Updates from: 04/13/2023 01:40:20
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
Policy templates are pre-defined policy settings that you can use to quickly cre
| **Inappropriate text** | Detect inappropriate text | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 100% <br> - Conditions: Threat, Discrimination, and Targeted harassment classifiers | | **Inappropriate images** | Detect inappropriate images | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 100% <br> - Conditions: Adult and Racy image classifiers | | **Sensitive information** | Detect sensitive info types | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 10% <br> - Conditions: Sensitive information, out-of-the-box content patterns, and types, custom dictionary option, attachments larger than 1 MB |
-| **Regulatory compliance** | Detect financial regulatory compliance | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound <br> - Review Percentage: 10% <br> - Conditions: custom dictionary option, attachments larger than 1 MB |
+| **Regulatory compliance** | Detect financial regulatory compliance | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound <br> - Review Percentage: 10% <br> - Conditions: Customer complaints, Gifts & entertainment, Money laundering, Regulatory collusion, Stock manipulation, and Unauthorized disclosure classifiers|
| **Conflict of interest** | Detect conflict of interest | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Internal <br> - Review Percentage: 100% <br> - Conditions: None | Communications are scanned every 24 hours from the time policies are created. For example, if you create an inappropriate content policy at 11:00 AM, the policy will gather communication compliance signals every 24 hours at 11:00 AM daily. Editing a policy doesn't change this time. To view the last scan date and Coordinated Universal Time (UTC) for a policy, navigate to the *Last policy scan* column on the **Policy** page. After creating a new policy, it may take up to 24 hours to view the first policy scan date and time.
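Review bot: In the replacement **Regulatory compliance** row, the Conditions cell no longer lists "custom dictionary option, attachments larger than 1 MB" at all; the six classifiers replace those conditions instead of being added to them. If the template still applies the dictionary and attachment-size conditions, keep them in the cell, as the **Sensitive information** row above does. The new row also ends `classifiers|` with no space before the closing pipe, unlike the other rows.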
Communication compliance policies using classifiers inspect and evaluate message
|**Classifier**|**Description**| |:-|:--|
-| [Corporate sabotage (preview)](classifier-tc-definitions.md#corporate-sabotage-preview) | Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. |
-| [Customer complaints (preview)](classifier-tc-definitions.md#customer-complaints) | Detects messages that may suggest customer complaints made on your organization's products or services, as required by law for regulated industries. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 4530, FINRA 4513, FINRA 2111, Consumer Financial Protection Bureau, Code of Federal Regulations Title 21: Food and Drugs, and the Federal Trade Commission Act. |
+| [Corporate sabotage](classifier-tc-definitions.md#corporate-sabotage-preview) | Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. |
+| [Customer complaints](classifier-tc-definitions.md#customer-complaints) | Detects messages that may suggest customer complaints made on your organization's products or services, as required by law for regulated industries. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 4530, FINRA 4513, FINRA 2111, Consumer Financial Protection Bureau, Code of Federal Regulations Title 21: Food and Drugs, and the Federal Trade Commission Act. |
| [Discrimination](classifier-tc-definitions.md#discrimination) | Detects potentially explicit discriminatory language and is particularly sensitive to discriminatory language against the African American/Black communities when compared to other communities. |
-| [Gifts & entertainment (preview)](classifier-tc-definitions.md#gifts--entertainment-preview) | Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and FINRA Rule 2320. |
+| [Gifts & entertainment](classifier-tc-definitions.md#gifts--entertainment-preview) | Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and FINRA Rule 2320. |
| [Harassment](classifier-tc-definitions.md#harassment) | Detects potentially offensive content in multiple languages that targets people regarding race, color, religion, national origin. |
-| [Money laundering (preview)](classifier-tc-definitions.md#money-laundering-preview) | Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier can help customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310, and the Anti-Money Laundering Act of 2020. |
+| [Money laundering](classifier-tc-definitions.md#money-laundering-preview) | Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier can help customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310, and the Anti-Money Laundering Act of 2020. |
| [Profanity](classifier-tc-definitions.md#profanity) | Detects potentially profane content in multiple languages that would likely offend most people. |
-| [Regulatory collusion (preview)](classifier-tc-definitions.md#regulatory-collusion-preview) | Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Commission Act, and the Robinson-Patman Act. |
-| [Stock manipulation (preview)](classifier-tc-definitions.md#stock-manipulation-preview) | Detects signs of possible stock manipulation, such as recommendations to buy, sell or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270. |
+| [Regulatory collusion](classifier-tc-definitions.md#regulatory-collusion-preview) | Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Commission Act, and the Robinson-Patman Act. |
+| [Stock manipulation](classifier-tc-definitions.md#stock-manipulation-preview) | Detects signs of possible stock manipulation, such as recommendations to buy, sell or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270. |
| [Threat](classifier-tc-definitions.md#threat) | Detects potential threatening content in multiple languages aimed at committing violence or physical harm to a person or property. |
-| [Unauthorized disclosure (preview)](classifier-tc-definitions.md#unauthorized-disclosure-preview) | Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. |
+| [Unauthorized disclosure](classifier-tc-definitions.md#unauthorized-disclosure-preview) | Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. |
> [!IMPORTANT]
-> Classifiers in (preview) may detect a large volume of bulk sender/newsletter content due to a known issue. You can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the [**Filter email blasts** check box](communication-compliance-configure.md#step-5-required-create-a-communication-compliance-policy) when you create the policy. You can also edit an existing policy to turn on this feature.
+> Classifiers may detect a large volume of bulk sender/newsletter content due to a known issue. You can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the [**Filter email blasts** check box](communication-compliance-configure.md#step-5-required-create-a-communication-compliance-policy) when you create the policy. You can also edit an existing policy to turn on this feature.
### Optical character recognition (OCR)
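Review bot: The link text on the Corporate sabotage, Gifts & entertainment, Money laundering, Regulatory collusion, Stock manipulation and Unauthorized disclosure rows drops "(preview)", but each link still targets a `-preview` anchor in classifier-tc-definitions.md (for example `#corporate-sabotage-preview`), while Customer complaints points at `#customer-complaints`. If the headings in that file lose their preview suffix, these six links will no longer land on the section, so update anchors and headings together. In the IMPORTANT callout, removing "in (preview)" extends the known bulk sender/newsletter issue to every classifier in the table, including Discrimination, Harassment, Profanity and Threat, which were never marked preview; confirm that is intended.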
The following table explains more about each condition.
|**Condition**|**How to use this condition**| |:--|:--|
-| **Content matches any of these classifiers** | Apply to the policy when any classifiers are included or excluded in a message. Some classifiers are pre-defined in your organization, and custom classifiers must be configured separately before they're available for this condition. Only one classifier can be defined as a condition in a policy. For more information about configuring classifiers, see [Learn about trainable classifiers (preview)](/microsoft-365/compliance/classifier-learn-about). |
+| **Content matches any of these classifiers** | Apply to the policy when any classifiers are included or excluded in a message. Some classifiers are pre-defined in your organization, and custom classifiers must be configured separately before they're available for this condition. Only one classifier can be defined as a condition in a policy. For more information about configuring classifiers, see [Learn about trainable classifiers](/microsoft-365/compliance/classifier-learn-about). |
| **Content contains any of these sensitive info types** | Apply to the policy when any sensitive information types are included or excluded in a message. Some classifiers are pre-defined in your tenant, and custom classifiers can be configured separately or as part of the condition assignment process. Each sensitive information type you choose is applied separately and only one of these sensitive information types must apply for the policy to apply to the message. For more information about custom sensitive information types, see [Learn about sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about). | | **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages. Enter each domain and separate multiple domains with a comma. Do not include spaces between items separated by a comma. Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). | | **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages. Enter each domain and separate multiple domains with a comma. Do not include spaces between items separated by a comma. 
Each domain is applied separately, only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, you'd configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). |
compliance Dlp Create Deploy Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-create-deploy-policy.md
Endpoint + Teams
> [!IMPORTANT] > This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.
+> [!IMPORTANT]
+> To identify the minimum version of Outlook that supports this feature, use the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Preventing oversharing as DLP policy tip**.
+ #### Scenario 2 pre-requisites and assumptions This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:
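Review bot: The added callout says "this feature" without naming it, and it sits directly after another IMPORTANT callout about hypothetical values, so a reader cannot tell which feature the minimum Outlook version applies to. Name the feature in the sentence (the table row it points to is **Preventing oversharing as DLP policy tip**) and consider placing the requirement under the "Scenario 2 pre-requisites and assumptions" heading that follows instead of before it.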
compliance Ediscovery Add Custodians To Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-add-custodians-to-case.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/10/2023 audience: Admin
In addition to a custodian's mailbox and OneDrive account, you can also associat
To deselect the primary mailbox and OneDrive account for a custodian: 1. Expand the custodian to view the primary data locations that have been automatically associated to each custodian.- 2. Select **Clear** next to **Mailbox** or **OneDrive** to remove a custodian's mailbox or OneDrive account from being associated as a data location for this custodian. ![Configure locations to associate to a custodian.](../media/ConfigureCustodianLocations.png)
Before you actually add the custodians to the case, you can review the list of c
The new custodians are added to the case and displayed on the **Data sources** tab. [ ![Custodians listed on the Data sources tab.](../media/DataSourcesTab.png) ](../media/DataSourcesTab.png#lightbox)+
+## Retry hold action
+
+Once a custodian is placed on hold, you can validate the status in the **Hold** column of the list page. If the hold status isn't equal to *True* (when hold is enabled) or *False* (when hold is disabled), you can multi-select the relevant custodians and select *Retry hold action* at the top of the page. *Retry hold action* is only available for custodial sources and when multiple custodians are selected. If *Retry hold action* is performed for data sources successfully placed or released from hold, no action is triggered.
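Review bot: The new section tells the reader to retry when the hold status "isn't equal to *True* ... or *False*", but it never says what the **Hold** column shows in that case or what to do if the retry leaves it unchanged. It also states that *Retry hold action* is only available "when multiple custodians are selected", which leaves no documented path for a single custodian whose hold did not apply; state that limitation explicitly or describe what to do instead. The column is the only check this section gives for whether a hold took effect, so the failure states need to be named.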
compliance Ediscovery Bulk Add Custodians https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-bulk-add-custodians.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/10/2023 audience: Admin
Here's an example of a CSV file with custodian information:<br/><br/>
> [!NOTE] > As previously explained, add a "." prefix to the UPN address of an inactive mailbox to import an inactive mailbox as a custodian or to associate an inactive mailbox with another custodian.+
+## Retry hold action
+
+Once a custodian is placed on hold, you can validate the status in the **Hold** column of the list page. If the hold status isn't equal to *True* (when hold is enabled) or *False* (when hold is disabled), you can multi-select the relevant custodians and select *Retry hold action* at the top of the page. *Retry hold action* is only available for custodial sources and when multiple custodians are selected. If *Retry hold action* is performed for data sources succesfully placed or released from hold, no action is triggered.
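Review bot: The last sentence of this copy spells "succesfully"; it should be "successfully". The section is otherwise identical to the one added to ediscovery-add-custodians-to-case.md, where the word is spelled correctly, so moving the text into a shared include would stop the two copies drifting apart.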
compliance Ediscovery Clone A Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-clone-a-content-search.md
+
+ Title: "Clone a Content Search"
+description: "Use the PowerShell script in this article to quickly clone an existing Content Search in the Microsoft Purview compliance portal in Microsoft 365."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: medium
+search.appverid:
+- MOE150
+- MED150
+- MET150
+
+- seo-marvel-apr2020
+
+- tier1
+- purview-compliance
+- content-search
++
+# Clone a Content Search
+
+Creating a Content Search in the Microsoft Purview compliance portal in Microsoft 365 that searches many mailboxes or SharePoint and OneDrive for Business sites can take a while. Specifying the sites to search can also be prone to errors if you mistype a URL. To avoid these issues, you can use the Windows PowerShell script in this article to quickly clone an existing Content Search. When you clone a search, a new search (with a different name) is created that contains the same properties (such as the content locations and the search query) as the original search. Then you can edit the new search by changing the keyword query or the date range, and run it.
+
+Why clone Content Searches?
+
+- To compare the results of different keyword search queries run on the same content locations.
+
+- To save you from having to reenter a large number of content locations when you create a new search.
+
+- To decrease the size of the search results. For example, if you have a search that returns too many results to export, you can clone the search and then add a search condition based on a date range to reduce the number of search results.
++
+## Script information
+
+- You need to install the Exchange Online PowerShell module. For instructions, see [Install and maintain the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-module).
+
+- You have to be a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal to run the script described in this topic.
+
+- The script includes minimal error handling. The primary purpose of the script is to quickly clone a content search.
+
+- The script creates a new Content Search, but doesn't start it.
+
+- This script takes into account whether the Content Search that you're cloning is associated with an eDiscovery case. If the search is associated with a case, the new search will also be associated with the same case. If the existing search isn't associated with a case, the new search will be listed on the **Content search** page in the Microsoft Purview compliance portal.
+
+- The sample script provided in this topic isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+## Step 1: Run the script to clone a search
+
+The script in this step will create a new Content Search by cloning an existing one. When you run this script, you'll be prompted for the following information:
+
+- **Your user credentials** - The script will use your credentials to connect to Security & Compliance PowerShell. As previously stated, you have to be a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal to run the script.
+
+- **The name of the existing search** - This is the Content Search that you want to clone.
+
+- **The name of the new search that will be created** - If you leave this value blank, the script will create a name for the new search that is based on the name of the search that you're cloning.
+
+To clone a search:
+
+1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `CloneSearch.ps1`.
+
+ ```powershell
+ # This PowerShell script clones an existing content search in Microsoft Purview compliance.
+
+ # Ask for the name of the search you want to clone
+ $searchName = Read-Host 'Enter the name of the search that you want to clone'
+ # Ask for the name of the new search
+ $newSearchName = Read-Host 'Enter a name for the new search [leave blank to automatically generate a name]'
+ $originalSearch = Get-ComplianceSearch $searchName -EA SilentlyContinue
+ # Make sure we have a valid search before continuing
+ if(!$originalSearch)
+ {
+ Write-Error "Couldn't find search: $searchName"
+ return
+ }
+ $searchNameCounter = 1
+ # Find a suitable name for the new search
+ while(!$newSearchName)
+ {
+ $newSearchName = $originalSearch.Name + "_" + $searchNameCounter
+ $tempSearch = Get-ComplianceSearch $newSearchName -EA SilentlyContinue
+ if ($tempSearch)
+ {
+ $newSearchName = $null
+ $searchNameCounter++
+ }
+ }
+ $caseName
+ # Determine if the search is part of a case; if so get the case name
+ if ($originalSearch.CaseId)
+ {
+ $searchCase = Get-ComplianceCase $originalSearch.CaseId
+ $caseName = $searchCase.Name
+ }
+ # Need to cast this value as a Boolean the old fashion way
+ $allowNotFoundExchangeLocationsEnabled = $false
+ if ($originalSearch.AllowNotFoundExchangeLocationsEnabled)
+ {
+ $allowNotFoundExchangeLocationsEnabled = $true
+ }
+ $newSearch = New-ComplianceSearch -Name $newSearchName -AllowNotFoundExchangeLocationsEnabled $allowNotFoundExchangeLocationsEnabled -Case $caseName -ContentMatchQuery $originalSearch.ContentMatchQuery -Description $originalSearch.Description -ExchangeLocation $originalSearch.ExchangeLocation -ExchangeLocationExclusion $originalSearch.ExchangeLocationExclusion -Language $originalSearch.Language -SharePointLocation $originalSearch.SharePointLocation -SharePointLocationExclusion $originalSearch.SharePointLocationExclusion -PublicFolderLocation $originalSearch.PublicFolderLocation
+ if ($newSearch)
+ {
+ Write-Host $newSearch.Name "was successfully created" -ForegroundColor Yellow
+ }
+ ```
+
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell). In the same PowerShell window, go to the folder where you saved the script.
+
+3. Run the script; for example:
+
+ ```powershell
+ .\CloneSearch.ps1
+ ```
+
+4. Enter following information when prompted by the script. Type each piece of information and then press **Enter**.
+
+ - The name of the existing search.
+ - The name of the new search.
+
+ The script creates the new Content Search, but doesn't start it. This gives you a chance to edit and run the search in the next step. You can view the properties of the new search by running the **Get-ComplianceSearch** cmdlet or by going to the **Content search** or **eDiscovery** page in the Microsoft Purview compliance portal, depending on whether the new search is associated with a case.
+
+## Step 2: Edit and run the cloned search in the Microsoft Purview compliance portal
+
+After you run the script to clone an existing Content Search, the next step is to go to the Microsoft Purview compliance portal to edit and run the new search. As previously stated, you can edit a search by changing the keyword search query and adding or removing search conditions. For more information, see:
+
+- [Content Search in Office 365](ediscovery-content-search.md)
+
+- [Keyword queries and search conditions for Content Search](ediscovery-keyword-queries-and-search-conditions.md)
+
+- [eDiscovery cases](./ediscovery-standard-get-started.md)
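Review bot: In the script, the bare line `$caseName` does not declare or initialise the variable; it evaluates it and writes its current value to the output. When the script runs in a session where `$caseName` is already set and the source search has no `CaseId`, that stale value is passed to `New-ComplianceSearch -Case` and the clone is attached to the wrong case. Replace the line with `$caseName = $null`. Step 1 also says the script prompts for "Your user credentials" and uses them to connect to Security & Compliance PowerShell, but the script contains no connect call and step 2 of the numbered list has the reader connect separately; drop the credentials bullet or add the connection to the script. Both `Get-ComplianceSearch` calls use `-EA SilentlyContinue`, so a dropped session is reported as "Couldn't find search"; the "minimal error handling" bullet should mention this.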
compliance Ediscovery Content Search Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-content-search-overview.md
+
+ Title: "Overview of Content search"
+description: "Use the Content search eDiscovery tool in the Microsoft Purview compliance portal to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- highpri
+- tier1
+- purview-compliance
+- content-search
++
+# Overview of Content search
+
+Use the Content search tool in the Microsoft Purview compliance portal to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the content search tool to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups.
+
+
+## Search for content
+
+The first step is to starting using the Content search tool to choose content locations to search and configure a keyword query to search for specific items. Or, you can just leave the query blank and return all items in the target locations.
+
+- [Create and run](ediscovery-content-search.md) a Content search.
+- [Build search queries and use conditions](ediscovery-keyword-queries-and-search-conditions.md) to narrow your search.
+- [Feature reference](ediscovery-content-search-reference.md) for Content search.
+- [Configure search permissions filtering](ediscovery-permissions-filtering-for-content-search.md) so that an eDiscovery manager can only search subset of mailboxes or sites in your organization.
+- [Search cloud-based mailboxes](ediscovery-search-cloud-based-mailboxes-for-on-premises-users.md) for on-premises users in Microsoft 365.
+- [View keyword statistics](ediscovery-view-keyword-statistics-for-content-search.md) for the results of a search and then refine the query if necessary.
+- [Search for third-party data](use-content-search-to-search-third-party-data-that-was-imported.md) that your organization has imported to Microsoft 365.
+- [Preserve Bcc recipients](/exchange/policy-and-compliance/holds/preserve-bcc-recipients-and-group-members) so you can search for them.
+
+## Perform actions on content you find
+
+After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or in the case of an email attack on your organization, you can delete the results of a search from user mailboxes.
+
+- [Export the results of a content search](export-search-results.md) and download them to your local computer..
+- [Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md), such as messages that content a virus, dangerous attachments, or phishing messages.
+- [Export a report](ediscovery-export-a-content-search-report.md) about the results of a content search, without exporting the actual results.
+
+## Learn more about content search
+
+Content search is easy to use, but it's also a powerful tool. Behind-the-scenes, there's a lot going on. The more you know about it and understand its behavior and its limitations, the more successful you'll be using it for your organization's search and investigation needs.
+
+- [Content search limits](ediscovery-limits-for-content-search.md), such as the maximum number of searches that you can run at one time and the maximum number of content locations you can include in a single search.
+- [Estimated and actual search results](ediscovery-differences-between-estimated-and-actual-search-results.md) and the reasons why there might be differences between them when you export and download search results.
+- [Partially indexed items in Exchange and SharePoint](ediscovery-partially-indexed-items-in-content-search.md) and how to include or exclude them when you export and download search results.
+- [Investigate partially indexed items](ediscovery-investigating-partially-indexed-items.md) and determine your organization's exposure to them.
+- [De-duplication in search results](ediscovery-de-duplication-in-search-results.md) that you can enable when you export email messages that are the results of a search.
+
+## Use scripts for advanced scenarios
+
+Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and faster to use commands in [Security & Compliance PowerShell](/powershell/exchange/scc-powershell).
+
+To help make this easier, we've created several Security & Compliance PowerShell scripts to help you complete complex content search-related tasks.
+
+- [Search specific mailbox and site folders](use-content-search-for-targeted-collections.md) (called a *targeted* collection) when you're confident that items responsive to a case are located in that folder.
+- [Search the mailbox and OneDrive location](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md) for a list of users.
+- [Create, report on, and delete multiple searches](ediscovery-create-reports-and-delete-multiple-content-searches.md) to quickly and efficiently identify and cull search data.
+- [Clone a content search](clone-a-content-search.md) and quickly compare the results of different keyword search queries run on the same content locations; or use the script to save time by not having to re-enter a large number of content locations when you create a new search.
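Review bot: The last bullet under "Use scripts for advanced scenarios" links to `clone-a-content-search.md`, but the clone article listed in this same update is at `ediscovery-clone-a-content-search.md`; the link needs the `ediscovery-` prefix like the other ediscovery- links in this file. Wording to fix in the same pass: "The first step is to starting using the Content search tool to choose content locations" under "Search for content" is not a sentence, "messages that content a virus" should read "contain", and "download them to your local computer.." has a doubled period.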
compliance Ediscovery Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-content-search.md
Title: "Create and run a Content search in the Microsoft Purview compliance portal"
+ Title: "Get started with Content search"
description: "Use the Content search eDiscovery tool in the compliance center to search for content in different Microsoft 365 services." f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/11/2023 audience: Admin
- admindeeplinkCOMPLIANCE
-# Create a content search
+# Get started with Content search
You can use the Content search eDiscovery tool in the Microsoft Purview compliance portal to search for in-place content such as email, documents, and instant messaging conversations in your organization. Use this tool to search for content in these cloud-based Microsoft 365 data sources:
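Review bot: The title and H1 change to "Get started with Content search", but the unchanged `description` still says "in the compliance center" while the first body paragraph says "Microsoft Purview compliance portal". Update the description in the same change so the metadata matches the body and the new title.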
compliance Ediscovery Delete Items In The Recoverable Items Folder Of Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md
+
+ Title: Delete items in the Recoverable Items folder
+description: Learn how admins can delete items in a user's Recoverable Items folder for an Exchange Online mailbox, even if that mailbox is placed on legal hold.
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- tier1
+- purview-compliance
+- ediscovery
+search.appverid:
+- MOE150
+- MET150
+ms.assetid: a85e1c87-a48e-4715-bfa9-d5275cde67b0
+
+- seo-marvel-apr2020
+- admindeeplinkEXCHANGE
++
+# Delete items in the Recoverable Items folder of cloud-based mailboxes on hold
+
+The Recoverable Items folder for an Exchange Online mailbox exists to protect from accidental or malicious deletions. It's also used to store items that are retained and accessed by compliance features, such as holds and eDiscovery searches. However, in some situations organizations might have data that's been unintentionally retained in the Recoverable Items folder that they must delete. For example, a user might unknowingly send or forward an email message that contains sensitive information or information that may have serious business consequences. Even if the message is permanently deleted, it might be retained indefinitely because a legal hold has been placed on the mailbox. This scenario is known as *data spillage* because data has been unintentionally *spilled* into Office 365. In these situations, you can delete items in a user's Recoverable Items folder for an Exchange Online mailbox, even if that mailbox is placed on hold with one of the different hold features in Office 365. These types of holds include Litigation Holds, In-Place Holds, eDiscovery holds, and retention policies created in the security and compliance center in Office 365 or Microsoft 365.
+
+This article explains how admins can delete items from the Recoverable Items folder for cloud-based mailboxes that are on hold. This procedure involves disabling access to the mailbox and disabling single item recovery, disabling the Managed Folder Assistant from processing the mailbox, temporarily removing the hold, deleting items from the Recoverable Items folder, and then reverting the mailbox to its previous configuration. Here's the process:
+
+[Step 1: Collect information about the mailbox](#step-1-collect-information-about-the-mailbox)
+
+[Step 2: Prepare the mailbox](#step-2-prepare-the-mailbox)
+
+[Step 3: Remove all holds from the mailbox](#step-3-remove-all-holds-from-the-mailbox)
+
+[Step 4: Remove the delay hold from the mailbox](#step-4-remove-the-delay-hold-from-the-mailbox)
+
+[Step 5: Delete items in the Recoverable Items folder](#step-5-delete-items-in-the-recoverable-items-folder)
+
+[Step 6: Revert the mailbox to its previous state](#step-6-revert-the-mailbox-to-its-previous-state)
+
+> [!CAUTION]
+> The procedures outlined in this article will result in data being permanently deleted (purged) from an Exchange Online mailbox. That means messages that you delete from the Recoverable Items folder can't be recovered and won't be available for legal discovery or other compliance purposes. If you want to delete messages from a mailbox that's placed on hold as part of a Litigation Hold, In-Place Hold, eDiscovery hold, or retention policy created in the Microsoft Purview compliance portal, check with your records management or legal departments before removing the hold. Your organization might have a policy that defines whether a mailbox on hold or a data spillage incident takes priority.
+
+
+## Before you delete items
+
+- To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions](./ediscovery-assign-permissions.md).
+
+- If a mailbox is assigned to an organization-wide retention policy, you have to exclude the mailbox from the policy before you can delete items from the Recoverable Items folder. It may take up to 24 hours to synchronize the policy change, and remove the mailbox from the policy. For more information, see "Organization-wide retention policies" in the [Remove all holds from the mailbox](#organization-wide-retention-policies) section in this article.
+
+- You can't perform this procedure for a mailbox that has been assigned retention settings with a retention policy that's locked by using Preservation Lock. That's because this lock prevents you from removing or excluding the mailbox from the policy and from disabling the Managed Folder Assistant on the mailbox. For more information about locking policies for retention,see [Use Preservation Lock to restrict changes to retention policies and retention label policies](retention-preservation-lock.md).
+
+- The procedure described in this article isn't supported for inactive mailboxes. That's because you can't reapply a hold (or retention policy) to an inactive mailbox after you remove it. When you remove a hold from an inactive mailbox, it's changed to a normal soft-deleted mailbox and will be permanently deleted from your organization after it's processed by the Managed Folder Assistant.
+
+- If a mailbox isn't placed on hold (or doesn't have single item recovery enabled), you can delete the items from the Recoverable Items folder. For more information about how to do this, see [Search for and delete email messages in your organization](./search-for-and-delete-messages-in-your-organization.md).
+
+## Step 1: Collect information about the mailbox
+
+This first step is to collect selected properties from the target mailbox that will affect this procedure. Be sure to write down these settings or save them to a text file because you'll change some of these properties and then revert back to the original values in Step 6, after you delete items from the Recoverable Items folder. Here's a list of the mailbox properties you need to collect.
+
+- *SingleItemRecoveryEnabled* and *RetainDeletedItemsFor*. If necessary, you'll disable single recovery and increase the deleted items retention period in Step 3.
+
+- *LitigationHoldEnabled* and *InPlaceHolds*. You need to identify all the holds placed on the mailbox so that you can temporarily remove them in Step 3. See the [More information](#more-information) section for tips about how to identify the type hold that might be placed on a mailbox.
+
+Additionally, you need to get the mailbox client access settings so you can temporarily disable them so the owner (or other users) can't access the mailbox during this procedure. Finally, you can get the current size and number of items in the Recoverable Items folder. After you delete items in the Recoverable Items folder in Step 5, you'll use this information to verify that items were removed.
+
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Be sure to use a user name and password for an administrator account that's been assigned the appropriate management roles in Exchange Online.
+
+2. Run the following command to get information about single item recovery and the deleted item retention period.
+
+ ```powershell
+ Get-Mailbox <username> | FL SingleItemRecoveryEnabled,RetainDeletedItemsFor
+ ```
+
+ If single item recovery is enabled, you'll have to disable it in Step 2. If the deleted item retention period isn't set for 30 days (the maximum value in Exchange Online), then you can increase it in Step 2.
+
+3. Run the following command to get the mailbox access settings for the mailbox.
+
+ ```powershell
+ Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled
+ ```
+
+ You'll disable all of these access methods in Step 2.
+
+4. Run the following command to get information about the holds and retention policies applied to the mailbox.
+
+ ```powershell
+ Get-Mailbox <username> | FL LitigationHoldEnabled,InPlaceHolds
+ ```
+
+ > [!TIP]
+ > If there are too many values in the *InPlaceHolds* property and not all of them are displayed, you can run the `Get-Mailbox <username> | Select-Object -ExpandProperty InPlaceHolds` command to display each value on a separate line.
+
+5. Run the following command to get information about any organization-wide retention policies.
+
+ ```powershell
+ Get-OrganizationConfig | FL InPlaceHolds
+ ```
+
+ If your organization has any organization-wide retention policies, you'll have to exclude the mailbox from these policies in Step 3. It may take up to 24 hours to replicate the change.
+
+ > [!TIP]
+ > If there are too many values in the *InPlaceHolds* property and not all of them are displayed, you can run the `Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds` command to display each value on a separate line.
+
+6. Run the following command to determine if a delay hold is applied to the mailbox.
+
+ ```powershell
+ Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied
+ ```
+
+ If the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**, a delay hold is applied to the mailbox and must be removed. For more information about delay holds, see [Step 4: Remove the delay hold from the mailbox](#step-4-remove-the-delay-hold-from-the-mailbox).
+
+ If the value of either properties is set to **False**, a delay hold is not applied to the mailbox, and you can skip Step 4.
+
+7. Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.
+
+ ```powershell
+ Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
+ ```
+
+ If the user's archive mailbox is enabled, run the following command to get the size and total number of items in folders and subfolders in the Recoverable Items folder in their archive mailbox.
+
+ ```powershell
+ Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
+ ```
+
+ When you delete items in Step 5, you can choose to delete or not delete items in the Recoverable Items folder in the user's primary archive mailbox. If auto-expanding archiving is enabled for the mailbox, items in an auxiliary archive mailbox won't be deleted.
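Review bot: The property list at the top of Step 1 says single item recovery is disabled and the retention period is increased "in Step 3", but item 2 of this section and the Step 2 section both place those changes in Step 2; correct the reference and write "single item recovery" in full. In item 6, "If the value of either properties is set to False ... you can skip Step 4" conflicts with the sentence before it, which says a delay hold is applied when either property is True; the skip condition should be that both properties are False.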
+
+## Step 2: Prepare the mailbox
+
+After collecting and saving information about the mailbox, the next step is to prepare the mailbox by performing the following tasks:
+
+- **Disable client access to mailbox** so that the mailbox owner can't access their mailbox and make any changes to the mailbox data during this procedure.
+
+- **Increase the deleted item retention period** to 30 days (the maximum value in Exchange Online) so that items aren't purged from the Recoverable Items folder before you can delete them in Step 5.
+
+- **Disable single Item recovery** so that items won't be retained (for the duration of the deleted item retention period) after you delete them from the Recoverable Items folder in Step 5.
+
+- **Disable the Managed Folder Assistant** so that it doesn't process the mailbox and retain the items that you delete in Step 5.
+
+Perform the following steps in Exchange Online PowerShell.
+
+1. Run the following command to disable all client access to the mailbox. The command syntax assumes that all client access methods were enabled on the mailbox.
+
+ ```powershell
+ Set-CASMailbox <username> -EwsEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -OWAEnabled $false -ImapEnabled $false -PopEnabled $false
+ ```
+
+ > [!NOTE]
+ > It might take up to 60 minutes to disable all client access methods to the mailbox. Note that disabling these access methods won't disconnect the mailbox owner if they are currently signed in. If the owner isn't signed in, they won't be able to access their mailbox after these access methods are disabled.
+
+2. Run the following command to increase the deleted item retention period the maximum of 30 days. This assumes that the current setting is less than 30 days.
+
+ ```powershell
+ Set-Mailbox <username> -RetainDeletedItemsFor 30
+ ```
+
+3. Run the following command to disable single item recovery.
+
+ ```powershell
+ Set-Mailbox <username> -SingleItemRecoveryEnabled $false
+ ```
+
+ > [!NOTE]
+ > It might take up to 240 minutes to disable single item recovery. Don't delete items in the Recoverable Items folder until this period has elapsed.
+
+4. Run the following command to prevent the Managed Folder Assistant from processing the mailbox. As previously explained, you can disable the Managed Folder Assistant only if a retention policy with a Preservation Lock is not applied to the mailbox.
+
+ ```powershell
+ Set-Mailbox <username> -ElcProcessingDisabled $true
+ ```
+
+## Step 3: Remove all holds from the mailbox
+
+The last step before you can delete items from the Recoverable Items folder is to remove all holds (that you identified in Step 1) placed on the mailbox. All holds must be removed so that items won't be retained after you delete them from the Recoverable Items folder. The following sections contain information about removing different types of holds on a mailbox. See the [More information](#more-information) section for tips about how to identify the type hold that might be placed on a mailbox. For more information, see [How to identify the type of hold placed on an Exchange Online mailbox](ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md).
+
+> [!CAUTION]
+> As previously stated, check with your records management or legal departments before removing a hold from a mailbox.
+
+### Litigation Hold
+
+Run the following command in Exchange Online PowerShell to remove a Litigation Hold from the mailbox.
+
+```powershell
+Set-Mailbox <username> -LitigationHoldEnabled $false
+```
+
+> [!NOTE]
+> Similar to disabling single item recovery, it might take up to 240 minutes to remove the Litigation Hold. Don't delete items from the Recoverable Items folder until this period has elapsed.
+
+### In-Place Hold
+
+Run the following command in Exchange Online PowerShell to identify the In-Place Hold that's placed on the mailbox. Use the GUID for the In-Place Hold that you identified in Step 1.
+
+```powershell
+Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL Name
+```
+
+After you identify the In-Place Hold, you can use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center (EAC)</a> or Exchange Online PowerShell to remove the mailbox from the hold. For more information, see [Create or remove an In-Place Hold](/exchange/security-and-compliance/create-or-remove-in-place-holds).
+
+### Retention policies applied to specific mailboxes
+
+Run the following command in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the retention policy that is applied to the mailbox. This command will also return any Teams conversation retention policies applied to a mailbox. Use the GUID (not including the `mbx` or `skp` prefix) for the retention policy that you identified in Step 1.
+
+```powershell
+Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name
+```
+
+After you identify the retention policy, go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance portal, edit the retention policy that you identified in the previous step, and remove the mailbox from the list of recipients that are included in the retention policy.
+
+### Organization-wide retention policies
+
+Organization-wide, Exchange-wide, and Teams-wide retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the **Get-OrganizationConfig** cmdlet in Step 1. Run the following command in [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell) to identify the organization-wide retention policies. Use the GUID (not including the `mbx` prefix) for the organization-wide retention policies that you identified in Step 1.
+
+```powershell
+Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name
+```
+
+After you identify the organization-wide retention policies, go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance portal, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy.
+
+> [!IMPORTANT]
+> After you exclude a mailbox from an organization-wide retention policy, it may take up to 24 hours to synchronize this change and remove the mailbox from the policy.
+
+### Retention labels
+
+Whenever a user applies a label that's configured to retain content or retain and then delete content to any folder or item in their mailbox, the *ComplianceTagHoldApplied* mailbox property is set to **True**. When this happens, the mailbox is considered to be on hold, as if it was placed on Litigation Hold or assigned to a retention policy.
+
+To view the value of the *ComplianceTagHoldApplied* property, run the following command in Exchange Online PowerShell:
+
+```powershell
+Get-Mailbox <username> |FL ComplianceTagHoldApplied
+```
+
+After you've identified that a mailbox is on hold because a retention label is applied to a folder or item, you can use the Content search tool in the compliance portal to search for labeled items by using the **Retention label** condition. For more information, see:
+
+- The "Using Content Search to find all content with a specific retention label" section in [Learn about retention policies and retention labels](retention.md#using-content-search-to-find-all-content-with-a-specific-retention-label)
+
+- The "Search conditions" section in [Keyword queries and search conditions for Content Search](ediscovery-keyword-queries-and-search-conditions.md#conditions-for-common-properties).
+
+For more information about labels, see [Learn about retention policies and retention labels](retention.md).
+
+### eDiscovery holds
+
+Run the following commands in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the hold associated with an eDiscovery case (called *eDiscovery holds*) that's applied to the mailbox. Use the GUID (not including the `UniH` prefix) for the eDiscovery hold that you identified in Step 1. The second command displays the name of the eDiscovery case the hold is associated with; the third command displays the name of the hold.
+
+```powershell
+$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>
+```
+
+```powershell
+Get-ComplianceCase $CaseHold.CaseId | FL Name
+```
+
+```powershell
+$CaseHold.Name
+```
+
+After you've identified the name of the eDiscovery case and the hold, go to the **eDiscovery** \> **eDiscovery** page in the compliance center, open the case, and remove the mailbox from the hold. For more information about identifying eDiscovery holds, see the "eDiscovery holds" section in [How to identify the type of hold placed on an Exchange Online mailbox](ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md#ediscovery-holds).
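Review bot: The "Organization-wide retention policies" subsection links Security & Compliance PowerShell to /powershell/exchange/exchange-online-powershell, while the "Retention policies applied to specific mailboxes" and "eDiscovery holds" subsections link the same module to /powershell/exchange/connect-to-scc-powershell; use one target so readers open the session the cmdlet needs. The eDiscovery holds paragraph sends readers to the "**eDiscovery** \> **eDiscovery** page in the compliance center", whereas Step 6 uses "**eDiscovery** > **Core**" and the retention subsections say "compliance portal"; settle on one navigation path and one portal name. The opening paragraph of Step 3 also points to the hold-identification guidance twice in consecutive sentences, and "the type hold" is missing "of".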
+
+## Step 4: Remove the delay hold from the mailbox
+
+After any type of hold is removed from a mailbox, the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* mailbox property is set to **True**. This occurs the next time the Managed Folder Assistant processes the mailbox and detects that a hold has been removed. This is called a *delay hold* and means the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted from the mailbox. (The purpose of a delay hold is to give admins an opportunity to search for or recover mailbox items that will be purged after a hold is removed.) When a delay hold is placed on the mailbox, the mailbox is still considered to be on hold for an unlimited duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the *DelayHoldApplied* or *DelayReleaseHoldApplied* property to **False**) so that the hold is removed. For more information about a delay hold, see the "Managing mailboxes on delay hold" section in [How to identify the type of hold placed on an Exchange Online mailbox](ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md#managing-mailboxes-on-delay-hold).
+
+If the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**, run one of the following commands to remove the delay hold:
+
+```powershell
+Set-Mailbox <username> -RemoveDelayHoldApplied
+```
+
+Or
+
+```powershell
+Set-Mailbox <username> -RemoveDelayReleaseHoldApplied
+```
+
+You must be assigned the Legal Hold role in Exchange Online to use the *RemoveDelayHoldApplied* or *RemoveDelayReleaseHoldApplied* parameter.
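Review bot: "run one of the following commands" does not say which parameter goes with which property, and it leaves the case where both *DelayHoldApplied* and *DelayReleaseHoldApplied* are True uncovered; state which command clears which property and that both are run when both are True. The Legal Hold role requirement is a prerequisite and would be better placed before the two commands than after them. It would also help to tell readers to rerun the Step 1 check (`Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied`) to confirm both values are False before moving to Step 5.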
+
+## Step 5: Delete items in the Recoverable Items folder
+
+Now you're ready to actually delete items in the Recoverable Items folder by using the [New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch) and [New-ComplianceSearchAction](/powershell/module/exchange/new-compliancesearchaction) cmdlets in Security & Compliance PowerShell.
+
+To search for items that are located in the Recoverable Items folder, we recommend that you perform a *targeted collection*. This means you narrow the scope of your search only to items located in the Recoverable Items folder. You can do this by running the script in the [Use Content Search for targeted collections](use-content-search-for-targeted-collections.md) article. This script returns the value of the folder ID property for all the subfolders in the target Recoverable Items folder. Then you use the folder ID in a search query to return items located in that folder.
+
+Here's an overview of the process to search for and delete items in a user's Recoverable Items folder:
+
+1. Run the targeted collection script that returns the folder IDs for all folders in the target user's mailbox. The script connects to Exchange Online PowerShell and Security & Compliance PowerShell in the same PowerShell session. For more information, see [Run the script to get a list of folders for a mailbox](use-content-search-for-targeted-collections.md#step-1-run-the-script-to-get-a-list-of-folders-for-a-mailbox-or-site).
+
+2. Copy the folder IDs for all subfolders in the Recoverable Items folder. Alternatively, you can redirect the output of the script to a text file.
+
+ Here's a list and description of the subfolders in the Recoverable Items folder that you can search and delete items from:
+
+ - **Deletions**: Contains soft-deleted items whose deleted item retention period has not expired. Users can recover soft-deleted items from this subfolder using the Recover Deleted Items tool in Outlook.
+
+ - **DiscoveryHolds**: Contains hard-deleted items that have been preserved by an eDiscovery hold or a retention policy. This subfolder isn't visible to end users.
+
+ - **SubstrateHolds**: Contains hard-deleted items from Teams and other cloud-based apps that have been preserved by a retention policy or other type of hold. This subfolder isn't visible to end users.
+
+3. Use the **New-ComplianceSearch** cmdlet (in Security & Compliance PowerShell) or use the Content search tool in the compliance center to create a content search that returns items from the target user's Recoverable Items folder. You can do this by including the FolderId in the search query for all subfolders that you want to search. For example, the following query returns all messages in the Deletions and eDiscoveryHolds subfolders:
+
+ ```text
+ folderid:<folder ID of Deletions subfolder> OR folderid:<folder ID of DiscoveryHolds subfolder>
+ ```
+
+ For more information and examples about running content searches that use the folder ID property, see [Use a folder ID or to perform a targeted collection](use-content-search-for-targeted-collections.md#step-2-use-a-folder-id-or-documentlink-to-perform-a-targeted-collection).
+
+ > [!NOTE]
+ > If you use the **New-ComplianceSearch** cmdlet to search the Recoverable Items folder, be sure to use **Start-ComplianceSearch** cmdlet to run the search.
+
+4. After you've created a content search and validated that it returns the items that you wan to delete, use the `New-ComplianceSearchAction -Purge -PurgeType HardDelete` command (in Security & Compliance PowerShell) to permanently delete the items returned by the content search that you created in the previous step. For example, you can run a command similar to the following command:
+
+ ```powershell
+ New-ComplianceSearchAction -SearchName "RecoverableItems" -Purge -PurgeType HardDelete
+ ```
+
+5. A maximum of 10 items per mailbox are deleted when you run the previous command. That means you may have to run the `New-ComplianceSearchAction -Purge` command multiple times to delete all the items that you want to delete in the Recoverable Items folder. To delete additional items, you first have to remove the previous compliance search purge action. You do this by running the `Remove-ComplianceSearchAction` cmdlet. For example, to delete the purge action that was run in the previous step, run the following command:
+
+ ```powershell
+ Remove-ComplianceSearchAction "RecoverableItems_Purge"
+ ```
+
+ After you do this, you can create a new compliance search purge action to delete more items. You'll have to delete each purge action before creating a new one.
+
+ To get a list of the compliance search actions, you can run the `Get-ComplianceSearchAction` cmdlet. Purge actions are identified by `_Purge` appended to the search name.
+
+### Verify that items were deleted
+
+To verify that you've successfully deleted items from the Recoverable Items folder of a mailbox, use **Get-MailboxFolderStatistics** cmdlet in Exchange Online PowerShell to check the size and number of items in Recoverable Items folder. You can compare these statistics with the ones you collected in Step 1.
+
+Run the following command in to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.
+
+```powershell
+Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
+```
+
+Run the following command to get the size and total number of items in folders and subfolders in the Recoverable Items folder in the user's archive mailbox.
+
+```powershell
+Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems -Archive | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
+```
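Review bot: Item 3 of Step 5 says the example query returns messages in the "Deletions and eDiscoveryHolds subfolders", but the subfolder list above it and the query itself name the folder DiscoveryHolds; correct the name. The purge example in item 4 acts on a search called "RecoverableItems" that item 3 never shows being created or started under that name; because the purge is permanent, show the search being created and run, and remind readers of the waits of up to 240 minutes stated in Step 2 and Step 3 before they purge. Smaller fixes: the link text "Use a folder ID or to perform a targeted collection" is missing a word, item 4 has "wan to delete", and the verify section has "Run the following command in to get".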
+
+## Step 6: Revert the mailbox to its previous state
+
+The final step is to revert the mailbox back to its previous configuration. This means resetting the properties that you changed in Step 2 and reapplying the holds that you removed in Step 3. This includes:
+
+- Changing the deleted item retention period back to its previous value. Alternatively, you can just leave this set to 30 days, the maximum value in Exchange Online.
+
+- Re-enabling single Item recovery.
+
+- Re-enabling the client access methods so that the owner can access their mailbox.
+
+- Reapplying the holds and retention policies that you removed.
+
+- Re-enabling the Managed Folder Assistant to process the mailbox.
+
+> [!IMPORTANT]
+> We recommend that you wait 24 hours after re-applying a hold or retention policy (and verifying that it's in place) before you re-enable the Managed Folder Assistant to process the mailbox.
+
+Perform the following steps (in the specified sequence) in Exchange Online PowerShell.
+
+1. Run the following command to change the deleted item retention period back to its original value. This assumes that the previous setting is less than 30 days; for example, 14 days.
+
+ ```powershell
+ Set-Mailbox <username> -RetainDeletedItemsFor 14
+ ```
+
+2. Run the following command to re-enable single item recovery.
+
+ ```powershell
+ Set-Mailbox <username> -SingleItemRecoveryEnabled $true
+ ```
+
+3. Run the following command to re-enable all client access methods to the mailbox.
+
+ ```powershell
+ Set-CASMailbox <username> -EwsEnabled $true -ActiveSyncEnabled $true -MAPIEnabled $true -OWAEnabled $true -ImapEnabled $true -PopEnabled $true
+ ```
+
+4. Reapply the holds that you removed in Step 3. Depending on the type of hold, use one of the following procedures.
+
+ **Litigation Hold**
+
+ Run the following command to re-enable a Litigation Hold for the mailbox.
+
+ ```powershell
+ Set-Mailbox <username> -LitigationHoldEnabled $true
+ ```
+
+ **In-Place Hold**
+
+ Use the EAC (or Exchange Online PowerShell) to add the mailbox back to the In-Place Hold.
+
+ **Retention policies applied to specific mailboxes**
+
+ Use the compliance portal to add the mailbox back to the retention policy. Go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance center, edit the retention policy, and add the mailbox back to the list of recipients that the retention policy is applied to.
+
+ **Organization-wide retention policies**
+
+ If you removed an organization-wide or Exchange-wide retention policy by excluding it from the policy, then use the compliance portal to remove the mailbox from the list of excluded users. Go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance center, edit the organization-wide retention policy, and remove the mailbox from the list of excluded recipients. Doing this will reapply the retention policy to the user's mailbox.
+
+ **eDiscovery case holds**
+
+ Use the compliance portal to add the mailbox back the hold that's associated with an eDiscovery case. Go to the **eDiscovery** > **Core** page, open the case, and add the mailbox back to the hold.
+
+5. Run the following command to allow the Managed Folder Assistant to process the mailbox again. As previously stated, we recommend that you wait 24 hours after reapplying a hold or retention policy (and verifying that it's in place) before you re-enable the Managed Folder Assistant.
+
+ ```powershell
+ Set-Mailbox <username> -ElcProcessingDisabled $false
+ ```
+
+6. To verify that the mailbox has been reverted back to its previous configuration, you can run the following commands and then compare the settings to the ones that you collected in Step 1.
+
+ ```powershell
+ Get-Mailbox <username> | FL ElcProcessingDisabled,InPlaceHolds,LitigationHoldEnabled,RetainDeletedItemsFor,SingleItemRecoveryEnabled
+ ```
+
+ ```powershell
+ Get-CASMailbox <username> | FL EwsEnabled,ActiveSyncEnabled,MAPIEnabled,OWAEnabled,ImapEnabled,PopEnabled
+ ```
+
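Review bot: Item 3 of Step 6 sets every client access method to $true, which would turn on protocols such as IMAP or POP even if Step 1 recorded them as disabled; tell readers to restore the values they saved, the way item 1 does for the retention period. Item 2 has the same issue for *SingleItemRecoveryEnabled*. In item 4, "by excluding it from the policy" should read "by excluding the mailbox from the policy", and "add the mailbox back the hold" is missing "to". The verification command in item 6 omits *ComplianceTagHoldApplied*, *DelayHoldApplied* and *DelayReleaseHoldApplied*, which earlier steps had readers check.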
+## More information
+
+Here's a table that describes how to identify different types of holds based on the values in the *InPlaceHolds* property when you run the **Get-Mailbox** or **Get-OrganizationConfig** cmdlets. For more detailed information, see [How to identify the type of hold placed on an Exchange Online mailbox](ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md).
+
+As previously explained, you have to remove all holds and retention policies from a mailbox before you can successfully delete items in the Recoverable Items folder.
+
+| Hold type | Example value | How to identify the hold |
+|:--|:--|:--|
+|Litigation Hold <br/> | `True` <br/> |The *LitigationHoldEnabled* property is set to `True`. <br/> |
+|In-Place Hold <br/> | `c0ba3ce811b6432a8751430937152491` <br/> |The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID doesn't start with a prefix. <br/> You can use the `Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL` command in Exchange Online PowerShell to get information about the In-Place Hold on the mailbox. <br/> |
+| Retention policies in the compliance portal applied to specific mailboxes <br/> | `mbxcdbbb86ce60342489bff371876e7f224` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f` <br/> |When you run the **Get-Mailbox** cmdlet, the *InPlaceHolds* property also contains GUIDs of retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` prefix. If the GUID of the retention policy starts with the `skp` prefix, that indicates that the retention policy is applied to Skype for Business conversations. <br/> To identity the retention policy that's applied to the mailbox, run the following command in Security & Compliance PowerShell: <br/> <br/>`Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
+|Organization-wide retention policies in the compliance portal <br/> |No value <br/> or <br/> `-mbxe9b52bf7ab3b46a286308ecb29624696` (indicates that the mailbox is excluded from an organization-wide policy) <br/> |Even if the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still might be one or more organization-wide retention policies applied to the mailbox. <br/> To verify this, you can run the `Get-OrganizationConfig | FL InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes starts with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> To identity the organization-wide retention policy that's applied to the mailbox, run the following command in Security & Compliance PowerShell: <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>If a mailbox is excluded from an organization-wide retention policy, the GUID for the retention policy is displayed in the *InPlaceHolds* property of the user's mailbox when you run the **Get-Mailbox** cmdlet; it's identified by the prefix `-mbx`; for example, `-mbxe9b52bf7ab3b46a286308ecb29624696` <br/> |
+|eDiscovery case hold in the compliance portal <br/> | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` <br/> |The *InPlaceHolds* property also contains the GUID of any hold associated with an eDiscovery case in the compliance portal that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands:<br/><br/>`$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/>`Get-ComplianceCase $CaseHold.CaseId | FL Name`
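Review bot: The last row of the hold-type table (eDiscovery case hold) ends at `Get-ComplianceCase $CaseHold.CaseId | FL Name` without the closing ` <br/> |` that every other row carries, so the row is left unterminated; add the closing cell delimiter. In the same table, "To identity" appears three times (the retention policy, organization-wide retention policy, and eDiscovery case hold rows) where "To identify" is meant. In step 6, "reverted back" can be just "reverted". Step 5 re-enables the Managed Folder Assistant with `-ElcProcessingDisabled $false`, and the text depends on the hold having been reapplied first. Consider moving the step 6 `Get-Mailbox <username> | FL ...` check ahead of step 5, so the reader confirms *InPlaceHolds* and *LitigationHoldEnabled* before processing resumes.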
compliance Ediscovery Disable Reports For Exported Content Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-disable-reports-for-exported-content-search-results.md
+
+ Title: "Disable reports when you export Content Search results"
+description: Edit the Windows Registry on your local computer to disable reports when you export the results of a Content Search from the Microsoft Purview compliance portal.
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: medium
+search.appverid:
+- MOE150
+- MET150
+
+- seo-marvel-apr2020
+
+- tier1
+- purview-compliance
+- content-search
++
+# Disable reports when you export Content Search results
+
+When you use the eDiscovery Export tool to export the results of a Content Search in the Microsoft Purview compliance portal, the tool automatically creates and exports two reports that contain additional information about the exported content. These reports are the Results.csv file and the Manifest.xml file (see the [Frequently asked questions about disabling export reports](#frequently-asked-questions-about-disabling-export-reports) section in this article for detailed descriptions of these reports). Because these files can be very large, you can speed up the download time and save disk space by preventing these files from being exported. You can do this by changing the Windows Registry on the computer that you use to export the search results. If you want to include the reports at a later time, you can edit the registry setting.
+
+
+## Create registry settings to disable the export reports
+
+Perform the following procedure on the computer that you'll use to export the results a content search.
+
+1. Close the eDiscovery Export tool if it's open.
+
+2. Perform one or both of the following steps, depending on which export report you want to disable.
+
+ - **Results.csv**
+
+ Save the following text to a Windows registry file by using a filename suffix of .reg; for example, DisableResultsCsv.reg.
+
+ ```text
+ Windows Registry Editor Version 5.00
+ reg add HKLM\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool /v ResultCsvEnabled /t REG_SZ /d False
+ ```
+
+ - **Manifest.xml**
+
+ Save the following text to a Windows registry file by using a filename suffix of .reg; for example, DisableManifestXml.reg.
+
+ ```text
+ Windows Registry Editor Version 5.00
+ reg add HKLM\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool /v ResultEdrmEnabled /t REG_SZ /d False
+ ```
+
+3. In Windows Explorer, select or double-click the .reg file that you created in the previous steps.
+
+4. In the User Access Control window, select **Yes** to let the Registry Editor make the change.
+
+5. When prompted to continue, select **Yes**.
+
+ The Registry Editor displays a message saying that the setting was successfully added to the registry.
+
+## Edit registry settings to re-enable the export reports
+
+If you disabled the Results.csv and Manifest.xml reports by creating the .reg files in the previous procedure, you can edit those files to re-enable a report so that it's exported with the search results. Again, perform the following procedure on the computer that you'll use to export the results a content search.
+
+1. Close the eDiscovery Export tool if it's open.
+
+2. Edit one or both of the .reg edit files that you created in the previous procedure.
+
+ - **Results.csv**
+
+ Open the DisableResultsCsv.reg file in Notepad, change the value `False` to `True`, and then save the file. For example, after you edit the file, it looks like this:
+
+ ```text
+ Windows Registry Editor Version 5.00
+ reg add HKLM\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool /v ResultCsvEnabled /t REG_SZ /d True
+ ```
+
+ - **Manifest.xml**
+
+ Open the DisableManifestXml.reg file in Notepad, change the value `False` to `True`, and then save the file. For example, after you edit the file, it looks like this:
+
+ ```text
+ Windows Registry Editor Version 5.00
+ reg add HKLM\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool /v ResultEdrmEnabled /t REG_SZ /d True
+ ```
+
+3. In Windows Explorer, select or double-click a .reg file that you edited in the previous step.
+
+4. In the User Access Control window, select **Yes** to let the Registry Editor make the change.
+
+5. When prompted to continue, select **Yes**.
+
+ The Registry Editor displays a message saying that the setting was successfully added to the registry.
+
+## Frequently asked questions about disabling export reports
+
+**What are the Results.csv and Manifest.xml reports?**
+
+The Results.csv and Manifest.xml files contain additional information about the content that was exported.
+
+- **Results.csv** An Excel document that contains information about each item that is download as a search result. For email, the result log contains information about each message, including:
+
+ - The location of the message in the source mailbox (including whether the message is in the primary or archive mailbox).
+ - The date the message was sent or received.
+ - The Subject line from the message.
+ - The sender and recipients of the message.
+ - Whether the message is a duplicate message if you enabled de-duplication when exporting the search results. Duplicate messages will have a value in the **Parent ItemId** column that identifies the message as a duplicate. The value in the **Parent ItemId** column is the same as the value in the **Item DocumentId** column of the message that was exported.
+
+ For documents from SharePoint and OneDrive for Business sites, the result log contains information about each document, including:
+
+ - The URL for the document.
+ - The URL for the site collection where the document is located.
+ - The date that the document was last modified.
+ - The name of the document (which is located in the Subject column in the result log).
+
+- **Manifest.xml** A manifest file (in XML format) that contains information about each item included in the search results. The information in this report is the same as the Results.csv report, but it's in the format specified by the Electronic Discovery Reference Model (EDRM). For more information about EDRM, go to [https://www.edrm.net](https://www.edrm.net).
+
+**When should I disable exporting these reports?**
+
+It depends on your specific needs. Many organizations don't require additional information about search results, and don't need these reports.
+
+**What computer do I have to do this on?**
+
+You have to change the registry setting on any local computer that you run the eDiscovery Export tool on.
+
+**After I change this setting, do I have to restart the computer?**
+
+No, you don't have to restart the computer. But if the eDiscovery Export tool is running, you have to close it and then restart it after you change the registry setting.
+
+**Does an existing registry key get edited or does a new key get created?**
+
+A new registry key is created the first time you run the .reg file that you created in the procedure in this article. Then the setting is edited each time you change and rerun the .reg edit file.
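Review bot: All four `.reg` examples (DisableResultsCsv.reg and DisableManifestXml.reg, in both the disable and the re-enable procedure) put a `reg add HKLM\SOFTWARE\... /v ResultCsvEnabled /t REG_SZ /d False` command line under the `Windows Registry Editor Version 5.00` header. That line is reg.exe command-line syntax, not .reg file syntax, so Registry Editor does not read it as a value assignment when the file is imported as steps 3 to 5 describe. Either give the file body in .reg form, that is `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\eDiscovery\ExportTool]` followed by `"ResultCsvEnabled"="False"` (and `"ResultEdrmEnabled"="False"` for the manifest), or drop the header and tell the reader to run the `reg add` command from an elevated command prompt. Smaller points: step 4 in both procedures should read "User Account Control" rather than "User Access Control"; "export the results a content search" is missing "of" in both procedure introductions; "each item that is download" should be "downloaded"; and the last FAQ answer describes creating a registry key where the setting being added and edited is a value under the ExportTool key.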
compliance Ediscovery Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-export-search-results.md
+
+ Title: "Export Content search results"
+description: "Export the search results from a Content search in the Microsoft Purview compliance portal to a local computer. Email results are exported as PST files. Content from SharePoint and OneDrive for Business sites are exported as native Office documents."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
+
+f1_keywords:
+- 'ms.o365.cc.CustomizeExport'
+
+ms.localizationpriority: medium
+
+- tier1
+- purview-compliance
+- content-search
+search.appverid:
+- MOE150
+- MED150
+- MET150
+++
+# Export Content search results
+
+After a Content search is successfully run, you can export the search results to a local computer. When you export email results, they're downloaded to your computer as PST files. When you export content from SharePoint and OneDrive for Business sites, copies of native Office documents are exported. There are other documents and reports included with the exported search results.
+
+Exporting the results of a Content search involves preparing the results, and then downloading them to a local computer. These steps for exporting search results also apply to exporting the results of a search that's associated with Microsoft Purview eDiscovery (Standard) cases.
+
+
+## Before you export search results
+
+- To export search results, you have to be assigned the Export management role in Microsoft Purview compliance portal. This role is assigned to the built-in eDiscovery Manager role group. It isn't assigned by default to the Organization Management role group. For more information, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+- The computer you use to export the search results has to meet the following system requirements:
+
+ - Latest version of Windows (32-bit or 64-bit)
+ - Microsoft .NET Framework 4.7 or higher
+
+- You have to use Microsoft Edge<sup>1</sup> to run the eDiscovery Export Tool. Using Internet Explorer 11 to export search results is no longer supported<sup>2</sup>.
+
+ > [!NOTE]
+ > <sup>1</sup> As a result of recent changes to Microsoft Edge, SelectOnce support is no longer enabled by default. For instructions on enabling SelectOnce support in Edge, see [Use the eDiscovery Export Tool in Microsoft Edge](ediscovery-configure-edge-to-export-search-results.md). Also, Microsoft doesn't manufacture third-party extensions or add-ons for SelectOnce applications. Exporting search results using an unsupported browser with third-party extensions or add-ons isn't supported.
+ >
+ > <sup>2</sup> Beginning August 2021, Microsoft 365 apps and services will no longer support Internet Explorer 11 (IE11) and users may have a degraded experience or be unable to connect to those apps and services. These apps and services will phase out over the upcoming weeks and months to ensure a smooth end of support. Each app and service are being phased out on independent schedules. For more information, see this [blog post](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666).
+
+- The eDiscovery Export Tool that you use in Step 2 to download search results doesn't support automation (by using a script or running cmdlets). We highly recommended that you don't automate the preparation process in Step 1 or the download process in Step 2. If you automate either of these processes, Microsoft Support won't provide assistance if you run into issues.
+- We recommend downloading search results to a local computer. To eliminate your company's firewall or proxy infrastructure from causing issues when downloading search results, you might consider downloading search results to a virtual desktop outside of your network. This may decrease timeouts that occur in Azure data connections when exporting a large number of files. For more information about virtual desktops, see [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop).
+- To improve performance when downloading search results, consider dividing searches that return a large set of results into smaller searches. For example, you can use date ranges in search queries to return a smaller set of results that can be downloaded faster.
+- When you export search results, the data is temporarily stored in a Microsoft-provided Azure Storage location in the Microsoft cloud before it's downloaded to your local computer. Be sure that your organization can connect to the endpoint in Azure, which is **\*.blob.core.windows.net** (the wildcard represents a unique identifier for your export). The search results data is deleted from the Azure Storage location two weeks after it's created.
+- If your organization uses a proxy server to communicate with the Internet, you need to define the proxy server settings on the computer that you use to export the search results (so the export tool can be authenticated by your proxy server). To do this, open the *machine.config* file in the location that matches your version of Windows.
+
+ - **32-bit:** `%windir%\Microsoft.NET\Framework\[version]\Config\machine.config`
+ - **64-bit:** `%windir%\Microsoft.NET\Framework64\[version]\Config\machine.config`
+
+ Add the following lines to the *machine.config* file somewhere between the `<configuration>` and `</configuration>` tags. Be sure to replace `ProxyServer` and `Port` with the correct values for your organization; for example, `proxy01.contoso.com:80`.
+
+ ```xml
+ <system.net>
+ <defaultProxy enabled="true" useDefaultCredentials="true">
+ <proxy proxyaddress="https://ProxyServer :Port "
+ usesystemdefault="False"
+ bypassonlocal="True"
+ autoDetect="False" />
+ </defaultProxy>
+ </system.net>
+ ```
+
+- If the results of a search are older than 7 days and you submit an export job, an error message is displayed prompting you to rerun the search to update the search results. If this happens, cancel the export, rerun the search, and then start the export again.
+
+## Step 1: Prepare search results for export
+
+The first step is to prepare the search results for exporting. When you prepare results, they're uploaded to a Microsoft-provided Azure Storage location in the Microsoft cloud. Content from mailboxes and sites is uploaded at a maximum rate of 2 GB per hour.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), select the content search that you want to export results from.
+
+2. On the **Actions** menu at the bottom of the flyout page, select **Export results**.
+
+ ![Export results option in Actions menu.](../media/ActionMenuExportResults.png)
+
+ The **Export results** flyout page is displayed. The export options available to export content depend on whether search results are located in mailboxes or sites or a combination of both.
+
+3. Under **Output options**, choose one of the following options:
+
+ ![Export output options.](../media/ExportOutputOptions.png)
+
+ - **All items, excluding ones that have unrecognized format, are encrypted, or weren't indexed for other reasons**. This option exports only indexed items.
+ - **All items, including ones that have unrecognized format, are encrypted, or weren't indexed for other reasons**. This option exports indexed and unindexed items.
+ - **Only items that have an unrecognized format, are encrypted, or weren't indexed for other reasons**. This option exports only unindexed items.
+
+ See the [More information](#more-information) section for a description about how partially indexed items are exported. For more information about partially indexed items, see [Partially indexed items in Content search](ediscovery-partially-indexed-items-in-content-search.md).
+
+4. Under **Export Exchange content as**, choose one of the following options:
+
+ ![Exchange options.](../media/ExchangeExportOptions.png)
+
+ - **One PST file for each mailbox**: Exports one PST file for each user mailbox that contains search results. Any results from the user's archive mailbox are included in the same PST file. This option reproduces the mailbox folder structure from the source mailbox.
+ - **One PST file containing all messages**: Exports a single PST file (named *Exchange.pst*) that contains the search results from all source mailboxes included in the search. This option reproduces the mailbox folder structure for each message.
+ - **One PST file containing all messages in a single folder**: Exports search results to a single PST file where all messages are located in a single, top-level folder. This option lets reviewers review items in chronological order (items are sorted by sent date) without having to navigate the original mailbox folder structure for each item.
+ - **Individual messages**: Exports search results as individual email messages, using the .msg format. If you select this option, email search results are exported to a folder in the file system. The folder path for individual messages is the same as the one used if you exported the results to a PST file.
+
+5. Configure the following additional options:
+
+ ![Configure other export options.](../media/OtherExportOptions.png)
+
+ 1. Select the **Enable de-duplication for Exchange content** checkbox to exclude duplicate messages.
+
+ If you select this option, only one copy of a message will be exported even if multiple copies of the same message are found in the mailboxes that were searched. The export results report (which is a file named Results.csv) will contain a row for every copy of a duplicate message so that you can identify the mailboxes (or public folders) that contain a copy of the duplicate message. For more information about de-duplication and how duplicate items are identified, see [De-duplication in eDiscovery search results](ediscovery-de-duplication-in-search-results.md).
+
+ 2. Select the **Include versions for SharePoint files** checkbox to export all versions of SharePoint documents. This option appears only if the content sources of the search include SharePoint or OneDrive for Business sites.
+
+ 3. Select the **Export files in a compressed (zipped) folder. Includes only individual messages and SharePoint documents** checkbox to export search results to compressed folders. This option appears only when you choose to export Exchange items as individual messages and when the search results include SharePoint or OneDrive documents. This option is primarily used to work around the 260 character limit in Windows file path names when items are exported. See the "Filenames of exported items" in the [More information](#more-information) section.
+ > [!IMPORTANT]
+ > Exporting files in a compressed (zipped) folder will increase export times.
+
+6. Select **Export** to start the export process. The search results are prepared for downloading, which means they're collected from the original content locations and then uploaded to an Azure Storage location in the Microsoft cloud. This may take several minutes.
+
+See the next section for instructions to download the exported search results.
+
+## Step 2: Download the search results
+
+The next step is to download the search results from the Azure Storage location to your local computer.
+
+> [!IMPORTANT]
+> The exported search results must be downloaded within 14 days after you created the export job in Step 1.
+
+1. On the **Content search** page in the compliance portal, select the **Exports** tab
+
+ You may have to select **Refresh** to update the list of export jobs so that it shows the export job you created. Export jobs have the same name as the corresponding search with **_Export** appended to the search name.
+
+2. Select the export job that you created in Step 1.
+
+3. On the flyout page under **Export key**, select **Copy to clipboard**. You use this key in step 6 to download the search results.
+
+ > [!IMPORTANT]
+ > Because anyone can install and start the eDiscovery Export tool, and then use this key to download the search results, be sure to take precautions to protect this key just like you would protect passwords or other security-related information.
+
+4. At the top of the flyout page, select **Download results**.
+
+5. If you're prompted to install the **eDiscovery Export Tool**, select **Install**.
+
+6. In the **eDiscovery Export Tool**, do the following:
+
+ ![eDiscovery Export Tool.](../media/eDiscoveryExportTool.png)
+
+ 1. Paste the export key that you copied in Step 3 in the appropriate box.
+
+ 2. Select **Browse** to specify the location where you want to download the search result files.
+
+ > [!IMPORTANT]
+ > Due to high network activity during download, you should download search results only to a location on an internal drive on your local computer. For the best download experience, follow these guidelines: <br/>
+ >- Don't download search results to a UNC path, a mapped network drive, an external USB drive, or a synched OneDrive for Business account.<br/>
+ >- Disable anti-virus scanning for the folder that you download the search result to.<br/>
+ >- Download search results to different folders for concurrent download jobs.
+
+7. Select **Start** to download the search results to your computer.
+
+ The **eDiscovery Export Tool** displays status information about the export process, including an estimate of the number (and size) of the remaining items to be downloaded. When the export process is complete, you can access the files in the location where they were downloaded.
+
+## More information
+
+Here's more information about exporting search results.
+
+- [Export limits](#export-limits)
+- [Export reports](#export-reports)
+- [Exporting partially indexed items](#exporting-partially-indexed-items)
+- [Exporting individual messages or PST files](#exporting-individual-messages-or-pst-files)
+- [Decrypting RMS-protected email messages and encrypted file attachments](#decrypting-rms-protected-email-messages-and-encrypted-file-attachments)
+- [Filenames of exported items](#filenames-of-exported-items)
+- [Miscellaneous](#miscellaneous)
+
+### Export limits
+
+For information about limits when exporting content search results, see the "Export limits" section in [Limits for content search](ediscovery-limits-for-content-search.md#export-limits).
+
+### Export reports
+
+- When you export search results, the following reports are included in addition to the search results.
+
+ - **Export Summary** An Excel document that contains a summary of the export. This includes information such as the number of content sources that were searched, the estimated and downloaded sizes of the search results, and the estimated and downloaded number of items that were exported.
+ - **Manifest** A manifest file (in XML format) that contains information about each item included in the search results.
+ - **Results** An Excel document that contains information about each item that is download as a search result. For email, the result log contains information about each message, including:
+
+ - The location of the message in the source mailbox (including whether the message is in the primary or archive mailbox).
+ - The date the message was sent or received.
+ - The Subject line from the message.
+ - The sender and recipients of the message.
+ - Whether the message is a duplicate message if you enabled the de-duplication option when exporting the search results. Duplicate messages have a value in the **Duplicate to Item** column that identifies the message as a duplicate. The value in the **Duplicate to Item** column contains the item identity of the message that was exported. For more information, see [De-duplication in eDiscovery search results](ediscovery-de-duplication-in-search-results.md).
+
+ For documents from SharePoint and OneDrive for Business sites, the result log contains information about each document, including:
+
+ - The URL for the document.
+ - The URL for the site collection where the document is located.
+ - The date that the document was last modified.
+ - The name of the document (which is located in the Subject column in the result log).
+
+ - **Unindexed Items** An Excel document that contains information about any partially indexed items that would be included in the search results. If you don't include partially indexed items when you generate the search results report, this report will still be downloaded, but will be empty.
+ - **Errors and Warnings** Contains errors and warnings for files encountered during export. See the Error Details column for information specific to each individual error or warning.
+ - **Skipped Items** When you export search results from SharePoint and OneDrive for Business sites, the export will usually include a skipped items report (SkippedItems.csv). The items cited in this report are typically items that won't be downloaded, such as a folder or a document set. Not exporting these types of items is by design. For other items that were skipped, the 'Error Type' and 'Error Details' field in the skipped items report show the reason the item was skipped and wasn't downloaded with the other search results.
+ - **Trace.log** Contains detailed logging information about the export process and can help uncover issues during export. If you open a ticket with Microsoft Support about an issue related to exporting search results, you may be asked to provide this trace log.
+
+ > [!NOTE]
+ > You can just export these documents without having to export the actual search results. See [Export a Content search report](ediscovery-export-a-content-search-report.md).
+
+### Exporting partially indexed items
+
+- If you're exporting mailbox items from a content search that returns all mailbox items in the search results (because no keywords where included in the search query), partially indexed items won't be copied to the PST file that contains the unindexed items. This is because all items, including any partially indexed items, are automatically included in the regular search results. This means that partially indexed items will be included in a PST file (or as individual messages) that contains the other, indexed items.
+
+ If you export both the indexed and partially indexed items or if you export only the indexed items from a content search that returns all items, the same number of items will be downloaded. This happens even though the estimated search results for the content search (displayed in the search statistics in the compliance portal) will still include a separate estimate for the number of partially indexed items. For example, let's say that the estimate for a search that includes all items (no keywords in the search query) shows that 1,000 items were found and that 200 partially indexed items were also found. In this case, the 1,000 items include the partially indexed items because the search returns all items. In other words, there are 1,000 total items returned by the search, and not 1,200 items (as you might expect). If you export the results of this search and choose to export indexed and partially indexed items (or export only partially indexed items), then 1,000 items will be downloaded. Again, that's because partially indexed items are included with the regular (indexed) results when you use a blank search query to return all items. In this same example, if you choose to export only partially indexed items, then only the 200 unindexed items would be downloaded.
+
+ Also note that in the previous example (when you export indexed and partially indexed items or you export only indexed items), the **Export Summary** report included with the exported search results would list 1,000 items estimated items and 1,000 downloaded items for the same reasons as previously described.
+
+- If the search that you're exporting results from was a search of specific content locations or all content locations in your organization, only the partial items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any partially indexed items in that mailbox or site won't be exported. The reason for this is that exporting partially indexed items from lots of locations in the organization might increase the likelihood of export errors and increase the time it takes to export and download the search results.
+
+ To export partially indexed items from all content locations for a search, configure the search to return all items (by removing any keywords from the search query) and then export only partially indexed items when you export the search results.
+
+ ![Use the third export option to export only unindexed items.](../media/5d7be338-a0e5-425f-8ba5-92769c24bf75.png)
+
+- When exporting search results from SharePoint or OneDrive for Business sites, the ability to export unindexed items also depends on the export option that you select and whether a site that was searched contains an indexed item that matches the search criteria. For example, if you search specific SharePoint or OneDrive for Business sites and no search results are found, then no unindexed items from those sites will be exported if you choose the second export option to export both indexed and unindexed items. If an indexed item from a site does match the search criteria, then all unindexed items from that site will be exported when exporting both indexed and unindexed items. The following illustration describes the export options based on whether a site contains an indexed item that matches the search criteria.
+
+ ![Choose the export option based on whether a site contains an indexed item that matches the search criteria.](../media/94f78786-c6bb-42fb-96b3-7ea3998bcd39.png)
+
+ a. Only indexed items that match the search criteria are exported. No partially indexed items are exported.
+
+ b. If no indexed items from a site match the search criteria, then partially indexed items from that same site aren't exported. If indexed items from a site are returned in the search results, then the partially indexed items from that site are exported. In other words, only the partially indexed items from sites that contain items that match the search criteria are exported.
+
+ c. All partially indexed items from all sites in the search are exported, regardless of whether a site contains items that match the search criteria.
+
+ If you choose to export partially indexed items, partially indexed mailbox items are exported in a separate PST file regardless of the option that you choose under **Export Exchange content as**.
+
+- If partially indexed items are returned in the search results (because other properties of partially indexed items matched the search criteria), then those partially indexed are exported with the regular search results. So, if you choose to export both indexed items and partially indexed items (by selecting the **All items, including ones that have unrecognized format, are encrypted, or weren't indexed for other reasons** export option), the partially indexed items exported with the regular results will be listed in the Results.csv report. They won't be listed in the Unindexed items.csv report.
+
+### Exporting individual messages or PST files
+
+- If the file path name of a message exceeds the maximum character limit for Windows, the file path name is truncated. But the original file path name will be listed in the Manifest and ResultsLog.
+- As previously explained, email search results are exported to a folder in the file system. The folder path for individual messages would replicate the folder path in the user's mailbox. For example, for a search named "ContosoCase101" messages in a user's inbox would be located in the folder path `~ContosoCase101\\<date of export\Exchange\user@contoso.com (Primary)\Top of Information Store\Inbox`.
+- If you choose to export email messages in one PST file containing all messages in a single folder, a **Deleted Items** folder and a **Search Folders** folder are included in the top level of the PST folder. These folders are empty.
+- As previously stated, you must export email search results as individual messages to decrypt RMS-protected messages when they're exported. Encrypted messages will remain encrypted if you export email search results as a PST file.
+
+### Decrypting RMS-protected email messages and encrypted file attachments
+
+Any rights-protected (RMS-protected) email messages included in the results of a Content search will be decrypted when you export them. Additionally, any file that's encrypted with a [Microsoft encryption technology](encryption.md) and is attached to an email message that's included in the search results will also be decrypted when it's exported. This decryption capability is enabled by default for members of the eDiscovery Manager role group. This is because the RMS Decrypt management role is assigned to this role group by default. Keep the following things in mind when exporting encrypted email messages and attachments:
+
+- As previously explained, to decrypt RMS-protected messages when you export them, you have to export the search results as individual messages. If you export search results to a PST file, RMS-protected messages remain encrypted.
+- Messages that are decrypted are identified in the **ResultsLog** report. This report contains a column named **Decode Status**, and a value of **Decoded** in this column identifies the messages that were decrypted.
+- In addition to decrypting file attachments when exporting search results, you can also preview the decrypted file when previewing search results. You can only view the rights-protected email message after you export it.
+- At this time, the decryption capability when exporting search results doesn't include encrypted content from SharePoint and OneDrive for Business sites. However, support is coming soon for documents encrypted with Microsoft encryption technologies and stored in SharePoint Online and OneDrive for Business.
+- If you need to prevent someone from decrypting RMS-protect messages and encrypted file attachments, you have to create a custom role group (by copying the built-in eDiscovery Manager role group) and then remove the RMS Decrypt management role from the custom role group. Then add the person who you don't want to decrypt messages as a member of the custom role group.
+
+### Filenames of exported items
+
+- There's a 260-character limit (imposed by the operating system) for the full path name for email messages and site documents exported to your local computer. The full path name for exported items includes the item's original location and the folder location on the local computer where the search results are downloaded to. For example, if you specify to download the search results to `C:\Users\Admin\Desktop\SearchResults` in the eDiscovery Export tool, then the full pathname for a downloaded email item would be `C:\Users\Admin\Desktop\SearchResults\ContentSearch1\03.15.2017-1242PM\Exchange\sarad@contoso.com (Primary)\Top of Information Store\Inbox\Insider trading investigation.msg`.
+
+- If the 260-character limit is exceeded, the full path name for an item will be truncated, based on the following:
+
+ - If the full path name is longer than 260 characters, the file name will be shortened to get under the limit; note that the truncated filename (excluding the file extension) won't be fewer than eight characters.
+
+ - If the full path name is still too long after shortening the file name, the item is moved from its current location to the parent folder. If the pathname is still too long, then the process is repeated: shorten the filename, and if necessary move again to the parent folder. This process is repeated until the full pathname is under the 260-character limit.
+
+ - If a truncated full path name already exists, a version number is added to the end of the filename; for example, `statusmessage(2).msg`.
+
+ To help mitigate this issue, consider downloading search results to a location with a short path name; for example, downloading search results to a folder named `C:\Results` would add fewer characters to the path names of exported items than downloading them to a folder named `C:\Users\Admin\Desktop\Results`.
+
+- When you export site documents, it's also possible that the original file name of a document will be modified. This happens specifically for documents that have been deleted from a SharePoint or OneDrive for Business site that's been placed on hold. After a document that's on a site that's on hold is deleted, the deleted document is automatically moved to the Preservation Hold library for the site (which was created when the site was placed on hold). When the deleted document is moved to the Preservation Hold library, a randomly generated and unique ID is appended to the original filename of the document. For example, if the filename for a document is `FY2017Budget.xlsx` and that document is later deleted and moved to the Preservation Hold library, the filename of the document that is moved to the Preservation Hold library is modified to something like `FY2017Budget_DEAF727D-0478-4A7F-87DE-5487F033C81A2000-07-05T10-37-55.xlsx`. If a document in the Preservation Hold library matches the query of a Content search and you export the results of that search, the exported file has the modified filename; in this example, the filename of the exported document would be `FY2017Budget_DEAF727D-0478-4A7F-87DE-5487F033C81A2000-07-05T10-37-55.xlsx`.
+
+ When a document on a site that's on hold is modified (and versioning for the document library in the site has been enabled), a copy of the file is automatically created in the Preservation Hold library. In this case, a randomly generated and unique ID is also appended to the filename of the document that's copied to the Preservation Hold library.
+
+ The reason why filenames of documents that are moved or copied to the Preservation Hold library is to prevent conflicting filenames. For more information about placing a hold on sites and the Preservation Hold library, see [Overview of in-place hold in SharePoint Server 2016](https://support.office.com/article/5e400d68-cd51-444a-8fe6-e4df1d20aa95).
+
+### Miscellaneous
+
+- When downloading search results using the eDiscovery Export Tool, it's possible you might receive the following error: `System.Net.WebException: The remote server returned an error: (412) The condition specified using HTTP conditional header(s) is not met.` This is transient error, which typically occurs in the Azure Storage location. To resolve this issue, retry [downloading the search results](#step-2-download-the-search-results), which will restart the eDiscovery Export Tool.
+- All search results and the export reports are included in a folder that has the same name as the Content search. The email messages that were exported are located in a folder named **Exchange**. Documents are located in a folder named **SharePoint**.
+- The file system metadata for documents on SharePoint and OneDrive for Business sites is maintained when documents are exported to your local computer. That means document properties, such as created and last modified dates, aren't changed when documents are exported.
+- If your search results include a list item from SharePoint that matches the search query, all rows in the list will be exported in addition to the item that matches the search query and any attachments in the list. The reason for this behavior is to provide a context for list items that are returned in the search results. The other list items and attachments may cause the count of exported items to be different than the original estimate of search results.
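Review bot: the sentence that explains the Preservation Hold rename under "Filenames of exported items" has no verb: "The reason why filenames of documents that are moved or copied to the Preservation Hold library is to prevent conflicting filenames" should read "...are modified is to prevent conflicting filenames". In the same addition, the example folder path under "Exporting individual messages or PST files" has a doubled backslash and an unclosed placeholder (`~ContosoCase101\\<date of export\Exchange\...`), so a reader cannot tell where the date segment ends. Smaller wording slips: "1,000 items estimated items", "those partially indexed are exported" (missing "items"), "RMS-protect messages" (should be "RMS-protected"), and "This is transient error". The RMS section's "support is coming soon" for SharePoint and OneDrive content is a time-relative promise; state only the current behaviour so that readers who rely on this section to decide who holds the RMS Decrypt role are not guessing at scope.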
compliance Ediscovery Premium Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-premium-get-started.md
Title: "Set up eDiscovery (Premium) in Microsoft Purview"
-description: "This article describes how to set up eDiscovery (Premium) so you can start creating and managing cases. It also describes the required Microsoft subscriptions and licensing. After you complete a few quick steps, the eDiscovery (Premium) tool is ready to use."
+ Title: "Get started with eDiscovery (Premium)"
+description: "This article describes how to get started eDiscovery (Premium) so you can start creating and managing cases. It also describes the required Microsoft subscriptions and licensing. After you complete a few quick steps, the eDiscovery (Premium) tool is ready to use."
f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/11/2023 audience: Admin
search.appverid:
- MET150
-# Set up Microsoft Purview eDiscovery (Premium)
+# Get started with eDiscovery (Premium)
Microsoft Purview eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export data that's responsive to your organization's internal and external investigations. Nothing is needed to deploy eDiscovery (Premium), but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start to create and use eDiscovery (Premium) cases to manage your investigations.
To access eDiscovery (Premium) or added as a member of an eDiscovery (Premium) c
Complete the following steps to add users to the eDiscovery Manager role group: 1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">compliance portal</a>and sign in using the credentials for an admin account in your Microsoft 365 organization.- 2. On the **Permissions** page, select the **eDiscovery Manager** role group.- 3. On the eDiscovery Manager flyout page, select **Edit** next to the **eDiscovery Manager** section.- 4. On the **Choose eDiscovery Manager** page in the edit role group wizard, select **Choose eDiscovery Manager**.- 5. Select **Add** then select the checkbox for all users you want to add to the role group.- 6. Select **Add** to add the selected users, and then select **Done**.- 7. Select **Save** to add the users to the role group, and then select **Close** to complete the step. ### More information about the eDiscovery Manager role group
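Review bot: the new description line drops a word: "how to get started eDiscovery (Premium)" should be "how to get started with eDiscovery (Premium)", matching the new title and H1. The title and H1 also no longer say "Microsoft Purview" while the first body sentence still opens with "Microsoft Purview eDiscovery (Premium)"; confirm that the shortened name is intended everywhere or only in the headings.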
compliance Ediscovery Retry Failed Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-retry-failed-content-search.md
+
+ Title: "Retry a Content Search to resolve a content location error"
+description: During an investigation, you can use the Retry button to resolve Content Searches that have content location errors.
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- tier1
+- purview-compliance
+- content-search
+search.appverid:
+- MOE150
+- MET150
+++
+# Retry a Content Search to resolve a content location error
+
+When you use Content Search in the compliance portal to search a large number of mailboxes, you may get search errors that are similar to the error:
+
+```text
+Error
+
+The search on the following locations failed:
+User1@contoso.com: Problem in processing the request. Please try again later. If you keep getting this error, contact your admin. (CS008-009)
+User2@contoso.com: Application error occurred. Please try again later. (CS012-002)
+```
+
+These errors (with error codes of CS001-002, CS003-002, CS008-009, CS012-002, and other errors of the form CS0XX-0XX) indicate that Content Search failed to search specific content locations. In this example, two mailboxes weren't searched. These errors are displayed on the status details flyout page of the Content Search.
++
+## Cause of content location errors
+
+When searching a large number of mailboxes, the search is distributed across thousands of servers in a Microsoft datacenter. At any one time, specific servers could be in reboot state or in the process of failing over to redundant copies. In either of these cases, the Content Search's request to retrieve data will time out. In the previous example, the errors for the mailboxes that failed were the result of the search timing out.
+
+## Resolving content location errors
+
+Restarting the search will often result in similar errors on different servers. Instead of restarting the search, select the **Retry** button that is displayed at the top of the search results page.
+
+![Select the Retry button to resolve content location errors.](../media/retrycontentsearch3.png)
+
+This will result in the retrying the search only for the mailboxes that failed. When you retry the search, the other results that were successfully returned are retained.
+
+## Tips to avoid content location errors
+
+Here are some additional causes of content location errors and some tips to help you avoid them when searching large numbers of mailboxes.
+
+- The mailbox being searched might be busy due to user activity. In this case, the search service might throttle itself to prevent the mailbox from becoming unavailable. To avoid this, try running searches during non-business hours.
+- The search query might be retrieving too much content from the mailbox. If possible, try to narrow the scope of the search by using keywords, date ranges, and search conditions.
+- Too many keywords or keyword phrases when you create a search query using the [keywords list](ediscovery-view-keyword-statistics-for-content-search.md#get-keyword-statistics-for-searches). When you run a search query that uses the keywords list, the service essentially runs a separate search for each row in the keyword list so that statistics can be generated. If you're using the keywords list in search queries, minimize the number of rows in the keyword list or divide the number keywords into smaller lists and create a different search for each keyword list.
+
+ > [!NOTE]
+ > To help reduce issues caused by large keyword lists, you're now limited to a maximum of 20 rows in the keyword list of a search query.
+
+- Too many searches are being performed on the same mailbox at the same time. If possible, try to run one search at a time on any one mailbox.
+- Searching too many mailboxes in a single search. The probability of content location errors increases when searching a large number of mailboxes. If possible, try to run multiple searches so that each search includes a subset of mailboxes in your organization.
+- Required maintenance is being performed on the mailbox. Though this cause probably occurs infrequently, wait a little while after receiving the content location error and then retry the search.
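Review bot: under "Resolving content location errors", "This will result in the retrying the search only for the mailboxes that failed" is ungrammatical; suggest "This retries the search only for the mailboxes that failed." In the tips list, "divide the number keywords into smaller lists" is missing "of", and the keyword-list bullet opens with a fragment ("Too many keywords or keyword phrases when you create a search query...") while its neighbours are mixed between fragments and full sentences; make the bullets parallel. The note gives a hard limit of 20 rows in the keyword list, so the bullet's advice to "minimize the number of rows" would be clearer if it led with that limit.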
compliance Ediscovery Search For And Delete Email Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-search-for-and-delete-email-messages.md
+
+ Title: "Search for and delete email messages in your organization"
+description: "Use the search and purge feature in the Microsoft Purview compliance portal to search for and delete an email message from all mailboxes in your organization."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
++
+ms.localizationpriority: high
+
+- tier1
+- purview-compliance
+- content-search
+search.appverid:
+- MOE150
+- MET150
++
+# Search for and delete email messages
+
+> [!TIP]
+>This article is for administrators. Are you trying to find items in your mailbox that you want to delete? See [Find a message or item with Instant Search](https://support.office.com/article/69748862-5976-47b9-98e8-ed179f1b9e4d).
+
+You can use the Content search feature to search for and delete email messages from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:
+
+- Messages that contain dangerous attachments or viruses
+- Phishing messages
+- Messages that contain sensitive data
+
+> [!TIP]
+> If your organization has a Defender for Office 365 Plan 2 subscription, we recommend using the procedure detailed in [Remediate malicious email delivered in Office 365](/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365), rather than following the procedure described in this article.
++
+## Before you begin
+
+- The search and purge workflow described in this article doesn't delete chat messages or other content from Microsoft Teams. If the Content search that you create in Step 2 returns items from Microsoft Teams, those items won't be deleted when you purge items in Step 3. To search for and delete chat messages, see [Search and purge chat messages in Teams](ediscovery-search-and-delete-teams-chat-messages.md).
+- To create and run a Content search, you have to be a member of the *eDiscovery Manager* role group or be assigned the *Compliance Search* role in the Microsoft Purview compliance portal. To delete messages, you have to be a member of the *Organization Management* role group or be assigned the *Search And Purge* role in the compliance portal For information about adding users to a role group, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+
+ > [!NOTE]
+ > The *Organization Management* role group exists in both Exchange Online and in the compliance portal. These are separate role groups that give different permissions. Being a member of *Organization Management* in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the *Search And Purge* role in the compliance portal (either directly or through a role group such as *Organization Management*), you'll receive an error in Step 3 when you run the *New-ComplianceSearchAction* cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'".
+
+- You have to use Security & Compliance PowerShell to delete messages. See [Step 1: Connect to Security & Compliance PowerShell](#step-1-connect-to-security--compliance-powershell) for instructions about how to connect.
+- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.
+- The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000. If the search (that you create in [Step 2](#step-2-create-a-content-search-to-find-the-message-to-delete) searches more than 50,000 mailboxes, the purge action (that you create in Step 3) will fail. Searching more than 50,000 mailbox in a single search might typically happen when you configure the search to include all mailboxes in your organization. This restriction still applies even when less than 50,000 mailboxes contain items that match the search query. See the [More information](#more-information) section for guidance about using search permissions filters to search for and purge items from more than 50,000 mailboxes.
+- The procedure in this article can only be used to delete items in Exchange Online mailboxes and public folders. You can't use it to delete content from SharePoint or OneDrive for Business sites.
+- Email items in a review set in an eDiscovery (Premium) case can't be deleted by using the procedures in this article. That's because items in a review set are stored in an Azure Storage location, and not in the live service. This means they won't be returned by the content search that you create in Step 1. To delete items in a review set, you have to delete the eDiscovery (Premium) case that contains the review set. For more information, see [Close or delete an eDiscovery (Premium) case](ediscovery-close-or-delete-case.md).
+
+## Step 1: Connect to Security & Compliance PowerShell
+
+The first step is to connect to [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) for your organization. For step-by-step instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+## Step 2: Create a Content Search to find the message to delete
+
+The second step is to create and run a Content search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the [Microsoft Purview compliance portal](https://compliance.microsoft.com) or by running the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets in Security & Compliance PowerShell. The messages that match the query for this search will be deleted by running the **New-ComplianceSearchAction -Purge** command in [Step 3](#step-3-delete-the-message). For information about creating a Content search and configuring search queries, see the following articles:
+
+- [Content search in Office 365](ediscovery-content-search.md)
+- [Keyword queries for Content search](ediscovery-keyword-queries-and-search-conditions.md)
+- [New-ComplianceSearch](/powershell/module/exchange/New-ComplianceSearch)
+- [Start-ComplianceSearch](/powershell/module/exchange/Start-ComplianceSearch)
+
+> [!NOTE]
+> The content locations that are searched in the Content search that you create in this step can't include SharePoint or OneDrive for Business sites. You can include only mailboxes and public folders in a Content search that will be used to email messages. If the Content search includes sites, you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet.
+
+### Tips for finding messages to remove
+
+The goal of the search query is to narrow the results of the search to only the message or messages that you want to remove. Here are some tips:
+
+- If you know the exact text or phrase used in the subject line of the message, use the **Subject** property in the search query.
+- If you know that exact date (or date range) of the message, include the **Received** property in the search query.
+- If you know who sent the message, include the **From** property in the search query.
+- Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
+- Use the search estimate statistics (displayed in the details pane of the search in the compliance portal or by using the [Get-ComplianceSearch](/powershell/module/exchange/get-compliancesearch) cmdlet) to get a count of the total number of results.
+
+Here are two examples of queries to find suspicious email messages.
+
+- This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words "action" and "required" in the subject line.
+
+ ```powershell
+ (Received:4/13/2016..4/14/2016) AND (Subject:'Action required')
+ ```
+
+- This query returns messages that were sent by user@contoso.com and that contain the exact phrase "Update your account information" in the subject line.
+
+ ```powershell
+ (From:user@contoso.com) AND (Subject:"Update your account information")
+ ```
+
+Here's an example of using a query to create and start a search by running the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets to search all mailboxes in the organization:
+
+```powershell
+$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
+Start-ComplianceSearch -Identity $Search.Identity
+```
+
+## Step 3: Delete the message
+
+After you've created and refined a Content search to return the messages that you want to remove, the final step is to run the **New-ComplianceSearchAction -Purge** command in Security & Compliance PowerShell to delete the message.
+
+You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
+
+> [!NOTE]
+> As previously stated, items from Microsoft Teams that are returned by Content search are not deleted when you run the the **New-ComplianceSearchAction -Purge** command.
+
+To run the following commands to delete messages, be sure that you're [connected to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+### Soft-delete messages
+
+In the following example, the command soft-deletes the search results returned by a Content search named "Remove Phishing Message".
+
+```powershell
+New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
+```
+
+### Hard-delete messages
+
+To hard-delete the items returned by the "Remove Phishing Message" content search, you would run this command:
+
+```powershell
+New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
+```
+
+When you run the previous commands to soft- or hard-delete messages, the search specified by the *SearchName* parameter is the Content search that you created in Step 1.
+
+For more information, see [New-ComplianceSearchAction](/powershell/module/exchange/New-ComplianceSearchAction).
+
+## More information
+
+- **How do you get status on the search and remove operation?**
+
+ Run the **Get-ComplianceSearchAction** to get the status on the delete operation. The object that is created when you run the **New-ComplianceSearchAction** cmdlet is named using this format: `<name of Content Search>_Purge`.
+
+- **What happens after you delete a message?**
+
+ A message that's deleted with the `New-ComplianceSearchAction -Purge -PurgeType HardDelete` command is moved to the Purges folder and can't be accessed by the user. After the message is moved to the Purges folder, the message is retained for the duration of the deleted item retention period if single item recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time the mailbox is processed by the Managed Folder assistant.
+
+ If you use the `New-ComplianceSearchAction -Purge -PurgeType SoftDelete` command, messages are moved to the Deletions folder in the user's Recoverable Items folder. It isn't immediately purged from Microsoft 365. The user can recover messages in the Deleted Items folder for the duration based on the deleted item retention period configured for the mailbox. After this retention period expires (or if user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user. Once in the Purges folder, the message is retained for the duration based on the deleted item retention period configured for the mailbox if single items recovery is enabled for the mailbox. (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created.) After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Microsoft 365 the next time that the mailbox is processed by the Managed Folder assistant.
+
+- **What if you have to delete a message from more than 50,000 mailboxes?**
+
+ As previously stated, you can perform a search and purge operation on a maximum of 50,000 mailboxes (even if less than 50,000 contain items that match the search query). If you have to do a search and purge operation on more than 50,000 mailboxes, consider creating temporary search permissions filters that reduce the number of mailboxes that would be searched to less than 50,000 mailboxes. For example, if your organization contains mailboxes in different departments, states, or countries, you can create a mailbox search permissions filter based on one of those mailbox properties to search a subset of mailboxes in your organization. After you create the search permissions filter, you would create the search (described in Step 1) and then delete the message (described in Step 3). Then you can edit the filter to search for and purge messages in a different set of mailboxes. For more information about creating search permissions filters, see [Configure permissions filtering for Content Search](ediscovery-permissions-filtering-for-content-search.md).
+
+- **Will unindexed items included in the search results be deleted?**
+
+ No, the `New-ComplianceSearchAction -Purge command doesn't delete unindexed items.
+
+- **What happens if a message is deleted from a mailbox that has been placed on In-Place Hold or Litigation Hold or is assigned to an Microsoft 365 retention policy?**
+
+ After the message is purged and moved to the Purges folder, the message is retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the hold is removed or the hold duration is changed.
+
+- **Why is the search and remove workflow divided among different security and compliance center role groups?**
+
+ As previously explained, a person has to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role to search mailboxes. To delete messages, a person has to be a member of the Organization Management role group or be assigned the Search And Purge management role. This makes it possible to control who can search mailboxes in the organization and who can delete messages.
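Review bot: three places say the Content search is created in "Step 1", but Step 1 in this article is "Connect to Security & Compliance PowerShell" and the search is created in Step 2. The three places are the review-set bullet under "Before you begin", the sentence after the hard-delete command ("the Content search that you created in Step 1"), and the 50,000-mailbox answer under "More information" ("create the search (described in Step 1)"). All three should say Step 2. Because this procedure ends in a purge, the query examples also need to be unambiguous: the first sample query uses `Subject:'Action required'` and is described as matching the words "action" and "required", while the New-ComplianceSearch example uses `Subject:"Action required"`; pick one quoting style and say whether it matches the phrase or the individual words. Formatting and wording slips: the unindexed-items answer opens an inline code span before "New-ComplianceSearchAction -Purge" and never closes it; the Step 2 note says "used to email messages" (missing "delete"); the 50,000-mailbox bullet has an unclosed parenthesis after the Step 2 link; the permissions bullet lacks a period after "compliance portal"; the Step 3 note has "the the"; and the soft-delete answer says messages go to the Deletions folder but then that the user recovers them "in the Deleted Items folder".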
compliance Ediscovery Search Mailboxes And Onedrive For Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-search-mailboxes-and-onedrive-for-users.md
+
+ Title: Use Content Search for a list of users on the mailbox & OneDrive for Business site
+description: "Use Content Search and the script in this article to search the mailboxes and OneDrive for Business sites for a group of users."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
+++
+- tier1
+- purview-compliance
+- content-search
+ms.localizationpriority: medium
+search.appverid:
+- MOE150
+- MET150
+++
+# Use Content Search to search the mailbox and OneDrive for Business site for a list of users
+
+Security & Compliance PowerShell provides a number of cmdlets that let you automate time-consuming eDiscovery-related tasks. Currently, creating a Content search in the Microsoft Purview compliance portal to search a large number of custodian content locations takes time and preparation. Before you create a search, you have to collect the URL for each OneDrive for Business site and then add each mailbox and OneDrive for Business site to the search. In future releases, this will be easier to do in the compliance portal. Until then, you can use the script in this article to automate this process. This script prompts you for the name of your organization's MySite domain (for example, **contoso** in the URL `https://contoso-my.sharepoint.com`), a list of user email addresses, the name of the new Content Search, and the search query to use. The script gets the OneDrive for Business URL for each user in the list, and then it creates and starts a Content Search that searches the mailbox and OneDrive for Business site for each user in the list, using the search query that you provide.
++
+## Permissions and script information
+
+- You have to be a member of the eDiscovery Manager role group in the compliance portal and a SharePoint Online global administrator to run the script in Step 3.
+
+- Be sure to save the list of users that you create in Step 2 and the script in Step 3 to the same folder. That will make it easier to run the script.
+
+- The script includes minimal error handling. Its primary purpose is to quickly and easily search the mailbox and OneDrive for Business site of each user.
+
+- The sample scripts provided in this topic aren't supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+## Step 1: Install the SharePoint Online Management Shell
+
+The first step is to install the SharePoint Online Management Shell. You don't have to use the shell in this procedure, but you have to install it because it contains pre-requisites required by the script that you run in Step 3. These prerequisites allow the script to communicate with SharePoint Online to get the URLs for the OneDrive for Business sites.
+
+Go to [Set up the SharePoint Online Management Shell environment](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and perform Step 1 and Step 2 to install the SharePoint Online Management Shell.
+
+## Step 2: Generate a list of users
+
+The script in Step 3 will create a Content Search to search the mailboxes and OneDrive accounts for a list of users. You can just type the email addresses in a text file, or you can run a command in PowerShell to get a list of email addresses and save them to a file (located in same folder that you'll save the script to in Step 3).
+
+Here's an [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) command that you can runt to get a list of email addresses for all users in your organization and save it to a text file named `Users.txt`.
+
+```powershell
+Get-Mailbox -ResultSize unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox'} | Select-Object PrimarySmtpAddress > Users.txt
+```
+
+After you run this command, be sure to open the file and remove the header that contains the property name, `PrimarySmtpAddress`. The text file should just contain a list of email addresses, and nothing else. Make sure there are no blank rows before or after the list of email addresses.
+
+## Step 3: Run the script to create and start the search
+
+When you run the script in this step, it will prompt you for the following information. Be sure to have this information ready before you run the script.
+
+- **Your user credentials** - The script will use your credentials to access SharePoint Online to get the OneDrive for Business URLs and to connect to Security & Compliance PowerShell.
+
+- **Name of your MySite domain** - The MySite domain is the domain that contains all the OneDrive for Business sites in your organization. For example, if the URL for your MySite domain is **https://contoso-my.sharepoint.com**, then you would enter `contoso` when the script prompts you for the name of your MySite domain.
+
+- **Pathname of the text file from Step 2** - The pathname of the text file that you created in Step 2. If the text file and the script are located in the same folder, then enter the name of the text file. Otherwise, enter the complete pathname for the text file.
+
+- **Name of the Content Search** - The name of the Content Search that will be created by the script.
+
+- **Search query** - The search query that will be used with the Content Search is created and run. For more information about search queries, see [Keyword queries and search conditions for eDiscovery](ediscovery-keyword-queries-and-search-conditions.md).
+
+**To run the script:**
+
+1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `SearchEXOOD4B.ps1`. Save the file to the same folder where you saved the list of users in Step 2.
+
+ ```powershell
+ # This PowerShell script will prompt you for the following information:
+ # * Your user credentials
+ # * The name of your organization's MySite domain
+ # * The pathname for the text file that contains a list of user email addresses
+ # * The name of the Content Search that will be created
+ # * The search query string
+ # The script will then:
+ # * Find the OneDrive for Business site for each user in the text file
+ # * Create and start a Content Search using the above information
+ # Get user credentials
+ if (!$credentials)
+ {
+ $credentials = Get-Credential
+ }
+ # Get the user's MySite domain name. We use this to create the admin URL and root URL for OneDrive for Business
+ $mySiteDomain = Read-Host "What is your organization's MySite domain? For example, 'contoso' for 'https://contoso-my.sharepoint.com'"
+ $AdminUrl = "https://$mySiteDomain-admin.sharepoint.com"
+ $mySiteUrlRoot = "https://$mySiteDomain-my.sharepoint.com"
+ # Get other required information
+ $inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
+ $searchName = Read-Host "Enter the name for the new search"
+ $searchQuery = Read-Host "Enter the search query you want to use"
+ $emailAddresses = Get-Content $inputfile | where {$_ -ne ""} | foreach{ $_.Trim() }
+ # Connect to Security & Compliance PowerShell
+ if (!$s -or !$a)
+ {
+ Import-Module ExchangeOnlineManagement
+ Connect-IPPSSession
+ }
+
+ # Load the SharePoint assemblies from the SharePoint Online Management Shell
+ # To install, go to https://go.microsoft.com/fwlink/p/?LinkId=255251
+ if (!$SharePointClient -or !$SPRuntime -or !$SPUserProfile)
+ {
+ $SharePointClient = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
+ $SPRuntime = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
+ $SPUserProfile = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
+ if (!$SharePointClient)
+ {
+ Write-Error "SharePoint Online Management Shell isn't installed, please install from: https://go.microsoft.com/fwlink/p/?LinkId=255251 and then run this script again"
+ return;
+ }
+ }
+ if (!$spCreds)
+ {
+ $spCreds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credentials.UserName, $credentials.Password)
+ }
+ # Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
+ $proxyaddr = "$AdminUrl/_vti_bin/UserProfileService.asmx?wsdl"
+ $UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
+ $UserProfileService.Credentials = $credentials
+ # Take care of auth cookies
+ $strAuthCookie = $spCreds.GetAuthenticationCookie($AdminUrl)
+ $uri = New-Object System.Uri($AdminUrl)
+ $container = New-Object System.Net.CookieContainer
+ $container.SetCookies($uri, $strAuthCookie)
+ $UserProfileService.CookieContainer = $container
+ Write-Host "Getting each user's OneDrive for Business URL"
+ $urls = @()
+ foreach($emailAddress in $emailAddresses)
+ {
+ try
+ {
+ $prop = $UserProfileService.GetUserProfileByName("i:0#.f|membership|$emailAddress") | Where-Object { $_.Name -eq "PersonalSpace" }
+ $url = $prop.values[0].value
+ $furl = $mySiteUrlRoot + $url
+ $urls += $furl
+ Write-Host "-$emailAddress => $furl"
+ }
+ catch
+ {
+ Write-Warning "Could not locate OneDrive for $emailAddress"
+ }
+ }
+ Write-Host "Creating and starting the search"
+ $search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -SharePointLocation $urls -ContentMatchQuery $searchQuery
+ # Finally, start the search and then display the status
+ if($search)
+ {
+ Start-ComplianceSearch $search.Name
+ Get-ComplianceSearch $search.Name
+ }
+ ```
+
+2. Open Windows PowerShell and go to the folder where you saved the script and the list of users from Step 2.
+
+3. Start the script; for example:
+
+ ```powershell
+ .\SearchEXOOD4B.ps1
+ ```
+
+4. When prompted for your credentials, enter your email address and password, and then click **OK**.
+
+5. Enter following information when prompted by the script. Type each piece of information and then press **Enter**.
+
+ - The name of your MySite domain.
+
+ - The pathname of the text file that contains the list of users.
+
+ - A name for the Content Search.
+
+ - The search query (leave this blank to return all items in the content locations).
+
+ The script gets the URLs for each OneDrive for Business site and then creates and starts the search. You can either run the **Get-ComplianceSearch** cmdlet in Security & Compliance PowerShell to display the search statistics and results, or you can go to the **Content search** page in the compliance portal to view information about the search.
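Review bot: In the Step 3 script, the OneDrive lookup loop only calls Write-Warning when a user's site can't be resolved, and `New-ComplianceSearch` then runs with whatever ended up in `$urls`, so the search can cover fewer OneDrive sites than the input list (or none) without any final summary. Collect the failed addresses and print them before the search is created, or stop at that point, and tell the reader to reconcile the list against the search locations. Related input handling: `where {$_ -ne ""} | foreach{ $_.Trim() }` filters before trimming, so a whitespace-only line survives as an empty string passed to `-ExchangeLocation`; trim first, then filter. The guard `if (!$s -or !$a)` tests variables the script never assigns, so it reconnects on every run, and `-UseDefaultCredential False` puts a bare word after a switch instead of turning the switch off (use `-UseDefaultCredential:$false` or drop it). The "Your user credentials" bullet says the prompted credentials are used to connect to Security & Compliance PowerShell, but `Connect-IPPSSession` is called without them, so the text and the script disagree. In Step 2, "runt" is a typo, and redirecting `Select-Object PrimarySmtpAddress` to `Users.txt` is what forces the manual header cleanup described in the next paragraph; `Select-Object -ExpandProperty PrimarySmtpAddress` would write bare addresses. In the "Search query" bullet, "will be used with the Content Search is created and run" is missing "when".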
compliance Ediscovery Set Up Compliance Boundaries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-set-up-compliance-boundaries.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/10/2023 audience: Admin
We use the example in the following illustration to explain how compliance bound
![Compliance boundaries consist of search permissions filters that control access to agencies and admin role groups that control access to eDiscovery cases.](../media/M365_ComplianceBoundary_OrgChart_v2.png)
-In this example, Contoso LTD is an organization that consists of two subsidiaries, Fourth Coffee and Coho Winery. The business requires that eDiscovery managers and investigators can only search the Exchange mailboxes, OneDrive accounts, and SharePoint sites in their agency. Also, eDiscovery managers and investigators can only see eDiscovery cases in their agency, and they can only access the cases that they're a member of. Additionally in this scenario, investigators cannot place content locations on hold or export content from a case. Here's how compliance boundaries meet these requirements.
+In this example, Contoso LTD is an organization that consists of two subsidiaries, Fourth Coffee and Coho Winery. The business requires that eDiscovery managers and investigators can only search the Exchange mailboxes, OneDrive accounts, and SharePoint sites in their agency. Also, eDiscovery managers and investigators can only see eDiscovery cases in their agency, and they can only access the cases that they're a member of. Additionally in this scenario, investigators can't place content locations on hold or export content from a case. Here's how compliance boundaries meet these requirements.
- The search permissions filtering functionality for eDiscovery controls the content locations that eDiscovery managers and investigators can search. This means eDiscovery managers and investigators in the Fourth Coffee agency can only search content locations in the Fourth Coffee subsidiary. The same restriction applies to the Coho Winery subsidiary.
Here's the process for setting up compliance boundaries:
## Step 1: Identify a user attribute to define your agencies
-The first step is to choose an attribute to use that will define your agencies. This attribute is used to create the search permissions filter that limits an eDiscovery manager to search only the content locations of users who are assigned a specific value for this attribute. For example, let's say Contoso decides to use the **Department** attribute. The value for this attribute for users in the Fourth Coffee subsidiary would be `FourthCoffee` and the value for users in Coho Winery subsidiary would be `CohoWinery`. In Step 3, you use this `attribute:value` pair (for example, *Department:FourthCoffee*) to limit the user content locations that eDiscovery managers can search.
+The first step is to choose an attribute to use that will define your agencies. This attribute is used to create the search permissions filter that limits an eDiscovery manager to search only the content locations of users who are assigned a specific value for this attribute. For example, let's say Contoso decides to use the **Department** attribute. The value for this attribute for users in the Fourth Coffee subsidiary would be `FourthCoffee` and the value for users in Coho Winery subsidiary would be `CohoWinery`. In Step 3, you use this `attribute:value` pair (for example, *Department:FourthCoffee*) to limit the user content locations that eDiscovery managers can search.
Here are some examples of user attributes that you can use for compliance boundaries:
For a complete list, see the full list of supported [mailbox filters](/powershel
## Step 2: Create a role group for each agency
-The next step is to create the role groups in the compliance portal that will align with your agencies. We recommend that you create a role group by copying the built-in eDiscovery Managers group, adding the appropriate members, and removing roles that may not be applicable to your needs. For more information about eDiscovery-related roles, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+The next step is to create the role groups in the compliance portal that will align with your agencies.
To create the role groups, go to the **Permissions** page in the compliance portal and create a role group for each team in each agency that will use compliance boundaries and eDiscovery cases to manage investigations.+
+We recommend that the role groups created for the compliance boundary don't have any roles attached to it. This role group should only be used to assign users to the role group. Separate built-in (eDiscovery Manager) or custom role groups should be used to assign roles to members. For more information about eDiscovery-related roles, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
Using the Contoso compliance boundaries scenario, four role groups need to be created and the appropriate members added to each one.
Using the Contoso compliance boundaries scenario, four role groups need to be cr
- Fourth Coffee Investigators - Coho Winery eDiscovery Managers - Coho Winery Investigators
-
-To meet the requirements of the Contoso compliance boundaries scenario, you would also remove the **Hold** and **Export** roles from the investigators role groups to prevent investigators from placing holds on content locations and exporting content from a case.
> [!IMPORTANT]
-> If a role is added or removed from a role group that you've added as a member of a case, then the role group will be automatically removed as a member of the case (or any case the role group is a member of). The reason for this is to protect your organization from inadvertently providing additional permissions to members of a case. Similarly, if a role group is deleted, it will be removed from all cases it was a member of.
+> If a role is added or removed from a role group that you've added as a member of a case, then the role group is automatically removed as a member of the case (or any case the role group is a member of). The reason for this is to protect your organization from inadvertently providing additional permissions to members of a case. If a role group is deleted, it is removed from all cases it was a member of. We recommend that the role groups created for compliance boundaries don't have any roles assigned to them. Use separate built-in/custom role groups to assign roles to members.
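Review bot: Step 2 no longer says how the scenario's requirement that investigators "can't place content locations on hold or export content from a case" is met: the deleted paragraph about removing the **Hold** and **Export** roles from the investigators role groups is not replaced, and the new text only points to "separate built-in (eDiscovery Manager) or custom role groups" for roles. Add a sentence saying which roles the investigators' separate role group must omit, otherwise a reader following the new steps with the built-in group gives investigators hold and export rights. It is also unclear which group is meant to be added as a case member once the boundary role groups carry no roles; the IMPORTANT callout still talks about roles being added to or removed from a role group that is a case member. The recommendation itself appears twice (new paragraph and the end of the callout); keep one, and fix the number agreement in "role groups ... don't have any roles attached to it".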
## Step 3: Create a search permissions filter to enforce the compliance boundary
New-ComplianceSecurityFilter -FilterName <name of filter> -Users <role groups> -
Here's a description of each parameter in the command: - `FilterName`: Specifies the name of the filter. Use a name that describes or identifies the agency that the filter is used in.- - `Users`: Specifies the users or groups who get this filter applied to the search actions they perform. For compliance boundaries, this parameter specifies the role groups (that you created in Step 2) in the agency that you're creating the filter for. Note this is a multi-value parameter so you can include one or more role groups, separated by commas.- - `Filters`: Specifies the search criteria for the filter. For compliance boundaries, you define the following filters. Each one applies to different content locations. - `Mailbox`: Specifies the mailboxes or OneDrive accounts that the role groups defined in the `Users` parameter can search. This filter allows members of the role group to search only the mailboxes or OneDrive accounts in a specific agency; for example, `"Mailbox_Department -eq 'FourthCoffee'"`.- - `SiteContent`: This filter includes two separate filters. The first `SiteContent_Path` specifies the SharePoint sites in the agency that the role groups defined in the `Users` parameter can search. For example, `SiteContent_Path -like 'https://contoso.sharepoint.com/sites/FourthCoffee'`. The second `SiteContent_Path` filter (connected to the first `SiteContent_Path` filter by the `or` operator) specifies the agency's OneDrive domain (also called the *MySite* domain). For example, `SiteContent_Path -like 'https://contoso-my.sharepoint.com/personal'`. You can also use the `Site_Path` filter in place of the `SiteContent` filter. The `Site` and `SiteContent` filters are interchangeable, and don't affect search permissions filters described in this article. > [!IMPORTANT]
The final step is to create a eDiscovery (Standard) case or eDiscovery (Premium)
- Only members of the role group added to the case will be able to see and access the case in the compliance portal. For example, if the Fourth Coffee Investigators role group is the only member of a case, then members of the Fourth Coffee eDiscovery Managers role group (or members of any other role group) won't be able to see or access the case. -- When a member of the role group assigned to a case runs a search associated with the case, they will only be able to search the content locations within their agency (which is defined by the search permissions filter that you created in Step 3.)
+- When a member of the role group assigned to a case runs a search associated with the case, they'll only be able to search the content locations within their agency (which is defined by the search permissions filter that you created in Step 3.)
To create a case and assign members: 1. Go to the **eDiscovery (Standard)** or **eDiscovery (Premium)** page in the compliance portal and create a case.- 2. In the list of cases, select the name of the case you created.- 3. Add role groups as members to the case. For instructions, see the one of the following articles: - [Add members to a eDiscovery (Standard) case](ediscovery-standard-get-started.md#step-4-optional-add-members-to-a-ediscovery-standard-case)- - [Add members to an eDiscovery (Premium) case](ediscovery-add-or-remove-members-from-a-case.md) > [!NOTE]
If the region specified in the search permissions filter doesn't exist in your o
**What is the maximum number of search permissions filters that can be created in an organization?**
-There is no limit to the number of search permissions filters that can be created in an organization. However, a search query can have a maximum of 100 conditions. In this case, a condition is defined as something that's connected to the query by a Boolean operator (such as **AND**, **OR**, and **NEAR**). The limit of the number of conditions includes the search query itself plus all search permissions filters that are applied to the user who runs the search. Therefore, the more search permissions filters you have (especially if these filters are applied to the same user or group of users), the better the chance of exceeding the maximum number of conditions for a search.
+There's no limit to the number of search permissions filters that can be created in an organization. However, a search query can have a maximum of 100 conditions. In this case, a condition is defined as something that's connected to the query by a Boolean operator (such as **AND**, **OR**, and **NEAR**). The limit of the number of conditions includes the search query itself plus all search permissions filters that are applied to the user who runs the search. Therefore, the more search permissions filters you have (especially if these filters are applied to the same user or group of users), the better the chance of exceeding the maximum number of conditions for a search.
To understand how this limit works, you need to understand that a search permissions filter is appended to the search query when a search is run. A search permissions filter is joined to the search query by the **AND** Boolean operator. The query logic for the search query and a single search permissions filter would look like this:
compliance Ediscovery Standard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-standard-get-started.md
Title: "Get started with eDiscovery (Standard) cases in Microsoft Purview"
+ Title: "Get started with eDiscovery (Standard)"
description: "Describes how to get started using eDiscovery (Standard) in Microsoft Purview. After you assign eDiscovery permissions and create a case, you can add members, create eDiscovery holds, and then search for and export content that's relevant to your investigation." f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/11/2023 audience: Admin
search.appverid:
- MET150
-# Get started with eDiscovery (Standard) in Microsoft Purview
+# Get started with eDiscovery (Standard)
Microsoft Purview eDiscovery (Standard) in Microsoft Purview provides a basic eDiscovery tool that organizations can use to search and export content in Microsoft 365 and Office 365. You can also use eDiscovery (Standard) to place an eDiscovery hold on content locations, such as Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams. Nothing is needed to deploy eDiscovery (Standard), but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start using eDiscovery (Standard) to search, export, and preserve content.
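Review bot: With "in Microsoft Purview" dropped from the title and the H1, the opening sentence still reads "Microsoft Purview eDiscovery (Standard) in Microsoft Purview provides", which names the product family twice; trim it in the same change so the heading and the first sentence agree. The `description` value still says "in Microsoft Purview" as well, which is fine for search but worth a conscious decision rather than an oversight.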
compliance Ediscovery Use Content Search For Targeted Collections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-use-content-search-for-targeted-collections.md
+
+ Title: "Use Content search for targeted collections"
+description: "Use Content search in the Microsoft Purview compliance portal to perform a targeted collection, which searches for items in a specific mailbox or site folder."
+f1.keywords:
+- NOCSH
+++ Last updated : 01/01/2023
+audience: Admin
+++
+- tier1
+- purview-compliance
+- content-search
+ms.localizationpriority: medium
+search.appverid:
+- MOE150
+- MET150
+++
+# Use Content search for targeted collections
+
+The Content search tool in the Microsoft Purview compliance portal doesn't provide a direct way in the UI to search specific folders in Exchange mailboxes or SharePoint and OneDrive for Business sites. However, it's possible to search specific folders (called a *targeted collection*) by specifying the folder ID property for email or path (DocumentLink) property for sites in the actual search query syntax. Using Content Search to perform a targeted collection is useful when you're confident that items responsive to a case or privileged items are located in a specific mailbox or site folder. You can use the script in this article to obtain the folder ID for mailbox folders or the path (DocumentLink) for folders on a SharePoint and OneDrive for Business site. Then you can use the folder ID or path in a search query to return items located in the folder.
+
+> [!NOTE]
+> To return content located in a folder in a SharePoint or OneDrive for Business site, the script in this topic uses the DocumentLink managed property instead of the Path property. The DocumentLink property is more robust than the Path property because it will return all content in a folder, whereas the Path property won't return some media files.
++
+## Before you run a targeted collection
+
+- You have to be a member of the eDiscovery Manager role group in the compliance portal to run the script in Step 1. For more information, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+
+- You also have to be assigned the Mail Recipients role in your Exchange Online organization. This is required to run the **Get-MailboxFolderStatistics** cmdlet, which is included in the script. By default, the Mail Recipients role is assigned to the Organization Management and Recipient Management role groups in Exchange Online. For more information about assigning permissions in Exchange Online, see [Manage role group members](/exchange/manage-role-group-members-exchange-2013-help). You could also create a custom role group, assign the Mail Recipients role to it, and then add the members who need to run the script in Step 1. For more information, see [Manage role groups](/Exchange/permissions-exo/role-groups).
+
+- The script in this article supports modern authentication. You can use the script as-is if you are a Microsoft 365 or a Microsoft 365 GCC organization. If you are an Office 365 Germany organization, a Microsoft 365 GCC High organization, or a Microsoft 365 DoD organization, you will have to edit the script to successfully run it. Specifically, you have to edit the line `Connect-ExchangeOnline` and use the *ExchangeEnvironmentName* parameter (and the appropriate value for your organization type) to connect to Exchange Online PowerShell. Also, you have to edit the line `Connect-IPPSSession` and use the *ConnectionUri* and *AzureADAuthorizationEndpointUri* parameters (and the appropriate values for your organization type) to connect to Security & Compliance PowerShell. For more information, see the examples in [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-without-using-mfa) and [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell#connect-to-security--compliance-center-powershell-without-using-mfa).
+
+- Each time you run the script, a new remote PowerShell session is created. That means you can use up all the remote PowerShell sessions available to you. To prevent this from happening, run the following commands to disconnect your active remote PowerShell sessions.
+
+ ```powershell
+ Get-PSSession | Remove-PSSession; Disconnect-ExchangeOnline
+ ```
+
+ For more information, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+- The script includes minimal error handling. The primary purpose of the script is to quickly display a list of mailbox folder IDs or site paths that can be used in the search query syntax of a Content Search to perform a targeted collection.
+
+- The sample script provided in this topic isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+## Step 1: Run the script to get a list of folders for a mailbox or site
+
+The script that you run in this first step will return a list of mailbox folders or SharePoint and OneDrive for Business folders, and the corresponding folder ID or path for each folder. When you run this script, it will prompt you for the following information.
+
+- **Email address or site URL**: Type an email address of the custodian to return a list of Exchange mailbox folders and folder IDs. Or type the URL for a SharePoint site or a OneDrive for Business site to return a list of paths for the specified site. Here are some examples:
+
+ - **Exchange**: `stacig@contoso.onmicrosoft.com`
+
+ - **SharePoint**: `https://contoso.sharepoint.com/sites/marketing`
+
+ - **OneDrive for Business**: `https://contoso-my.sharepoint.com/personal/stacig_contoso_onmicrosoft_com`
+
+- **Your user credentials**: The script will use your credentials to connect to Exchange Online PowerShell or Security & Compliance PowerShell using modern authentication. As previously explained, you have to be assigned the appropriate permissions to successfully run this script.
+
+To display a list of mailbox folders or site documentlink (path) names:
+
+1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `GetFolderSearchParameters.ps1`.
+
+ ```powershell
+ #########################################################################################################
+ # This PowerShell script will prompt you for: #
+ # * Admin credentials for a user who can run the Get-MailboxFolderStatistics cmdlet in Exchange #
+ # Online and who is an eDiscovery Manager in the compliance portal. #
+ # The script will then: #
+ # * If an email address is supplied: list the folders for the target mailbox. #
+ # * If a SharePoint or OneDrive for Business site is supplied: list the documentlinks (folder paths) #
+ # * for the site. #
+ # * In both cases, the script supplies the correct search properties (folderid: or documentlink:) #
+ # appended to the folder ID or documentlink to use in a Content Search. #
+ # Notes: #
+ # * For SharePoint and OneDrive for Business, the paths are searched recursively; this means the #
+ # the current folder and all sub-folders are searched. #
+ # * For Exchange, only the specified folder will be searched; this means sub-folders in the folder #
+ # will not be searched. To search sub-folders, you need to use the specify the folder ID for #
+ # each sub-folder that you want to search. #
+ # * For Exchange, only folders in the user's primary mailbox will be returned by the script. #
+ #########################################################################################################
+ # Collect the target email address or SharePoint Url
+ $addressOrSite = Read-Host "Enter an email address or a URL for a SharePoint or OneDrive for Business site"
+ # Authenticate with Exchange Online and the compliance portal (Exchange Online Protection - EOP)
+ if ($addressOrSite.IndexOf("@") -ige 0)
+ {
+ # List the folder Ids for the target mailbox
+ $emailAddress = $addressOrSite
+ # Connect to Exchange Online PowerShell
+ if (!$ExoSession)
+ {
+ Import-Module ExchangeOnlineManagement
+ Connect-ExchangeOnline -ShowBanner:$false -CommandName Get-MailboxFolderStatistics
+ }
+ $folderQueries = @()
+ $folderStatistics = Get-MailboxFolderStatistics $emailAddress
+ foreach ($folderStatistic in $folderStatistics)
+ {
+ $folderId = $folderStatistic.FolderId;
+ $folderPath = $folderStatistic.FolderPath;
+ $encoding= [System.Text.Encoding]::GetEncoding("us-ascii")
+ $nibbler= $encoding.GetBytes("0123456789ABCDEF");
+ $folderIdBytes = [Convert]::FromBase64String($folderId);
+ $indexIdBytes = New-Object byte[] 48;
+ $indexIdIdx=0;
+ $folderIdBytes | select -skip 23 -First 24 | %{$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -shr 4];$indexIdBytes[$indexIdIdx++]=$nibbler[$_ -band 0xF]}
+ $folderQuery = "folderid:$($encoding.GetString($indexIdBytes))";
+ $folderStat = New-Object PSObject
+ Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderPath -Value $folderPath
+ Add-Member -InputObject $folderStat -MemberType NoteProperty -Name FolderQuery -Value $folderQuery
+ $folderQueries += $folderStat
+ }
+ Write-Host "--Exchange Folders--"
+ $folderQueries |ft
+ }
+ elseif ($addressOrSite.IndexOf("http") -ige 0)
+ {
+ $searchName = "SPFoldersSearch"
+ $searchActionName = "SPFoldersSearch_Preview"
+ # List the folders for the SharePoint or OneDrive for Business Site
+ $siteUrl = $addressOrSite
+ # Connect to Security & Compliance PowerShell
+ if (!$SccSession)
+ {
+ Import-Module ExchangeOnlineManagement
+ Connect-IPPSSession
+ }
+ # Clean-up, if the script was aborted, the search we created might not have been deleted. Try to do so now.
+ Remove-ComplianceSearch $searchName -Confirm:$false -ErrorAction 'SilentlyContinue'
+ # Create a Content Search against the SharePoint Site or OneDrive for Business site and only search for folders; wait for the search to complete
+ $complianceSearch = New-ComplianceSearch -Name $searchName -ContentMatchQuery "contenttype:folder" -SharePointLocation $siteUrl
+ Start-ComplianceSearch $searchName
+ do{
+ Write-host "Waiting for search to complete..."
+ Start-Sleep -s 5
+ $complianceSearch = Get-ComplianceSearch $searchName
+ }while ($complianceSearch.Status -ne 'Completed')
+ if ($complianceSearch.Items -gt 0)
+ {
+ # Create a Compliance Search Action and wait for it to complete. The folders will be listed in the .Results parameter
+ $complianceSearchAction = New-ComplianceSearchAction -SearchName $searchName -Preview
+ do
+ {
+ Write-host "Waiting for search action to complete..."
+ Start-Sleep -s 5
+ $complianceSearchAction = Get-ComplianceSearchAction $searchActionName
+ }while ($complianceSearchAction.Status -ne 'Completed')
+ # Get the results and print out the folders
+ $results = $complianceSearchAction.Results
+ $matches = Select-String "Data Link:.+[,}]" -Input $results -AllMatches
+ foreach ($match in $matches.Matches)
+ {
+ $rawUrl = $match.Value
+ $rawUrl = $rawUrl -replace "Data Link: " -replace "," -replace "}"
+ Write-Host "DocumentLink:""$rawUrl"""
+ }
+ }
+ else
+ {
+ Write-Host "No folders were found for $siteUrl"
+ }
+ Remove-ComplianceSearch $searchName -Confirm:$false -ErrorAction 'SilentlyContinue'
+ }
+ else
+ {
+ Write-Error "Couldn't recognize $addressOrSite as an email address or a site URL"
+ }
+ ```
+
+2. On your local computer, open Windows PowerShell and go to the folder where you saved the script.
+
+3. Run the script; for example:
+
+ ```powershell
+ .\GetFolderSearchParameters.ps1
+ ```
+
+4. Enter the information that the script prompts you for.
+
+ The script displays a list of mailbox folders or site folders for the specified user. Leave this window open so that you can copy a folder ID or documentlink name and paste it in to a search query in Step 2.
+
+ > [!TIP]
+ > Instead of displaying a list of folders on the computer screen, you can re-direct the output of the script to a text file. This file will be saved to the folder where the script is located. For example, to redirect the script output to a text file, run the following command in Step 3: `.\GetFolderSearchParameters.ps1 > StacigFolderIds.txt` Then you can copy a folder ID or documentlink from the file to use in a search query.
+
+### Script output for mailbox folders
+
+If you're getting mailbox folder IDs, the script connects to Exchange Online PowerShell, runs the **Get-MailboxFolderStatisics** cmdlet, and then displays the list of the folders from the specified mailbox. For every folder in the mailbox, the script displays the name of the folder in the **FolderPath** column and the folder ID in the **FolderQuery** column. Additionally, the script adds the prefix of **folderId** (which is the name of the mailbox property) to the folder ID. Because the **folderid** property is a searchable property, you'll use `folderid:<folderid>` in a search query in Step 2 to search that folder.
+
+> [!IMPORTANT]
+> The script in this article includes encoding logic that converts the 64-character folder Id values that are returned by **Get-MailboxFolderStatistics** to the same 48-character format that is indexed for search. If you just run the **Get-MailboxFolderStatistics** cmdlet in PowerShell to obtain a folder Id (instead of running the script in this article), a search query that uses that folder Id value will fail. You have to run the script to get the correctly-formatted folder Ids that can be used in a Content Search.
+
+Here's an example of the output returned by the script for mailbox folders.
+
+![Example of the list of mailbox folders and folder IDs returned by the script.](../media/cd739207-eb84-4ebf-a03d-703f3d3a797d.png)
+
+The example in Step 2 shows the query used to search the Purges subfolder in the user's Recoverable Items folder.
+
+### Script output for site folders
+
+If you're getting the path of the **documentlink** property from SharePoint or OneDrive for Business sites, the script connects to Security & Compliance PowerShell, creates a new Content Search that searches the site for folders, and then displays a list of the folders located in the specified site. The script displays the name of each folder and adds the prefix of **documentlink** to the folder URL. Because the **documentlink** property is a searchable property, you'll use `documentlink:<path>` property:value pair in a search query in Step 2 to search that folder. The script displays a maximum of 100 site folders. If there are more than 100 site folders, the newest ones are displayed.
+
+Here's an example of the output returned by the script for site folders.
+
+![Example of the list of documentlink names for site folders returned by the script.](../media/519e8347-7365-4067-af78-96c465dc3d15.png)
+
+## Step 2: Use a folder ID or documentlink to perform a targeted collection
+
+After you've run the script to collect a list of folder IDs or document links for a specific user, the next step to go to the compliance portal and create a new Content Search to search a specific folder. You'll use the `folderid:<folderid>` or `documentlink:<path>` property:value pair in the search query that you configure in the Content Search keyword box (or as the value for the *ContentMatchQuery* parameter if you use the **New-ComplianceSearch** cmdlet). You can combine the `folderid` or `documentlink` property with other search parameters or search conditions. If you only include the `folderid` or `documentlink` property in the query, the search will return all items located in the specified folder.
+
+1. Go to <https://compliance.microsoft.com> and sign in using the account and credentials that you used to run the script in Step 1.
+
+2. In the left pane of the compliance center, click **Show all** > **Content search**, and then click **New search**.
+
+3. In the **Keywords** box, paste the `folderid:<folderid>` or `documentlink:<path>/*` value that was returned by the script in Step 1.
+
+ For example, the query in the following screenshot will search for any item in the Purges subfolder in the user's Recoverable Items folder (the value of the `folderid` property for the Purges subfolder is shown in the screenshot in Step 1):
+
+ ![Paste the folderid or documentlink in to the keyword box of the search query.](../media/FolderIDSearchQuery.png)
+ > [!IMPORTANT]
+ > documentlink searches require the use of a trailing `asterisk '/*'`.
+
+4. Under **Locations**, select **Specific locations** and then click **Modify**.
+
+5. Do one of the following, based on whether you're searching a mailbox folder or a site folder:
+
+ - Next to **Exchange email**, click **Choose users, groups, or teams** and then add the same mailbox that you specified when you ran the script in Step 1.
+
+ Or
+
+ - Next to **SharePoint sites**, click **Choose sites** and then add the same site URL that you specified when you ran the script in Step 1.
+
+6. After you save the content location to search, click **Save & run**, type a name for the Content Search, and then click **Save** to start the targeted collection search.
+
+### Examples of search queries for targeted collections
+
+Here are some examples of using the `folderid` and `documentlink` properties in a search query to perform a targeted collection. Placeholders are used for `folderid:<folderid>` and `documentlink:<path>` to save space.
+
+- This example searches three different mailbox folders. You could use similar query syntax to search the hidden folders in a user's Recoverable Items folder.
+
+ ```powershell
+ folderid:<folderid> OR folderid:<folderid> OR folderid:<folderid>
+ ```
+
+- This example searches a mailbox folder for items that contain an exact phrase.
+
+ ```powershell
+ folderid:<folderid> AND "Contoso financial results"
+ ```
+
+- This example searches a site folder (and any subfolders) for documents that contain the letters "NDA" in the title.
+
+ ```powershell
+ documentlink:"<path>/*" AND filename:nda
+ ```
+
+- This example searches a site folder (and any subfolder) for documents there were changed within a date range.
+
+ ```powershell
+ documentlink:"<path>/*" AND (lastmodifiedtime>=01/01/2017 AND lastmodifiedtime<=01/21/2017)
+ ```
+
+## More information
+
+Keep the following things in mind when using the script in this article to perform targeted collections.
+
+- The script doesn't remove any folders from the results. So some folders listed in the results might be unsearchable (or return zero items) because they contain system-generated content or because they only contain subfolders and not mailbox items.
+
+- This script only returns folder information for the user's primary mailbox. It doesn't return information about folders in the user's archive mailbox. To return information about folders in the user's archive mailbox, you can edit the script. To do this, change the line `$folderStatistics = Get-MailboxFolderStatistics $emailAddress` to `$folderStatistics = Get-MailboxFolderStatistics $emailAddress -Archive` and then save and run the edited script. This change will return the folder IDs for folders and subfolders in the user's archive mailbox. To search the entire archive mailbox, you can connect all folder ID property:value pairs with an `OR` operator in a search query.
+
+- When searching mailbox folders, only the specified folder (identified by its `folderid` property) will be searched; subfolders won't be searched. To search subfolders, you need to use the folder ID for the subfolder that you want to search.
+
+- When searching site folders, the folder (identified by its `documentlink` property) and all subfolders will be searched.
+
+- When exporting the results of a search in which you only specified the `folderid` property in the search query, you can choose the first export option, "All items, excluding ones that have an unrecognized format, are encrypted, or weren't indexed for other reasons." All items in the folder will always be exported regardless of their indexing status because the folder ID is always indexed.
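Review bot: The two polling loops in the SharePoint branch of `GetFolderSearchParameters.ps1` (`while ($complianceSearch.Status -ne 'Completed')` and `while ($complianceSearchAction.Status -ne 'Completed')`) have no timeout and no exit for any other end state, so a search or preview action that never reaches `Completed` leaves the script waiting indefinitely and the final `Remove-ComplianceSearch` cleanup is never reached. Suggest bounding the wait with a retry counter or deadline and reporting the last status on exit. In the same script, `if (!$ExoSession)` and `if (!$SccSession)` test variables that the script never assigns, so unless the caller's session happens to define them the script reconnects on every run; either set them after connecting or drop the guards. `$matches = Select-String ...` reuses the name of PowerShell's automatic `$Matches` variable; a distinct name such as `$linkMatches` avoids the collision. In the prose, `Get-MailboxFolderStatisics` under "Script output for mailbox folders" is misspelled (the script and the IMPORTANT note use `Get-MailboxFolderStatistics`), "the next step to go to the compliance portal" in Step 2 is missing "is", and "documents there were changed" in the last query example should read "that were changed".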
compliance Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
See the following articles to help you learn more and get started using Microsof
### Get started with Content search -- [Search for content using Content search](search-for-content.md)-- [Create a search](ediscovery-content-search.md)
+- [Overview of Content search](search-for-content.md)
+- [Get started with Content search](ediscovery-content-search.md)
### Get started with eDiscovery (Standard)
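Review bot: The new link text `Get started with Content search` is identical to the `### Get started with Content search` heading it sits under, so the list repeats the section title instead of naming the task the link leads to. Consider more specific link text for `ediscovery-content-search.md`; the `Get started with eDiscovery (Premium)` link in the next hunk follows the same pattern under its own heading.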
See the following articles to help you learn more and get started using Microsof
### Get started with eDiscovery (Premium) - [Overview of eDiscovery (Premium)](ediscovery-overview.md)-- [Set up eDiscovery (Premium)](ediscovery-premium-get-started.md)
+- [Get started with eDiscovery (Premium)](ediscovery-premium-get-started.md)
- [Create and manage an eDiscovery (Premium) case](ediscovery-create-and-manage-cases.md) ## Integration with Insider Risk Management
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
f1.keywords:
Previously updated : 04/11/2023 Last updated : 04/12/2023 audience: Admin
Remember to use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-
The AIP client supports many customizations by using [PowerShell advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configuring-advanced-settings-for-the-client-via-powershell). For the advanced settings applicable to Office apps that are also supported by built-in labeling, see the list in [New-Label](/powershell/module/exchange/new-label) or [Set-Label](/powershell/module/exchange/set-label), and [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) or [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy).
-However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft Purview compliance portal. For example, UI configuration to choose label colors, and turn off mandatory labeling for Outlook.
+However, you might find you don't need to use PowerShell to configure the supported settings because they're included in the standard configuration from the Microsoft Purview compliance portal. For example, UI configuration to choose label colors, and turn off mandatory labeling for Outlook. Check the available configurations in [Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md).
-The following configurations from the AIP add-in that aren't yet supported by built-in labeling include:
--- [Label inheritance from email attachments](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#for-email-messages-with-attachments-apply-a-label-that-matches-the-highest-classification-of-those-attachments)
- - This option is currently rolling out in preview. For more information, see [Configure label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).
--- [Oversharing popup messages for Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent)
- - The equivalent of this configuration is now available in preview as a DLP policy configuration. For more information, see [Scenario 2 Show policy tip as oversharing popup (preview)](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview).
--- [Remove external content markings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#remove-headers-and-footers-from-other-labeling-solution)
+> [!NOTE]
+> The AIP add-in used PowerShell advanced settings for [oversharing popup messages in Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent). When you use built-in labeling, the equivalent of this configuration is now available as a [DLP policy configuration](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview).
## Features not planned to be supported by built-in labeling for Office apps
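Review bot: The added NOTE says the DLP equivalent of the oversharing popup "is now available", dropping the "in preview" wording of the removed bullet, yet it still links to the anchor `#scenario-2-show-policy-tip-as-oversharing-popup-preview`, and the Outlook capabilities table in `sensitivity-labels-versions.md` lists "Preventing oversharing as DLP policy tip" as "Preview: Current Channel (Preview)". Suggest keeping "in preview" here until the anchor and the table row change. The removed bullet for "Remove external content markings" also has no replacement text in this section; confirm that the newly linked `sensitivity-labels-office-apps.md` covers it, or keep a one-line pointer.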
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For guidance about when to use this setting, see the information about [policy s
> [!NOTE] > If you use the default label policy setting for documents and emails in addition to mandatory labeling: >
-> The default label always takes priority over mandatory labeling. However, for documents, the Azure Information Protection unified labeling client applies the default label to all unlabeled documents whereas built-in labeling applies the default label to new documents and not to existing documents that are unlabeled. This difference in behavior means that when you use mandatory labeling with the default label setting, users will probably be prompted to apply a sensitivity label more often when they use built-in labeling than when they use the Azure Information Protection unified labeling client.
->
-> Now rolling out: Office apps that use built-in labeling and support a default label for existing documents. For details, see the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) for Word, Excel, and PowerPoint.
+> The default label always takes priority over mandatory labeling. However, if you use a version of built-in labeling that doesn't yet support a default label for existing documents, users will be prompted to apply a sensitivity label for each new document.
+>
+> Identify the minimum versions of Word, Excel, and PowerPoint that support a default label for existing documents by using the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) and the row **Apply a default label to existing documents**.
### For Outlook Mobile, change when users are prompted for a label
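Review bot: The added sentence ends "users will be prompted to apply a sensitivity label for each new document", which looks inverted. The removed text states that built-in labeling applies the default label "to new documents and not to existing documents that are unlabeled", so with a version that lacks default-label support for existing documents the mandatory-labeling prompt would be expected for existing unlabeled documents, not new ones. Suggest "for each existing unlabeled document", or confirm the intended behaviour.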
Before you can scope a label to just files or emails, you must first remove it i
## Configure a label to apply S/MIME protection in Outlook > [!NOTE]
-> This capability is available for built-in labeling for Windows, Mac, iOS, and Android, but it's not yet available for Outlook on the web. Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook) and the row **Apply S/MIME protection**.
+> Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook) and the row **Apply S/MIME protection**.
> > If you configure a label to apply S/MIME protection but your version of Outlook for Windows doesn't yet support it, the label is still displayed and can be applied, but the S/MIME settings are ignored. You won't be able to select this label for Exchange auto-labeling policies.
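Review bot: Removing "it's not yet available for Outlook on the web" from this NOTE leaves the section with no statement about Outlook on the web, while the unchanged second paragraph only covers unsupported versions of Outlook for Windows and the capabilities table row **Apply S/MIME protection** still shows "Under review" for the web. Suggest keeping a short sentence on Outlook on the web, or widening the second paragraph beyond Outlook for Windows.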
For more help in specifying PowerShell advanced settings, see [PowerShell tips f
## Configure label inheritance from email attachments > [!NOTE]
-> This capability is currently rolling out in preview for built-in labeling, and in various stages of release across the platforms. Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Label inheritance from email attachments**.
+> Identify the minimum versions of Outlook that support this feature by using the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Label inheritance from email attachments**.
Turn on email inheritance for when users attach labeled documents to an email message that isn't manually labeled. With this configuration, a sensitivity label is dynamically selected for the email message, based on the sensitivity labels that are applied to the attachments and published to the user. The [highest priority label](sensitivity-labels.md#label-priority-order-matters) is dynamically selected when it's supported by Outlook.
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
Previously updated : 04/03/2023 Last updated : 04/12/2023 audience: Admin
The numbers listed are the minimum Office application versions required for each
|Capability |Windows |Mac |iOS |Android |Web | |--|-:|-|-|--|-|
-|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling Out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
|[Manually apply, change, or remove label](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ | 2.21+ | 16.0.11231+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+|2.21+ |16.0.11231+ |Under review | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) to new documents |Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |2.21+ |16.0.11231+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md)|
The numbers listed are the minimum Office application versions required for each
|[Apply a sensitivity label to files automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.49+ |Under review |Under review |Under review | |[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents |Current Channel: 2107+ <br /><br> Monthly Enterprise Channel: 2107+ <br /><br> Semi-Annual Enterprise Channel: 2202+ |16.51+ |2.58+ |16.0.14931+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[PDF support](sensitivity-labels-office-apps.md#pdf-support)|Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: Rolling out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review |16.69+ |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/ios) |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/android)| [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
The numbers listed are the minimum Office application versions required for each
|Capability |Outlook for Windows |Outlook for Mac |Outlook on iOS |Outlook on Android |Outlook on the web | |--|-:|-||-|-|
-|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling Out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |
|Manually apply, change, or remove label <br /> - [Files and emails](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ | 4.7.1+ | 4.0.39+ | Yes | |Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling out to 2302+ |16.70+ <sup>\*</sup> |Under review |Under review |Yes | |[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |4.7.1+ |4.0.39+ |Yes |
The numbers listed are the minimum Office application versions required for each
|[Different settings for default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.43+ <sup>\*</sup> |4.2111+ |4.2111+ |Yes | |[PDF support](sensitivity-labels-office-apps.md#pdf-support) |Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review |Under review |Under review |Under review | |[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) |Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> |4.2226+ |4.2203+ |Under review |
-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |In preview (4.2313+) |Under review |
+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |In preview (4.2313+) |Under review |
|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |In preview (4.2313+) |Under review | |[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
-|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review |Rolling out: 16.70+ <sup>\*</sup> | Rolling out 4.2309+ |Rolling out 4.2309+ |Yes |
+|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review |Rolling out: 16.70+ <sup>\*</sup> | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes |
|[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)|Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review |Under review |
-|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: Rolling Out to 2303+<br /><br> Monthly Enterprise Channel: 2304+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
+|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Current Channel: Rolling out to 2303+ <br /><br> Monthly Enterprise Channel: 2304+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
**Footnotes:**
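Review bot: In the Outlook **Sensitivity bar** row the corrected cell reads `Rolling out to 2302+<br /><br>` with no space before `<br />`, while the other rows fixed in this commit (`Rolling out to 2302+ <br /><br>` and `Rolling out to 2303+ <br /><br>`) add one. Add the space so the corrected rows stay consistent with each other.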
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
When you configure a label policy, you can:
- **Specify a default label** for unlabeled documents, emails and meeting invites, new containers (when you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)), and also a default label for [Power BI content](/power-bi/admin/service-security-sensitivity-label-default-label-policy). You can specify the same label for all five types of items, or different labels. Users can change the applied default sensitivity label to better match the sensitivity of their content or container. > [!NOTE]
- > Default labeling for existing documents is newly supported for built-in labeling for Office apps. For more information about the rollout per app and minimum versions, see the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) for Word, Excel, and PowerPoint.
+ > Although applying a default label to new documents has been supported for built-in labeling for a while, support for existing documents is still rolling out across the Office deployment channels. To identify the supported versions, use the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) and the row **Apply a default label to existing documents**.
Consider using a default label to set a base level of protection settings that you want applied to all your content. However, without user training and other controls, this setting can also result in inaccurate labeling. It's usually not a good idea to select a label that applies encryption as a default label to documents. For example, many organizations need to send and share documents with external users who might not have apps that support the encryption or they might not use an account that can be authorized. For more information about this scenario, see [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 04/11/2023 Last updated : 04/12/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **General availability (GA)**: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md) - **General availability (GA)**: Outlook for Mac [displays label colors](sensitivity-labels-office-apps.md#label-colors)
+- **General availability (GA)**: Rolling out to Current Channel as a parity feature for the AIP add-in, built-in labeling for Windows supports [label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments).
- **Change of version for AIP add-in disabled by default**: For the Monthly Enterprise Channel only, the AIP add-in for Office apps is disabled by default in version 2303. For the Current Channel and Semi-Annual Enterprise Channel, the AIP add-in is still disabled by default in version 2302. - **Retirement notification for the AIP add-in for Office apps**: The AIP add-in will [retire April 2024](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/retirement-notification-for-the-azure-information-protection/ba-p/3791908). Although the add-in remains in maintenance mode until then, if you haven't already done so, we encourage you to [migrate to the labels built into Office](sensitivity-labels-aip.md).
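Review bot: The added label-inheritance entry is filed under "General availability (GA)" but opens with "Rolling out to Current Channel" and gives no minimum version. The capabilities row changed in this same update lists Current Channel 2303+, Monthly Enterprise Channel 2304+, and Semi-Annual Enterprise Channel 2302+, so the entry should either state those versions or point to that table. Admins who are timing a move off the AIP add-in before its April 2024 retirement need to know which builds have parity.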
enterprise Cross Tenant Onedrive Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-onedrive-migration.md
Microsoft 365 Business Basic/Business Standard/Business Premium/F1/F3/E3/A3/E5/A
## Prerequisites and settings -- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588)
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from the official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=35588).
-- **Turn off service encryption with Customer Key enabled.** Confirm that the source OneDrive tenant **doesn't** have Service encryption with Microsoft Purview Customer Key enabled. If enabled on Source tenant, the migration will fail. [Learn more on Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview)
+- **Turn off service encryption with Customer Key enabled.** Confirm that the source OneDrive tenant **doesn't** have Service encryption with Microsoft Purview Customer Key enabled. If enabled on the source tenant, the migration will fail. [Learn more on Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview).
- Source OneDrive accounts must be set to Read/Write. If set to Read only, they'll fail.
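Review bot: In the Customer Key bullet, the bold lead "Turn off service encryption with Customer Key enabled" contradicts itself and does not match the sentence after it, which asks the admin to confirm that the feature is not enabled. Suggest "Confirm service encryption with Customer Key is not enabled" as the lead, and say whether Customer Key can be turned back on after the migration, since this prerequisite concerns an encryption setting on the source tenant. The SharePoint bullet was edited for the link but still spells "Powershell"; it should be "PowerShell".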
ms-feed M365 Feed https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/ms-feed/m365-feed.md
+
+ Title: "Overview of the Microsoft Feed"
+++ Last updated : 03/28/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- scotvorg
+- Adm_O365
+description: "Use Microsoft Feed to help users discover and learn about people and interests relevant to their work."
++
+# Overview of Microsoft Feed
+
+Microsoft Feed is powered by Microsoft Graph and aims to help users discover and learn about people and interests relevant to their work. Microsoft Feed shows users a mix of content and activity from across Microsoft 365. Users might, for example, see updates to documents theyΓÇÖre working on with others, links shared with them in Teams chats, suggested tasks to follow up, highlights about colleagues, and much more.
+
+Read more about how the feed works here: [Discover and learn with Microsoft Feed](https://support.microsoft.com/en-us/office/discover-and-learn-with-microsoft-feed-9c190800-e348-46b7-9d46-41c628b80ebb)
+
+## Where can users see Microsoft Feed?
+
+In **Microsoft 365** (previously Office.com), while signed in with a work or school account, select **Feed** from the left navigation bar.
+
+![Select Feed in Microsoft 365.](../media/MS-select-feed.png)
+
+In **Microsoft Edge**, select the **Microsoft 365** page when opening a new tab.
+
+![Select Feed in Microsoft 365.](../media/MS-contoso-feed.png)
+
+See the section *Find your way around* in [Discover and learn with Microsoft Feed](https://support.microsoft.com/en-us/office/discover-and-learn-with-microsoft-feed-9c190800-e348-46b7-9d46-41c628b80ebb)
+
+## Availability
+
+In Microsoft 365, the new Feed experience will be rolled out gradually to customers, beginning with the tenants who have selected a Targeted Release attribute in their Microsoft 365 Admin Center.
+
+In Microsoft Edge Enterprise New Tab Page, the new Feed experience will be rolled out in February-March 2023.
+
+## Privacy in Microsoft Feed
+
+The information in Microsoft Feed is tailored to each user. Users will only see documents or other content they have access to or that was shared directly with them. This can be documents that are stored in a shared folder in OneDrive or on a SharePoint site that the user has access to, or a link that someone shared in an email conversation or a Teams chat.
+
+Microsoft Feed doesnΓÇÖt change any permissions, so each user has a unique feed based on what they already have access to. Documents and information are not stored in Microsoft Feed, and changing permissions must be done from where the information is stored, such as in OneDrive or SharePoint.
+
+## What controls are available?
+
+Microsoft Feed is built on Microsoft 365 and implicitly respects all settings and restrictions enabled by admins and users, such as People Insights (see more information on how to [Customize people insights privacy in Microsoft Graph](/graph/insights-customize-people-insights-privacy)), and Item Insights (see more information on how item insights setting works [Item insights overview](/graph/item-insights-overview)).
+
+In addition, Microsoft Feed respects LinkedIn visibility settings (when a user prefers to limit the visibility of their profile information outside of LinkedIn). To learn more, see [Off-LinkedIn Visibility | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a1340507), and [Disconnecting Your LinkedIn and Microsoft Accounts and Managing Your Data | LinkedIn Help](https://www.linkedin.com/help/linkedin/answer/a552108).
+
+In Microsoft 365, as a tenant admin, if you want to disable the new experience, you can contact Microsoft via a service request to turn off Microsoft Feed. This is a temporary solution which removes the Feed icon from the left navigation of Microsoft 365.
+
+1. [Sign in to Microsoft 365](https://admin.microsoft.com) with your Microsoft 365 admin account.
+2. **Select Support** > **New service request.**
+3. If you're in the admin center, selectΓÇ»**Support** > **New service request.**
+4. To re-enable the feature, you can create a **New service request.**
+
+In Microsoft Edge, while signed in with a work or school account, as a tenant admin, if you want to disable the new experience, you can choose to *not show* Microsoft 365 content on the Microsoft Edge new tab page:
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com)
+2. Go toΓÇ»**Org settings**ΓÇ»>ΓÇ»**News.**
+3. Under **News**, select **Microsoft Edge new tab page**.
+4. *Clear* the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
+5. To re-enable the feature, check the box that says **Show Microsoft 365 content on the Microsoft Edge new tab page.**
+
+## Provide feedback
+
+We would love to hear from you! To let us know what you think of this feature, you can reach us by:
+
+1. Responding to our Message Center post with feedback. This option is only available for tenant admins with access to the Microsoft Admin Center in Microsoft 365.
+2. Providing general feature feedback when viewing Microsoft Feed by clicking on "Feedback" in the lower right-hand corner.
+
+## Frequently Asked Questions (FAQ)
+
+1. **What documents can users see in Microsoft Feed?**
+
+When a user creates and stores a document in a folder in OneDrive, and this folder is shared with other people, the document can be picked up and showed in those peopleΓÇÖs feeds, even if the user hasnΓÇÖt explicitly shared the document with others (yet). The same is the case if a user stores a document on a SharePoint site that others have access to.
+
+2. **How does following work?**
+
+Following is synchronized between Microsoft Feed and Yammer. Following features in Microsoft Feed are only available to users who have a Yammer license. If users donΓÇÖt have a Yammer license, the My network page is not available, and the users canΓÇÖt follow others from Microsoft Feed.
+
+3. **What's the connection between** [Office Delve](https://delve.office.com) **and Microsoft Feed?**
+
+Office Delve and Microsoft Feed are both based on Microsoft Graph. However, turning off Office Delve will not turn off Microsoft Feed.
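Review bot: In the service-request procedure under "What controls are available?", steps 2 and 3 give the same instruction (**Support** > **New service request**), step 4 is a remark about re-enabling rather than a step, and the list never says what to ask for in the request. Merge steps 2 and 3, add the wording the admin should use in the request, and move re-enabling to a sentence after the list. FAQ 1 states that a document stored in a shared OneDrive folder can appear in other people's feeds before the author has explicitly shared it; that is the behaviour admins will care about most, so link it from "Privacy in Microsoft Feed" and to the Item insights setting already named in the controls section. Smaller points: both images carry the same alt text, "Select Feed in Microsoft 365."; the Availability section says the Edge experience "will be rolled out in February-March 2023" on a page dated 03/28/2023; and the curly apostrophes and non-breaking spaces in the added text (rendered here as "ΓÇÖ" and "ΓÇ»") should be plain ASCII.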
security Built In Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/built-in-protection.md
f1.keywords: NOCSH
> [!TIP] > **You don't have to wait for built-in protection to come to you**! You can protect your organization's devices now by configuring these capabilities:
-> - [Enable cloud protection](why-cloud-protection-should-be-on-mdav.md)
+> - [Enable cloud protection](enable-cloud-protection-microsoft-defender-antivirus.md)
> - [Turn tamper protection on](prevent-changes-to-security-settings-with-tamper-protection.md) > - [Set standard attack surface reduction rules to block mode](attack-surface-reduction-rules-deployment.md) > - [Enable network protection in block mode](enable-network-protection.md)
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
Next-generation technologies in Microsoft Defender Antivirus provide near-instan
[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing how cloud protection works together with Microsoft Defender Antivirus" lightbox="images/mde-cloud-protection.png":::](enable-cloud-protection-microsoft-defender-antivirus.md) > [!TIP]
-> We recommend keeping cloud protection turned on. To learn more, see [Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md).
+> We recommend keeping cloud protection turned on. To learn more, see [Why cloud protection should be turned on](enable-cloud-protection-microsoft-defender-antivirus.md#why-cloud-protection-should-be-turned-on).
## How cloud protection works
Cloud protection is enabled by default. However, you might need to re-enable it
If your subscription includes Windows 10 E5, you can take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. See [Configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
-## Next steps
-
-Now that you have an overview of cloud protection in Microsoft Defender Antivirus, here are some next steps:
-
-1. See [Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md).
-
-2. Proceed to [Enable cloud protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
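Review bot: Deleting "Next steps" also deletes the tip that pointed to the macOS, Linux, Android, and iOS antivirus articles, and nothing in the lines shown gives those links a new home. If the section is going only because the "why" article is being retired, keep the cross-platform tip, and keep a text link to "Enable cloud protection", which is otherwise reachable from this page only through the diagram.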
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
search.appverid: met150
**Platforms** - Windows
-[Cloud protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by default; however, you can configure cloud protection to suit your organization's needs.
+[Cloud protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by default; however, you can configure cloud protection to suit your organization's needs.
+
+## Why cloud protection should be turned on
+
+Microsoft Defender Antivirus cloud protection helps protect against malware on your endpoints and across your network. We recommend keeping cloud protection turned on, because certain security features and capabilities in Microsoft Defender for Endpoint only work when cloud protection is enabled.
+
+[![alt-text="Diagram showing things that depend on cloud protection](images/mde-cloud-protection.png#lightbox)](enable-cloud-protection-microsoft-defender-antivirus.md)
++
+The following table summarizes the features and capabilities that depend on cloud protection: <br/><br/>
+
+| Feature/Capability | Subscription requirement | Description |
+|||--|
+| **Checking against metadata in the cloud**. The Microsoft Defender Antivirus cloud service uses machine learning models as an extra layer of defense. These machine learning models include metadata, so when a suspicious or malicious file is detected, its metadata is checked. <br/><br/>To learn more, see [Blog: Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) |
+| **[Cloud protection and sample submission](cloud-protection-microsoft-antivirus-sample-submission.md)**. Files and executables can be sent to the Microsoft Defender Antivirus cloud service for detonation and analysis. Automatic sample submission relies on cloud protection, although it can also be configured as a standalone setting.<br/><br/>To learn more, see [Cloud protection and sample submission in Microsoft Defender Antivirus](cloud-protection-microsoft-antivirus-sample-submission.md). | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) |
+| **[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)**. Tamper protection helps protect against unwanted changes to your organization's security settings. <br/><br/>To learn more, see [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) |
+| **[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)** <br/>Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight capabilities queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it is a threat.<br/><br/>To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) |
+| **[Emergency signature updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates)**. When malicious content is detected, emergency signature updates and fixes are deployed. Rather than wait for the next regular update, you can receive these fixes and updates within minutes. <br/><br/>To learn more about updates, see [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) |
+| **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. EDR in block mode provides extra protection when Microsoft Defender Antivirus isn't the primary antivirus product on a device. EDR in block mode remediates artifacts found during EDR-generated scans that the non-Microsoft, primary antivirus solution might have missed. When enabled for devices with Microsoft Defender Antivirus as the primary antivirus solution, EDR in block mode provides the added benefit of automatically remediating artifacts identified during EDR-generated scans. <br/><br/>To learn more, see [EDR in block mode](edr-in-block-mode.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) |
+| **[Attack surface reduction (ASR) rules](attack-surface-reduction.md)**. ASR rules are intelligent rules that you can configure to help stop malware. Certain rules require cloud protection to be turned on in order to function fully. These rules include: <br/>- Block executable files from running unless they meet a prevalence, age, or trusted list criteria <br/>- Use advanced protection against ransomware <br/>- Block untrusted programs from running from removable drives <br/><br/>To learn more, see [Use attack surface reduction rules to prevent malware infection](attack-surface-reduction.md). | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) |
+| **[Indicators of compromise (IoCs)](manage-indicators.md)**. In Defender for Endpoint, IoCs can be configured to define the detection, prevention, and exclusion of entities. Examples: <br/>"Allow" indicators can be used to define exceptions to antivirus scans and remediation actions.<br/>"Alert and block" indicators can be used to prevent files or processes from executing. <br/><br/>To learn more, see [Create indicators](manage-indicators.md). | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) |
+
+> [!TIP]
+> To learn more about Defender for Endpoint plans, see [Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
## Methods to configure cloud protection
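Review bot: The added table keeps the three-column header (Feature/Capability | Subscription requirement | Description), but every added row has only two cells because the description is folded into the first cell, so the "Description" column is empty. Either drop the third header or restore the description as its own cell. The Tamper protection row also loses the sentence from the removed article, "To enforce tamper protection in the Microsoft 365 Defender portal, cloud protection must be enabled", which is the only statement of why that row depends on cloud protection. In the image line, the alt text still begins with a stray alt-text=" and the image now links to the article it sits in.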
For more information about the specific network-connectivity requirements to ens
You can choose to send basic or additional information about detected software:
- - Basic MAPS: Basic membership will send basic information to Microsoft about malware and potentially unwanted software that has been detected on your device. Information includes where the software came from (like URLs and partial paths), the actions taken to resolve the threat, and whether the actions were successful.
+ - Basic MAPS: Basic membership sends basic information to Microsoft about malware and potentially unwanted software that has been detected on your device. Information includes where the software came from (like URLs and partial paths), the actions taken to resolve the threat, and whether the actions were successful.
- - Advanced MAPS: In addition to basic information, advanced membership will send detailed information about malware and potentially unwanted software, including the full path to the software, and detailed information about how the software has affected your device.
+ - Advanced MAPS: In addition to basic information, advanced membership sends detailed information about malware and potentially unwanted software, including the full path to the software, and detailed information about how the software has affected your device.
6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either:
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
This article is updated frequently to let you know what's new in the latest rele
<details> <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary>
+## March-2023 Build: 101.98.30 | Release version: 30.123012.19830.0
+ &ensp;Released: **March , 20,2023**<br/> &ensp;Published: **March 20, 2023**<br/> &ensp;Build: **101.98.30**<br/>
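Review bot: The heading added for build 101.98.30 omits the parentheses that every other added heading uses ("## March-2023 Build: ..." against "## March-2023 (Build: ...)"), so the generated anchors will not follow one pattern. Make it "## March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)". On the same entry, the Released date reads "March , 20,2023" beside Published "March 20, 2023"; the 101.98.05 entry has the same slip ("March , 08,2023").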
mdatp health
In case the issue reappears with some different denials. We need to run the mitigation again with a different module name(eg my-mdatpaudisppl_v2). </details>
-
+ <details> <summary> March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)</summary>
+## March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)
+ &ensp;Released: **March , 08,2023**<br/> &ensp;Published: **March 08, 2023**<br/> &ensp;Build: **101.98.05**<br/>
sudo systemctl disable mdatp
<details> <summary>Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)</summary>
+## Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)
+ &ensp;Released: **January 10, 2023**<br/> &ensp;Published: **January 10, 2023**<br/> &ensp;Build: **101.94.13**<br/>
sudo systemctl disable mdatp
<details> <summary>Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)</summary>
+## Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)
+ &ensp;Released: **November 02, 2022**<br/> &ensp;Published: **November 02, 2022**<br/> &ensp;Build: **101.85.27**<br/>
sudo systemctl disable mdatp
<details> <summary>Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)</summary>
+## Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)
+ &ensp;Released: **September 14, 2022**<br/> &ensp;Published: **September 14, 2022**<br/> &ensp;Build: **101.80.97**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
</details> <details>
- <summary>Aug-2022 (Build: 101.78.13, | Release version: 30.122072.17813.0)</summary>
+ <summary>Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)</summary>
+
+## Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)
&ensp;Released: **August 24, 2022**<br/> &ensp;Published: **August 24, 2022**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
<details> <summary>Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)</summary>
+## Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)
+ &ensp;Released: **August 2, 2022**<br/> &ensp;Published: **August 2, 2022**<br/> &ensp;Build: **101.75.43**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
<details> <summary>Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)</summary>
+## Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)
+ &ensp;Released: **July 21, 2022**<br/> &ensp;Published: **July 21, 2022**<br/> &ensp;Build: **101.73.77**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
<details> <summary>May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)</summary>
+## May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)
+ &ensp;Released: **May 23, 2022**<br/> &ensp;Published: **May 23, 2022**<br/> &ensp;Build: **101.68.80**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
<details> <summary>May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)</summary>
+## May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)
+ &ensp;Released: **May 2, 2022**<br/> &ensp;Published: **May 2, 2022**<br/> &ensp;Build: **101.65.77**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
</details><details> <summary>Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)</summary>
+## Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)
+ &ensp;Released: **Mar 9, 2022**<br/> &ensp;Published: **Mar 9, 2022**<br/> &ensp;Build: **101.60.93**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
</details><details> <summary>Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)</summary>
+## Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)
+ &ensp;Released: **Feb 20, 2022**<br/> &ensp;Published: **Feb 20, 2022**<br/> &ensp;Build: **101.58.80**<br/>
As an alternative to the above, you can follow the instructions to [uninstall](/
</details><details> <summary>Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)</summary>
+## Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)
+ &ensp;Released: **Jan 26, 2022**<br/> &ensp;Published: **Jan 26, 2022**<br/> &ensp;Build: **101.56.62**<br/>
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
ms.localizationpriority: medium
Previously updated : 04/10/2023 Last updated : 04/11/2023
Cloud protection works together with Microsoft Defender Antivirus to deliver pro
> [!TIP] > Need some help? See the following resources: >
-> - [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
-> - [Add endpoint protection settings in Intune](/mem/intune/protect/endpoint-protection-configure)
+> - [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy)
+> - [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (Configuration Manager)
## Use Group Policy to specify the level of cloud protection
Cloud protection works together with Microsoft Defender Antivirus to deliver pro
## See also -- [Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md) - [Onboard non-Windows devices to Defender for Endpoint](configure-endpoints-non-windows.md)
+- [Turn on cloud protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md)
security Why Cloud Protection Should Be On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav.md
- Title: Why cloud protection should be enabled for Microsoft Defender Antivirus
-description: See why cloud protection should be turned on for Microsoft Defender Antivirus. It helps many security features in Microsoft Defender for Endpoint work
-keywords: Microsoft Defender Antivirus, cloud protection, security features, sample submission
-search.product:
-
-ms.sitesec: library
------- Previously updated : 10/22/2021--- m365-security-- tier2--
-# Why cloud protection should be enabled for Microsoft Defender Antivirus
-
-**Applies to:**
--- Microsoft Defender Antivirus-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-
-**Platforms**
-- Windows-
-Microsoft Defender Antivirus cloud protection helps protect against malware on your endpoints and across your network. We recommend keeping cloud protection turned on, because certain security features and capabilities in Microsoft Defender for Endpoint only work when cloud protection is enabled.
-
-[![alt-text="Diagram showing things that depend on cloud protection](images/mde-cloud-protection.png#lightbox)](enable-cloud-protection-microsoft-defender-antivirus.md)
-
-The following table summarizes the features and capabilities that depend on cloud protection: <br/><br/>
-
-| Feature/Capability | Subscription requirement | Description |
-|||--|
-| Checking against metadata in the cloud | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | The Microsoft Defender Antivirus cloud service uses machine learning models as an extra layer of defense. These machine learning models include metadata, so when a suspicious or malicious file is detected, its metadata is checked. <br/><br/>To learn more, see [Blog: Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) |
-| Cloud protection and sample submission | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | Files and executables can be sent to the Microsoft Defender Antivirus cloud service for detonation and analysis. <br/><br/>To learn more, see [Cloud protection and sample submission in Microsoft Defender Antivirus](cloud-protection-microsoft-antivirus-sample-submission.md).<br/><br/>**NOTE**: Automatic sample submission relies on cloud protection, although it can also be configured as a standalone setting. |
-| Tamper protection | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | Tamper protection helps protect against unwanted changes to your organization's security settings. To enforce tamper protection in the Microsoft 365 Defender portal, cloud protection must be enabled. <br/><br/>To learn more, see [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md). |
-| Block at first sight | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | Block at first sight detects new malware and blocks it within seconds. When a suspicious or malicious file is detected, block at first sight capabilities queries the cloud protection backend and applies heuristics, machine learning, and automated analysis of the file to determine whether it is a threat.<br/><br/>To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) |
-| Emergency signature updates | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | When malicious content is detected, emergency signature updates and fixes are deployed. Rather than wait for the next regular update, you can receive these fixes and updates within minutes. |
-| Endpoint detection and response (EDR) in block mode | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | EDR in block mode provides extra protection when Microsoft Defender Antivirus is not the primary antivirus product on a device. EDR in block mode remediates artifacts found during EDR-generated scans that the non-Microsoft, primary antivirus solution might have missed. When enabled for devices with Microsoft Defender Antivirus as the primary antivirus solution, EDR in block mode provides the added benefit of automatically remediating artifacts identified during EDR-generated scans. <br/><br/>To learn more, see [EDR in block mode](edr-in-block-mode.md).|
-| Attack surface reduction rules | Microsoft Defender for Endpoint Plan 1 or Plan 2 (Standalone or included in a plan like Microsoft 365 E3 or E5) | Attack surface reduction is all about reducing the places and ways your organization's endpoints are vulnerable to a cyber attack. Attack surface reduction rules are intelligent rules that you can configure to help stop malware. Certain rules require cloud protection to be turned on in order to function fully. These rules include: <br/>- Block executable files from running unless they meet a prevalence, age, or trusted list criteria <br/>- Use advanced protection against ransomware <br/>- Block untrusted programs from running from removable drives <br/><br/>To learn more, see [Use attack surface reduction rules to prevent malware infection](attack-surface-reduction.md). |
-| Indicators of compromise (IoCs) | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | IoCs in Defender for Endpoint can be configured to define the detection, prevention, and exclusion of entities. For example, "allow" indicators can be used to define exceptions to Microsoft Defender Antivirus scans and remediation actions in Defender for Endpoint. As another example, "alert and block" indicators can be used to prevent files or processes from executing, and to track these activities with alerts that are viewable in the Microsoft 365 Defender portal. <br/><br/>To learn more, see [Create indicators](manage-indicators.md). |
-
-> [!TIP]
-> To learn more about Defender for Endpoint plans, see [Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md).
-
-## Next steps
-
-Now that you have an overview of cloud protection and its role in Microsoft Defender Antivirus, here are some next steps:
-
-1. **[Enable cloud protection](enable-cloud-protection-microsoft-defender-antivirus.md)**. You can enable cloud protection with Microsoft Configuration Manager, Microsoft Intune, Group Policy, or PowerShell cmdlets.
-
-2. **[Specify the cloud protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)**. You can specify the level of protection offered by the cloud by using Microsoft Intune, Configuration Manager, or Group Policy. The protection level affects the amount of information shared with the cloud and how aggressively new files are blocked.
-
-3. **[Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md)**. There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud protection.
-
-4. **[Configure the "block at first sight" feature](configure-block-at-first-sight-microsoft-defender-antivirus.md)**. The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it by using Microsoft Intune, Configuration Manager, or Group Policy.
-
-5. **[Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)**. Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud protection service. You can configure the amount of time the file will be prevented from running by using Microsoft Intune, Configuration Manager, or Group Policy.
-
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Attack Simulation Training Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-settings.md
description: Admins can learn how to configure global settings in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 4/3/2023 Last updated : 4/12/2023 # Global settings in Attack simulation training
Last updated 4/3/2023
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, the **Settings** tab contains settings that affect all simulations: -- **Repeat offender threshold**: A _repeat offender_ is someone who gives up their credentials in multiple consecutive simulations. How many simulations in a row constitutes a repeat offender is determined by the repeat offender threshold. Information about repeat offenders appears in the following locations:
+- **Repeat offender threshold**: A _repeat offender_ is someone who gives up their credentials in multiple consecutive simulations. How many simulations in a row constitute a repeat offender is determined by the repeat offender threshold. Information about repeat offenders appears in the following locations:
- The [Repeat offenders card on the Overview tab](attack-simulation-training-insights.md#repeat-offenders-card) and the [Repeat offenders tab in the Attack simulation report](attack-simulation-training-insights.md#repeat-offenders-tab-for-the-attack-simulation-report). - When you select users in [simulations](attack-simulation-training-simulation-automations.md#target-users), [simulation automations](attack-simulation-training-simulation-automations.md#target-users), and [training simulations](attack-simulation-training-training-campaigns.md#target-users), you can find and filter repeat offenders.
+- **Training threshold**: In [Training campaigns](attack-simulation-training-training-campaigns.md), the _training threshold_ specifies a time period in days to prevent users from having the same training modules assigned to them. Specifically, a training module isn't reassigned to users who completed the module during the training threshold, nor is a training module assigned to users who haven't completed modules assigned during the training threshold. For more information, see [Set the training threshold time period](attack-simulation-training-training-campaigns.md#set-the-training-threshold).
+ - **View exclude simulations from reporting**: After a simulation has completed, you can exclude the results of the simulation from reporting. For instructions, see [Exclude completed simulations from reporting](attack-simulation-training-simulations.md#exclude-completed-simulations-from-reporting). You can use the **View all** link in this section to see excluded simulations on the **Simulations** tab. To get to the **Settings** tab, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Login pages**. To go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
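Review bot: The added **Training threshold** bullet links to `attack-simulation-training-training-campaigns.md#set-the-training-threshold`, but the section this change adds for the setting is `## Configure the training threshold` in the settings article, and no "Set the training threshold" heading appears in the training campaigns changes shown here. Point the link at the new section, or confirm the target heading exists, so the link does not fall back to the top of the other article. The second half of the definition ("nor is a training module assigned to users who haven't completed modules assigned during the training threshold") is hard to parse; consider two sentences, one for completed modules and one for assigned but incomplete modules. Separately, the unchanged navigation sentence after the list names the **Content library** tab and **Login pages** as the way to reach the **Settings** tab, which is worth correcting while this paragraph is open.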
For getting started information about Attack simulation training, see [Get start
To configure the repeat offender threshold, use the box in the **Repeat offender threshold** section on the **Settings** tab. The default value is 2.
+## Configure the training threshold
+
+To configure the training threshold, use the box in the **Training threshold** section on the **Settings** tab. The default value is 90 days.
+
+The training threshold starts from the time that modules are assigned to users.
+
+We recommend that this value is greater than the number of days users have to complete a training module.
+
+To remove the training threshold and always assign training, regardless of whether a user has already completed or been assigned a training, set value to 0.
+ ## View simulations excluded from reporting To view completed simulations that have been excluded from reporting on the **Settings** tab, click the **View all** link in the **Simulations excluded from reporting** section. This link takes you to the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations> where **Show excluded simulations** is automatically toggled on ![Toggle on icon.](../../media/scc-toggle-on.png).
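Review bot: "set value to 0" in the last added line of the new section is missing its article and does not name the control; suggest "set the value in the **Training threshold** box to 0". The section gives the default as 90 days and recommends a value greater than the number of days users have to complete a module, but does not say what happens when the threshold is shorter than that window; one sentence on the effect would make the recommendation actionable.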
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
description: Admins can learn how to create training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 4/3/2023 Last updated : 4/12/2023 # Training campaigns in Attack simulation training
Last updated 4/3/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-> [!NOTE]
-> This article describes features that are in Public Preview, aren't available in all organizations, and are subject to change.
- In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, Training campaigns are a faster, more direct way to provide security training to users. Instead of creating and launching [simulated phishing attacks](attack-simulation-training-simulations.md) that eventually lead to training, you can create and assign Training campaigns directly to users. A Training campaign contains one or more built-in Training modules that you select. Currently, there are over 70 Training modules to select from. For more information about Training modules, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
For getting started information about Attack simulation training, see [Get start
To see the existing Training campaigns, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. To go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
-The **Training campaigns** tab lists the Training campaigns that you've created. The list includes the following information for each Training campaign:
+The **Training** tab lists the Training campaigns that you've created. The list includes the following information for each Training campaign<sup>\*</sup>:
-- **Name**
+- **Campaign name**
- **Description**-- **Duration (mins)**-- **Date of completion**
+- **Total duration (mins)**
+- **Training completion** (date/time)
- **Training completion**: The number of users who were included in the Training campaign and how many of them completed the training. The information is shown as a fraction (for example, **2/5**) and in a corresponding horizontal bar graph. - **No. of training modules**: The number of training modules that are included in the Training campaign. - **Created by** - **Created time** - **Status**: One of the following values:
- - **Completed**<sup>\*</sup>
- - **In progress**<sup>\*</sup>
- - **Draft**<sup>\*</sup>
- - **Cancelled**
+ - **Completed**<sup>\*\*</sup>
+ - **In progress**<sup>\*\*</sup>
+ - **Draft**<sup>\*\*</sup>
+ - **Canceled**
- **Deleted**
- - **Failed**<sup>\*</sup>
- - **Scheduled**<sup>\*</sup>
-- **Γï«** (**Actions** control): Take action on the Training campaign. The available actions depend on the **Status** value of the Training campaign as described in the procedure sections. This control always appears at the end of the payload row.
+ - **Failed**<sup>\*\*</sup>
+ - **Scheduled**<sup>\*\*</sup>
-To find a Training campaign in the list, type part of the campaign name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box and then press the ENTER key.
+ For more information about the **Status** values, see the [Set the training threshold](#set-the-training-threshold) section later in this article.
+
+Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
+
+- Horizontally scroll in your web browser.
+- Narrow the width of appropriate columns.
+- Remove columns from the view.
+- Zoom out in your web browser.
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Filter** to filter the information on the page by the **Status** value of the Training campaign.
-<sup>\*</sup> The total count of Training campaigns with these **Status** values is also shown at the top of the page. But if you filter the information (for example, exclude on of these **Status** values), the count at the top of the page will be **0** for that excluded **Status** value.
+<sup>\*\*</sup> The total count of Training campaigns with these **Status** values is also shown at the top of the page. But if you filter the information (for example, exclude on of these **Status** values), the count at the top of the page is **0** for that excluded **Status** value.
+
+To find a Training campaign in the list, type part of the campaign name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box and then press the ENTER key.
+
+To see details about a Training campaign, see the [View Training campaign details](#view-training-campaign-details) section.
## Create Training campaigns
To create a Training campaign, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
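Review bot: The column list now has two entries named **Training completion**: the added `**Training completion** (date/time)` replaces **Date of completion**, and the unchanged bullet that follows it (the users-completed fraction) carries the same label. If the portal really shows two columns with one name, say so; otherwise give the date column a distinct label. The added sentence "For more information about the **Status** values, see the [Set the training threshold](#set-the-training-threshold) section" points a Status reference at a threshold section, which looks like the wrong target. The footnote line that was moved to the `\*\*` marker still reads "exclude on of these"; it should be "exclude one of these".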
-2. On the **Training** tab,select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Create new**.
+2. On the **Training** tab, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Create new** to start the new Training campaign wizard.
-3. The new Training campaign wizard opens. The rest of this section describes the pages and the settings they contain.
+ The following sections describe the steps and configuration options to create a Training campaign.
-### Name Training campaign
+ > [!NOTE]
+ > At any point after you name the Training campaign during the new Training campaign wizard, you can click **Save and close** to save your progress and continue later. The incomplete Training campaign has the **Status** value **Draft**. You can pick up where you left off by selecting the Training campaign and then clicking the ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** icon that appears.
-On the **Name Training campaign** page, configure the following settings:
+### Name and describe the Training campaign
-- **Name**: Enter a unique name.
+On the **Name campaign** page, configure the following settings:
+
+- **Name**: Enter a unique name for the Training campaign.
- **Description**: Enter an optional description. When you're finished on the **Name Training campaign** page, click **Next**. ### Target users
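Review bot: The added intro says "On the **Name campaign** page", while the unchanged closing sentence of the same step still says "When you're finished on the **Name Training campaign** page"; use the name the wizard shows in both places. In step 2, the **Create new** control still takes its icon from `m365-cc-sc-filter-icon.png`, whereas the Target users changes in this same diff use `m365-cc-sc-create-icon.png` for **Add users**, so check which image is intended here.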
-On the **Target users** page, select one of the following values:
+On the **Target users** page, select who receives the Training campaign. Use the following options to select users:
+
+- **Include all users in my organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
+
+ > [!TIP]
+ > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users.
-- **Include all users in my organization**
+- **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the Training campaign, choose one of the following options:
-- **Include only specific users and groups**: When this value is selected, use the following options to find and select the users or groups to include in the Training campaign:
- - :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add users**: In the **Add users** flyout that appears, use the following options to find and select users:
- - **Search for users or groups**: In the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box, enter three or more letters of the user or group name, and then press Enter. The results (if any) are shown in the **User list** section that appears.
- - To clear the search results without selecting any users or groups and return to all filters on the **Add users** flyout, select **Add/Edit**.
- - To clear the text from the search box and the entries from the **User list** section but remain in user/group search mode, select :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: in the search box.
- - To clear any *selections* in the **User list** section but preserve the text in the search box and the actual entries in the list, select **Clear all selections**.
- - When you're done selecting entries from the **User list** section, select **Add n user(s)**. You'll return to the **Target users** page where the selected users are shown in a list. To return to the **Add users** flyout, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add users**.
+ - **Search for users or groups**: If you click in the ![Search for users or groups icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
+ - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**.
+ - Type fewer than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
- Repeat this step as many times as required.
+ The number of results appears in the **Selected (0/x) users** label.
- - **Filter users by categories**: Use the following categories to filter and select users and groups. Multiple selections within the same category use the OR operator (for example, **User tags** equals **Priority account** OR **User tags** equals **High risk profile**). Selections from different categories use the AND operator (for example, **City** equals Redmond AND **Department** equals IT):
+ > [!NOTE]
+ > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
- - **Suggested user groups**: Select one or both of the following values:
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+
+ Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+
+ - **Filter users by categories**: Use the following options:
+
+ - **Suggested user groups**: Select from the following values:
+ - **All suggested user groups**
- **Users not targeted by a simulation in the last three months** - **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
- - **User tags**: Select one or more of the following values. You'll need to click **See all user tags** to see all values, and custom [user tags](user-tags-about.md) aren't available:
- - **Priority accounts**: For more information, see [Priority accounts](../../admin/setup/priority-accounts.md).
- - **High risk profile**
- - **Medium risk profile**
- - **Low risk profile**
+ - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
+ - **Search**: In ![Search by user tags icon.](../../media/m365-cc-sc-search-icon.png) **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - Select **All user tags**
+ - Select existing user tags. If the link is available, click **See all user tags** to see the complete list of available tags.
- - **City**, **Department**, or **Title** properties: In each section, the following options are available:
- - :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search by**: Type the property value and select it from the list of results.
- - The first three values for each property are shown. To see all values for the specific property, select the **All \<property>** link. Select one or more values.
- - Select **All \<property\>** to select all values for the specific property.
+ - **City**: Use the following options:
+ - **Search**: In ![Search by City icon.](../../media/m365-cc-sc-search-icon.png) **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
+ - Select **All City**
+ - Select existing City values. If the link is available, click **See all Cities** to see the complete list of available City values.
- After you select values from one or more categories, select **Apply(n)**. The results (if any) are shown in the **User list** section that appears.
+ - **Country**: Use the following options:
+ - **Search**: In ![Search by Country icon.](../../media/m365-cc-sc-search-icon.png) **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
+ - Select **All Country**
+ - Select existing City values. If the link is available, click **See all Countries** to see the complete list of available Country values.
- - To not select any users or groups and return to all filters on the **Add users** flyout, select **Add/Edit**.
- - To clear any *selections* in the **User list** section but preserve the actual entries in the list, select **Clear all selections**.
- - When you're done selecting entries from the **User list** section, select **Add n user(s)**. You'll return to the **Target users** page where the selected users are shown in a list. To return to the **Add users** flyout, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add users**.
+ - **Department**: Use the following options:
+ - **Search**: In ![Search by Department icon.](../../media/m365-cc-sc-search-icon.png) **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - Select **All Department**
+ - Select existing Department values. If the link is available, click **See all Departments** to see the complete list of available Department values.
- Repeat this step as many times as required.
+ - **Title**: Use the following options:
+ - **Search**: In ![Search by Title icon.](../../media/m365-cc-sc-search-icon.png) **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - Select **All Title**
+ - Select existing Title values. If the link is available, click **See all Titles** to see the complete list of available Title values.
- - :::image type="icon" source="../../media/m365-cc-sc-import-icon.png"::: **Import**: In the dialog that opens, find and select a .csv file.
+ :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
-After you've selected one or more users or groups, the following information is shown for each entry on the **Target users** page:
+ You can use some or all of the search categories to find users and groups. If you select multiple categories, the AND operator is used. Any users or groups must match both values to be returned in the results (which is virtually impossible if you use the value **All** in multiple categories).
-- **Name**-- **Email**-- **Title**-- **Type**: **User** or **Group**-- **Delete**: Use the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete** icon to remove the entry from the list. Select **Confirm** in the confirmation dialog**.
+ The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
+
+ When you're finished searching by category, click the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
+
+ - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values
+ - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
+
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
-Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box to find users or groups in the list.
+ Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
-When you're finished on the **Target users** page, select **Next**.
+ - ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
+
+ After you find a select the CSV file, the users are imported and shown on the **Targeted users** page.
+
+ On the main **Target users** page, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find selected users. You can also click ![Delete users icon.](../../media/m365-cc-sc-search-icon.png) **Delete** and then **Confirm** in the confirmation dialog to remove specific users.
+
+ To add more users and groups, click ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users** or ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import** on the **Target users** page and repeat the previous steps.
+
+When you're finished on the **Target users** page, click **Next**.
### Exclude users
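Review bot: Under **Country**, the third option reads "Select existing City values", copied from the **City** block; it should say Country values. The page is called **Target users** in the heading and most steps but **Targeted users** in two added lines ("no users or groups are shown on the **Targeted users** page" and "shown on the **Targeted users** page"). The **Delete** control on the main page now uses `m365-cc-sc-search-icon.png` with the alt text "Delete users icon", where the removed text used `m365-cc-sc-delete-icon.png`. The removed text documented OR within a category and AND across categories; the replacement states only AND across categories, so add how multiple values inside one category combine. Wording slips in the added lines: "is show in groups of 10", "replaces any results the **User list** section", "type part the Department value", "Show how many filter values", and "After you find a select the CSV file".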
The selection options are identical to the previous step when you select :::imag
When you're finished on the **Exclude users** page, select **Next**.
-### Select courses
+### Select training modules
+
+On the **Select training modules** page, select one of the following options:
+
+- **Training catalog**: Click :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
-On the **Select courses** page, click :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
+ In the **Add Training** flyout that opens, select one or more Training modules to include in the Training campaign by selecting the round check box that appears in the blank area next to the module name, and then clicking **Add**.
-In the **Add Training** flyout that appears, select one or more Training modules to include in the Training campaign by clicking the blank area next to the module name, and then clicking **Add**.
+ The modules that are available in the **Add Training** flyout are identical to the modules that are available at **Training modules** on the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>. For more information, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
-What you see and what you can do in the **Add Training** flyout is identical to what's available at **Training modules** on the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>. For more information, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
+ After you've selected one or more Training modules, the following information is shown for each entry on the **Select courses** page:
-After you've selected one or more Training modules, the following information is shown for each entry on the **Select courses** page:
+ - **Training name**
+ - **Source**
+ - **Duration (mins)**
+ - **Delete**: Use the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete** icon to remove the entry from the list. Click **Confirm** in the confirmation dialog**.
-- **Training name**-- **Source**-- **Duration (mins)**-- **Delete**: Use the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete** icon to remove the entry from the list. Click **Confirm** in the confirmation dialog**.
+- **Redirect to a custom URL**: Click :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
+
+ In the **Custom training URL** flyout that opens, the following options are available:
+
+ - **Custom training URL** (required)
+ - **Custom training name** (required)
+ - **Custom training description**
+ - **Custom training duration (in minutes)** (required): The default value is 0, which means there's no specified duration for the training.
+
+ When you're finished on the **Custom training URL** flyout, click **Add**. Information about the custom URL is visible on the **Select courses** page.
When you're finished on the **Select courses** page, click **Next**.
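Review bot: the added **Delete** bullet still ends with `Click **Confirm** in the confirmation dialog**.`, so the stray trailing `**` from the removed line was carried over; drop it. In the new **Redirect to a custom URL** bullet, the **Add trainings** control is paired with `m365-cc-sc-filter-icon.png`; confirm that is the intended icon. **Custom training URL** is marked required, but the text gives no constraints on the value (for example, whether it must be HTTPS or reachable by the targeted users), which admins need to know before sending users to an external site.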
-### Select end user notification
+### Select end user notifications
On the **Select end user notification** page, select from the following notification options: -- **Microsoft default notification (recommended)**: The following additional settings are available on the page:-
- - **Select default language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
+- **Microsoft default notification (recommended)**: The notifications that users will receive are shown on the page:
+ - **Microsoft default training only campaign-training assignment notification**
+ - **Microsoft default training only campaign-training reminder notification**
- - By default, the following notifications are included:
- - **Microsoft default training only campaign-training assignment notification**
- - **Microsoft default training only campaign-training reminder notification**
+ Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Romanian**, **Russian**, **Spanish**, or **Dutch**.
For each notification, the following information is available: - **Notifications**: The name of the notification. - **Language**: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
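Review bot: the heading becomes `### Select end user notifications` (plural), but the body line directly under it and the later added lines still call the page **Select end user notification**; keep the heading and the page name in step, or state that the portal page name is singular. The rename also changes the anchor to `#select-end-user-notifications`, so links to the old `#select-end-user-notification` anchor from other articles need updating. In the language list, **Romanian** is added and the list now ends with "or **Dutch**", out of alphabetical order.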
- - **Type**: **Training assignment notification** or **Training reminder notification**.
- - **Delivery preferences**: For **Training reminder notification** types, the values **Twice a week** and **Weekly** are available.
- - **Γï«** (**Actions** control): If you click the :::image type="icon" source="../../media/m365-cc-sc-view-icon.png"::: **View** icon, the **Review notification** page appears with the following information:
- - **Preview** tab: View the notification message as users will see it. To view the message in different languages, use the **Select notification language** box.
+ - **Type**: One of the following values:
+ - **Training assignment notification**
+ - **Training reminder notification**
+ - **Delivery preferences**: You need to configure the following delivery preferences before you can continue:
+ - For **Microsoft default training only campaign-training reminder notification**, select **Twice a week** or **Weekly**.
+ - **Actions**: If you click ![View icon.](../../media/m365-cc-sc-view-icon.png) **View**, a **Review notification** page opens with the following information:
+ - **Preview** tab: View the notification message as users see it. To view the message in different languages, use the **Select notification language** box.
- **Details** tab: View details about the notification: - **Notification description**
- - **Source**: For built-in notifications, the value is **Global**.
- - **Notification type**: **Training assignment notification** or **Training reminder notification** based on the notification you originally selected:
+ - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.
+ - **Notification type**: One of the following types based on the notification you originally selected:
+ - **Training assignment notification**
+ - **Training reminder notification**
- **Modified by** - **Last modified**
- When you're finished, click **Close**.
+ When you're finished on the **Review notification** page, click **Close** to return to the **Select end user notification** page.
- You're taken to the **[Schedule](#schedule)** page when you click **Next**.
+- **Customized end user notifications**: No other configuration options are available on the page. When you click **Next**, you need to select a **Training assignment notification** and a **Training reminder notification** to use for the Training campaign as described in the next two subsections.
-- **Customized end user notifications**: When you click **Next**, you're taken to the **Training assignment notification** page as described in the next sections.
+When you're finished on the **Select end user notification** page, click **Next**.
-#### Training assignment notification
+#### Select a training assignment notification
-The **Training assignment notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+> [!NOTE]
+> This page is available only if you selected **Customized end user notifications** on the [Select end user notifications](#select-end-user-notifications) page.
-This page shows the following notifications and their configured languages:
+The **Training assignment notification** page shows the following notifications and their configured languages:
- **Microsoft default training assignment notification** - **Microsoft default training only campaign-training assignment notification**-- Any custom training assignment notifications that you previously created where the **Type** value is **Training assignment notification**.
+- Any custom training assignment notifications that you previously created.
- These notifications are also available in **End user notifications** on the **Content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>. The built-in notifications are available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+These notifications are also available on the **End user notifications** page on the **Content library** tab:
-You can select an existing training assignment notification or create a new notification to use:
+- Built-in training assignment notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>.
+- Custom training assignment notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
-- To select an existing notification, select the check box next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.-- To search for an existing notification on the page, use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box to search for the name.
+For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
- Select the notification that you want to use, and then click **Next**.
+Do one of the following steps:
-- To create and use a new notification, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new**.
+- **Select an existing notification to use**:
+ - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
+ - The **Preview** tab shows what the notification looks like to users.
+ - The **Details** tab shows the properties of the notification.
-- To edit an existing custom notification, select it and then click the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification** icon that appears.
+ When you're finished in the notification details flyout, click **Close**.
-##### Training assignment notification wizard
+ On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name.
-If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new** on the **Training assignment notification** page or select a custom notification and then click :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification**, a new notification wizard opens.
+- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+ > [!NOTE]
+ > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type.
-> [!NOTE]
-> On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type.
+ When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select
-When you're finished, you're taken back to the **Training assignment notification** page where the notification that you just created now appears in the list.
+When you're finished on the **Training assignment notification** page, click **Next**.
-Select the notification that you want to use, and then click **Next**.
+#### Select a training reminder notification
-When you're finished, click **Next**.
-
-#### Training reminder notification
-
-The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+> [!NOTE]
+> This page is available only if you selected **Customized end user notifications** on the [Select end user notifications](#select-end-user-notifications) page.
-- **Set frequency for reminder notification**: Select **Weekly** (default) or **Twice a week**.
- - Reminder notifications will stop at the end of the campaign.
+The **Training reminder notification** page shows the following notifications and their configured languages:
-- **Select a reminder notification**: This section shows the following notifications and their configured languages:
+- **Microsoft default training reminder notification**
+- **Microsoft default training only campaign-training reminder notification**
+- Any custom training reminder notifications that you previously created.
- - **Microsoft default training reminder notification**
- - **Microsoft default training only campaign-training reminder notification**
- - Any custom training reminder notifications that you previously created where the **Type** value is **Training reminder notification**.
+These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- These notifications are also available in **End user notifications** on the **Content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>. The build-it notifications available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+- Built-in training reminder notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>.
+- Custom training reminder notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
- You can select an existing training reminder notification or create a new notification to use:
+For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
-- To select an existing notification, select the check box next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.-- To search for an existing notification on the page, use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box to search for the name.
+In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps:
- Select the notification that you want to use, and then select **Next**.
+- **Select an existing notification to use**:
+ - To search for an existing notification in the list, type part of the notification name in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and then press the ENTER key.
+ - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
+ - The **Preview** tab shows what the notification looks like to users.
+ - The **Details** tab shows the properties of the notification.
- - To create and use a new notification, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new**.
+ When you're finished in the notification details flyout, click **Close**.
- - To edit an existing custom notification, select it and then click the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification** icon that appears.
+ On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name.
-##### Training reminder notification wizard
+- **Create a new notification to use**: Click ![Create new icon.](../../medi#create-end-user-notifications).
-If you click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new** on the **Training reminder notification** page or select a custom notification and then click :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification**, a new notification wizard opens.
+ > [!NOTE]
+ > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type.
-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+ When you're finished creating the notification, you return to the **Training reminder notification** page where the new notification now appears in the list for you to select.
-> [!NOTE]
-> On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type.
+When you're finished on the **Training reminder notification** page, click **Next**.
-When you're finished, you're taken back to the **Training reminder notification** page where the notification that you created is now listed.
+### Schedule the Training campaign
-Select the notification that you want to use, and then click **Next**.
+On the **Schedule** page, you choose when to start and end the Training campaign by choosing one of the following values:
-### Schedule
+- **Launch this Training campaign as soon as I'm done**
-On the **Schedule** page, select the start date and end date for the Training campaign using one of the following values:
+ If you select **Send training with an end date** (it's selected by default), you need to configure the end date/time in **Set the campaign end date** and **Set hours**, **Set minutes**, and **Set time format**.
-- **launch this Training campaign as soon as I'm done**-- **Schedule this Training campaign to be launched later**: If this option is selected, **Set the campaign launch date** and **Set launch time** boxes appear for you to configure.
+- **Schedule this Training campaign to be launched later**: Enter the Training campaign start date/time in **Set the campaign launch date** and **Set hours**, **Set minutes**, and **Set time format**.
-**Send training with an end date** is selected by default, so **Set the campaign end date** and **Set end time** boxes are available for you to configure. If you clear **Send training with an end date**, the boxes disappear.
+ If you select **Send training with an end date** (it's selected by default), you need to configure the end date/time in **Set the campaign end date** and **Set hours**, **Set minutes**, and **Set time format**.
> [!NOTE]
-> If you clear the **Send training with an end date** box, no reminder notifications will be send to the targeted users outside of the initial assignment notice.
+> If you clear the **Send training with an end date** check box, no reminder notifications will be send to the targeted users outside of the initial training assignment notice.
When you're finished on the **Schedule** page, click **Next**.
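Review bot: both added **Create a new notification to use** bullets read `Click ![Create new icon.](../../medi#create-end-user-notifications).`, an image path cut off mid-word and fused with the tail of the Create end-user notifications link, so the instruction and the cross-reference are both lost; restore the full icon path, the **Create new** label and the link. The rewrite also drops "Reminder notifications will stop at the end of the campaign", the "(default)" marker on **Weekly**, and the **Edit notification** instructions; confirm each omission is intended. The NOTE on the **Schedule** page still says "will be send" (should be "sent"), and the added paragraph ending "for you to select" in the assignment-notification section is missing its period.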
-## Review
+## Review Training campaign details
+
+On the **Review** page, you can review the details of the Training campaign.
-On the **Review** page, you can review the details of your Training campaign.
+Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the Training campaign to yourself (the currently signed in user) for inspection.
-You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+You can click **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard to modify the settings.
When you're finished on the **Review** page, click **Submit**.
-## View details and reports for Training campaigns
+Back on the **Training campaign** tab, the Training campaign that you created is now listed. The **Status** value depends on your previous selection in the [Schedule the Training campaign](#schedule-the-training-campaign) step:
-To view the details and reports for a Training campaign, do the following steps:
+- **In progress** if you selected **Launch this Training campaign as soon as I'm done**.
+- **Scheduled** if you selected **Schedule this Training campaign to be launched later**.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+## Take action on Training campaigns
+
+All actions on existing Training campaigns start on the **Training** tab. To get there, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+
+### View Training campaign details
-2. On the **Training** tab, do one of the following steps:
- - Select the Training campaign by selecting the check box next to it, and then click **Γï«** (**Actions**) \> :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png"::: **View report**. You might need to scroll to the right to see **Γï«** (**Actions**).
- - In the list of Training campaigns, click anywhere in the row without selecting the check box (for example, on the **Name** value).
+To view the details and reports for a Training campaign on the **Training** tab, select the Training campaign by clicking anywhere other than the check box next to the name.
-3. A details page for the Training campaign opens with the following tabs:
- - **Report**
- - **Users**
- - **Details**
+A details page for the Training campaign opens with the following tabs:
+
+- **Report**
+- **Users**
+- **Details**
These tabs are described in the following sections.
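Review bot: the added sentence after **Submit** says "Back on the **Training campaign** tab", while every other added line in this region calls it the **Training** tab; use one name so readers do not look for a second tab. The replacement for the removed numbered procedure also no longer mentions the **View report** action, so confirm that clicking the row is now the only way to open the details page.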
-### Report tab
+#### Report tab
The **Report** tab of the Training campaign shows the following information: -- **Training completion** section:
- - Each Training module that's included in the Training campaign is shown with a bar graph and a fraction that shows how many people have completed the module (number of users / total number of users).
- - Using the previous data, the top of the section shows:
+- **Training completion classification** section.
+
+- **Training completion summary** section:
+ - Each Training module in the Training campaign is shown with a bar graph and a fraction that shows how many people have completed the module (number of users / total number of users).
+ - From the previous data, the top of the section shows:
- The percentage of users who completed all modules in the campaign. - The percentage of users who completed some of the modules in the campaign. - The percentage of users who haven't started any of the modules in the campaign.
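Review bot: the new **Training completion classification** section bullet has no description, unlike **Training completion summary** beside it, which explains what the bar graph and percentages show; add a line that says what the classification section displays.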
The **Report** tab of the Training campaign shows the following information:
- **All user activity** section: - **Successfully received training notification**: A bar graph and a fraction that shows how main people received notifications for the modules in the campaign.
-### Users tab
+#### Users tab
The **Users** tab shows the following information about the users who were assigned the Training campaign: -- **Display name**
+- **Name**
- **Training status**: One of the following values: - **Not started**: The user hasn't started any Training modules in the campaign. - **In progress**: The user has completed some Training modules in the campaign. - **Completed**: The user has completed all Training modules in the campaign. - **Overdue**: The user hasn't completed all Training modules by the campaign end date/time. - **Training completion date**-- **Mail**
+- **Username**
-To add or remove the **Training date status** or **Department** columns, click :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png"::: **Customize columns**.
+To remove the **Training status** column, click :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png"::: **Customize columns**. By default, the only available column that's not shown is **Department**.
To download the displayed results to a RecordExport.csv file in the local Downloads folder, click :::image type="icon" source="../../media/m365-cc-sc-download-icon.png"::: **Export**.
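Review bot: the added **Customize columns** sentence mentions only removing **Training status** and then says **Department** is the one column not shown by default; say explicitly that **Customize columns** is also how **Department** is added, as the removed sentence did with "add or remove".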
-If you select a user from the list, the following information appears in a details flyout:
+If you select a user from the list by clicking anywhere other than the round check box that appears in the blank area next to the name, the following user information appears in a details flyout:
- **User details** section: - **Company**
If you select a user from the list, the following information appears in a detai
- **Manager** - Status information for Training modules in the Training campaign for the user: - **Training name**: The training module name.
- - **Training status**: **Not started**, **In progress**, **Completed**, **Training Already Completed**, **Training Previously Assigned**, **Overdue**, or **Not Completed**.
+ - **Training status**: **Not started**, **In progress**, **Completed**, **Training Previously Assigned**, **Overdue**, or **Not Completed**.
- **Training start date** - **Training completed date**
-To see details about other users in the Training campaign without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item**.
+> [!TIP]
+> To see details about other users in the Training campaign without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
-### Details tab
+#### Details tab
The **Details** tab of the Training campaign shows the following information:
The **Details** tab of the Training campaign shows the following information:
- **Notifications**: Whether training assignment notifications and training reminder notifications are enabled, and their delivery frequency. - **Selected modules**: The Training modules in the Training campaign are listed, along with their durations.
-## Delete Training campaigns
+### Cancel Training campaigns
-To delete an existing Training campaign, do the following steps:
+You can cancel Training campaigns with the **Status** value **In progress** or **Scheduled**.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+To cancel an existing Training campaign on the **Training tab**, select the Training campaign by selecting the check box next to the name, click the :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel** icon that appears, and then click **Confirm** in the confirmation dialog.
+
+After you cancel the Training campaign, the **Status** value changes to **Canceled**.
+
+### Remove Training campaigns
+
+You can't remove Training campaigns with the **Status** value **In progress** or **Scheduled**.
+
+To remove an existing Training campaign from the **Training** tab, select the Training campaign by selecting the check box next to the name, click the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** icon that appears, and then click **Confirm** in the confirmation dialog.
+
+After you remove the Training campaign, it's no longer listed on the **Training** tab.
-2. On the **Training** tab, click **Γï«** (**Actions**) in the Training \> :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png"::: **Delete**. You might need to scroll to the right to see **Γï«** (**Actions**).
+## Set the training threshold
-3. Click **Confirm** in the warning dialog that opens.
+The _training threshold_ prevents users from having the same trainings assigned to them during a specific interval in days. The default value is 90 days.
-## Set the training threshold time period
+During the time interval, the same training module won't be reassigned to users who meet either of the following criteria:
-The training threshold time period is the number of days for which a training module will not be re-assigned to a user who meets either of the following criteria:
+- They completed the training module during the training threshold.
+- They haven't completed the training module, but the module was assigned to them during the training threshold.
-- They've already completed the same training module during the threshold time period.-- They're actively assigned the same training module during the threshold time period.
+The training threshold starts when a training module is assigned to a user.
-The training threshold starts from the time of user training module assignment.
+We recommend that the training threshold is greater than the number of days that a user has to complete a training module.
-We recommend the number of days for the training threshold assignment to be greater than the number of days that a user would have to complete a training module assignment.
+In the training campaign user report, the **Status** value shows the effect of the training threshold on users and their assigned trainings modules:
-In the training campaign user report, a user may have the following **Status** values:
+- **Completed**: The user completed the training module.
+- **In Progress**: The user started the training module.
+- **Not Started**: The user hasn't started the training module.
+- **Training Previously Assigned**: The training module was assigned to the user during the training threshold, but the user hasn't completed the training yet. The user can still complete the training module, at which point the **Status** value changes to **Completed**.
+- **Overdue**: The user hasn't completed the training module before the assigned due date and the same training module hasn't been reassigned to the user during the training threshold.
+- **Not Completed**: The user hasn't completed the training module within the assigned due date and/or outside the training threshold. This status makes the user eligible to have the same training module reassigned to them.
-- **Completed**: The user has already completed their training module.-- **In Progress**: The user has started their training module.-- **Not Started**: The user hasn't started their training module.-- **Training Already Completed**: The user was previously assigned and completed the training module within the training threshold time period.-- **Training Previously Assigned**: The user currently has been assigned the training module within the training threshold time period, but hasn't completed the training. The user can still complete the training module to move it to a **Completed** state.-- **Overdue**: The user hasn't completed the training before the assigned module due date and has not been reassigned the same training module within the training threshold period.-- **Not Completed**: The user hasn't completed the training module within the assigned module due date and/ or is outside the training threshold period and is eligible for the same training module reassignment.
+You set the training threshold on the **Settings** tab on the **Attack simulation training** page. For more information about the **Settings** tab, see [Global settings in Attack simulation training](attack-simulation-training-settings.md).
-To set the training threshold, do the following steps:
+To set the training threshold on the **Settings** tab, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
-2. Set the value in days for the training threshold time period. The default value is 90 days. To remove training threshold and always assign training, set value to 0.
+2. Set the value in days for the training threshold time period. The default value is 90 days. To remove the training threshold and always assign training, set value to 0.
-3. When you're finished, click **Save**.
+3. When you're finished on the **Settings** tab, click **Save**.
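Review bot: the status list no longer includes **Training Already Completed**, yet the first criterion above it still covers users who completed the module during the training threshold; state which **Status** value those users now show. **Overdue** and **Not Completed** are hard to tell apart as worded ("within the assigned due date and/or outside the training threshold"); spell out the condition that moves a user from one to the other. Smaller points: "assigned trainings modules" should be "training modules", "set value to 0" needs "the", and `**Training tab**` in the Cancel paragraph bolds "tab", unlike `**Training** tab` elsewhere.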
security Attack Simulation Training Training Modules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-modules.md
description: Admins can learn about the Training modules that are available to use in Training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 01/13/2023 Last updated : 4/12/2023 # Training modules for Training campaigns in Attack simulation training
Last updated 01/13/2023
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, you select one or more Training modules to include in Training campaigns that you create and assign to users. For more information about Training campaigns, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
-To see the available Training modules, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. To go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
+To see the available Training modules, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. Or, to go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-**Training modules** shows the following information for each module:
+The **Training modules** page shows the following information for each module<sup>\*</sup>:
- **Training name** - **Languages**: The available values are: **Arabic**, **Chinese(Simplified)**, **Chinese(Traditional, Hong Kong), **Chinese(Traditional, Taiwan), **Czech**, **Danish**, **Dutch**, **English**, **English**, **Finnish**, **French**, **French**, **German**, **Hebrew**, **Hindi**, **Hungarian**, **Indonesian**, **Italian**, **Japanese**, **Korean**, **Malay**, **NorwegianBokmål**, **Persian**, **Polish**, **Portuguese**, **Portuguese**, **Russian**, **Slovakian**, **Spanish**, **Swedish**, **Thai**, **Turkish**, **Ukrainian**, **Vietnamese**- - **Tags**: Training modules are organized into one or more of the following categories: - **AttachmentMalware** - **Basic**
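Review bot: the **Languages** value in the unchanged line right after the reworded heading sentence lists **English**, **French** and **Portuguese** twice each with nothing to tell the repeated entries apart, and the two **Chinese(Traditional, ...)** entries have no closing `**`, so the bold run spills into the next item. This hunk already touches the sentence that introduces the list, so fix the list in the same change: distinguish or drop the repeated entries and close the bold markers.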
To see the available Training modules, open the Microsoft 365 Defender portal at
- **Completion rate** - **Preview**: Click the **Preview** button in this column to watch the training.
+Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
+
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
+
+- Horizontally scroll in your web browser.
+- Narrow the width of appropriate columns.
+- Remove columns from the view.
+- Zoom out in your web browser.
+ To find a Training module in the list, type the name of the module in the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box, and then press the ENTER key. Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the information on the page. The following filters are available in the flyout that opens: - **Source** - **Language**-- **Tags**: Filter the results by the previously described **Tags** values.
+- **Add Tags**
When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-To remove one or more columns that are displayed, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**.
-
-When you select a Training module from the list, a details flyout appears with the following information:
+When you select a Training module from the list by clicking anywhere other than the check box next to the name, a details flyout appears with the following information:
- **Description** - **Source**
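Review bot: in the filter list, `+- **Add Tags**` replaces the **Tags** entry but drops its explanation, so the reader is no longer told what the filter matches or how it relates to the **Tags** values described earlier on the page. Give the new entry a description, as the removed line did with "Filter the results by the previously described **Tags** values", and confirm that **Add Tags** is the label shown in the flyout rather than a leftover from another control. Also check the new footnote: "By default, all available columns are selected" sits next to advice to remove columns from the view, which is worth one connecting clause.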
security Quarantine About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md
description: Admins can learn about quarantine in Exchange Online Protection (EOP) that holds potentially dangerous or unwanted messages. Previously updated : 3/3/2023 Last updated : 4/7/2023 # Quarantined email messages in EOP and Defender for Office 365
Last updated 3/3/2023
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine is available to hold potentially dangerous or unwanted messages.
-Anti-malware policies automatically quarantine a message if _any_ attachment is found to contain malware. For more information, see [Configure anti-malware policies in EOP](anti-malware-policies-configure.md).
+Whether a detected message is quarantined by default depends on the following factors:
-By default, anti-spam policies quarantine phishing and high confidence phishing messages, and deliver spam, high confidence spam, and bulk email messages to the user's Junk Email folder. But, you can also create and customize anti-spam policies to quarantine spam, high confidence spam, and bulk-email messages. For more information, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).
+- The protection feature that detected the message. For example, the following detections are always quarantined:
+ - Malware detections by [anti-malware policies](anti-malware-policies-configure.md) and [Safe Attachments policies](safe-attachments-policies-configure.md), including [Built-in protection](preset-security-policies.md) for Safe Attachments.
+ - High-confidence phishing detections by [anti-spam policies](anti-spam-policies-configure.md).
+- Whether you're using the Standard and/or Strict [preset security policies](preset-security-policies.md). The Strict profile quarantines more types of detections than the Standard profile.
-Both users and admins can work with quarantined messages:
+The default actions for protection features in EOP and Defender for Office 365, including preset security policies, are described in the feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+
+For anti-spam and anti-phishing protection, admins can also modify the default policy or create custom policies to quarantine messages instead of delivering them to the Junk Email folder. For instructions, see the following articles:
+
+- [Configure anti-spam policies in EOP](anti-spam-policies-configure.md)
+- [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md)
+- [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)
+
+The protection policies for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features) have one or more _quarantine policies_ assigned to them (each action within the protection policy has an associated quarantine policy assignment).
-- _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). The default quarantine policies that are used by supported security features are described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+_Quarantine policies_ define what users are able to do or not do to quarantined messages, and whether users receive quarantine notifications for those messages. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
-- Admins can work with all types of quarantined messages for all users. By default, only admins can work with messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md).
+The default quarantine policies that are assigned to protection feature verdicts enforce the historical capabilities that users get for their quarantined messages (messages where they're a recipient). For more information, see the table in [Find and release quarantined messages as a user in EOP](quarantine-end-user.md). For example, only admins can work with messages that were quarantined as malware or high confidence phishing. By default, users can work with their messages that were quarantined as spam, bulk, phishing, spoof, user impersonation, domain impersonation, or mailbox intelligence.
+
+Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
+
+> [!NOTE]
+> Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. At best, admins can create and configure a quarantine policy so users can view and _request_ the release of their quarantined malware or high confidence phishing messages, although we typically don't recommend it.
+
+Both users and admins can work with quarantined messages:
-- By default, users can work with quarantined messages where they are a recipient and the message was quarantined as spam, bulk email, or phishing (not high confidence phishing). For more information, see [Find and release quarantined messages as a user in EOP](quarantine-end-user.md).
+- Admins can work with all types of quarantined messages for all users, including messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). For more information, see [Manage quarantined messages and files as an admin in EOP](quarantine-admin-manage-messages-files.md).
- To prevent users from managing their own quarantined phishing (not high confidence phishing) messages, admins can assign a quarantine policy that denies access to quarantined messages from the **Phishing email** filtering verdict in anti-spam policies. For more information, see [Assign quarantine policies in anti-spam policies](quarantine-policies.md#anti-spam-policies).
+- Users can work with their quarantined messages based on the protection feature that quarantined the message, and the setting in corresponding quarantine policy. For more information, see [Find and release quarantined messages as a user in EOP](quarantine-end-user.md).
- Admins can report false positives to Microsoft from quarantine. For more information, see [Take action on quarantined email](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-email) and [Take action on quarantined files](quarantine-admin-manage-messages-files.md#take-action-on-quarantined-files). -- Depending on the [User reported settings](submissions-user-reported-messages-custom-mailbox.md) in the organization (specifically, the **Let your organization report messages from quarantine** setting), users can report false positives to Microsoft from quarantine.
+- Users can also report false positives to Microsoft from quarantine, depending on the value of the **Reporting from quarantine** setting in [user reported settings](submissions-user-reported-messages-custom-mailbox.md).
-- How long quarantined messages are held in quarantine before they expire varies based on why the message was quarantined. The features that quarantine messages and their corresponding retention periods are described in the following table:
+How long quarantined messages or files are held in quarantine before they expire depends why the message or file was quarantined. Features and their corresponding retention periods are described in the following table:
- |Quarantine reason|Default retention period|Customizable?|Comments|
- |||::||
- |Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk.|15 days: <ul><li>In the default anti-spam policy.</li><li>In anti-spam policies that you create in PowerShell.</li></ul> <br/> 30 days in anti-spam policies that you create in the Microsoft 365 Defender portal.|Yes|You can configure (lower) this value in anti-spam policies. For more information, see the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in [Configure anti-spam policies](anti-spam-policies-configure.md).|
- |Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365.|30 days|Yes|This retention period is also controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in **anti-spam** policies. The retention period that's used is the value from the first matching **anti-spam** policy that the recipient is defined in.|
- |Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on common attachments filtering in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies).|
- |Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages).|30 days|No||
- |Messages quarantined by mail flow rules: the action is **Deliver the message to the hosted quarantine** (_Quarantine_).|30 days|No||
- |Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files quarantined in SharePoint or OneDrive are removed fom quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.|
+|Quarantine reason|Default retention period|Customizable?|Comments|
+|||::||
+|Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk.|15 days: <ul><li>In the default anti-spam policy.</li><li>In anti-spam policies that you create in PowerShell.</li></ul> <br/> 30 days in anti-spam policies that you create in the Microsoft 365 Defender portal.|Yes|You can configure (lower) this value in anti-spam policies. For more information, see the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in [Configure anti-spam policies](anti-spam-policies-configure.md).|
+|Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365.|30 days|Yes|This retention period is also controlled by the **Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_) setting in **anti-spam** policies. The retention period that's used is the value from the first matching **anti-spam** policy that the recipient is defined in.|
+|Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on common attachments filtering in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies).|
+|Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages).|30 days|No||
+|Messages quarantined by mail flow rules: the action is **Deliver the message to the hosted quarantine** (_Quarantine_).|30 days|No||
+|Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files quarantined in SharePoint or OneDrive are removed fom quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.|
- When a message expires from quarantine, you can't recover it.
+When a message expires from quarantine, you can't recover it.
For more information about quarantine, see [Quarantine FAQ](quarantine-faq.yml).
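Review bot: the indented context paragraph "To prevent users from managing their own quarantined phishing (not high confidence phishing) messages..." used to sit under the removed users bullet, and after this change it follows the new **Admins can work with all types of quarantined messages** bullet, with the new users bullet added only after it. It now reads as a detail of the admin bullet; move it under `+- Users can work with their quarantined messages...` or fold it into the quarantine policy paragraphs added above. Wording in the added lines: "depends why the message or file was quarantined" needs "depends on why", the table row for Safe Attachments for SharePoint, OneDrive, and Microsoft Teams still carries "removed fom quarantine", and "When a message expires from quarantine, you can't recover it" mentions only messages although the sentence introducing the table now covers "messages or files".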
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
description: Admins can learn how to view and manage quarantined messages for all users in Exchange Online Protection (EOP). Admins in organizations with Microsoft Defender for Office 365 can also manage quarantined files in SharePoint Online, OneDrive for Business, and Microsoft Teams. Previously updated : 3/28/2023 Last updated : 4/11/2023 # Manage quarantined messages and files as an admin
Last updated 3/28/2023
- [Exchange Online Protection](eop-about.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes and in Microsoft Teams, quarantine holds potentially dangerous or unwanted messages.
+In Microsoft 365 organizations with mailboxes in Exchange Online or Microsoft Teams, or in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes or Teams, quarantine holds potentially dangerous or unwanted messages that were detected by EOP and Defender for Office 365.
-Admins can view, release, and delete all types of quarantined messages for all users. Admins can also report false positives to Microsoft.
+Admins can view, release, and delete all types of quarantined messages and files for all users.
-By default, only admins can manage messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). But admins can use _quarantine policies_ to define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) and Microsoft Teams messages that were [quarantined by zero-hour auto purge (ZAP)](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams) (currently in Preview).
-Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) and [Zero-hour auto purge](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-in-microsoft-teams).
+Users can manage most quarantined email messages based on the _quarantine policy_ for [supported email protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+
+Admins and also users (depending on the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) for the organization) can report false positives to Microsoft from quarantine.
You view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
-Watch this short video to learn how to manage quarantined messages as an administrator.
+Watch this short video to learn how to manage quarantined messages as an admin.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGGPF] ## What do you need to know before you begin?
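Review bot: the added sentence "Users can manage most quarantined email messages based on the _quarantine policy_..." says "most" without naming the exceptions, while the removed paragraph stated them outright: by default only admins can manage messages quarantined as malware, high confidence phishing, or as a result of mail flow rules. Keep that list, or link to where it now lives, so an admin reading this introduction knows which verdicts users cannot act on. In the rewritten opening sentence, "organizations with mailboxes in Exchange Online or Microsoft Teams" reads as if Teams hosts mailboxes; split the clause. "Admins and also users" can be "Admins and users".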
Watch this short video to learn how to manage quarantined messages as an adminis
- [Email & collaboration RBAC in the Microsoft 365 Defender portal](mdo-portal-permissions.md): Membership in the **Quarantine Administrator** role group. To do quarantine procedures in Exchange Online PowerShell, you also need membership in the **Hygiene Management** role group in Exchange Online RBAC. - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -- Quarantined messages are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and are not recoverable. For more information, see [Quarantined email messages in EOP and Defender for Office 365](quarantine-about.md).
+- Quarantined messages and files are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and aren't recoverable. For more information, see [Quarantined email messages in EOP and Defender for Office 365](quarantine-about.md).
## Use the Microsoft 365 Defender portal to manage quarantined email messages ### View quarantined email
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine**. To go directly to the **Quarantine** page, use <https://security.microsoft.com/quarantine>.
-
-2. On the **Quarantine** page, verify that the **Email** tab is selected.
-
-3. You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
-
- - **Time received**<sup>\*</sup>
- - **Subject**<sup>\*</sup>
- - **Sender**<sup>\*</sup>
- - **Quarantine reason**<sup>\*</sup>
- - **Release status**<sup>\*</sup>
- - **Policy type**<sup>\*</sup>
- - **Expires**<sup>\*</sup>
- - **Recipient**
- - **Message ID**
- - **Policy name**
- - **Message size**
- - **Mail direction**
- - **Recipient tag**
-
- When you're finished, click **Apply**.
-
-4. To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that appears:
- - **Message ID**: The globally unique identifier of the message.
-
- For example, you used [message trace](message-trace-scc.md) to look for a message that was sent to a user in your organization, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (\<\>). For example: `<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>`.
-
- - **Sender address**
- - **Recipient address**
- - **Subject**
- - **Time received**:
- - **Last 24 hours**
- - **Last 7 days**
- - **Last 14 days**
- - **Last 30 days**
- - **Custom**: Enter a **Start time** and **End time** (date).
- - **Expires**: Filter messages by when they will expire from quarantine:
- - **Today**
- - **Next 2 days**
- - **Next 7 days**
- - **Custom**: Enter a **Start time** and **End time** (date).
- - **Recipient tag**
- - **Quarantine reason**:
- - **Transport rule** (mail flow rule)
- - **Bulk**
- - **Spam**
- - **Data loss prevention**
- - **Malware**: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The **Policy Type** value indicates which feature was used.
- - **Phishing**: The spam filter verdict was **Phishing** or anti-phishing protection quarantined the message ([spoof settings](anti-phishing-policies-about.md#spoof-settings) or [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
- - **High confidence phishing**
- - **Recipient**: **All users** or **Only me**. End users can only manage quarantined messages sent to them.
- - **Release status**: Any of the following values:
- - **Needs review**
- - **Approved**
- - **Denied**
- - **Release requested**
- - **Released**
- - **Preparing to release**
- - **Error**
- - **Policy Type**: Filter messages by policy type:
- - **Anti-malware policy**
- - **Safe Attachments policy**
- - **Anti-phishing policy**
- - **Anti-spam policy**
- - **Transport rule** (mail flow rule)
- - **Data loss prevention rule**
-
- When you're finished, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-
-5. Use the **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- - Sender email address
- - Subject. Use the entire subject of the message. The search is not case-sensitive.
-
- After you've entered the search criteria, press the enter ENTER key to filter the results.
-
- > [!NOTE]
- > The **Search** box on the main **Quarantine** page will search only quarantined items in the current view, not the entire quarantine. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
-
-After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
-### View quarantined email details
+On the **Email** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
-When you select quarantined message from the list, the following information is available in the details flyout that appears.
+You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+- **Time received**<sup>\*</sup>
+- **Subject**<sup>\*</sup>
+- **Sender**<sup>\*</sup>
+- **Quarantine reason**<sup>\*</sup>
+- **Release status**<sup>\*</sup>
+- **Policy type**<sup>\*</sup>
+- **Expires**<sup>\*</sup>
+- **Recipient**
+- **Message ID**
+- **Policy name**
+- **Message size**
+- **Mail direction**
+- **Recipient tag**
+
+To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+
+- **Message ID**: The globally unique identifier of the message.
+
+ For example, you used [message trace](message-trace-scc.md) to look for a message, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (\<\>). For example: `<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>`.
-- **Message ID**: The globally unique identifier for the message. Available in the **Message-ID** header field in the message header. - **Sender address**-- **Received**: The date/time when the message was received.
+- **Recipient address**
- **Subject**-- **Quarantine reason**: Shows if a message has been identified as **Spam**, **Bulk**, **Phish**, matched a mail flow rule (**Transport rule**), or was identified as containing **Malware**.-- **Policy type**-- **Policy name**-- **Recipient count**-- **Recipients**: If the message contains multiple recipients, you need to click **Preview message** or **View message header** to see the complete list of recipients.-- **Recipient tag**: For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).-- **Expires**: The date/time when the message will be automatically and permanently deleted from quarantine.-- **Released to**: All email addresses (if any) to which the message has been released.-- **Not yet released to**: All email addresses (if any) to which the message has not yet been released.-
-To take action on the message, see the next section.
+- **Time received**:
+ - **Last 24 hours**
+ - **Last 7 days**
+ - **Last 14 days**
+ - **Last 30 days** (default)
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Expires**: Filter messages by when they expire from quarantine:
+ - **Today**
+ - **Next 2 days**
+ - **Next 7 days**
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Recipient tag**
+- **Quarantine reason**:
+ - **Transport rule** (mail flow rule)
+ - **Bulk**
+ - **Spam**
+ - **Data loss prevention**
+ - **Malware**: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The **Policy Type** value indicates which feature was used.
+ - **Phishing**: The spam filter verdict was **Phishing** or anti-phishing protection quarantined the message ([spoof settings](anti-phishing-policies-about.md#spoof-settings) or [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
+ - **High confidence phishing**
+- **Recipient**: **All users** or **Only me**. End users can only manage quarantined messages sent to them.
+- **Release status**: Any of the following values:
+ - **Needs review**
+ - **Approved**
+ - **Denied**
+ - **Release requested**
+ - **Released**
+ - **Preparing to release**
+ - **Error**
+- **Policy Type**: Filter messages by policy type:
+ - **Anti-malware policy**
+ - **Safe Attachments policy**
+ - **Anti-phishing policy**
+ - **Anti-spam policy**
+ - **Transport rule** (mail flow rule)
+ - **Data loss prevention rule**
+
+When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
+
+- Sender email address
+- Subject. Use the entire subject of the message. The search isn't case-sensitive.
+
+After you've entered the search criteria, press the enter ENTER key to filter the results.
> [!NOTE]
-> To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.
+> The **Search** box searches for quarantined items in the current view, not all quarantined items. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
+
+After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
+
+> [!TIP]
+> On mobile devices, the previously described controls are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
>
-> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png":::
+> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png":::
+
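Review bot: The added sentence after the list of searchable values reads "press the enter ENTER key", so the word is doubled; change it to "press the ENTER key".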
+### View quarantined email details
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
+
+2. On the **Email** tab, select the quarantined message by clicking anywhere in the row other than the check box.
+
+In the details flyout that opens, the following information is available:
+
+- **Quarantine details** section:
+ - **Received**: The date/time when the message was received.
+ - **Expires**: The date/time when the message is automatically and permanently deleted from quarantine.
+ - **Subject**
+ - **Quarantine reason**: Shows if a message has been identified as **Spam**, **Bulk**, **Phish**, matched a mail flow rule (**Transport rule**), or was identified as containing **Malware**.
+ - **Policy type**
+ - **Policy name**
+ - **Recipient count**
+ - **Recipients**: If the message contains multiple recipients, you might need to use [Preview message](#preview-email-from-quarantine) or [View message header](#view-email-message-headers) to see the complete list of recipients.
+ - **Released to**: All email addresses (if any) to which the message has been released.
+- **Delivery details** section:
+ - **Threats**
+ - **Delivery action**
+ - **Original location**
+ - **Latest delivery location**
+ - **Detection technologies**
+ - **Primary override**
+- **Email details** section:
+ - **Sender display name**
+ - **Sender address**
+ - **SMTP Mail From address**
+ - **Sent on behalf of**
+ - **Return path**
+ - **Sender IP**
+ - **Location**
+ - **Recipients**
+ - **Time received**
+ - **Directionality**
+ - **Network message ID**
+ - **Internet message ID**
+ - **Campaign ID**
+ - **DMARC**
+ - **DKIM**
+ - **SPF**
+ - **Composite authentication**
+- **URLs** section
+- **Attachments** section
++
+To take action on the message, see the next section.
+
+> [!TIP]
+> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
### Take action on quarantined email
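Review bot: The line between the **Attachments** section bullet and "To take action on the message, see the next section." adds a lone "+" character where the neighbouring lines add an empty line; it will render as a stray plus sign or an empty list item and should be blank. "The next section" is also a positional reference; an anchor link to the **Take action on quarantined email** heading, in the style the **Recipients** bullet already uses for Preview message and View message header, would survive later reordering.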
-After you select a quarantined message from the list, the following actions are available in the details flyout:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
+
+2. On the **Email** tab, select the quarantined email message by using either of the following methods:
+
+ - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.
+
+ :::image type="content" source="../../media/quarantine-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Email tab of the Quarantine page." lightbox="../../media/quarantine-message-selected-message-actions.png":::
+
+ - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.
+
+ :::image type="content" source="../../media/quarantine-message-details-flyout-actions.png" alt-text="Available actions in the details flyout of a selected message." lightbox="../../media/quarantine-message-details-flyout-actions.png":::
+
+ Using either method to select the message, many actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** or **More options**.
+
+After you select the quarantined message, the available actions are described in the following subsections.
+
+> [!TIP]
+> On mobile devices, the action experience is slightly different:
+>
+> - When you select the message by selecting the check box, all actions are under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**:
+>
+> :::image type="content" source="../../media/quarantine-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and selecting More on a mobile device." lightbox="../../media/quarantine-message-main-page-mobile-actions.png":::
+>
+> - When you select the message by clicking anywhere other than the check box, description text isn't available on some of the action icons in the details flyout. But, the actions and their order is the same as on a PC:
+>
+> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png":::
+
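Review bot: In the second bullet of the mobile tip, "the actions and their order is the same as on a PC" has a plural subject and should read "are the same". In the step 2 text, "under **More** or **More options**" does not say which label belongs to the Email tab and which to the details flyout; the later subsections use **More** for the tab and **More options** for the flyout, so state that here once.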
+#### Release quarantined email
+
+This action isn't available for email messages that have already been released (the **Release status** value is **Released**).
+
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+- You can't release a message to the same recipient more than once.
+- When you select individual original recipients to receive the released message, you can select only recipients who haven't already received the released message.
+- Members of the **Security Administrators** role group can see and use the **Submit the message to Microsoft to improve detection** and **Allow email with similar attributes** options.
+- Users can report false positives to Microsoft from quarantine, depending on the value of the **Reporting from quarantine** setting in [user reported settings](submissions-user-reported-messages-custom-mailbox.md).
+
+After you select the message, use either of the following methods to release it:
+
+- **On the Email tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.
+- **In the details flyout of the selected message**: Click ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**.
+
+In the **Release email to recipient inboxes** flyout that opens, configure the following options:
+
+- Select one of the following values:
+ - **Release to all recipients**
+ - **Release to one or more of the original recipients of the email**: Enter the recipients in the **Recipients** box that appears.
+
+- **Send a copy of this message to another recipient**: If you select this option, select one or more recipients by clicking in the **Recipients** box that appears.
+
+- **Submit the message to Microsoft to improve detection**: If you select this option, the erroneously quarantined message is reported to Microsoft as a false positive. Depending on the results of their analysis, the service-wide spam filter rules might be adjusted to allow the message through.
+
+ Selecting this option reveals the following options:
+
+ - **Allow email with similar attributes**: If you select this option, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear:
+ - **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days.
+ - **Allow entry note**: Enter an optional note that contains additional information.
+When you're finished on the **Release email to recipient inboxes** flyout, click **Release message**.
-- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**<sup>\*</sup>: In the flyout pane that appears, configure the following options:
- - **Add sender to your organization's allow list**: Select this option to prevent messages from the sender from being quarantined.
- - Choose one of the following options:
- - **Release to all recipients**
- - **Release to specific recipients**: Select the recipients in the **Recipients** box that appears
- - **Send a copy of this message to other recipients**: Select this option and enter the recipient email addresses in the **Recipients** box that appears.
+Back on the **Email** tab, the **Release status** value of the message is **Released**.
- > [!NOTE]
- > To send a copy of the message to other recipients, you must also release the message at least one of the original recipients (select **Release to all recipients** or **Release to specific recipients**).
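Review bot: In the added **Submit the message to Microsoft to improve detection** bullet, "Depending on the results of their analysis" no longer has an antecedent, because the sentence naming the Microsoft Spam Analysis Team was removed; reword it to say whose analysis. The change also drops the note that sending a copy to other recipients requires releasing the message to at least one original recipient, and the **Add sender to your organization's allow list** option, without saying whether the behavior changed. If the requirement still applies, keep it under **Send a copy of this message to another recipient**.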
+#### Approve or deny release requests from users for quarantined email
- - **Submit the message to Microsoft to improve detection (false positive)**: This option is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. If the message was quarantined as spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. Depending on the results of their analysis, the service-wide spam filter rules might be adjusted to allow the message through.
+Users can request the release of email messages if the quarantine policy used **Allow recipients to request a message to be released from quarantine** (`PermissionToRequestRelease` permission) instead of **Allow recipients to release a message from quarantine** (`PermissionToRelease` permission) when the message was quarantined. For more information, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).
- - **Allow messages like this**: This option is turned off by default (![Toggle off.](../../media/scc-toggle-off.png)). Turn it on (![Toggle on](../../media/scc-toggle-on.png)) to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. When you turn this option on, the following options are available:
- - **Remove after**: Select how long you want to allow messages like this. Select **1 day** to **30 days**. The default is 30.
- - **Optional note**: Enter a useful description for the allow.
+After a recipient requests the release of the email message, the **Release status** value changes to **Release requested**, and an admin can approve or deny the request.
- When you're finished, click **Release message**.
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
- Notes about releasing messages:
+After you select the message, use either of the following methods to approve or deny the release request:
- - You can't release a message to the same recipient more than once.
- - Only recipients who haven't received the message will appear in the list of potential recipients.
- - Only members of the **Security Administrators** role group can see and use the **Submit the message to Microsoft to improve detection (false positive)** and **Allow messages like this** options.
+- **On the Email tab**: Click ![Approve release icon.](../../media/m365-cc-sc-edit-icon.png) **Approve release** or ![Deny icon.](../../media/m365-cc-sc-edit-icon.png) **Deny**.
+- **In the details flyout of the selected message**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** and then select **Approve release** or ![Deny icon.](../../media/m365-cc-sc-edit-icon.png) **Deny release**.
-- ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**: In the flyout that appears, add one or more recipients to receive a copy of the message. When you're finished, click **Share**.
+If you click **Approve release**, an **Approve release** flyout opens where you can review information about the message. To approve the request, click **Approve release**. A **Release approved** flyout opens where you can click the link to learn more about releasing messages. Click **Done** when you're finished on the **Release approved** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Approved**.
-The following actions are available after you click ![More actions icon.](../../media/m365-cc-sc-more-actions-icon.png) **More actions**:
+If you click **Deny**, a **Deny release** flyout opens where you can review information about the message. To deny the request, click **Deny release**. A **Release denied** flyout opens where you can click the link to learn more about releasing messages. Click **Done** when you're finished on the **Release denied** flyout. Back on the **Email** tab, the **Release status** value of the message changes to **Denied**.
-- ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**: Choose this link to see the message header text. The **Message header** flyout appears with the following links:
- - **Copy message header**: Click this link to copy the message header (all header fields) to your clipboard.
- - **Microsoft Message Header Analyzer**: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
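Review bot: In the added **On the Email tab** bullet, the "Approve release icon" and the "Deny icon" both point at m365-cc-sc-edit-icon.png, which looks like a placeholder copied from another action; confirm the image source for each. In the details flyout bullet, **Approve release** has no icon while **Deny release** does, and the action is called **Deny** on the Email tab but **Deny release** in the flyout, so say whether the labels really differ between the two surfaces.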
+#### Delete email from quarantine
-- ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**: In the flyout that appears, choose one of the following tabs:
+When you delete an email message from quarantine, the message is removed and isn't sent to the original recipients.
+
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+After you select the message, use either of the following methods to remove it:
+
+- **On the Email tab**: Click ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+
+In the **Delete (n) messages from quarantine** flyout that opens, use one of the following methods to delete the message:
+
+- Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and isn't recoverable.
+- Click **Delete** only: The message is deleted, but is potentially recoverable.
+
+After you click **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
+
+#### Preview email from quarantine
+
+After you select the message, use either of the following methods to preview it:
+
+- **On the Email tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+
+In the flyout that opens, choose one of the following tabs:
- **Source**: Shows the HTML version of the message body with all links disabled. - **Plain text**: Shows the message body in plain text. -- ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: The message is deleted and is not sent to the original recipients. How the message is deleted depends on your selections in the flyout that opens:
- - Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and is not recoverable.
- - Click **Delete** only: The message is deleted, but is potentially recoverable.
+#### View email message headers
+
+After you select the message, use either of the following methods to view the message headers:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
+
+In the **Message header** flyout that opens, the message header (all header fields) is shown.
+
+Use ![Copy message header icon.](../../media/m365-cc-sc-copy-icon.png) **Copy message header** to copy the message header to the clipboard.
+
+Click the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
+
+#### Report email to Microsoft for review from quarantine
+
+After you select the message, use either of the following methods to report the message to Microsoft for analysis:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
+
+In the **Submit to Microsoft for analysis** flyout that opens, configure the following options:
+
+- **Select the submission type**: Select **Email** (default), **URL**, or **File**.
+
+- **Add the network message ID or upload the email file**: Select one of the following options:
+ - **Add the email network message ID**: This value is selected by default, with the corresponding value in the box.
+ - **Upload the email file (.msg or eml)**: After you select this option, click the ![Browse files icon.](../../media/m365-cc-sc-import-icon.png)**Browse files** button that appears to find and select the .msg or .eml message file to submit.
+
+- **Choose a recipient who had an issue**: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
-- ![Download email icon.](../../media/m365-cc-sc-download-icon.png) **Download email**: In the flyout that appears, configure the following settings:
- - **Reason for downloading file**: Enter descriptive text.
- - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
+- **Select a reason for submitting to Microsoft**: Choose one of the following options:
- When you're finished, click **Download**, and then **Done** to save a local copy of the message. The .eml message file is save in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
+ - **Should not have been blocked (false positive)** (default): If you select this option, the following settings are available:
+ - **Allow email with similar attributes**: If you select this option, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear:
+ - **Remove entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days.
+ - **Allow entry note**: Enter an optional note that contains additional information.
-- ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**: Add the sender to the Blocked Senders list in **your** mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
+ - **Should not have been blocked (false negative)**: If you select this option, the following settings appear:
+ - **The email should have been categorized as**: Select **Phish**, **Spam**, or **Spam**.
+ - **Block all email from this sender or domain**: If you select this option, block entries for the **Sender** or **Domain** (you choose) are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md).
+ - **Remove block entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, **90 days**, **Never expire**, or a **Specific date**.
+ - **Block entry note**: Enter an optional note that contains additional information.
-- ![Submit only icon.](../../media/m365-cc-sc-create-icon.png) **Submit only**: Reports the message to Microsoft for analysis. In the flyout that appears, choose the following options:
- - **Select the submission type**: **Email** (default), **URL**, or **File**.
- - **Add the network message ID or upload the email file**: Select one of the following options:
- - **Add the email network message ID** (default, with the corresponding value in the box)
- - **Upload the email file (.msg or eml)**: Click **Browse files** to find and select the .msg or .eml message file to submit.
- - **Choose a recipient who had an issue**: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
- - **Select a reason for submitting to Microsoft**: Choose one of the following options:
- - **Should not have been blocked (false positive)** (default): The following options are available:
- - **Allow messages like this**: This option is turned off by default (![Toggle off.](../../media/scc-toggle-off.png)). Turn it on (![Toggle on](../../media/scc-toggle-on.png)) to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. When you turn this option on, the following options are available:
- - **Remove after**: Select how long you want to allow messages like this. Select **1 day** to **30 days**. The default is 30.
- - **Optional note**: Enter a useful description for the allow.
- - **Should have been blocked (false negative)**.
+When you're finished on the **Submit to Microsoft for analysis** flyout, click **Submit**.
- When you're finished, click **Submit**.
+> [!TIP]
+> Users can report false positives to Microsoft from quarantine, depending on the value of the **Reporting from quarantine** setting in [user reported settings](submissions-user-reported-messages-custom-mailbox.md).
-<sup>\*</sup> This option is not available for messages that have already been released (the **Released status** value is **Released**).
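Review bot: The second reason under **Select a reason for submitting to Microsoft** is labelled "Should not have been blocked (false negative)", which repeats the false-positive wording; the removed text had "Should have been blocked (false negative)". In the same block, "Select **Phish**, **Spam**, or **Spam**" lists one value twice, so the third category needs to be filled in. In the upload bullet, "(.msg or eml)" is missing the dot before eml and there is no space between the Browse files icon and **Browse files**.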
+#### Block email senders from quarantine
-If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the **Expires** column).
+The Block senders action adds the sender of the selected email message to the Blocked Senders list **in the mailbox of whomever is signed in**. Typically, this action is used by end-users if it's available to them by [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy). For more information about users blocking senders, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4)
+
+After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in **your** mailbox:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
+
+In the **Block sender** flyout that opens, review the information about the sender, and then click **Block**.
> [!NOTE]
-> On a mobile device, the description text isn't available on the action icons.
->
-> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png":::
->
-> The icons in order and their corresponding descriptions are summarized in the following table:
->
-> |Icon|Description|
-> |:||
-> |![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png)|**Release email**|
-> |![Share email icon.](../../media/m365-cc-sc-share-email-icon.png)|**Share email**|
-> |![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png)|**View message headers**|
-> |![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png)|**Preview message**|
-> |![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png)|**Delete from quarantine**|
-> |![Download email icon.](../../media/m365-cc-sc-download-icon.png)|**Download email**|
-> |![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png)|**Block sender**|
-> |![Submit only icon.](../../media/m365-cc-sc-create-icon.png)|**Submit only**|
+> Your organization can continue to received mail from the blocked sender. Messages from the sender are delivered to your Junk Email folder or to quarantine. To delete messages from the sender upon arrival, use [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to **Block the message**.
+
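Review bot: The added note says "Your organization can continue to received mail from the blocked sender"; it should read "receive". In the opening paragraph the action is called "Block senders" while the buttons are **Block sender**, "whomever is signed in" should be "whoever is signed in", and the final sentence (ending in the Block a mail sender link) has no period.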
+#### Share email from quarantine
+
+You can send a copy of the quarantined email message, including potentially harmful content, to the specified recipients.
+
+After you select the message, use either of the following methods to send a copy of it to others:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Share email icon.](../../media/m365-cc-sc-share-email-icon.png) **Share email**.
+
+In the **Share email with other users** flyout that opens, select one or more recipients to receive a copy of the message. When you're finished, click **Share**.
+
+#### Download email from quarantine
+
+After you select the email message, use either of the following methods to download it:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download messages**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download message**.
+
+In the **Download file** flyout that opens, enter the following information:
+
+- **Reason for downloading file**: Enter descriptive text.
+- **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
+
+When you're finished on the **Download file** flyout, click **Download**.
+
+When the download is ready, a **Save As** dialog opens for you to view or change the downloaded filename and location. By default, The .eml message file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
+
+Accept or change the downloaded file details, and then click **Save**.
+
+Back on the **Download file** flyout, click **Done**.
#### Take action on multiple quarantined email messages
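Review bot: The two download bullets name the action differently, **Download messages** on the Email tab and **Download message** in the details flyout, while both use the alt text "Download messages icon"; confirm both labels against the UI or make them consistent. "By default, The .eml message file" has a capital T mid-sentence. The **Share email** section states that the copy includes potentially harmful content; the download section could carry the same statement next to the password fields, since the downloaded .eml is the same message.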
-When you select multiple quarantined messages in the list (up to 100) by clicking in the empty check box to the left of the first column, you can take the following actions on the selected messages:
+When you select multiple quarantined messages on the **Email** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Email** tab (depending on the **Release status** values of the messages that you selected):
+
+- [Release quarantined email](#release-quarantined-email)
+
+ The only available options to select for bulk actions are **Send a copy of this message to other recipients in your organization** and **Send the message to Microsoft to improve detection (false positive)**.
-- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message:
- - **Add sender to your organization's allow list**
- - **Send a copy of this message to other recipients**
- - **Submit the message to Microsoft to improve detection (false positive)**
- - **Allow messages like this**:
- - **Remove after**: **1 day** to **30 days**
- - **Optional note**
+- [Approve or deny release requests from users for quarantined email](#approve-or-deny-release-requests-from-users-for-quarantined-email)
+- [Delete email from quarantine](#delete-email-from-quarantine)
+- [Report email to Microsoft for review from quarantine](#report-email-to-microsoft-for-review-from-quarantine)
- When you're finished, click **Release message**.
+ The only available options to select for bulk actions are **Allow emails with similar attributes** and the related **Remove allow entry after** and **Allow entry note** options.
- > [!NOTE]
- > Consider the following scenario: john@gmail.com sends a message to faith@contoso.com and john@subsidiary.contoso.com. Gmail bifurcates this message into two copies that are both routed to quarantine as phishing in Microsoft. An admin releases both of these messages to admin@contoso.com. The first released message that reaches the admin mailbox is delivered. The second released message is identified as duplicate delivery and is skipped. Message are identified as duplicates if they have the same message ID and received time.
+- [Download email from quarantine](#download-email-from-quarantine)
-- ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: The messages are deleted and are not sent to the original recipients. How the messages are deleted depends on your selections in the flyout that opens:
- - Select **Permanently delete the message from quarantine** and then click **Delete**: The messages are permanently deleted and are not recoverable.
- - Click **Delete** only: The messages are deleted, but they're potentially recoverable.
-- **... More** \> ![Submit only icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.-- **... More** \> ![Download email icon.](../../media/m365-cc-sc-download-icon.png) **Download messages** ## Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365 > [!NOTE] > The procedures for quarantined files in this section are available only to Microsoft Defender for Office 365 Plan 1 or Plan 2 subscribers.
+>
+> Files quarantined in SharePoint or OneDrive are removed fom quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.
In organizations with Defender for Office 365, admins can manage files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To enable protection for these files, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md).
-> [!NOTE]
-> Files quarantined in SharePoint or OneDrive are removed fom quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.
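Review bot: the relocated note still carries the typo "fom" in "removed fom quarantine after 30 days" on the added line. The line is being moved anyway, so correct it to "from" in the same change.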
- ### View quarantined files
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine**. To go directly to the **Quarantine** page, use <https://security.microsoft.com/quarantine>.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Files** tab. Or, to go directly to the **Files** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Files>.
-2. On the **Quarantine** page, select the **Files** tab (**Email** is the default tab).
+On the **Files** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
-3. You can sort the results by clicking on an available column header. Click **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
- - **User**<sup>\*</sup>
- - **Location**<sup>\*</sup>
- - **Attachment filename**<sup>\*</sup>
- - **File URL**<sup>\*</sup>
- - **File Size**
- - **Release status**<sup>\*</sup>
- - **Expires**<sup>\*</sup>
- - **Detected by**
- - **Modified by time**
+You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
- When you're finished, click **Apply** or **Cancel**.
+- **User**<sup>\*</sup>
+- **Location**<sup>\*</sup>: The value is **SharePoint** or **OneDrive**.
+- **Attachment filename**<sup>\*</sup>
+- **File URL**<sup>\*</sup>
+- **File Size**
+- **Release status**<sup>\*</sup>
+- **Expires**<sup>\*</sup>
+- **Detected by**
+- **Modified by time**
-4. To filter the results, click **Filter**. The following filters are available in the **Filters** flyout that appears:
- - **Time received**: **Start time** and **End time** (date).
- - **Expires**: **Start time** and **End time** (date).
- - **Quarantine reason**: The only available value is **Malware**.
- - **Policy type**
+To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
- When you're finished, click **Apply** or **Cancel**.
+- **Time received**:
+ - **Last 24 hours**
+ - **Last 7 days**
+ - **Last 14 days**
+ - **Last 30 days** (default)
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Expires**:
+ - **Custom** (default): Enter a **Start time** and **End time** (date).
+ - **Today**
+ - **Next 2 days**
+ - **Next 7 days**
+- **Quarantine reason**: The only available value is **Malware**.
+- **Policy type**: The only available value is **Unknown**.
-After you find a specific quarantined file, select the file to view details about it, and to take action on it (for example, view, release, download, or delete the file).
+When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific files by filename. Wildcards aren't supported.
+
+After you've entered the search criteria, press the enter ENTER key to filter the results.
+
+After you find a specific quarantined file, select the file to view details about it and to take action on it (for example, view, release, download, or delete the file).
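Review bot: "press the enter ENTER key" in the added search paragraph repeats the key name; it should read "press the ENTER key". In the filter list above it, **Policy type** is documented with **Unknown** as its only value, which leaves an admin with nothing to filter on, so either say why the filter is present or leave it out of the list.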
### View quarantined file details
-When you select a quarantined file from the list, the following information is available in the details flyout that opens:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Files** tab. Or, to go directly to the **Files** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Files>.
+
+2. On the **Files** tab, select the quarantined file by clicking anywhere in the row other than the check box.
+
+In the details flyout that opens, the following information is available:
:::image type="content" source="../../media/quarantine-file-details-flyout.png" alt-text="The details flyout of a quarantined file" lightbox="../../media/quarantine-file-details-flyout.png"::: -- **File Name**-- **File URL**: URL that defines the location of the file (for example, in SharePoint Online).-- **Malicious content detected on** The date/time the file was quarantined.-- **Expires**: The date when the file will be deleted from quarantine.-- **Detected by**-- **Released?**-- **Malware Name**-- **Document ID**: A unique identifier for the document.-- **File Size**: In kilobytes (KB).-- **Organization** Your organization's unique ID.-- **Last modified**-- **Modified By**: The user who last modified the file.-- **Secure Hash Algorithm 256-bit (SHA-256) value**: You can use this hash value to identify the file in other reputation stores or in other locations in your environment.
+- **File details** section:
+ - **File Name**
+ - **File URL**: URL that defines the location of the file (for example, in SharePoint Online).
+ - **Malicious content detected on** The date/time the file was quarantined.
+ - **Expires**: The date when the file will be deleted from quarantine.
+ - **Detected by**
+ - **Released?**
+ - **Malware Name**
+ - **Document ID**: A unique identifier for the document.
+ - **File Size**
+ - **Organization** Your organization's unique ID.
+ - **Last modified**
+ - **Last modified By**: The user who last modified the file.
+ - **Secure Hash Algorithm 256-bit (SHA-256) value**: You can use this hash value to identify the file in other reputation stores or in other locations in your environment.
To take action on the file, see the next section.
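Review bot: the **File Size** entry in the new **File details** list drops the unit that the removed text gave ("In kilobytes (KB)"); keep the unit or state what the flyout now displays. In the same list, **Malicious content detected on** and **Organization** are missing the colon that every other described field has, and **Last modified By** has inconsistent capitalization next to **Last modified**.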
-> [!NOTE]
-> To remain in the details flyout, but change the quarantined file that you're looking at, use the up and down arrows at the top of the flyout.
->
-> :::image type="content" source="../../media/quarantine-file-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of quarantined files" lightbox="../../media/quarantine-file-details-flyout-up-down-arrows.png":::
+> [!TIP]
+> To see details about other quarantined files without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
### Take action on quarantined files
-After you select a quarantined file from the list, the following actions are available in the details flyout:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Files** tab. Or, to go directly to the **Files** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Files>.
+
+2. On the **Files** tab, select the quarantined file by clicking anywhere in the row other than the check box.
+
+After you select the quarantined file, the available actions in the file details flyout that opens are described in the following subsections.
:::image type="content" source="../../media/quarantine-file-details-flyout-actions.png" alt-text="The actions in the details flyout of a quarantined file" lightbox="../../media/quarantine-file-details-flyout-actions.png"::: -- ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file**<sup>\*</sup>: In the flyout pane that appears, turn on or turn off **Report files to Microsoft for analysis**, and then click **Release**.-- ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png)-- ![Download file icon.](../../media/m365-cc-sc-download-icon.png) **Download file**: In the flyout that appears, select **I understand the risks from downloading this file**, and then click **Download** to save a local copy of the file.-- ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: After you click **Yes** in the warning that appears, the file is immediately deleted.-- ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**: Add the sender to the Blocked Senders list in **your** mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
+#### Release quarantined files from quarantine
+
+This action isn't available for files that have already been released (the **Released status** value is **Released**).
+
+If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the **Expires** column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
+
+After you select the file, click ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file** in the file details flyout that opens.
+
+In the **Release files and report them to Microsoft** flyout that opens, view the file details in the **Report files to Microsoft for analysis** section, decide whether to select **Report files to Microsoft for analysis**, and then click **Release**.
+
+In the **Files have been released** flyout that opens, click **Done**.
+
+Back on the file details flyout, click **Close**.
-<sup>\*</sup> This option is not available for files that have already been released (the **Released status** value is **Released**).
+Back on the **Files** tab, the **Release status** value of the file is **Released**.
-If you don't release or remove the file, it will be deleted after the default quarantine retention period expires (as shown in the **Expires** column).
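Review bot: the first sentence of the new release subsection names the column **Released status**, but the column list and the closing sentence of this same subsection call it **Release status**. Use **Release status** throughout. The retention paragraph ("If you don't release or delete the file from quarantine...") is also repeated verbatim under the delete subsection; consider stating it once before the action subsections.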
+#### Download quarantined files from quarantine
+
+After you select the file, click ![Download file icon.](../../media/m365-cc-sc-download-icon.png) **Download file** in the details flyout that opens.
+
+In the **Download file** flyout that opens, enter the following information:
+
+- **Reason for downloading file**: Enter descriptive text.
+- **Create password** and **Confirm password**: Enter a password that's required to open the downloaded file.
+
+When you're finished on the **Download file** flyout, click **Download**.
+
+When the download is ready, a **Save As** dialog opens for you to view or change the downloaded filename and location. By default, The file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
+
+Accept or change the downloaded file details, and then click **Save**.
+
+Back on the **Download file** flyout, click **Done**.
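Review bot: the added download steps say a quarantined file is saved as "Quarantined Messages.zip", which reads like text carried over from the email procedure; confirm that this is the filename produced from the **Files** tab. "By default, The file is saved" also needs a lowercase "the", and it would help to state that the password entered in **Create password** is the one needed to open the .zip, since the later sentence is the first place the compressed file is mentioned.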
+
+#### Delete quarantined files from quarantine
+
+If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the **Expires** column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
+
+After you select the file, click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine** in the details flyout that opens.
+
+Select **Continue** in the warning dialog that opens.
+
+Back on the **Files** tab, the file is no longer listed.
#### Take action on multiple quarantined files
-When you select multiple quarantined files in the list (up to 100) by clicking in the blank area to the left of the **Subject** column, the **Bulk actions** drop down list appears where you can take the following actions:
+When you select multiple quarantined files on the **Files** tab by selecting the check boxes next to the first column (up to 100 files), a **Bulk actions** drop down list appears where you can take the following actions:
+- [Release quarantined files from quarantine](#release-quarantined-files-from-quarantine)
+- [Delete quarantined files from quarantine](#delete-quarantined-files-from-quarantine)
+- [Download quarantined files from quarantine](#download-quarantined-files-from-quarantine)
-- ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file**: In the flyout pane that appears, turn on or turn off **Report files to Microsoft for analysis**, and then click **Release**.-- ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: After you click **Yes** in the warning that appears, the file is immediately deleted.-- ![Download file icon.](../../media/m365-cc-sc-download-icon.png) **Download file**: In the flyout that appears, select **I understand the risks from downloading this file**, and then click **Download** to save a local copy of the file. ## Use the Microsoft 365 Defender portal to manage quarantined messages in Microsoft Teams > [!NOTE] > This section lists new features which are currently in preview.
-When a potentially malicious message is detected in a chat message in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Admins can view and manage these quarantined messages. Note that the message is quarantined for 30 days, after that it is permanently removed.
+When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Admins can view and manage these quarantined Teams messages. The message is quarantined for 30 days. After that the Teams message is permanently removed.
For the preview release, this feature is enabled by default.
For the preview release, this feature is enabled by default.
### View quarantined messages in Microsoft Teams
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine**. To go directly to the **Quarantine** page, use <https://security.microsoft.com/quarantine>.
-
-2. On the **Quarantine** page, select the **Teams messages** tab.
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.
:::image type="content" source="../../media/admin-quarantine-teams-message-tab.png" alt-text="Screenshot of the Teams messages tab in quarantine." lightbox="../../media/admin-quarantine-teams-message-tab.png":::
-3. You can sort the results by clicking on an available column header. Click **Customize columns** to change the columns that are shown.
- - **Teams message text**: Contains the subject for the teams message.
- - **Time received**: The time the message is received by the recipient.
- - **Release status**: Shows whether the message is already reviewed and released or needs review.
- - **Participants**: The total number of users who received the message.
- - **Sender**: The person who sent the message that was quarantined.
- - **Quarantine reason**: Available options are "High confidence phish" and "Malware".
- - **Policy type**: The organization policy responsible for the quarantined message.
- - **Expires**: Indicates the time after which the message is removed from quarantine. By default, this is 30 days.
- - **Recipient address**: Email address of the recipients.
- - **Message ID**: Includes the chat message ID.
+On the **Teams messages** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
+
+You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+
+- **Teams message text**: Contains the subject for the teams message.<sup>\*</sup>
+- **Time received**: The time the message was received by the recipient.<sup>\*</sup>
+- **Release status**: Shows whether the message is already reviewed and released or needs review. <sup>\*</sup>
+- **Participants**: The total number of users who received the message.<sup>\*</sup>
+- **Sender**: The person who sent the message that was quarantined.<sup>\*</sup>
+- **Quarantine reason**: Available options are "High confidence phish" and "Malware".<sup>\*</sup>
+- **Policy type**: The organization policy responsible for the quarantined message.<sup>\*</sup>
+- **Expires**: Indicates the time after which the message is removed from quarantine. By default, this value is 30 days.<sup>\*</sup>
+- **Recipient address**: Email address of the recipients.<sup>\*</sup>
+- **Message ID**: Includes the chat message ID.
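Review bot: the default-column asterisk is placed at the end of each description in this list (with a stray space before it on the **Release status** line), while the **Files** tab list earlier in the same change puts it directly after the bold column name. Move the marker next to the column name so both lists read the same way, and capitalize "Teams" in "the subject for the teams message".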
-4. To filter the results, click **Filter**. Select the columns you want, and then click **Apply**.
+To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
+
+- **Message ID**
+- **Sender address**
+- **Recipient address**
+- **Subject**
+- **Time received**:
+ - **Last 24 hours**
+ - **Last 7 days**
+ - **Last 14 days**
+ - **Last 30 days** (default)
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Expires**:
+ - **Custom** (default): Enter a **Start time** and **End time** (date).
+ - **Today**
+ - **Next 2 days**
+ - **Next 7 days**
+- **Quarantine reason**: Available valued are **Malware** and **High confidence phishing**.
+- **Recipient**: Select **All users** or **Only me**.
+
+When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific Teams messages. Wildcards aren't supported.
+
+After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
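Review bot: the **Quarantine reason** filter line has a typo ("Available valued are") and names the value **High confidence phishing**, while the column description a few lines up gives it as "High confidence phish". Pick the string the portal shows and use it in both places. The filter list also offers **Subject** although the corresponding column is called **Teams message text**; note the mapping or align the names.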
### View quarantined message details in Microsoft Teams
-When you select a quarantined message from the list, the following information is available in the details flyout that opens:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.
+
+2. On the **Teams messages** tab, select the quarantined message by clicking anywhere in the row other than the check box.
+
+In the details flyout that opens, the following information is available:
:::image type="content" source="../../media/admin-quarantine-teams-details-flyout.png" alt-text="Screenshot of the Teams message details flyout in quarantine." lightbox="../../media/admin-quarantine-teams-details-flyout.png"::: -- **Quarantine details**: Includes quarantine reason, expiry date, quarantine policy type, and other information.-- **Message details**: Includes the primary threat reason, date and time of the message sent, and the sender address. Also includes the Teams message ID and the detection technology.-- **Sender**: Includes the sender name, their domain location, and whether the sender is from outside the organization.-- **Participants**: The names and email IDs of all the people who received the same message.
+- **Quarantine details** section: Includes quarantine reason, expiry date, quarantine policy type, and other information.
+- **Message details** section: Includes the primary threat reason, date and time of the message sent, and the sender address. Also includes the Teams message ID and the detection technology.
+- **Sender** section: Includes the sender name, their domain location, and whether the sender is from outside the organization.
+- **Participants section**: The names and email IDs of all the people who received the same message.
- **URLs**: Includes the details of any malicious URLs that were detected in the chat message. To take action on the message, see the next section.
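Review bot: on the added **Participants** line the word "section" is inside the bold ("**Participants section**"), unlike the three lines above it ("**Quarantine details** section", and so on). The unchanged **URLs** line was not given the "section" wording at all, so the list is now inconsistent; update both lines to the same pattern.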
+> [!TIP]
+> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+ ### Take action on quarantined messages in Microsoft Teams
-After you select a quarantined message from the list, the following actions are available in the details flyout:
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Teams messages** tab. Or, to go directly to the **Teams messages** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Teams>.
+2. On the **Teams messages** tab, select the quarantined message by using either of the following methods:
-- **Release**: Allows the admin to release the message only to the recipients within the organization.-- **Preview message**: Preview the message in quarantine before taking any action.-- **Delete from quarantine**: Deletes the message permanently from quarantine for all users in the organization.-- **Download message**: Downloads the message as a plain .txt for the admin. -- **Submit for review**: Allows the admin to submit the message to Microsoft for review.
+ - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.
-If you don't release or remove the file, it will be deleted after the default quarantine retention period expires (30 days).
+ :::image type="content" source="../../media/quarantine-teams-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Teams message tab of the Quarantine page." lightbox="../../media/quarantine-teams-message-selected-message-actions.png":::
-#### Take action on multiple quarantined messages
+ - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.
-When you select multiple quarantined files in the list by clicking the checkbox next to the messages, the **More** option appears:
+ :::image type="content" source="../../media/admin-quarantine-teams-actions-details.png" alt-text="Screenshot of the actions menu for messages in quarantine." lightbox="../../media/admin-quarantine-teams-actions-details.png":::
+ Using either method to select the message, some actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
-- **Release**: Select this option to release messages to the intended recipients within the organization.-- **Delete messages**: Select this option to delete the messages permanently from quarantine.-- **Submit for review**: Select this option to submit the messages to Microsoft for review.-- **Download messages**: Select this option to save a local copy of the messages.
+After you select the quarantined message, the available actions are described in the following subsections.
-## Use Exchange Online PowerShell or standalone EOP PowerShell to manage quarantined messages
+#### Release quarantined Teams messages
-The cmdlets that you use to view and manage messages and files in quarantine are described in this section.
+This action isn't available for Teams messages that have already been released (the **Release status** value is **Released**).
-- [Delete-QuarantineMessage](/powershell/module/exchange/delete-quarantinemessage)-- [Export-QuarantineMessage](/powershell/module/exchange/export-quarantinemessage)-- [Get-QuarantineMessage](/powershell/module/exchange/get-quarantinemessage)-- [Preview-QuarantineMessage](/powershell/module/exchange/preview-quarantinemessage): Note that this cmdlet is only for messages, not quarantined files from Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.-- [Release-QuarantineMessage](/powershell/module/exchange/release-quarantinemessage)
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+After you select the message, use either of the following methods to release it:
+
+- **On the Teams messages tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.
+- **In the details flyout of the selected message**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.
+
+In the **Release to all chat participants** flyout that opens, decide whether to select **Submit the message to Microsoft to improve detection (false positive)**, and then click **Release**.
-### Use PowerShell to manage quarantined messages in Microsoft Teams
+#### Delete Teams messages from quarantine
+
+If you don't release or remove a Teams message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+After you select the Teams message, use either of the following methods to remove it:
+
+- **On the Teams messages tab**: Click ![Delete messages icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+
+In the warning dialog that opens, read the information and then click **Continue**.
+
+Back on the **Teams messages** tab, the message is no longer listed.
+
+#### Preview Teams messages from quarantine
+
+After you select the Teams message, use either of the following methods to preview it:
+
+- **On the Teams messages tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+
+In the flyout that opens, choose one of the following tabs:
+ - **Source**: Shows the HTML version of the message body with all links disabled.
+ - **Plain text**: Shows the message body in plain text.
-To manage quarantined messages for the Microsoft Teams chat, the admin will need to use the [Get-QuarantineMessage](/powershell/module/exchange/get-quarantinemessage) cmdlet with the following parameters to identify the messages.
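Review bot: in the details-flyout bullet of the preview subsection, the **More options** label and the "\>" separator are missing between the two icons, so the step reads as two icons followed by **Preview message**. The delete and download subsections use "**More options** \> ..."; match that here. The **Source** and **Plain text** items are also indented as if nested under a list item, but they follow a plain paragraph.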
+#### Report Teams messages to Microsoft for review from quarantine
-|Quarantine cmdlets|Parameters|
-|||
-|`QuarantineScenario`|Email </br>SPO </br>Teams|
-|`EmailQuarantineType`|Bulk </br>HighConfPhish </br>Malware</br>Phish </br>Spam </br>TransportRule|
-|`SPOQuarantineType`|Malware|
-|`TeamsQuarantineType`|HighConfPhish </br>Malware|
+After you select the message, use either of the following methods to report the message to Microsoft for analysis:
-Admins can select a quarantined message from the list to view or take action.
+- **On the Teams messages tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Submit for review icon.](../../media/m365-cc-sc-create-icon.png) **Submit for review**.
-**Example**:
+When you click **Submit message**, the message is sent to Microsoft for analysis. You receive an **Item** submitted dialog where you click **OK**.
-```powershell
- Get-QuarantineMessage -Identity c14401cf-aa9a-465b-cfd5-08d0f0ca37c5\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7 |
- -Scenario Teams
-```
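Review bot: the report subsection tells the reader to click **Submit for review** and then says "When you click **Submit message**" without describing the flyout or dialog where that button appears; add the intermediate step. In the same sentence the bold covers only part of the dialog name ("**Item** submitted dialog"); it should cover the whole name.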
+#### Download Teams messages from quarantine
+
+After you select the Teams message, use either of the following methods to download it:
+
+- **On the Teams messages tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download messages**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Download messages icon.](../../media/m365-cc-sc-download-icon.png) **Download message**.
+
+In the **Download messages** flyout that opens, enter the following information:
+
+- **Reason for downloading file**: Enter descriptive text.
+- **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
+
+When you're finished on the **Download file** flyout, click **Download**.
+
+By default, The .html message file is saved in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
+
+Back on the **Download messages** flyout, click **Done**.
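Review bot: the flyout is introduced as **Download messages** and closed as **Download messages**, but the middle step says "When you're finished on the **Download file** flyout"; use one name. The field label **Reason for downloading file** should be checked against the Teams flyout as well, and "By default, The .html message file" needs a lowercase "the".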
+
+#### Take action on multiple quarantined Teams messages
+
+When you select multiple quarantined messages on the **Teams messages** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Teams messages** tab:
+
+- [Release quarantined Teams messages](#release-quarantined-teams-messages)
+- [Delete Teams messages from quarantine](#delete-teams-messages-from-quarantine)
+- [Report Teams messages to Microsoft for review from quarantine](#report-teams-messages-to-microsoft-for-review-from-quarantine)
+- [Download Teams messages from quarantine](#download-teams-messages-from-quarantine)
++
+## Use Exchange Online PowerShell or standalone EOP PowerShell to manage quarantined messages
+
+The cmdlets that you use to view and manage messages and files in quarantine are described in this section.
+
+- [Delete-QuarantineMessage](/powershell/module/exchange/delete-quarantinemessage)
+- [Export-QuarantineMessage](/powershell/module/exchange/export-quarantinemessage)
+- [Get-QuarantineMessage](/powershell/module/exchange/get-quarantinemessage)
+- [Preview-QuarantineMessage](/powershell/module/exchange/preview-quarantinemessage): This cmdlet is for messages only, not quarantined files.
+- [Release-QuarantineMessage](/powershell/module/exchange/release-quarantinemessage)
## For more information
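Review bot: the re-added PowerShell section lists the five cmdlets but no longer documents how to scope them to Teams; the removed subsection had the `QuarantineScenario` and `TeamsQuarantineType` values and a `Get-QuarantineMessage` example, and nothing in the added lines replaces them. If that guidance moved to the cmdlet reference, link to it from here; otherwise keep a short parameter note. There is also a stray "+" on its own line immediately before the "## Use Exchange Online PowerShell..." heading that will render as text.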
security Quarantine End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md
As an ordinary user (not an admin), the **default** capabilities that are availa
|&nbsp;&nbsp;&nbsp;Safe Attachments policies that quarantine email messages with malicious attachments as malware.|||| |&nbsp;&nbsp;&nbsp;Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that quarantines malicious files as malware.|||| |**Mail flow rules (transport rules)**||||
-|&nbsp;&nbsp;&nbsp;Mail flow rules that quarantine email messages.||||
+|&nbsp;&nbsp;&nbsp;Mail flow rules that quarantine email messages (directly, not by marking them as spam).||||
-_Quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined in [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for messages that were quarantined by the security feature as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
+In [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for messages as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).
You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) quarantine notifications from quarantine policies.
You view and manage your quarantined messages in the Microsoft 365 Defender port
> [!NOTE] > Your ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)).
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine**. To go directly to the **Quarantine** page, use <https://security.microsoft.com/quarantine>.
-
-2. On the **Quarantine** page, you can sort the results by clicking on an available column header. Click **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
-
- - **Time received**<sup>\*</sup>
- - **Subject**<sup>\*</sup>
- - **Sender**<sup>\*</sup>
- - **Quarantine reason**<sup>\*</sup>
- - **Release status**<sup>\*</sup>
- - **Policy type**<sup>\*</sup>
- - **Expires**<sup>\*</sup>
- - **Recipient**
- - **Message ID**
- - **Policy name**
- - **Message size**
- - **Mail direction**
-
- When you're finished, click **Apply**.
-
-3. To filter the results, click **Filter**. The following filters are available in the **Filters** flyout that appears:
- - **Message ID**: The globally unique identifier of the message.
- - **Sender address**
- - **Recipient address**
- - **Subject**
- - **Time received**: Enter a **Start time** and **End time** (date).
- - **Expires**: Filter messages by when they will expire from quarantine:
- - **Today**
- - **Next 2 days**
- - **Next 7 days**
- - **Custom**: Enter a **Start time** and **End time** (date).
- - **Quarantine reason**:
- - **Bulk**
- - **Spam**
- - **Phishing**: The spam filter verdict was **Phishing** or anti-phishing protection quarantined the message ([spoof settings](anti-phishing-policies-about.md#spoof-settings) or [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
- - **High confidence phishing**
- - **Release status**: Any of the following values:
- - **Needs review**
- - **Approved**
- - **Denied**
- - **Release requested**
- - **Released**
- - **Policy Type**: Filter messages by policy type:
- - **Anti-malware policy**
- - **Safe Attachments policy**
- - **Anti-phishing policy**
- - **Anti-spam policy**
-
- When you're finished, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
-
-4. Use **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- - Message ID
- - Sender email address
- - Recipient email address
- - Subject. Use the entire subject of the message. The search is not case-sensitive.
- - Policy name. Use the entire policy name. The search is not case-sensitive.
-
- After you've entered the search criteria, press the ENTER key to filter the results.
-
- > [!NOTE]
- > The **Search** box on the main **Quarantine** page will search only quarantined items in the current view, not the entire quarantine. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
-
-After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
-### View quarantined message details
+On the **Email** tab, you can decrease the vertical spacing in the list by clicking ![Change list spacing to compact or normal icon.](../../media/m365-cc-sc-standard-icon.png) **Change list spacing to compact or normal** and then selecting ![Compact list icon.](../../media/m365-cc-sc-compact-icon.png) **Compact list**.
-When you select quarantined message from the list, the following information is available in the details flyout that appears.
+You can sort the results by clicking on an available column header. Click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>):
+- **Time received**<sup>\*</sup>
+- **Subject**<sup>\*</sup>
+- **Sender**<sup>\*</sup>
+- **Quarantine reason**<sup>\*</sup>
+- **Release status**<sup>\*</sup>
+- **Policy type**<sup>\*</sup>
+- **Expires**<sup>\*</sup>
+- **Recipient**<sup>\*</sup>
+- **Message ID**
+- **Policy name**
+- **Message size**
+- **Mail direction**
+- **Recipient tag**
-When you select an email message in the list, the following message details appear in the **Details** flyout pane:
+To filter the results, click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter**. The following filters are available in the **Filters** flyout that opens:
-- **Message ID**: The globally unique identifier for the message.
+- **Message ID**: The globally unique identifier of the message.
- **Sender address**-- **Received**: The date/time when the message was received.
+- **Recipient address**
- **Subject**-- **Quarantine reason**-- **Policy type**: The type of policy. For example, **Anti-spam policy**.-- **Recipient count**-- **Recipients**: If the message contains multiple recipients, you need to click **Preview message** or **View message header** to see the complete list of recipients.-- **Expires**: The date/time when the message will be automatically and permanently deleted from quarantine.
+- **Time received**:
+ - **Last 24 hours**
+ - **Last 7 days**
+ - **Last 14 days**
+ - **Last 30 days** (default)
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Expires**: Filter messages by when they expire from quarantine:
+ - **Today**
+ - **Next 2 days**
+ - **Next 7 days**
+ - **Custom**: Enter a **Start time** and **End time** (date).
+- **Recipient tag**
+- **Quarantine reason**:
+ - **Transport rule** (mail flow rule)
+ - **Bulk**
+ - **Spam**
+ - **Data loss prevention**
+ - **Malware**: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The **Policy Type** value indicates which feature was used.
+ - **Phishing**: The spam filter verdict was **Phishing** or anti-phishing protection quarantined the message ([spoof settings](anti-phishing-policies-about.md#spoof-settings) or [impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)).
+ - **High confidence phishing**
+- **Recipient**: **All users** or **Only me**. End users can only manage quarantined messages sent to them.
+- **Release status**: Any of the following values:
+ - **Needs review**
+ - **Approved**
+ - **Denied**
+ - **Release requested**
+ - **Released**
+- **Policy Type**: Filter messages by policy type:
+ - **Anti-malware policy**
+ - **Safe Attachments policy**
+ - **Anti-phishing policy**
+ - **Anti-spam policy**
+ - **Transport rule** (mail flow rule)
+
+When you're finished on the **Filters** flyout, click **Apply**. To clear the filters, click ![Clear filters icon.](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
+
+- Sender email address
+- Subject. Use the entire subject of the message. The search isn't case-sensitive.
+
+After you've entered the search criteria, press the enter ENTER key to filter the results.
+
+> [!NOTE]
+> The **Search** box searches for quarantined items in the current view, not all quarantined items. To search all quarantined items, use **Filter** and the resulting **Filters** flyout.
+
+After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
+
+> [!TIP]
+> On mobile devices, the previously described controls are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**.
+>
+> :::image type="content" source="../../media/quarantine-user-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and then selecting More on a mobile device." lightbox="../../media/quarantine-user-message-main-page-mobile-actions.png":::
+
+### View quarantined message details
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
+
+2. On the **Email** tab, select the quarantined message by clicking anywhere in the row other than the check box.
+
+In the details flyout that opens, the following information is available:
+
+- **Quarantine details** section:
+ - **Received**: The date/time when the message was received.
+ - **Expires**: The date/time when the message is automatically and permanently deleted from quarantine.
+ - **Subject**
+ - **Quarantine reason**: Shows if a message has been identified as **Spam**, **Bulk**, **Phish**, matched a mail flow rule (**Transport rule**), or was identified as containing **Malware**.
+ - **Policy type**
+ - **Policy name**
+ - **Recipient count**
+ - **Recipients**: If the message contains multiple recipients, you might need to click **...** \> **Preview message** or ***...** \> **View message header** to see the complete list of recipients.
+- **Email details** section:
+ - **Sender address**
+ - **Time received**
+ - **Network message ID**
+ - **Recipients**
+ To take action on the message, see the next section.
+> [!TIP]
+> To see details about other quarantined messages without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item** buttons at the top of the flyout.
+
+## Take action on quarantined email
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Quarantine** \> **Email** tab. Or, to go directly to the **Email** tab on the **Quarantine** page, use <https://security.microsoft.com/quarantine?viewid=Email>.
+
+2. On the **Email** tab, select the quarantined email message by using either of the following methods:
+
+ - Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.
+
+ :::image type="content" source="../../media/quarantine-user-message-selected-message-actions.png" alt-text="Available actions after you select a quarantined message on the Email tab of the Quarantine page." lightbox="../../media/quarantine-user-message-selected-message-actions.png":::
+
+ - Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.
+
+ :::image type="content" source="../../media/quarantine-user-message-details-flyout-actions.png" alt-text="The available actions in the details flyout of a quarantined message" lightbox="../../media/quarantine-user-message-details-flyout-actions.png":::
+
+ Using either method to select the message, some actions are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** or **More options**.
+
+After you select the quarantined message, the available actions are described in the following subsections.
+
+> [!TIP]
+> On mobile devices, the action experience is slightly different:
+>
+> - When you select the message by selecting the check box, all actions are under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More**:
+>
+> :::image type="content" source="../../media/quarantine-user-message-main-page-mobile-actions.png" alt-text="Selecting a quarantined message and then selecting More on a mobile device." lightbox="../../media/quarantine-user-message-main-page-mobile-actions.png":::
+>
+> - When you select the message by clicking anywhere other than the check box, most options are available under ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** in the details flyout:
+>
+> :::image type="content" source="../../media/quarantine-user-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions shown." lightbox="../../media/quarantine-user-message-details-flyout-mobile-actions.png":::
+
+### Release quarantined email
+ > [!NOTE]
-> To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.
+> Your ability to release quarantined messages is controlled by the quarantine policy for the protection feature that quarantined the message (which might be a default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)).
>
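Review bot: In the new **Quarantine details** list, the **Quarantine reason** description names only **Spam**, **Bulk**, **Phish**, **Transport rule** and **Malware**, while the **Quarantine reason** filter added earlier in this same change also offers **Data loss prevention** and **High confidence phishing** and spells the value **Phishing**. Align the two lists, or say that the description is not exhaustive. Smaller fixes in this hunk: "press the enter ENTER key" repeats a word, `***...** \> **View message header**` has an extra asterisk that breaks the bold markup, and the indented "To take action on the message, see the next section." line runs straight into the `> [!TIP]` that follows it.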
-> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png":::
+> A quarantine policy can allow you to release a message or request the release of a message, but both options aren't available for the same message. A quarantine policy can also prevent you from releasing or requesting the release of quarantined messages.
+
+This action isn't available for email messages that have already been released (the **Release status** value is **Released**).
+
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+After you select the message, use either of the following methods to release it (deliver it to your mailbox):
+
+- **On the Email tab**: Click ![Release icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release**.
+- **In the details flyout of the selected message**: Click ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**.
+
+In the **Release message to your Inbox** flyout that opens, select **Report message as having no threats** as appropriate, and then click **Release message**.
+
+When you're finished on the **Release message to your Inbox** flyout, click **Release message**.
-### Take action on quarantined email
+In the **Messages released to your Inbox** flyout that opens, click **Done**.
+
+Back on the **Email** tab, the **Release status** value of the message is **Released**.
+
+### Request the release of quarantined email
> [!NOTE]
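Review bot: The release procedure tells the reader to click **Release message** twice: the paragraph beginning "In the **Release message to your Inbox** flyout that opens" already ends with "and then click **Release message**", and the next paragraph ("When you're finished on the **Release message to your Inbox** flyout, click **Release message**") repeats it. Drop one of the two so the steps read as a single click.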
-> Your ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md)). This section describes all available actions.
+> Your ability to request the release of quarantined messages is controlled by the quarantine policy for the protection feature that quarantined the message.
+>
+> A quarantine policy can allow you to release a message or request the release of a message, but both options aren't available for the same message. A quarantine policy can also prevent you from releasing or requesting the release of quarantined messages.
+
+This action isn't available for email messages where you already requested release (the **Release status** value is **Released requested**).
+
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
+
+After you select the message, use either of the following methods to request its release:
+
+- **On the Email tab**: Click ![Request release icon.](../../media/m365-cc-sc-edit-icon.png) **Request release**.
+- **In the details flyout of the selected message**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Request release icon.](../../media/m365-cc-sc-edit-icon.png) **Request release**..
-After you select a quarantined message from the list, the following actions are available in the details flyout:
+In the **Request release** flyout that opens, review the information, click **Request release**. In the **Release requested** flyout that opens, click **Done**.
+Back on the **Quarantine page**, the **Release status** value of the message is **Release requested**. An admin will review your request and approve it or deny it.
-- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**<sup>\*</sup>: Delivers the message to your Inbox.
+### Delete email from quarantine
-- ![View message headers icon.](../../media/m365-cc-sc-eye-icon.png) **View message headers**: Choose this link to see the message header text. The **Message header** flyout appears with the following links:-- **Copy message header**: Click this link to copy the message header (all header fields) to your clipboard.-- **Microsoft Message Header Analyzer**: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
+When you delete an email message from quarantine, the message is removed and isn't sent to the original recipients.
-The following actions are available after you click ![More actions icon.](../../media/m365-cc-sc-more-actions-icon.png) **More actions**:
+If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the **Expires** column.
-- ![Preview message icon.](../../media/m365-cc-sc-eye-icon.png) **Preview message**: In the flyout that appears, choose one of the following tabs:
+After you select the message, use either of the following methods to remove it:
+
+- **On the Email tab**: Click ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**.
+
+In the **Delete (n) messages from quarantine** flyout that opens, use one of the following methods to delete the message:
+
+- Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and isn't recoverable.
+- Click **Delete** only: The message is deleted, but is potentially recoverable.
+
+After you click **Delete** on the **Delete (n) messages from quarantine** flyout, you return to the **Email** tab where the message is no longer listed.
+
+### Preview email from quarantine
+
+After you select the message, use either of the following methods to preview it:
+
+- **On the Email tab**: Click ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Preview message icon.](../../media/m365-cc-sc-preview-message-icon.png) **Preview message**.
+
+In the flyout that opens, choose one of the following tabs:
- **Source**: Shows the HTML version of the message body with all links disabled. - **Plain text**: Shows the message body in plain text. -- ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: The message is deleted and is not sent to the original recipients. How the message is deleted depends on your selections in the flyout that opens:
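Review bot: "the **Release status** value is **Released requested**" in the request-release section does not match the value used everywhere else in this change, **Release requested** (the **Release status** filter list and the sentence "the **Release status** value of the message is **Release requested**"). Also in this hunk: `**Request release**..` ends with a double period, "review the information, click **Request release**" needs "and then" before "click", and "Back on the **Quarantine page**" bolds the word "page" and names the page where the parallel release section says "Back on the **Email** tab".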
- - Select **Permanently delete the message from quarantine** and then click **Delete**: The message is permanently deleted and is not recoverable.
- - Click **Delete** only: The message is deleted, but is potentially recoverable.
+### View email message headers
-- ![Download email icon.](../../media/m365-cc-sc-download-icon.png) **Download email**: In the flyout that appears, configure the following settings:
- - **Reason for downloading file**: Enter descriptive text.
- - **Create password** and **Confirm password**: Enter a password that's required to open the downloaded message file.
+After you select the message, use either of the following methods to view the message headers:
- When you're finished, click **Download**, and then **Done** to save a local copy of the message. The .eml message file is save in a compressed file named Quarantined Messages.zip in your **Downloads** folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![View message headers icon.](../../media/m365-cc-sc-view-message-headers-icon.png) **View message headers**.
-- ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**: Add the sender to the Blocked Senders list in **your** mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
+In the **Message header** flyout that opens, the message header (all header fields) is shown.
-<sup>\*</sup> This option is not available for messages that have already been released (the **Released status** value is **Released**).
+Use ![Copy message header icon.](../../media/m365-cc-sc-copy-icon.png) **Copy message header** to copy the message header to the clipboard.
-If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the **Expires** column).
+Click the **Microsoft Message Header Analyzer** link to analyze the header fields and values in depth. Paste the message header into the **Insert the message header you would like to analyze** section (CTRL+V or right-click and choose **Paste**), and then click **Analyze headers**.
-> [!NOTE]
-> On a mobile device, the description text isn't available on the action icons.
->
-> :::image type="content" source="../../media/quarantine-user-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions highlighted" lightbox="../../media/quarantine-user-message-details-flyout-mobile-actions.png":::
+### Block email senders from quarantine
->
-> The icons in order and their corresponding descriptions are summarized in the following table:
->
-> |Icon|Description|
-> |:||
-> |![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png)|**Release email**|
-> |![View message headers icon.](../../media/m365-cc-sc-eye-icon.png)|**View message headers**|
-> |![Preview message icon.](../../media/m365-cc-sc-eye-icon.png)|**Preview message**|
-> |![Remove from quarantine icon.](../../media/m365-cc-sc-delete-icon.png)|**Remove from quarantine**|
-> |![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png)|**Block sender**|
+The Block senders action adds the message sender to the Blocked Senders list in the your mailbox. For more information about blocking senders, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4)
+
+After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in your mailbox:
+
+- **On the Email tab**: Click ![More icon.](../../media/m365-cc-sc-more-actions-icon.png) **More** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
+- **In the details flyout of the selected message**: Click ![More options icon.](../../media/m365-cc-sc-more-actions-icon.png) **More options** \> ![Block sender icon.](../../media/m365-cc-sc-block-sender-icon.png) **Block sender**.
-#### Take action on multiple quarantined email messages
+In the **Block sender** flyout that opens, review the information about the sender, and then click **Block**.
-When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the **Bulk actions** drop down list appears where you can take the following actions:
+### Take action on multiple quarantined email messages
+When you select multiple quarantined messages on the **Email** tab by selecting the check boxes next to the first column, the following bulk actions are available on the **Email** tab (depending on the **Release status** values of the messages that you selected):
-- ![Release messages icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release messages**: Delivers the messages to your Inbox.-- ![Remove from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**: After you click **Yes** in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.
+- [Release quarantined email](#release-quarantined-email)
+- [Request the release of quarantined email](#request-the-release-of-quarantined-email)
+- [Delete email from quarantine](#delete-email-from-quarantine)
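Review bot: In the Block email senders section, "adds the message sender to the Blocked Senders list in the your mailbox" has a stray "the", the sentence ending in the `Block a mail sender` link lacks a closing period, and "The Block senders action" does not match the **Block sender** label used in the steps below it. Separately, the removed bulk-actions text said multiple messages could be selected "(up to 100)" and the replacement paragraph states no limit; if a limit still applies, keep it in the new wording.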
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
description: Admins can learn how to use quarantine policies to control what users are able to do to quarantined messages. Previously updated : 4/5/2023 Last updated : 4/11/2023 # Quarantine policies
Last updated 4/5/2023
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, _quarantine policies_ allow admins to define the user experience for quarantined messages: - What users are allowed to do to their own quarantined messages (messages where they're a recipient) based on why the message was quarantined.-- Whether users receive notifications about their quarantined messages via [Quarantine notifications](quarantine-quarantine-notifications.md).
+- Whether users receive periodic notifications about their quarantined messages via [quarantine notifications](quarantine-quarantine-notifications.md).
-Traditionally, users have been allowed or denied levels of interactivity for quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
+Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
Default quarantine policies enforce these historical user capabilities, and are automatically assigned in [supported protection features](#step-2-assign-a-quarantine-policy-to-supported-features) that quarantine messages.
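Review bot: The rewritten sentence changes "for quarantine messages" to "with quarantine messages" but keeps "quarantine" where the rest of the paragraph says "quarantined messages"; it should read "levels of interactivity with quarantined messages".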
You create and assign quarantine policies in the Microsoft 365 Defender portal o
2. On the **Quarantine policies** page, click ![Add custom policy icon.](../../media/m365-cc-sc-create-icon.png) **Add custom policy** to start the new quarantine policy wizard.
-3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop down list in upcoming steps.
+3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop down lists in upcoming steps.
When you're finished on the **Policy name** page, click **Next**. 4. On the **Recipient message access** page, select one of the following values:
- - **Limited access**: The individual permissions that are included in this permission group are described in the [Appendix](#appendix) section.
+ - **Limited access**: The individual permissions that are included in this permission group are described in the [Appendix](#appendix) section. Basically, users can do anything to their quarantined messages except release them from quarantine without admin approval.
- **Set specific access (Advanced)**: Use this value to specify custom permissions. Configure the following settings that appear: - **Select release action preference**: Select one of the following values from the drop down:
- - Blank: This is the default value.
+ - Blank: Users can't release or request the release of their messages from quarantine. This is the default value.
- **Allow recipients to request a message to be released from quarantine** - **Allow recipients to release a message from quarantine** - **Select additional actions recipients can take on quarantined messages**: Select some, all, or none of the following values:
The required order and values for each individual permission are described in th
|PermissionToPreview|2|00000010| |PermissionToDelete|1|00000001|
-┬╣ The value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
+┬╣ The value 0 doesn't hide the **View message header** button (the button is always available).
-┬▓ The PermissionToAllowSender permission isn't used (the value 0 or 1 does nothing).
+┬▓ This permission isn't used (the value 0 or 1 does nothing).
┬│ Don't set both of these permission values to 1. Set one permission value to 1 and the other value to 0, or set both values to 0.
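Review bot: In the second footnote, replacing "The PermissionToAllowSender permission isn't used" with "This permission isn't used" removes the only place the footnote names what it is about, so it now depends on the reader tracing the marker back to the right table row. Keep the parameter name so the footnote stays self-contained, since this is a value admins might otherwise try to set. The shortening of the first footnote is fine because it still names the **View message header** button.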
If you'd rather use PowerShell to assign quarantine policies in anti-phishing po
**Notes**: -- Quarantine policies in anti-phish policies matter only when messages are quarantined. In anti-phish policies, messages are quarantined when the _Enable\*_ parameter value for the feature is $true **and** the corresponding _*\Action_ parameter value is Quarantine. The default value for the _EnableMailboxIntelligence_ and _EnableSpoofIntelligence_ parameters is $true, so you don't need to use them when you create new anti-phish policies in PowerShell. By default, no _*\Action_ parameters have the value Quarantine.
+- Quarantine policies matter only when messages are quarantined. In anti-phish policies, messages are quarantined when the _Enable\*_ parameter value for the feature is $true **and** the corresponding _*\Action_ parameter value is Quarantine. The default value for the _EnableMailboxIntelligence_ and _EnableSpoofIntelligence_ parameters is $true, so you don't need to use them when you create new anti-phish policies in PowerShell. By default, no _*\Action_ parameters have the value Quarantine.
To see the important parameter values in existing anti-phish policies, run the following command:
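Review bot: Both the old and new versions of the first note write the action parameters as `_*\Action_`, with the backslash after the asterisk, while the enable parameters in the same sentence are written `_Enable\*_` with the asterisk escaped. Since the line is being edited anyway, change both occurrences to `_\*Action_` so the wildcard renders the same way in both places. The shortened opening ("Quarantine policies matter only when messages are quarantined") reads fine.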
The relationship between permissions, permissions groups, and the default quaran
||::|::|::| |**Block sender** (_PermissionToBlockSender_)||Γ£ö|Γ£ö| |**Delete** (_PermissionToDelete_)||Γ£ö|Γ£ö|
-|**Preview** (_PermissionToPreview_)||Γ£ö|Γ£ö|
-|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)┬╣|||Γ£ö|
+|**Preview** (_PermissionToPreview_)┬╣||Γ£ö|Γ£ö|
+|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)┬▓|||Γ£ö|
|**Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_)||Γ£ö|| |Default quarantine policy|Permission group used|Quarantine notifications enabled?| ||::|::| |AdminOnlyAccessPolicy|No access|No| |DefaultFullAccessPolicy|Full access|No|
-|DefaultFullAccessWithNotificationPolicy┬▓|Full access|Yes|
-|NotificationEnabledPolicy┬│|Full access|Yes|
+|DefaultFullAccessWithNotificationPolicy┬│|Full access|Yes|
+|NotificationEnabledPolicy⁴|Full access|Yes|
-┬╣ **Allow recipients to release a message from quarantine** isn't honored for messages that were quarantined by the following verdicts:
+┬╣ The **Preview** permission is unrelated to the **Review message** button that's available in quarantine notifications.
-- **Malware** by anti-malware policies or Safe Attachments policies.-- **High confidence phishing** by anti-spam policies.
+┬▓ **Allow recipients to release a message from quarantine** isn't honored for messages that were quarantined as **malware** by anti-malware policies or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies.
-In other words, users can never release their own malware or high confidence phishing messages from quarantine, regardless of how you configure the quarantine policy. At best, admins can create and use a custom quarantine policy with the **Allow recipients to request a message to be released from quarantine** permission, although we typically don't recommend it.
+┬│ This policy is used in [preset security policies](preset-security-policies.md) instead of the DefaultFullAccessPolicy policy to enable quarantine notifications.
-┬▓ This policy is used in [preset security policies](preset-security-policies.md) instead of the DefaultFullAccessPolicy policy to enable quarantine notifications.
-
-┬│ Your organization might not have the policy named NotificationEnabledPolicy as described in the next section.
+⁴ Your organization might not have the policy named NotificationEnabledPolicy as described in the next section.
#### Full access permissions and quarantine notifications
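Review bot: Folding the release caveat into footnote 2 drops the removed sentence "users can never release their own malware or high confidence phishing messages from quarantine, regardless of how you configure the quarantine policy", which was the plainest statement of that limit. "Isn't honored" in the new footnote is easy to skim past, so consider keeping "regardless of how you configure the quarantine policy" in it. The request-release guidance and the "we typically don't recommend it" warning removed here still appear in the note under the release permission section, so that part is safe to drop.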
To give users **Full access** permissions _and_ quarantine notifications, organi
### Quarantine policy permission details
-The following sections describe the effects of preset permission groups and individual permissions for uses in quarantined messages and in quarantine notifications.
+The following sections describe the effects of preset permission groups and individual permissions for users in quarantined messages and in quarantine notifications.
+
+> [!NOTE]
+> As explained earlier, quarantine notifications are turned on only in the default policies named DefaultFullAccessWithNotificationPolicy or ([if your organization is old enough](#full-access-permissions-and-quarantine-notifications)) NotificationEnabledPolicy.
#### Preset permissions groups
The individual permissions that are included in preset permission groups are des
If the quarantine policy assigns **No access** permissions (admin only access), users can't see quarantined messages: -- **Message details in quarantine**: The quarantined messages aren't visible to the user.-- **Quarantine notifications**: No notifications are sent for those quarantined messages.
+- **On the Quarantine page**: The quarantined messages aren't visible to the user.
+- **In quarantine notifications**: By default, quarantine notifications aren't sent for quarantined messages (notifications aren't turned on in the default policy named AdminOnlyAccessPolicy).
##### Limited access If the quarantine policy assigns **Limited access** permissions, users get the following capabilities: -- **Message details in quarantine**: The following buttons are available:
- - **Request release**
- - **View message headers**
- - **Preview message**
- - **Remove from quarantine**
- - **Block sender**
-
- :::image type="content" source="../../media/quarantine-tags-quarantined-message-details-limited-access.png" alt-text="The available buttons in the quarantined message details if the quarantine policy gives the user limited access permissions" lightbox="../../media/quarantine-tags-quarantined-message-details-limited-access.png":::
+- **On the Quarantine page and in the message details in quarantine**: The following actions are available:
+ - ![Request release icon.](../../medi#request-the-release-of-quarantined-email)
+ - ![Delete icon.](../../medi#delete-email-from-quarantine)
+ - ![Preview message icon.](../../medi#preview-email-from-quarantine)
+ - ![View message headers icon.](../../medi#view-email-message-headers)
+ - ![Block sender icon.](../../medi#block-email-senders-from-quarantine)
-- **Quarantine notifications**: The following buttons are available:
- - **Block sender**
+- **In quarantine notifications**: The following buttons are available:
+ - **Review message**
- **Request release**
- - **Review**
-
- :::image type="content" source="../../media/quarantine-tags-esn-limited-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user limited access permissions" lightbox="../../media/quarantine-tags-esn-limited-access.png":::
+ - **Block sender**
##### Full access If the quarantine policy assigns **Full access** permissions (all available permissions), users get the following capabilities: -- **Message details in quarantine**: The following buttons are available:
- - **Release message**
- - **View message headers**
- - **Preview message**
- - **Remove from quarantine**
- - **Block sender**
-
- :::image type="content" source="../../media/quarantine-tags-quarantined-message-details-full-access.png" alt-text="The available buttons in the quarantined message details if the quarantine policy gives the user full access permissions" lightbox="../../media/quarantine-tags-quarantined-message-details-full-access.png":::
+- **On the Quarantine page and in the message details in quarantine**: The following actions are available:
+ - ![Release icon.](../../medi#release-quarantined-email)
+ - ![Delete icon.](../../medi#delete-email-from-quarantine)
+ - ![Preview message icon.](../../medi#preview-email-from-quarantine)
+ - ![View message headers icon.](../../medi#view-email-message-headers)
+ - ![Block sender icon.](../../medi#block-email-senders-from-quarantine)
-- **Quarantine notifications**: The following buttons are available:
- - **Block sender**
+- **In quarantine notifications**: The following actions are available:
+ - **Review message**
- **Release**
- - **Review**
-
- :::image type="content" source="../../media/quarantine-tags-esn-full-access.png" alt-text="The available buttons in the quarantine notification if the quarantine policy gives the user full access permissions" lightbox="../../media/quarantine-tags-esn-full-access.png":::
-
-> [!NOTE]
-> As explained earlier, quarantine notifications are turned on only in the default policies named DefaultFullAccessWithNotificationPolicy or ([if your organization is old enough](#full-access-permissions-and-quarantine-notifications)) NotificationEnabledPolicy.
+ - **Block sender**
#### Individual permissions ##### Block sender permission
-The **Block sender** permission (_PermissionToBlockSender_) controls access to the button that allows users to conveniently add the quarantined message sender to their Blocked Senders list.
+The **Block sender** permission (_PermissionToBlockSender_) allows users to add the message sender to the Blocked Senders list in their mailbox.
-- **Message details in quarantine**:
- - **Block sender** permission enabled: The **Block sender** button is available.
- - **Block sender** permission disabled: The **Block sender** button isn't available.
+If the **Block sender** permission is enabled:
-- **Quarantine notifications**:
- - **Block sender** permission enabled: The **Block sender** button is available.
- - **Block sender** permission disabled: The **Block sender** button isn't available.
+- ![Block sender icon.](../../medi#block-email-senders-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- **Blocked sender** is available in quarantine notifications.
+
+If the **Block sender** permission is disabled, users can't block senders from quarantine or in quarantine notifications (the action isn't available).
For more information about the Blocked Senders list, see [Block messages from someone](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077#__toc304379667) and [Use Exchange Online PowerShell to configure the safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). ##### Delete permission
-The **Delete** permission (_PermissionToDelete_) controls the ability to of users to delete their messages from quarantine (messages where they're a recipient).
+The **Delete** permission (_PermissionToDelete_) allows users to delete their own messages from quarantine (messages where they're a recipient).
+
+If the **Delete** permission is enabled:
-- **Message details in quarantine**:
- - **Delete** permission enabled: The **Remove from quarantine** button is available.
- - **Delete** permission disabled: The **Remove from quarantine** button isn't available.
+- ![Delete icon.](../../medi#delete-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- No effect in quarantine notifications. Deleting a quarantined message from the quarantine notification is not possible.
-- **Quarantine notifications**: No effect.
+If the **Delete** permission is disabled, users can't delete their own messages from quarantine (the action isn't available).
##### Preview permission
-The **Preview** permission (_PermissionToPreview_) controls the ability to of users to preview their messages in quarantine.
+The **Preview** permission (_PermissionToPreview_) allows users to preview their messages in quarantine.
+
+If the **Preview** permission is enabled:
-- **Message details in quarantine**:
- - **Preview** permission enabled: The **Preview message** button is available.
- - **Preview** permission disabled: The **Preview message** button isn't available.
+- ![Preview message icon.](../../medi#preview-email-from-quarantine) is available on the **Quarantine** page and in the message details in quarantine.
+- No affect in quarantine notifications. Previewing a quarantined message from the quarantine notification is not possible. The **Review message** button in quarantine notifications takes users to the details flyout of the message in quarantine.
-- **Quarantine notifications**: No effect.
+If the **Preview** permission is disabled, users can't preview their own messages in quarantine (the action isn't available).
##### Allow recipients to release a message from quarantine permission > [!NOTE]
-> This permission isn't honored for messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how you configure the quarantine policy. At best, you can use the [Allow recipients to request a message to be released from quarantine permission](#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission) permission so users can view and _request_ the release of their quarantined malware or high confidence phishing messages, although we typically don't recommend it.
+> As explained previously, this permission isn't honored for messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies. At best, you can use the **Allow recipients to request a message to be released from quarantine permission** permission so users can view and _request_ the release of their quarantined malware or high confidence phishing messages, although we typically don't recommend it.
-The **Allow recipients to release a message from quarantine** permission (_PermissionToRelease_) controls the ability of users to release their quarantined messages directly and without the approval of an admin.
+The **Allow recipients to release a message from quarantine** permission (_PermissionToRelease_) allows users to release their own quarantined messages without admin approval.
-- **Message details in quarantine**:
- - Permission enabled: The **Release message** button is available.
- - Permission disabled: The **Release message** button isn't available.
+If the **Allow recipients to release a message from quarantine** permission is enabled:
-- **Quarantine notifications**:
- - Permission enabled: The **Release** button is available.
- - Permission disabled: The **Release** button isn't available.
+- ![Release icon.](../../medi#release-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
+- **Release** is available in quarantine notifications.
+
+If the **Allow recipients to release a message from quarantine** permission is disabled, users can't release their own messages from quarantine or in quarantine notifications (the action isn't available).
##### Allow recipients to request a message to be released from quarantine permission
-The **Allow recipients to request a message to be released from quarantine** permission (_PermissionToRequestRelease_) controls the ability of users to _request_ the release of their quarantined messages. Messages are released only after an admin approves the request.
+The **Allow recipients to request a message to be released from quarantine** permission (_PermissionToRequestRelease_) allows users to _request_ the release of their quarantined messages. Messages are released only after an admin approves the request.
+
+If the **Allow recipients to request a message to be released from quarantine** permission is enabled:
-- **Message details in quarantine**:
- - Permission enabled: The **Request release** button is available.
- - Permission disabled: The **Request release** button isn't available.
+- ![Request release icon.](../../medi#request-the-release-of-quarantined-email) is available on the **Quarantine** page and in the message details in quarantine.
+- **Request release** is available in quarantine notifications.
-- **Quarantine notifications**:
- - Permission enabled: The **Request release** button is available.
- - Permission disabled: The **Request release** button isn't available.
+If the **Allow recipients to request a message to be released from quarantine** permission is disabled, users can't request the release of their own messages from quarantine or in quarantine notifications (the action isn't available).
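Review bot: In the Block sender permission section, the new bullet says "**Blocked sender** is available in quarantine notifications", but the notification button is called **Block sender** in the Limited access and Full access lists added in this same change; use one label. Three smaller items in the rewritten sections: the Preview permission bullet reads "No affect in quarantine notifications" where the Delete bullet correctly has "No effect"; the note under the release permission now ends "**Allow recipients to request a message to be released from quarantine permission** permission", which doubles the word and replaces the former section link with bold text; and the notification bullets say "The following buttons are available" under Limited access but "The following actions are available" under Full access.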
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
Install and configure the Report Message or Report Phishing add-ins for the orga
### Get the Report Message or Report Phishing add-in for your organization
-1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, expand **Show all** if necessary, and then go to **Settings** \> **Integrated apps**. Or, to directly to the **Integrated apps** page, use <https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps>.
+1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, expand **Show all** if necessary, and then go to **Settings** \> **Integrated apps**. Or, to go directly to the **Integrated apps** page, use <https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps>.
2. On the **Integrated apps** page, click ![Get apps icon.](../../media/m365-cc-sc-get-apps-icon.png)**Get apps**.
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
2. On the settings page, select the **Add-ins** option. Then select **Deploy Add-in** followed by **upload custom apps**
-3. On the upload custom apps sidepanel, select **I have a URL for the manifest file**.
+3. On the upload custom apps side panel, select **I have a URL for the manifest file**.
4. In the **Add from URL** dialog that opens, enter one of the following URLs: - **Report Message**: <https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml>
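Review bot: Step 2, left unchanged above the "side panel" fix, still ends without a period and writes the control as **upload custom apps** in lowercase next to **Deploy Add-in**, and the corrected step 3 repeats the lowercase form in "upload custom apps side panel". If the UI label is capitalized, fix both steps while this procedure is being touched.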
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
### View and edit settings for the Report Message or Report Phishing add-ins
-1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, expand **Show all** if necessary, and then go to **Settings** \> **Integrated apps**. Or, to directly to the **Integrated apps** page, use <https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps>.
+1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, expand **Show all** if necessary, and then go to **Settings** \> **Integrated apps**. Or, to go directly to the **Integrated apps** page, use <https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps>.
> [!NOTE] > Although the screenshots in the remaining steps show the **Report Message** add-in, the steps are identical for the **Report Phishing** add-in.
syntex Requirements And Limitations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/requirements-and-limitations.md
Prebuilt models:
| - | - | | ![Files symbol.](/office/medi, .msg, .pdf, .png, .ppt, .pptx, .rtf, .tif, .tiff, .txt, .xls, and .xlsx. | | ![Conversation symbol.](/office/media/icons/chat-room-conversation-blue.png) | **Supported languages** <br>This model supports all of the Latin-based languages, including: English, French, German, Italian, and Spanish. |
-| ![Paragraph symbol.](/office/media/icons/paragraph-writing-blue.png) | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - If your .pdf files are password-locked, you must remove the lock before submitting them. <br> - The combined file size of the documents used for training per collection must not exceed 50 MB, and PDF documents shouldn't have more than 500 pages. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. Images that are very wide or have odd dimensions (for example, floor plans) might get truncated in the OCR process and lose accuracy. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - If scanned from paper documents, scans should be high-quality images. <br> - Must use the Latin alphabet (English characters). <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - Office files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 500-page limit. Only PDF and image file types are processed by OCR. |
+| ![Paragraph symbol.](/office/media/icons/paragraph-writing-blue.png) | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - If your .pdf files are password-locked, you must remove the lock before submitting them. <br> - The combined file size of the documents used for training per collection must not exceed 50 MB, and PDF documents shouldn't have more than 500 pages. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. Images that are very wide or have odd dimensions (for example, floor plans) might get truncated in the OCR process and lose accuracy. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - If scanned from paper documents, scans should be high-quality images. <br> - Must use the Latin alphabet (English characters). <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - All files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 500-page limit. Only PDF and image file types are processed by OCR. |
| ![Globe symbol.](/office/media/icons/globe-internet.png) | **Multi-Geo environments** <br>When setting up Syntex in a [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) environment, you can only configure it to use the model type in the central location. If you want to use this model type in a satellite location, contact Microsoft support. | | ![Objects symbol.](/office/media/icons/objects-blue.png) | **Multi-model libraries** <br>If two or more trained models are applied to the same library, the file is classified using the model that has the highest average confidence score. The extracted entities will be from the applied model only. |
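Review bot: Changing "Office files: Truncated at 64,000 characters" to "All files: Truncated at 64,000 characters" leaves the lead-in "Note the following differences about Microsoft Office text-based files and OCR-scanned files" introducing a list whose first item no longer describes a difference. Reword the lead-in, for example to say that the character limit applies to all files and the 500-page limit applies to OCR-scanned files. Please also confirm that the 64,000-character truncation really applies to OCR-scanned files, since this is a change to a stated behaviour and not only to wording.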
syntex Syntex Copilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-copilot.md
- Title: Overview of Copilot for Microsoft Syntex---- Previously updated : 04/05/2023---
- - enabler-strategic
- - m365initiative-syntex
-
-description: Learn how to use Microsoft 365 Copilot to easier find information in Microsoft Syntex.
--
-# Overview of Copilot for Microsoft Syntex (Preview)
-
-> [!NOTE]
-> The feature is currently in limited preview and subject to change.
-
-Microsoft Syntex is now integrated with Microsoft 365 Copilot to bring the power of assistive AI into your organization's intelligent document processing.
-
-Copilot for Syntex analyzes the text of a selected file in a SharePoint document library, in OneDrive for Business, or in Teams. It then generates a set of questions you can ask about the information in the file. The questions can be used to quickly identify the type of document, generate a summary of information in the document, and identify key points or other important information. You can also ask your own questions, such as "When does this contract expire?" or "What is the fee schedule for this project?"
-
-## To use Copilot for Syntex
-
-1. From a SharePoint document library, select a document.
-
-2. On the ribbon, select **Copilot**.
-
- ![Screenshot of a document library page showing a document selected and the Copilot button on the ribbon.](../media/content-understanding/copilot-document-selected.png)
-
-3. The **Copilot** panel opens.
-
- ![Screenshot of the Copilot panel.](../media/content-understanding/copilot-panel.png)
-
-4. On the **Copilot** panel, you can:
-
- - Select one of the questions Copilot has generated for you tailored for the specific file.
-
- ![Screenshot of the generated questions on the Copilot panel.](../media/content-understanding/copilot-generated-questions.png)
-
- - In the text box, enter your own specific question or make a request.
-
- ![Screenshot of the text box on the Copilot panel.](../media/content-understanding/copilot-text-box.png)
-
- - In the text box, select **More from Syntex** to find more information about the file.
-
- ![Screenshot of the text box on the Copilot panel with the starter prompt highlighted.](../media/content-understanding/copilot-starter-prompt.png)
-
-> [!NOTE]
-> If you want to clear the current session, at the top of the **Copilot** panel, select **More options** (\***), and then select **Clear session**.
-
-## Current limitations
--- Copilot for Syntex currently works on Word (.docx), PowerPoint (.pptx), and text-readable .pdf file types. More file types will be added in the future.--- Copilot for Syntex is currently only available to customers in the United States, and currently only understands instructions in English. More languages and locales will be added in the future.--- Copilot for Syntex works on a single selected file at a time, and it only processes the first 4,000 tokens (approximately six pages).--- Copilot for Syntex won't process encrypted files or files stamped with "Confidential" or "Highly Confidential" sensitivity labels.--- Copilot for Syntex doesn't save the context of your session, but you can copy the information if you want to save it. -
-> [!IMPORTANT]
-> It's important that you review any content the AI generates for you to make sure it has accurately produced what you wanted.
-
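Review bot: No redirect, TOC update or replacement article is visible alongside the removal of the Copilot for Syntex overview, so confirm that inbound links won't break and state in the commit message whether the preview was withdrawn or the content moved. The deleted text includes the Current limitations list (no processing of encrypted files or files labeled "Confidential" or "Highly Confidential", and only the first 4,000 tokens of a single file), which readers may still need if the feature remains available to them.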