Updates from: 04/18/2024 01:49:14
Category Microsoft Docs article Related commit history on GitHub Change details
enterprise Multi Tenant People Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-tenant-people-search.md
f1.keywords:
description: Learn about People Search in multitenant Microsoft 365 organizations.
-# Microsoft 365 multitenant Organization People Search (public preview)
+# Microsoft 365 multitenant Organization People Search
The multitenant Organization (MTO) People Search is a collaboration feature that enables search and discovery of people across multiple tenants. A tenant admin can enable cross-tenant synchronization that allows users to be synced to another tenant and be discoverable in its global address list. Once enabled, users are able to search and discover synced user profiles from the other tenant and view their corresponding people cards.
->[!NOTE]
->This Public Preview program is designed to give customers the opportunity to try out the multitenant people search feature. You can then validate the scenario and provide feedback to the product development team. The purpose of this article is to:
->
->- Give an overview of the feature
->- Define use cases that we currently support as part of the preview
->- Provide instructions on how you can configure and test the feature
![Azure AD Sync](../media/mt-people-search/aad-sync.png)
includes Improve Request Performance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/improve-request-performance.md
> [!TIP] > For better performance, you can use server closer to your geo location: >
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
-> - api-au.securitycenter.microsoft.com
+> - us.api.security.microsoft.com
+> - eu.api.security.microsoft.com
+> - uk.api.security.microsoft.com
+> - au.api.security.microsoft.com
+> - swa.api.security.microsoft.com
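Review bot: the `+` list adds `swa.api.security.microsoft.com` with no `-` counterpart, so this hunk both renames the four existing regional hosts and introduces a fifth, yet the tip text still only says "use server closer to your geo location" and never says which geography each host serves. Suggest listing the region next to each host (the `swa` abbreviation in particular is not self-explanatory) and correcting the context sentence to "use the server closest to your geographic location".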
security Get Agent Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/Get-agent-details.md
Title: Get scan agent by ID
-description: Learn how to use the get agent details api
+description: Learn how to use the "Get-Agent-Details" api.
keywords: apis, graph api, supported apis, agent details, definition
search.appverid: met150 Previously updated : 12/15/2022 Last updated : 04/17/2024 # Get scan agent ID
If successful, this method returns 200 - OK response code with the details of th
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625
+GET https://api.security.microsoft.com/api/DeviceAuthenticatedScanAgents/7f3d76a6976818553e996875dc91f55df6b26625
``` ## Response example ```json {
-"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",
+"@odata.context": "https://api.security.microsoft.com/api/$metadata#DeviceAuthenticatedScanAgents/$entity",
"value": [ { "id": "47df41a0c-asad-4fd6d3-bbea-a93dbc0bfcaa_4edd75b2407a5b64d704b4e53d74f15",
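Review bot: the new description line `+description: Learn how to use the "Get-Agent-Details" api.` quotes a third name for this endpoint, while the `Title:` line says "Get scan agent by ID" and the H1 says "Get scan agent ID"; pick one name and use it in all three places. The request and `@odata.context` hunks below it only swap the host to `api.security.microsoft.com`, which matches the rest of this changeset.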
security Delete Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/delete-library.md
Previously updated : 06/03/2021 Last updated : 04/17/2024 # Delete a file from the live response library
including how to choose permissions, see [Get started](apis-intro.md).
## HTTP request
-DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/{fileName}
+DELETE https://api.security.microsoft.com/api/libraryfiles/{fileName}
## Request headers
Request
Here is an example of the request. ```HTTP
-DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/script1.ps1
+DELETE https://api.security.microsoft.com/api/libraryfiles/script1.ps1
``` ## Related topic
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-list.md
ms.localizationpriority: medium Previously updated : 01/25/2023 Last updated : 04/17/2024 audience: ITPro
search.appverid: met150
### Endpoint URI
-> The service base URI is: [https://api.securitycenter.microsoft.com](https://api.securitycenter.microsoft.com)
->
-> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to [https://api.securitycenter.microsoft.com/api/alerts](https://api.securitycenter.microsoft.com/api/alerts)
+> The service base URI is: [https://api.security.microsoft.com](https://api.security.microsoft.com)
+>
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to [https://api.security.microsoft.com/api/alerts](https://api.security.microsoft.com/api/alerts)
### Versioning > The API supports versioning.
->
-> The current version is **V1.0**.
->
-> To use a specific version, use this format: `https://api.securitycenter.microsoft.com/api/{Version}`. For example: `https://api.securitycenter.microsoft.com/api/v1.0/alerts`
->
-> If you don't specify any version (e.g. `https://api.securitycenter.microsoft.com/api/alerts`) you will get to the latest version.
+> > The current version is **V1.0**.
+> > To use a specific version, use this format: `https://api.security.microsoft.com/api/{Version}`. For example: `https://api.security.microsoft.com/api/v1.0/alerts`
+>
+> If you don't specify any version (e.g. `https://api.security.microsoft.com/api/alerts`) you will get to the latest version.
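Review bot: the lines `+> > The current version is **V1.0**.` and `+> > To use a specific version, use this format: ...` nest a second blockquote inside the first, so those two sentences render as an indented inner quote while the sentences before and after stay at one level; the old text used bare `>` lines as paragraph separators. Restore single-level `>` lines with `>` separators between them so the versioning note renders uniformly. The host rename itself is fine.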
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../../includes/microsoft-defender-api-usgov.md)]
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-domain-statistics.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get domain statistics API
If successful and domain exists - 200 OK, with statistics object in the response
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48
+GET https://api.security.microsoft.com/api/domains/example.com/stats?lookBackHours=48
``` ### Response example
Here's an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com", "organizationPrevalence": 4070, "orgFirstSeen": "2017-07-30T13:23:48Z",
security Get Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-exposure-score.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get exposure score
If successful, this method returns 200 OK, with the exposure data in the respons
Here is an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/exposureScore
+GET https://api.security.microsoft.com/api/exposureScore
``` ### Response
Here is an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore/$entity",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#ExposureScore/$entity",
"time": "2019-12-03T07:23:53.280499Z", "score": 33.491554051195706 }
security Get File Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-information.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get file information API
If successful and file exists - 200 OK with the [file](files.md) entity in the b
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
+GET https://api.security.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
``` ### Response example
Here's an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Files/$entity",
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462", "globalPrevalence": 180022,
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-file-statistics.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get file statistics API
If successful and file exists - 200 OK with statistical data in the body. If fil
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
+GET https://api.security.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
``` ### Response example
Here's an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", "organizationPrevalence": 14850, "orgFirstSeen": "2019-12-07T13:44:16Z",
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-ip-statistics.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get IP statistics API
If successful and ip exists - 200 OK with statistical data in the body. IP is va
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48
+GET https://api.security.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48
``` ### Response example
Here's an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177", "organizationPrevalence": 63515, "orgFirstSeen": "2017-07-30T13:36:06Z",
security Get Machine By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machine-by-id.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get machine by ID API
If machine with the specified ID wasn't found - 404 Not Found.
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+GET https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
``` ### Response example
Here's an example of the response.
HTTP/1.1 200 OK Content-type: application/json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z",
security Get Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-machines.md
search.appverid: met150 Previously updated : 09/15/2023 Last updated : 04/17/2024 # List machines API
Delegated (work or school account)|Machine.ReadWrite|'Read and write machine inf
## HTTP request ```http
-GET https://api.securitycenter.microsoft.com/api/machines
+GET https://api.security.microsoft.com/api/machines
``` ## Request headers
If successful and machines exists - 200 OK with list of [machine](machine.md) en
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/machines
+GET https://api.security.microsoft.com/api/machines
``` ### Response example
Here's an example of the response.
HTTP/1.1 200 OK Content-type: application/json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Machines",
"value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
security Get Package Sas Uri https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-package-sas-uri.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get package SAS URI API
Delegated (work or school account)|Machine.CollectForensics|'Collect forensics'
## HTTP request ```http
-GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action id}/getPackageUri
+GET https://api.security.microsoft.com/api/machineactions/{machine action id}/getPackageUri
``` ## Request headers
If successful, this method returns 200, Ok response code with object that holds
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+GET https://api.security.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
``` ### Response example
HTTP/1.1 200 Ok
Content-type: application/json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" } ```
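Review bot: the template line `+GET https://api.security.microsoft.com/api/machineactions/{machine action id}/getPackageUri` spells the last segment `getPackageUri` while the example `+GET .../machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri` spells it `GetPackageUri`; the two should agree so readers can copy either safely, and the spaced placeholder `{machine action id}` would be clearer as `{id}`, matching the other machine-action routes in this changeset. The response example was left pointing at `userrequests-us.securitycenter.windows.com` and embeds a full SAS token string; confirm the download host is intentionally unchanged, and shorten the token to an obvious placeholder so nobody mistakes it for a live value.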
security Get Software By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-software-by-id.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Get software by ID
If successful, this method returns 200 OK with the specified software data in th
Here's an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
+GET https://api.security.microsoft.com/api/Software/microsoft-_-edge
``` ### Response example
Here's an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge", "name": "edge", "vendor": "microsoft",
security Get Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-software.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # List software inventory API
If successful, this method returns 200 OK with the software inventory in the bod
Here is an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/Software
+GET https://api.security.microsoft.com/api/Software
``` ### Response example
Here is an example of the response.
```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software",
+ "@odata.context": "https://api.security.microsoft.com/api/$metadata#Software",
"value": [ { "id": "microsoft-_-edge",
security List Library Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/list-library-files.md
Previously updated : 06/03/2021 Last updated : 04/17/2024 # List library files
started](apis-intro.md).
## HTTP request ```HTTP
-GET https://api.securitycenter.microsoft.com/api/libraryfiles
+GET https://api.security.microsoft.com/api/libraryfiles
``` ## Request headers
If successful, this method returns 200 - OK response code with a collection
Here's an example of a request that gets all live response library files. ```HTTP
-GET https://api.securitycenter.microsoft.com/api/libraryfiles
+GET https://api.security.microsoft.com/api/libraryfiles
``` ## Response example
Here's an example of the response.
HTTP/1.1 200 Ok Content-type: application/json {
-"\@odata.context": "https://api.securitycenter.microsoft.com
+"\@odata.context": "https://api.security.microsoft.com
/api/\$metadata\#LibraryFiles", "value": [ {
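Review bot: the `+"\@odata.context": "https://api.security.microsoft.com` line keeps the `\@` escape, and its continuation keeps `\$metadata\#LibraryFiles"`, which is not valid JSON and does not match the other response examples in this changeset, where the key is plain `"@odata.context"` on one line. Drop the backslashes and join the URL onto a single line so the response example parses.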
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/offboard-machine-api.md
search.appverid: met150 Previously updated : 12/13/2023 Last updated : 04/17/2024 # Offboard machine API
Delegated (work or school account)|Machine.Offboard|'Offboard machine'
## HTTP request ```http
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard
+POST https://api.security.microsoft.com/api/machines/{id}/offboard
``` The machine ID can be found in the URL when you select the device. Generally, it's a 40 digit alphanumeric number that can be found in the URL.
If successful, this method returns 200 - Created response code and [Machine Acti
Here's an example of the request. If there's no JSON comment added, it will error out with code **400**. ```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
+POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
``` ```json
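Review bot: the host swap in `+POST https://api.security.microsoft.com/api/machines/{id}/offboard` is fine, but the surrounding text it sits in says a successful call returns "200 - Created"; 201 is Created and 200 is OK, so state whichever the service actually sends. The machine ID is also described as a "40 digit alphanumeric number", while the example `1e5bc9d7e413ddd7902c2932e418702b84d0cc07` is a 40-character hexadecimal string; "40-character hexadecimal ID" is the accurate wording.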
security Run Av Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/run-av-scan.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Run antivirus scan API
Delegated (work or school account)|Machine.Scan|'Scan machine'
## HTTP request ```http
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/runAntiVirusScan
+POST https://api.security.microsoft.com/api/machines/{id}/runAntiVirusScan
``` ## Request headers
If you send multiple API calls to run an antivirus scan for the same device, it
Here is an example of the request. ```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
+POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
``` ```json
security Set Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/set-device-value.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Set device value API
Delegated (work or school account)|Machine.ReadWrite|'Read and write machine inf
## HTTP request ```http
-POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
+POST https://api.security.microsoft.com/api/machines/{machineId}/setDeviceValue
``` ## Request headers
If successful, this method returns 200 - Ok response code and the updated Machin
Here is an example of a request that adds machine tag. ```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
+POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue
``` ```json
security Unisolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/unisolate-machine.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Release device from isolation API
Delegated (work or school account)|Machine.Isolate|'Isolate machine'
## HTTP request ```http
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/unisolate
+POST https://api.security.microsoft.com/api/machines/{id}/unisolate
``` ## Request headers
If you send multiple API calls to remove isolation for the same device, it retur
Here is an example of the request. ```http
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
+POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
``` ```json
security Upload Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/upload-library.md
Previously updated : 06/03/2021 Last updated : 04/17/2024 # Upload files to the live response library
including how to choose permissions, see [Get started](apis-intro.md).
Upload ```HTTP
-POST https://api.securitycenter.microsoft.com/api/libraryfiles
+POST https://api.security.microsoft.com/api/libraryfiles
``` ## Request headers
Request
Here is an example of the request using curl. ```CURL
-curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles -H
+curl -X POST https://api.security.microsoft.com/api/libraryfiles -H
"Authorization: Bearer \$token" -F "file=\@mdatp1.png" -F "ParametersDescription=test" -F "HasParameters=true" -F "OverrideIfExists=true" -F "Description=test
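Review bot: the line `+curl -X POST https://api.security.microsoft.com/api/libraryfiles -H` ends at `-H` with no trailing `\`, so the `"Authorization: Bearer \$token"` header and the `-F` arguments on the following line become a separate command when the block is copied; put the command on one line or add explicit continuations. Inside a fenced block the backslashes are passed to the shell literally, so `\$token` is not expanded and `file=\@mdatp1.png` does not upload a file; write them as `$token` and `file=@mdatp1.png`. As shown, the final `-F "Description=test` argument is also unterminated.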
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
You can view applications permitted to run in background in System Settings => L
Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they are disabled then macOS will not start Microsoft Defender after a machine restart.
+## Bluetooth permissions
+
+Starting with macOS 14, a user must explicitly allow an application to access Bluetooth.
+macOS will pop a prompt up, telling the user that Microsoft Defender can access Bluetooth (applies only if you use Bluetooth based policies for Device Control).
+Click Allow to grant Microsoft Defender to access Bluetooth.
++
+You can confirm that permissions are granted in System Settings => Privacy Settings => Bluetooth.
++ ## Onboarding Package Once you have installed the MDE on macOS client, you must now onboard the package, which registers to your Microsoft Defender for Endpoint tenant and licenses it.
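Review bot: `+Click Allow to grant Microsoft Defender to access Bluetooth.` should read "to grant Microsoft Defender access to Bluetooth", and the parenthetical "(applies only if you use Bluetooth based policies for Device Control)" is the condition for the whole section, so state it first: the prompt appears only when Bluetooth-based Device Control policies are configured. `+You can confirm that permissions are granted in System Settings => Privacy Settings => Bluetooth.` names the pane differently from the Intune and JAMF articles in this same changeset ("System Settings => Privacy & Security => Bluetooth"); use one path. The bare `++` lines suggest an added image or blank line lost its content in this view, so check the rendered page.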
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
The following table summarizes the steps you would need to take to deploy and ma
|Background services|`background_services.mobileconfig`|N/A| |Configure Microsoft Defender for Endpoint notifications|`notif.mobileconfig`|`com.microsoft.wdav.tray`| |Accessibility settings|`accessibility.mobileconfig`|`com.microsoft.dlp.daemon`|
+|Bluetooth|`bluetooth.mobileconfig`|`com.microsoft.dlp.agent`|
|Configure Microsoft AutoUpdate (MAU)|`com.microsoft.autoupdate2.mobileconfig`|`com.microsoft.autoupdate2`| |Device Control|`DeviceControl.mobileconfig`|N/A| |Data Loss Prevention|`DataLossPrevention.mobileconfig`|N/A|
To configure Full Disk Access:
1. Review the configuration profile. Select **Create**.
+> [!NOTE]
+> Full Disk Access granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Full Disk Access.
+ ### Step 4: Background services > [!CAUTION]
To configure notifications:
1. Review the configuration profile. Select **Create**. - ### Step 6: Accessibility settings This profile is used to allow Microsoft Defender for Endpoint on macOS to access the accessibility settings on Apple macOS High Sierra (10.13.6) and newer.
Download [accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/b
1. Review the configuration profile. Select **Create**.
-### Step 7: Microsoft AutoUpdate
+### Step 7: Bluetooth permissions
+
+ > [!CAUTION]
+ > macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control.
+
+Download [bluetooth.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) and use the same workflow as for the Accessibility settings above to enable Bluetooth access.
+
+> [!NOTE]
+> Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.
+
+### Step 8: Microsoft AutoUpdate
This profile is used to update the Microsoft Defender for Endpoint on macOS via Microsoft AutoUpdate (MAU). If you're deploying Microsoft Defender for Endpoint on macOS, you have the options to get an updated version of the application (Platform Update) that are in the different channels mentioned here:
Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo
1. Review the configuration profile. Select **Create**.
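Review bot: `+> Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.` reads oddly; "Bluetooth access granted through an Apple MDM configuration profile" parallels the Full Disk Access note added earlier in this file. The added ` > [!CAUTION]` lines are indented by one space while the `> [!NOTE]` lines are not; normalise to no indent so the callouts render alike. "Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control" would be clearer as "uses Bluetooth only when Bluetooth policies are configured for Device Control".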
-### Step 8: Microsoft Defender for Endpoint configuration settings
+### Step 9: Microsoft Defender for Endpoint configuration settings
In this step, we go over the "Preferences," which enables you to configure anti-malware and EDR policies using Microsoft Defender portal and Microsoft Intune.
You can manage the security settings for Microsoft Defender for Endpoint on macO
For more information, see [Set preferences for Microsoft Defender for Endpoint on Mac](mac-preferences.md).
-### Step 9: Network protection for Microsoft Defender for Endpoint on macOS
+### Step 10: Network protection for Microsoft Defender for Endpoint on macOS
In the [Microsoft Defender portal](https://sip.security.microsoft.com/homepage?tid=72f988bf-86f1-41af-91ab-2d7cd011db47):
In the [Microsoft Defender portal](https://sip.security.microsoft.com/homepage?t
> [!TIP] > You can also configure network protection by appending the information from [**Network protection to help prevent macOS connections to bad sites**](network-protection-macos.md) to the .mobileconig from step 8.
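Review bot: after the renumbering in `+### Step 10: Network protection ...`, the TIP immediately below still says "to the .mobileconig from step 8"; Microsoft AutoUpdate is now step 8 and the Defender configuration-settings profile the tip refers to is now step 9, so update the cross-reference in the same change and fix the `.mobileconig` typo while there.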
-### Step 10: Device Control for Microsoft Defender for Endpoint on macOS
+### Step 11: Device Control for Microsoft Defender for Endpoint on macOS
To set Device Control for Microsoft Defender for Endpoint on macOS, follow the steps in: - [Device Control for macOS](mac-device-control-overview.md) - [Deploy and manage Device Control using Intune](mac-device-control-intune.md)
-### Step 11: Data Loss Prevention (DLP) for Endpoint
+### Step 12: Data Loss Prevention (DLP) for Endpoint
To set Purview's Data Loss Prevention (DLP) for endpoint on macOS, follow the steps in [Onboard and offboard macOS devices into Compliance solutions using Microsoft Intune](/purview/device-onboarding-offboarding-macos-intune-mde).
-### Step 12: Check status of PList(.mobileconfig)
+### Step 13: Check status of PList(.mobileconfig)
After completing the profile configuration, you'll be able to review the status of the policies.
A standard [Company Portal installation](/intune-user-help/enroll-your-device-in
:::image type="content" source="media/mdatp-icon-bar.png" alt-text="The icon for Microsoft Defender for Endpoint in the status bar":::
-### Step 13: Publish application
+### Step 14: Publish application
This step enables deploying Microsoft Defender for Endpoint to enrolled machines.
For more information, see [Add Microsoft Defender for Endpoint to macOS devices
> [!IMPORTANT] > You should create and deploy the configuration profiles in the above order (step 1-13) for a successful system configuration.
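Review bot: with `+### Step 14: Publish application` the IMPORTANT callout below it still says "in the above order (step 1-13)"; the inserted Bluetooth step shifts every later heading by one, so the range should now read "step 1-14". Stale step ranges in this article are easy to miss because the headings and the callouts are edited separately; a quick search for "step " after renumbering would catch the remaining ones.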
-#### Step 14: Download the onboarding package
+#### Step 15: Download the onboarding package
To download the onboarding packages from Microsoft 365 Defender portal:
To download the onboarding packages from Microsoft 365 Defender portal:
:::image type="content" alt-text="Sample description" source="media/deploy-onboarding-package.png" lightbox="media/deploy-onboarding-package.png":::
-### Step 15: Deploy the onboarding package
+### Step 16: Deploy the onboarding package
This profile contains license information for Microsoft Defender for Endpoint.
To deploy the onboarding package:
1. Open **Devices** > **Configuration profiles** to see the created profile.
-## Step 16: Verify anti-malware detection
+## Step 17: Verify anti-malware detection
See the following article to test for an anti-malware detection review: [Antivirus detection test for verifying device's onboarding and reporting services](validate-antimalware.md)
-## Step 17: Verifying EDR detection
+## Step 18: Verifying EDR detection
See the following article to test for an EDR detection review: [EDR detection test for verifying device onboarding and reporting services](edr-detection.md)
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You'll need to take the following steps:
7. [Approve System extensions for Microsoft Defender for Endpoint](#step-7-approve-system-extensions-for-microsoft-defender-for-endpoint) 8. [Configure Network Extension](#step-8-configure-network-extension) 9. [Configure Background Services](#step-9-configure-background-services)
-10. [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
-11. [Deploy Microsoft Defender for Endpoint on macOS](#step-11-deploy-microsoft-defender-for-endpoint-on-macos)
+10. [Grant Bluetooth Permissions](#step-10-grant-bluetooth-permissions)
+11. [Schedule scans with Microsoft Defender for Endpoint on macOS](#step-11-schedule-scans-with-microsoft-defender-for-endpoint-on-macos)
+12. [Deploy Microsoft Defender for Endpoint on macOS](#step-12-deploy-microsoft-defender-for-endpoint-on-macos)
## Step 1: Get the Microsoft Defender for Endpoint onboarding package
These steps are applicable on macOS 11 (Big Sur) or later.
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
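Review bot: `+11. [Schedule scans with Microsoft Defender for Endpoint on macOS](#step-11-schedule-scans-with-microsoft-defender-for-endpoint-on-macos)` turns the previous external link into an in-page anchor, and `+12. [Deploy ...](#step-12-deploy-microsoft-defender-for-endpoint-on-macos)` renumbers the deploy anchor, but the only heading change visible in this diff is `## Step 10: Schedule scans ...` becoming `## Step 10: Grant Bluetooth Permissions`. Confirm that a `## Step 11: Schedule scans with Microsoft Defender for Endpoint on macOS` heading and a `## Step 12: Deploy ...` heading actually exist in the file, otherwise both new anchors point nowhere.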
+> [!NOTE]
+> Full Disk Access granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Full Disk Access.
+ ## Step 7: Approve System extensions for Microsoft Defender for Endpoint 1. In the **Configuration Profiles**, select **+ New**.
Download [**background_services.mobileconfig**](https://raw.githubusercontent.co
Upload downloaded mobileconfig to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
-## Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS
+## Step 10: Grant Bluetooth Permissions
+
+ > [!CAUTION]
+ > macOS 14 (Sonoma) contains new privacy enhancements. Beginning with this version, by default, applications cannot access Bluetooth without explicit consent. Microsoft Defender for Endpoint uses it if you configure Bluetooth policies for Device Control.
+
+Download [bluetooth.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/bluetooth.mobileconfig) from [GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+
+ > [!WARNING]
+ > Current version of JAMF Pro does not support this kind of payload yet. If you upload this mobileconfig as-is, JAMF Pro will remove unsupported payload,
+ > and it will fail to apply to client machines. You need to sign downloaded mobileconfig first, after that JAMF Pro will consider it "sealed" and will not
+ > tamper with it. See instructions below:
+
+- You need to have at least one signing certificate installed into your KeyChain, even a self-signed certificate will work. You can inspect what you have with:
+
+```bash
+> /usr/bin/security find-identity -p codesigning -v
+
+ 1) 70E46A47F552EA8D58521DAC1E7F5144BA3012BC "DevCert"
+ 2) 67FC43F3FAB77662BB7688C114585BAA37CA8175 "Mac Developer: John Doe (1234XX234)"
+ 3) E142DFD879E5EB60FA249FB5B24CEAE3B370394A "Apple Development: Jane Doe 7XX7778888)"
+ 4) 21DE31645BBF1D9F5C46E82E87A6968111E41C75 "Apple Development: me@example.com (8745XX123)"
+ 4 valid identities found
+```
+
+- Choose any of them, and provide the quoted text as the -N parameter:
+
+```bash
+/usr/bin/security cms -S -N "DevCert" -i bluetooth.mobileconfig -o bluetooth-signed.mobileconfig
+```
+
+- Now you can upload the generated bluetooth-signed.mobileconfig to JAMF Pro as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
+
+> [!NOTE]
+> Bluetooth granted through Apple MDM Configuration Profile is not reflected in System Settings => Privacy & Security => Bluetooth.
+
+## Step 11: Schedule scans with Microsoft Defender for Endpoint on macOS
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
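Review bot: the "Download [bluetooth.mobileconfig]" link points at the GitHub blob page on `master`, while the background-services profile earlier in this article is fetched from raw.githubusercontent.com; because the signing step seals whatever file was downloaded and that sealed profile is then pushed to every managed Mac, link to the raw file at a pinned commit (or at least tell the reader to use the Raw/Download button and compare the payload with the repository before signing), so an HTML page or a later-changed profile is never what gets signed. In the first `bash` block the leading `>` reads as a shell prompt but is easy to copy as part of the command, and the block mixes the command with its sample output; use `$` or no prompt, and put `-N` in backticks where the text says "the -N parameter". The sample identity for Jane Doe is missing its opening parenthesis before `7XX7778888)`. "Current version of JAMF Pro does not support this kind of payload yet" will go stale silently; name the Jamf Pro version that was tested. Finally, the `[!CAUTION]` and `[!WARNING]` blockquotes are indented by one space while the `[!NOTE]` blockquotes in the same article are not; align them.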
-## Step 11: Deploy Microsoft Defender for Endpoint on macOS
+## Step 12: Deploy Microsoft Defender for Endpoint on macOS
> [!NOTE] > In the steps that follow, the name of the `.pkg` file and the **Display Name** values are examples. In these examples, `200329` represents the date on which the
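Review bot: with Step 10 renamed from "Schedule scans" to "Grant Bluetooth Permissions", the anchor `#step-10-...` changes meaning rather than disappearing, so an old external link to the scheduling step now lands on the Bluetooth step without a 404; search other articles for links to the old `#step-10-schedule-scans-with-microsoft-defender-for-endpoint-on-macos` and `#step-11-deploy-microsoft-defender-for-endpoint-on-macos` anchors and update them to step-11 and step-12 (mac-whatsnew.md in this patch already uses the new `#step-10-grant-bluetooth-permissions` anchor). The old step list entry 10 linked to the external schedule-scan article instead of the in-page step; the new in-page anchor is the right fix.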
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
You encounter this message in a different way: If you're using the terminal to e
### Cause -- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-did-not-run-the-configuration-script).
+- You can encounter an error if you've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but you might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#step-15-download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [If you didn't run the configuration script](#if-you-did-not-run-the-configuration-script).
- You can encounter an error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [If Microsoft Defender for Endpoint on macOS isn't up to date](#if-microsoft-defender-for-endpoint-on-macos-is-not-up-to-date).
Depending on the deployment management tool used, follow the tool-specific instr
|Management |License deployment instructions (Onboarding instructions) | |||
-|Intune | [Download the onboarding package](mac-install-with-intune.md#step-14-download-the-onboarding-package) |
+|Intune | [Download the onboarding package](mac-install-with-intune.md#step-15-download-the-onboarding-package) |
|JamF | [Step 1: Get the Microsoft Defender for Endpoint onboarding package](mac-jamfpro-policies.md#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package) | |Other MDM | [License settings](mac-install-with-other-mdm.md#license-settings) | |Manual installation | [Download installation and onboarding packages](mac-install-manually.md#download-installation-and-onboarding-packages); and [Onboarding Package](mac-install-manually.md#onboarding-package) |
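Review bot: the anchor bump from `#step-14-download-the-onboarding-package` to `#step-15-download-the-onboarding-package` has to match the heading that now exists in mac-install-with-intune.md; the mac-whatsnew.md note in this same patch links `mac-install-with-intune.md#step-7-bluetooth-permissions`, which is consistent with one new step being inserted before the onboarding-package step, so the two edits agree. The JamF row still points at `#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package`, whose heading is unchanged in mac-jamfpro-policies.md, so that row correctly stays as is.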
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.
**macOS Deprecation** Microsoft Defender for Endpoint no longer supports Big Sur (11)
-### Apr-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)
+### Apr-2024 (Build: 101.24032.0006 | Release version: 20.124032.06.0)
+
+| Build: | **101.24032.0006** |
+|--|--|
+| Release version: | **20.124012.10.0** |
+| Engine version: | **1.1.24030.4** |
+| Signature version: | **1.407.521.0** |
+
+##### What's new
+
+- Improvements to `mdatp threat` command
+- Remove Big Sur from supported versions of macOS
+- [device control] Fix Bluetooth support on Sonoma (see Note below)
+- Bug and performance fixes
+
+ > [!NOTE]
+ > You need to deploy a new MDM configuration profile for Defender to access Bluetooth.
+ > See details for [JAMF](mac-jamfpro-policies.md#step-10-grant-bluetooth-permissions) and [Intune](mac-install-with-intune.md#step-7-bluetooth-permissions)
+
+### Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)
| Build: | **101.24012.0010** | |--|--|
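Review bot: the "Release version:" row of the new table says `20.124012.10.0`, but the heading for the same build (101.24032.0006) says `20.124032.06.0`; the table value equals the March entry's release version, so it looks copied over and should be `20.124032.06.0`. Also, the `[!NOTE]` under "What's new" follows a blank line and is indented by one space, which places it outside the list; if it is meant to hang off the "[device control] Fix Bluetooth support" bullet, indent it under that item, otherwise drop the leading space. The `##### What's new` heading is an h5 directly under an h3; use h4 unless the surrounding release entries already use h5.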
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
description: Learn about the available features that you can use from the Device
+ ms.localizationpriority: medium audience: ITPro
- tier2 search.appverid: met150 Previously updated : 12/18/2020 Last updated : 04/17/2024 # Device inventory
Last updated 12/18/2020
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-machinesview-abovefoldlink)
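Review bot: the body still carries a bare "Last updated 12/18/2020" line while the front matter now says the article was last updated 04/17/2024; remove the body line (the front matter is the source of the date) so readers are not shown two contradictory dates.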
-The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
-
-At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
-
-> [!NOTE]
-> The device inventory is available in different Microsoft Defender XDR services. The information available to you will differ depending on your license. You'll get the most complete set of capabilities when using [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037).
+The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
> [!NOTE]
-> Risk Level which can influence enforcement of conditional access and other security policies on Microsoft Intune, is available in Windows today.
+> The device inventory is available in different Microsoft Defender XDR services. The information available to you can differ depending on your license. To get the most complete set of capabilities, use [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037).
+>
+> Risk Level, which can influence enforcement of Conditional Access and other security policies in Microsoft Intune, is now available for Windows devices.
There are several options you can choose from to customize the devices list view. On the top navigation you can:
There are several options you can choose from to customize the devices list view
During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis. > [!NOTE]
-> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.
+>
+> If you export the devices list, it contains every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file includes all devices in the organization, regardless of any filtering applied in the view itself.
+>
+> In addition, when you export the devices list, the antivirus status shows as `Not-Supported`. For antivirus status, use the recently released [Microsoft Defender Antivirus health report](/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health) instead. This report allows you to export even more details.
+
+The following image depicts the devices list:
:::image type="content" source="media/device-inventory.png" alt-text="The list of devices" lightbox="media/device-inventory.png":::
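Review bot: the merged opening paragraph still says the inventory lists "devices in your network where alerts were generated", while the onboarding paragraph says the list is populated "with devices as they begin to report sensor data" and the export note says the CSV contains every device in the organization; these conflict, and the export note suggests the sensor-data wording is the accurate one. "the recently released Microsoft Defender Antivirus health report" and "is now available for Windows devices" date themselves; drop "recently released" and "now". The rest of the export note is good as written: stating that the CSV ignores the view's filters and that its antivirus status column reads `Not-Supported` is exactly what an analyst needs to know before building a report on that export.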
security Advanced Hunting Email Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-email-threats.md
+
+ Title: Advanced hunting example for Microsoft Defender for Office 365
+description: Get started searching for email threats using advanced hunting
+search.appverid: met150
++
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+ Last updated : 9/13/2023++
+# Advanced hunting example for Microsoft Defender for Office 365
++
+**Applies to:**
+- Microsoft Defender XDR
+
+Want to get started searching for email threats using advanced hunting? Try these steps:
+
+The [Microsoft Defender for Office 365 deployment guide](../office-365-security/mdo-deployment-guide.md) explains how to jump right in and get configuration going on Day 1.
+
+Depending on your [preset security policy vs. custom policy choices](../office-365-security/mdo-deployment-guide.md#determine-your-protection-policy-strategy), **Zero-Hour auto purge** (ZAP) settings are important to know if a malicious message was removed from a mailbox after delivery.
+
+Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps in the Microsoft Defender portal at <https://security.microsoft.com> \> **Hunting** \> **Advanced Hunting**.
+
+1. On the **Advanced Hunting page** at <https://security.microsoft.com/v2/advanced-hunting>, verify the **New Query** tab is selected.
+1. Copy the following query into the **Query** box:
+
+ ```kusto
+ EmailPostDeliveryEvents
+ | where Timestamp > ago(7d)
+ //List malicious emails that were not zapped successfully
+ | where ActionType has "ZAP" and ActionResult == "Error"
+ | project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
+ //Get logon activity of recipients using RecipientEmailAddress and AccountUpn
+ | join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
+ | where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
+ //Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
+ | project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
+ LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
+ ```
+
+1. Select **Run query**.
++
+The data from this query appears in the **Results** panel below the query itself. Results include information like `DeviceName`, `AccountDisplayName`, and `ZapTime` in a customizable result set. Results can also be exported for your records. To save the query for reuse, select **Save** \> **Save As** to add the query to your list of queries, shared, or community queries.
+
+## Related information
+
+- [Advanced hunting best practices](advanced-hunting-best-practices.md)
+- [Overview - Advanced hunting](advanced-hunting-overview.md)
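Review bot: the join `on $left.RecipientEmailAddress == $right.AccountUpn` is a case-sensitive equality, so a UPN whose casing differs from the recipient address silently drops the logon rows; since join's `on` clause only accepts `==`, normalise both sides first, for example `| extend RecipientEmailAddress = tolower(RecipientEmailAddress)` before the join and `IdentityLogonEvents | extend AccountUpn = tolower(AccountUpn)` as the right-hand table. The right-hand table also has no time filter, so all of IdentityLogonEvents is read before the 24-hour window is applied; filter it with `| where Timestamp > ago(8d)` (the 7-day range plus the 24-hour lookback) before the join, as the linked best-practices article recommends. Smaller points: the front matter says "Last updated : 9/13/2023" on an article that this patch adds; the `- m365-security` / `- tier3` list has lost its `ms.collection:` key; "Try these steps:" is followed by three prose paragraphs before the first numbered step; and "your list of queries, shared, or community queries" should read "your list of queries, shared queries, or community queries".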
security Automatic Attack Disruption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md
This article provides an overview of automated attack disruption and includes li
## How automatic attack disruption works
-Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise.
Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets.
-While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets.
+ Automatic attack disruption operates in three key stages:
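Review bot: folding the "While many XDR and security orchestration ..." paragraph into the preceding one yields a six-sentence paragraph that mixes two ideas (what attack disruption does, and how it differs from custom SOAR playbooks); keep the paragraph break. The added "Automatic attack disruption operates in three key stages:" line begins with a stray leading space, and "allow you to create your automatic response actions" reads better as "allow you to create your own automatic response actions".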
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
Proactively search for threats, malware, and malicious activity across your endp
[Custom detection rules](/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
-Here's an [example on advanced hunting](advanced-hunting-example.md) in Microsoft Defender for Office 365.
+Here's an [example on advanced hunting](advanced-hunting-email-threats.md) in Microsoft Defender for Office 365.
### Action center
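Review bot: retargeting the link from advanced-hunting-example.md to advanced-hunting-email-threats.md should be paired with a redirect entry for the old path, since the old article may be bookmarked or linked from outside the docs set; nothing in this patch adds one.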
security Microsoft Sentinel Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md
To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must
- A Log Analytics workspace that has Microsoft Sentinel enabled - The data connector for Microsoft Defender XDR (formerly named Microsoft 365 Defender) enabled in Microsoft Sentinel for incidents and alerts
+- Access to Microsoft Defender XDR in the Defender portal
- Microsoft Defender XDR onboarded to the Microsoft Entra tenant - An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed. |Task |Azure built-in role required |Scope | |||| |Connect or disconnect a workspace with Microsoft Sentinel enabled|[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
+ |View Microsoft Sentinel in the Defender portal|[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) |Subscription, resource group, or workspace resource |
|Query Sentinel data tables or view incidents |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource | |Take investigative actions on incidents |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/incidents/read</br>- Microsoft.SecurityInsights/incidents/write</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/comments/write</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/relations/write</br>- Microsoft.SecurityInsights/incidents/tasks/read</br>- Microsoft.SecurityInsights/incidents/tasks/write |Subscription, resource group, or workspace resource | |Create a support request |[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br> [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or </br> [Support request contributor](/azure/role-based-access-control/built-in-roles#support-request-contributor) or a custom role with Microsoft.Support/*|Subscription |
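Review bot: the new row "View Microsoft Sentinel in the Defender portal" lists only the Microsoft Sentinel Reader built-in role, with none of the "or a role with the following actions" alternatives the neighbouring rows give, so a reader with a custom least-privilege role that satisfies the query row cannot tell whether it also lets them see Sentinel in the portal; either list the required actions or state that the built-in role is mandatory for this task. The new prerequisite "Access to Microsoft Defender XDR in the Defender portal" should name the role or permission that grants that access, as the table does for the Azure side.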
security Microsoft Threat Actor Naming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-threat-actor-naming.md
- tier2 search.appverid: met150 Previously updated : 03/04/2024 Last updated : 04/17/2024 # How Microsoft names threat actors
Use the following reference table to understand how our previously publicly disc
|Salmon Typhoon|SODIUM|China|APT4, Maverick Panda| |Sangria Tempest|ELBRUS|Financially motivated|Carbon Spider, FIN7| |Sapphire Sleet|COPERNICIUM|North Korea|Genie Spider, BlueNoroff|
-|Seashell Blizzard|IRIDIUM|Russia|Sandworm|
+|Seashell Blizzard|IRIDIUM|Russia|APT44, Sandworm|
|Secret Blizzard|KRYPTON|Russia|Venomous Bear, Turla, Snake| |Silk Typhoon|HAFNIUM|China|| |Smoke Sandstorm|BOHRIUM|Iran||
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
The simplest way to verify the Illicit Consent Grant attack is to run [Get-Azure
3. Open an elevated PowerShell session as an administrator in the folder where you saved the script.
-4. Connect to your directory using the [Connect-AzureAD](/powershell/module/azuread/connect-azuread) cmdlet.
+4. Connect to your directory using the [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands#using-connect-mggraph) cmdlet.
5. Run this PowerShell command:
After you identified the application with illicit permissions, you have several
4. On the **Applications** page, select the illicit application by clicking on the **Name** value. 5. On the **Assignment detail** page that opens, select **Remove**. -- You can revoke the OAuth consent grant with PowerShell by following the steps in [Remove-AzureADOAuth2PermissionGrant](/powershell/module/azuread/Remove-AzureADOAuth2PermissionGrant).
+- You can revoke the OAuth consent grant with PowerShell by following the steps in [Remove-MgOauth2PermissionGrant](/powershell/module/microsoft.graph.identity.signins/remove-mgoauth2permissiongrant)
-- You can revoke the Service App role assignment with PowerShell by following the steps in [Remove-AzureADServiceAppRoleAssignment](/powershell/module/azuread/Remove-AzureADServiceAppRoleAssignment).
+- You can revoke the Service App Role Assignment with PowerShell by following the steps in [Remove-MgServicePrincipalAppRoleAssignment](/powershell/module/microsoft.graph.applications/remove-mgserviceprincipalapproleassignment).
- You can disable sign-in for the affected account, which disables access to data in the account by the app. This action isn't ideal for user productivity, but it can be a short-term remediation to quickly limit the results of the attack.
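Review bot: step 4 now uses Connect-MgGraph, but unlike Connect-AzureAD it does not come with directory permissions built in; the step should show the `-Scopes` parameter requesting the delegated permissions that the script in step 5 and the Remove-MgOauth2PermissionGrant and Remove-MgServicePrincipalAppRoleAssignment cmdlets need, otherwise those calls are rejected for insufficient privileges. The lead sentence still refers to a `Get-Azure...` script; confirm that script was migrated off the AzureAD module as well, since that module is what this change moves away from. Minor: the Remove-MgOauth2PermissionGrant bullet lost its trailing period while the next bullet keeps one.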
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft Defender portal or in
- **Notifications** section: Use the settings in the section to configure additional recipients who should receive copies and notifications of suspicious outbound email messages:
- - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages that were marked as spam, phishing, or malware.
+ - **Send a copy of suspicious outbound messages that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages.
> [!NOTE] > This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
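Review bot: the rewrite drops "that were marked as spam, phishing, or malware" from the setting's description, which changes what it is documented to do: as now written, Bcc copies appear to go out for any outbound message that exceeds the limits, regardless of verdict. If the qualifier was removed because it was wrong, say what "suspicious" means here; if it was only trimmed for length, restore it, because the listed recipients receive copies of user mail and the scope of that disclosure should be stated precisely.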
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
On the **Submissions** page, select the **Teams messages** tab.
You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>): - **Submission name**<sup>\*</sup>-- **Sender**sup>\*</sup>
+- **Sender**<sup>\*</sup>
- **Date submitted**<sup>\*</sup> - **Reason for submitting**<sup>\*</sup> - **Submitted by**
security Threat Explorer Real Time Detections About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md
When you select an entry by clicking on the **Recipient** value, a details flyou
- Whether the user has permission to see archive information. - Whether the user has permission to see retention information. - Whether the user is covered by data loss prevention (DLP).
- - Whether the user is covered by **Mobile management** at <https://portal.office.com/EAdmin/Device/IntuneInventory.aspx>. <!-- Security Administrator can't open the page>
+ - Whether the user is covered by **Mobile management** at <https://portal.office.com/EAdmin/Device/IntuneInventory.aspx>.
- **Email** section: A table showing the following related information for messages sent to the recipient: - **Date** - **Subject**
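Review bot: the removed HTML comment was malformed (`<!-- ... >` with no closing `-->`), so besides hiding the note it could swallow following content in renderers that honour it; removing it is correct. But the comment recorded a real permissions caveat, that a Security Administrator cannot open the linked Intune inventory page; rather than dropping it silently, add a visible sentence naming the role needed to open that link.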
security Threat Explorer Threat Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md
The following information is available in this article:
> > - [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-email-security.md) > - [Investigate malicious email that was delivered in Microsoft 365](threat-explorer-investigate-delivered-malicious-email.md)
+>
+> If you're hunting for attacks based on malicious URLs embedded within QR codes, the **URL Source** filter value **QR code** in the **All email**, **Malware**, and **Phish** views in Threat Explorer or Real-time detections allows you to search for email message with URLs extracted from QR codes.
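Review bot: "allows you to search for email message with URLs extracted from QR codes" should read "email messages". The sentence is also long for a note; "To hunt for malicious URLs embedded in QR codes, set the **URL Source** filter to **QR code** in the **All email**, **Malware**, or **Phish** view" says the same thing more directly.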
## What do you need to know before you begin?
solutions Manage Devices With Intune App Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-app-protection.md
f1.keywords:
- MAM - set up mobile ap protection Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Configure mobile app protection with App Protection policies (APP) to prevent specified corporate data from being copied and pasted to other apps.
keywords:
# Step 1. Implement App Protection Policies
-Intune App Protection policies (APP), sometimes referred to as Mobile Application Management (MAM), protect corporate data even if a device itself is not managed. This allows you to enable bring-your-own (BYO) and personal devices at work where users may be reluctant to ΓÇ£enrollΓÇ¥ their device into management. App Protection policies ensure corporate data in the apps you specify cannot be copied and pasted to other apps on the device.
+Intune App Protection Policies (APP), sometimes referred to as Mobile Application Management (MAM), protect corporate data even if a device itself is not managed. This allows you to enable bring-your-own (BYO) and personal devices at work where users may be reluctant to ΓÇ£enrollΓÇ¥ their device into management. APP ensure corporate data in the apps you specify cannot be copied and pasted to other apps on the device.
-![Steps for creating app protection policies](../media/devices/intune-app-steps.png#lightbox)
In this illustration:+ - With APP, Intune creates a wall between your organization data and personal data. The app protection policies define which apps are allowed to access your data. - If a user signs in with their organization credentials, Intune applies a policy at the app layer to prevent copy and paste of your organization data to personal apps and to require PIN access to this data.-- After creating an App Protection policy, you enforce data protection with a conditional access policy.
+- After creating an App Protection policy, you enforce data protection with a Conditional Access policy.
This configuration greatly increases your security posture with almost no impact to the user experience. Employees can use apps like Office and Microsoft Teams, that they know and love, while at the same time your organization can protect the data contained within the apps and devices.
-If you have custom Line of Business applications that need protection, currently you can use the app wrapping tool to enable APP with these applications. Or, you can integrate using the Intune App SDK. When your app has app protection policies applied to it, it can be managed by Intune and is recognized by Intune as a managed app. For more information on protecting your Line of Business applications using Intune, see [Prepare apps for mobile application management with Microsoft Intune](/mem/intune/developer/apps-prepare-mobile-application-management).
+If you have custom Line of Business applications that need protection, currently you can use the app wrapping tool to enable APP with these applications. Or, you can integrate using the Intune App SDK. When your app has app protection policies applied to it, it can be managed by Intune and is recognized by Intune as a managed app.
-## Configuring mobile app protection
+For more information about protecting your Line of Business applications using Intune, see [Prepare apps for mobile application management with Microsoft Intune](/mem/intune/developer/apps-prepare-mobile-application-management).
-This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). After you create the Mobile App protection policies in Intune, work with your identity team to configure the conditional access policy in Microsoft Entra ID that enforces mobile app protection.
+## Configuring mobile app protection
-This illustration highlights the two policies (also described in the table below the illustration).
+This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). After you create the Mobile App protection policies in Intune, work with your identity team to configure the Conditional Access policies in Microsoft Entra ID that enforce mobile app protection.
-[![Zero Trust identity and device access policies](../media/devices/identity-device-starting-point.png#lightbox)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-starting-point.png)
+This illustration highlights the two policies (also described in the table following the illustration).
-To configure these policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The table below links directly to the instructions for configuring these policies in Intune and Microsoft Entra ID.
+To configure these policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The following table links directly to the instructions for configuring these policies in Intune and Microsoft Entra ID.
-|Step |Policies |More information |Licensing |
-|||||
-|1 | [Apply Application Protection Policies (APP) data protection](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#app-protection-policies) | One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5 |
-|2 | [Require approved apps and app protection ](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#require-approved-apps-and-app-protection-policies) | Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5 |
-| | | | |
+|Policy |More information |Licensing |
+||||
+| [Apply Application Protection Policies (APP) data protection](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#app-protection-policies) | One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5 |
+| [Require approved apps and app protection](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#require-approved-apps-and-app-protection-policies) | Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5 |
-## Next steps
+## Next step
-Go to [Step 2. Enroll devices to Intune](manage-devices-with-intune-enroll.md).
+Go to [Step 2. Enroll devices into management with Intune](manage-devices-with-intune-enroll.md).
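Review bot: the `+This illustration highlights the two policies (also described in the table following the illustration).` line still points at an illustration that this change removes: the `-[![Zero Trust identity and device access policies](../media/devices/identity-device-starting-point.png#lightbox)]` line has no `+` counterpart. Either keep the image or reword the sentence to introduce the table directly (for example "The following table lists the two policies."). As committed, the reader is told to look at a figure that is no longer on the page.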
solutions Manage Devices With Intune Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-compliance-policies.md
f1.keywords:
- Create compliance policies - Intune device compliance policy Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Learn how to create device compliance policies that specify the minimum requirements for a device to access your environment.
keywords:
Enrolling devices to Intune gives you the ability to achieve even greater security and control of data in your environment. [Step 2. Enroll devices to Intune](manage-devices-with-intune-enroll.md) details how to accomplish this using Intune. This article covers the next step, which is to configure device compliance policies.
-![Steps managing devices](../medim-step-2.png#lightbox)
-You want to be sure devices that are accessing your apps and data meet minimum requirements. For example, theyΓÇÖre password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. Intune uses these compliance policies to mark a device as compliant or non-compliant. This binary status is passed to Microsoft Entra which can use this status in conditional access rules to allow or prevent a device from accessing resources.
+You want to be sure devices that are accessing your apps and data meet minimum requirements. For example, theyΓÇÖre password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. Intune uses these compliance policies to mark a device as compliant or non-compliant. This binary status is passed to Microsoft Entra which can use this status in Conditional Access rules to allow or prevent a device from accessing resources.
## Configuring device compliance policies This guidance is tightly coordinated with the recommended [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md).
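Review bot: the link text in the unchanged line `Enrolling devices to Intune gives you the ability ... [Step 2. Enroll devices to Intune](manage-devices-with-intune-enroll.md)` still uses the old article title, while this same change set retitles that article (see the `+# Step 2. Enroll devices into management with Intune` line in the enroll article further down). Update the link text here in the same commit so the cross-reference matches the target's H1, as was done for the Next step link in the app protection article.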
-This illustration highlights where the work of defining compliance policies fits into the overall Zero Trust recommended policy set.
+This illustration highlights where the work of defining compliance policies fits into the overall Zero Trust recommended policy set.
-[![Zero Trust identity and device access policies](../media/devices/identity-device-define-compliance.png#lightbox)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-define-compliance.png)
In this illustration, defining device compliance policies is a dependency for achieving the recommended level of protection within the Zero Trust framework.
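Review bot: the `+This illustration highlights where the work of defining compliance policies fits into the overall Zero Trust recommended policy set.` line and the unchanged `In this illustration, defining device compliance policies is a dependency ...` line both describe an illustration, but the change removes it (`-[![Zero Trust identity and device access policies](../media/devices/identity-device-define-compliance.png#lightbox)]`) without a replacement. Restore the image or rewrite both sentences to state the dependency without pointing at a figure, for example "Defining device compliance policies is a prerequisite for the recommended level of protection in the Zero Trust policy set."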
-To configure device compliance policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The table below links directly to the instructions for configuring these policies in Intune, including the recommended settings for each platform.
-
+To configure device compliance policies, use the recommended guidance and settings prescribed in [Zero Trust identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). The following table links directly to the instructions for configuring these policies in Intune, including the recommended settings for each platform.
|Policies |More information |Licensing | ||||
-|[Define device compliance policies ](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#create-device-compliance-policies) | One policy for each platform | Microsoft 365 E3 or E5 |
-| | | |
+|[Define device compliance policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#create-device-compliance-policies) | One policy for each platform | Microsoft 365 E3 or E5 |
-## Next steps
+## Next step
-Go to [Step 4. Require healthy and compliant devices](manage-devices-with-intune-require-compliance.md) for instructions on how to create the conditional access rule in Microsoft Entra ID.
+Go to [Step 4. Require healthy and compliant devices with Intune](manage-devices-with-intune-require-compliance.md).
solutions Manage Devices With Intune Configuration Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-configuration-profiles.md
f1.keywords:
- Windows security baselines for Intune - customize configuration profiles Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Get started with configuration profiles to enforce secure settings on devices using Intune to transition these security controls to the cloud.
Microsoft Intune includes settings and features you can enable or disable on dif
This article provides guidance on getting started with configuration profiles. -
-![Steps for managing devices](../medim-step-4.png#lightbox)
Configuration profiles give you the ability to configure important protection and to bring devices into compliance so they can access your resources. Previously, these kinds of configuration changes were configured by using Group Policy settings in Active Directory Domain Services. A modern security strategy includes moving security controls to the cloud where enforcement of these controls isn't dependent on on-premises resources and access. Intune configuration profiles are the way to transition these security controls to the cloud.
As a starting point, if you want to align your device configurations to Microsof
To deploy the Windows security baselines for Intune, available for Windows 10 and Windows 11. See [Use security baselines to configure Windows devices in Intune](/mem/intune/protect/security-baselines) to learn about the available baselines.
-For now, just deploy the most appropriate MDM security baseline. See [Manage security baseline profiles in Microsoft Intune ](/mem/intune/protect/security-baselines-configure)to create the profile and choose the baseline version.
+For now, just deploy the most appropriate MDM security baseline. See [Manage security baseline profiles in Microsoft Intune](/mem/intune/protect/security-baselines-configure)to create the profile and choose the baseline version.
Later, when Microsoft Defender for Endpoint is set up and youΓÇÖve connected Intune, deploy the Defender for Endpoint baselines. This topic is covered in the next article in this series: [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md).
In addition to deploying the pre-configured baselines, many enterprise-scale org
The many settings you can configure by using configuration profiles can be grouped into four categories, as illustrated below.
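Review bot: the `+For now, just deploy the most appropriate MDM security baseline. See [Manage security baseline profiles in Microsoft Intune](/mem/intune/protect/security-baselines-configure)to create the profile` line removes the stray space inside the link text but leaves the missing space after the closing parenthesis, so the rendered text still reads "Intune)to create". Add the space while the line is being touched.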
-![Intune device profile categories](../media/devices/intune-device-profile-categories.png#lightbox)
The following table describes the illustration.
| | | | When customizing configuration profiles for your organization, use the following guidance:+ - Simplify your security governance strategy by keeping the overall number of policies small. - Group settings into the categories listed above, or categories that make sense for your organization.-- When moving security controls from Group Policy Objects (GPO) to Intune configuration profiles, consider whether the settings configured by each GPO are still relevant, and needed to contribute to your overall cloud security strategy. Conditional access and the many policies that can be configured across cloud services, including Intune, provide more sophisticated protection than could be configured in an on-premises environment where custom GPOs were originally designed.
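Review bot: the `-![Intune device profile categories](../media/devices/intune-device-profile-categories.png#lightbox)` line removes the figure, but the unchanged text on both sides still depends on it: "grouped into four categories, as illustrated below" and "The following table describes the illustration." With the image gone, "below" points at nothing and the table has no illustration to describe. Either keep the image or rewrite the two sentences to introduce the four categories and the table directly ("The following table describes the four categories.").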
+- When moving security controls from Group Policy Objects (GPO) to Intune configuration profiles, consider whether the settings configured by each GPO are still relevant, and needed to contribute to your overall cloud security strategy. Conditional Access and the many policies that can be configured across cloud services, including Intune, provide more sophisticated protection than could be configured in an on-premises environment where custom GPOs were originally designed.
- Utilize Group Policy Analytics to compare and map your current GPO settings to capabilities within Microsoft Intune. See [Analyze your on-premises group policy objects (GPO) using Group Policy analytics](/mem/intune/configuration/group-policy-analytics) in Microsoft Intune. - When utilizing custom configuration profiles, be sure to use the guidance here: [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
If your environment includes on-prem GPOs, the following features are a good tra
- [Admin templates (ADMX)](/mem/intune/configuration/administrative-templates-windows) - [Settings Catalog](/mem/intune/configuration/settings-catalog)
+## Next step
-## Next steps
Go to [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md).
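Review bot: the unchanged Next step link `Go to [Step 6. Monitor device risk and compliance to security baselines](manage-devices-with-intune-monitor-risk.md)`, and the same link text in the "Later, when Microsoft Defender for Endpoint is set up" paragraph above, still carry the old title, while the monitor-risk article in this change set is retitled to `+# Step 6. Monitor device risk and compliance for security baselines`. Update both cross-references in the same commit so the titles across the series agree.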
solutions Manage Devices With Intune Dlp Mip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-dlp-mip.md
Title: "Step 7. Implement data loss prevention (DLP) with information protection capabilities"
+description: Implement Endpoint DLP by working with your information protection and governance team to create DLP policies for your organization.
f1.keywords:
- data loss prevention - dlp policies Previously updated : 10/20/2021 Last updated : 04/16/2024 audience: ITPro
- zerotrust-solution keywords:
-description: Implement Endpoint DLP by working with your information protection and governance team to create DLP policies for your organization.
# Step 7. Implement data loss prevention (DLP) with information protection capabilities -
-If your organization has already put the time into understanding your data, developing a data sensitivity schema, and applying the schema, you might be ready to extend elements of this schema to endpoints by using Microsoft Purview Data Loss Prevention (DLP) policies.
+If your organization has already put the time into understanding your data, developing a data sensitivity schema, and applying the schema, you might be ready to extend elements of this schema to endpoints by using Microsoft Purview Data Loss Prevention (DLP) policies.
Endpoint data loss prevention (Endpoint DLP) currently applies to:-- Windows 10, Windows 11+
+- Windows 10 and Windows 11
- macOS
-DLP policies are created by your information protection and governance team. Each DLP policy defines what elements within a data set to look for, like sensitive information types or labels, and how to protect this data.
+DLP policies are created by your information protection and governance team. Each DLP policy defines what elements within a data set to look for, like sensitive information types or labels, and how to protect this data.
For example, a DLP policy can look for personal data like a passport number. The DLP policy includes a condition that triggers the policy to take action, such as when a passport number is shared with people outside your organization. The action the policy takes can be configured as well. Options range from simply reporting the action to admins, warning users, or even preventing the data from being shared. The DLP policy also specifies the location to apply the policy to, such as Exchange email and SharePoint sites. One of the locations available to admins is devices. If devices are selected, you can specify which users and user groups to apply the policy to. You can also specify users and user groups to exclude from the policy.
-If your information protection and governance team is ready to extend DLP policies to endpoints, you need to coordinate with them to enable devices for Endpoint DLP, test and tune DLP policies, train users, and monitor the results.
-
-![Endpoint DLP steps for the device admin](../media/devices/endpoint-dlp-steps.png#lightbox)
+If your information protection and governance team is ready to extend DLP policies to endpoints, you need to coordinate with them to enable devices for Endpoint DLP, test and tune DLP policies, train users, and monitor the results.
Use the following steps to work with your information protection team. - |Step |Description | |||
-|1 | [Learn about Endpoint data loss prevention](../compliance/endpoint-dlp-learn-about.md). |
+|1 | [Learn about Endpoint DLP](../compliance/endpoint-dlp-learn-about.md). |
|2 | Enable devices for Endpoint DLP. If you onboarded devices to Microsoft Defender for Endpoint, your devices are already enabled for Endpoint DLP. If your devices aren't onboarded to Defender for Endpoint, see [Get started with Endpoint data loss prevention](../compliance/endpoint-dlp-getting-started.md) for instructions.|
-|3 | Work with your information protection and governance team to define, test, and tune policies. This includes monitoring the results. See these resources:<br>- [Using Endpoint data loss prevention](../compliance/endpoint-dlp-using.md)<br>- [Get started with Activity Explorer](../compliance/data-classification-activity-explorer.md) |
+|3 | Work with your information protection and governance team to define, test, and tune policies. This includes monitoring the results. See these resources: <br><br> - [Using Endpoint data loss prevention](../compliance/endpoint-dlp-using.md) <br><br> - [Get started with Activity Explorer](../compliance/data-classification-activity-explorer.md) |
+
+## Next step
+
+Go to [Step 7. Implement data loss prevention (DLP) with information protection capabilities](manage-devices-with-intune-dlp-mip.md).
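Review bot: the added Next step links this article to itself. The page title is `# Step 7. Implement data loss prevention (DLP) with information protection capabilities` and the added line is `+Go to [Step 7. Implement data loss prevention (DLP) with information protection capabilities](manage-devices-with-intune-dlp-mip.md)`, which is this file. If there is no Step 8 in the series, drop the Next step section; otherwise point it at the next article or at the series overview.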
solutions Manage Devices With Intune Enroll https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-enroll.md
f1.keywords:
- enroll devices to Intune - Intune mobile device platforms Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Use Intune and Autopilot to enroll devices into management to ensure the apps running on them are compliant and to prevent corporate data leaks.
keywords:
-# Step 2. Enroll devices to Intune
+# Step 2. Enroll devices into management with Intune
There are several ways to secure the endpoint, a term often used to refer to the combined entity including devices, apps, and user identity. Security policies must be enforced consistently and reliably not only on the apps but the device itself. Enrolling the device to Intune and registering with a cloud identity provider, such as Microsoft Entra ID, is a great start.
-Whether a device is a personally owned BYOD device or a corporate-owned and fully managed device, it's good to have visibility into the endpoints accessing your organizationΓÇÖs resources to ensure youΓÇÖre only allowing healthy and compliant devices. This includes the health and trustworthiness of mobile and desktop apps that run on endpoints. You want to ensure those apps are healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.
+Whether a device is a personally owned Bring Your Own Device (BYOD) or a corporate-owned and fully managed device, it's good to have visibility into the endpoints accessing your organizationΓÇÖs resources to ensure youΓÇÖre only allowing healthy and compliant devices. This includes the health and trustworthiness of mobile and desktop apps that run on endpoints. You want to ensure those apps are healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.
The device enrollment process establishes a relationship between the user, the device, and the Microsoft Intune service. Using Microsoft Intune as a standalone service enables you to use a single web-based administration console to manage Windows PCs, macOS, and the most popular mobile device platforms. This article recommends methods for enrolling devices to Intune. For more information about these methods and how to deploy each one, see [Deployment guidance: Enroll devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment).
-![Steps for managing devices](../medim-steps-1.png#lightbox)
-
-Use the guidance in this article together with this illustrated version of enrollment options for each platform.
-
-[![A visual representation of Intune enrollment options by platform](../media/devices/msft-intune-enrollment-options-thumb-landscape.png)](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) <br/> [PDF](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Visio](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx) <br/> Updated June 2022
+Use the guidance in this article together with this illustrated version of enrollment options for each platform.
+[![Thumbnail verson of the two pages of the Intune Enrollment Options poster](../media/devices/msft-intune-enrollment-options-thumb-landscape.png)](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) <br/> [PDF](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf) | [Visio](https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.vsdx) <br/> Updated June 2022
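Review bot: typo in the new alt text: `+[![Thumbnail verson of the two pages of the Intune Enrollment Options poster]` should read "Thumbnail version". The rewrite also drops the blank line that separated the "Use the guidance in this article together with this illustrated version..." sentence from the image link; without it, Markdown treats the image line as a continuation of the preceding paragraph, so the poster thumbnail may render inline after the sentence rather than on its own line.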
## Windows enrollment+ There are several options for enrolling Windows 10 and Windows 11 devices. The most common methods include these two: -- Microsoft Entra join - Joins the device with Microsoft Entra ID and enables users to sign in to Windows with their Microsoft Entra credentials. If Auto Enrollment is enabled, the device is automatically enrolled in Intune. The benefit of auto enrollment is a single-step process for the user. Otherwise, they'll have to enroll separately through MDM only enrollment and reenter their credentials. Users enroll this way either during initial Windows OOBE or from Settings. The device is marked as a corporate owned device in Intune.-- Autopilot - Automates Microsoft Entra join and enrolls new corporate-owned devices into Intune. This method simplifies the out-of-box experience and removes the need to apply custom operating system images onto the devices. When admins use Intune to manage Autopilot devices, they can manage policies, profiles, apps, and more after they're enrolled. There are four types of Autopilot deployment: Self-Deploying Mode (for kiosks, digital signage, or a shared device), User Driven Mode (for traditional users), Windows Autopilot for pre-provisioned deployment enables partners or IT staff to pre-provision a PC running Windows 10 or Windows 11 so that it is fully configured and business-ready, and Autopilot for existing devices enables you to easily deploy the latest version of Windows to your existing devices.
+- **Microsoft Entra ID join:** Joins the device with Microsoft Entra ID and enables users to sign in to Windows with their Microsoft Entra credentials. If Auto Enrollment is enabled, the device is automatically enrolled in Intune. The benefit of auto enrollment is a single-step process for the user. Otherwise, they'll have to enroll separately through MDM only enrollment and reenter their credentials. Users enroll this way either during initial Windows OOBE or from Settings. The device is marked as a corporate owned device in Intune.
+- **Autopilot:** Automates Microsoft Entra join and enrolls new corporate-owned devices into Intune. This method simplifies the out-of-box experience and removes the need to apply custom operating system images onto the devices. When admins use Intune to manage Autopilot devices, they can manage policies, profiles, apps, and more after they're enrolled. There are four types of Autopilot deployment:
+
+ - Self-Deploying Mode (for kiosks, digital signage, or a shared device)
+
+ - User Driven Mode (for traditional users)
+
+ - Windows Autopilot for pre-provisioned deployment enables partners or IT staff to pre-provision a PC running Windows 10 or Windows 11 so that it's fully configured and business-ready.
+
+ - Autopilot for existing devices enables you to easily deploy the latest version of Windows to your existing devices.
For additional options, including enrolling BYOD Windows devices, see, [Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows). ## iOS and iPadOS enrollment For user owned (BYOD) devices, you can let users enroll their personal devices with Intune using one of the following methods.+ - Device enrollment is what you may think of as typical BYOD enrollment. It provides admins with a wide range of management options. - User enrollment is a more streamlined enrollment process that provides admins with a subset of device management options. This feature is currently in preview. For organizations that buy devices for their users, Intune supports the following iOS/iPadOS company-owned device enrollment methods:+ - Apple's Automated Device Enrollment (ADE) - Apple School Manager - Apple Configurator Setup Assistant enrollment
For organizations that buy devices for their users, Intune supports the followin
For more information, see [Enroll iOS and iPadOS devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados).
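Review bot: the `+- **Microsoft Entra ID join:**` bullet label does not match the next bullet, which says "Automates Microsoft Entra join"; the feature is called Microsoft Entra join, so use that in the label. The four Autopilot sub-bullets also mix two shapes: the first two are name-plus-parenthesis fragments ("Self-Deploying Mode (for kiosks, digital signage, or a shared device)") and the last two are full sentences ("Windows Autopilot for pre-provisioned deployment enables partners or IT staff to pre-provision a PC..."). Make them parallel, for example a bold mode name followed by a one-line description for each, and drop the blank lines between the sub-bullets, which no other list in this article uses.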
-## Android enrollment
+## Android enrollment
-There are several options for Android Enrollment depending on the type of device, the type of enrollment youΓÇÖd like to support, as well as things like the Android version you are using or even the manufacturer (particularly Samsung). Most organizations use Android Work profiles for their end users, particular in BYOD scenarios.
+There are several options for Android Enrollment depending on the type of device, the type of enrollment youΓÇÖd like to support, as well as things like the Android version you're using or even the manufacturer (particularly Samsung). Most organizations use Android Work profiles for their end users, particular in BYOD scenarios.
-With an Android work profile the end userΓÇÖs information is separated distinctly with data containers as well as separate apps for work and personal use. This is an ideal way for users to enroll their device while still maintaining the privacy of their own data and the security of corporate data.
+With an Android work profile, the end userΓÇÖs information is separated distinctly with data containers as well as separate apps for work and personal use. This is an ideal way for users to enroll their device while still maintaining the privacy of their own data and the security of corporate data.
However, if your organization is providing Android devices, you might choose to use what is called a fully managed (User Affinity) or dedicated (no User Affinity) device.
To learn more about Android enrollment, see [Enroll Android devices in Microsoft
## macOS enrollment
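Review bot: `+There are several options for Android Enrollment ... Most organizations use Android Work profiles for their end users, particular in BYOD scenarios.` still has "particular" where "particularly" is meant. The line is already being edited ("you are" to "you're"), so fix the adverb in the same pass; "Android Enrollment" and "Android Work profiles" would also read better in lower case, matching "Android work profile" in the next paragraph.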
-Enrollment for macOS can be a tricky subject for lots of IT organizations. Unless a majority of your users are Mac users than you may not be managing these types of devices to a great extent. If you have a small number of macOS users, we recommend Intune Only Enrollment. If you have a large number of macOS users, we recommend Intune + Jamf enrollment.
-- Intune Only enrollment ΓÇö This is for basic management of macOS devices. It will require a manual process much like most of the other user-based enrollment options. But if you have a small number of Mac devices this may be easier than setting up an entire automated infrastructure just for those few users. With Intune only enrollment you have the ability to deploy things such as certificates, password configurations, and applications. You can also configure compliance policies and enlighten Conditional Access as well as the ability to enforce encryption and device wipe. -- Intune and Jamf enrollment ΓÇö For those looking for the deepest support for Mac management, with Jamf + Intune for Conditional Access, we have a great solution that combines the extensive Mac management capabilities of Jamf with Intune compliance to enable Conditional Access. In this scenario you are still fully managing the device with Jamf while being able to take those signals from Jamf for increased security.
+Enrollment for macOS can be a tricky subject for lots of IT organizations. Unless a majority of your users are Mac users, then you may not be managing these types of devices to a great extent. If you have a small number of macOS users, we recommend Intune Only Enrollment. If you have a large number of macOS users, we recommend Intune + Jamf enrollment.
+
+- **Intune Only enrollment:** This is for basic management of macOS devices. It requires a manual process much like most of the other user-based enrollment options. But if you have a small number of Mac devices this may be easier than setting up an entire automated infrastructure just for those few users. With Intune only enrollment, you have the ability to deploy things such as certificates, password configurations, and applications. You can also configure compliance policies and enlighten Conditional Access as well as the ability to enforce encryption and device wipe.
+- **Intune and Jamf enrollment:** For those looking for the deepest support for Mac management with Jamf + Intune for Conditional Access, Microsoft has a great solution that combines the extensive Mac management capabilities of Jamf with Intune compliance with Conditional Access policies. In this scenario you're still fully managing the device with Jamf while being able to take those signals from Jamf for increased security.
To learn more about macOS enrollment, see [Enroll macOS devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-macos).
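Review bot: `+Enrollment for macOS can be a tricky subject ... Unless a majority of your users are Mac users, then you may not be managing these types of devices to a great extent.` is still ungrammatical after the rewrite ("Unless ..., then ..."); "Unless most of your users are on Macs, you probably aren't managing these devices to any great extent." would do. In the Jamf bullet, `combines the extensive Mac management capabilities of Jamf with Intune compliance with Conditional Access policies` stacks two "with" phrases; "combines Jamf's Mac management capabilities with Intune compliance so that Conditional Access can act on the Jamf signals" states the relationship the bullet's last sentence describes (Jamf manages the device, Intune reports compliance, Conditional Access enforces). "enlighten Conditional Access" in the Intune-only bullet is jargon too; "use device compliance in Conditional Access" is clearer.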
-## Next steps
+## Next step
-Go to Step [3. Set up compliance policies for devices with Intune](manage-devices-with-intune-compliance-policies.md).
+Go to [Step 3. Set up compliance policies for devices with Intune](manage-devices-with-intune-compliance-policies.md).
solutions Manage Devices With Intune Monitor Risk https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-monitor-risk.md
Title: "Step 6. Monitor device risk and compliance to security baselines"
+ Title: "Step 6. Monitor device risk and compliance for security baselines"
+description: Learn how to connect Microsoft Intune to Defender for Endpoint and monitor device risk as a condition for access.
f1.keywords:
- monitor device compliance - deploy security baselines Previously updated : 10/20/2021 Last updated : 04/16/2024 audience: ITPro
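Review bot: the retitle `+ Title: "Step 6. Monitor device risk and compliance for security baselines"` trades one awkward preposition for another; a device is compliant with a baseline, so "compliance with security baselines" reads naturally and should be used consistently in the H1 (`+# Step 6. ...`), the `+- Monitor compliance for security baselines` bullet further down, and the links to this article from the configuration profiles article. The added front-matter line also shows a space before `Title:`; if that space is in the file rather than a rendering artifact, the YAML key will not be parsed, since front-matter keys must start at column 1.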
-description: Learn how to connect Microsoft Intune to Defender for Endpoint and monitor device risk as a condition for access.
ms.localizationpriority: high
keywords:
-# Step 6. Monitor device risk and compliance to security baselines
-
-After your organization has deployed Microsoft Defender for Endpoint, you can gain greater insights and protection of your devices by integrating Microsoft Intune with Defender for Endpoint. For mobile devices, this includes the ability to monitor device risk as a condition for access. For Windows devices, you can monitor compliance of these devices to security baselines.
+# Step 6. Monitor device risk and compliance for security baselines
-Deploying Microsoft Defender for Endpoint includes onboarding endpoints. If you used Intune to onboard endpoints (recommended), then you have already connected Microsoft Intune to Defender for Endpoint. If you used a different method to onboard endpoints to Defender for Endpoint, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure) to ensure you have set up the service-to-service connection between Intune and Microsoft Defender for Endpoint.
+After your organization deploys Microsoft Defender for Endpoint, you can gain greater insights and protection of your devices by integrating Microsoft Intune with Defender for Endpoint. For mobile devices, this includes the ability to monitor device risk as a condition for access. For Windows devices, you can monitor compliance of these devices to security baselines.
+Deploying Microsoft Defender for Endpoint includes onboarding endpoints. If you used Intune to onboard endpoints (recommended), then you've connected Microsoft Intune to Defender for Endpoint. If you used a different method to onboard endpoints to Defender for Endpoint, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure) to ensure you set up the service-to-service connection between Intune and Microsoft Defender for Endpoint.
-![Defender for Endpoint and Microsoft Intune integration illustration](../media/devices/devices-defender-for-endpoint-steps.png#lightbox)
In this illustration:-- Microsoft Defender for Endpoint greatly increases the sophistication of threat protection for devices. -- While Microsoft Intune allows you to set App Protection Policies and manage devices (including configuration changes), Defender for Endpoint continuously monitors your devices for threats, and can take automated action to remediate attacks. -- You can use Intune to onboard devices to Defender for Endpoint. When you do this, you're also enabling these devices to work with Microsoft Purview Endpoint data loss prevention (Endpoint DLP).+
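Review bot: `-![Defender for Endpoint and Microsoft Intune integration illustration](../media/devices/devices-defender-for-endpoint-steps.png#lightbox)` removes the figure, but the unchanged line that follows still opens the bullet list with "In this illustration:". Replace that lead-in (for example "The integration works as follows:") or keep the image; as committed, the bullets describe a picture the reader can no longer see.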
+- Microsoft Defender for Endpoint greatly increases the sophistication of threat protection for devices.
+- Microsoft Intune allows you to set App Protection Policies and manage devices (including configuration changes). Defender for Endpoint continuously monitors your devices for threats, and can take automated action to remediate attacks.
+- You can use Intune to onboard devices to Defender for Endpoint, which enables these devices to work with Microsoft Purview Endpoint Data Loss Prevention (DLP).
This article includes these steps:+ - Monitor device risk-- Monitor compliance to security baselines
+- Monitor compliance for security baselines
If Defender for Endpoint hasnΓÇÖt already been set up, work with your threat protection admin to [set up the evaluation and pilot environment](../security/defender/eval-defender-endpoint-overview.md). You can work with the pilot group to try out the capabilities in this article. ## Monitor device risk as a condition for access
-With Microsoft Defender for Endpoint deployed, you can take advantage of threat risk signals. This allows you to block access to devices based on their risk score. Microsoft recommends allowing access to devices with a risk score of medium or below.
+With Microsoft Defender for Endpoint deployed, you can take advantage of threat risk signals. This allows you to block access to devices based on their risk score. Microsoft recommends allowing access to devices with a risk score of medium or lower.
-For Android and iOS/iPadOS, threat signals can be used within your App Protection Policies (APP). For information on configuring this, see [Create and assign app protection policy to set device risk level](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level).
+For Android and iOS/iPadOS, threat signals can be used within your App Protection Policies (APP). For more information, see [Create and assign app protection policy to set device risk level](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level).
-For all platforms, you can set the risk level in the existing device compliance policies. See [Create a conditional access policy](/mem/intune/protect/advanced-threat-protection-configure#create-a-conditional-access-policy).
+For all platforms, you can set the risk level in the existing device compliance policies. For more information, see [Create a Conditional Access policy](/mem/intune/protect/advanced-threat-protection-configure#create-a-conditional-access-policy).
-## Deploy security baselines and monitor compliance to these settings
+## Deploy security baselines and monitor compliance for these settings
Applies to: Windows 10, Windows 11
-The article, [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md), recommends getting started with configuration profiles by using the security baselines, available for Windows 10 and Windows 11. Microsoft Defender for Endpoint also includes security baselines that provide settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR). These are also deployed by using Microsoft Intune.
+The [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md) article recommends getting started with configuration profiles by using the security baselines, available for Windows 10 and Windows 11. Microsoft Defender for Endpoint also includes security baselines that provide settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR). These are also deployed by using Microsoft Intune.
Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they're released.
-Using Defender for Endpoint, you can monitor compliance to these baselines.
-
-![The card for monitoring compliance to security baselines](../media/devices/secconmgmt-baseline-card.png#lightbox)
+Using Defender for Endpoint, you can monitor compliance for these baselines.
-To deploy security baselines and monitor compliance to these settings, use the steps in this table.
+To deploy security baselines and monitor compliance for these settings, use the steps in this table.
|Step |Description | |||
-|1 |Review key concepts and compare the Microsoft Defender for Endpoint and the Windows Intune security baselines. <br><br>See [Increase compliance to the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md) to learn recommendations.<br><br>See [Use security baselines to configure Windows devices in Intune ](/mem/intune/protect/security-baselines) to review the list of available security baselines and how to avoid conflicts. |
-|2 | Deploy Windows security baseline settings for Intune. You might have already accomplished this if you followed the guidance in [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md). |
-|3 | Deploy Defender for Endpoint baseline settings for Intune. See [Manage security baseline profiles in Microsoft Intune](/mem/intune/protect/security-baselines-configure) to create the profile and choose the baseline version.<br><br>You can also follow the instructions here: [Review and assign the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline). |
-|4 | In Defender for Endpoint, review the [Security baseline card on device configuration management](../security/defender-endpoint/configure-machines.md). |
+|1 |Review key concepts and compare the Microsoft Defender for Endpoint and the Windows Intune security baselines. <br><br> See [Increase compliance to the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md) to learn recommendations. <br><br> See [Use security baselines to configure Windows devices in Intune](/mem/intune/protect/security-baselines) to review the list of available security baselines and how to avoid conflicts. |
+|2 | Deploy Windows security baseline settings for Intune. If you haven't, see the guidance in [Step 5. Deploy configuration profiles](manage-devices-with-intune-configuration-profiles.md). |
+|3 | Deploy Defender for Endpoint baseline settings for Intune. See [Manage security baseline profiles in Microsoft Intune](/mem/intune/protect/security-baselines-configure) to create the profile and choose the baseline version. <br><br> You can also follow the instructions here: [Review and assign the Microsoft Defender for Endpoint security baseline](../security/defender-endpoint/configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline). |
+|4 | In Defender for Endpoint, review the [Security baseline card on device configuration management](../security/defender-endpoint/configure-machines.md). |
+## Next step
-## Next steps
Go to [Step 7. Implement DLP with information protection capabilities on endpoints](manage-devices-with-intune-dlp-mip.md).
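Review bot: removing the image at `-![Defender for Endpoint and Microsoft Intune integration illustration](../media/devices/devices-defender-for-endpoint-steps.png#lightbox)` leaves the unchanged lead-in "In this illustration:" referring to nothing, so the three bullets that follow need a new introduction such as "With this integration:" or none at all. Two smaller points in the same file: the App Protection link text reads "Create and assign app protection policy to set device risk level" while its fragment is `#create-and-assign-compliance-policy-to-set-device-risk-level`, so check that the anchor resolves to the intended heading; and the rewording to "monitor compliance for these baselines" / "compliance for these settings" should be "compliance with", which is the wording this same change uses in the overview table ("Monitor device risk and compliance with security baselines"). In table step 2, "If you haven't, see the guidance" should say what hasn't been done, for example "If you haven't deployed them yet".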
solutions Manage Devices With Intune Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-overview.md
f1.keywords:
- zero trust deployment stack - device management with zero trust Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Enroll your endpoint devices in Microsoft Intune as part of your Zero Trust security architecture, protecting against ransomware while building in protection for remote workers.
Watch this video for an overview of the deployment process.
<br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y4fC] - ## Why manage endpoints? The modern enterprise has an incredible diversity of endpoints accessing their data. This setup creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.
-Mostly driven by necessity as the world shifted to a remote or hybrid work model, users are working from anywhere, from any device, more than anytime in history. Attackers are quickly adjusting their tactics to take advantage of this change. Many organizations face constrained resources as they navigate these new business challenges. Virtually overnight, companies have accelerated digital transformation. Simply stated, the way people work has changed ΓÇö we no longer expect to access the myriad of corporate resources only from the office and on company-owned devices.
+Mostly driven by necessity as the world shifted to a remote or hybrid work model, users are working from anywhere, from any device, more than anytime in history. Attackers are quickly adjusting their tactics to take advantage of this change. Many organizations face constrained resources as they navigate these new business challenges. Virtually overnight, companies have accelerated digital transformation. Simply stated, the way people work has changed. We no longer expect to access the myriad of corporate resources only from the office and on company-owned devices.
-Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attack while mobile devices often go unmonitored and without protections. To ensure youΓÇÖre not exposing your data to risk, we need to monitor every endpoint for risks and employ granular access controls to deliver the appropriate level of access based on organizational policy. For example, if a personal device is jailbroken, you can block access to ensure that enterprise applications are not exposed to known vulnerabilities.
+Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attack while mobile devices often go unmonitored and without protections. To ensure youΓÇÖre not exposing your data to risk, we need to monitor every endpoint for risks and employ granular access controls to deliver the appropriate level of access based on organizational policy. For example, if a personal device is jailbroken, you can block access to ensure that enterprise applications aren't exposed to known vulnerabilities.
This series of articles walks through a recommended process for managing devices that access your resources. If you follow the recommended steps, your organization will achieve very sophisticated protection for your devices and the resources they access. ## Implementing the layers of protection on and for devices
-Protecting the data and apps on devices and the devices themselves is a multi-layer process. There are some protections you can gain on unmanaged devices. After enrolling devices into management, you can implement more sophisticated controls. When threat protection is deployed across your endpoints, you gain even more insights and the ability to automatically remediate some attacks. Finally, if your organization has put the work into identifying sensitive data, applying classification and labels, and configuring Microsoft Purview data loss prevention policies, you can obtain even more granular protection for data on your endpoints.
+Protecting the data and apps on devices and the devices themselves is a multi-layer process. There are some protections you can gain on unmanaged devices. After enrolling devices into management, you can implement more sophisticated controls. When threat protection is deployed across your endpoints, you gain even more insights and the ability to automatically remediate some attacks. Finally, if your organization has put the work into identifying sensitive data, applying classification and labels, and configuring Microsoft Purview Data Loss Prevention policies, you can obtain even more granular protection for data on your endpoints.
-The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. These are the layers of protection device admins will coordinate with other administrators to accomplish.
+The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. Device admins will coordinate with other administrators to accomplish these layers of protection.
-![Microsoft 365 Zero Trust deployment stack](../media/devices/m365-zero-trust-deployment-stack-devices.png#lightbox)
In this illustration:
-|&nbsp;|Step|Description|Licensing requirements|
+|&nbsp;| Step | Description | Licensing requirements |
|||||
-|1|Configure starting-point Zero Trust identity and device access policies|Work with your identity administrator to [**Implement Level 2 App Protection Policies (APP) data protection**](manage-devices-with-intune-app-protection.md). These policies do not require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps.|E3, E5, F1, F3, F5|
+|1|Configure starting-point Zero Trust identity and device access policies|Work with your identity administrator to [**Implement Level 2 App Protection Policies (APP) data protection**](manage-devices-with-intune-app-protection.md). These policies don't require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps.|E3, E5, F1, F3, F5|
|2|Enroll devices to Intune|This task requires more planning and time to implement. Microsoft recommends using Intune to enroll devices because this tool provides optimal integration. There are several options for enrolling devices, depending on the platform. For example, Windows devices can be enrolled by using Microsoft Entra join or by using Autopilot. You need to review the options for each platform and decide which enrollment option is best for your environment. See [**Step 2. Enroll devices to Intune**](manage-devices-with-intune-enroll.md) for more information.|E3, E5, F1, F3, F5| |3|Configure compliance policies|You want to be sure devices that are accessing your apps and data meet minimum requirements, for example devices are password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. [**Step 3. Set up compliance policies**](manage-devices-with-intune-compliance-policies.md) helps you configure these policies.|E3, E5, F3, F5| |4|Configure Enterprise (recommended) Zero Trust identity and device access policies|Now that your devices are enrolled, you can work with your identity admin to [**tune Conditional Access policies to require healthy and compliant devices**](manage-devices-with-intune-require-compliance.md).|E3, E5, F3, F5| |5|Deploy configuration profiles|As opposed to device compliance policies that simply mark a device as compliant or not based on criteria you configure, configuration profiles actually change the configuration of settings on a device. You can use configuration policies to harden devices against cyberthreats. See [**Step 5. Deploy configuration profiles**](manage-devices-with-intune-configuration-profiles.md).|E3, E5, F3, F5|
-|6|Monitor device risk and compliance with security baselines|In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance with security baselines. See [**Step 6. Monitor device risk and compliance to security baselines**](manage-devices-with-intune-monitor-risk.md).|E5, F5|
+|6|Monitor device risk and compliance with security baselines|In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state are blocked. You can also monitor compliance with security baselines. See [**Step 6. Monitor device risk and compliance to security baselines**](manage-devices-with-intune-monitor-risk.md).|E5, F5|
|7|Implement data loss prevention (DLP) with information protection capabilities|If your organization has put the work into identifying sensitive data and labeling documents, you can work with your information protection admin to [**protect sensitive information and documents on your devices**](manage-devices-with-intune-dlp-mip.md).|E5, F5 compliance add-on| ## Coordinating endpoint management with Zero Trust identity and device access policies
-This guidance is tightly coordinated with the recommended [**Zero Trust identity and device access policies**](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). You will be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Microsoft Entra ID.
+This guidance is tightly coordinated with the recommended [**Zero Trust identity and device access policies**](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md). You'll be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Microsoft Entra ID.
-HereΓÇÖs an illustration of the recommended policy set with step callouts for the work you will do in Intune and the related Conditional Access policies you will help coordinate in Microsoft Entra ID.
+HereΓÇÖs an illustration of the recommended policy set with step callouts for the work you'll do in Intune and the related Conditional Access policies you'll help coordinate in Microsoft Entra ID.
-[![Zero Trust identity and device access policies](../media/devices/identity-device-overview-steps.png#lightbox)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-overview-steps.png)
In this illustration:
In this illustration:
## Enrolling devices vs. onboarding devices
-If you follow this guidance, you will enroll devices into management using Intune and you will onboard devices for the following Microsoft 365 capabilities:
+If you follow this guidance, you'll enroll devices into management using Intune and you'll onboard devices for the following Microsoft 365 capabilities:
- Microsoft Defender for Endpoint - Microsoft Purview (for endpoint data loss prevention (DLP)) The following illustration details how this works using Intune.
-![Process for enrolling and onboarding devices](../media/devices/devices-enroll-onboard-process.png#lightbox)
In the illustration:
Note that only Intune is managing devices. Onboarding refers to the ability for
| &nbsp; |Enroll |Onboard | ||||
-|Description | Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager. | Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities. <br><br>On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device. |
+|Description | Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager. | Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities. <br><br> On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device. |
|Scope | These device management tools manage the entire device, including configuring the device to meet specific objectives, like security. |Onboarding only affects the services that apply. |
-|Recommended method | Microsoft Entra join automatically enrolls devices into Intune. | Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft Purview capabilities.<br><br>Note that devices that are onboarded to Microsoft Purview capabilities using other methods are not automatically enrolled for Defender for Endpoint. |
-|Other methods | Other methods of enrollment depend on the platform of the device and whether it is BYOD or managed by your organization. | Other methods for onboarding devices include, in recommended order:<br><li>Configuration Manager<li>Other mobile device management tool (if the device is managed by one)<li>Local script<li>VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices<li>Group Policy|
-| | | |
-
+|Recommended method | Microsoft Entra join automatically enrolls devices into Intune. | Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft Purview capabilities. <br><br> Note that devices that are onboarded to Microsoft Purview capabilities using other methods aren't automatically enrolled for Defender for Endpoint. |
+|Other methods | Other methods of enrollment depend on the platform of the device and whether it's BYOD or managed by your organization. | Other methods for onboarding devices include, in recommended order: <br><li> Configuration Manager <li> Other mobile device management tool (if the device is managed by one) <li> Local script <li> VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices <li> Group Policy|
## Learning for administrators The following resources help administrators learn concepts about using Intune.
-[Simplify device management with Microsoft Intune](/training/modules/simplify-device-management-with-microsoft-endpoint-manager/)
-Description: Learn about modern management and the Microsoft Intune family of products, and how the business management tools in Microsoft 365 can simplify management of all your devices.
+- [Simplify device management with Microsoft Intune](/training/modules/simplify-device-management-with-microsoft-endpoint-manager/) training module
+
+ Learn about how the business management solutions through Microsoft 365 provide people with a secure, personalized desktop experience and help organizations easily manage updates for all devices with a simplified admin experience.
+
+- [Evaluate Microsoft Intune](/training/modules/set-up-microsoft-intune/)
+
+ Microsoft Intune helps you protect the devices, apps, and data that the people at your organization use to be productive. This article tells you how to set up Microsoft Intune. Setup includes reviewing the supported configurations, signing up for Intune, adding users and groups, assigning licenses to users, granting admin permissions, and setting the Mobile Device Management (MDM) authority.
+
+## Next step
-[Set up Microsoft Intune](/training/modules/set-up-microsoft-intune/)
-Description: Microsoft Intune helps you protect the devices, apps, and data that the people at your organization use to be productive. After completing this module, you will have set up Microsoft Intune. Set up includes reviewing the supported configurations, signing up for Intune, adding users and groups, assigning licenses to users, granting admin permissions, and setting the MDM authority.
+Go to [Step 1. Implement App Protection Policies](manage-devices-with-intune-app-protection.md).
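Review bot: the three removed images `-![Microsoft 365 Zero Trust deployment stack](...)`, `-[![Zero Trust identity and device access policies](...)]` and `-![Process for enrolling and onboarding devices](...)` each leave their unchanged lead-in behind ("In this illustration:", twice in a row in the second case, and "In the illustration:"), so the page now announces figures that are not there; drop or rewrite those lines together with the images. In the enrollment table, the kept row still says "Windows Defender for Endpoint" where the rest of the change uses "Microsoft Defender for Endpoint", and "aren't automatically enrolled for Defender for Endpoint" should read "onboarded to", since the table itself defines enrollment as Intune management and onboarding as connecting a device to Defender for Endpoint. In the overview table, "Devices that are found to be in a risky state are blocked" is unconditional; blocking happens only for devices above the risk level you set in the compliance policy and only when a Conditional Access policy requires compliance, which the linked step article describes (allow medium or lower), so "can be blocked, depending on the risk level you set" would be accurate. In the learning list, the renamed link "Evaluate Microsoft Intune" still points at `/training/modules/set-up-microsoft-intune/` and its blurb starts "This article tells you how to set up", so either keep the original title "Set up Microsoft Intune" or confirm the module was renamed, and call it a module rather than an article.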
solutions Manage Devices With Intune Require Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-require-compliance.md
f1.keywords:
- Microsoft Intune - Intune device management Previously updated : 10/20/2021 Last updated : 04/17/2024 audience: ITPro description: Create a conditional access policy in Microsoft Entra ID to require compliant devices, keeping corporate data secure when users work from any device in any location.
Conditional Access provides additional verification of device status prior to al
After setting up device compliance policies and assigning these to user groups, Intune lets Microsoft Entra ID know if a device is compliant or not. To use this status as a condition for access, you must work with your Microsoft Entra administrator to create a Conditional Access rule to require compliant PCs and mobile devices. -
-![Steps for managing devices](../medim-step-3.png#lightbox)
The recommended Zero Trust identity and device access rule set includes this rule. See [Require compliant PCs and mobile devices](../security/office-365-security/zero-trust-identity-device-access-policies-common.md#require-compliant-pcs-and-mobile-devices), as illustrated below. -
-[![Zero Trust identity and device access policies](../media/devices/identity-device-require-compliance.png#lightbox)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/devices/identity-device-require-compliance.png)
-- Be sure to:+ - Coordinate the user groups you assigned to your compliance policies with the user groups assigned to the Conditional Access policy. - Test out your Conditional Access policies using the What If and Audit Mode capabilities before fully assigning the Conditional Access policy. This helps you understand the results of the policy. - Set a grace period in line with the confidentiality of the data and/or app being accessed.
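Review bot: removing `-[![Zero Trust identity and device access policies](../media/devices/identity-device-require-compliance.png#lightbox)]` leaves the preceding sentence ending "as illustrated below." with nothing below it; end the sentence at the link instead. The other removed image path, `../medim-step-3.png`, looks truncated rather than like a real path under `../media/devices/`, so it was probably already broken; removing it is fine, but worth confirming no other page still references the correct image. Also, the front-matter description says "Create a conditional access policy" while the body and the rest of this change capitalize "Conditional Access".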
syntex Esignature Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-troubleshoot.md
description: Learn how to troubleshoot issues with sending, receiving, or viewin
## Unable to create a request
-If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. Refer to the [setup page](/microsoft-365/syntex/esignature-setup) to ensure the correct settings are done. Also, check that the PDF you are attempting to sign isn't already electronically signed using SharePoint eSignature or any other electronic signature provider.
+If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. Refer to the [setup page](/microsoft-365/syntex/esignature-setup) to ensure the correct settings are done. Also, check that the PDF you're attempting to sign isn't already electronically signed using SharePoint eSignature or any other electronic signature provider.
> [!NOTE] > New eSignature requests can't be started from documents that have been previously signed. You need to choose another document to create the request.
Get-SPOSite -Limit All | Select-Object Url, SharingCapability
### Conditional access policies
-Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) is able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation is unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the eSignature app to the list of approved apps via the Microsoft Entra admin center.
+Certain [conditional access](/entra/identity/conditional-access/overview) policies might determine whether an external recipient (signers outside of your organization or Microsoft 365 tenant) is able sign a document. When this happens, the external signers might not be able to access the document for signing. In some other cases, they might be able to access the document for signing but the signing operation is unsuccessful. One common way to resolve this is to contact your IT admin who will be able to add the SharePoint eSignature app to the list of approved apps via the Microsoft Entra admin center.
+
+In some cases, the admin might need to add the SharePoint eSignature app to the **Excluded Apps** list in the **Conditional Access policy** > **Target resources** section so that the policy doesn't apply to the SharePoint eSignature app. The admin can verify the changes using the WhatIf tool with the policy.
## Unable to find the request emails
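Review bot: the new paragraph that tells admins to add the SharePoint eSignature app to the **Excluded Apps** list under **Target resources** should say what that exclusion does: sign-ins to that app are no longer evaluated by the policy at all, so every control the policy enforces (multifactor authentication, compliant device, sign-in risk, and so on) stops applying to eSignature for everyone the policy targets, not only external signers. Suggest adding a sentence that the exclusion belongs only in the specific policy that is blocking external signers, identified first with the What If tool, and that it should be recorded and reviewed like any other Conditional Access exception. Smaller points in the same hunk: "WhatIf" should be "What If", the name used for the tool in the require-compliance article in this same change, and the kept sentence "is able sign a document" is missing "to".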