-> [!VIDEO https://youtu.be/G2HOsM767Sw]

-To get started, see [Get access to Microsoft Bookings](get-access.md). To turn Bookings on or off, see [Turn Bookings on or off for your organization](turn-bookings-on-or-off.md).

-2. In the admin center, go toΓÇ»**Settings**ΓÇ»\> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">**Org settings**</a>.

-For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> with security administrator, Conditional Access administrator, or Global admin credentials.

-2. In the left pane, select **Show All,** and then under **Admin centers**, select **Azure Active Directory**.

-3. In the left pane of the **Azure Active Directory admin center,** select **Azure Active Directory**.

-4. From the left menu of the Dashboard, in the **Manage** section, select **Properties**.

-5. At the bottom of the **Properties** page, select **Manage Security defaults**.

-6. In the right pane, you'll see the **Enable Security defaults** setting. If **Yes** is selected, then security defaults are already enabled and no further action is required. If security defaults are not currently enabled, then select **Yes** to enable them, and then select **Save**.

-> If you've been using Conditional Access policies, you'll need to turn them off before using security defaults.

-Meetings in Microsoft Teams include audio, video, and sharing. And because they're online, you'll always have a meeting space (without needing a room or projector!), even if your staff is geographically distributed or working remotely. Microsoft Teams meetings are a great way to come together with your staff both inside and outside of your organization. You don’t need to be a member of your organization or even have an account to join a meeting. You can schedule and run online meetings using Microsoft Teams. During a meeting, you can share your screen, share files, assign tasks, and more. Political campaigns can include staff, volunteers, and guests outside your organization in the meeting. Small firms or practices can meet with their staff, or meet with clients or partners over Microsoft Teams.

-When you buy a subscription to Microsoft 365 for business, you sign up for a set of apps and services that you pay for on either a monthly or an annual basis. The applications and services that you receive as part of your subscription depend on which product you purchased, such as Microsoft 365 Apps for business or Microsoft 365 Business Standard. You can see what comes with each product on the [Microsoft 365 for small and medium-sized businesses](https://products.office.com/compare-all-microsoft-office-products?&activetab=tab:primaryr1) page.

-|**If the subscription has this service**|**This automatically happens**|

-|Exchange Online <br/> |A mailbox is created for that person. <br/> To learn about the SLA for this task to be completed, see ["Setting up..." messages in the Microsoft 365 admin center](https://support.microsoft.com/help/2635238/setting-up-messages-in-the-office-365-admin-center). |

-|SharePoint Online <br/> |Edit permissions to the default SharePoint Online team site are assigned to that person. <br/> |

-|Skype for Business Online <br/> |The person has access to the features associated with the license. <br/> |

-|Microsoft 365 Apps for enterprise and Microsoft 365 Apps for business <br/> |The person can download Office apps on up to five Macs or PCs, five tablets, and five smartphones. <br/> |

-|**Admin role**|**Assign a license**|**Unassign a license**|**Buy more licenses**|**Delete an account**|

-|Billing admin <br/> |No <br/> |No <br/> |Yes <br/> |No <br/> |

-|Global admin <br/> |Yes <br/> |Yes <br/> |Yes <br/> |Yes <br/> |

-|License admin <br/> |Yes <br/>|Yes <br/> |No <br/> |No <br/> |

-|Service Support admin <br/> |No <br/> |No <br/> |No <br/> |No <br/> |

-|User admin <br/> |Yes <br/> |Yes <br/> |No <br/> |Yes <br/> |

-You must be a Microsoft Teams Free admin to upgrade a Microsoft Teams Free organization. You're automatically an admin if you created the Microsoft Teams Free organization.

-You don't need an existing Microsoft account to sign up for a free trial. For all other procedures in this article, you must be a Global or Billing admin for your organization. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md).

-1. Go to the <a href="https://www.aka.ms/office365signup" target="_blank">Microsoft 365 Products site</a>.

-2. Select the plan that you want to sign up for, such as **Microsoft 365 Business Standard**, scroll down the page, and select **Try free for 1 month**.

-1. In the Microsoft 365 admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

-2. On the **Your products** page, find the subscription that you want to buy.

-3. In the **Licenses** section, select **Purchase subscription**.

-4. Choose either a monthly or annual commitment for your subscription, then select **Checkout**.

-5. On the next page, verify the subscription, and select **Checkout**.

-6. On the next page, verify the **Sold to** address, the **Billed to** information, and **Items in this order**. If you need to make any changes, select **Change** next to the applicable section.

-7. When you\'re finished, select **Accept agreement & place order**.

-If you decide to cancel your trial subscription before the free trial period ends, go to the Microsoft 365 admin center and [turn off Recurring billing](subscriptions/renew-your-subscription.md#turn-recurring-billing-off-or-on). The trial will automatically expire when your month ends, and your credit card won't be charged.

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.

-2. On the **Purchase services** page, you see the plans that are available to your organization. Choose the Microsoft 365 plan that you want to try.

-3. On the next page, select **Get free trial**. The trial gives you 25 user licenses for a one-month term.

-4. Choose to receive a text or a call, enter your phone number, then choose **Text me** or **Call me**.

-5. Enter the verification code, then select **Start your free trial**.

-6. On the **Check out** page, select **Try now**.

-7. On the **order receipt** page, select **Continue**.

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.

-2. On the **Purchase services** page, select the plan that you want to buy, select **Details**, then select **Buy**.

-3. Enter the number of licenses that you need and choose whether to pay each month or for the whole year. Choose whether you want to automatically assign licenses to everyone who does not currently have a license. Then select **Check out now**.

-4. Review the pricing information and select **Next**.

-5. Provide your payment information, and then select **Place order** \> **Go to Admin Home**.

-The Microsoft Customer Agreement (MCA) lets an organization buy Microsoft products and services. For more information, see [Microsoft Customer Agreement](https://www.microsoft.com/en-us/Licensing/how-to-buy/microsoft-customer-agreement).

-| **Term** | **Definition** |

-||-|

-||--|

- |Maximum number of eDiscovery hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases. <br/> |10,000¹ <br/> |

- |Maximum number of cases displayed on the eDiscovery home page, and the maximum number of items displayed on the Holds, Searches, and Export tabs within a case. |1,000²|

- |||

- > ¹ When you put more than 1,000 mailboxes or 100 sites on hold in a single hold policy, the system will automatically scale the hold as needed. This means the system will automatically add data locations to multiple hold policies, instead of adding them to a single hold policy. However, the limit of 10,000 case hold policies per organization still applies.

- >

- > ² To view a list of more than 1,000 cases, holds, searches, or exports, you can use the corresponding Security & Compliance PowerShell cmdlet:

-This policy template enables risk scoring for internal users that detects suspicious activities associated with records hosted on existing electronic medical record (EMR) systems. Detection focuses on unauthorized access, viewing, modification, and export of patient data. You'll need to configure a connector (the [Microsoft Healthcare connector](import-healthcare-data.md) or [Epic connector](import-epic-data.md) to support detection of access, exfiltration, or obfuscation activities in your EMR system.

-When using this template, you must also configure a Microsoft 365 HR connector to periodically import organization profile data for users in your organization. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

- |||

-1. From a Sharepoint document library, select **New** > **Create modern template**.

-

-2. Choose an existing Word document that you want to use as a basis for creating a modern template, and then select **Open**.

-

-

-

-

- > You can create placeholders for text only. Currently, images, smart art, tables, and bullet lists are not supported.

-### Associate a placeholder by entering text or selecting a date

-4. On the **Select a source column from the existing list** page, select the column name you want to associate with the placeholder, and then select **Save**.

-

-You can create as many placeholders as you think are necessary. When you're done, you can choose to save the template as a draft or publish the template.

- - **Save draft** ΓÇô Saves the template as a draft and you can access it later. You can view, edit, or publish saved drafts from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.

- - **Publish** ΓÇô Publishes the template to be used by other users in the organization to create documents. You can view, edit, or unpublish *published* templates from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.

-1. From a Sharepoint document library, select **New** > **Edit New menu**.

-

-

- - For **Published templates**, select **Edit** to open the template studio where you can edit the published template. You can also choose to delete or unpublish the template.

-

- - For **Draft templates**, select **Edit** to open the template studio where you can edit the draft template. You can also choose to delete or publish the template.

-

-

->- The template and the document are associated with one document library. To use the template in another document library, you will need to create the template again in that document library.

->- The uploaded document that is used to create the modern template will be saved as a separate copy and placed in the /forms directory of the document library. The original file on the disk will be unaffected.

->- You can create placeholders for text only. Currently, images, smart art, tables, and bullet lists are not supported.

->- Once a document is created from a template, it is not associated with the template.

-

-<br/>

-You need to create an extractor for each entity in the document that you want to extract. In our example, we want to extract the **Service Start Date** for each **Contract Renewal** document that is identified by the model. We want to be able to see a view in the document library of all **Contract Renewal** documents, with a column that shows the **Service Start** date value of each document.

-> To create an extractor, you use the same files you previously uploaded to train the classifier.

- 

- 

-

-Once you labeled five files, a notification banner displays informing you to move to training. You can choose to more label more documents or advance to training.

- 

-> For more learn more about explanation types, see [Explanation types](./explanation-types-overview.md).

-For creating explanations for items such as dates, it's easier to [use the explanation library](./explanation-types-overview.md) than to manually enter all variations. The explanation library is a set of pre-built phrase and pattern explanations. The library tries to provide all formats for common phrase or pattern lists, such as dates, phone numbers, zip codes, and many others.

- 

- 

-## Train the model

-Saving your explanation starts the training. If your model has enough information to extract the data from your labeled example files, you'll see each file labeled with **Match**.

-

- 

-Saving the explanation starts the training again, this time using both explanations in the example. If your model has enough information to extract the data from the labeled example files, you see each file labeled with **Match**.

-If you receive a match on your labeled sample files, you can now test your model on the remaining unlabeled example files. This is optional, but a useful step to evaluate the ΓÇ£fitnessΓÇ¥ or readiness of the model before using it, by testing it on files the model hasnΓÇÖt seen before.

- 

- 

-

- 

-5. When you test the extractor, you'll be able to see the refinement in the **Refinement result** column of the **Test Files** list.

- 

-[Apply a model](apply-a-model.md)

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CSu7]

-Add *classifiers* and *extractors* to your document understanding models to do the following actions:

-

-> AI Builder doesn't currently support the following types of form processing input data:<br>- Check boxes or radio buttons<br>- Signatures<br>- Fillable PDFs

-[Apply a model](apply-a-model.md)

-|Option |State |Current functionality |

-||||

-|Case sensitivity | Currently not supported. | All matches performed are case-insensitive. |

-|Line anchors | Currently not supported. | Unable to specify a specific position in a string where a match must occur. |

-> Regular expressions currently canΓÇÖt be used with the proximity explanation type.

-|--|--|--|

-|`425-555-5555`|5|A phone number. Each punctuation mark is a single token, so `425-555-5555` is 5 tokens:<br>`425`<br>`-`<br>`555`<br>`-`<br>`5555` |

-|`https://luis.ai`|7|`https`<br>`:`<br>`/`<br>`/`<br>`luis`<br>`.`<br>`ai`<br>|

-

-

-Microsoft recognizes the importance of maintaining the privacy and confidentiality of your business data. Your data belongs to you, and you can access, modify, or delete it at any time. Microsoft will not use your data without your consent and, when we have your consent, we use your data to provide only the services you have chosen. If you leave one of our services, we ensure your continued ownership of your data, following strict standards and processes to remove the data from our systems.

->[!Note]

->Customer data (also referred to as ΓÇ£your dataΓÇ¥ or ΓÇ£your business dataΓÇ¥) means all data, including text, sound, video or image files, and software that you provide to Microsoft or thatΓÇÖs provided on your behalf through your use of Microsoft enterprise online services, excluding Microsoft Professional Services. It includes customer content, which is the data you upload for storage or processing and apps you upload for distribution through a Microsoft enterprise cloud service. For example, customer content includes Exchange Online email and attachments, SharePoint Online site content, or instant messaging conversations.

->

-When you use Microsoft 365 services, we start with the assumption that our enterprise customers would like to have their business data stored and processed close to home. Wherever possible, we do just that. To keep your data in datacenters nearest to you, we store your data based on the business location you provide when you create your tenant. To choose storage locations that are meaningful to your organizationΓÇÖs businesses, you may create as many tenants for your organization as you would like.

-We have datacenter geos in Germany and France that allow you to store data in your country if your business is located there. Our regional European Union data centers are located in Austria, Finland, France, Ireland, and the Netherlands. Your data for the following services will be hosted in the following locations based on which billing address you choose:

-|:-|:--|:-|:-|

-|||||

->[!Note]

->If you have an Office 365 Education subscription with a billing address in France or Germany, your data may be stored in our regional European Union datacenters. For the locations of tenant data outside of the EU, see [Where your Microsoft 365 customer data is stored](o365-data-locations.md).

->

-When you initiate the use of any of the above services, the computations needed to provide the service for your data stored in one of our regional European datacenters (or in your country) will take place within that same geographic boundary unless a temporary data transfer is needed to perform the computation in a Microsoft datacenter located further away.

-If a temporary transfer is required, we will always employ state of the art encryption in the transfer and we will always return your data to your chosen data storage location immediately thereafter. We rely on our compliance with European law through the Standard Contractual Clauses (SCCs) for these temporary transfers, along with our supplemental measures to ensure the data is protected.

->[!Note]

->Customer data for Sway and Workplace Analytics will be stored and computed in the United States if you elect to use these services.

->

->[!Note]

->Microsoft 365 services may query and store portions of tenant directory/identity data information in regions other than the EU where necessary to facilitate certain scenarios. For example, in scenarios of cross regional e-mail routing, call routing and authentication, Microsoft 365 systems may need some information about EU recipients to route these requests properly. Microsoft 365 systems also depend on Azure Active Directory for identity and authentication functions. To learn more, see [Identity data storage for European customers in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-data-storage-eu).

-In addition, Microsoft by default uses the [Transport Layer Security (TLS)](https://wikipedia.org/wiki/Transport_Layer_Security) protocol to encrypt data when itΓÇÖs traveling between the cloud services and customers. Microsoft Services negotiate a TLS connection with client systems that connect to Microsoft 365 services.

-To prevent unauthorized physical access to datacenters, we employ rigorous operational controls and processes that include 24×7 video monitoring, trained security personnel and processes, and smart card or biometric multifactor access controls. Upon end of life, data disks are shredded and destroyed. If a disk drive used for storage suffers a hardware failure or reaches its end of life, it is securely erased or destroyed. The data on the drive is completely overwritten to ensure the data cannot be recovered by any means. When such devices are decommissioned, they are shredded and destroyed in line with NIST SP 800-88 R1, Guidelines for Media Sanitization. Records of the destruction are retained and reviewed as part of the Microsoft audit and compliance process. All Microsoft 365 services utilize approved media storage and disposal management services.

-In addition to the physical and technological protections, Microsoft takes strong measures to help protect your customer data from unauthorized access by Microsoft personnel and subcontractors. Access to customer data by Microsoft operations and support personnel is denied by default. Nearly all service operations performed by Microsoft are fully automated and human involvement is highly controlled and abstracted away from customer data.

-Only in rare cases does a Microsoft engineer need access to customer data. Typically this is only necessary if you request MicrosoftΓÇÖs assistance to resolve a customer issue. Access to customer data is highly restricted by role-based access controls, multifactor authentication, data minimization and other controls. All access to customer data is strictly logged, and both Microsoft and third parties perform regular audits (as well as sample audits) to attest that any access is appropriate.

-Customers can use customer-managed keys to further prevent their data from being readable in case of unauthorized access. Both server-side and client-side encryption can rely on customer-managed keys or customer-provided keys. In either case, Microsoft would not have access to encryption keys and cannot decrypt the data. A SOC audit by an AICPA-accredited auditor twice a year to verifies the effectiveness of our security controls in audit scope. The SOC 2 Type 2 attestation report published by the auditor explains under what circumstances access to customer data can occur and how.

-If a government wants customer data, it must follow applicable legal processes. Microsoft must be served with a warrant or court order for content, or a subpoena for subscriber information or other non-content data.

-For more information on MicrosoftΓÇÖs commitment to challenge orders in line with the EUΓÇÖs GDPR, see [New Steps to Defend Your Data](https://blogs.microsoft.com/on-the-issues/2020/11/19/defending-your-data-edpb-gdpr/).

-When governments or law enforcement agencies make a lawful request for customer data, Microsoft is committed to transparency and limits what it discloses. Twice a year, we publish the number of legal demands for customer data that we receive from law enforcement agencies around the world. See [Law Enforcement Requests Report](https://www.microsoft.com/corporate-responsibility/law-enforcement-requests-report). This report does not disclose the specifics of any particular demand, including the customer at issue. Twice a year, we also publish data about the legal demands we receive from the U.S. government. See [US National Security Orders Report](https://www.microsoft.com/corporate-responsibility/us-national-security-orders-report) for the latest report.

-

-Site permissions must be set up separately from waves as part of the launch. For example, if you are releasing an organization-wide portal, you can set permissions to ΓÇ£Everyone except external users,ΓÇ¥ then separate your users into waves using security groups. Adding a security group to a wave does not give that security group access to the site.

-2. Then, start scheduling your portalΓÇÖs launch by accessing the Portal launch scheduler in one of two ways:

- **Option 2**: At any time, you can navigate to the SharePoint communication site home page, select **Settings** and then **Schedule site launch** to schedule your portalΓÇÖs launch.

-3. Next, confirm the portalΓÇÖs health score and make improvements to the portal if needed using the [Page Diagnostics for SharePoint](https://aka.ms/perftool) tool until your portal receives a **Healthy** score. Then, select **Next**.

- > The site name and description canΓÇÖt be edited from the Portal launch scheduler and instead can be changed by selecting **Settings** and then **Site information** from the home page.

- **Option 3: Send users to an external page** ΓÇô Provide an external URL to a temporary landing page experience until the userΓÇÖs wave is launched.

-6. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When scheduling a launch through the UI, the time zone is based on the siteΓÇÖs regional settings.

- > Up to 50 distinct users or security groups max can be added. Use security groups when you need more than 50 individuals to get access to the portal before the waves start launching.

-8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.

-1. As an administrator , click the following link which will populate a help query in the admin center.

-2. At the bottom of the pane, select **Contact Support**, and then select **New Service Request**.

-3. Under **Description**, enter "Launch SharePoint Portal with 100k users".

-Launch details can be edited for each wave up until the date of the waveΓÇÖs launch.

-1. To cancel your portalΓÇÖs launch, navigate to **Settings** and **Schedule site launch**.

- >

- New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType Bidirectional -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>

- New-SPOPortalLaunchWaves -LaunchSiteUrl "https://contoso.sharepoint.com/teams/newsite" -RedirectionType Bidirectional -RedirectUrl "https://contoso.sharepoint.com/teams/oldsite" -ExpectedNumberOfUsers 10kTo30kUsers -WaveOverrideUsers "admin@contoso.com" -Waves ' 

- [{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 

- {Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},

- {Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'

- New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType ToTemporaryPage -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>

- New-SPOPortalLaunchWaves -LaunchSiteUrl "https://contoso.sharepoint.com/teams/newsite" -RedirectionType ToTemporaryPage -RedirectUrl "https://portal.contoso.com/UnderConstruction.aspx" -ExpectedNumberOfUsers 10kTo30kUsers -WaveOverrideUsers "admin@contoso.com" -Waves ' 

- [{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 

- {Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},

- {Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'

-Please note that we will begin to deprecate this module when the functionality of this module is available in the newer [Azure Active Directory PowerShell for Graph](/powershell/azuread/v2/azureactivedirectory) module. We advise customers who are creating new PowerShell scripts to use the newer module instead of this module.

-<td align="left">Search returns refiners from all the geo locations of a tenant and then aggregates them. The aggregation is a best effort, meaning that the refiner counts might not be 100% accurate. For most search-driven scenarios, this accuracy is sufficient.

-Custom search applications get results from all, or some, geo locations by specifying query parameters with the request to the SharePoint Search REST API. Depending on the query parameters, the query is fanned out to all geo locations, or to some geo locations. For example, if you only need to query a subset of geo locations to find relevant information, you can control the fan out to only these. If the request succeeds, the SharePoint Search REST API returns response data.

-<br>

-****

-|:-|:-|:--|

-|Right for highly technical users and developers. <p> Be the first to access the latest builds earliest in the development cycle with the newest code. <p> There will be rough edges and some instability.|Dev|N/A|

-|Right for early adopters and IT Pros who want more reliable builds that are still in development. <p> See whatΓÇÖs coming up next and help validate new features.|Beta Channel|Beta Channel|

-|Right for those who want early access to upcoming releases. <p> Where companies preview and validate upcoming releases before broad deployment. <p> These are supported.|Release Preview|Current Channel (Preview) <p> Semi-Annual Enterprise Channel (Preview)|

-|

-<br>

-****

-|:-|:-|:--|:-|

-|Right for customers who want the latest releases as soon as theyΓÇÖre ready.|Semi-Annual Channel|[Current Channel](/deployoffice/overview-update-channels#current-channel-overview)|[Latest releases](deploy-update-channels-examples-rapid-deploy.md)|

-|Right for enterprises who want the latest release with more predictability.|Semi-Annual Channel|[Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview)||

-|

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-|**Migration option**|**Organization size**|**Duration**|

-|:--|:--|:--|

-|Cutover migration <br/> |Fewer than 150 seats <br/> |A week or less <br/> |

-|Staged migration <br/> |More than 150 seats <br/> |A few weeks <br/> |

-|Full hybrid migration <br/> |Several hundred to thousands of seats <br/> |A few months or more <br/> |

-

-The following sections provide an overview of these methods. For more detail, see [Decide on a migration path](https://support.office.com/article/Decide-on-a-migration-path-0d4f2396-9cef-43b8-9bd6-306d01df1e27).

-

-

-Cutover migration is great for small organizations that don't have many mailboxes, want to get to Microsoft 365 quickly, and don't want to deal with some of the complexities of the other methods. But it should be completed in a week or less, and it requires users to reconfigure their Outlook profiles. Cutover migration can handle up to 2,000 mailboxes, but we strongly recommend you use it to migrate a maximum of 150 mailboxes. If you try to migrate more, you could run out of time to transfer all the mailboxes before your deadline, and your IT support staff may get overwhelmed with requests to help users reconfigure Outlook.

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-|**Exchange release**|**Features**|

-|:--|:--|

-|Exchange 2010 <br/> | Role-Based Access Control (permissions without ACLs) <br/> Outlook Web App mailbox policies <br/> Ability to share free/busy and delegate calendars between organizations <br/> |

-|Exchange 2013 <br/> | *Features from Exchange 2010 and …* <br/> Simplified architecture that reduced the number of server roles to three (Mailbox, Client Access, Edge Transport) <br/> Data loss prevention policies (DLP) that help keep sensitive information from leaking <br/> Improved Outlook Web App experience <br/> |

-|Exchange 2016 <br/> | *Features from Exchange 2013 and …* <br/> Further simplified server roles to just Mailbox and Edge Transport <br/> Improved DLP along with integration with SharePoint <br/> Improved database resilience <br/> Online document collaboration |

-

-

-|**Consideration**|**More Info**|

-|:--|:--|

-|End of support dates <br/> | Like Exchange 2007, each version of Exchange has its own end-of-support date: <br/> *Exchange 2010* - January 2020 <br/> *Exchange 2013* - April 2023 <br/> *Exchange 2016* - October 2025 <br/> The earlier the end of support, the sooner you'll need to perform another migration.<br/> |

-|Migration path to Exchange 2010 and 2013. <br/> |Here are the general phases for migrating to Exchange 2010 or Exchange 2013: <br/> - Install Exchange 2010 or 2013 into your existing Exchange 2007 organization. <br/>- Move services and other infrastructure to Exchange 2010 or 2013.<br/>- Move mailboxes and public folders to Exchange 2010 or 2013.<br/>- Decommission remaining Exchange 2007 servers. |

-|Migration path to Exchange 2016 <br/> |Here are the general phases for migrating to Exchange 2016: <br/> - Install Exchange 2013 into your existing Exchange 2007 organization.<br/>- Move services and other infrastructure to Exchange 2013.<br/>- Move mailboxes and public folders to Exchange 2013.<br/>- Decommission remaining Exchange 2007 servers.<br/>- Install Exchange 2016 into your existing Exchange 2013 organization.<br/>- Move mailboxes, public folders, services, and other infrastructure to Exchange 2016 (order doesn't matter). Decommission remaining Exchange 2013 servers.<br/><br/> **Note:** Migrating from Exchange 2013 to Exchange 2016 is simple. The two versions have almost the same hardware requirements, and these versions are very compatible. So you can rebuild a server you bought for Exchange 2013 and install Exchange 2016 on it. For online mailbox moves, most users won't even notice that their mailbox was moved off the server and then back after you've rebuilt it with Exchange 2016. |

-|Version coexistence <br/> | When migrating to ... <br/> **Exchange 2016:** Exchange 2016 can't be installed in an organization that includes an Exchange 2007 server. You'll first need to migrate to Exchange 2010 or 2013 (we strongly recommend Exchange 2013), remove all Exchange 2007 servers, and then migrate to Exchange 2016. <br/> **Exchange 2010 or Exchange 2013:** You can install Exchange 2010 or Exchange 2013 into an existing Exchange 2007 organization. This enables you to install one or more Exchange 2010 or 2013 servers and perform your migration. <br/> |

-|Server hardware <br/> | Server hardware requirements have changed from Exchange 2007. Make sure your hardware is compatible. For details, see: <br/> [Exchange 2016 System Requirements](/Exchange/plan-and-deploy/system-requirements) <br/> [Exchange 2013 System Requirements](/exchange/exchange-2013-system-requirements-exchange-2013-help) <br/> [Exchange 2010 System Requirements](/previous-versions/office/exchange-server-2010/aa996719(v=exchg.141)) <br/> You'll find that the significant improvements in Exchange performance and the increased computing power and storage capacity in newer servers mean you'll likely need fewer servers to support the same number of mailboxes. <br/> |

-|Operating system version <br/> | The minimum supported operating system versions for each version are: <br/> **Exchange 2016** - Windows Server 2012 <br/> **Exchange 2013** - Windows Server 2008 R2 SP1 <br/> **Exchange 2010** - Windows Server 2008 SP2 <br/> Find more information about operating system support at [Exchange Supportability Matrix](/Exchange/plan-and-deploy/supportability-matrix). <br/> |

-|Active Directory forest functional level <br/> | The minimum supported Active Directory forest functional levels for each version are: <br/> **Exchange 2016** Windows Server 2008 R2 SP1 <br/> **Exchange 2013** Windows Server 2003 <br/> **Exchange 2010** Windows Server 2003 <br/> Find more information about forest functional level support at [Exchange Supportability Matrix](/Exchange/plan-and-deploy/supportability-matrix). <br/> |

-|Office client versions <br/> | The minimum supported Office client versions for each version are: <br/> **Exchange 2016** - Office 2010 (with the latest updates) <br/> **Exchange 2013** - Office 2007 SP3 <br/> **Exchange 2010** - Office 2003 <br/> Find more information about Office client support at [Exchange Supportability Matrix](/Exchange/plan-and-deploy/supportability-matrix). <br/> |

-

-

-

-

-

-

-

-

-

-

-[Resources to help you upgrade your Office 2007 servers and clients](upgrade-from-office-2007-servers-and-products.md)

->- *Recommended:* If you migrated your mailboxes to Microsoft 365 and upgraded your servers by October 13, 2020, use Exchange 2010 to connect to Microsoft 365 and migrate mailboxes. Next, migrate Exchange 2010 to Exchange 2016, and decommission any remaining Exchange 2010 servers.

->- If you didn't complete the mailbox migration and on-premises server upgrade by October 13, 2020, upgrade your on-premises Exchange 2010 servers to Exchange 2016 first. Then use Exchange 2016 to connect to Microsoft 365 and migrate mailboxes.

-<br>

-****

-|

-<br>

-****

-|**Exchange 2016**|*Features from Exchange 2013 and …*|

-|

-<br>

-****

-|End of support dates|Like Exchange 2010, each version of Exchange has its own end-of-support date: <p> Exchange 2013 - April 2023 <p> Exchange 2016 - October 2025 <p> The earlier the end-of-support date, the sooner you'll need to perform another migration. April 2023 is a lot closer than you think!|

-|Migration path to Exchange 2013 or 2016|The migration path from Exchange 2010 to a newer version is the same whether you choose Exchange 2013 or Exchange 2016: <p> Install Exchange 2013 or 2016 into your existing Exchange 2010 organization. <p> Move services and other infrastructure to Exchange 2013 or 2016. <p> Move mailboxes and public folders to Exchange 2013 or 2016 Decommission remaining Exchange 2010 servers.|

-|Server hardware|Server hardware requirements have changed from Exchange 2010. Make sure your hardware is compatible. Find out more about hardware requirements for each version here: <p> [Exchange 2016 system requirements](/Exchange/plan-and-deploy/system-requirements?view=exchserver-2016&preserve-view=true) <p> [Exchange 2013 system requirements](/Exchange/exchange-2013-system-requirements-exchange-2013-help) <p> With the significant improvements in Exchange performance and the increased computing power and storage capacity in newer servers, you'll likely need fewer servers to support the same number of mailboxes.|

-|Operating system version|The minimum supported operating system versions for each version are: <p> Exchange 2016 - Windows Server 2012 <p> Exchange 2013 - Windows Server 2008 R2 SP1 <p> You can find more information about operating system support at [Exchange Supportability Matrix](/exchange/plan-and-deploy/supportability-matrix).|

-|Active Directory forest functional level|The minimum supported Active Directory forest functional levels for each version are: <p> Exchange 2016 - Windows Server 2008 R2 SP1 <p> Exchange 2013 - Windows Server 2003 <p> You can find more information about forest functional level support at [Exchange Supportability Matrix](/exchange/plan-and-deploy/supportability-matrix).|

-|Office client versions|The minimum supported Office client versions for each version are: <p> Exchange 2016 - Office 2010 (with the latest updates) <p> Exchange 2013 - Office 2007 SP3 <p> Find more information about Office client support at [Exchange Supportability Matrix](/exchange/plan-and-deploy/supportability-matrix).|

-|

-

-

-The CNAME record is only required for customers using [Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/services-in-china). It ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform.

-

-|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |**Applies to**|

-|-|--|||

-|**TXT** <br/> **(Domain verification)** <br/> |Used by Office 365 to verify only that you own your domain. It doesn't affect anything else. <br/> |**Host:** @ (or, for some DNS hosting providers, your domain name) <br/> **TXT Value:** _A text string provided by_ Office 365 <br/> The Office 365 **domain setup wizard** provides the values that you use to create this record. <br/> |All customers|

-|**CNAME** <br/> **(Suite)** <br/> |Used by Office 365 to direct authentication to the correct identity platform. [More information](../admin/services-in-chin?viewFallbackFrom=o365-worldwide) <br/> **Note** that this CNAME only applies to Office 365 operated by 21Vianet. If present and your Office 365 is not operated by 21Vianet, users on your custom domain will get a "*custom domain* isn't in our system" error and won't be able to activate their Office 365 license. [More information](/office365/servicedescriptions/office-365-platform-service-description/office-365-operated-by-21vianet) |**Alias:** msoid <br/> **Target:** clientconfig.partner.microsoftonline-p.net.cn <br/> | 21Vianet customers only|

-

-

-|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |

-|-|--||

-|**CNAME** <br/> **(Exchange Online)** <br/> |Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users. <br/> |**Alias:** Autodiscover <br/> **Target:** autodiscover.outlook.com <br/> |

-|**MX** <br/> **(Exchange Online)** <br/> |Sends incoming mail for your domain to the Exchange Online service in Office 365. <br/> **Note:** Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. |**Domain:** For example, contoso.com <br/> **Target email server:**\<MX token\>.mail.protection.outlook.com <br/> **Time To Live (TTL) Value:** 3600 <br/> **Preference/Priority:** Lower than any other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low' <br/> Find your \<MX token\> by following these steps: <br/> Sign in to Office 365, go to Office 365 admin \> Domains. <br/> In the Action column for your domain, choose Fix issues. <br/> In the MX records section, choose What do I fix? <br/> Follow the directions on this page to update your MX record. <br/> [What is MX priority?](../admin/setup/domains-faq.yml) <br/> |

-|**SPF (TXT)** <br/> **(Exchange Online)** <br/> |Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain. <br/> |[External DNS records required for SPF](external-domain-name-system-records.md#BKMK_SPFrecords) <br/> |

-|**TXT** <br/> **(Exchange federation)** <br/> |Used for Exchange federation for hybrid deployment. <br/> |**TXT record 1:** For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824) <br/> **TXT record 2:** For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169) <br/> |

-|**CNAME** <br/> **(Exchange federation)** <br/> |Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users. <br/> |**Alias:** For example, Autodiscover.service.contoso.com <br/> **Target:** autodiscover.outlook.com <br/> |

-There are specific steps to take when you use [Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO) to make sure your network is configured correctly.

-

-|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |

-|-|--||

-|**SRV** <br/> **(Skype for Business Online)** <br/> |Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about [Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO). <br/> |**Service:** sipfederationtls <br/> **Protocol:** TCP <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 5061 <br/> **Target:** sipfed.online.lync.com <br/> **Note:** If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |

-|**SRV** <br/> **(Skype for Business Online)** <br/> |Used by Skype for Business to coordinate the flow of information between Lync clients. <br/> |**Service:** sip <br/> **Protocol:** TLS <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 443 <br/> **Target:** sipdir.online.lync.com <br/> |

-|**CNAME** <br/> **(Skype for Business Online)** <br/> |Used by the Lync client to help find the Skype for Business Online service and sign in. <br/> |**Alias:** sip <br/> **Target:** sipdir.online.lync.com <br/> For more information, see [Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO). <br/> |

-|**CNAME** <br/> **(Skype for Business Online)** <br/> |Used by the Lync mobile client to help find the Skype for Business Online service and sign in. <br/> |**Alias:** lyncdiscover <br/> **Target:** webdir.online.lync.com <br/> |

-|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |

-|-|--||

-|**Host (A)** <br/> |Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP). <br/> |**Target:** For example, sts.contoso.com <br/> |

-

-

-

-

-

-

-

-| Number|If you're using… <br/> |Purpose <br/> |Add these includes <br/> |

-|:--|:--|:--|:--|

-|1 <br/> |All email systems (required) <br/> |All SPF records start with this value <br/> |v=spf1 <br/> |

-|2 <br/> |Exchange Online (common) <br/> |Use with just Exchange Online <br/> |include:spf.protection.outlook.com <br/> |

-|3 <br/> |Third-party email system (less common) <br/> ||include:\<email system like mail.contoso.com\> <br/> |

-|4 <br/> |On-premises mail system (less common) <br/> |Use if you're using Exchange Online Protection or Exchange Online plus another mail system <br/> |ip4:\<0.0.0.0\> <br/> ip6:\< : : \> <br/> include:\<mail.contoso.com\> <br/> The value in brackets (\<\>) should be other mail systems that will send email for your domain. <br/> |

-|5 <br/> |All email systems (required) <br/> ||-all <br/> |

-

-

-

-

-

-

-

-Here's a short link you can use to come back: [https://aka.ms/o365edns]()

-You can use dashboards in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) to monitor the health of various Microsoft services for your organization's Microsoft 365 subscription. This capability was initially started with Exchange Online and now getting expanded to other Microsoft services like Microsoft Teams, Microsoft 365 Apps and more service in future. Monitoring provides you with information about incidents and advisories that are collected in these categories:

-Here's an example of the **Service health** page in the Microsoft 365 admin center, which is available at **Health** > **Service health** for organization scenarios and [priority account](../admin/setup/priority-accounts.md) scenarios.

-**Issues in your organization** will be identified and used by organizational-level monitoring and priority account monitoring.

-The value of the **Health** column under **Issues in your organization** indicates whether your organization's infrastructure or third-party software affects the service health experience of your organization's users and/or priority accounts in Exchange Online. Advisories or incidents require your actions to resolve.

-The value of the **Health** column under **Microsoft service health** indicates that the service is healthy or has advisories or incidents based on the cloud services that Microsoft maintains.

-Here's an example of the Exchange Online monitoring page in the Microsoft 365 admin center that shows the health of organization-level and priority account scenarios available from **Health** > **Service health** > **Exchange Online**.

-With the scenario list page, you can see whether the Microsoft service is healthy or not and whether there are any associated incidents or advisories. For example, with Exchange Online monitoring, you can look at the service health for specific email scenarios and view near real-time signals to determine the impact by organization-level scenario. You can also see health of priority account scenarios, if available.

-First, make sure you've enabled the new admin center on the **Home** page of the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339).

-For general feedback, use the **Give feedback** icon on the bottom-right corner of the monitoring page.

-For feedback on incidents or advisories, use the **Is this post helpful? link.

-This guidance is designed for administrators of multi-national companies (MNCs) who are preparing their Microsoft 365 tenant to be expanded to additional geographies in accordance with the companyΓÇÖs presence to meet data residency requirements.

-1. Work with your account team to add the _Multi-Geo Capabilities in Microsoft 365_ service plan.

-2. Choose your desired satellite location(s) and add them to your tenant.

-3. Set your users' preferred data location to the desired satellite location. When a new OneDrive site or Exchange mailbox is provisioned for a user, it is provisioned to their PDL.

-4. Migrate your users' existing OneDrive sites from the central location to their preferred data location as needed. (Exchange mailboxes are migrated automatically when you set a user's PDL.)

-We recommend that you create a test user in Microsoft 365 to do some initial testing. WeΓÇÖll walk through some testing and verification steps with this user before you proceed to onboard production users into Microsoft 365 Multi-Geo.

-Once youΓÇÖve completed testing with the test user, select a pilot group ΓÇô perhaps from your IT department ΓÇô to be the first to use OneDrive and Exchange in a new geo location. For this first group, select users who do not yet have a OneDrive. We recommend no more than five people in this initial group and gradually expand following a batched rollout approach.

-[Microsoft 365 Multi-Geo eDiscovery configuration](./multi-geo-ediscovery-configuration.md)

-Next, get the sign-in name of the account for which you want remove a license, also known as the user principal name (UPN).

-[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md)

-As a Microsoft 365 global admin, you can deploy Office add-ins to users via the Centralized Deployment feature (see [Deploy Office Add-ins in the admin center](../admin/manage/manage-deployment-of-add-ins.md). In addition to deploying Office add-ins via the Microsoft 365 admin center, you can also use Microsoft PowerShell. Install the [O365 Centralized Add-In Deployment Module for Windows PowerShell](https://www.powershellgallery.com/packages/O365CentralizedAddInDeployment).

-

-

-

-

-3. In the **Enter Credentials** page, enter your Microsoft 365 **User Admin**, or **Global admin** credentials. Alternately, you can enter your credentials directly into the cmdlet.

-

-

-> For more information about using PowerShell, see [Connect to Microsoft 365 with PowerShell](./connect-to-microsoft-365-powershell.md).

-

-Run the **New-OrganizationAdd-In** cmdlet to upload an add-in manifest from a path, which can be either a file location or URL. The following example shows a file location for the value of the _ManifestPath_ parameter.

-

-You can also run the **New-OrganizationAdd-In** cmdlet to upload an add-in and assign it to users or groups directly by using the _Members_ parameter, as shown in the following example. Separate the email addresses of members with a comma.

-

-

-

-

-The values for the _Locale_ parameter and the _ContentMarket_ parameter are identical and indicate the country/region you're trying to install the add-in from. The format is en-US, fr-FR. and so forth.

-

-> Add-ins uploaded from the Office Store will update automatically within a few days of the latest update being available on the Office Store.

-

-

-Run the **Get-OrganizationAddIn** cmdlet with a value for the _ProductId_ parameter to specify which add-in you want to retrieve details for.

-

-

-

-

-To add users and groups to a specific add-in, run the **Set-OrganizationAddInAssignments** cmdlet with the _ProductId_, _Add_, and _Members_ parameters. Separate the email addresses of members with a comma.

-

-To remove users and groups, run the same cmdlet using the _Remove_ parameter.

-

-

-

-To update an add-in from a manifest, run the **Set-OrganizationAddIn** cmdlet with the _ProductId_, _ManifestPath_, and _Locale_ parameters, as shown in the following example.

-

-> Add-ins uploaded from the Office Store will update automatically within a few days of the latest update being available on the Office Store.

-

-To delete an add-in, run the **Remove-OrganizationAddIn** cmdlet with the _ProductId_ parameter, as shown in the following example.

-

-You must customize the add-in before you deploy it to your organization. Add-ins older than version 1.1 are not supported by this feature.

-

- - =

-To customize an add-in, run the **Set ΓÇôOrganizationAddInOverrides** cmdlet with the *ProductId* as a parameter, followed by the tag you want to overwrite and the new value. To find out how to get the *ProductId* see [get details of an add-in](#get-details-of-an-add-in) in this article. For example:

- Set-OrganizationAddInOverrides -ProductId 5b31b349-2c41-4f94-b720-6ee40349d391 -IconUrl "https://site.com/img.jpg"

-Set-OrganizationAddInOverrides -ProductId 5b31b349-2c41-4f94-b720-6ee40349d391 -Hosts h1, 2 -DisplayName "New DocuSign W" -IconUrl "https://site.com/img.jpg"

-| \<IconURL> </br>| The URL of the image used as the add-inΓÇÖs icon (in admin center). </br> |

-| \<SourceLocation> | The source URL that the add-in will connect to.|

-| \<AppDomains> | A list of domains that the add-in can connect with. |

-| \<SupportURL>| The URL users can use to access help and support. |

-| \<Resources> | This tag contains a number of elements including titles, tooltips, and icons of different sizes.|

-<Resources>

- <bt:Images>

- <bt:Image id=ΓÇ¥img16iconΓÇ¥ DefaultValue=ΓÇ¥https://site.com/img.jpgΓÇ¥

- </bt:Images>

-</Resources>

-```

-In this case, the element id for the image is ΓÇ£img16iconΓÇ¥ and the value associated with it is ΓÇ£http:<i></i>//site.<i></i>com/img.jpg.ΓÇ¥

-Set-OrganizationAddInOverrides -Resources @{ΓÇ£ElementIDΓÇ¥ = ΓÇ£New ValueΓÇ¥; ΓÇ£NextElementIDΓÇ¥ = ΓÇ£Next New ValueΓÇ¥}

-Remove-OrganizationAddInOverrides -ProductId 5b31b349-2c41-4f94-b720-6ee40349d391

-To view a list of applied customizations, run the **Get-OrganizationAddInOverrides** cmdlet. If **Get-OrganizationAddInOverrides** is run without a *ProductId* then a list of all add-ins with applied overrides are returned.

-Get-OrganizationAddInOverrides

-If ProductId is specified, then a list of overrides applied to that add-in is returned.

-Get-OrganizationAddInOverrides -ProductId 5b31b349-2c41-4f94-b720-6ee40349d391

-If an add-in has been deployed, it has to be removed from the cache in each computer before it can be customized. To remive an add-in from cache:

-1. Navigate to the ΓÇ£UsersΓÇ¥ folder in C:\

-

-In Microsoft 365, licenses from licensing plans (also called SKUs or Microsoft 365 plans) give users access to the Microsoft 365 services that are defined for those plans. However, a user might not have access to all the services that are available in a license that's currently assigned to them. You can use PowerShell for Microsoft 365 to view the status of services on user accounts.

-

-As mentioned in the blog post [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984):

-Role-based access control (RBAC) grants access to resources or information based on user roles. Access to customer tenant data and settings in Lighthouse is restricted to specific roles from the Cloud Solution Provider (CSP) program. To set up RBAC roles in Lighthouse, we recommend using Granular Delegated Admin Privileges (GDAP) to implement granular assignments for users. Delegated Admin Privileges (DAP) is still required for the tenant to onboard successfully, but GDAP-only customers will soon be able to onboard without a dependency on DAP. GDAP permissions take precedence when DAP and GDAP coexist for a customer.

-MSPs can minimize the number of people who have high-privilege role access to secure information or resources by using PIM. PIM reduces the chance of a malicious person gaining access to resources or authorized users inadvertently impacting a sensitive resource. MSPs can also grant users just-in-time high privilege roles to access resources, make broad changes, and monitor what the designated users are doing with their privileged access.

-1. Create a role-assignable group as described in the article [Create a group for assigning roles in Azure Active Directory](/azure/active-directory/roles/groups-create-eligible).

-2. Go to [Azure AD – All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) and add the new group as a member of a security group for high-privilege roles (for example, Admin Agents security group for DAP or a similarly respective security group for GDAP roles).

-3. Set up privileged access to the new group as described in the article [Assign eligible owners and members for privileged access groups](/azure/active-directory/privileged-identity-management/groups-assign-member-owner).

-To learn more about PIM, see [What is Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)

-MSPs may use risk-based Conditional Access to make sure their staff members prove their identity by using MFA and by changing their password when detected as a risky user (with leaked credentials or per Azure AD threat intelligence). Users must also sign in from a familiar location or registered device when detected as a risky sign-in. Other risky behaviors include signing in from a malicious or anonymous IP address or from an atypical or impossible travel location, using an anomalous token, using a password from a password spray, or exhibiting other unusual sign-in behavior. Depending on a user's risk level, MSPs may also choose to block access upon sign-in. To learn more about risks, see [What is risk?](/azure/active-directory/identity-protection/concept-identity-protection-risks)

-[Password reset permissions](/azure/active-directory/roles/permissions-reference#password-reset-permissions) (article)\

-## Delegated Admin PrivilegesΓÇ»(DAP)

-## Granular Delegated Admin PrivilegesΓÇ»(GDAP)

-[Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md) (article)

-[Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)

-[Microsoft 365 Lighthouse Device compliance page overview](m365-lighthouse-device-compliance-page-overview.md) (article)

-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)

-[Threat management page overview ](m365-lighthouse-threat-management-page-overview.md) (article)\

-[Microsoft Security Intelligence](https://www.microsoft.com/wdsi/threats) (web page)

-The table in the next section describes which GDAP roles grant permission to read customer data and take action on customer tenants in Lighthouse. See [Permissions in the partner tenant](#permissions-in-the-partner-tenant) in this article for additional roles required to manage Lighthouse entities (for example, tags and Lighthouse service requests).

-## Example MSP service tiers and recommended GDAP roles

-The following table lists the recommended GDAP roles for some example MSP service tiers and the actions those roles can perform on the different Lighthouse pages.

-|| Account&nbsp;Managers| Service&nbsp;Desk&nbsp;Technician |System&nbsp;Administrators | Escalation&nbsp;Engineers|

-|**Lighthouse&nbsp;page&nbsp;+&nbsp;allowed&nbsp;actions** |

-| **Home** | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> |

-| **Tenants** | <ul><li>View tenants list</li><li>Update customer contacts and website</li><li>View deployment plans</li></ul> | <ul><li>View tenants list</li><li>Update customer contacts and website</li><li>View deployment plans</li></ul> | <ul><li>View tenants list</li><li>Update customer contacts and website</li><li>View deployment plans</li><li>View Microsoft 365 services usage</li></ul> | <ul><li>View tenants list</li><li>Update customer contacts and website</li><li>View deployment plans</li><li>View Microsoft 365 services usage</li></ul> |

-| **Users** | <ul><li>View tenant level (non-user specific) data</li><li>Search user accounts across tenants</li><li>Reset password for non-administrators*</li></ul> | <ul><li>View all user-specific data</li><li>Search user accounts across tenants</li><li>Reset password for non-administrators*</li></ul>| <ul><li>View all user-specific data</li><li>Search user accounts across tenants</li><li>Reset password for non-administrators*</i><li>Block sign-in</li></ul> | <ul><li>View all user-specific data</li><li>Search user accounts across tenants</li><li>Reset password for non-administrators*</li><li>Block sign-in</li><li>Confirm compromised users</li><li>Dismiss risk for users</li></ul> |

-| **Devices** | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li><li>Sync device</li><li>Restart device</li><li>Collect diagnostics</li></ul>|

-| **Threat management** | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li><li>Run full scan</li><li>Run quick scan</li><li>Update antivirus protection</li><li>Reboot device</li></ul>|

-| **Baselines** | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> |

-| **Windows 365** | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> | <ul><li>View all data</li></ul> |

-| **Service health****|

-|**Audit logs****|

-**Other roles and permissions are required to view service health and audit logs. For more information, see [Permissions in the partner tenant](#permissions-in-the-partner-tenant).

-Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers.

-MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirect Reseller or Direct Bill partner to use Lighthouse.

-

-## Requirements for enabling device management

-## Requirements for enabling user management

-For customer data to show up in reports on user management pages, including Risky users, Multifactor authentication, and Password reset, customer tenants must have licenses for Azure Active Directory Premium P1 or later. Azure AD Premium P1 is included with Microsoft 365 Business Premium and Microsoft 365 E3.

-## Requirements for enabling threat management

-To view customer tenant devices and threats on the threat management pages, you must enroll all customer tenant devices in Microsoft Endpoint Manager (MEM) and protect them by running Microsoft Defender Antivirus. 

-For more information, see [Enroll devices in Microsoft Intune](/mem/intune/enrollment/).

-Microsoft Defender Antivirus is part of the Windows operating system and is enabled by default on devices running Windows 10.

-> If you're using a non-Microsoft antivirus solution and not Microsoft Defender Antivirus, Microsoft Defender Antivirus is disabled automatically. When you uninstall the non-Microsoft antivirus solution, Microsoft Defender Antivirus is activated automatically to protect your Windows devices from threats.

-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml)ΓÇ»(article)

-1. In the left navigation pane in Lighthouse, select **Users**.

-2. Select the **Search users** tab.

-3. In the search box, enter a display name or user principal name (UPN).

-4. From the search results list, select the user you want to research.

-[Manage Microsoft 365 user accounts ](../enterprise/manage-microsoft-365-accounts.md) (article)\

-After your tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), its status will show as **Active** in the tenant list.

-|--|--|

-[Deploy Microsoft 365 Lighthouse baselines](m365-lighthouse-deploy-baselines.md) (article)\

- - Must have delegated access set up for the Managed Service Provider (MSP) to be able to manage the customer tenant*

- - Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business license

- - Must have no more than 1000 licensed users 

-[Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md) (article)

-1. In the left navigation pane in Lighthouse, select **Users**.

-2. Select the **Risky Users** tab.

-1. From the **Risky Users** tab, select the set of users you want to take action on.

-If you can't sign in to Lighthouse, you can use the [Microsoft 365 service health status page](https://status.office365.com/) to check for known issues preventing you from logging in to your partner tenant. Also, sign up to follow [@MSFT365status](https://twitter.com/MSFT365Status) on Twitter to see information on specific service incidents.

-To view service health, you'll need an Azure AD role in the partner tenant with the following property set: **microsoft.office365.serviceHealth/allEntities/allTasks**. For a list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).

-1. In the left navigation pane in Lighthouse, select **Service health**.

-2. On the **Service health** page, review the current service health status, including:

- - Total number of incidents

- - Total number of advisories affecting any of the managed tenants

- - Number of services with active incidents.

-1. In the left navigation pane in Lighthouse, select **Service health**.

-2. On the **Service health** page, select the **All services** or **All issues** tab.

-[Known issues with Microsoft 365 Lighthouse](m365-lighthouse-known-issues.md) (article)

-description: Learn how to conduct key Microsoft OneLTI management tasks including deleting, viewing, editing, and troubleshooting.

-## View an LTI registration

-If you would like to view the details of an LTI registration, follow the steps below.

-1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/).

-2. Sign in with a Microsoft 365 administrator account.

-3. In the registration list, find the LTI registration you wish to view.

-4. Select the **eye icon** next to the listing.

-5. The registration details panel will open.

-1. Delete the existing registration.

-> - Microsoft OneDrive LTI works in the private mode in Microsoft Edge browser. Ensure that you havenΓÇÖt blocked cookies (which are allowed by default).

-1. From BlackboardΓÇÖs Administrator Panel, selectΓÇ»**LTI Tool Providers**.

-2. SelectΓÇ»**Register LTI 1.3 Tool**.

-3. In the Client ID field, type or copy and paste this ID: ``78cd1b1c-ccbd-4318-9f90-22241f63b1f5``

- > [!NOTE]

- > Adding this client ID will configure two different placements in Blackboard: one that allows access to the tool from the Content Market, Books and Tools, and the Rich text editor, and another which allows access to the tool from the Add Content menu in the course online for Ultra courses.

-5. Review all pre-populated settings in the **Tool Status** view, and make sure the **Tool Status** round button selected is **Approved**.

-6. InΓÇ»**Institution Policies**, select the **Role in course** and the **Name** checkboxes in the user fields to send. All other user fields are optional, but itΓÇÖs recommended to leave them on to future proof your OneDrive installation.

-7. **Allow grade service access** and **Allow membership service access** are also optional at this time but might be required for future updates to the LTI tool.

-After you complete these steps, your instructors will be able to open documents from OneDrive when they use the ΓÇÿplusΓÇÖ menu in the Course Content page.

-> - Cookies are not enabled by default in the Chrome browser incognito mode, and will need to be enabled.

-> - Microsoft OneDrive LTI works in the private mode in Microsoft Edge browser. Ensure that you have not blocked cookies (which are enabled by default).

-1. Select the **Admin Consent** button and accept the permissions.

-> [!CAUTION]

-> If this step isn't performed, the following step will give you an error, and you won't be able to take this step for an hour once you've gotten the error.

-> [!NOTE]

-> If your Canvas instance is, for example, https://contoso.test.instructure.com](https://contoso.test.instructure.com), then the complete URL should be entered.

-9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).

- 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:

- - External storage (read)

- - External storage (write)

- Then select **OK**.

- :::image type="content" source="images/android-create-app-config.png" alt-text="The Add permissions pane" lightbox="images/android-create-app-config.png":::

- 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.

- :::image type="content" source="images/android-auto-grant.png" alt-text="The Permission state pane" lightbox="images/android-auto-grant.png":::

-Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the play store. With this update, the app will be available as preview for **Consumers in the US region** - based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. Please see [this blog](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals) for more details.

-As a best practice, we recommend using offline servicing tools to patch golden/master images.

-For example, you can use the below commands to install an update while the image remains offline:

-```console

-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"

-DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"

-DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit

-```

-For more information on DISM commands and offline servicing, refer to the articles below:

-If offline servicing isn't a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:

-1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).

-2. Ensure the sensor is stopped by running the command below in a CMD window:

- ```console

- sc query sense

- ```

-3. Service the image as needed.

-4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:

- ```console

- PsExec.exe -s cmd.exe

- cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"

- del *.* /f /s /q

- REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f

- exit

- ```

-5. Reseal the golden/master image as you normally would.

-4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx)).

- > If you are running a non-Microsoft antimalware solution ensure you add exclusions for Microsoft Defender Antivirus ([from this list of Microsoft Defender Processes on the Defender Processes tab](https://download.microsoft.com/download/8/e-urls.xlsx)) to the non-Microsoft solution before installation. It is also recommended to add non-Microsoft security solutions to the Defender Antivirus exclusion list.

-GET /testwdatppreview/machinegroups

- - **Bundle ID**: `com.microsoft.autoupdate2`

- Note that now you have two 'tables' with notification configurations, one for **Bundle ID: com.microsoft.wdav.tray**, and another for **Bundle ID: com.microsoft.autoupdate2**. While you can configure alert settings per your requirements, Bundle IDs must be exactly the same as described before, and **Include** switch must be **On** for **Notifications**.

-> - If you're looking for a list of Microsoft Defender processes, **[download the mde-urls workbook](https://download.microsoft.com/download/8/).

-Application | AdvancedQuery.Read.All| Run advanced queries

-Delegated (work or school account) | AdvancedQuery.Read | Run advanced queries

-description: Describes what new changes are coming to Microsoft Secure Score in the Microsoft 365 Defender portal.

-keywords: microsoft secure score, secure score, office 365 secure score, microsoft security score, Microsoft 365 Defender portal, improvement actions

- - NOCSH

- - M365-security-compliance

- - MOE150

- - MET150

-# What's coming to Microsoft Secure Score

-Microsoft Secure Score can be found at https://security.microsoft.com/securescore in the [Microsoft 365 Defender portal](microsoft-365-defender.md#the-microsoft-365-defender-portal).

-This article lets you know about upcoming improvements to Microsoft Secure Score.

-## Proposed changes

-### Upcoming improvement action additions (December 2021)

-## Related resources

-## July 2021

-### Added improvement action related to Microsoft Teams

-### Added improvement action related to Microsoft Defender for Endpoint

-## June 2021

-### Removed improvement action related to Microsoft Cloud App Security

-## February 2021

-### Compatibility with Graph API

-Microsoft Secure Score recommendations delivered via Graph API will look and be weighted the same as the recommendations you currently see in the Microsoft 365 Defender portal.

-## January 2021

-### Added our first security recommendation for Microsoft Teams

-Microsoft Teams customers will see "Restrict anonymous users from joining meetings" as a new improvement action in Secure Score.

-## December 2020

-### Added six accounts-related improvement actions for Microsoft Defender for Endpoint:

-## November 2020

-### Removed the ability to create ServiceNow tickets through Secure Score

-The ability to create ServiceNow tickets through Secure Score by going to **Share > ServiceNow** is no longer available. Thank you for your feedback and continued support while we determine next steps.

-### Added three services-related improvement actions for Microsoft Defender for Endpoint:

-## October 2020

-### Removed improvement action related to Microsoft Defender for Endpoint

-## August 2020

-### Updated improvement action for Azure Active Directory

-## Incompatibility with Identity Secure Score

-In the recent release of Microsoft Secure Score, an improved scoring model has been released. These changes allow for a more flexible and accurate view of your security posture. However, these updates have made Microsoft Secure Score temporarily incompatible with Identity Secure Score.

-In time, Identity Secure Score will adopt the new scoring model. Until then, customers will see differences in the scores reported by Microsoft Secure Score and the Identity Secure Score. We apologize for any inconvenience this causes, and are working to ensure these experiences are more compatible in the future.

-## Updated improvement actions

- - All released security recommendations supplied by TVM are now available

-## Updated interface and functionality

-* All new metrics and trends views for CISO and lead level discussions

-* New ways to track and benchmark your score

-* Better tracking and understanding for score regressions

-* Filter, tag, search, and group your improvement actions

-* Manage towards your future goals using score projections and planned actions

-* And more!

-||Article (13)(2)(a)|"…the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.|Govern information|

-# Networking up (to the cloud)ΓÇöOne architectΓÇÖs viewpoint

-In this article, [Ed Fisher](https://www.linkedin.com/in/edfisher/), Security & Compliance Architect at Microsoft, describes how to optimize your network for cloud connectivity by avoiding the most common pitfalls.

-

-I am currently a Principal Technical Specialist in our Retail and Consumer Goods team, focusing on Security & Compliance. I have worked with customers moving to Office 365 for the past ten years. IΓÇÖve worked with smaller shops with a handful of locations to government agencies and enterprises with millions of users distributed around the world, and many other customers in between, with the majority having tens of thousands of users, multiple locations in various parts of the world, the need for a higher degree of security, and a multitude of compliance requirements. I have helped hundreds of enterprises and millions of users move to the cloud safely and securely.

-With a background over the past 25 years that includes security, infrastructure, and network engineering, and having moved two of my previous employers to Office 365 before joining Microsoft, IΓÇÖve been on your side of the table plenty of times, and do remember what thatΓÇÖs like. While no two customers are ever the same, most have similar needs, and when consuming a standardized service such as any SaaS or PaaS platform, the best approaches tend to be the same.

-## ItΓÇÖs not the network ΓÇö itΓÇÖs how youΓÇÖre (mis)using it!

-No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they are trying to accomplish, or *how* there are better, easier, more cost-effective, and more performant ways of doing so.

-When this sort of thing is escalated to me, IΓÇÖm usually willing to take the challenge and walk them through the hows and the whys and get them to where they need to be. But if I am being completely frank, I have to share that sometimes I want to just let them do what they will, and come back to say I told you so when they finally concede it doesnΓÇÖt work. I may want to do that sometimes, but I *donΓÇÖt*. What I do is try to explain all of what I am going to include in this post. Regardless of your role, if your organization wants to use Microsoft cloud services, thereΓÇÖs probably some wisdom in what follows that can help you out.

-LetΓÇÖs start with some ground rules around what weΓÇÖre doing here. We are discussing how to securely connect to cloud services to ensure the minimum complexity, and the maximum performance, while maintaining real security. None of what follows is counter to any of that, even if you, or your customer, wonΓÇÖt get to use your favorite proxy server for everything.

-Very few customers are deploying greenfield environments, and they have years of experience with how their users work and what their Internet egress is like. Whether customers have proxy servers or allow direct access and simply NAT outbound traffic, theyΓÇÖve been doing it for years and donΓÇÖt consider just how much more they are going to start pumping through their edge as they move traditionally internal applications out to the cloud.

-Everything else in this list comes down to one thingΓÇögetting off your network and onto ours as quickly as possible. Backhauling your usersΓÇÖ traffic to a central egress point, especially when that egress point is in another region than your users are in, introduces unnecessary latency and impacts both the client experience and download speeds. Microsoft has points of presence throughout the world with front ends for all our services and peering established with practically every major ISP, so routing your usersΓÇÖ traffic out *locally* ensures it gets into our network quickly with minimum latency.

-Of course, for a client to find any endpoint, it needs to use DNS. MicrosoftΓÇÖs DNS servers evaluate the source of DNS requests to ensure we return the response that is, in Internet terms, closest to the source of the request. Make sure your DNS is configured so that name resolution requests go out the same path as your usersΓÇÖ traffic, lest you give them local egress but to an endpoint in another region. That means letting local DNS servers ΓÇ£go to rootΓÇ¥ rather than forwarding to DNS servers in remote data centers. And watch out for public and private DNS services, which may cache results from one part of the world and serve them to requests from other parts of the world.

-One of the first things to consider is whether to proxy usersΓÇÖ connections to Office 365. That oneΓÇÖs easy; do not proxy. Office 365 is accessed over the Internet, but it is not THE Internet. ItΓÇÖs an extension of your core services and should be treated as such. Anything you might want a proxy to do, such as DLP or antimalware or content inspection, is already available to you in the service, and can be used at scale and without needing to crack TLS-encrypted connections. But if you really want to proxy traffic that you cannot otherwise control, pay attention to our guidance at [https://aka.ms/pnc](../enterprise/microsoft-365-network-connectivity-principles.md) and the categories of traffic at [https://aka.ms/ipaddrs](../enterprise/urls-and-ip-address-ranges.md). We have three categories of traffic for Office 365. Optimize and Allow really should go direct and bypass your proxy. Default can be proxied. The details are in those docs...read them.

-Most customers who insist on using a proxy, when they actually look at what they are doing, come to realize that when the client makes an HTTP CONNECT request to the proxy, the proxy is now just an expensive extra router. The protocols in use such as MAPI and RTC are not even protocols that web proxies understand, so even with TLS cracking youΓÇÖre not really getting any extra security. You *are* getting extra latency. See [https://aka.ms/pnc](../enterprise/microsoft-365-network-connectivity-principles.md) for more on this, including the Optimize, Allow, and Default categories for Microsoft 365 traffic.

-Finally, consider the overall impact to the proxy and its corresponding response to deal with that impact. As more and more connections are being made through the proxy, it may decrease the TCP Scale Factor so that it doesnΓÇÖt have to buffer so much traffic. IΓÇÖve seen customers where their proxies were so overloaded that they were using a Scale Factor of 0. Since Scale Factor is an exponential value and we like to use 8, each reduction in the Scale Factor value is a huge negative impact to throughput.

-TLS Inspection means SECURITY! But not really! Many customers with proxies want to use them to inspect all traffic, and that means TLS ΓÇ£break and inspect.ΓÇ¥ When you do that for a website accessed over HTTPS (privacy concerns notwithstanding) your proxy may have to do that for 10 or even 20 concurrent streams for a few hundred milliseconds. If thereΓÇÖs a large download or maybe a video involved, one or more of those connections may last much longer, but on the whole, most of those connections establish, transfer, and close very quickly. Doing break and inspect means the proxy must do double the work. For each connection from the client to the proxy, the proxy must also make a separate connection back to the endpoint. So, 1 becomes 2, 2 becomes 4, 32 becomes 64...see where I am going? You probably sized your proxy solution just fine for typical web surfing, but when you try to do the same thing for client connections to Office 365, the number of concurrent, long-lived connections may be orders of magnitude greater than what you sized for.

-### Streaming isnΓÇÖt important, except that it *is*

-The only services in Office 365 that use UDP are Skype (soon to be retired) and Microsoft Teams. Teams uses UDP for streaming traffic including audio, video, and presentation sharing. Streaming traffic is live, such as when you're having an online meeting with voice, video, and presenting decks or performing demos. These use UDP because if packets are dropped, or arrive out of order, itΓÇÖs practically unnoticeable by the user and the stream can just keep going.

-When you donΓÇÖt permit outbound UDP traffic from clients to the service, they can fall back to using TCP. But if a TCP packet is dropped, *everything stops* until the Retransmission Timeout (RTO) expires and the missing packet can be retransmitted. If a packet arrives out of order, everything stops until the other packets arrive and can be reassembled in order. Both lead to perceptible glitches in the audio (remember Max Headroom?) and video (did you click something...oh, there it is) and lead to poor performance and a bad user experience. And remember what I put up above about proxies? When you force a Teams client to use a proxy, you force it to use TCP. So now youΓÇÖre causing negative performance impacts twice.

-But it isnΓÇÖt. All connections to Office 365 are over TLS. We have been offering TLS 1.2 for quite a while now and will be disabling older versions soon because legacy clients still use them and thatΓÇÖs a risk.

-ItΓÇÖs an easy fix to do split tunneling and itΓÇÖs one you should do. For more, make sure you review [Optimize Office 365 connectivity for remote users using VPN split tunneling](../enterprise/microsoft-365-vpn-split-tunnel.md).

-Many times, the reason bad choices are made comes from a combination of (1) not knowing how the service works, (2) trying to adhere to company policies that were written before adopting the cloud, and (3) security teams who may not be easily convinced that thereΓÇÖs more than one way to accomplish their goals. Hopefully the above, and the links below, will help with the first. Executive sponsorship may be required to get past the second. Addressing the security policiesΓÇÖ goals, rather than their methods, helps with the third. From conditional access to content moderation, DLP to information protection, endpoint validation to zero-day threatsΓÇöany end goal a reasonable security policy may have can be accomplished with what is available in Office 365, and without any dependency upon on-premises network gear, forced VPN tunnels, and TLS break and inspect.

-Other times, hardware that was sized and purchased before the organization started to move to the cloud simply cannot be scaled up to handle the new traffic patterns and loads. If you truly must route all traffic through a single egress point, and/or proxy it, be prepared to upgrade network equipment and bandwidth accordingly. Carefully monitor utilization on both, as the experience wonΓÇÖt diminish slowly as more users onboard. Everything will be fine until the tipping point is reached, then everyone suffers.

-If your organization requires [tenant restrictions](/azure/active-directory/manage-apps/tenant-restrictions), youΓÇÖll need to use a proxy with TLS break and inspect to force some traffic through the proxy, but you donΓÇÖt have to force all traffic through it. ItΓÇÖs not an all or nothing proposition, so pay attention to what does need to be modified by the proxy.

-No matter what security goals you have in play, there are ways to accomplish them that donΓÇÖt require VPN connections, proxy servers, TLS break and inspect, or centralized Internet egress to get your usersΓÇÖ traffic off your network and on to ours as quickly as you can, which provides the best performance, whether your network is the company headquarters, a remote office, or that user working at home. Our guidance is based on how the Office 365 services are built and to ensure a secure and performant user experience.

-## Exchange email management baseline