Updates from: 04/19/2022 07:31:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin Create A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/create-a-shared-mailbox.md
Before creating a shared mailbox, be sure to read [About shared mailboxes](about
::: moniker-end
-3. On the **Shared mailboxes** page, select **+ Add a shared mailbox**. Enter a name for the shared mailbox. The chooses the email address, but you can edit it if needed.
+3. On the **Shared mailboxes** page, select **+ Add a shared mailbox**. Enter a name for the shared mailbox. This chooses the email address, but you can edit it if needed.
![Name your shared mailbox.](../../media/e3035132-8986-4ec7-b7c0-f2752080d2c0.png)
You can use the following permissions with a shared mailbox:
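Review bot: "This chooses the email address" in the new step 3 still leaves "This" without a clear referent; the removed wording had the same gap. Consider "The name you enter is used to generate the email address, but you can edit it if needed."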
### Use the EAC to edit shared mailbox delegation
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>, go to **Recipients** \> **Shared**. Select the shared mailbox, and then select **Edit** ![Edit icon.](../../media/ITPro-EAC-EditIcon.png).
+1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>, go to **Recipients** \> **Mailboxes**. Select the shared mailbox, and then select **Edit** ![Edit icon.](../../media/ITPro-EAC-EditIcon.png).
-2. Select **Mailbox delegation**.
+2. Under **Mailbox permissions**, select **Manage mailbox delegation**.
3. To grant or remove Full Access and Send As permissions, select **Add** ![Add Icon.](../../media/ITPro-EAC-AddIcon.png) or **Remove** ![Remove icon](../../media/ITPro-EAC-RemoveIcon.gif) and then select the users you want to grant permissions to.
compliance Change The Hold Duration For An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/change-the-hold-duration-for-an-inactive-mailbox.md
Once the search is created, you will start the search using the following comman
Start-ComplianceSearch "MeganB Inactive Mailbox HR-Content Label Search" ```
-Using this method, you can then identify which labels from the identified label policy apply to content within the inactive mailbox so that you can modify their retention periods. Be aware that retention labels are typically applied to more than one location, so modifying a label will affect all applied locations and labeled content, which may also include locations and content other than Exchange. For more information, see [Create retention labels and apply them in apps](create-apply-retention-labels.md).
+Using this method, you can then identify which labels from the identified label policy apply to content within the inactive mailbox so that you can modify their retention periods. Be aware that retention labels are typically applied to more than one location, so modifying a label will affect all applied locations and labeled content, which may also include locations and content other than Exchange. For more information, see [Publish retention labels and apply them in apps](create-apply-retention-labels.md).
> [!NOTE] > Not all types of retention labels can be modified. For some labels, you may only be able to increase the time of retention, and for others you may not be able to modify the retention period at all.
compliance Declare Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/declare-records.md
Using this retention label, you can now apply it to SharePoint or OneDrive docum
For full instructions: -- [Create retention labels and apply them in apps](create-apply-retention-labels.md)
+- [Publish retention labels and apply them in apps](create-apply-retention-labels.md)
- [Apply a retention label to content automatically](apply-retention-labels-automatically.md) (not supported for regulatory records)
compliance Get Started With Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-records-management.md
Ready to start managing your organization's high-value content for legal, busine
4. **Publish and apply your retention labels**. Retention labels are reusable building blocks that can be used in multiple policies and can be incorporated into user workflows:
- - [Create retention labels and apply them in apps](create-apply-retention-labels.md)
+ - [Publish retention labels and apply them in apps](create-apply-retention-labels.md)
- [Apply a retention label to content automatically](apply-retention-labels-automatically.md) Independently from these steps, **Use connectors to import and archive third-party-data** that includes data from social media platforms, instant messaging platforms, and document collaboration platforms. When this data is imported to online mailboxes, it supports not just records management from Microsoft 365 Compliance, but also other compliance solutions such as communication compliance, insider risk management, and eDiscovery. For more information, see [Learn about connectors for third-party data](archiving-third-party-data.md).
Use the following table to help you map your business requirements to the scenar
|-|| |Declare a record |[Declare records by using retention labels](declare-records.md)| |Update a record |[Use record versioning to update records stored in SharePoint or OneDrive](record-versioning.md)|
-|Let admins and users manually apply retain and delete actions for documents and emails: <br />- SharePoint <br />- OneDrive <br />- Outlook and Outlook on the web|[Create retention labels and apply them in apps](create-apply-retention-labels.md)|
-|Let site admins set default retain and delete actions for all content in a SharePoint library, folder, or document set|[Create retention labels and apply them in apps](create-apply-retention-labels.md)|
-|Let users automatically apply retain and delete actions to emails by using Outlook rules|[Create retention labels and apply them in apps](create-apply-retention-labels.md)|
-|Let admins apply retain and delete actions to a document understanding model, so that these are automatically applied to identified documents in a SharePoint library|[Create retention labels and apply them in apps](create-apply-retention-labels.md)|
+|Let admins and users manually apply retain and delete actions for documents and emails: <br />- SharePoint <br />- OneDrive <br />- Outlook and Outlook on the web|[Publish retention labels and apply them in apps](create-apply-retention-labels.md)|
+|Let site admins set default retain and delete actions for all content in a SharePoint library, folder, or document set|[Publish retention labels and apply them in apps](create-apply-retention-labels.md)|
+|Let users automatically apply retain and delete actions to emails by using Outlook rules|[Publish retention labels and apply them in apps](create-apply-retention-labels.md)|
+|Let admins apply retain and delete actions to a document understanding model, so that these are automatically applied to identified documents in a SharePoint library|[Publish retention labels and apply them in apps](create-apply-retention-labels.md)|
|Automatically apply retain and delete actions to documents and emails |[Apply a retention label to content automatically](apply-retention-labels-automatically.md)| |Start the retention period when an event occurs, such as: <br />- Employees leave the organization <br />- Contracts expire <br />- End of product lifetime| [Start retention when an event occurs](event-driven-retention.md)| |Restrict changes to policies to help meet regulatory requirements or safeguard against rogue administrators| [Use Preservation Lock to restrict changes to retention policies and retention label policies](retention-preservation-lock.md)
compliance Retention Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-exchange.md
If you're new to configuring retention in Microsoft 365, see [Get started with i
If you're ready to configure a retention policy or retention label for Exchange, see the following instructions: - [Create and configure retention policies](create-retention-policies.md)-- [Create retention labels and apply them in apps](create-apply-retention-labels.md)
+- [Publish retention labels and apply them in apps](create-apply-retention-labels.md)
- [Apply a retention label to content automatically](apply-retention-labels-automatically.md)
compliance Retention Policies Sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-sharepoint.md
If you're new to configuring retention in Microsoft 365, see [Get started with i
If you're ready to configure a retention policy or retention label for Exchange, see the following instructions: - [Create and configure retention policies](create-retention-policies.md)-- [Create retention labels and apply them in apps](create-apply-retention-labels.md)
+- [Publish retention labels and apply them in apps](create-apply-retention-labels.md)
- [Apply a retention label to content automatically](apply-retention-labels-automatically.md)
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
Many settings for retention are common to both retention policies and retention
For the scenarios that support these policies for retention, see: - [Create and configure retention policies](create-retention-policies.md).-- [Create retention labels and apply them in apps](create-apply-retention-labels.md)
+- [Publish retention labels and apply them in apps](create-apply-retention-labels.md)
- [Apply a retention label to content automatically](apply-retention-labels-automatically.md) Settings that are specific to each scenario are explained in their respective documentation.
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
In addition to using [sensitivity labels](sensitivity-labels.md) to classify and
- Access from unmanaged devices - Authentication contexts (in preview) - Default sharing link for a SharePoint site (PowerShell-only configuration)
+- In preview: Site sharing settings (PowerShell-only configuration)
> [!IMPORTANT] > The settings for unmanaged devices and authentication contexts work in conjunction with Azure Active Directory Conditional Access. You must configure this dependent feature if you want to use a sensitivity label for these settings. Additional information is included in the instructions that follow.
After sensitivity labels are enabled for containers as described in the previous
- You choose an authentication context that is configured to require [multifactor authentication (MFA)](/azure/active-directory/conditional-access/untrusted-networks). This label is then applied to a SharePoint site that contains highly confidential items. As a result, when users from an untrusted network attempt to access a document in this site, they see the MFA prompt that they must complete before they can access the document.
- - You choose an authentication context that is configured for [terms of use (ToU) policies](/azure/active-directory/conditional-access/terms-of-use). This label is then applied to a SharePoint site that contains items that require a terms of use acceptance for legal or compliance reasons. As a result, when users attempt to access a document in this site, they see a terms of use document that they must accept before they can access the original document.
+ - You choose an authentication context that is configured for [terms-of-use (ToU) policies](/azure/active-directory/conditional-access/terms-of-use). This label is then applied to a SharePoint site that contains items that require a terms-of-use acceptance for legal or compliance reasons. As a result, when users attempt to access a document in this site, they see a terms-of-use document that they must accept before they can access the original document.
> [!IMPORTANT] > Only these site and group settings take effect when you apply the label to a team, group, or site. If the [label's scope](sensitivity-labels.md#label-scopes) includes files and emails, other label settings such as encryption and content marking aren't applied to the content within the team, group, or site.
In addition to the label settings for sites and groups that you can configure fr
For more information and instructions, see [Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive](sensitivity-labels-default-sharing-link.md).
+### Configure site sharing permissions by using PowerShell advanced settings
+
+> [!NOTE]
+> This label setting is currently in preview.
+
+Another PowerShell advanced setting that you can configure for the sensitivity label to be applied to a SharePoint site is **MembersCanShare**. This setting is the equivalent configuration that you can set from the SharePoint admin center > **Site permissions** > **Site Sharing** > **Change how members can share** > **Sharing permissions**.
+
+The three options are listed with the equivalent values for the PowerShell advanced setting **MembersCanShare**:
+
+|Option from the SharePoint admin center |Equivalent PowerShell value for MembersCanShare |
+|-||
+|**Site owners and members can share files, folders, and the site. People with Edit permissions can share files and folders.**| MemberShareAll|
+|**Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site.**|MemberShareFileAndFolder|
+|**Only site owners can share files, folders, and the site.**|MemberShareNone|
+
+For more information about these configuration options, see [Change how members can share](/microsoft-365/community/sharepoint-security-a-team-effort#change-how-members-can-share) from the SharePoint community documentation.
+
+Example, where the sensitivity label GUID is **8faca7b8-8d20-48a3-8ea2-0f96310a848e**:
+
+````powershell
+Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{MembersCanShare="MemberShareNone"}
+````
+
+For more help in specifying PowerShell advanced settings, see [PowerShell tips for specifying the advanced settings](sensitivity-labels-default-sharing-link.md#powershell-tips-for-specifying-the-advanced-settings).
+ ## Sensitivity label management Use the following guidance for when you create, modify, or delete sensitivity labels that are configured for sites and groups.
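Review bot: The new MembersCanShare section never says which of the three values applies when the advanced setting is not set, nor whether the label setting overrides a value an owner has already chosen from the SharePoint admin center under Site Sharing, which matters because the example sets the most restrictive value (MemberShareNone) and a reader will want to know what happens on sites that already have MemberShareAll. Add a sentence on default and precedence, and consider noting what the site reverts to if the label is removed, since the rest of the article covers label removal under Sensitivity label management.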
contentunderstanding Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/form-processing-overview.md
Form processing supports documents in more than 73 languages. For the list of la
When setting up SharePoint Syntex in a [Microsoft 365 Multi-Geo environment](../enterprise/microsoft-365-multi-geo.md), you can only configure it to use form processing in the central location. If you want to use form processing in a satellite location, contact Microsoft support. -----
-## See Also
+## See also
[Power Automate documentation](/power-automate/)
contentunderstanding Learn About Document Understanding Models Through The Sample Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/learn-about-document-understanding-models-through-the-sample-model.md
You can not only look through analyze the sample model to get a better understan
You can access the [SharePoint Syntex Samples repository](https://github.com/pnp/syntex-samples), which contains community samples that demonstrate different usage patterns of document understanding models. The samples in this repository contain both the document understanding model files and the files used to train the model. Once imported, you can use these models to process files and to view and edit the classifier and extractors.
-## See Also
+## See also
[Create a classifier](create-a-classifier.md) [Create an extractor](create-an-extractor.md)
contentunderstanding Model Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-discovery.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how to make trained models available to others and how to apply other trained models in Microsoft SharePoint Syntex.
+description: Learn how to make trained models available to other users and how to apply other trained models in Microsoft SharePoint Syntex.
# Publish and discover models in Microsoft SharePoint Syntex
contentunderstanding Model Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-usage-analytics.md
Each model in the model usage list will show the usage data:
-## See Also
+## See also
[Create a classifier](create-a-classifier.md) [Create an extractor](create-an-extractor.md)
contentunderstanding Prebuilt Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/prebuilt-overview.md
Note the following differences about Microsoft Office text-based files and OCR-s
- Applying more than one custom form processing model to a library is not supported.
-## See Also
+## See also
[Use a prebuilt model to extract info from invoices or receipts](prebuilt-overview.md)
contentunderstanding Rename A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-a-model.md
Follow these steps to rename a document understanding model.
5. Select **Rename**.
-## See Also
+## See also
[Create a classifier](create-a-classifier.md) [Create an extractor](create-an-extractor.md)
contentunderstanding Rename An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-an-extractor.md
Follow these steps to rename an entity extractor.
5. Select **Rename**.
-## See Also
+## See also
[Create an extractor](create-an-extractor.md) [Create a classifier](create-a-classifier.md)
enterprise Additional Office365 Ip Addresses And Urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls.md
Apart from DNS, these instances are all optional for most customers unless you n
|21|**Microsoft Stream** (needs the Azure AD user token). <br> Office 365 Worldwide (including GCC)|\*.cloudapp.net <br> \*.api.microsoftstream.com <br> \*.notification.api.microsoftstream.com <br> amp.azure.net <br> api.microsoftstream.com <br> az416426.vo.msecnd.net <br> s0.assets-yammer.com <br> vortex.data.microsoft.com <br> web.microsoftstream.com <br> TCP port 443|Inbound server traffic| |22|Use **MFA server** for multi-factor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS).|See [Getting started with the Azure AD multi-factor authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy#plan-your-deployment).|Outbound server-only traffic| |23|**Microsoft Graph Change Notifications** <p> Developers can use [change notifications](/graph/webhooks?context=graph%2fapi%2f1.0&view=graph-rest-1.0) to subscribe to events in the Microsoft Graph.|Public Cloud: 52.159.23.209, 52.159.17.84, 52.147.213.251, 52.147.213.181, 13.85.192.59, 13.85.192.123, 13.89.108.233, 13.89.104.147, 20.96.21.67, 20.69.245.215, 137.135.11.161, 137.135.11.116, 52.159.107.50, 52.159.107.4, 52.229.38.131, 52.183.67.212, 52.142.114.29, 52.142.115.31, 51.124.75.43, 51.124.73.177, 20.44.210.83, 20.44.210.146, 40.80.232.177, 40.80.232.118, 20.48.12.75, 20.48.11.201, 104.215.13.23, 104.215.6.169, 52.148.24.136, 52.148.27.39, 40.76.162.99, 40.76.162.42, 40.74.203.28, 40.74.203.27, 13.86.37.15, 52.154.246.238, 20.96.21.98, 20.96.21.115, 137.135.11.222, 137.135.11.250, 52.159.109.205, 52.159.102.72, 52.151.30.78, 52.191.173.85, 51.104.159.213, 51.104.159.181, 51.138.90.7, 51.138.90.52, 52.148.115.48, 52.148.114.238, 40.80.233.14, 40.80.239.196, 20.48.14.35, 20.48.15.147, 104.215.18.55, 104.215.12.254, 20.199.102.157, 20.199.102.73, 13.87.81.123, 13.87.81.35, 20.111.9.46, 20.111.9.77, 13.87.81.133, 13.87.81.141 <p> Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 
52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220 <p> Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216 <br> TCP port 443 <p> Note: Developers can specify different ports when creating the subscriptions.|Inbound server traffic|
-|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.mstfconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic|
+|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.msftconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic|
| ## Related Topics
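Review bot: The correction of www.mstfconnecttest.com to www.msftconnecttest.com in row 24 is right, but because this row tells admins to allow this URL outbound, anyone who copied the misspelled name into a firewall or proxy allow-list now has an entry for a hostname that is not the documented endpoint; a short call-out that the previous spelling was wrong and should be replaced in existing allow-lists would help readers who acted on the earlier version.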
enterprise Disable Access To Services With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell.md
EMSPREMIUM
SPE_E5 RIGHTSMANAGEMENT_ADHOC
-$LO = New-MsolLicenseOptions -AccountSkuId <AccountSkuId> -DisabledPlans "<UndesiredService1>", "<UndesiredService2>"...
``` Next, use the SkuPartNumber from the command above, list the service plans available for a given license plan (Sku).
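Review bot: Removing the `$LO = New-MsolLicenseOptions ...` line without a replacement in this hunk leaves the following sentence, "use the SkuPartNumber from the command above", pointing at a command that is no longer visible here; confirm that the Graph-based command it now refers to is present immediately above the fence, otherwise the reference dangles.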
enterprise View Account License And Service Details With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell.md
First, [connect to your Microsoft 365 tenant](/graph/powershell/get-started#auth
Reading user properties including license details requires the User.Read.All permission scope or one of the other permissions listed in the ['Get a user' Graph API reference page](/graph/api/user-get). ```powershell
-Connect-Graph -Scopes User.Read.All
+Connect-Graph -Scopes User.ReadWrite.All, Organization.Read.All
``` Next, list the license plans for your tenant with this command.
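Review bot: The new `Connect-Graph -Scopes User.ReadWrite.All, Organization.Read.All` requests a write scope in an article that only views license details, and it contradicts the unchanged sentence just above, which states that User.Read.All is sufficient to read user properties including license details. Adding Organization.Read.All fits the next step (listing the tenant's license plans), but the user scope should stay read-only: `Connect-Graph -Scopes User.Read.All, Organization.Read.All`. Granting ReadWrite where Read suffices is exactly the over-consent pattern admins should avoid; if a write scope really is needed for a later step, say so in the prose so the two stay consistent.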
lighthouse M365 Lighthouse Overview Of Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview-of-permissions.md
For certain actions in Lighthouse, role assignments in the partner tenant are re
| Partner tenant roles | Permissions | |--|--|
-| Global Administrator of partner tenant | <ul><li>Sign up for Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>Activate and inactivate a tenant.</li><li>Create, update, and delete tags.</li><li>Assign and remove tags from a customer tenant.</li></ul> |
+| Global Administrator of partner tenant | <ul><li>Sign up for Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>Activate and inactivate a tenant.</li><li>Create, update, and delete tags.</li><li>Assign and remove tags from a customer tenant.</li><li>Review audit logs</li></ul> |
| Partner tenant member with at least one Azure AD role assigned with the following property set:<br>**microsoft.office365.supportTickets/allEntities/allTasks**<br>(For a complete list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).) | Create Lighthouse service requests. | | Partner tenant member who meets *both* of the following requirements: <ul><li>Has at least one Azure AD role assigned with the following property set:<br>**microsoft.office365.serviceHealth/allEntities/allTasks**<br>(For a complete list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).)</li><li>Has at least one DAP delegated role assigned (Admin Agent or Helpdesk Agent)</li></ul> | View service health information. |
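Review bot: The added `<li>Review audit logs</li>` is the only list item in the Global Administrator cell without a trailing period; the other five items all end with one. Use "Review audit logs." for consistency.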
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
audience: Admin Previously updated : 04/12/2022 Last updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
The following table compares security features and capabilities in Defender for
Defender for Business brings enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses.
-The following table compares security features and capabilities in Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2.
+The following table compares security features and capabilities in Defender for Business to the enterprise offerings, Microsoft Defender for Endpoint Plans 1 and 2.
-|Feature/Capability|[Defender for Business](mdb-overview.md)<br/>(standalone; currently in preview)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)|[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)|
+|Feature/Capability|[Defender for Business](mdb-overview.md)<br/>(standalone; currently in preview)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)<br/>(for enterprise customers) |[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)<br/>(for enterprise customers) |
||||| |[Centralized management](../defender-endpoint/manage-atp-post-migration.md) |Yes <sup>[[1](#fn1)]</sup>|Yes|Yes| |[Simplified client configuration](mdb-simplified-configuration.md)|Yes|No|No|
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
audience: Admin Previously updated : 04/12/2022 Last updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
## Overview
-After you've onboarded your company's devices to Microsoft Defender for Business, your next step is to view and if necessary, edit your security policies and settings. Security policies to configure include:
+After you've onboarded your company's devices to Microsoft Defender for Business, your next step is to review your security policies. If necessary, you can edit your security policies and settings.
+
+> [!TIP]
+> Defender for Business includes preconfigured security policies that use recommended settings. However, you can edit your settings to suit your business needs.
+
+Security policies to review and configure include:
- **[Next-generation protection policies](#view-or-edit-your-next-generation-protection-policies)**, which determine antivirus and antimalware protection for your company's devices - **[Firewall protection and rules](#view-or-edit-your-firewall-policies-and-custom-rules)**, which determine what network traffic is allowed to flow to or from your company's devices
The following table can help you choose where to manage your security policies a
| Option | Description | |:|:|
-| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) can be your one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use your [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <br/><br/>If you're using Microsoft Endpoint Manager, devices that you onboard to Defender for Business and your security policies are visible in Endpoint Manager. To learn more, see the following articles:<br/><br/>- [Defender for Business default settings and Microsoft Endpoint Manager](mdb-next-gen-configuration-settings.md#defender-for-business-default-settings-and-microsoft-endpoint-manager)<br/><br/>- [Firewall in Microsoft Defender for Business](mdb-firewall.md) |
+| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) can be your one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use your [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <br/><br/>If you're using Microsoft Endpoint Manager, devices that you onboard to Defender for Business and your security policies are visible in Endpoint Manager. To learn more, see the following articles:<br/>- [Defender for Business default settings and Microsoft Endpoint Manager](mdb-next-gen-configuration-settings.md#defender-for-business-default-settings-and-microsoft-endpoint-manager)<br/>- [Firewall in Microsoft Defender for Business](mdb-firewall.md) |
| **Use Microsoft Endpoint Manager** | If your company is already using Endpoint Manager (which includes Microsoft Intune) to manage security policies, you can continue using Endpoint Manager to manage devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Endpoint Manager to avoid [policy conflicts](mdb-troubleshooting.yml) later. | > [!IMPORTANT]
The following table describes settings for advanced features:
| Setting | Description | |:|:| | Automated Investigation <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action, and then takes (or recommends) remediation actions (such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL). While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |
-| Live Response <br/>(turned on by default) | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
+| Live Response | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
| Live Response for Servers | (This setting is currently not available in Defender for Business) | | Live Response unsigned script execution | (This setting is currently not available in Defender for Business) | | Enable EDR in block mode<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. For devices running Microsoft Defender Antivirus as their primary antivirus, EDR in block mode provides an extra layer of defense by allowing Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). | | Allow or block a file <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) to be turned on.<br/><br/>Blocking a file will prevent it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). | | Custom network indicators<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) to be turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your own threat intelligence. 
You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app, but you can provide a warning for users.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |
-| Tamper protection<br/>(we recommend turning this setting on) | Tamper protection prevents malicious apps taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling cloud protection<br/>- Removing security intelligence updates<br/>- Disabling automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Lern more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
+| Tamper protection<br/>(we recommend turning this setting on) | Tamper protection prevents malicious apps taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling cloud protection<br/>- Removing security intelligence updates<br/>- Disabling automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
| Show user details<br/>(turned on by default) | Enables people in your organization to see details, such as employees' picture, name, title, and department. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). | | Skype for Business integration<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. | | Web content filtering<br/>(turned on by default) | Block access to websites containing unwanted content and track web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). |
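Review bot: The edited Live Response row (the `+| Live Response |` line) now carries no default-state annotation, while every other row in this table says "turned on by default" or gives a recommendation; state whether Live Response is on by default or must be enabled so admins reading the table know which manual response actions (scan, isolate, stop and quarantine, indicator) are available without changing a setting. In the retained Tamper protection row, "prevents malicious apps taking actions" should read "prevents malicious apps from taking actions".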
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 04/14/2022 Last updated : 04/18/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
With Microsoft Defender for Business, you have several options to choose from fo
1. Select the tab for your operating system: - Windows clients
- - Windows Server (preview)
- macOS computers - mobile devices
With Microsoft Defender for Business, you have several options to choose from fo
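Review bot: Dropping "Windows Server (preview)" from the "Select the tab for your operating system" list leaves the other tabs' "Next steps" bullets, which enumerate the tabs as "Windows clients, Windows Server, macOS, or mobile devices" (visible in the removed Windows Server copy further down), pointing at a tab that no longer exists; the retained Windows clients "Next steps" lines are truncated in this view, so confirm they no longer list Windows Server.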
Choose one of the following options to onboard Windows client devices to Defender for Business: - [Local script](#local-script-for-windows-clients) (for onboarding devices manually in the Microsoft 365 Defender portal)
+- [Group Policy](#group-policy-for-windows-clients)
- [Microsoft Endpoint Manager](#endpoint-manager-for-windows-clients) (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
You can use a local script to onboard Windows client devices. When you run the o
8. After the script runs, proceed to [Run a detection test](#running-a-detection-test-on-a-windows-client).
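Review bot: The new `+- [Group Policy](#group-policy-for-windows-clients)` bullet has no qualifier describing when to pick it, whereas the Local script bullet says "for onboarding devices manually" and the Endpoint Manager bullet says "included in Microsoft 365 Business Premium"; add a short parenthetical such as "(for domain-joined devices you already manage with Group Policy)" so the three options read as parallel choices.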
+### Group Policy for Windows clients
+
+If you prefer to use Group Policy to onboard Windows clients, follow the guidance in [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md). This article describes the steps for onboarding to Microsoft Defender for Endpoint; however, the steps for onboarding to Defender for Business are similar.
+ ### Endpoint Manager for Windows clients If your subscription includes [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
To view the list of devices that are onboarded to Defender for Business, in the
- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md) - See [Get started using Microsoft Defender for Business](mdb-get-started.md).
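Review bot: The new Group Policy section says the Defender for Endpoint steps are "similar" without saying which step differs; name the difference explicitly (the onboarding package comes from the Microsoft 365 Defender portal under **Settings** > **Endpoints** > **Onboarding**, as the local-script steps on this page describe), so readers following the Endpoint article do not pick up a package from the wrong place. Also, the Business Premium link in the Endpoint Manager paragraph targets `../../business/index.yml` while the same product is linked as `../../business-premium/index.md` in the option list above; use one target for both.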
-## [**Windows Server**](#tab/WindowsServerEndpoints)
-
-## Windows Server (preview)
-
-You can onboard a Windows Server device by using a local script.
-
-> [!IMPORTANT]
-> The ability to onboard Windows Server endpoints is currently in preview.
-
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
-
-2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
-
-3. Select an operating system, such as **Windows Server 1803, 2019, and 2022**, and then, in the **Deployment method** section, choose **Local script**.
-
- If you select **Windows Server 2012 R2 and 2016**, you'll have two packages to download and run: an installation package, and an onboarding package. The installation package contains an MSI file that installs the Microsoft Defender for Business agent. The onboarding package contains the script to onboard your Windows Server endpoint to Defender for Business.
-
-4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.
-
- If you selected **Windows Server 2012 R2 and 2016**, also select **Download installation package**, and save it to a removable drive
-
-5. On your Windows Server endpoint, extract the contents of the installation/onboarding package(s) to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.
-
- If you're onboarding Windows Server 2012 R2 or Windows Server 2016, extract the installation package first.
-
-6. Open Command Prompt as an administrator.
-
-7. If you're onboarding Windows Server 2012R2 or Windows Server 2016, run the following command: `Msiexec /i md4ws.msi /quiet`.
-
- If you're onboarding Windows Server 1803, 2019, or 2022, skip this step and proceed to step 8.
-
-8. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).
-
-9. Proceed to [Run a detection test on Windows Server](#running-a-detection-test-on-windows-server)
-
-### Running a detection test on Windows Server
-
-After you've onboarded your Windows Server endpoint to Defender for Business, you can run a detection test to make sure that everything is working correctly.
-
-1. On the Windows Server device, create a folder: `C:\test-MDATP-test`.
-
-2. Open Command Prompt as an administrator.
-
-3. In the Command Prompt window, run the following PowerShell command:
-
- ```powershell
- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
- ```
-
-After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
-
-## View a list of onboarded devices
-
-To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device invetory**.
-
-## Next steps
--- If you have other devices to onboard, select the tab that corresponds to the operating system on the devices [(Windows clients, Windows Server, macOS, or mobile devices](#what-to-do)), and follow the guidance on that tab.-- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)-- See [Get started using Microsoft Defender for Business](mdb-get-started.md).- ## [**macOS**](#tab/macOSdevices) ## macOS computers
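Review bot: The removed run at the end of this hunk includes the `## [**macOS**](#tab/macOSdevices) ## macOS computers` heading on the same line as the deleted "Next steps" bullets, so confirm in the rendered page that the macOS tab heading and the tab separator before it survive the deletion; otherwise the macOS content folds into the Windows clients tab. Since the whole Windows Server tab (its onboarding steps, detection test, device inventory and next steps) is being removed rather than marked unavailable, consider leaving a one-line pointer in the operating-system list saying that Windows Server onboarding is not yet available, so admins who saw the earlier preview guidance know it was withdrawn deliberately.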
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
You can use one of several methods to confirm the state of Microsoft Defender An
| Windows Security app | 1. On a Windows device, open the Windows Security app.<br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**.<br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. | | Task Manager | 1. On a Windows device, open the Task Manager app.<br/>2. Select the **Details** tab.<br/>3. Look for **MsMpEng.exe** in the list. | | Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | 1. On a Windows device, open Windows PowerShell. <br/>2. Run the following PowerShell cmdlet: `Get-Process`.<br/>3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled. |
- | Windows PowerShell <br/>(To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet:<br/> Get-MpComputerStatus \| select AMRunningMode <br/>3. Review the results. You should see either **Normal** or **Passive** if Microsoft Defender Antivirus is enabled on the endpoint. |
+ | Windows PowerShell <br/>(To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<br/>1. On a Windows device, open Windows PowerShell.<br/>2. Run following PowerShell cmdlet:<br/> Get-MpComputerStatus \| select AMRunningMode <br/>3. Review the results. You should see either **Normal**, **Passive**, or **EDR Block Mode** if Microsoft Defender Antivirus is enabled on the endpoint. |
| Command Prompt | 1. On a Windows device, open Command Prompt.<br/>2. Type `sc query windefend`, and then press Enter.<br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | ## More details about Microsoft Defender Antivirus states
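Review bot: The mode value added in the `+ | Windows PowerShell` row is written **EDR Block Mode**, while the table below writes "EDR Block mode" and the linked feature is called "EDR in block mode"; use one spelling for the value as the cmdlet reports it, since admins will compare the string they see in the `Get-MpComputerStatus | select AMRunningMode` output against this table. The Command Prompt row still tells readers to use `sc query windefend` to "confirm that Microsoft Defender Antivirus is running in passive mode", but that command reports the WinDefend service state (running or stopped), not active, passive or EDR block mode; point that row at the AMRunningMode row for the mode and limit it to confirming the service is running.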
The table in this section describes various states you might see with Microsoft
| State | What happens | |:|:| | Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
- | Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however. <br/><br/> Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/> Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints). |
+ | Passive mode <br/><br/> or <br/><br/> EDR Block mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. <br/><br/>Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) when running in EDR Block Mode, however. <br/><br/> Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/> Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints). |
| Disabled <br/><br/> or <br/><br/> Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. <br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <br/><br/> In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. <br/><br/> You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. | > [!TIP]
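Review bot: The new second sentence of the `+ | Passive mode <br/><br/> or <br/><br/> EDR Block mode |` row, "Threats can be remediated by [EDR in block mode] when running in EDR Block Mode, however", is circular; say what the mode does, for example "When EDR in block mode is turned on, Microsoft Defender Antivirus remediates malicious artifacts that EDR detects, even though it is not the primary antivirus", which matches the EDR-in-block-mode description used elsewhere in these docs. The rest of the row still speaks only of "passive mode" although the header now covers both states; either state which sentences apply to EDR Block Mode as well or split it into its own row.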
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
Preset security policies use the corresponding policies from the various protect
- [Anti-malware policies](configure-anti-malware-policies.md) named **Standard Preset Security Policy** and **Strict Preset Security Policy**. - [EOP Anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings) named **Standard Preset Security Policy** and **Strict Preset Security Policy** (spoof settings).
+ > [!NOTE]
+ > Outbound spam policies are not part of preset security policies. The default outbound spam policy automatically protects members of preset security policies. Or, you can create custom outbound spam policies to customize the protection for members of preset security policies. For more information, see [Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md).
+ - **Microsoft Defender for Office 365 policies**: This includes organizations with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions: - Anti-phishing policies in Microsoft Defender for Office 365 named **Standard Preset Security Policy** and **Strict Preset Security Policy**, which include: - The same [spoof settings](set-up-anti-phishing-policies.md#spoof-settings) that are available in the EOP anti-phishing policies.
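Review bot: The added `> [!NOTE]` block sits between the EOP policy bullets and the **Microsoft Defender for Office 365 policies** bullet, which ends the Markdown list and makes the Defender item start a new one; move the note after the complete list, or indent it under the EOP item, so the bullets render as a single list. In the note text, "Or, you can create custom outbound spam policies" reads awkwardly as a sentence opener; "Alternatively, you can create custom outbound spam policies" is cleaner.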
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure outbound spam policies, see [Configure outbound spam fil
For more information about the default sending limits in the service, see [Sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-1). > [!NOTE]
-> Outbound spam policies are not part of Standard or Strict preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in the default outbound spam policy or custom policies that you create.
+> Outbound spam policies are not part of Standard or Strict preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in the default outbound spam policy or custom outbound spam policies that you create.
-|Security feature name|Default|Standard|Strict|Comment|
+|Security feature name|Default|Recommended<br/>Standard|Recommended<br/>Strict|Comment|
||::|::|::|| |**Set an external message limit** <br/><br/> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.| |**Set an internal message limit** <br/><br/> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|
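Review bot: The header change to "Recommended<br/>Standard" and "Recommended<br/>Strict" is consistent with the reworded note above it, but both rows' Comment cell, "The default value 0 means use the service defaults.", still leaves readers without the numbers the default actually applies; link "service defaults" to the [Sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-1) article already cited just above the table so the Default column is comparable with the 500/400 and 1000/800 recommendations.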
solutions Plan External Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-external-collaboration.md
Title: "Plan external collaboration"
+ Title: "Plan external collaboration with channel conversations, file collaboration, and shared apps"
localization_priority: Normal f1.keywords: NOCSH recommendations: false
-description: Plan which external collaboration options to use in Microsoft 365.
+description: Learn the difference between guest collaboration and shared channels in Teams and how to choose which one to use.
-# Plan external collaboration
+# Plan external collaboration with channel conversations, file collaboration, and shared apps
Microsoft 365 offers several options for collaborating with people outside your organization:
Microsoft 365 offers several options for collaborating with people outside your
- Sharing individual files or folders with people outside your organization - Collaboration in a team, with channel conversations, file collaboration, and shared apps
-This article covers the fourth option, group collaboration with channel conversations, file collaboration, and shared apps.
+This article covers the fourth option, group collaboration with channel conversations, file collaboration, and shared apps. (For an overview of all the options, see [Overview of external collaboration options in Microsoft 365](/microsoft-365/enterprise/external-guest-access).)
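Review bot: The new `+description:` frames the article as "the difference between guest collaboration and shared channels in Teams", while the new title, H1 and the sentence at the end of this hunk frame it as "channel conversations, file collaboration, and shared apps"; align the description with the H1 (or mention shared channels in the H1) so search results and the page heading describe the same scope.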
## Terms
Shared channels are integrated with Microsoft 365 compliance features.
##### Communications compliance
-Admins can set policies to monitor content for all users in the channel. All messages content in channels, including the shared channel, are covered by [communication compliance policies](/microsoft-365/compliance/communication-compliance). Shared channels inherit the policy of the host organization.
+Admins can set policies to monitor content for all users in the channel. All messages content in channels, including shared channels, is covered by [communication compliance policies](/microsoft-365/compliance/communication-compliance). Shared channels inherit the policy of the host organization.
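Review bot: The `+Admins can set policies` line fixes the verb agreement but keeps "All messages content in channels"; it should read "All message content in channels, including shared channels, is covered by ...". The first sentence, "monitor content for all users in the channel", would also be clearer as "for all users in a channel", since the paragraph goes on to speak of channels in general.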
##### Conditional access The host organization's [conditional access policies](/azure/active-directory/conditional-access/overview) are applied to external participants, including B2B direct connect users. The external organization's policies are not used. The following types of conditional access policies are supported with shared channels: -- Policies that are scoped to all guest users, external participants, SharePoint Online cloud apps
+- Policies that are scoped to all guests, external participants, and SharePoint Online cloud apps.
- Grant Access controls that require MFA, a compliant device, or a hybrid Azure AD joined device. IP-based policies are supported at the SharePoint file level. So an external participant could access shared channel from a restricted location, but be blocked when trying to open a file.
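Review bot: The `+- Policies that are scoped to all guests, external participants, and SharePoint Online cloud apps.` bullet merges a user scope (guests and external participants) with a cloud-app scope (SharePoint Online) into one item, although conditional access assigns users and cloud apps independently; split it into "Policies scoped to all guests and external participants" and "Policies scoped to the SharePoint Online cloud app" so readers can see which assignment each case needs. In the retained sentence, "could access shared channel from a restricted location" is missing an article ("a shared channel").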