+- Blood test terms
- Types of medication - Diseases - Generic medication names
This bundled named entity SIT contains these individual SITs.
- Surgical procedures - Brand medication names - ## All Physical Addresses All physical addresses is a bundled entity SIT, which detects patterns related to physical addresses from all supported countries/regions.
No
The matching of street addresses is designed to match strings that a human would identify as a street address. To do this, it uses several primary resources: -- A dictionary of settlements, counties and regions.-- A dictionary of street suffixes, like Road, Street, or Avenue.-- Patterns of postal codes.-- Patterns of address formats.
+- A dictionary of settlements, counties and regions.
+- A dictionary of street suffixes, like Road, Street, or Avenue.
+- Patterns of postal codes.
+- Patterns of address formats.
The resources are different for each country. The primary resources are the patterns of address formats that are used in a given country. Different formats are chosen to make sure that as many addresses as possible are matched. These formats allow flexibility, for example, an address may omit the postal code or omit a town name or have a street with no street suffix. In all cases, such matches are used to increase the confidence of the match.
This bundled named entity SIT contains these individual SITs:
- Swedish - Turkish - ## Argentina national identity (DNI) number ### Format
Eight digits with or without periods
### Pattern Eight digits:+ - two digits - an optional period - three digits
No
### Definition A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression Regex_argentina_national_id finds content that matches the pattern. - A keyword from Keyword_argentina_national_id is found.
A DLP policy has medium confidence that it's detected this type of sensitive inf
- registro nacional de las personas - rnp - ## Argentina Unique Tax Identification Key (CUIT/CUIL) ### Format
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Pattern 11 digits with a dash:+ - two digits in 20, 23, 24, 27, 30, 33 or 34 - a hyphen (-) - eight digits
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function `Func_Argentina_Unique_Tax_Key` finds content that matches the pattern. - A keyword from `Keyword_Argentina_Unique_Tax_Key` is found. A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function `Func_Argentina_Unique_Tax_Key` finds content that matches the pattern. ```xml
A DLP policy has medium confidence that it's detected this type of sensitive inf
#### Keyword_Argentina_Unique_Tax_Key -- Clave Unica de Identificacion Tributaria
+- Clave Unica de Identificacion Tributaria
- CUIT-- unique code of labour identification -- Clave Única de Identificación Tributaria-- unique labour identification code
+- unique code of labour identification
+- Clave Única de Identificación Tributaria
+- unique labour identification code
- CUIL-- Unique Tax Identification Key-- Unique Labour Identification Key-- Unique Key of Labour Identification-- Unique Work Identification Code-- Unique Code of Work Identification-- Unique Work Identification Key-- Unique Key of Work Identification-- Unique Code of Tax Identification-- Unique Key of Tax Identification-- Unique Labor Identification Code-- Unique Code of Labor Identification-- Unique Labor Identification Key-- Unique Key of Labor Identification-- tax ID
+- Unique Tax Identification Key
+- Unique Labour Identification Key
+- Unique Key of Labour Identification
+- Unique Work Identification Code
+- Unique Code of Work Identification
+- Unique Work Identification Key
+- Unique Key of Work Identification
+- Unique Code of Tax Identification
+- Unique Key of Tax Identification
+- Unique Labor Identification Code
+- Unique Code of Labor Identification
+- Unique Labor Identification Key
+- Unique Key of Labor Identification
+- tax ID
- taxID# - taxId - taxidnumber-- tax number-- tax no-- tax #
+- tax number
+- tax no
+- tax #
- tax#-- taxpayer ID-- taxpayer number-- taxpayer no-- taxpayer #
+- taxpayer ID
+- taxpayer number
+- taxpayer no
+- taxpayer #
- taxpayer#-- tax identity-- tax identification-- Número de Identificación Fiscal-- número de contribuyente-
+- tax identity
+- tax identification
+- N├║mero de Identificaci├│n Fiscal
+- n├║mero de contribuyente
## Australia bank account number
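Review bot: The last two added keywords read "N├║mero de Identificaci├│n Fiscal" and "n├║mero de contribuyente", while the removed line had "Número de Identificación Fiscal" and "número de contribuyente". The accented characters look mis-encoded in the new lines, even though "Clave Única de Identificación Tributaria" earlier in the same list came through intact. Confirm the file is saved as UTF-8 and restore the accents, since these are the keywords the definition for `Keyword_Argentina_Unique_Tax_Key` matches on.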
six to 10 digits with or without a bank state branch number
Account number is 6 to 10 digits. Australia bank state branch number:+ - three digits - a hyphen - three digits
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression Regex_australia_bank_account_number finds content that matches the pattern. - A keyword from Keyword_australia_bank_account_number is found. - The regular expression Regex_australia_bank_account_number_bsb finds content that matches the pattern. A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression Regex_australia_bank_account_number finds content that matches the pattern. - A keyword from Keyword_australia_bank_account_number is found.
A DLP policy has medium confidence that it's detected this type of sensitive inf
- full names - iaea - ## Australia business number This sensitive information type is only available for use in:
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_australian_business_number finds content that matches the pattern. - A keyword from Keywords_australian_business_number is found. A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_australian_business_number finds content that matches the pattern. ```xml
A DLP policy has medium confidence that it's detected this type of sensitive inf
#### Keyword_australia_business_number -- australia business no-- business number
+- australia business no
+- business number
- abn# - businessid#-- business id
+- business id
- abn - businessno# - ## Australia company number This sensitive information type is only available for use in:
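Review bot: The heading over this list is `Keyword_australia_business_number`, but the Definition for this type refers to `Keywords_australian_business_number`. While the list is being reformatted, align the two names so a reader can tie the keyword list to the rule that uses it.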
nine digits with delimiters:
- a space - three digits - ### Checksum Yes
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_Australian_Company_Number finds content that matches the pattern. - A keyword from Keyword_Australian_Company_Number is found. A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_Australian_Company_Number finds content that matches the pattern. ```xml
A DLP policy has low confidence that it's detected this type of sensitive inform
#### Keyword_australia_company_number - acn-- australia company no-- australia company no#-- australia company number-- australian company no-- australian company no#-- australian company number-
+- australia company no
+- australia company no#
+- australia company number
+- australian company no
+- australian company no#
+- australian company number
## Australia driver's license number
No
### Definition A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression Regex_australia_drivers_license_number finds content that matches the pattern. - A keyword from Keyword_australia_drivers_license_number is found. - No keyword from Keyword_australia_drivers_license_number_exclusions is found.
A DLP policy has medium confidence that it's detected this type of sensitive inf
- Driver's License# - Driver's Licenses# - ## Australia medical account number ### Format
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Pattern 10-11 digits:+ - First digit is in the range 2-6 - Ninth digit is a check digit - Tenth digit is the issue digit
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_australian_medical_account_number finds content that matches the pattern. - A keyword from Keyword_Australia_Medical_Account_Number is found. - The checksum passes. - ```xml <!-- Australia Medical Account Number --> <Entity id="104a99a0-3d3b-4542-a40d-ab0b9e1efe63" recommendedConfidence="85" patternsProximity="300">
A DLP policy has high confidence that it's detected this type of sensitive infor
- local service - medicare - ## Australia passport number ### Format
No
### Definition A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression `Regex_australia_passport_number` finds content that matches the pattern. - A keyword from `Keyword_australia_passport_number` is found. A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression `Regex_australia_passport_number` finds content that matches the pattern. ```xml
A DLP policy has low confidence that it's detected this type of sensitive inform
#### Keyword_australia_passport_number - passport#-- passport #
+- passport #
- passportid - passports - passportno-- passport no
+- passport no
- passportnumber-- passport number
+- passport number
- passportnumbers-- passport numbers-- passport details-- immigration and citizenship-- commonwealth of australia-- department of immigration-- national identity card-- travel document-- issuing authority-
+- passport numbers
+- passport details
+- immigration and citizenship
+- commonwealth of australia
+- department of immigration
+- national identity card
+- travel document
+- issuing authority
-## Australia physical addresses
+## Australia physical addresses
Unbundled named entity, detects patterns related to physical address from Australia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT. ### Confidence level medium - ## Australia tax file number ### Format
eight to nine digits
### Pattern eight to nine digits typically presented with spaces as follows:+ - three digits - an optional space - three digits
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_australian_tax_file_number finds content that matches the pattern. - No keyword from Keyword_Australia_Tax_File_Number or Keyword_number_exclusions is found. - The checksum passes.
A DLP policy has high confidence that it's detected this type of sensitive infor
- tax file number - tfn - ## Austria driver's license number ### Format
No
A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters: -- The regular expression `Regex_austria_eu_driver's_license_number` finds content that matches the pattern.-- A keyword from `Keywords_eu_driver's_license_number` or `Keywords_austria_eu_driver's_license_number` is found.
+- The regular expression `Regex_austria_eu_driver's_license_number` finds content that matches the pattern.
+- A keyword from `Keywords_eu_driver's_license_number` or `Keywords_austria_eu_driver's_license_number` is found.
```xml <!-- Austria Driver's License Number -->
A DLP policy has medium confidence that it's detected this type of sensitive inf
- driverlicenses - driverlicence - driverlicences-- driver lic-- driver lics-- driver license-- driver licenses-- driver licence-- driver licences
+- driver lic
+- driver lics
+- driver license
+- driver licenses
+- driver licence
+- driver licences
- driverslic - driverslics - driverslicence - driverslicences - driverslicense - driverslicenses-- drivers lic-- drivers lics-- drivers license-- drivers licenses-- drivers licence-- drivers licences
+- drivers lic
+- drivers lics
+- drivers license
+- drivers licenses
+- drivers licence
+- drivers licences
- driver'lic - driver'lics - driver'license - driver'licenses - driver'licence - driver'licences-- driver' lic-- driver' lics-- driver' license-- driver' licenses-- driver' licence-- driver' licences
+- driver' lic
+- driver' lics
+- driver' license
+- driver' licenses
+- driver' licence
+- driver' licences
- driver'slic - driver'slics - driver'slicense - driver'slicenses - driver'slicence - driver'slicences-- driver's lic-- driver's lics-- driver's license-- driver's licenses-- driver's licence-- driver's licences
+- driver's lic
+- driver's lics
+- driver's license
+- driver's licenses
+- driver's licence
+- driver's licences
- dl# - dls# - driverlic#
A DLP policy has medium confidence that it's detected this type of sensitive inf
- driverlicenses# - driverlicence# - driverlicences#-- driver lic#-- driver lics#-- driver license#-- driver licenses#-- driver licences#
+- driver lic#
+- driver lics#
+- driver license#
+- driver licenses#
+- driver licences#
- driverslic# - driverslics# - driverslicense# - driverslicenses# - driverslicence# - driverslicences#-- drivers lic#-- drivers lics#-- drivers license#-- drivers licenses#-- drivers licence#-- drivers licences#
+- drivers lic#
+- drivers lics#
+- drivers license#
+- drivers licenses#
+- drivers licence#
+- drivers licences#
- driver'lic# - driver'lics# - driver'license# - driver'licenses# - driver'licence# - driver'licences#-- driver' lic#-- driver' lics#-- driver' license#-- driver' licenses#-- driver' licence#-- driver' licences#
+- driver' lic#
+- driver' lics#
+- driver' license#
+- driver' licenses#
+- driver' licence#
+- driver' licences#
- driver'slic# - driver'slics# - driver'slicense# - driver'slicenses# - driver'slicence# - driver'slicences#-- driver's lic#-- driver's lics#-- driver's license#-- driver's licenses#-- driver's licence#-- driver's licences#-- driving licence -- driving license
+- driver's lic#
+- driver's lics#
+- driver's license#
+- driver's licenses#
+- driver's licence#
+- driver's licences#
+- driving licence
+- driving license
- dlno#-- driv lic-- driv licen-- driv license-- driv licenses-- driv licence-- driv licences-- driver licen-- drivers licen-- driver's licen-- driving lic-- driving licen-- driving licenses-- driving licence-- driving licences-- driving permit-- dl no
+- driv lic
+- driv licen
+- driv license
+- driv licenses
+- driv licence
+- driv licences
+- driver licen
+- drivers licen
+- driver's licen
+- driving lic
+- driving licen
+- driving licenses
+- driving licence
+- driving licences
+- driving permit
+- dl no
- dlno-- dl number-
+- dl number
#### Keywords_austria_eu_driver's_license_number
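Review bot: the spaced `#` group added after `driverlicences#` has no `driver licence#` entry (it goes `driver license#`, `driver licenses#`, `driver licences#`), while the `drivers`, `driver'` and `driver's` groups each carry all six forms. Add `- driver licence#` to that group so the variants stay consistent. Separately, `driving licence` is now listed twice, once after `driver's licences#` and again after `driving licenses`; one of the two can go.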
A DLP policy has medium confidence that it's detected this type of sensitive inf
- F├╝hrerscheinnummer - F├╝hrerscheinnummern - ## Austria identity card This sensitive information type is only available for use in:+ - data loss prevention policies - communication compliance policies - information governance
A 24-character combination of letters, digits, and special characters
24 characters: -- 22 letters (not case-sensitive), digits, backslashes, forward slashes, or plus signs
+- 22 letters (not case-sensitive), digits, backslashes, forward slashes, or plus signs
- two letters (not case-sensitive), digits, backslashes, forward slashes, plus signs, or equal signs
Not applicable
A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters: -- The regular expression `Regex_austria_eu_national_id_card` finds content that matches the pattern.-- A keyword from `Keywords_austria_eu_national_id_card` is found.
+- The regular expression `Regex_austria_eu_national_id_card` finds content that matches the pattern.
+- A keyword from `Keywords_austria_eu_national_id_card` is found.
```xml <!-- Austria Identity Card -->
A DLP policy has medium confidence that it's detected this type of sensitive inf
#### Keywords_austria_eu_national_id_card -- identity number-- national id-- personalausweis republik österreich-
+- identity number
+- national id
+- personalausweis republik ├╢sterreich
## Austria passport number
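Review bot: the added line `personalausweis republik ├╢sterreich` replaces `personalausweis republik österreich` with a mis-encoded `ö`, so the documented keyword no longer reads as the German term it stood for. Restore `österreich` and save the file as UTF-8; the same corruption is visible in `F├╝hrerscheinnummer` in the unchanged Austria driver's license keywords earlier in this file.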
not applicable
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The regular expression `Regex_austria_eu_passport_number` finds content that matches the pattern.-- A keyword from `Keywords_eu_passport_number` or `Keywords_austria_eu_passport_number` is found.+
+- The regular expression `Regex_austria_eu_passport_number` finds content that matches the pattern.
+- A keyword from `Keywords_eu_passport_number` or `Keywords_austria_eu_passport_number` is found.
- The regular expression `Regex_eu_passport_date1` finds date in the format DD.MM.YYYY or a keyword from `Keywords_eu_passport_date` is found A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The regular expression `Regex_austria_eu_passport_number` finds content that matches the pattern.-- A keyword from `Keywords_eu_passport_number` or `Keywords_austria_eu_passport_number` is found.+
+- The regular expression `Regex_austria_eu_passport_number` finds content that matches the pattern.
+- A keyword from `Keywords_eu_passport_number` or `Keywords_austria_eu_passport_number` is found.
```xml <!-- Austria Passport Number -->
A DLP policy has medium confidence that it's detected this type of sensitive inf
#### Keywords_eu_passport_number - passport#-- passport #
+- passport #
- passportid - passports - passportno-- passport no
+- passport no
- passportnumber-- passport number
+- passport number
- passportnumbers-- passport numbers
+- passport numbers
#### Keywords_austria_eu_passport_number
A DLP policy has medium confidence that it's detected this type of sensitive inf
- date of issue - date of expiry - ## Austria physical addresses This unbundled named entity detects patterns related to physical address from Austria. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
This unbundled named entity detects patterns related to physical address from Au
Medium - ## Austria social security number ### Format
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The function `Func_austria_eu_ssn_or_equivalent` finds content that matches the pattern.-- a keyword from `Keywords_austria_eu_ssn_or_equivalent` is found.+
+- The function `Func_austria_eu_ssn_or_equivalent` finds content that matches the pattern.
+- a keyword from `Keywords_austria_eu_ssn_or_equivalent` is found.
A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The function `Func_austria_eu_ssn_or_equivalent` finds content that matches the pattern.+
+- The function `Func_austria_eu_ssn_or_equivalent` finds content that matches the pattern.
```xml <!-- Austria Social Security Number -->
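Review bot: the re-bulleted high-confidence item that begins "a keyword from" keeps its lowercase first letter, while the sibling item "The function ..." and the matching items in the neighbouring definitions start with a capital. Capitalize it while the list is being touched.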
A DLP policy has medium confidence that it's detected this type of sensitive inf
- versicherungsnummer - zdravstveno zavarovanje - ## Austria tax identification number ### Format
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The function `Func_austria_eu_tax_file_number` finds content that matches the pattern.-- A keyword from `Keywords_austria_eu_tax_file_number` is found.+
+- The function `Func_austria_eu_tax_file_number` finds content that matches the pattern.
+- A keyword from `Keywords_austria_eu_tax_file_number` is found.
A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The function `Func_austria_eu_tax_file_number` finds content that matches the pattern.+
+- The function `Func_austria_eu_tax_file_number` finds content that matches the pattern.
```xml <!-- Austria Tax Identification Number -->
A DLP policy has low confidence that it's detected this type of sensitive inform
- österreich - st.nr. - steuernummer-- tax id-- tax identification no-- tax identification number-- tax no#-- tax no-- tax number-- tax registration number
+- tax id
+- tax identification no
+- tax identification number
+- tax no#
+- tax no
+- tax number
+- tax registration number
- taxid# - taxidno# - taxidnumber# - taxno# - taxnumber# - taxnumber-- tin id-- tin no
+- tin id
+- tin no
- tin# - tax number - ## Austria value added tax This sensitive information type is only available for use in:+ - data loss prevention policies - communication compliance policies - information governance
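Review bot: `tax number` ends up in this keyword list twice, once in the re-bulleted block after `tax no` and again as the last entry after `tin#`. Drop one of them while the list is being reformatted.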
Yes
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_Austria_Value_Added_Tax finds content that matches the pattern. - A keyword from Keyword_Austria_Value_Added_Tax is found. A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The function Func_Austria_Value_Added_Tax finds content that matches the pattern. ```xml
A DLP policy has medium confidence that it's detected this type of sensitive inf
#### Keyword_austria_value_added_tax -- vat number
+- vat number
- vat#-- austrian vat number-- vat no.
+- austrian vat number
+- vat no.
- vatno#-- value added tax number-- austrian vat
+- value added tax number
+- austrian vat
- mwst - umsatzsteuernummer - mwstnummer - ust.-identifikationsnummer - umsatzsteuer-identifikationsnummer-- vat identification number-- atu number-- uid number-
+- vat identification number
+- atu number
+- uid number
## Azure DocumentDB auth key
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression CEP_Regex_AzureDocumentDBAuthKey finds content that matches the pattern. - The regular expression CEP_CommonExampleKeywords doesn't find content that matches the pattern.
A DLP policy has high confidence that it's detected this type of sensitive infor
- testacs.<!--no-hyperlink-->com - s-int.<!--no-hyperlink-->net - ## Azure IAAS database connection string and Azure SQL connection string ### Format
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression CEP_Regex_AzureConnectionString finds content that matches the pattern. - The regular expression CEP_CommonExampleKeywords doesn't find content that matches the pattern.
A DLP policy has high confidence that it's detected this type of sensitive infor
- testacs.<!--no-hyperlink-->com - s-int.<!--no-hyperlink-->net - ## Azure IoT connection string ### Format
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression CEP_Regex_AzureIoTConnectionString finds content that matches the pattern. - The regular expression CEP_CommonExampleKeywords doesn't find content that matches the pattern.
This sensitive information type identifies these keywords by using a regular exp
- testacs.<!--no-hyperlink-->com - s-int.<!--no-hyperlink-->net - ## Azure publish setting password ### Format
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression CEP_Regex_AzurePublishSettingPasswords finds content that matches the pattern. - The regular expression CEP_CommonExampleKeywords doesn't find content that matches the pattern. - ```xml <!--Azure Publish Setting Password--> <Entity id="75f4cc8a-a68e-49e5-89ce-fa8f03d286a5" patternsProximity="300" recommendedConfidence="85">
This sensitive information type identifies these keywords by using a regular exp
- testacs.<!--no-hyperlink-->com - s-int.<!--no-hyperlink-->net - ## Azure Redis cache connection string ### Format
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:+ - The regular expression CEP_Regex_AzureRedisCacheConnectionString finds content that matches the pattern. - The regular expression CEP_CommonExampleKeywords doesn't find content that matches the pattern.
A DLP policy has high confidence that it's detected this type of sensitive infor
- testacs.<!--no-hyperlink-->com - s-int.<!--no-hyperlink-->net - ## Azure SAS ### Format
No
### Definition A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity o