-# Microsoft 365 multitenant Organization People Search (public preview)

->[!NOTE]

->This Public Preview program is designed to give customers the opportunity to try out the multitenant people search feature. You can then validate the scenario and provide feedback to the product development team. The purpose of this article is to:

->

->- Give an overview of the feature

->- Define use cases that we currently support as part of the preview

->- Provide instructions on how you can configure and test the feature

-> - api-us.securitycenter.microsoft.com

-> - api-eu.securitycenter.microsoft.com

-> - api-uk.securitycenter.microsoft.com

-> - api-au.securitycenter.microsoft.com

-description: Learn how to use the get agent details api

-GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625

-"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",

-DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/{fileName}

-DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/script1.ps1

-> The service base URI is: [https://api.securitycenter.microsoft.com](https://api.securitycenter.microsoft.com)

->

-> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to [https://api.securitycenter.microsoft.com/api/alerts](https://api.securitycenter.microsoft.com/api/alerts)

->

-> The current version is **V1.0**.

->

-> To use a specific version, use this format: `https://api.securitycenter.microsoft.com/api/{Version}`. For example: `https://api.securitycenter.microsoft.com/api/v1.0/alerts`

->

-> If you don't specify any version (e.g. `https://api.securitycenter.microsoft.com/api/alerts`) you will get to the latest version.

-GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",

-GET https://api.securitycenter.microsoft.com/api/exposureScore

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore/$entity",

-GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",

-GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",

-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",

-GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",

-GET https://api.securitycenter.microsoft.com/api/machines

-GET https://api.securitycenter.microsoft.com/api/machines

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",

-GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/getPackageUri

-GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",

-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",

-GET https://api.securitycenter.microsoft.com/api/Software

- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software",

-GET https://api.securitycenter.microsoft.com/api/libraryfiles

-GET https://api.securitycenter.microsoft.com/api/libraryfiles

-"\@odata.context": "https://api.securitycenter.microsoft.com

-POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard

-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard

-POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan

-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan

-POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue

-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue

-POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate

-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate

-POST https://api.securitycenter.microsoft.com/api/libraryfiles

-curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles -H

-### Step 7: Microsoft AutoUpdate

-### Step 8: Microsoft Defender for Endpoint configuration settings

-### Step 9: Network protection for Microsoft Defender for Endpoint on macOS

-### Step 10: Device Control for Microsoft Defender for Endpoint on macOS

-### Step 11: Data Loss Prevention (DLP) for Endpoint

-### Step 12: Check status of PList(.mobileconfig)

-### Step 13: Publish application

-#### Step 14: Download the onboarding package

-### Step 15: Deploy the onboarding package

-## Step 16: Verify anti-malware detection

-## Step 17: Verifying EDR detection

-10. [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)

-11. [Deploy Microsoft Defender for Endpoint on macOS](#step-11-deploy-microsoft-defender-for-endpoint-on-macos)

-## Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS

-## Step 11: Deploy Microsoft Defender for Endpoint on macOS

-|Intune | [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) |

-### Apr-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)

-The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.

-At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.

-> [!NOTE]

-> The device inventory is available in different Microsoft Defender XDR services. The information available to you will differ depending on your license. You'll get the most complete set of capabilities when using [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037).

-> Risk Level which can influence enforcement of conditional access and other security policies on Microsoft Intune, is available in Windows today.

-> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.

-Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise.

-While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets.

-Here's an [example on advanced hunting](advanced-hunting-example.md) in Microsoft Defender for Office 365.

-|Seashell Blizzard|IRIDIUM|Russia|Sandworm|

-4. Connect to your directory using the [Connect-AzureAD](/powershell/module/azuread/connect-azuread) cmdlet.

- - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages that were marked as spam, phishing, or malware.

- - Whether the user is covered by **Mobile management** at <https://portal.office.com/EAdmin/Device/IntuneInventory.aspx>. <!-- Security Administrator can't open the page>

-Intune App Protection policies (APP), sometimes referred to as Mobile Application Management (MAM), protect corporate data even if a device itself is not managed. This allows you to enable bring-your-own (BYO) and personal devices at work where users may be reluctant to ΓÇ£enrollΓÇ¥ their device into management. App Protection policies ensure corporate data in the apps you specify cannot be copied and pasted to other apps on the device.

-

-If you have custom Line of Business applications that need protection, currently you can use the app wrapping tool to enable APP with these applications. Or, you can integrate using the Intune App SDK. When your app has app protection policies applied to it, it can be managed by Intune and is recognized by Intune as a managed app. For more information on protecting your Line of Business applications using Intune, see [Prepare apps for mobile application management with Microsoft Intune](/mem/intune/developer/apps-prepare-mobile-application-management).

-## Configuring mobile app protection

-This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). After you create the Mobile App protection policies in Intune, work with your identity team to configure the conditional access policy in Microsoft Entra ID that enforces mobile app protection.

-This illustration highlights the two policies (also described in the table below the illustration).

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-starting-point.png)

-To configure these policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The table below links directly to the instructions for configuring these policies in Intune and Microsoft Entra ID.

-|Step |Policies |More information |Licensing |

-|||||

-|1 | [Apply Application Protection Policies (APP) data protection](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#app-protection-policies) | One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5 |

-|2 | [Require approved apps and app protection ](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#require-approved-apps-and-app-protection-policies) | Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5 |

-| | | | |

-## Next steps

-Go to [Step 2. Enroll devices to Intune](manage-devices-with-intune-enroll.md).

-

-You want to be sure devices that are accessing your apps and data meet minimum requirements. For example, theyΓÇÖre password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. Intune uses these compliance policies to mark a device as compliant or non-compliant. This binary status is passed to Microsoft Entra which can use this status in conditional access rules to allow or prevent a device from accessing resources.

-This illustration highlights where the work of defining compliance policies fits into the overall Zero Trust recommended policy set.

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-define-compliance.png)

-To configure device compliance policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The table below links directly to the instructions for configuring these policies in Intune, including the recommended settings for each platform.

-|[Define device compliance policies ](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#create-device-compliance-policies) | One policy for each platform | Microsoft 365 E3 or E5 |

-| | | |

-## Next steps

-Go to [Step 4. Require healthy and compliant devices](manage-devices-with-intune-require-compliance.md) for instructions on how to create the conditional access rule in Microsoft Entra ID.

-

-For now, just deploy the most appropriate MDM security baseline. See [Manage security baseline profiles in Microsoft Intune ](/mem/intune/protect/security-baselines-configure)to create the profile and choose the baseline version.

-

-## Next steps

-description: Implement Endpoint DLP by working with your information protection and governance team to create DLP policies for your organization.

-If your organization has already put the time into understanding your data, developing a data sensitivity schema, and applying the schema, you might be ready to extend elements of this schema to endpoints by using Microsoft Purview Data Loss Prevention (DLP) policies.

-DLP policies are created by your information protection and governance team. Each DLP policy defines what elements within a data set to look for, like sensitive information types or labels, and how to protect this data.

-If your information protection and governance team is ready to extend DLP policies to endpoints, you need to coordinate with them to enable devices for Endpoint DLP, test and tune DLP policies, train users, and monitor the results.

-

-|1 | [Learn about Endpoint data loss prevention](../compliance/endpoint-dlp-learn-about.md). |

-|3 | Work with your information protection and governance team to define, test, and tune policies. This includes monitoring the results. See these resources:<br>- [Using Endpoint data loss prevention](../compliance/endpoint-dlp-using.md)<br>- [Get started with Activity Explorer](../compliance/data-classification-activity-explorer.md) |

-# Step 2. Enroll devices to Intune

-Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, it's good to have visibility into the endpoints accessing your organizationΓÇÖs resources to ensure youΓÇÖre only allowing healthy and compliant devices. This includes the health and trustworthiness of mobile and desktop apps that run on endpoints. You want to ensure those apps are healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

-

-Use the guidance in this article together with this illustrated version of enrollment options for each platform.

-[](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) <br/> [PDF](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Visio](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx) <br/> Updated June 2022

-## Android enrollment

-There are several options for Android Enrollment depending on the type of device, the type of enrollment youΓÇÖd like to support, as well as things like the Android version you are using or even the manufacturer (particularly Samsung). Most organizations use Android Work profiles for their end users, particular in BYOD scenarios.

-With an Android work profile the end userΓÇÖs information is separated distinctly with data containers as well as separate apps for work and personal use. This is an ideal way for users to enroll their device while still maintaining the privacy of their own data and the security of corporate data.

-Enrollment for macOS can be a tricky subject for lots of IT organizations. Unless a majority of your users are Mac users than you may not be managing these types of devices to a great extent. If you have a small number of macOS users, we recommend Intune Only Enrollment. If you have a large number of macOS users, we recommend Intune + Jamf enrollment.

-## Next steps

-Go to Step [3. Set up compliance policies for devices with Intune](manage-devices-with-intune-compliance-policies.md).

-description: Learn how to connect Microsoft Intune to Defender for Endpoint and monitor device risk as a condition for access.

-# Step 6. Monitor device risk and compliance to security baselines

-After your organization has deployed Microsoft Defender for Endpoint, you can gain greater insights and protection of your devices by integrating Microsoft Intune with Defender for Endpoint. For mobile devices, this includes the ability to monitor device risk as a condition for access. For Windows devices, you can monitor compliance of these devices to security baselines.

-Deploying Microsoft Defender for Endpoint includes onboarding endpoints. If you used Intune to onboard endpoints (recommended), then you have already connected Microsoft Intune to Defender for Endpoint. If you used a different method to onboard endpoints to Defender for Endpoint, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure) to ensure you have set up the service-to-service connection between Intune and Microsoft Defender for Endpoint.

-

-With Microsoft Defender for Endpoint deployed, you can take advantage of threat risk signals. This allows you to block access to devices based on their risk score. Microsoft recommends allowing access to devices with a risk score of medium or below.

-For Android and iOS/iPadOS, threat signals can be used within your App Protection Policies (APP). For information on configuring this, see [Create and assign app protection policy to set device risk level](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level).

-For all platforms, you can set the risk level in the existing device compliance policies. See [Create a conditional access policy](/mem/intune/protect/advanced-threat-protection-configure#create-a-conditional-access-policy).

-## Deploy security baselines and monitor compliance to these settings

-The article, [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md), recommends getting started with configuration profiles by using the security baselines, available for Windows 10 and Windows 11. Microsoft Defender for Endpoint also includes security baselines that provide settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR). These are also deployed by using Microsoft Intune.

-Using Defender for Endpoint, you can monitor compliance to these baselines.

-

-To deploy security baselines and monitor compliance to these settings, use the steps in this table.

-|1 |Review key concepts and compare the Microsoft Defender for Endpoint and the Windows Intune security baselines. <br><br>See [Increase compliance to the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md) to learn recommendations.<br><br>See [Use security baselines to configure Windows devices in Intune ](/mem/intune/protect/security-baselines) to review the list of available security baselines and how to avoid conflicts. |

-|2 | Deploy Windows security baseline settings for Intune. You might have already accomplished this if you followed the guidance in [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md). |

-|3 | Deploy Defender for Endpoint baseline settings for Intune. See [Manage security baseline profiles in Microsoft Intune](/mem/intune/protect/security-baselines-configure) to create the profile and choose the baseline version.<br><br>You can also follow the instructions here: [Review and assign the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline). |

-|4 | In Defender for Endpoint, review the [Security baseline card on device configuration management](../security/defender-endpoint/configure-machines.md). |

-## Next steps

-Mostly driven by necessity as the world shifted to a remote or hybrid work model, users are working from anywhere, from any device, more than anytime in history. Attackers are quickly adjusting their tactics to take advantage of this change. Many organizations face constrained resources as they navigate these new business challenges. Virtually overnight, companies have accelerated digital transformation. Simply stated, the way people work has changed ΓÇö we no longer expect to access the myriad of corporate resources only from the office and on company-owned devices.

-Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attack while mobile devices often go unmonitored and without protections. To ensure youΓÇÖre not exposing your data to risk, we need to monitor every endpoint for risks and employ granular access controls to deliver the appropriate level of access based on organizational policy. For example, if a personal device is jailbroken, you can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

-Protecting the data and apps on devices and the devices themselves is a multi-layer process. There are some protections you can gain on unmanaged devices. After enrolling devices into management, you can implement more sophisticated controls. When threat protection is deployed across your endpoints, you gain even more insights and the ability to automatically remediate some attacks. Finally, if your organization has put the work into identifying sensitive data, applying classification and labels, and configuring Microsoft Purview data loss prevention policies, you can obtain even more granular protection for data on your endpoints.

-The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. These are the layers of protection device admins will coordinate with other administrators to accomplish.

-

-|&nbsp;|Step|Description|Licensing requirements|

-|1|Configure starting-point Zero Trust identity and device access policies|Work with your identity administrator to [**Implement Level 2 App Protection Policies (APP) data protection**](manage-devices-with-intune-app-protection.md). These policies do not require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps.|E3, E5, F1, F3, F5|

-|6|Monitor device risk and compliance with security baselines|In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance with security baselines. See [**Step 6. Monitor device risk and compliance to security baselines**](manage-devices-with-intune-monitor-risk.md).|E5, F5|

-This guidance is tightly coordinated with the recommended [**Zero Trust identity and device access policies**](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). You will be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Microsoft Entra ID.

-HereΓÇÖs an illustration of the recommended policy set with step callouts for the work you will do in Intune and the related Conditional Access policies you will help coordinate in Microsoft Entra ID.

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-overview-steps.png)

-If you follow this guidance, you will enroll devices into management using Intune and you will onboard devices for the following Microsoft 365 capabilities:

-

-|Description | Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager. | Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities. <br><br>On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device. |

-|Recommended method | Microsoft Entra join automatically enrolls devices into Intune. | Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft Purview capabilities.<br><br>Note that devices that are onboarded to Microsoft Purview capabilities using other methods are not automatically enrolled for Defender for Endpoint. |

-|Other methods | Other methods of enrollment depend on the platform of the device and whether it is BYOD or managed by your organization. | Other methods for onboarding devices include, in recommended order:<br><li>Configuration Manager<li>Other mobile device management tool (if the device is managed by one)<li>Local script<li>VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices<li>Group Policy|

-| | | |

-[Simplify device management with Microsoft Intune](/training/modules/simplify-device-management-with-microsoft-endpoint-manager/)

-Description: Learn about modern management and the Microsoft Intune family of products, and how the business management tools in Microsoft 365 can simplify management of all your devices.

-[Set up Microsoft Intune](/training/modules/set-up-microsoft-intune/)

-Description: Microsoft Intune helps you protect the devices, apps, and data that the people at your organization use to be productive. After completing this module, you will have set up Microsoft Intune. Set up includes reviewing the supported configurations, signing up for Intune, adding users and groups, assigning licenses to users, granting admin permissions, and setting the MDM authority.

-

-[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-require-compliance.png)

-If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. Refer to the [setup page](/microsoft-365/syntex/esignature-setup) to ensure the correct settings are done. Also, check that the PDF you are attempting to sign isn't already electronically signed using SharePoint eSignature or any other electronic signature provider.

-Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) is able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation is unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the eSignature app to the list of approved apps via the Microsoft Entra admin center.