+ In the **Manage sources** pop-up window that appears, under **Plugins**, confirm that the **Microsoft Defender Threat Intelligence** toggle is turned on, then close the window.

+2. From the dashboard homepage, select the **View more** button on the Microsoft Teams apps activity card.

+- Users who installed apps

+- Users who used apps

+### Users who have used apps

+For more information about how to manage your Teams apps, refer to [About apps in Microsoft Teams](/microsoftteams/deploy-apps-microsoft-teams-landing-page).

+External App IDs are equivalent to the ID in the Manage apps page for Store apps. For custom apps, to view External App ID in the Manage Apps page, follow the instructions on [Manage apps setup policies in Microsoft Teams](/microsoftteams/teams-app-setup-policies) to add the column in the column settings. You can also view it on the app details page for a custom app.

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-5.png" alt-text="Screenshot of where you select Save to add a TXT verification record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add an MX record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-mx-save.png" alt-text="Screenshot of where you select Save to add an MX record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-spftxt-save.png" alt-text="Screenshot of where you select Save to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add an SRV record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-srv-save.png" alt-text="Screenshot of where you select Save to add an SRV record.":::

+ :::image type="content" source="../../media/dns-ionos/ionos-domains-3.png" alt-text="Screenshot of where you select Add record to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-TXTSPF-Add.png" alt-text="Screenshot of where you select Add to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-MX-Add.png" alt-text="Screenshot of where you select Add to add an MX record.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-CNAME-Add.png" alt-text="Screenshot of where you select Add to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-TXTSPF-Add.png" alt-text="Screenshot of where you select Add to add an SRV record.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-CNAME-Add.png" alt-text="Screenshot of where you select Add to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-123reg/123reg-domains-CNAME-Add.png" alt-text="Screenshot of where you select Add to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-txt-create-records.png" alt-text="Screenshot of where you select Create records to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the MX record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Select the domain name for the hosted zone version of the domain.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add an MX record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-mx-create-records.png" alt-text="Screenshot of where you select Create records to add an MX record":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the CNAME record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the MX record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add a CNAME record":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-cname-create-records.png" alt-text="Screenshot of where you select Create records to add a CNAME record":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the SPF TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the SPF TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-txt-create-records.png" alt-text="Screenshot of where you select Create records to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the SRV records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the SRV records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add an SRV record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domians-srv-create-records.png" alt-text="Screenshot of where you select Create records to add an SRV record.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-2.png" alt-text="Screenshot of Registered Domains where you select Manage DNS for the CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-cname-create-records.png" alt-text="Screenshot of where you select Create records to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-1.png" alt-text="Screenshot of Registered Domains where you select the Domain Name for the CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-3.png" alt-text="Screenshot of Hosted zones where you select the Domain name for the CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-create-record.png" alt-text="Screenshot of where you select Create record to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-aws/aws-domains-cname-create-records.png" alt-text="Screenshot of where you select Create records to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-TXT-save.png" alt-text="Screenshot of where you select Save to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add an MX record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-mx-save.png" alt-text="Screenshot of where you select Save record to add an MX record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Screenshot of where you select Save to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-TXT-save.png" alt-text="Screenshot of where you select Save to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add an SRV record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-srv-save.png" alt-text="Screenshot of where you select Save to add an SRV record.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Screenshot of where you select Save to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-add-record.png" alt-text="Screenshot of where you select Add record to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-cname-save.png" alt-text="Screenshot of where you select Save to add an CNAME record for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-add-txt-records.png" alt-text="Select TXT from the Type drop-down list for the domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXTvalue.png" alt-text="Fill in the values from the table for the domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXT-save.png" alt-text="Screenshot of where you select Save to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add an MX record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add-MX-records.png" alt-text="Drop down menu showing MX record selected.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-TXT-save.png" alt-text="Select TXT from the Type drop-down list for the SPF TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-add-TXTvalue-spf.png" alt-text="Fill in the values from the table for the SPF TXT record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add an SRV record.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-SRV-records.png" alt-text="Fill in the values from the table for the SRV records.":::

+### Add the two required CNAME records for Microsoft Teams

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add CNAME records for Microsoft Teams.":::

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-CNAME-records.png" alt-text="Fill in the values from the table for the CNAME records for Microsoft Teams.":::

+6. Select **Save**.

+7. Add the other CNAME record by choosing the values from the second row of the table.

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-add.png" alt-text="Screenshot of where you select Add to add CNAME records for Mobile Device Management.":::

+5. In the empty boxes for the new records, type or copy and paste the values from the first row in the following table.

+ :::image type="content" source="../../media/dns-godaddy/godaddy-domains-CNAME-values.png" alt-text="Fill in the values from the table for the CNAME records for Mobile Device Management.":::

+6. Select **Save**.

+7. Add the other CNAME record by choosing the values from the second row of the table.

+ :::image type="content" source="../../media/a5b40973-19b5-4c32-8e1b-1521aa971836.png" alt-text="Select TXT Record for the domain verification TXT record.":::

+ :::image type="content" source="../../media/fe75c0fd-f85c-4bef-8068-edaf9779b7f1.png" alt-text="Copy and paste the values from the table for the domain verification TXT record.":::

+ :::image type="content" source="../../media/b48d2c67-66b5-4aa4-8e59-0c764f236fac.png" alt-text="Screenshot of the the Save Changes control for the domain verification TXT record.":::

+ :::image type="content" source="../../media/f3b76d62-5022-48c1-901b-8615a8571309.png" alt-text="Copy and paste the values from the table for the MX record.":::

+ :::image type="content" source="../../media/ef4e3112-36d2-47c8-a478-136a565dd71d.png" alt-text="Screenshot of the the Save Changes control for the MX record.":::

+ :::image type="content" source="../../media/f79c5679-34eb-4544-8517-caa2e8a4111a.png" alt-text="Copy and paste the values from the table for the CNAME record.":::

+ :::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Screenshot of the the Save Changes control for the CNAME record.":::

+ :::image type="content" source="../../media/c5d1fddb-28b5-48ec-91c9-3e5d3955ac80.png" alt-text="Select TXT Record for the SPF TXT record.":::

+ :::image type="content" source="../../media/ea0829f1-990b-424b-b26e-9859468318dd.png" alt-text="Copy and paste the values from the table for the SPF TXT record.":::

+ :::image type="content" source="../../media/f2846c36-ace3-43d8-be5d-a65e2c267619.png" alt-text="Screenshot of the the Save Changes control for the SPF TXT record.":::

+ :::image type="content" source="../../media/ff9566ea-0096-4b7f-873c-027080a23b56.png" alt-text="Copy and paste the values from the table for the SRV records.":::

+ :::image type="content" source="../../media/48a8dee4-c66d-449d-8759-9e9784c82b13.png" alt-text="Screenshot of the the Save Changes control for the SRV records for Microsoft Teams.":::

+ :::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Screenshot of the the Save Changes control for the CNAME records for Microsoft Teams.":::

+ :::image type="content" source="../../media/f79c5679-34eb-4544-8517-caa2e8a4111a.png" alt-text="Copy and paste the values from the table for the CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/91a5cce4-ca41-41ec-b976-aafe681a4d68.png" alt-text="Screenshot of the the Save Changes control for the CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Screenshot of where you select Add to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-MX-add.png" alt-text="Screenshot of where you select Add to add an MX record.":::

+ |Refers to|TXT Value|TTL|

+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-add.png" alt-text="Screenshot of where you select Add to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-networksolutions/networksolutions-domains-srv-add.png" alt-text="Screenshot of where you select Add to add an SRV record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-TXT.png" alt-text="Select TXT from the Type drop-down list for the domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add an MX record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-mx-add.png" alt-text="Screenshot of where you select Add to add an MX record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-TXT.png" alt-text="Select TXT from the Type drop-down list for the SPF TXT record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add an SRV record.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-webcom/webcom-domains-add-record.png" alt-text="Screenshot of where you select Add a record to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-TXT-add-record.png" alt-text="Screenshot of where you select Add record to add a domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-txt-save.png" alt-text="Screenshot of where you select Save to add domain verification TXT record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-cname-add-record.png" alt-text="Screenshot of where you select Add a record to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-cname-save.png" alt-text="Screenshot of where you select Save to add a CNAME record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-TXT-add-record.png" alt-text="Screenshot of where you select Add a record to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-txt-save.png" alt-text="Screenshot of where you select Save to add an SPF TXT record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-srv-add-record.png" alt-text="Screenshot of where you select Add a record to add an SRV record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-srv-save.png" alt-text="Screenshot of where you select Save to add a SRV record.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-cname-save.png" alt-text="Screenshot of where you select Save to add CNAME records for Skype for Business.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-cname-add-record.png" alt-text="Screenshot of where you select Add a record to add CNAME records for Mobile Device Management.":::

+ :::image type="content" source="../../media/dns-wix/wix-domains-cname-save.png" alt-text="Screenshot of where you select Save to add CNAME records for Mobile Device Management.":::

+4. On the **Choose where to transfer your domain** page, select **A different registrar**, and then select **Next**.

+8. Go to the website of the domain registrar you want to manage your domain name going forward. Follow directions for transferring a domain (search for help on their website). This usually means paying transfer fees and giving the Authcode to the new registrar so they can initiate the transfer. Microsoft emails you to confirm weΓÇÖve received the transfer request, and the domain will transfer within five days.

+10. To finish the process, go back to the **Domains** page in the admin center, and then select **Complete domain transfer**. This marks the domain as no longer purchased from Microsoft 365, and will disable the domain subscription. It will not remove the domain from the tenant, and won't affect existing users and mailboxes on the domain.

+We added explanations to the main katakana terms used in the Microsoft 365 Management Center. For more detailed information, refer to the text in the link on each item.

+Refers to an identifying name assigned to an individual within an organization/company for using Microsoft 365. It's created for each organization/company and a separate account is assigned to each individual. Use this account to use Microsoft 365 services.

+This isn't a stand-alone offering by itself, but an extra feature to a service that is subscribed to by subscription. It provides more advanced and new features.

+A place or device for storing files on the Internet. It can be beneficial when an individual uses the same file from multiple terminals or devices, or when multiple people work together. It's suitable for referencing and modifying files from different environments such as PCs and mobile devices, internal and remotely.

+The global administrator has the authority to change, delete, or set new settings for all setting items.

+If you wish to appoint an administrator with limited administrative functions (for example, you want to give them administrative functions but not allow them to purchase new services.), refer to the following article.

+A computer or software function that is provided over a network (Internet). It's distinguished from software that is executed directly on the PC at your disposal.

+To make the service available for use from the account via authentication, or to allow the service to recognize the user. Microsoft 365 services become available by signing in.

+For example: contoso.com part of www.contoso.com and mail@contoso.com.

+In Microsoft 365, it refers to the state of being viewable or editable by all users in the organization. For example: Public group: A group in which anyone in the organization can participate.

+For matters that require customer support attention in accordance with your support contract, use the "Help and Support" link at the top of the page. For non-support related issues such as usability or new feature suggestions, use this feedback form to send your suggestions. The development team looks directly at the content. The more specific your comments and requests are, the more likely it will be implemented.

+A state in which only certain people within an organization can view, modify, etc. The owner or administrator of that information or group can set which people are granted permission to connect. For example: Private group

+Billing information and other information related to Microsoft 365 payments are stored. It's used to pay for products and services purchased from Microsoft. Note: Billing profiles aren't used for products and services purchased from Microsoft.com or the Management Center.

+Search results are organized into different categories. Most of the categories are items in the admin center. For example, users, groups, shared mailboxes, or domains. Other categories show you places you can navigate to, actions you can take or app level settings that you can change. And there's also a category related to documentation.

+You need to be an administrator to search in the admin center. Search results are scoped to administrator permissions the logged in user has. For example, if SharePoint admin doesn't see an area or category in the admin center, they can't see it in search.

+You can find users by display name, last name, first name, username, primary email address, or email aliases. Select the user's name edit to edit the userΓÇÖs details.

+- Make sure you spell the users' names correctly as user searches are matched exactly against the earlier mentioned properties. For example, in the above example, Jus or Malz will work but a misspelling, like, Jostin instead of Justin won't find this user.

+You can search for Actions category, which contains frequently used actions in M365 Admin Center. Think of actions as verb in the system. For example, you can also search "reset password" from any page and then reset one or more passwords for users. You can search for ΓÇ£delete a userΓÇ¥ and delete the user from the Delete user page.

+Results provides a way to quickly navigate to a specific page in the admin center. For example, searching for RBAC takes you to the Roles page for Microsoft Entra roles.

+You can find quick links to your domains, and then the link takes you to that domain's overview page.

+A documentation search provides relevant help documentation based on your search phrase. Select the article to learn more.

+description: "Make your organization more secure against password attacks, and ban common passwords and enable risk-based multifactor authentication."

+Microsoft cloud-only accounts have a predefined password policy that can't be changed. The only items you can change are the number of days until a password expires and whether or not passwords expire at all.

+- **Understanding human nature** Many valid password practices fail in the face of natural human behaviors. Understanding human nature is critical because research shows that almost every rule you impose on your users results in a weakening of password quality. Length requirements, special character requirements, and password change requirements all result in normalization of passwords, which makes it easier for attackers to guess or crack passwords.

+- Maintain an eight-character minimum length requirement

+- Educate your users to not reuse their organization passwords for nonwork related purposes

+- Make passwords hard to guess, even by people who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

+They're some of the most commonly used password management practices, but research warns us about their negative impacts.

+Password expiration requirements do more harm than good, as they make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

+To encourage users to think about a unique password, we recommend keeping a reasonable eight-character minimum length requirement.

+Most people use similar patterns. For example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cyber criminals are aware about such patterns, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

+One of the most important messages to get across to users in your organization is to not reuse their organization password anywhere else. The use of organization passwords in external websites greatly increases the likelihood that cybercriminals can compromise these passwords.

+Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out of band notification channel for security events such as login attempts or changed passwords.

+Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to ensure that they're the legitimate account owner.

+Want to know more about managing passwords? Here's some recommended reading:

+- Make sure that no duplicates exist in your directory for the following attributes: **mail**, **proxyAddresses**, and **userPrincipalName**. These values must be unique and any duplicates must be removed.

+- We recommend that you configure the **userPrincipalName** (UPN) attribute for each local user account to match the primary email address that corresponds to the licensed Microsoft 365 user. For example: *mary.shelley@contoso.com* rather than *mary@contoso.local*.

+- If the Active Directory domain ends in a non-routable suffix like *.local* or *.lan*, instead of an internet routable suffix such as *.com* or *.org*, adjust the UPN suffix of the local user accounts first as described in [Prepare a non-routable domain for directory synchronization](../../enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md).

+The **Run IdFix** in the following steps makes sure that your on-premises Active Directory is ready for directory synchronization.

+## Step 1: Make your organizationΓÇÖs data available for the Microsoft 365 Usage Analytics report

+ This starts a process to make your organizations data accessible for this report, and you'll see a message stating that **WeΓÇÖre getting your data ready for Microsoft 365 usage analytics**. This process can take 24 hours to complete.

+4. When your organizations data is ready, refreshing the page shows a message stating that your data is now available, and provides your **tenant ID** number. You'll need to use the tenant ID in a later step when you attempt to connect to your tenant data.

+Microsoft 365 GCC users can download and use the Microsoft 365 Usage Analytics report template file to connect to their data. You would need Power BI Desktop to open and use the template file.

+2. When prompted for a **TenantID**, enter the tenant ID you received when you prepared your organizationΓÇÖs data for this report in step 1. Then select **Load**. It can take several minutes for your data to load.

+3. When loading completes, your report is displayed, and you'll see an executive summary of your data.

+5. Select **Publish** in the Power BI Desktop menu to publish the report to the Power BI Online service where it can be viewed. This requires either a Power BI Pro license or Power BI Premium capacity. As part of the [publish process](/power-bi/create-reports/desktop-upload-desktop-files#to-publish-a-power-bi-desktop-dataset-and-reports), you'll need to select a destination to publish to an available workspace in the Power BI Online Service.

+ 

+ 

+ 

+ 

+ Hover data points to view a call out that contains details.

+ 

+ 

+ Learn about dashboard, datasets, reports, and other Power BI concepts.

+ Learn the basic functionality in Power BI. Find links to how to use Power BI Desktop.

+ Learn how to share reports with your colleagues or people outside your organization. You can also share the report or a filtered version of the report.

+ **Where you will see this message:** In Power BI when you're connecting to the Microsoft 365 Usage Analytics template app, or when directly calling the Microsoft 365 Reporting APIs.

+ **Cause:** Before you can connect to the app, you have to subscribe to the data from the Microsoft 365 admin center. If this step isn't done first, you cannot connect to the template app, even if you provide your Microsoft 365 tenant ID.

+ **Where you will see this message:** In the **Microsoft 365 usage analytics** tile, on the **Usage** dashboard in the Microsoft 365 admin center.

+ **To fix this:** Just be patient, but if the message doesn't change to **Your data is ready** after 3 days, [contact Microsoft 365 for business support](Get support](../get-help-support.md).

+ **Where you will see this message:** In Power BI, when you're connecting to the Microsoft 365 Usage Analytics template app or when directly calling the Microsoft 365 Reporting APIs.

+ **To fix this:** Just be patient, but if the message doesn't change to **Your data is ready** even 3 days since initiation, [contact Microsoft 365 for business support](../../business-video/get-help-support.md).

+ **Where you will see this message:** In Power BI, when you're connecting to the Microsoft 365 Usage Analytics template app or when directly calling the Microsoft 365 Reporting APIs.

+ **Cause:** The tenant ID is a guid and has to be in the format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. If you enter any other string in the tenant input box, you get this error.

+ **Where you will see this message:** In Power BI when you're connecting to the Microsoft 365 Usage Analytics template app or when directly calling the Microsoft 365 Reporting APIs.

+ **Cause:** The tenant ID you provided isn't valid or doesn't exist.

+ **Where you will see this message:** In Power BI when you're connecting to the Microsoft 365 Usage Analytics template app or when directly calling the Microsoft 365 Reporting APIs.

+ **Cause:** The authorization code failed and can require you to enter your credentials again.

+ **Where you will see this message:** In Power BI when you're connecting to the Microsoft 365 Usage Analytics template app or when directly calling the Microsoft 365 Reporting APIs.

+ **Cause:** The authorization code failed because the user who tried connecting to the template app doesn't have the right level of authorization to access this data.

+ **To fix this error:** Provide the credentials of a user who is either a **Global admin**, **Exchange admin**, **Skype for Business admin**, **SharePoint admin**, **Global reader**, or **Report reader** to connect to the template app. See [About admin roles](../add-users/about-admin-roles.md) for more information.

+ Title: Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to set up pay-as-you-go billing for Microsoft 365 Backup.

+# Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)

+As a first step to start using Microsoft 365 Backup, you should link an Azure subscription in Syntex pay-as-you-go, if you haven't already done so. Although Microsoft 365 Backup isn't part of the Microsoft Syntex product suite, this offering is still using the Syntex billing setup for consistency with other Microsoft 365 pay-as-you-go offerings.

+## Set up billing

+Use these steps to set up pay-as-you-go billing for Microsoft 365 Backup.

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Setup**.

+3. On the **Setup** page, in the **Files and content** section, select **Use content AI with Microsoft Syntex**.

+4. On the **Use content AI with Microsoft Syntex** page, select **Set up billing**.

+ 

+ > [!NOTE]

+ > To set up pay-as-you-go billing for Microsoft 365 Backup, you must provide an owner or contribution role on the Azure subscription to be used.

+5. If you ***don't*** have an Azure subscription or resource group, follow these steps. If you have an Azure subscription and resource group, go directly to step 6.

+ To create a new Azure subscription with the same organization and Microsoft Entra tenant as your Microsoft 365 subscription:

+ 1. Sign in to the [Azure portal](https://portal.azure.com) with your Microsoft 365 admin, Microsoft Entra DC admin, or Global admin account.

+ 1. In the left navigation, select **Subscriptions**, and then select **Add**.

+ 1. On the **Add subscription** page, select an offer and complete the payment information and agreement.

+ To create a new Azure resource group:

+ 1. On the **Set up pay-as-you-go billing** panel, select **Learn more about Azure resource groups**.

+ 1. Or, you can follow steps in [Manage Azure resource groups by using the Azure portal](/azure/azure-resource-manager/management/manage-resource-groups-portal) to create a resource group.

+ 

+ > [!NOTE]

+ > The resource group should be mapped to the Azure subscription you provided when you set up pay-as-you-go.

+6. If you ***have*** an Azure subscription, follow these steps:

+ 1. On the **Set up pay-as-you-go billing** panel, under **Azure subscription**, select the subscription from the dropdown list.

+ > [!NOTE]

+ > The subscription dropdown list will not populate if you don't have an owner or contributor on the subscription.

+ 

+ 1. Under **Resource group**, select the resource group from the dropdown list.

+ 1. Under **Region**, select the region from the dropdown list.

+ 1. Review and accept the terms of service, and then select **Save**.

+You have successfully set up billing. You can proceed to [Step 2: Turn on Microsoft 365 Backup](backup-setup.md#step-2-turn-on-microsoft-365-backup).

+## Manage consumption and invoices in the Azure portal

+You can view actual and accumulated cost breakdown by tenants and service type for OneDrive, SharePoint, and Exchange in Microsoft Cost Management in the Azure portal or access the information by using the [Cost Management public APIs](/rest/api/cost-management/operation-groups). Cost breakdown by application ID is coming soon.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Search for *Cost Management + Billing*.

+3. Select **Cost analysis** to see:

+ - Accumulated cost and forecast cost.

+ - Select **+Add Filter** to see breakdown of cost by meters and tags.

+ 

+### Billing attribution by tenants, service type, and applications

+You can see actual cost breakdown by tags in Azure portal. There are currently two tags available for Microsoft 365 Backup: **tenants** and **servicetype**.

+To view tags:

+1. Select **+Add Filter** to see breakdown of cost by meters and tags.

+2. Select the tag:

+ - In the key-value pair, select **tenants** or **servicetype**, and then select the respective tenant ID or service type.

+ - **tenants** shows a list of tenant IDs.

+ - **servicetype** is OneDrive, SharePoint, or Exchange.

+ - **applications** is coming soon.

+ - Azure cost analysis - filter by tag.

+4. In the left navigation, select **Billing** to see monthly invoices.

+5. Set up budget alerts on cost by following the steps in the [Cost Management public APIs](/rest/api/cost-management/operation-groups).

+ Title: Frequently asked questions about Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Read frequently asked questions about Microsoft 365 Backup.

+# Frequently asked questions about Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+#### Has Microsoft's stance on shared responsibility of data protection changed?

+No, we still have the same point of view, but are now offering additional tools to help organizations achieve those goals and responsibilities.

+#### Why donΓÇÖt Disaster Recovery copies suffice for my backup?

+Disaster Recovery (DR) is the ability to recover from a situation in which the primary data center is unable to continue to operate. A DR copy with Microsoft 365 maintains the current state of content, not any historical versions from prior points in time. Microsoft 365 Backup provides additional benefit by giving you a way to restore data back to a healthy state in the past with fast RTO to with short RPO intervals.

+#### Why donΓÇÖt versions already solve this point in time restore problem?

+Versions give individual users a way to restore files or sites to prior points in time, but that kind of recovery method doesn't scale well for mass ransomware attacks where an admin needs to orchestrate the recovery. Versions might also be exhausted depending on the version limit set by the admin.

+#### Why donΓÇÖt legal holds solve the problem of keeping all versions of items for recovery?

+Legal holds retain data, but that feature is optimized for export (for example, via eDiscovery), not for mass restore. Microsoft 365 Backup gives the right enhanced restore tooling for ransomware and accidental/malicious deletions at scale, plus optimized performance for those scenarios.

+#### What mailbox changes are ΓÇ£backed upΓÇ¥?

+Mailbox backup enables the recovery of copies of mailbox item ΓÇ£versions.ΓÇ¥ Versions are created by two types of actions:

+- Modifications

+- Deletions

+Example events that are versions and recoverable via backup:

+**User action**

+- Edit a received email using ΓÇÿedit messageΓÇÖ via OL

+- Edit a Note (not draft)

+- Remove an attachment from an email

+- Edit an attachment to an email

+- Edit a contact (not draft)

+- Modify body of a calendar invite

+- Update time of a calendar invite

+- Edit a task (not draft)

+- Delete note from deleted items

+- Delete email from deleted items

+- Purge items from single item retention

+- Delete a folder with items in it

+Example events that aren't versioned or recoverable via backup:

+**User action**

+- Edit an email item in the drafts folder

+- Update a flag on a received email

+- Set ΓÇÿDo Not ForwardΓÇÖ on a received email

+- Set a received message to highly important

+#### What is the service recovery point objective?

+The recovery point objective (RPO) is the maximum amount of time between the most recent backup and a data destruction event. Stated another way, itΓÇÖs the amount data lost due to a data destruction event not recoverable via the backups. In the case of Microsoft 365 Backup, the RPOs are:

+For OneDrive and SharePoint, the RPO for the first two weeks is 15 mins, then one week beyond that. This means for the first two weeks, the most amount of data that can be lost due to a data destruction event is roughly 10 minuteΓÇÖs worth of the most recent data. Likewise, after two weeks, the most amount of data that can be lost is a weekΓÇÖs worth of data.

+For Exchange Online, the RPO is 10 seconds, meaning the most amount of data that can be lost due to a data destruction event is roughly 10 secondΓÇÖs worth of data.

+Let's start with what it doesn't mean: We are *not* taking snapshots every 10 seconds.

+Backup frequency of 10 seconds (if the item is modified) means that changes to the item will be saved as a version once every 10 seconds, no matter how many changes are made in that 10-second interval. For example, if a ransomware attack encrypts the email item every second, will we take six copies in a minute.

+ Title: Preview limitations in Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about the preview limitations in Microsoft 365 Backup.

+# Preview limitations in Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+## Feature limitations

+The constraints and limitations outlined in this article are temporary for the preview and will be resolved either by general availability or shortly after, unless stated otherwise.

+### Performance

+Performance and speed of web interfaces, initial configuration, and restores might be slower than expected during the preview period as we scale up our infrastructure to remove undesirable latency from our system.

+### Backup configuration

+- You can create only one active backup policy per underlying service (that is, one for OneDrive accounts, one for SharePoint sites, and one for Exchange online users). You can add or remove as many artifacts (sites or user accounts) to or from each active policy.

+- Once the sites or mailboxes are added to a backup policy, it might take up to 15 minutes per 1,000 sites or mailboxes for restore points to become available for restore. Backups begin as soon as the policy is in effect, even if the restore points aren't yet available. This limitation will be removed shortly.

+- The CSV upload feature for bulk addition of sites or user accounts in the backup policy creation workflow can accommodate a maximum of 3,000 entries per CSV file.

+- The rule-based feature for bulk addition of sites via site names or URL in the backup policy creation workflow can accommodate a maximum of 10 keywords at a time. Each keyword can have a minimum of three characters and maximum of 255 characters.

+- The rule-based feature for bulk addition of user accounts via security groups or distribution lists can accommodate a maximum of three groups at a time. These rules are static and applied one time only. That is, the security groups or distribution lists are flattened at the time of adding to the backup configuration policy. Groups or list won't be dynamically updated in the system if users are added or removed from the original security group, for example.

+- Backup and restore of tenants that have the multi-geo feature enabled for OneDrive and SharePoint might not work properly. We recommend not using the preview version of Backup until multi-geo support is fully enabled.

+<!

+- When you remove a OneDrive for Business account or a SharePoint site from a backup policy, you continue to be billed for the existing backups for the next one year of their retention. Additionally, the price of that backup will be proportional to the size of the site or account throughout that remaining year.

+>

+### Restore

+- Site search is case-sensitive and is a prefix-type search.

+- SharePoint sites or OneDrive accounts that are currently in the first stage recycle bin must first be restored from the recycle bin before they can be rolled to a prior point in time via the Microsoft 365 Backup tool. The point in time restore via Microsoft 365 Backup won't work if the site or OneDrive is in the recycle bin.

+- SharePoint admins operating the Microsoft 365 Backup tool need to have explicit read+ permissions to the sites they're searching for in the backups to be able to find those sites in the backup and restore them. In the future, weΓÇÖll introduce a Backup role, which grants SharePoint and Exchange admins full Backup search read rights when combined with their existing admin roles.

+- SharePoint sites and OneDrive accounts being restored to a prior point in time aren't locked in a ready-only state. Therefore, users might not realize their current edits will be imminently rolled back and lost. In the future, we introduce a read-only lock on all sites undergoing a restore.

+- For restores to a new URL, it might take up to 15 minutes for the destination URL to be displayed in the tool once a SharePoint site or OneDrive account restore to a new URL session completes.

+- For restores to a new URL, only the admin who executed the restore has ownership permissions for the restored SharePoint sites or OneDrive accounts in the new URLs. Restores to the same URL reverts permissions to their original state. We might decide to change this behavior in the future via a "copy permissions" feature.

+- Mailboxes, OneDrive accounts, and SharePoint sites that are under legal or in-place holds currently can't be restored unless the destination is removed from legal hold. To restore a SharePoint site under legal hold, you need to restore the site to a new URL.

+- While OneDrive account and mailbox backups of deleted users are maintained and after the userΓÇÖs Microsoft Entra ID is deleted are restorable, search in the people picker UI for that user won't work. The user is displayed as an empty user in results, requiring a guess-and-check methodology.

+- Mailbox draft items aren't backed up or restorable.

+- Calendar item backup and restore is limited to modified items only and doesn't cover deleted items. This action includes the following specific limitations:

+ - Restoring deleted calendar items with the ability to send updates post-restore isn't yet supported.

+ - Replacing encrypted items with healthy items during a cross mailbox restore (mailboxes all belonging to the same user account) isn't supported.

+ - Resolving orphaned conflict (in between ransomware and restore) isn't supported.

+ - Restoring organizer copy doesn't automatically make attendee copies catch up, it only allows future updates by organizer to work for all users added on the calendar item.

+- Deleting the user account (for example, deleting the Microsoft Entra ID user) that owns the OneDrive account or Exchange mailbox renders the OneDrive account and Exchange mailbox as inactive or orphaned. The end-to-end workflow to restore such sites or mailboxes isn't supported directly in the Microsoft 365 Backup product. The Microsoft 365 Backup product ensures retention of the content. For more information about how to restore inactive mailboxes or orphaned OneDrive accounts, see:

+ - OneDrive and Sharepoint: [Fix site user ID mismatch in SharePoint or OneDrive](/sharepoint/troubleshoot/sharing-and-permissions/fix-site-user-id-mismatch)

+ - Exchange: [Recover an inactive mailbox](/purview/recover-an-inactive-mailbox)

+- While restoring Exchange mailboxes at a granular level, the search feature provides several search parameters. These parameters allow you to enter up to a maximum of five keywords each. For example, the parameters "from" and "to" allow you to enter up to a maximum of five email addresses each.

+- The multi-geo feature isn't supported for SharePoint or OneDrive services in this release. This might affect the restore of sites across different geos. Exchange Online multi-geo is supported, however, when configuring a restore each mailbox in a single restore request must be in the same geo.

+- OneDrive accounts and SharePoint sites that have undergone the following types of changes won't be undoable via restore: tenant rename, tenant move, and site URL change.

+- If there are no differences between the current state of a mailbox and the prior point in time from which you're attempting a restore, a restore isn't performed and no new folders are created when a "restore to a new location" request is made. We don't plan to modify this behavior in the future.

+- SharePoint sites and OneDrive accounts being restored to a new URL have a read-only lock on that new URL until the restore completes. The global admin can still download documents or remove the read-only lock manually. This isn't behavior we plan on changing.

+## Self-service scale limits

+During the preview, we're enforcing self-service restore limits while we gain a better understanding of how organizations are using the tool so that we can build in enhancements in the future to help users avoid mistaken restore actions. These limits are described in the following table.

+|Limit parameters |Warning |Limit throttle* |

+||||

+|Number of artifacts being restored across all active restoration tasks per workload (at a time) |> 100 | > 1,000 |

+|Number of parallel active restoration tasks per workload | > 5 | > 25 |

+|Number of artifacts (active and completed) restored in a day per workload | Not applicable | > 10,000 |

+*Customer can call into support to lift the safety restrictions.

+Follow these steps:

+1. As an administrator, select the following link, which will populate a help query in the admin center: [Microsoft 365 Backup Limit Request](https://aka.ms/M365BackupLimit).

+2. At the bottom of the pane, select **Contact Support**, and then select **New Service Request**.

+3. Leave **Description** blank.

+ Title: Offboarding in Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about how to offboard usage in Microsoft 365 Backup.

+# Offboarding in Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+To no longer use the Microsoft 365 Backup tool, you must offboard usage. This action includes pausing and deleting all active policies and deleting all of the backed-up data. During the preview, there are three ways that offboarding is initiated:

+- Disable the tool in the pay-as-you-go billing setup panel where you first enabled the tool.

+- Call into support to ask Microsoft to offboard you from the tool. If youΓÇÖd like offboarding to happen faster than default (with a minimum of 30 days), you can do this via the support call.

+- If your billing account goes into an unhealthy state.

+## Offboarding recovery undo period

+If offboarding from Microsoft 365 Backup has begun due to either an explicit request from you or due to an unhealthy billing state, the grace periods shown in the following table initiate.

+

+By bringing your billing back to a healthy state or by asking support to reverse the offboarding, the tool becomes usable again and no backups are lost.

+## GDPR special handling, compliance, and backup data deletion

+> [!IMPORTANT]

+> Given that compliance tooling actions might destroy primary data, we administratively isolate those destructive actions from flowing through to backed up data automatically. In other words, **compliance actions that automatically delete your primary data will not automatically delete data from your backups**.

+The core purpose of the backup and restore service is to provide you with a way to recover from common data deletion, overwrite, or encryption events.

+### eDiscovery

+Data in the Exchange Online backups is eDiscoverable via existing eDiscovery tooling, assuming you have sufficient licenses to operate that tool.

+Data in the OneDrive account and SharePoint site backups that aren't currently part of your live latest version data in your tenant aren't eDiscoverable. An eDiscovery search won't discover data that exists solely in the OneDrive or SharePoint backups.

+### General Data Protection Regulations (GDPR) workflow instructions

+GDPR workflows aren't directly executable on all data in Microsoft 365 Backup.

+GDPR data service request (DSR) data deletion actions operated on the tenant won't delete data in the backups. Those actions must be executed again after a Backup restoration to ensure the original DSR is honored.

+DSRs related to the discovery of data using eDiscovery is possible for Exchange Online backups, but the same isn't possible for OneDrive or SharePoint backups.

+### Retention policies

+Retention and deletion policies don't ΓÇ£flow throughΓÇ¥ to the backups. This means that backup retention is governed solely by the backup policy. That policy currently has a nonvariable one year retention period. Once data is restored from the backups, that now-live data will be governed by applicable retention or deletion policies.

+### Sensitivity labels

+Restoration of any data (such as sites or mailbox items) reverts the sensitivity labels of the data to the state of that protected item at the prior point in time from which it's being restored (that is, the state of labeling at the point in time from which the content is being restored; in other words, the state reverts to the prior point in time).

+## Backup data deletion and undo grace periods

+If you need to delete data from the backups during the preview period, you must offboard from the offering entirely and delete all backups. In the future, we'll enable more granular restore point deletion capabilities.

+Any offboarding or backup deletion activities trigger a 29-day grace period where we'll hold the backup data. If you re-enable the tool, the backups are present in the tool again. ΓÇâ

+ Title: Overview of Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about the backup and recovery capabilities for SharePoint, Exchange Online, and OneDrive for Business using Microsoft 365 Backup.

+# Overview of Microsoft 365 Backup (Preview)

+> [!NOTE]

+> Microsoft 365 Backup (Preview) is now available worldwide in all commercial cloud environments. General availability is expected to be mid-2024. This preview feature is subject to change and [limitations as defined](backup-limitations.md). Before you begin, read the [Microsoft 365 Backup preview terms and conditions](backup-preview-terms.md).

+## About the preview

+Microsoft 365 Backup is currently in preview and begins rolling out to organizations in mid-2024. You can set up billing for the product as described in [Set up Microsoft 365 Backup](backup-setup.md). Once Microsoft 365 Backup has been deployed and is available for use in your tenant, you'll see it in the Microsoft 365 admin center page under **Settings**.

+During the preview period, performance and speed of web interfaces, initial configuration, and restores might be slower than expected as we scale up our infrastructure to remove undesirable latency from our system.

+## Microsoft and partner offerings

+This documentation outlines the Microsoft 365 Backup offering available in the Microsoft 365 admin center. We're partnering with many independent software vendors (ISVs) to provide differentiated versions of their applications integrated with the Microsoft 365 Backup Storage platformΓÇöall providing the same underlying performance value proposition for your Microsoft 365 data.

+In the case of a partner application, operation of the Microsoft 365 Backup tool will be managed and paid for entirely through the partner's application. Those applications will have the ability to provide a single pane of glass for all of your data estates that require backups, and they might provide additional enhanced experiences or workflows.

+## Scenarios and value proposition

+Business continuity assurance is a top-of-mind concern for many companies. Microsoft 365 Backup delivers business continuity peace of mind by providing performance and reliable restore confidence. When evaluating a backup and restore offering, what really matters isn't solely the backup, but the ability to restore your data to a healthy state quickly when you need to do so. Recovering large volumes of content is difficult when copying data at a scale from a remote, air-gapped location requiring weeks or even months to get your business back up and running.

+In cases of a ransomware attack that encrypts large swaths of your data, or instances of an internal accidental or malicious data deletion or overwrite event, you need to be able to get your business back to a healthy state as soon as possible. This is what the Microsoft 365 Backup product offers, both through the Microsoft 365 admin center, and via partner applications built on the Microsoft 365 Backup Storage platform.

+To summarize, applications built on top of the Microsoft 365 Backup Storage platform deliver the following benefits regardless of the size or scale of the protected tenant:

+- Fast backup within hours

+- Fast restore within hours (see [performance targets](#general-availability-performance-targets) later in this article)

+- Full SharePoint site and OneDrive account restore fidelity, meaning the site and OneDrive are restored to their exact state at specific prior points in time via a rollback operation

+- In the future, roll forward granular file-level restores in OneDrive and SharePoint

+- Full Exchange mailbox item restores or granular item restores using search

+- Consolidated security and compliance domain management

+<!M365-Backup_VID_WEB_Final.mp4 <need a link that embeds properly into the learn docs>ΓÇâ>

+## Architectural overview and performance expectations

+### Architecture

+Microsoft 365 Backup provides ultra-fast backup and restore capabilities by creating backups within the protected servicesΓÇÖ data boundaries.

+Microsoft 365 Backup not only provides uniquely fast recovery from common business continuity and disaster recovery (BCDR) scenarios like ransomware or accidental/malicious employee content overwrite/deletion. Additional BCDR scenario protections are also built directly into the service. For example, OneDrive, SharePoint, and Exchange Online provide replicated copies of your data across geographically disparate datacenters to automatically protect against physical disasters and automatically failover to live active copies seamlessly without the need for end customer intervention.

+Our backups are protected from malicious overwrites because OneDrive, SharePoint, and Exchange use Append-Only storage. This means that SharePoint can only add new content blobs and can never change old ones until they're permanently deleted. The Exchange items are backed up in an immutable manner and can't be accessed by a client process (such as Outlook, OWA, or MFCMAPI). This process ensures that items can't be changed or corrupted after an initial save, protecting against attackers that try to corrupt old versions. For More information about the built-in service and data resiliency, see [SharePoint and OneDrive data resiliency in Microsoft 365](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency) and [Exchange Online data resiliency in Microsoft 365](/compliance/assurance/assurance-exchange-data-resiliency).

+Key architectural takeaways:

+- Data never leaves the Microsoft 365 data trust boundary or the geographic locations of your current data residency.

+- The backups are immutable unless expressly deleted by the Backup tool admin via product offboarding.

+- OneDrive, SharePoint, and Exchange have multiple physically redundant copies of your data to protect against physical disasters.

+ 

+### General availability performance targets

+> [!IMPORTANT]

+> During the preview period, performance and speed of web interfaces, initial configuration, and restores might be slower than expected as we scale up our infrastructure to remove undesirable latency from our system. The following performance targets are not guarantees during the preview and might change at general availability.

+#### Backup policy performance

+Creating a new protection policy initiates the process of backing up selected SharePoint sites, OneDrive accounts, and Exchange mailboxes. Once you submit a request to activate a valid protection policy, it takes on average up to 60 minutes to process and another 60 minutes to create restore points.

+Restore points are physically created in the service as soon as the policy is confirmed to be activated in the tool, even if those restore points take some additional time to become visible in the restore tool.

+#### Restoration performance

+Restoration performance dictates your recovery time objection, or the time it will take for you to restore a healthy state of your data and thus recover from a data destruction event.

+For full OneDrive account and SharePoint site restores, the fastest recovery will happen when choosing in-place restore rather a new URL restore. Additionally, choosing one of the recommended ΓÇ£fasterΓÇ¥ restore points presented in the restore workflow UI will yield the quickest recovery results.

+All restore points and restores to new URLs will be relatively fast, but same URL restores using a recommended ΓÇ£fasterΓÇ¥ restore point will typically yield better results. The Exchange Online restore workflow doesn't have or require the ΓÇ£fasterΓÇ¥ restore points.

+It will take on average less than one hour for the first full site or account protection unit to be restored when a new restore session is initiated. After the first site or account is restored in a session, the remaining protection units will complete in relatively fast succession.

+The following table summarizes expected performance for a normally distributed tenant, including tenants of large size and scale. During the preview period, actual performance might deviate from these general availability targets.

+|Scenario |Restore of all protection units* complete |

+|:-|:--|

+| 1,000 accounts, sites, or mailboxes<br>(30-GB average size) |Less than 12 hours |

+^{*A *protection unit* is a OneDrive account, SharePoint site, or Exchange mailbox.}

+## General Data Protection Regulations (GDPR)

+For information about GDPR and Microsoft 365 Backup, see [GDPR special handling, compliance, and backup data deletion](backup-offboarding.md#gdpr-special-handling-compliance-and-backup-data-deletion).

+ Title: Microsoft 365 Backup preview terms and conditions

+audience: admin

+search.appverid:

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Read the preview terms and conditions for Microsoft 365 Backup (Preview).

+# Microsoft 365 Backup preview terms and conditions

+Effective Date: November 15, 2023

+"Company" means the Enterprise customer that uses this Preview Feature.

+**By using this Preview Feature, you accept these Terms and Conditions and all rights and obligations within. If you do not agree to these Terms and Conditions, DO NOT use the Preview Feature.** These Terms and Conditions govern the use of the Preview Feature offerings as described below.

+"Feedback" is all suggestions, comments, feedback, ideas, or know how, in any form, that Company provides to Microsoft. It doesn't include sales forecasts, financial results, future release scheduled, marketing plans and high-level product plans or feature lists for anticipated products.

+**MICROSOFT OFFERING**: Microsoft 365 Backup offers backup and recovery of OneDrive, SharePoint, and Exchange Online data for large volumes of data within the Microsoft 365 security boundary. Microsoft 365 Backup can restore your data in case of accidental deletion or ransomware. Customers will be able to sign up for Microsoft 365 Backup through Microsoft admin center. With Microsoft 365 Backup, customers can back up enterprise user accounts, sites, and mailboxes of users.

+**PREVIEW FEATURE**: To terminate your Feature Preview during the Preview Period, stop using the Preview Feature. Microsoft may change or discontinue the Preview Feature at any time with or without notice. Microsoft may also choose not to make the Preview Feature generally commercially available.

+During the Preview Period, Company will allow its tenant admins to back up SharePoint sites, OneDrive accounts, and Exchange mailboxes. Company must be aware that this is a preview service and all the limitations described in these Terms and Conditions.

+Prerequisite Requirements to enable Microsoft 365 Backup pay-as-you-go are:

+1. An Azure subscription with admin access as owner or contributor on the subscription

+2. A Microsoft 365 tenancy with either Microsoft 365 admin access or SharePoint admin access

+3. An Azure resource group

+No service-level agreement (SLA) applies to this Feature Preview.

+THE PREVIEW FEATURE IS PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." Microsoft provides no performance guarantee for the Feature Preview (including accompanying URLs provided for embedded or unauthenticated viewing) and Company bear the risk of using it. The Feature Preview isn't included in the SLA for Microsoft Syntex and may not be covered by customer support.

+Backup restores are meant to recover from attacks, not to circumvent primary storage costs or other unintended purposes. Periodic testing is permitted, but not in excessive amounts. Restores should be limited to no more than two (2) restores per protected site/mailbox per month, unless recovering from a real attack.

+**RELATIONSHIP WITH COMPANYΓÇÖS CUSTOMERS**: If Company is an Independent Software Vendor (ΓÇ£ISVΓÇ¥) both Parties, Microsoft and ISV retain responsibility for and control over all aspects of its relationship with its customers/users for the purpose of these Terms. Nothing in these Terms changes or terminates either PartyΓÇÖs rights or obligations with regard to, or its relationship with, its customers/users. Microsoft won't be a Party to any ISVΓÇÖs customer agreement that Company may use with its customers/users to test the Feature Preview, and Microsoft won't be identified to CompanyΓÇÖs customers/users, as a direct support provider for CompanyΓÇÖs customers/users of the Feature Preview.

+**Nothing in this Agreement changes CompanyΓÇÖs responsibility with regard to ISVΓÇÖs customers/users data. ΓÇ£User DataΓÇ¥ means any data, images, text, content, code, or other information or materials that a user provides to ISV or Microsoft. ISV is solely responsible for informing CompanyΓÇÖs customers/users that this is a Preview Feature, and that ISV has all the legal authorizations to allow ISVs customers/users data to be stored in the Preview Feature. ISVΓÇÖs and their customers/users will not hold Microsoft liable from any liability arising out of or in connection with this Agreement.**

+**<ins>LICENSE</ins>**

+If Company provides Feedback, Company grants to Microsoft, without charge, the nonexclusive License to make, modify, distribute, or otherwise commercialize the Input as part of any Microsoft offering.

+

+The above License doesn't extend to any technologies that may also be necessary to make or use any offering or portion thereof that incorporates the Feedback but aren't themselves expressly part of the Input (for example, enabling technologies).

+**<ins>PAYMENT TERMS</ins>**

+Microsoft 365 Backup uses pay-as-you-go (PAYG) billing through an Azure subscription. Microsoft 365 Backup billing is determined by how much data in GB you backup using Microsoft 365 Backup in GBs. Company will be able to view this usage as meter events through the Azure subscription it chooses.

+Microsoft 365 Backup Feature Preview pricing is as follows:

+|Microsoft 365 Backup Meters |Meter Unit |Price |

+||||

+|Backup storage |$/GB/Month |$0.15 |

+**<ins>LENGTH OF OBLIGATIONS; DISCLOSURE</ins>**

+**Preview Period.** The Preview Period continues in effect until <ins>June 30, 2024, or 30 days after Commercial General Availability of the Preview Feature, whichever is first</ins>. Company may terminate their use of the Preview Feature at any time. Terminating use of the Preview Feature won't change any of the rights, licenses granted, or duties made while the Preview Period is in effect. Termination is defined as i) the CompanyΓÇÖs termination of use of the Preview Feature and/or ii) the Preview Period ends.

+**Effects upon Termination.** Once terminated, Company will no longer have access to Microsoft 365 Backup and all the backed-up content if Microsoft doesn't continue with the then generally available Microsoft 365 Backup features. Should Microsoft choose to make the Microsoft 365 Backup service generally available a pay-as-you-go (PAYG) billing through an Azure subscription, Company may continue without interruption.

+**<ins>TERMINATION FOR NON-PAYMENT</ins>**

+In case the CompanyΓÇÖs Azure subscription goes into an unhealthy stage of deleted or canceled or suspended, we'll prevent any future backup and restores until the subscription is back to a healthy state. Company has 30 days to recover any backed-up data and restores by bringing back the subscription to an active state. If no action is taken from the Company to bring subscription back to active state in 30 days, we'll soft delete the backed-up data from systems after this 30 days. Upon reactivation, Company must also pay for Microsoft 365 Backup usage for the days the subscription was in unhealthy state.

+This Agreement can't be extended. Microsoft may also choose not to make the Preview Feature generally commercially available.

+**<ins>REPRESENTATIONS AND LIMITATIONS</ins>**

+**Input.** Company represents that it will not give any Feedback that:

+1. Violates any copyright or trade secret claim or right of any third party;

+2. It has reason to believe violates any patent claim or right of any third party; or

+3. Is subject to an excluded license.

+**Authority.** Company represents it has all rights and authority necessary to be legally bound to these Terms and Conditions and grant the rights described therein for itself and its affiliates.

+**Limitations.** All information, materials, and feedback are provided ΓÇ£as-isΓÇ¥ and Company bears the risk of using them; Company gives no express warranties, guarantees, or conditions as to its Feedback; and to the extent permitted under local law, Company excludes the implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement as to its Input.

+**<ins>LIMITATIONS ON AND EXCLUSIONS OF REMEDIES AND DAMAGES</ins>**

+Except as described herein, the only remedy for claims relating to these Terms and Conditions is for Company to terminate its use of the Preview Feature. Neither Party can recover any damages, including direct, consequential, lost profits, special, punitive, indirect, or incidental damages from the other. This limitation applies:

+1. To claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

+2. Even if one of us knew or should have known about the possibility of the damages.

+The limitations in this section don't apply to claims arising from or in connection with any infringement, misuse, or misappropriation by one of us of the otherΓÇÖs intellectual property rights.

+ Title: Pricing model for Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about the charge model and pricing calculator for Microsoft 365 Backup.

+# Pricing model for Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+## Microsoft 365 Backup charge model

+The Microsoft 365 Backup service, offered through the Microsoft 365 admin center, is a [pay-as-you-go consumption-based service](/microsoft-365/syntex/syntex-pay-as-you-go-services). The preview list price is $0.15/GB/month of protected content.

+### WhatΓÇÖs counted towards protected backup storage?

+Microsoft 365 Backup will charge you for content size of the following for 365 days from when it is added to backup protection:

+- Cumulative back up size of the mailboxes, SharePoint sites, and OneDrive accounts being protected. Size of OneDrive accounts and SharePoint sites are the size of the live OneDrive accounts and SharePoint sites as displayed in the live sitesΓÇÖ usage reports. Mailboxes are the size of the user's mailbox plus their online archives plus deleted items held for Backup.

+- Deleted content in userΓÇÖs Recycle Bin and second-stage Recycle Bin (also known as Site Collection Recycle Bin).

+> [!NOTE]

+> Restore points or size of restores will not be charged. Although Azure is being used to process the payments, there are no additional Azure API or storage costs beyond the Microsoft 365 Backup usage charges mentioned above.

+As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no longer be charged for Backup.

+> [!NOTE]

+> These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup storage might charge a different rate for their service.

+<!<Include charge model video >>

+## Pricing calculator

+The Microsoft 365 Backup pricing calculator is a tool that helps you estimate the amount of backup storage and the costs that you'll incur to protect and back up your Microsoft 365 data.

+> [!NOTE]

+> The tool is not intended to provide an exact prediction of your backup consumption, but rather to give you an estimate based on your current usage reports that are forecasted for the next 24 months based on historical trends.

+### Pricing calculator overview

+The Microsoft 365 Backup pricing calculator, when calculating the storage required for each month, takes into consideration the following heuristics:

+- How much storage is typically added (or removed) from a protection unit during the month. For example, if the protection unit was a SharePoint site, how much storage on average is added (or removed) from a SharePoint site during the month due to documents being added (or deleted).

+- How many new protection units for a service type are typically added (or removed) every month. For example, if the service type is Exchange mailboxes, how many new mailboxes are added (or deleted) on average each month.

+- The largest amount of storage required for the previous 12 months.

+### Using the pricing calculator

+To use the Microsoft 365 Backup pricing calculator, you'll need to perform the following steps. Information about how to collect data from each of these steps is detailed later in this article.

+1. Download the latest version of the [Microsoft 365 Backup pricing calculator tool](https://aka.ms/M365BackupCalculator).

+2. Review your [Microsoft 365 usage reports](https://admin.microsoft.com/Adminportal/Home#/reportsUsage) to get historical information about your current usage. Heuristics from the usage reports will be used to populate the inputs (orange boxes) in the pricing calculator tool.

+3. Open the Excel spreadsheet and select the **High-Level Estimates** worksheet. This sheet produces the simplest default model based on linear data growth assumptions.

+4. Enter the information recorded from the usage reports into the **High-Level Estimates** worksheet.

+5. If you know your tenant will have non-organic or non-linear usage changes, then for each of the service types, optionally override the estimated number of protection units or storage for a month in any or all of the service-specific tabs in the pricing calculator tool.

+6. An estimate of the Microsoft 365 Backup costs for the next 24 months will then be generated.

+### Leverage the Microsoft 365 usage reports as source data for the pricing calculator

+This section describes how to use your [Microsoft 365 admin center usage reports](https://admin.microsoft.com/Adminportal/Home#/reportsUsage) to populate the Microsoft 365 Backup pricing calculator.

+The Microsoft 365 Backup pricing calculator uses the input data about your current usage to help determine heuristics such as your average growth and usage patterns. To get this information, go to [Usage - Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home#/reportsUsage) and then review the [OneDrive - Usage](#onedriveusage), [SharePoint - Site usage](#sharepointsite-usage), or [Exchange - Mailbox usage](#exchangemailbox-usage) reports.

+You can change the period that the reports display data for by selecting the **Past *n* days** on the right-hand side and then selecting the period.

+

+

+As a recommendation and if there's usage data available, the longer the period isΓÇöfor example, 180-daysΓÇöthe more accurate your usage estimates will be and therefore more accurate the Microsoft 365 Backup pricing calculator estimates will be.

+For each of the service types (Exchange, OneDrive, and SharePoint) record the following information by reviewing the appropriate usage report:

+- Number of protection units at start end of period

+- Number of protection units at end of period

+- The amount of storage used at the start and end of the period

+Once you have this information, enter it into the **High-Level Estimates** worksheet as shown in the following example.

+

+#### OneDrive - Usage

+

+##### Accounts

+Number of total and active accounts at the start of the period and at the end of the period. For example, 14 accounts and 16 accounts:

+

+##### Storage

+Amount of storage used at the start of at the start of the period and at the end of the period. For example, 0.58 GB and 0.37 GB:

+

+#### SharePoint - Site usage

+

+##### Sites

+Number of total and active sites at the start of the period and at the end of the period. For example, 2,457,360 sites and 2,457,454 sites:

+

+##### Storage

+Amount of storage used at the start of at the start of the period and at the end of the period. For example, 2,200 GB and 2,200 GB:

+

+#### Exchange - Mailbox usage

+

+##### Mailbox

+Number of total and active user mailboxes at the start of the period and at the end of the period. For example, 26 mailboxes and 30 mailboxes:

+

+##### Storage

+Amount of storage used at the start of the period and at the end of the period. For example, 5.5 GB and 4.3 GB:

+

+### Pricing calculator notes

+When using the Microsoft 365 Backup pricing calculator, be aware of the following:

+- In the Microsoft 365 Backup pricing calculator, any Excel spreadsheet cell that is colored orange can have data entered.

+- To modify how many protection units you want to protect per service type, you can change the **Percentage of Protection Units to protect**. For example, if you only want to protect 20 percent of your SharePoint sites, you can set the **Percentage of Protection Units to protect** for SharePoint to 20%.

+- The estimate is calculated projecting forward from the end of period data. That is, Month 1 is calculated using the end of period data.

+- The **Variables** worksheet displays the heuristics such as average growth and usage patterns of the service types which are used to calculate the estimate.

+- The **Price per GB** field on the **Variables** worksheet can be modified if required. For the Microsoft 365 Backup solution, we recommend that you use the default value.

+- The OneDrive accounts, SharePoint sites, and Exchange mailboxes worksheets provide more detail on the estimated costs including the ability to override the estimated number of protection units or storage for a month.

+- If the number of protection units for a month is overridden and the storage for a month is *not* overridden as well, then the amount of storage required for the month is calculated by multiplying the overridden number of protection units by the average new protection unit storage added per month (GB).

+### Variables

+The following variables are used to estimate the Microsoft 365 Backup costs and are defined in the **Variables** worksheet:

+- **Number of months in a protection unit period**: The number of months in the period converted from the number of days in the period.

+- **Average number of protection units added per month**: The average number of new protection units that are added each month. Essentially protection unit growth per month.

+- **Average protection unit storage per type at start of period (GB)**: The average amount of storage consumed by a protection unit at the start of the period.

+- **Average protection unit storage per type at end of period (GB)**: The average amount of storage consumed by a protection unit at the end of the period.

+- **Average protection unit storage growth per month (GB)**: The amount of storage that is typically added to each protection unit every month. Essentially protection unit storage growth per month.

+- **Average new protection unit storage added per month (GB)**: The average amount of storage that is required if a new protection unit is added during a month.

+ Title: Restore data in Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to restore data using restore points and express restore points in Microsoft 365 Backup.

+# Restore data in Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+Once you back up your data, you might need to restore the data if there was an accidental deletion, ransomware attack, or other event. The Restore feature in Microsoft 365 Backup is created to help you restore backed up data.

+As part of restoring data from backup, admin needs to choose a *restore point* manually or from a recommended *express restore point* by the tool.

+- **Restore point**. A prior point in time from which you can restore a healthy version of your content or metadata. If the data from a prior point in time is identical to the present state of your data, then there will be no items restored, including **Restore to a new folder** for Exchange Online.

+- **Express restore point**. A set of recommended restore points that offers faster restore of data from the backup than a regular restore point.

+Currently, you can restore OneDrive accounts, SharePoint sites, and Exchange mailbox content from specific prior points in time from the backups. Site restores to a prior point in time, if restored to the same URL, will overwrite the state and the content of the site to match the exact state at the prior point in time. This is commonly referred to as a rollback versus a roll-forward.

+Mailbox restores inherently restore only changed items such that current items that remain unchanged since the desired prior restore point won't be modified or overwritten. Thus, mailbox restores follow a roll-forward process. Site, OneDrive, and mailbox restores can be done in place or in the case of SharePoint sites to a new URL, or in the case of mailbox items a new folder. By restoring to a new location, any undesirable overwriting any existing data is avoided.

+> [!NOTE]

+> During the preview, only full OneDrive account and SharePoint site restore is possible. In the future, file-level granular restore will be possible.

+In the future, we'll support granular OneDrive and SharePoint file-level restore to provide a roll-forward behavior similar to that of mailbox item restores today.

+Restores started serially for each of three services will execute in parallel. There's no need to wait for one serviceΓÇÖs restore to finish before starting another.

+## Restore point frequency

+The restore point frequency, also known as the [recovery point objective](backup-faq.md#what-is-the-service-recovery-point-objective) (RPO), defines the maximum amount of time during which data is lost after an attack. Stated differently, itΓÇÖs the time between the most recent backup of the healthy state of data and the time of the attack. The RPOs for each of the protected services are summarized in the following table.

+|Type |RPO for 0-14 days in the past |RPO for 15-365 days in the past |

+||||

+|Full OneDrive account and full SharePoint site restore |15 minutes |One week |

+|Exchange Online |10 minutes |10 minutes |

+## Restore data from backup for OneDrive, SharePoint, and Exchange

+Once you back up your data, you might need to restore the data if there was an accidental deletion, ransomware attack, or other event. The restore feature in Microsoft 365 Backup is created to help you restore backed up data.

+> [!NOTE]

+> We recommend choosing an express restore point for full account, site, or mailbox restores as it will provide the fastest restore experience.

+Select the **OneDrive**, **SharePoint**, or **Exchange** tab for steps to restore data from backup for that product.

+# [OneDrive](#tab/onedrive)

+Follow these steps to restore data backed up for OneDrive.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **OneDrive** section, select **Restore**.

+2. On the **Select type of content** page, you'll see **OneDrive accounts** preselected. Select **Next**.

+ 

+3. From the list of backed up OneDrive accounts, select the accounts to restore, and then select **Next**.

+4. On the **Select the date and time** page, select the date and time from which you want to restore the content.

+ 

+ Choose a recommended restore point from **Select a faster restore point**, which will offer a faster restore compared to standard restore points.

+ 

+ Backup will restore the closest backed up content *before* the specified date and time. Select **Next**.

+ For example, assume backup is taken October 2, 2023 8:00 AM and October 2, 10:00 AM PST. If you select date and time as October 2, 2023 9:00 AM PST, Microsoft 365 Backup will restore the OneDrive and its content to its state on October 2, 2023 8:00 AM PST.

+5. On the **Confirm restore points** page, you're presented with a list of available express restore points that will restore with better performance than non-express restore points. We highly recommend that you choose an express restore point all else equal.

+ 

+6. Confirm the restore point in time to which the data will be restored from backup. If the restore point is correct, select **Next**.

+7. On the **Select another backup** panel, choose another backup for the account selected, if needed.

+ 

+8. On the **Set destination** page, selected OneDrive accounts can be restored by choosing either the **Restore to the original OneDrive accounts** or **Create new SharePoint site and restore to there** option.

+ 

+ a. **Restore to the original OneDrive accounts** option

+ - The entire OneDrive is replaced by the backed-up version chosen based on the restore point.

+ - File and folder permissions are also reverted to the selected date and time.

+ b. **Create new SharePoint site and restore to there** option

+ - The entire OneDrive will restore to a new SharePoint site where you can then copy or move data into the original OneDrive to create a roll-forward type of restore and avoid overwriting currently healthy data.

+9. On the **Review and Finish** page, you're asked to review and finish all your choices. If everything looks as you want it, select **Restore OneDrive accounts**.

+ 

+# [SharePoint](#tab/sharepoint)

+Follow these steps to restore data backed up for SharePoint.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **SharePoint** section, select **Restore**.

+2. On the **Select type of content** page, you'll see **SharePoint site content** preselected. Select **Next**.

+ 

+3. From the list of backed up SharePoint sites, select the sites to restore, and then select **Next**.

+4. On the **Select the date and time** page, select the date and time from which you want to restore the content.

+ 

+ Choose a recommended restore point from **Select a faster restore point**, which will offer a faster restore compared to standard restore points.

+ 

+ Backup will restore the closest backed up content *before* the specified date and time. Select **Next**.

+ For example, assume backup is taken October 2, 2023 8:00 AM and October 2, 2023 10:00 AM PST. If you select date and time as October 2, 2023, 9:00 AM PST, Microsoft 365 Backup will restore the site and its content to the state present on October 2, 2023 8:00 AM PST.

+5. On the **Confirm restore points** page, you'll be presented with a list of available express restore points that will restore with better performance than non-express restore points. We highly recommend that you choose an express restore point all else equal.

+ 

+6. Confirm the restore point in time to which the data will be restored from backup. If the restore point is correct, select **Next**.

+7. On the **Select another backup** panel, choose another backup for the site selected, if needed.

+ 

+8. On the **Set destination** page, selected SharePoint sites can be restored by choosing either the **Restore to the original OneDrive accounts** or **Create new SharePoint site and restore to there** option.

+ 

+ a. **Restore to original sites** option

+ - The entire original site is replaced by the backed-up version chosen based on the restore point.

+ - File and folder permissions and all metadata state are also reverted to the selected date and time.

+ b. **Create new SharePoint site and restore to there** option

+ - The entire site will restore to a new SharePoint site where you can then copy or move data into the original site or a different site to create a roll-forward type of restore and avoid overwriting currently healthy data.

+9. On the **Review and Finish** page, you're asked to review and finish your choices. If everything looks as you want it, select **Restore sites**.

+ 

+

+# [Exchange](#tab/exchange)

+<!Once you have set up protection policies for your mailboxes, you might need to restore the data in case of an accidental deletion, ransomware attack, or other event. The Restore feature in Microsoft 365 Backup is created to help you restore backed up data. Exchange restores will only restore modified or deleted items. Any item that is unaffected in the visible folder structure will remain intact.>

+Follow these steps to restore data backed up for Exchange.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **Exchange** section, select **Restore**.

+2. On the **Select type of content** page, you'll see **Exchange mailbox content (emails, notes, contacts, calendars, and tasks)** preselected. Select **Next**. Note that calendar restores aren't supported during the preview.

+3. From the list of backed up Exchange accounts, select the accounts to restore, and then select **Next**.

+4. On the **Content scope** page, you'll see two options to choose from:

+ - [Option 1: All emails, notes, contacts, calendars, and tasks](#option-1-all-emails-notes-contacts-calendars-and-tasks)

+ - [Option 2: Selected content only](#option-2-selected-content-only)

+### Option 1: All emails, notes, contacts, calendars, and tasks

+1. Use this option to perform a full mailbox restore, On the **Content scope** page, the **All emails, notes, contacts, calendars, and tasks** option lets you restore all emails, notes, contacts, and tasks, and modified calendar items for that user account. Select the last known good (LKG) date and time from which you want to restore the content. Make sure that the time zone in the dropdown menu reflects your intention, and select **Next**.

+ 

+ For example, the last time the end user remembers seeing their mailbox in a "good state" was October 2, 2023 8:00 AM. However, on October 2, 2023 9:00 AM they saw all of their emails were encrypted (possible ransomware attack), choose the last known good time as October 2, 2023 8:00 AM.

+2. Now you're asked to confirm the restore point in time to which the data will be restored from backup. The page informs you whether there are any backups to restore from the LKG time chosen. If you see no errors, you can proceed. If there are errors, you have the option to choose another LKG time. Select **Next**.

+3. The destination of restored items can be chosen from two options, then select **Next**.

+ a. **Restore to a new folder** where the content will be restored to a newly created folder named *Restored Items YYYY-DD-MM, HH:MM*.

+ b. **Restore in place** where current version of the item will be overwritten by the restored content.

+4. On the **Review and Finish** page, you'll now be asked to review and finish all your choices. If everything looks as you want it, select **Restore user mailboxes**.

+5. Track the progress of your newly created task on the **Restoration tasks** tab.

+### Option 2: Selected content only

+1. Use this option to perform a partial mailbox restore. On the **Content scope** page, the **Selected content only** option gives the admin the ability to do a granular restore (not full mailbox restore).

+ 

+ The search for items is based on four options:

+ - Sender

+ - Recipient

+ - Has attachment

+ - Keywords

+ Choose the time period, then filter and value that you want to do a granular search on to find matching items.

+

+2. Now you're asked to confirm the restore point in time to which the data will be restored from backup. If the restore point is what you want, select **Next**.

+3. The destination of restored items can be chosen from two options, then select **Next**.

+ a. **Restore to a new folder** where the content will be restored to a newly created folder named *Recovered Items YYYY-MM-DD, HH:MM*.

+ Example:

+ 

+ b. **Restore in place** where the current version of the item will be overwritten by the restored content.

+4. On the **Review and Finish** page, you'll now be asked to review and finish all your choices. If everything looks as you want it, select **Restore user mailboxes**.

+5. Track the progress of your newly created task on the **Restoration tasks** tab.

+### States of backup

+|States |Definition |

+|||

+|Active | Protection scope selected under backup policy is being actively backed up. |

+|Paused | No further backups will be taken but already taken backups will be preserved. |

+|Not set up | No backup policy is set up for this scope. |

+|Processing | A change to backup policy or a restore is in progress. |

+ Title: Set up Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to set up and configure Microsoft 365 Backup and backup policies.

+# Set up Microsoft 365 Backup (Preview)

+> [!NOTE]

+> Microsoft 365 Backup (Preview) is now available worldwide in all commercial cloud environments. General availability is expected to be mid-2024. This preview feature is subject to change and [limitations as defined](backup-limitations.md). Before you begin, read the [Microsoft 365 Backup preview terms and conditions](backup-preview-terms.md).

+Get started with Microsoft 365 Backup by following these simple three steps in the Microsoft 365 admin center.

+

+<!<insert how-to Affirma video ΓÇô https://aka.ms/M365Backup-how-to-video> >

+## Step 1: Set up pay-as-you-go billing

+Microsoft 365 Backup is a pay-as-you-go offering that charges based on consumption, unlike traditional seat-based licenses. To set up pay-as-you-go for Microsoft 365 Backup, you will need to have this information:

+> [!div class="checklist"]

+> * **Valid Azure subscription**. An Azure subscription provides a logical container for your resources. Each Azure resource is associated with only one subscription. Creating a subscription is the first step in adopting Azure. To learn more about Azure, see [Azure fundamental concepts](/azure/cloud-adoption-framework/ready/considerations/fundamental-concepts).

+> * **Resource group**. A resource group provides a logical grouping of resources within an Azure subscription.

+> * **Region**. The region in which you want to register the service.

+> * **Owner or contributor**. Name of an owner or contributor role on the Azure subscription.

+Once you have the information on this list, you are ready to [set up pay-as-you-go billing for Microsoft 365 Backup](backup-billing.md).

+<!To set up pay-as-you-go billing, follow the steps in [Configure Microsoft Syntex for pay-as-you-go billing](../syntex-azure-billing.md).>

+### Permissions

+You must have Global admin or SharePoint admin permissions to access the Microsoft 365 admin center and set up Microsoft 365 Backup.

+## Step 2: Turn on Microsoft 365 Backup

+To turn on Microsoft 365 Backup, you'll need to go to the Microsoft 365 admin center.

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Setup**.

+3. On the **Setup** page, in the **Files and content** section, select **Use content AI with Microsoft Syntex**.

+4. On the **Use content AI with Microsoft Syntex** page, select **Manage Microsoft Syntex**.

+5. From the list of products, select **Backup Preview**.

+6. By default, the feature is turned off. Select **Turn on** to enable Microsoft 365 Backup for your organization.

+7. Review the applicable [terms of service for Microsoft 365 Backup](backup-preview-terms.md) and select **Confirm**.

+ 

+<!

+8. Select **Go to Microsoft 365 Backup** to start setting up Microsoft 365 Backup on OneDrive, SharePoint, or Exchange.

+ 

+>

+## Step 3: Create backup policies to protect your data

+Now that you have enabled Microsoft 365 Backup for your organization, follow through to create policies and start protecting your content.

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Settings**.

+3. Select **Microsoft 365 Backup** from the list of products.

+ 

+### Set up backup policies for OneDrive, SharePoint, and Exchange

+To use Microsoft 365 Backup for OneDrive, SharePoint, or Exchange, you need to create a backup policy for each product. A *policy* represents the backup plan defined by admins for protecting the Microsoft 365 data of an organization.

+A policy contains details of what data (OneDrive accounts, SharePoint sites, and Exchange mailboxes) to protect. Although you see the retention period and backup frequency (which defines the restore point objective), those settings aren't currently variable or modifiable.

+Select the **OneDrive**, **SharePoint**, or **Exchange** tab for steps to create a backup policy for that product.

+# [OneDrive](#tab/onedrive)

+Follow these steps to set up a backup policy for OneDrive accounts using Microsoft 365 Backup.

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Settings**.

+3. Select **Microsoft 365 Backup** from the list of products.

+4. On the **Microsoft 365 Backup** page, in the **OneDrive** section, select **Set up policy**.

+ 

+5. On the **Overview** page, review the backup features for OneDrive, and then select **Next**.

+ 

+6. On the **Protection scope** page, you can set up OneDrive user accounts using any or all three ways. A protection scope is the scope of user accounts within OneDrive that you want to protect with Microsoft 365 Backup.

+ 

+ a. Under **Add via search**, select **Choose accounts** to see user accounts that can be added via search. On the **Search and select accounts** panel, select the accounts you want to add to the policy.

+ 

+ b. Under **Add via**, select **Distribution lists** or **Security groups**, or both. The distribution list and security group are flattened when added, meaning the policy won't update dynamically if the groups or distribution list are updated later.

+ 

+ c. Under **Import from file**, select **Upload CSV** to import user account details via CSV upload.

+ 

+8. On the **Review OneDrive backup policy** page, review the information to make sure it's how you want it, and then select **Create policy** (or **Update policy** if it's an update).

+9. The backup policy for OneDrive is created.

+ 

+# [SharePoint](#tab/sharepoint)

+Follow these steps to set up a backup policy for SharePoint sites using Microsoft 365 Backup.

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Settings**.

+3. Select **Microsoft 365 Backup** from the list of products.

+4. On the **Microsoft 365 Backup** page, in the **SharePoint** section, select **Set up policy**.

+ 

+5. On the **Overview** page, review the backup features for SharePoint, and then select **Next**.

+ 

+6. On the **Protection scope** page, you can set up SharePoint sites by choosing to back up individual sites or collection of sites. A protection scope is the scope of sites within SharePoint that you want to protect with Microsoft 365 Backup.

+ 

+ a. Under **Add via search**, select **Choose sites** to see the individual sites or site collections that can be added via search. On the **Search and select sites** panel, select the sites you want to add to the policy.

+ 

+ b. Under **Add via**, select **Distribution lists** or **Security groups**, or both. The distribution list and security group are flattened when added, meaning the policy won't update dynamically if the groups or distribution list are updated later.

+ c. Under **Import from file**, select **Upload CSV** to import user account details via CSV upload.

+ 

+7. Once you've made the right selections, select **Next** to create the backup policy for SharePoint.

+8. On the **Review SharePoint backup policy** page, review the information to make sure it's how you want it, and then select **Create policy** (or **Update policy** if it's an update).

+ 

+9. The backup policy for SharePoint is created.

+ 

+# [Exchange](#tab/exchange)

+Follow these steps to set up a backup policy for Exchange mailboxes sites using Microsoft 365 Backup. Ensure that Microsoft 365 Backup is [enabled for your tenant](#step-2-turn-on-microsoft-365-backup).

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Settings**.

+3. Select **Microsoft 365 Backup** from the list of products.

+4. On the **Microsoft 365 Backup** page, in the **Exchange** section, select **Set up policy**.

+ 

+5. On the **Overview** page, review and verify the backup policy attributes for Exchange, such as backup frequency, backup retention, cost details, and then select **Next**.

+ 

+6. On the **Protection scope** page, choose the scope of protection for the mailbox policy. Microsoft 365 Backup for Exchange allows the addition of mailboxes in three ways.

+ 

+ a. Under **Add via search**, select **Choose user mailboxes** to see the mailboxes that can be added via search. On the **Search and select mailboxes** panel, select the mailboxes you want to add to the policy.

+ 

+ b. Under **Add via**, select **Distribution lists** or **Security groups**, or both. The distribution list and security group are flattened when added, meaning the policy won't update dynamically if the groups or distribution list are updated later.

+ 

+ c. Under **Import from file**, select **Upload CSV** to import user account details via CSV upload.

+ 

+7. Once you've made the right selections, select **Next** to create the backup policy for Exchange.

+8. On the **Review Exchange backup policy** page, review the information to make sure it's how you want it, and then select **Create policy** (or **Update policy** if it's an update).

+ 

+9. Wait for status of your policy to show as **Active** in the home screen. This might take between 15 and 60 minutes. The backup policy for Exchange is created. Select **View scope** at any time to verify the details.

+ 

+## Admin roles and backup management privileges

+Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don't have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. ItΓÇÖs important to note that your admin role determines which products you can manage with Microsoft 365 Backup. In the future, we might introduce a Backup admin role that can control the entire tool.

+|Admin role |OneDrive |SharePoint |Exchange |

+|||||

+|Global admin | Γ£ô | Γ£ô | Γ£ô |

+|SharePoint admin | Γ£ô | Γ£ô | |

+|Exchange admin | | | Γ£ô |

+## Glossary

+- **Protection units** ΓÇô SharePoint sites, OneDrive accounts, or Exchange Online mailboxes backed up by the Microsoft 365 Backup tool.

+- **Restore point** ΓÇô A prior point in time from which you can restore a version of your content and metadata. If the protection unit from a prior point in time is identical to the present state of your data, then a restore from that point will have no impact on your current data.

+- **RPO** ΓÇô Recovery point objective, or how close in time the most recent restore point is to an impacting event.

+- **RTO** ΓÇô Recovery time objective, or how fast a restore to a prior point in time can complete.

+ Title: View and edit backup policies in Microsoft 365 Backup (Preview)

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to view and edit backup policies in Microsoft 365 Backup.

+# View and edit backup policies in Microsoft 365 Backup (Preview)

+> [!NOTE]

+> This feature is currently in preview and subject to change.

+You can edit the scope of OneDrive accounts, SharePoint sites, and Exchange mailboxes associated with a backup policy. As part of edit, you can either add new accounts, sites, or mailboxes to or remove them from backup. Removing accounts, sites, and mailboxes from Microsoft 365 Backup doesn't mean existing backups will be deleted, rather it means additional backups will not be taken.

+Select the **OneDrive**, **SharePoint**, or **Exchange** tab for steps to view and edit backup policies for that product.

+# [OneDrive](#tab/onedrive)

+Follow these steps to view and edit backup policies for OneDrive.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **OneDrive** section, select **Edit scope**.

+ 

+2. On the **OneDrive accounts backup policy** panel, on the **Policy details** tab, select **Edit scope**.

+3. You can either add new accounts to or remove accounts from an existing OneDrive backup policy.

+ a. To add new accounts, on the **Backed up accounts** tab, select **+ Add accounts**.

+ b. Select the accounts from the list. Once you have added accounts to the list, follow the prompts to update the policy.

+ 

+ c. To remove accounts from existing backup policy, on the **Backed up accounts** tab, select the accounts from the list, and then select **Remove**. Once you have done your changes, follow the prompts to remove the accounts.

+ 

+4. Once you have done your changes, follow the prompts to update the policy.

+ 

+> [!NOTE]

+> Removing accounts from backup policy means no future backups will be taken for those removed accounts. Existing backups for those accounts will not be deleted.

+# [SharePoint](#tab/sharepoint)

+Follow these steps to view and edit backup policies in SharePoint.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **SharePoint** section, select **Edit scope**.

+ 

+2. On the **SharePoint sites backup policy** panel, on the **Policy details** tab, select **Edit scope**.

+3. You can either add new sites to or remove sites from an existing SharePoint backup policy.

+ a. To add new sites, on the **Backed up sites** tab, select **+ Add sites**.

+ b. Select sites by any method as discussed in the creation section. Once you have added sites to the list, follow the prompts to update the policy.

+ 

+ c. To remove sites from existing SharePoint backup policy, on the **Backed up sites** tab,select the relevant sites, and then select **Remove**. Once you have done your changes, follow the prompts to remove the sites.

+ 

+4. Once you have done your changes, follow the prompts to update the policy.

+ 

+> [!NOTE]

+> Removing sites from backup policy means no future backups will be taken for those removed sites. Existing backups for the removed sites will not be deleted.

+# [Exchange](#tab/exchange)

+Follow these steps to view and edit backup policies for Exchange.

+1. In the Microsoft 365 admin center, on the **Microsoft 365 Backup** page, in the **Exchange** section, select **Edit scope**.

+ 

+2. On the **Exchange mailbox backup policy** panel, on the **Policy details** tab, select **Edit scope**.

+3. You can either add new user mailboxes to or remove user mailboxes from the existing Exchange backup policy.

+ a. To add new user mailboxes, select **+ Add user mailboxes**.

+ 

+ b. To remove user mailboxes from existing backup policy, on the **Backed up sites** tab, select the user mailboxes from the list, and select **Remove**.

+ 

+4. Once you have done your changes, follow the prompts to update the policy.

+ 

+> [!NOTE]

+> Removing mailboxes from backup policy means no future backups will be taken for those removed mailboxes. Existing backups for those mailboxes will not be deleted.

+| "The product key you entered isn't valid. Try entering it again." Or "This product key isn't valid. Enter a different product key." | Carefully check the numbers and characters you're entering. Mistakes can be made with 0 and o, 5 and S, l and I, and so on. If the issue persists, contact the reseller where you bought your product key. |

+| "This product key has already been used. Enter a different product key." | Verify that the key hasn't already been used by you or a member of your organization. If the key hasn't already been used, contact your partner or the reseller where you bought the product key. |

+| "Sorry, we can't process your request right now. Wait a few minutes and try again." | If subsequent attempts result in the same error message for more than 15 minutes, [contact support](../admin/get-help-support.md). |

+| "The requested subscription isn't available. One of the following reasons could have caused this: The offer isn't available - The service isn't available in your country/region - It's impossible to use/select the same trial twice. If the issue persists, contact Microsoft support." | [Contact support](../admin/get-help-support.md)[contact support](../admin/get-help-support.md). If you're working with a partner, contact your partner for support. |

+This article is for Global or SharePoint administrators who created a Multi-Geo satellite location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who didn't enable SharePoint Multi-Geo in their satellite geo locations.

+These instructions allow you to enable SharePoint in your satellite location, so your Multi-Geo satellite users can take advantage of both OneDrive and SharePoint Multi-Geo capabilities in O365.

+4. This operation usually takes about an hour while we perform various publish backs in the service and re-stamp your tenant. After at least 1 hour, perform a Get-SPOMultiGeoExperience. This shows you whether this geo location is in SPO mode.</br></br>

+For additional information regarding SharePoint Multi-Geo, refer to [aka.ms/sharepointmultigeo](multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md)

+ Title: "Additional network security requirements for Office 365 Government Community Cloud (GCC) High and DoD"

+description: "Summary: Office 365 GCC High and DoD have extra network security requirements."

+Office 365 GCC High and DOD are secure cloud environments to meet the needs of the United States Government and its suppliers and contractors. These cloud environments have extra network restrictions on which external endpoints the services are permitted to access.

+GCC High and DOD customers planning to use federated identities or hybrid coexistence might require Microsoft to permit inbound and/or outbound access to your existing on-premises deployments. Examples of these activities include:

+* Use of federated identities (with Active Directory Federation Services or similar supported Security token service (STS))

+* An email distribution list that Microsoft communicates with for on-going communications related to network changes and/or follow up for invalid subnets

+* Federated identity system externally accessible URL (for example, sts.contoso.com) and IP address range in CIDR (Classless Inter-Domain Routing) notation (for example, 10.1.1.0/28)

+* On-Premises public key infrastructure (PKI) Certificate Revocation List URL and IP address range in CIDR notation

+Once Microsoft receives and approves your request, there's a three-week service-level agreement (SLA) for implementation and canΓÇÖt be expedited. You receive an initial acknowledgment when we receive your request and a final acknowledgment once it's complete.

+- must-keep

+BCS, Secure Store, and Apps all have separate instances in each satellite location, and therefore the SharePoint administrator should manage and configure these services separately from each satellite location.

+You can set your IP DLP policies for OneDrive, SharePoint, and Exchange Online in the Security and Compliance center, scoping policies as needed to the whole _Tenant_ or to applicable users. For example: If you wish to select a policy for a user in a satellite location, select to apply the policy to a specific OneDrive and enter the user's OneDrive URL. See [Overview of data loss prevention policies](https://support.office.com/article/1966b2a7-d1e2-4d92-ab61-42efbb137f5e) for general guidance in creating DLP policies.

+Flows created for the satellite location will use the end point located in the default geo location for the _Tenant_. Microsoft Power Automate isn't a Multi-Geo service.

+## SharePoint storage quota

+By default, all geo locations of a multi-geo environment share the available _Tenant_ storage quota. You can also manage the storage quota by allocating a specific quota for a particular geo location. For more information, see [SharePoint storage quotas in multi-geo environments](sharepoint-multi-geo-storage-quota.md).

+Administrators can set and manage sharing policies for each of their locations. The OneDrive and SharePoint sites in each geo location will honor only the corresponding geo-specific sharing settings. (For example, you can allow [external sharing](https://support.office.com/article/C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85) for your central location, but not for your satellite location or vice versa.) Note that the sharing settings don't allow configuring sharing limitations between geo locations.

+Videos uploaded to Microsoft Stream in a 1:1 chat are stored in the OneDrive of the person uploading. Meeting recordings are stored in the OneDrive of each attendee who records the meeting.

+Viva Engage isn't a Multi-Geo workload. Viva Engage threads stored in Viva Engage will be placed in the _Tenant's_ central location. Viva Engage is rolling out a file storage change which will store Viva Engage files within SharePoint. Viva Engage files stored in SharePoint will be placed the SharePoint site associated with the Viva Engage group. SharePoint group sites are based on PDL logic as outlined in [SharePoint Sites and Groups](multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md#sharepoint-sites-and-groups).

+Unless you have created any custom instances of ExternalAccessPolicy, that command returns one policy that meets our criteria (FederationOnly). Here's an example:

+Now that you know which policy to assign to Alex, we can assign that policy by using the [Grant-CsExternalAccessPolicy](/powershell/module/skype/Get-CsExternalAccessPolicy) cmdlet. Here's an example:

+Assigning a policy is simple: you can specify the Identity of the user and the name of the policy to be assigned.

+And when it comes to policies and policy assignments, you're not limited to working with user accounts one a time. For example, suppose you need a list of all the users who are allowed to communicate with federated partners and with Windows Live users. We already know that those users have been assigned the external user access policy FederationAndPICDefault. Because we know that, you can display a list of all those users by running one simple command. Here's the command:

+As an additional example, suppose you've previously assigned Alex the FederationAndPICDefault policy, and now you've changed your mind and would like him to be managed by the global external access policy. You can't explicitly assign the global policy to anyone. Instead, the global policy is used for a given user if no per-user policy is assigned to that user. Therefore, if we want Alex to be managed by the global policy, you need to *unassign* any per-user policy previously assigned to him. Here's an example command:

+To manage large numbers of users (1000 or more), you need to batch the commands via a script block using the [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command) cmdlet. In previous examples, each time a cmdlet is executed, it must set up the call and then wait for the result before sending it back. When using a script block, this allows the cmdlets to be executed remotely, and once completed, send the data back.

+This finds 500 users at a time who don't have a client policy. It grants them the client policy "ClientPolicyNoIMURL" and the external access policy "FederationAndPicDefault". The results are batched into groups of 50 and each batch of 50 is then sent to the remote machine.

+description: "This article describes how you can deploy to SharePoint Online without performing traditional load testing since it isn't permitted."

+This article describes how you can deploy to SharePoint Online without traditional load testing, since load-testing isn't permitted on SharePoint Online. SharePoint Online is a cloud service and Microsoft manages the load capabilities, health, and overall balance of load in the service.

+One of the main benefits of SharePoint Online over an on-premises deployment is the elasticity of the cloud and optimizations for users in distributed regions. Our large-scale environment is set up to service millions of users on a daily basis. So it's important that we handle capacity effectively by balancing and expanding farms.

+In order to efficiently use capacity and deal with unexpected growth, in any farm, we have automation that tracks and monitors various elements of the service. Multiple metrics are utilized, with one of the main ones being CPU load, which is used as a signal to scale-up front-end servers. Additionally, we recommend a [phased / wave approach](planportallaunchroll-out.md), as SQL environments will scale according to load and growth over time. Following the phases and waves allows for the correct distribution of that load and growth.

+Capacity is more than just about adding more hardware on a continuous basis but it also pertains to managing and controlling that capacity to ensure it's servicing valid load requests. We recommend that customers follow the recommended guidance to ensure they have the best experience. It also means that we have throttling patterns and controls in place to ensure we don't allow "abusive" behavior in the service. While not all "bad" behavior is intentional, we do have to ensure that we limit the effect of that behavior. For further information on throttling and how to avoid it, review the [how to avoid being throttled guidance](/sharepoint/dev/general-development/how-to-avoid-getting-throttled-or-blocked-in-sharepoint-online) article.

+With SharePoint Online, we need to do things differently because the scale is relatively fluid and adjusts, throttles, and controls load, based on certain heuristics. Being such a large-scale multi-tenant environment, we must protect all tenants in the same farm, so we automatically throttle any load tests.

+If you do however attempt to load test, besides being throttled, you could receive disappointing and potentially misleading results. The reason it could happen is because the farm you tested today could have scale changes during the testing window or within hours after testing, as scale and farm balancing actions are performed on an on-going basis.

+Modern Authentication is a method of identity management that offers more secure user authentication and authorization, is available for Skype for Business server on-premises and Exchange server on-premises, and split-domain Skype for Business hybrids.

+1. Collect the HMA-specific info you need in a file, or OneNote.

+These steps turn on MA for SFB, SFBO, EXCH, and EXO - that is, all the products that can participate in an HMA configuration of SFB and SFBO (including dependencies on EXCH/EXO). In other words, if your users are homed in/have mailboxes created in any part of the Hybrid (EXO + SFBO, EXO + SFB, EXCH + SFBO, or EXCH + SFB), your finished product looks like this:

+As you can see, there are four different places to turn on MA! For the best user experience, we recommend you turn on MA in all four of these locations. If you can't turn MA on in all these locations, adjust the steps so that you turn on MA only in the locations that are necessary for your environment.

+After you've checked that you meet the [prerequisites](hybrid-modern-auth-overview.md) to use Modern Authentication (see the previous note), you should create a file to hold the info you'll need for configuring HMA in the steps ahead. Examples used in this article:

+You need internal and external web service URLs for all SfB 2015 pools deployed. To obtain these, run the following command from Skype for Business Management Shell:

+If you're using a Standard Edition server, the internal URL would be blank. In this case, use the pool fqdn for the internal URL.

+Now you need to run commands to add the URLs (collected earlier) as Service Principals in SFBO.

+ The AppPrincipalId begins with `00000004`. This corresponds to Skype for Business Online.

+ Take note of (and screenshot for later comparison) the output of this command, which includes an SE and WS URL, but mostly consist of SPNs that begin with `00000004-0000-0ff1-ce00-000000000000/`.

+3. If the internal **or** external SFB URLs from on-premises are missing (for example, https://lyncwebint01.contoso.com and https://lyncwebext01.contoso.com) we'll need to add those specific records to this list.

+ Be sure to replace *the example URLs* with your actual URLs in the Add commands!

+4. Verify your new records were added by running the **Get-MsolServicePrincipal** command from step 2 again, and looking through the output. Compare the list or screenshot from before to the new list of SPNs. You can also screenshot the new list for your records. If you were successful, you can view the two new URLs in the list. Going by our example, the list of SPNs will now include the specific URLs https://lyncwebint01.contoso.com and https://lyncwebext01.contoso.com/.

+Once you enable HMA, a client's next login will use the new auth flow. Just turning on HMA wouldn't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have.

+To test that HMA is working after you've enabled it, sign out of a test SFB Windows client and be sure to select 'delete my credentials'. Sign in again. The client should now use the Modern Auth flow and your login will now include an **Office 365** prompt for a 'Work or school' account, seen right before the client contacts the server and logs you in.

+You should also check the 'Configuration Information' for Skype for Business Clients for an 'OAuth Authority'. To do this on your client computer, hold down the CTRL key at the same time you right-click the Skype for Business Icon in the Windows Notification tray. Select **Configuration Information** in the menu that appears. In the 'Skype for Business Configuration Information' window that appears on the desktop, look for the following:

+You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and select 'Connection Status'. Look for the client's SMTP address against an AuthN type of 'Bearer\*', which represents the bearer token used in OAuth.

+When you use PowerShell for Microsoft 365 to create SharePoint Online sites and add users, you can quickly and repeatedly perform tasks faster than you can in the Microsoft 365 admin center. You can also perform tasks that aren't possible to perform in the Microsoft 365 admin center.

+The procedures in this article require you to connect to SharePoint Online. For instructions, see [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

+Create multiple sites using PowerShell and a .csv file that you create using the example code provided and Notepad. For the procedure, you're replacing the placeholder information shown in brackets with your own site- and tenant-specific information. This process lets you create a single file and run a single PowerShell command that uses that file. This process makes the actions both repeatable and portable and eliminates many, if not all, errors that can come from typing long commands into the SharePoint Online Management Shell. There are two parts to this procedure. First you create a .csv file, and then you reference that .csv file using PowerShell, which uses its contents to create the sites.

+The PowerShell cmdlet imports the .csv file and pipes it to a loop inside the curly brackets that reads the opening line of the file as column headers. The PowerShell cmdlet then iterates through the remaining records, creates a new site collection for each record, and assigns properties of the site collection according to the column headers.

+ Where *MyAlias* equals your user alias

+ThatΓÇÖs it. You created multiple site collections using the .csv file you created and a single Windows PowerShell command. YouΓÇÖre now ready to create and assign users to these sites.

+Now youΓÇÖre going to create users and add them to a site collection group. You then use a .csv file to bulk upload new groups and users.

+ Where *tenant* equals your tenant name

+6. Save the file to your desktop as **UsersAndGroups.ps1**, which is a simple Windows PowerShell script.

+ Where *MyAlias* equals your user name

+5. Wait for the prompt to return before moving on. You initially see the groups appear as they're created. Then the group list is repeated as users are added.

+Using Cross-Tenant Identity Mapping reduces mistakes when configuring target objects for a migration by automatically configuring values such as _ExchangeGuid_, _ArchiveGuid_, and all necessary _X500 proxy addresses_.

+- Cross-Tenant Identity Mapping does **not** create the Mail Enabled User objects in the target tenant for you. These objects must still be created with a minimal attribute set. Once created, then Cross-Tenant Identity Mapping decorates their attributes correctly for a mailbox migration to proceed.

+- Target organizations in a hybrid configuration require Microsoft supported on-premises object management tools to modify any Mail Enabled User objects synchronized from the on-premises directory.

+This step is Step 3 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+|NotEstablished|Trust wasn't requested locally.|

+description: Learn how to decrease the load time for SharePoint Online pages by using JavaScript to delay loading images and nonessential JavaScript.

+The article describes how you can decrease the load time for SharePoint Online pages by using JavaScript to delay loading images and also by waiting to load nonessential JavaScript until after the page loads.

+Images can negatively affect page load speeds on SharePoint Online. By default, most modern Internet browsers prefetch images when loading an HTML page. This process can cause the page to be slow to load if the images aren't visible on the screen until the user scrolls down. The images can block the browser from loading the visible part of the page. To work around this problem, you can use JavaScript to skip loading the images first. Also, loading nonessential JavaScript can slow download times on your SharePoint pages too. This article describes some methods you can use to improve page load times with JavaScript in SharePoint Online.

+You can use JavaScript to prevent a web browser from prefetching images. This technique speeds up overall document rendering. To do it, you remove the value of the src attribute from the \<img\> tag and replace it with the path to a file in a data attribute such as: data-src. For example:

+In this method, the browser doesn't download the images immediately. If the image is already in the viewport, JavaScript tells the browser to retrieve the URL from the data attribute and insert it as the value for the src attribute. The image only loads as the user scrolls and it comes into view.

+To perform this function, you need to use JavaScript.

+Next, use **isElementInViewport()** in the **loadItemsInView()** function. The **loadItemsInView()** function loads all images that have a value for the data-src attribute if they are in the part of the browser that is visible to the user. Add the following function to the text file:

+Finally, call **loadItemsInView()** from within **window.onscroll()** as shown in the following example. This function ensures that any images that are in the viewport are loaded as the user needs them, but not before. Add the following to the text file:

+For SharePoint Online, you need to attach the following function to the scroll event on the #s4-workspace \<div\> tag because the window events are overridden in order to ensure the ribbon remains attached to the top of the page.

+Once you finish writing delayLoadImages.js, you can add the contents of the file to a master page in SharePoint Online by adding a script link to the header in the master page. Once it's in a master page, the JavaScript is applied to all pages in your SharePoint Online site that use that master page layout. Alternatively, if you intend to only use the functionality on one page of your site, use the script editor Web Part to embed the JavaScript into the page. For more information, see:

+For this example to work, you also need to reference jQuery in the master page. In the following example, you can see in the initial page load that there's only one image loaded but there are several more on the page.

+Delaying image loading by using JavaScript can be an effective technique in increasing performance; however, if the technique is applied on a public website then search engines aren't able to crawl the images in the same way they would crawl a regularly formed image. This technique can affect rankings on search engines because metadata on the image itself isn't there until the page loads. Search engine crawlers only read the HTML and therefore can't see the images as content on the page. Images are one of the factors used to rank pages in search results. A work-around is to use introductory text for your images.

+- must-keep

+The body of content that comprised the Desktop Deployment Center has been deprecated.

+This kit helps you plan, test, and validate your deployment and management of desktops running Windows 10 and 11 Enterprise and Microsoft 365 Apps for enterprise. The labs cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, Office Customization Tool, OneDrive, Windows Autopilot and more.

+See [Windows and Office Deployment Lab Kit](modern-desktop-deployment-and-management-lab.md) for details.

+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services. You might need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.

+The MX record value for your accepted domains follows a standard format as noted previously: *tenant*.mail.protection.office365.us, replacing *tenant* with the first part of your default tenant name.

+ Title: "Domain Name System (DNS) records for Office 365 Government Community Cloud (GCC) High"

+As part of onboarding to Office 365 GCC High, you need to add your Simple Mail Transfer Protocol (SMTP) and SIP domains to your Online Services tenant. You do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.

+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the following services. You might need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.

+The MX record value for your accepted domains follows a standard format as noted previously: *tenant*.mail.protection.office365.us, replacing *tenant* with the first part of your default tenant name.

+- must-keep

+Additionally, your organization computers and devices must trust the public certification authority that is issuing the digital certificate. This trust is established by having a root certificate from the public certification authority installed in the trusted root certification authorities store on your computers and devices. Computers running Microsoft Windows typically have a set of these types of certificates installed from commonly used certification authorities. If the root certificate from your public certification authority isn't already installed, you must deploy this to the computers and devices of your organization.

+You should now be ready to configure Microsoft Entra Connect and federated authentication for Microsoft 365. To ensure that you are, here's a checklist:

+Here's an example for the Contoso organization:

+Here's the final configuration, with placeholder names for the servers.

+description: "In this article, you can learn about Hybrid Modern Authentication and the prerequisites for use with on-premises Skype for Business and Exchange servers."

+Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you might already be familiar with. It includes:

+> As of August of 2017, all new Office 365 tenants that include Skype for Business online and Exchange online will have modern authentication enabled by default. Pre-existing tenants won't have a change in their default MA state, but all new tenants automatically support the expanded set of identity features you see listed previously. To check your MA status, see the [Check the modern authentication status of your on-premises environment](hybrid-modern-auth-overview.md#BKMK_CheckStatus) section.

+The change to evoSTS allows your on-premises servers to take advantage of OAuth (token issuance) for authorizing your clients, and also lets your on-premises use security methods common in the cloud (like Multi-factor Authentication). Additionally, the evoSTS issues tokens that allow users to request access to resources without supplying their password as part of the request. No matter where your users are homed (of online or on-premises), and no matter which location hosts the needed resource, EvoSTS would become the core of authorizing users and clients once modern authentication is configured.

+This also means that even though your Exchange server and Skype for Business environments might be entirely on-premises, the authorizing server is online, and your on-premises environment must have the ability to create and maintain a connection to your Office 365 subscription in the Cloud (and the Microsoft Entra instance that your subscription uses as its directory).

+ - If you're using Exchange Server 2013, at least one server must have the Mailbox and Client Access server roles installed. While it's possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on the same server to provide more reliability and improved performance.

+ - If you're using Exchange server 2016 or later version, at least one server must have the Mailbox server role installed.

+ - All Exchange servers must have the latest cumulative updates installed. See [Upgrade Exchange to the latest Cumulative Updates](/exchange/plan-and-deploy/install-cumulative-updates) to find and manage all available updates.

+ The availability of modern authentication is determined by the combination of the client, protocol, and configuration. If modern authentication isn't supported by the client, protocol, and/or configuration, then the client continues to use legacy authentication.

+ |Outlook 2013 and later <br/> |MAPI over HTTP <br/> |MAPI over HTTP must be enabled within Exchange in order to use modern authentication with these clients (enabled or True for new installs of Exchange 2013 Service Pack 1 and above); for more information, see [How modern authentication works for Office 2013 and Office 2016 client apps](modern-auth-for-office-2013-and-2016.md). <br/> Ensure you're running the minimum required build of Outlook; see [Latest updates for versions of Outlook that use Windows Installer (MSI)](/officeupdates/outlook-updates-msi). <br/> |

+ Clients and/or protocols that aren't listed (for example, POP3) don't support modern authentication with on-premises Exchange and continue to use legacy authentication mechanisms even after modern authentication is enabled in the environment.

+ - Resource forest scenarios require a two-way trust with the account forest to ensure proper SID lookups are performed during hybrid modern authentication requests.

+ - Make sure both an on-premises test user, and a hybrid test user homed in Office 365, can sign in to the Skype for Business desktop client (if you want to use modern authentication with Skype) and Microsoft Outlook (if you want to use modern authentication with Exchange).

+ - Make sure the SignInOptions setting in Microsoft Office isn't configured to its most restrictive setting. For more information, see [How to allow Office to connect to the internet](/office365/troubleshoot/access-management/office-feature-disabled).

+- All the scenarios for on-premises servers involve setting up modern authentication on-premises (in fact, for Skype for Business there's a list of supported topologies) so that the server responsible for authentication and authorization is in the Microsoft Cloud (Microsoft Entra ID's security token service, called 'evoSTS'), and updating Microsoft Entra ID about the URLs or namespaces used by your on-premises installation of either Skype for Business or Exchange. Therefore, on-premises servers take on a Microsoft Cloud dependency. Taking this action could be considered configuring 'hybrid auth'.

+- This article links out to others that help you choose supported modern authentication topologies (necessary only for Skype for Business), and how-to articles that outline the setup steps, or steps to disable modern authentication, for Exchange on-premises and Skype for Business on-premises. Favorite this page in your browser if you're going to need a home-base for using modern authentication in your server environment.

+- The speed at which pages load

+- The number of round-trips required per page

+- The issues with the service

+- The other things that cause performance degradation

+One simple benchmark test you can use would be to measure performance by comparing the load time of your own portal against the load time of the OneDrive for Business home page as it uses few customized features. This step is often the first step Support asks you to complete when troubleshooting network performance issues.

+This scenario is applicable to SharePoint on-premises and SharePoint Online but in an on-premises scenario the differences can't be as easily noticed as in SharePoint Online.

+In order to correctly evaluate how a page performs for users, you should use a standard user account to avoid loading the authoring controls and extra traffic related to security groups.

+You can categorize the connections between the server and the user into three main components. Consider these components when designing SharePoint Online pages for insight into load times.

+Within these three connections, there are typically five reasons that cause 95% of slow pages. Each of these reasons is discussed in this article:

+As you would expect, you have far more control over how servers perform with on-premises SharePoint. With SharePoint Online, things are a little different. The more work you make a server do, the longer it takes to render a page. With SharePoint, the biggest culprits in this respect are complex pages with multiple web parts.

+With SharePoint Online, certain page requests might actually end up calling multiple servers. You could end up with a matrix of requests between servers for an individual request. These interactions are expensive from a page load perspective and make things slow.

+The other thing that can slow down server interactions is cache misses. Unlike on-premises SharePoint, there's a slim chance that you would hit the same server for a page that you visited previously; this makes object caching obsolete.

+With on-premises SharePoint that doesn't make use of a WAN, you can use a high-speed connection between datacenter and end users. Generally, things are easy to manage from a network perspective.

+- The Internet Service Provider (ISP)

+Regardless of which version of SharePoint (and which network) you're using, things that typically cause the network to be busy include:

+One feature that you can use in SharePoint Online is the Microsoft CDN (Content Delivery Network). A CDN is basically a distributed collection of servers deployed across multiple datacenters. With a CDN, content on pages can be hosted on a server close to the client even if the client is far away from the originating SharePoint Server. Microsoft will be using this feature more in the future to store local instances of pages that can't be customized, for example the SharePoint Online admin home page. For more information about CDNs, see [Content delivery networks](content-delivery-networks.md).

+Something that you need to be aware of but have no control over is the connection speed of your ISP. A simple speed test tool tells you the connection speed.

+Visiting complex pages affects performance. Most browsers only have a small cache (around 90 MB), while the average web page is typically around 1.6 MB, which doesn't take long to get used up.

+Bandwidth can also be an issue. For example, if a user is watching videos in another session, it affects the performance of your SharePoint page. While you can't prevent users from streaming media, you can control the way a page loads for users.

+Windows PowerShell allows Syndication and Cloud Solution Provider (CSP) partners to easily administer and report on customer tenancy settings that aren't available in the Microsoft 365 admin center. Administer on Behalf Of (AOBO) permissions are required for the partner administrator account to connect to its customer tenancies.

+Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They're frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they're automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

+This displays a listing of all your customer tenants by **TenantId**.

+If you have registered additional domains, this returns all domains associated with the customer **TenantId**.

+This displays the **UserPrincipalName**, the **DisplayName**, and the **isLicensed** status for all users for a particular tenant. Replace _\<customer TenantId value>_ with the actual value.

+- **LicenseAssignment**: The value for this uses this format: `syndication-account:<PROVISIONING_ID>`. For example, if you're assigning customer tenant users O365_Business_Premium licenses, the **LicenseAssignment** value looks like this: **syndication-account:O365_Business_Premium**. You'll find the PROVISIONING_IDs in the Syndication Partner Portal that you have access to as a Syndication or CSP partner.

+In this example, the values within this policy determine what a use can or can't do when it comes to communicating with federated users. For example, the EnableOutsideAccess property must be set to True for a user to be able to communicate with people outside the organization. This property doesn't appear in the Microsoft 365 admin center. Instead, the property is automatically set to True or False based on the other selections that you make. The other two properties of interest are:

+- Determine which external access policy is assigned to that user.

+- Determine which capabilities are or aren't allowed by that policy.

+In some cases, properties of policies aren't used with Microsoft 365, while others can only be managed by Microsoft support personnel.

+With Skype for Business Online, users must be managed by a policy of some kind. If a valid policy-related property is blank, that means that the user in question is being managed by a global policy, which is a policy that is automatically applied to a user unless they're specifically assigned a per-user policy. Because we don't see a client policy listed for a user account, it's managed by the global policy. You can determine the global client policy with this command:

+We released a new Exchange Online service advisory that informs you of auto-expanding archives attached to mailboxes at risk of reaching the 1.5TB limit on total auto-expanding archive size. These service advisories provide visibility to the mailboxes in your organization that can require admin intervention.

+These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, go to **Health** \> **Service health** \> **Exchange Online** and then select the **Active issues** tab.

+This service advisory informs you of potential data storage limits being reached in your organization. Mailboxes with archive mailboxes that have the auto-expanding archive feature enabled can store a maximum of 1.5 TB of data in the auto-expanding archive. The service advisory contains a link under "User Impact" that shows a flyout window listing impacted mailbox Globally Unique Identifiers (GUIDs) for your tenant.

+Here's an example of the flyout:

+- **mailboxGuid** : The GUID of the main archive for the mailbox or one of the other storage units in the auxiliary archive ("AuxArchive").

+Microsoft Entra ID was designed to host multiple tenants in a highly secure way through logical data isolation. Access to Microsoft Entra ID is gated by an authorization layer. Microsoft Entra ID isolates customers using tenant containers as security boundaries to safeguard a customer's content so that the content can't be accessed or compromised by co-tenants. Three checks are performed by Microsoft Entra authorization layer:

+No application, user, server, or service can access Microsoft Entra ID without the proper authentication and token or certificate. Requests are rejected if they aren't accompanied by proper credentials.

+The concept of tenant containers is deeply ingrained in the directory service at all layers, from portals all the way to persistent storage. Even when multiple Microsoft Entra tenant metadata is stored on the same physical disk, there's no relationship between the containers other than what is defined by the directory service, which in turn is dictated by the tenant administrator. There can be no direct connections to Microsoft Entra storage from any requesting application or service without first going through the authorization layer.

+In the following example, Contoso and Fabrikam both have separate, dedicated containers, and even though those containers can share some of the same underlying infrastructure, such as servers and storage, they remain separate and isolated from each other, and gated by layers of authorization and access control.

+In addition, there are no application components that can execute from within Microsoft Entra ID, and it isn't possible for one tenant to forcibly breach the integrity of another tenant, access encryption keys of another tenant, or read raw data from the server.

+By default, Microsoft Entra disallows all operations issued by identities in other tenants. Each tenant is logically isolated within Microsoft Entra ID through claims-based access controls. Reads and writes of directory data are scoped to tenant containers, and gated by an internal abstraction layer and a role-based access control (RBAC) layer, which together enforce the tenant as the security boundary. Every directory data access request is processed by these layers and every access request in Microsoft 365 is policed by the previous logic.

+Microsoft Entra ID has North America, U.S. Government, European Union, Germany, and World Wide partitions. A tenant exists in a single partition, and partitions can contain multiple tenants. Partition information is abstracted away from users. A given partition (including all the tenants within it) is replicated to multiple datacenters. The partition for a tenant is chosen based on properties of the tenant (for example, the country code). Secrets and other sensitive information in each partition is encrypted with a dedicated key. The keys are generated automatically when a new partition is created.

+- must-keep

+The goal of this article is to provide best practices for mitigating the impact of China cross-border network congestion on Microsoft 365 services. This article doesn't address other common last-mile performance issues such as issues of high packet latency due to complex routing within China carriers.

+As a first step, it's crucial that you follow our benchmark network guidance at [Network planning and performance tuning for Microsoft 365](./network-planning-and-performance.md). The primary goal should be to avoid accessing global Microsoft 365 services from the Internet in China if possible.

+- Configure your network to route all Microsoft 365 traffic across your private offshore link. If you must minimize the volume of traffic on your private link, you can choose to only route endpoints in the **Optimize** category, and allow requests to **Allow** and **Default** endpoints to transit the Internet. This improves performance and minimize bandwidth consumption by limiting optimized traffic to critical services that are most sensitive to high latency and packet loss.

+If cross-border private networks and/or VPN access into the corporate network aren't an option, per-user performance issues can still be mitigated by training your China-based users to follow these best practices.

+- Utilize rich Office clients that support caching (Outlook, Teams, OneDrive, etc.), and avoid web-based clients. Office client caching and offline access features can dramatically reduce the impact of network congestion and latency.

+Sending Teams real-time media audio and video traffic over the public internet, which uses the higher quality connectivity, can result in considerable cost savings, because it's free versus paying to send that traffic over a private network. There might be similar additional benefits if users are also using SDWAN or VPN clients. Some organizations might also prefer to have more of their data traverse public internet connections as a general practice.

+However, data from other Microsoft 365 services ΓÇö and other traffic in Teams, such as chat or files ΓÇö won't directly benefit from these improvements. Users outside the organization network might still experience poor network performance for this traffic. As discussed in this article, you can mitigate these effects by using a VPN or SDWAN. You can also have your users use rich desktop clients over web clients, which support in-app caching to mitigate network issues.

+ Title: "Multi-Geo Capabilities in OneDrive and SharePoint"

+- must-keep

+description: "Expand your Microsoft 365 presence to multiple geographic regions with multi-geo capabilities in OneDrive and SharePoint."

+# Multi-Geo Capabilities in OneDrive and SharePoint

+Multi-Geo capabilities in OneDrive and SharePoint enable control of shared resources like SharePoint team sites and Microsoft 365 Group mailboxes stored at rest in a specified geo location.

+Each user's OneDrive can be provisioned in or [moved by an administrator](move-onedrive-between-geo-locations.md) to a satellite location in accordance with the user's PDL. Personal files are then kept in that geo location, though they can be shared with users in other geo locations. Administrative options found under the OneDrive tab of an active user within the Microsoft 365 admin center are currently not supported for multi-geo tenants.

+Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams aren't Multi-Geo. However, Microsoft 365 Groups that are created by these services will be configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding geo.

+Setting up and managing your multi-geo environment is done through the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+- scotvorg

+- must-keep

+The multitenant Organization (MTO) People Search is a collaboration feature that enables search and discovery of people across multiple tenants. A tenant admin can enable cross-tenant synchronization that allows users to be synced to another tenant and be discoverable in its global address list. Once enabled, users are able to search and discover synced user profiles from the other tenant and view their corresponding people cards.

+- There's no external tag to differentiate synced users and internal users. For example, if there was a megan@fabrikam and megan@Contoso there's no (External) tag to show that megan@fabrikam is a different user.

+To test the MTO People Search feature, it's assumed that you already have the following settings:

+- essentials-get-started

+| `AccountName` | `string` | User name of the account; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+| `AccountName` | `string` | User name of the account; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account might be shown instead |

+| `AccountUpn` | `string` | User principal name (UPN) of the account; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountName` | `string` | User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |

+| `InitiatingProcessAccountUpn` | `string` | User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |

+|Exchange Administrator|Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage) |_**Defender for Office only permissions**_ </br>Security operations \ Security data \ Security data basic (read) </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br>Authorization and settings \ System settings (Read and manage)|

+ - essentials-get-started

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):

+ - _Read only access to the Alert policies page_: **Security operations / Security data / Security data basics (read)**.

+ - _Manage alert policies_: **Authorization and settings / Security settings / Detection tuning (manage)**.

+> - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email & collaboration content (read)**.

+ - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using [Threat Explorer (Explorer) or Real-time detections](threat-explorer-real-time-detections-about.md#about-threat-explorer-and-real-time-detections-in-microsoft-defender-for-office-365) and the [Email entity page](mdo-email-entity-page.md#email-preview-and-download-for-cloud-mailboxes).

+ By default, the **Preview** role is assigned only to the following role groups:

+ You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Preview** role assigned, and add the users to the custom role group.

+ By default, the **Search and Purge** role is assigned only to the following role groups:

+ You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.

+ - [EmailEvents](/microsoft-365/security/defender/advanced-hunting-emailevents-table)

+ - [EmailUrlInfo](/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table)

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](../defender/manage-rbac.md) (Affects the Defender portal only, not PowerShell):

+ - _Take action on quarantined messages for all users_: **Security operations / Security data / Email & collaboration quarantine (manage)**.

+ - _Read-only access to quarantined messages for all users_: **Security operations / Security data / Security data basics (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email & collaboration advanced actions (manage)**.

+ - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Data Investigator** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.

+- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Security data basics (read)** or **Authorization and settings/System settings/manage**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Security data basics (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Security data basics (read)**.

+ - _Preview and download messages_: Requires the **Preview** role, which is assigned only to the **Data Investigator** or **eDiscovery Manager** role groups by default. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Preview** role assigned, and add the users to the custom role group.

+ - _Move messages in and delete messages from mailboxes_: Requires the **Search and Purge** role, which is assigned only to the **Data Investigator** or **Organization Management** role groups by default. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.

+

+ ┬╣ The **Move & delete** actions require the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned only to the **Data Investigator** and **Organization Management** role groups. You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.

+┬╣ This action requires the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned only to the **Data Investigator** and **Organization Management** role groups. You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.

+ > [!div class="mx-imgBorder"]

+ > [!div class="mx-imgBorder"]

+#### Step 2: Define test scripts

+In the Edit package page, user should be able to see 2 pre-generated test scripts (install/uninstall) under the folder of flowDriven with Flow driven tag followed by sequence order number. User should be able to add new script using the existing menu.

+ > [!div class="mx-imgBorder"]

+ > [!div class="mx-imgBorder"]

+ > [!div class="mx-imgBorder"]

+ > 

+ > [!div class="mx-imgBorder"]

+Check the automatically generated In-place Upgrade Test Flow plan to see if the sequence of the test script execution matches your expectation.

+ > [!div class="mx-imgBorder"]

+ > 

+ > [!div class="mx-imgBorder"]

+ > 

+Once configuration is completed. You should be able to review the overall configuration and publish.

+ > [!div class="mx-imgBorder"]

+ > 

+ > [!div class="mx-imgBorder"]

+ > [!div class="mx-imgBorder"]

+Click on the OS versions link to drill down to the new In-place upgrade test results page which can also be accessed through the left navigation panel. Validate the top filter functions works to quickly switch between different in-place upgrade test runs on the package.

+ > [!div class="mx-imgBorder"]

+Click on the Script execution tab, user should be able to see the script execution result side by side for the applicationΓÇÖs test scripts before (on the baseline OS) and after the upgrade (on the target OS).

+ > [!div class="mx-imgBorder"]

+ > 

+ > If a script is scheduled to be run both pre and post upgrade, the overall script status should be passed only if both pre and post upgrade script executions are successful.

+> [!div class="mx-imgBorder"]

+> 

+> [!div class="mx-imgBorder"]