Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-overview | Microsoft 365 Copilot Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-overview.md | Copilot for Microsoft 365 is available as an add-on plan with one of the followi - Microsoft 365 E5 - Microsoft 365 E3+- Microsoft 365 F1 +- Microsoft 365 F3 +- Office 365 E1 - Office 365 E3 - Office 365 E5-- Microsoft 365 Business Standard+- Office 365 F3 +- Microsoft 365 Business Basic - Microsoft 365 Business Premium+- Microsoft 365 Business Standard - Microsoft 365 A5 for faculty* - Microsoft 365 A3 for faculty* - Office 365 A5 for faculty* - Office 365 A3 for faculty* -*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. +*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users) and [Microsoft Copilot for Microsoft 365 requirements](microsoft-365-copilot-requirements.md). |
microsoft-365-copilot-requirements | Microsoft 365 Copilot Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-requirements.md | Copilot for Microsoft 365 is available as an add-on plan with one of the followi - Microsoft 365 E5 - Microsoft 365 E3+- Microsoft 365 F1 +- Microsoft 365 F3 +- Office 365 E1 - Office 365 E3 - Office 365 E5-- Microsoft 365 Business Standard+- Office 365 F3 +- Microsoft 365 Business Basic - Microsoft 365 Business Premium+- Microsoft 365 Business Standard - Microsoft 365 A5 for faculty* - Microsoft 365 A3 for faculty* - Office 365 A5 for faculty* - Office 365 A3 for faculty* -*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. +*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. You can use the [Microsoft Copilot for Microsoft 365 setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users). |
microsoft-365-copilot-setup | Microsoft 365 Copilot Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-setup.md | Your users must have one of the following base licenses to be eligible for a Cop - Microsoft 365 E5 - Microsoft 365 E3+- Microsoft 365 F1 +- Microsoft 365 F3 +- Office 365 E1 - Office 365 E3 - Office 365 E5-- Microsoft 365 Business Standard+- Office 365 F3 +- Microsoft 365 Business Basic - Microsoft 365 Business Premium+- Microsoft 365 Business Standard - Microsoft 365 A5 for faculty* - Microsoft 365 A3 for faculty* - Office 365 A5 for faculty* - Office 365 A3 for faculty* -*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. +*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. >[!NOTE] > Customers with Education or Business subscriptions that do not include Teams can still purchase Copilot for Microsoft 365 licenses. For more information on data security and compliance configurations using Micros Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences). -- ## Update channels Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-Annual Enterprise Channel. Preview channels include Current Channel (Preview) and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel. Preview channels are a great option to validate the product before rolling out to the rest of organization. 
To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels). |
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | You can see the following summary charts in this report: - Microsoft 365 E5 - Microsoft 365 E3+- Microsoft 365 F1 +- Microsoft 365 F3 +- Office 365 E1 - Office 365 E3 - Office 365 E5-- Microsoft 365 Business Standard+- Office 365 F3 +- Microsoft 365 Business Basic - Microsoft 365 Business Premium+- Microsoft 365 Business Standard - Microsoft 365 A5 for faculty* - Microsoft 365 A3 for faculty* - Office 365 A5 for faculty* - Office 365 A3 for faculty* -*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. +*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider only. **Users on an eligible update channel** This number is the sum of all users who are enrolled in Current Channel or Monthly Enterprise Channel for app updates in your organization and could be assigned with a Copilot license. You can see the following summary charts in this report as default view: The definitions for Enabled Users and Active Users metrics are the same as provided earlier. -To note, Active users of Word, Excel, and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might be lower than expected if there are people in your organization using the Coach feature on Outlook Win32 over the selected time period. We are currently working on integrating this data into our reports and will notify you as soon as it becomes available. +To note, Active users of Word, Excel, and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might increase from February 1st, 2024, as we have restated ‘Draft with Copilot’ and ‘Coaching by Copilot’ tried actions data for Outlook Win32. 
>[!IMPORTANT] > Your organization must have optional diagnostic telemetry for Office apps enabled for Windows, Mac, iOS, and Android in order for comprehensive usage information to be captured in this report. [Learn more about diagnostic telemetry settings](/DeployOffice/privacy/optional-diagnostic-data). When switching to Trend view, you can select one product in the dropdown list to :::image type="content" alt-text="Screenshot showing the dropdown list of products for Microsoft 365 Copilot adoption chart." source="../../media/copilot-usage-trend-view2.png"::: - In the Adoption section, you may see a recommendation card: :::image type="content" alt-text="Screenshot showing the recommendation card for Microsoft 365 Copilot adoption." source="../../media/copilot-usage-recommendation.png"::: This report now includes a new metric for Microsoft Copilot with Graph-grounded - Selecting a prompt from the "Try these Prompts" section, which will automatically copy the prompt into the chat box. - Clicking on one of the suggestions from the "Stay on top" tab in some platforms (such as Microsoft365.com). -Note that automated prompts are not included in this feature. - ### What are the behaviors of All up last activity date and last activity date per app in user-level table? All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there's no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once it’s done. |
admin | About Admin Roles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md | You'll probably only need to assign the following roles in your organization. By |Migration admin | Assign the Microsoft 365 Migration Administrator role to users who need to do the following tasks: <br> - Use Migration Manager in the Microsoft 365 admin center to manage content migration to Microsoft 365, including Teams, OneDrive for Business, and SharePoint sites, from various sources such as Google Drive, Dropbox, and Box. <br> - Select migration sources, create migration inventories (such as Google Drive user lists), schedule and execute migrations, and download reports. <br> - Create new SharePoint sites if the destination sites don't already exist, create SharePoint lists under the SharePoint admin sites, and create and update items in SharePoint lists. <br> - Manage migration project settings and migration lifecycle for tasks as well as manage permission mappings from source to destination. <br> **Note:** With this role, you can only migrate from Google Drive, Box, Dropbox and Egnyte. This role doesn't allow you to migrate from file share sources from the SharePoint admin center. Use either SharePoint admin or a Global admin to migrate from file share sources.| |Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies. <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Microsoft 365 apps <br> - Monitor service health | |Organizational Message Writer | Assign the Organizational Message Writer role to users who need to write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. 
|+|Organizational Messages Approver | Assign the Organizational Messages Approver role to users who need to review, approve, or reject new organizational messages for delivery in the Microsoft 365 admin center before they are sent to users through Microsoft product surfaces. | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. | |Power Platform admin | Assign the Power Platform admin role to users who need to do the following: <br> - Manage all admin features for Power Apps, Power Automate, Power BI, Microsoft Fabric, and Microsoft Purview Data Loss Prevention <br> - Create and manage service requests <br> - Monitor service health | |Reports reader | Assign the Reports reader role to users who need to do the following: <br> - View usage data and the activity reports in the Microsoft 365 admin center <br> - Get access to the Power BI adoption content pack <br> - Get access to sign-in reports and activity in Microsoft Entra ID <br> - View data returned by Microsoft Graph reporting API| |
enterprise | Cloud Microsoft Domain | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-microsoft-domain.md | description: Describes the new cloud.microsoft domain for Microsoft 365 apps Previously updated : 02/15/2024 Last updated : 04/18/2024 ms.localizationpriority: medium-+ search.appverid: MET150 Consolidating authenticated user-facing Microsoft 365 experiences to a single do 'Dot brand' top-level domains like `.microsoft` enhance security, trustworthiness, and integrity. Microsoft has exclusive rights to the `.microsoft` top-level domain, enabling enhanced security protocols and governance controls. All experiences on the `.microsoft` domain are legitimate and authentic, as Microsoft is the registry operator and sole registrant. +## Security considerations ++To ensure that customers and users can treat everything under the *.cloud.microsoft domain as fully trusted, the entire domain hierarchy is isolated, purpose built, and dedicated to hosting only secure and compliant Microsoft product experiences. The domain is managed to the highest standards of domain security and reputation, and is kept free of scenarios such as third-party websites, IaaS/PaaS resources (such as file and blob storage), and hosting of active content, code or scripts that may affect the trust and integrity of products and applications residing in the domain. + ## Requirements for admins Organizations currently following standard [Microsoft network guidance on domains and service endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges) shouldn't see an impact to the Microsoft 365 experience. The *.cloud.microsoft domain is already added to the official list of Office 365 URLs and IP address ranges. |
enterprise | Disable Access To Services While Assigning User Licenses | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-while-assigning-user-licenses.md | - Title: "Disable access to Microsoft 365 services while assigning user licenses"--- Previously updated : 04/24/2020---- scotvorg -- Ent_O365--- MET150-- CSH- - - PowerShell - - Ent_Office_Other - - has-azure-ad-ps-ref -description: "Learn how to assign licenses to user accounts and disable specific service plans at the same time using PowerShell for Microsoft 365." ---# Disable access to Microsoft 365 services while assigning user licenses --*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* --Microsoft 365 subscriptions come with service plans for individual services. Microsoft 365 administrators often need to disable certain plans when assigning licenses to users. With the instructions in this article, you can assign a Microsoft 365 license while disabling specific service plans using PowerShell for an individual user account or multiple user accounts. --## Use the Azure Active Directory PowerShell for Graph module --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module). ---Next, list the license plans for your tenant with this command. --```powershell -Get-AzureADSubscribedSku | Select SkuPartNumber -``` ---Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN). --Next, compile a list of services to enable. For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference). 
--For the command block below, fill in the user principal name of the user account, the SKU part number, and the list of service plans to enable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt. --```powershell -$userUPN="<user account UPN>" -$skuPart="<SKU part number>" -$serviceList=<double-quoted enclosed, comma-separated list of enabled services> -$user = Get-AzureADUser -ObjectID $userUPN -$skuID= (Get-AzureADSubscribedSku | Where {$_.SkuPartNumber -eq $skuPart}).SkuID -$SkuFeaturesToEnable = @($serviceList) -$StandardLicense = Get-AzureADSubscribedSku | Where {$_.SkuId -eq $skuID} -$SkuFeaturesToDisable = $StandardLicense.ServicePlans | ForEach-Object { $_ | Where {$_.ServicePlanName -notin $SkuFeaturesToEnable }} -$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense -$License.SkuId = $StandardLicense.SkuId -$License.DisabledPlans = $SkuFeaturesToDisable.ServicePlanId -$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses -$LicensesToAssign.AddLicenses = $License -Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $LicensesToAssign -``` --## Use the Microsoft Azure Active Directory module for Windows PowerShell --First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). --Next, run this command to see your current subscriptions: --```powershell -Get-MsolAccountSku -``` -->[!Note] ->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell. -> --In the display of the `Get-MsolAccountSku` command: --- **AccountSkuId** is a subscription for your organization in \<OrganizationName>:\<Subscription> format. 
The \<OrganizationName> is the value that you provided when you enrolled in Microsoft 365, and is unique for your organization. The \<Subscription> value is for a specific subscription. For example, for litwareinc:ENTERPRISEPACK, the organization name is litwareinc, and the subscription name is ENTERPRISEPACK (Office 365 Enterprise E3).--- **ActiveUnits** is the number of licenses that you purchased for the subscription.--- **WarningUnits** is the number of licenses in a subscription that you haven't renewed, and that will expire after the 30-day grace period.--- **ConsumedUnits** is the number of licenses that you assigned to users for the subscription.--Note the AccountSkuId for your Microsoft 365 subscription that contains the users you want to license. Also, ensure that there are enough licenses to assign (subtract **ConsumedUnits** from **ActiveUnits**). --Next, run this command to see the details about the Microsoft 365 service plans that are available in all your subscriptions: --```powershell -Get-MsolAccountSku | Select -ExpandProperty ServiceStatus -``` --From the display of this command, determine which service plans you would like to disable when you assign licenses to users. --Here's a partial list of service plans and their corresponding Microsoft 365 services. --The following table shows the Microsoft 365 service plans and their friendly names for the most common services. Your list of service plans might be different. 
--|**Service plan**|**Description**| -|:--|:--| -| `SWAY` <br/> |Sway <br/> | -| `TEAMS1` <br/> |Microsoft Teams <br/> | -| `YAMMER_ENTERPRISE` <br/> |Viva Engage <br/> | -| `RMS_S_ENTERPRISE` <br/> |Azure Rights Management (RMS) <br/> | -| `OFFICESUBSCRIPTION` <br/> |Microsoft 365 Apps for enterprise *(previously named Office 365 ProPlus)* <br/> | -| `MCOSTANDARD` <br/> |Skype for Business Online <br/> | -| `SHAREPOINTWAC` <br/> |Office <br/> | -| `SHAREPOINTENTERPRISE` <br/> |SharePoint Online <br/> | -| `EXCHANGE_S_ENTERPRISE` <br/> |Exchange Online Plan 2 <br/> | --For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference). --Now that you have the AccountSkuId and the service plans to disable, you can assign licenses for an individual user or for multiple users. --### For a single user --For a single user, fill in the user principal name of the user account, the AccountSkuId, and the list of service plans to disable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt. 
--```powershell -$userUPN="<the user's account name in email format>" -$accountSkuId="<the AccountSkuId from the Get-MsolAccountSku command>" -$planList=@( <comma-separated, double-quote enclosed list of the service plans to disable> ) -$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList -Set-MsolUserLicense -UserPrincipalName $userUpn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue -Sleep -Seconds 5 -Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue -``` --Here's an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE: --```powershell -$userUPN="belindan@contoso.com" -$accountSkuId="contoso:ENTERPRISEPACK" -$planList=@( "RMS_S_ENTERPRISE","SWAY","INTUNE_O365","YAMMER_ENTERPRISE" ) -$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList -Set-MsolUserLicense -UserPrincipalName $userUpn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue -Sleep -Seconds 5 -Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue -``` --### For multiple users --To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here's an example: --```powershell -UserPrincipalName,UsageLocation -ClaudeL@contoso.onmicrosoft.com,FR -LynneB@contoso.onmicrosoft.com,US -ShawnM@contoso.onmicrosoft.com,US -``` --Next, fill in the location of the input and output CSV files, the account SKU ID, and the list of service plans to disable, and then run the resulting commands at the PowerShell command prompt. 
--```powershell -$inFileName="<path and file name of the input CSV file that contains the users, example: C:\admin\Users2License.CSV>" -$outFileName="<path and file name of the output CSV file that records the results, example: C:\admin\Users2License-Done.CSV>" -$accountSkuId="<the AccountSkuId from the Get-MsolAccountSku command>" -$planList=@( <comma-separated, double-quote enclosed list of the plans to disable> ) -$users=Import-Csv $inFileName -$licenseOptions=New-MsolLicenseOptions -AccountSkuId $accountSkuId -DisabledPlans $planList -ForEach ($user in $users) -{ -$user.Userprincipalname -$upn=$user.UserPrincipalName -Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $accountSkuId -ErrorAction SilentlyContinue -sleep -Seconds 5 -Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue -$users | Get-MsolUser | Select UserPrincipalName, Islicensed,Usagelocation | Export-Csv $outFileName -} -``` --This PowerShell command block: --- Displays the user principal name of each user.--- Assigns customized licenses to each user.--- Creates a CSV file with all the users that were processed and shows their license status.--## See also --[Disable access to Microsoft 365 services with PowerShell](disable-access-to-services-with-microsoft-365-powershell.md) --[Disable access to Sway with PowerShell](disable-access-to-sway-with-microsoft-365-powershell.md) --[Manage Microsoft 365 user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md) --[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md) |
enterprise | Move Onedrive Between Geo Locations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-onedrive-between-geo-locations.md | - Title: "Move a OneDrive site to a different geo location"- Previously updated : 04/12/2024------- NOCSH---- Strat_SP_gtc-- SPO_Content-- must-keep -description: Find information about moving a OneDrive site to a different geo location, including how to schedule site moves and communicating expectations to users. ---# Move a OneDrive site to a different geo location --With OneDrive geo move, you can move a user's OneDrive to a different geo location. OneDrive geo move is performed by the SharePoint administrator or the Microsoft 365 global administrator. Before you start a OneDrive geo move, be sure to notify the user whose OneDrive is being moved and recommend they close all files during the move. (If the user has a document open using the Office client during the move, then upon move completion the document needs to be saved to the new location.) The move can be scheduled for a future time, if desired. --The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive will be moved from the source to destination geo location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive will be restored as soon as the destination OneDrive is available. --During the OneDrive geo move window (about 2-6 hours), the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint. After OneDrive geo move is complete, the user will be automatically connected to their OneDrive at the destination geo location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location. 
--The procedures in this article require the [Microsoft SharePoint Online PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588). --## Communicating to your users --When moving OneDrive sites between geo locations, it's important to communicate to your users what to expect. This can help reduce user confusion and calls to your help desk. Email your users before the move and let them know the following information: --- When the move is expected to start and how long it's expected to take-- What geo location their OneDrive is moving to, and the URL to access the new location-- They should close their files and not make edits during the move.-- File permissions and sharing won't change as a result of the move.-- What to expect from the [user experience in a multi-geo environment](multi-geo-user-experience.md)--Be sure to send your users an email when the move has successfully completed informing them that they can resume working in OneDrive. --## Scheduling OneDrive site moves --You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you're comfortable with the process, you can schedule moves as follows: --- You can schedule up to 4,000 moves at a time.-- As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.-- The maximum size of a OneDrive that can be moved is 1 terabyte (1 TB).-- The maximum number of list items that can be moved is 1,000,000.--## Moving a OneDrive site --To perform a OneDrive geo move, the tenant administrator must first set the user's Preferred Data Location (PDL) to the appropriate geo location. Once the PDL is set, wait for at least 24 hours for the PDL update to sync across the geo locations before starting the OneDrive geo move. 
--When using the geo move cmdlets, connect to the SharePoint Service at the user's current OneDrive geo location, using the following syntax: --```powershell -Connect-SPOService -url https://<tenantName>-admin.sharepoint.com -``` --For example: To move OneDrive of user 'Matt@contosoenergy.onmicrosoft.com', connect to EUR SharePoint Admin center as the user's OneDrive is in EUR geo location: --```powershell -Connect-SPOService -url https://contosoenergyeur-admin.sharepoint.com -``` --![Screenshot of PowerShell window showing connect-sposervice cmdlet.](../media/move-onedrive-between-geo-locations-image1.png) --## Validating the environment --Before you start a OneDrive geo move, we recommend that you validate the environment. --To ensure that all geo locations are compatible, run: --```powershell -Get-SPOGeoMoveCrossCompatibilityStatus -``` --This displays all your geo locations and whether the environment is compatible with the destination geo location. If a geo location is incompatible, that means an update is in progress in that location. Try again in a few days. --If a OneDrive contains a subsite, for example, it can't be moved. You can use the Start-SPOUserAndContentMove cmdlet with the -ValidationOnly parameter to validate if the OneDrive is able to be moved: --```powershell -Start-SPOUserAndContentMove -UserPrincipalName <UPN> -DestinationDataLocation <DestinationDataLocation> -ValidationOnly -``` --This returns **Success** if the OneDrive is ready to be moved or **Fail** if there's a legal hold or subsite that would prevent the move. Once you validate that the OneDrive is ready to move, you can start the move. 
--## Start a OneDrive geo move --To start the move, run: --```powershell -Start-SPOUserAndContentMove -UserPrincipalName <UserPrincipalName> -DestinationDataLocation <DestinationDataLocation> -``` --Using these parameters: --- _UserPrincipalName_ – UPN of the user whose OneDrive is being moved.-- _DestinationDataLocation_ – Geo-Location where the OneDrive needs to be moved. This should be same as the user's preferred data location.--For example, to move the OneDrive of matt@contosoenergy.onmicrosoft.com from EUR to AUS, run: --```powershell -Start-SPOUserAndContentMove -UserPrincipalName matt@contosoenergy.onmicrosoft.com -DestinationDataLocation AUS -``` --![Screenshot of PowerShell window showing Start-SPOUserAndContentMove cmdlet.](../media/move-onedrive-between-geo-locations-image2.png) --To schedule a geo move for a later time, use one of the following parameters: --- _PreferredMoveBeginDate_ – The move will likely begin at this specified time. Time must be specified in Coordinated Universal Time (UTC).-- _PreferredMoveEndDate_ – The move will likely be completed by this specified time, on a best effort basis. Time must be specified in Coordinated Universal Time (UTC).--## Cancel a OneDrive geo move --You can stop the geo move of a user's OneDrive, provided the move isn't in progress or completed by using the cmdlet: --```powershell -Stop-SPOUserAndContentMove – UserPrincipalName <UserPrincipalName> -``` --Where _UserPrincipalName_ is the UPN of the user whose OneDrive move you want to stop. --## Determining current status --You can check the status of a OneDrive geo move in or out of the geo that you're connected to by using the ```Get-SPOUserAndContentMoveState``` cmdlet. --The move statuses are described in the following table. 
--|Status|Description| -||| -|NotStarted|The move hasn't started| -|InProgress (*n*/4)|The move is in progress in one of the following states: <ul><li>Validation (1/4)</li><li>Backup (2/4)</li><li>Restore (3/4)</li><li>Cleanup (4/4)</li></ul>| -|Success|The move has completed successfully.| -|Failed|The move failed.| --To find the status of a specific user's move, use the *UserPrincipalName* parameter: --```powershell -Get-SPOUserAndContentMoveState -UserPrincipalName <UPN> -``` --To find the status of all of the moves in or out of the geo location that you're connected to, use the *MoveState* parameter with one of the following values: NotStarted, InProgress, Success, Failed, All. --```powershell -Get-SPOUserAndContentMoveState -MoveState <value> -``` --You can also add the *Verbose* parameter for more verbose descriptions of the move state. --## User Experience --Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different geo location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed. --### User's OneDrive --While the move is in progress the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new geo location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser. --### Permissions on OneDrive content --Users with permissions to OneDrive content will continue to have access to the content during the move and after it's complete. --### OneDrive sync app --The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new OneDrive location once the OneDrive geo move is complete. The user doesn't need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.) 
--If a user updates a file while the OneDrive geo move is in progress, the sync app notifies them that file uploads are pending while the move is underway. --### Sharing links --Upon OneDrive geo move completion, the existing shared links for the files that were moved will automatically redirect to the new geo location. --### OneNote Experience --OneNote Win32 client and UWP (Universal) App will automatically detect and seamlessly sync notebooks to the new OneDrive location once OneDrive geo move is complete. The user doesn't need to sign-in again or take any other action. The only visible indicator to the user is notebook sync would fail when OneDrive geo move is in progress. This experience is available on the following OneNote client versions: --- OneNote Win32 ΓÇô Version 16.0.8326.2096 (and later)-- OneNote UWP ΓÇô Version 16.0.8431.1006 (and later)-- OneNote Mobile App ΓÇô Version 16.0.8431.1011 (and later)--### Teams app --Upon OneDrive geo move completion, users have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive prior to geo move will continue to work after move is complete. --### OneDrive Mobile App (iOS) --Upon OneDrive geo move completion, the user would need to sign out and sign in again on the iOS Mobile App to sync to the new OneDrive location. --### Existing followed groups and sites --Followed sites and groups show up in the user's OneDrive regardless of their geo location. Sites and groups hosted in another geo location will open in a separate tab. --### Delve Geo URL updates --Users will be sent to the Delve geo corresponding to their PDL only after their OneDrive has been moved to the new geo. |
enterprise | Turn Off Directory Synchronization | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/turn-off-directory-synchronization.md | You can use PowerShell to turn off directory synchronization and convert your sy To turn off Directory synchronization: -1. First, install the required software and connect to your Microsoft 365 subscription. For instructions, see [Connect with the Microsoft Azure Active Directory module for Windows PowerShell](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). +1. First, install the required software and connect to your Microsoft 365 subscription. For instructions, see [Connect with the Microsoft Graph PowerShell module for Windows PowerShell](/microsoft-365/enterprise/connect-to-microsoft-365-powershell#connect-with-microsoft-graph-powershell). -2. Use **Set-MsolDirSyncEnabled** to disable directory synchronization: +2. Use **Update-MgBetaOrganization** to disable directory synchronization: ```powershell- Set-MsolDirSyncEnabled -EnableDirSync $false + # Install v1.0 and beta Microsoft Graph PowerShell modules + Install-Module Microsoft.Graph -Force + Install-Module Microsoft.Graph.Beta -AllowClobber -Force + + # Connect With Global Admin Account + Connect-MgGraph -scopes "Organization.ReadWrite.All,Directory.ReadWrite.All" + + # Verify the current status of the DirSync Type + Get-MgOrganization | Select OnPremisesSyncEnabled + + # Store the Tenant ID in a variable named organizationId + $organizationId = (Get-MgOrganization).Id + + # Store the False value for the DirSyncEnabled Attribute + $params = @{ + onPremisesSyncEnabled = $false + } + + # Perform the update + Update-MgBetaOrganization -OrganizationId $organizationId -BodyParameter $params + + # Check that the command worked + Get-MgOrganization | Select OnPremisesSyncEnabled ``` >[!Note] >If you use this command, you must wait 72 hours before you can turn 
directory synchronization back on. -Visit [Set-MsolDirSyncEnabled](/powershell/module/msonline/set-msoldirsyncenabled) for more detailed information on cmdlet usage and switches. +Visit [Update-MgBetaOrganization](/powershell/module/microsoft.graph.beta.identity.directorymanagement/update-mgbetaorganization) for more detailed information on cmdlet usage and switches. |
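Review bot: the required privilege is stated only in the code comment `# Connect With Global Admin Account`; step 2's prose should say that the caller needs a Global Administrator account and must consent to the `Organization.ReadWrite.All` and `Directory.ReadWrite.All` scopes that the `Connect-MgGraph` line requests, otherwise a reader who skims the steps hits a permission error with no explanation. The block also installs both `Microsoft.Graph` and `Microsoft.Graph.Beta`, yet only `Update-MgBetaOrganization` uses the beta module while the read checks use `Get-MgOrganization` (v1.0); say why the beta cmdlet is needed for the write so the reader knows which module the 72-hour note applies to. Finally, the two `Install-Module ... -Force` lines run on every execution of the block; move them to a one-time prerequisite step before the `Connect-MgGraph` call.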
security | Configure Server Endpoints | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md | You can use any of the following options to install the agent: - [Install using the command line](#install-microsoft-defender-for-endpoint-using-the-command-line) - [Install using a script](#install-microsoft-defender-for-endpoint-using-a-script)-- [Apply the installation and onboarding packages using Group Policy](#apply-the-microsoft-defender-for-endpoint-installation-and-onboarding-packages-using-group-policy)+- [Apply the installation and onboarding packages using Group Policy](#apply-the-microsoft-defender-for-endpoint-installation-and-onboarding-packages-using-group-policy-when-performing-the-installation-with-an-installer-script) ##### Install Microsoft Defender For Endpoint using the command line You can use the [installer helper script](server-migration.md#installer-script) This script can be used in various scenarios, including those scenarios described in [Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution](/microsoft-365/security/defender-endpoint/server-migration) and for deployment using Group Policy as described below. -##### Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group policy +## Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group policy when performing the installation with an installer script 1. Create a group policy: <br> Open the [Group Policy Management Console](/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click **Group Policy Objects** you want to configure and select **New**. Enter the name of the new GPO in the dialogue box that is displayed and select **OK**. |
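Review bot: changing the heading from `#####` to `## Apply the Microsoft Defender for Endpoint installation and onboarding packages using Group policy when performing the installation with an installer script` breaks the heading hierarchy: it was a sibling of `##### Install Microsoft Defender For Endpoint using the command line` and now outranks the section it sits under, so it will appear as a top-level entry in the table of contents. Keep it at `#####` (the bullet-list anchor was updated to the new text and resolves at either level), or promote the sibling headings together. Also, the bullet says `Group Policy` while the heading says `Group policy`; use one capitalization.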
security | Tvm Software Inventory | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory.md | Access the software inventory page by selecting **Software inventory** from the The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. +The data is updated every three to four hours. There is currently no way to force a sync. + By default, the view is filtered by **Product Code (CPE): Available**. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support. :::image type="content" alt-text="Example of the landing page for software inventory." source="../../media/defender-vulnerability-management/software-inventory-page.png" lightbox="../../media/defender-vulnerability-management/software-inventory-page.png"::: |
security | Access Den Graph Api | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/access-den-graph-api.md | + + Title: Accessing Defender Experts notifications using Graph security API ++description: The method to access Defender Experts Notifications using Graph security API +++++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - tier1 + - essentials-overview ++search.appverid: met150 Last updated : 04/18/2024+++# Access incident notifications using Graph API ++**Applies to:** ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) ++[Defender Experts Notifications](onboarding-defender-experts-for-hunting.md#receive-defender-experts-notifications) are incidents that have been generated from hunting conducted by Defender Experts in your environment. They contain information regarding the hunting investigation and recommended actions provided by Defender Experts. You can now access DENs using the [Microsoft Graph security API](/graph/api/resources/security-api-overview). ++> [!NOTE] +> Any incident in the Microsoft Defender portal is a collection of correlated alerts. 
[Learn more](/graph/api/resources/security-incident) ++The following Defender Experts Notification details are available in the Microsoft Defender portal: ++- **Incident title** - starts with _Defender Experts_ to distinguish Defender Experts Notifications from other incidents +- **Executive summary** - provides an overview of the investigation summary +- **Recommendation summary** - lists the recommended actions from Defender Experts +- **Advanced hunting queries** - lists the converted KQL hunting queries used for the investigation ++In Microsoft Graph security API, the following fields are also available: ++- **Graph endpoint** - <https://graph.microsoft.com/beta/security/incidents> +- The following **field names** that correspond to the details mentioned earlier: + - displayName + - description + - recommendedActions + - recommendedHuntingQueries ++> [!NOTE] +> These fields will soon be available in Graph v1.0 endpoint. For more details, see [Microsoft Graph REST API v1.0](/graph/api/resources/security-incident) ++Your approach to consuming Defender Experts Notifications from the API will vary depending on the downstream system you intend to use and your specific requirements. However, the following is a basic implementation to help you get started: ++1. Get incidents from Graph security API +2. Check for new incidents where **displayName** starts with _Defender Experts_ +3. Continue reading the remaining fields for such incidents +4. Synchronize the Defender Experts Notification information into your downstream tool (for example, ServiceNow). ++### Next step ++- [Collaborate with Experts on Demand](experts-on-demand.md) |
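Review bot: step 2 of the basic implementation (`Check for new incidents where displayName starts with Defender Experts`) does not say how an integration should decide what counts as new on each poll, whether by what the downstream tool has already synchronized or by an incident timestamp; without that, a naive loop re-imports every Defender Experts incident on every run. Add a sentence on that, and state next to the `https://graph.microsoft.com/beta/security/incidents` endpoint that the beta endpoint may change before the fields reach v1.0, as the note below already implies. Also, the H1 `# Access incident notifications using Graph API` does not match the Title metadata `Accessing Defender Experts notifications using Graph security API`; align the two so search results and the page heading agree.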
security | Advanced Hunting Deviceinfo Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md | For information on other tables in the advanced hunting schema, [see the advance | `DeviceDynamicTags` | `string` | Device tags added and removed dynamically based on dynamic rules | | `ConnectivityType` | `string` | Type of connectivity from the device to the cloud | | `HostDeviceId` | `string` | Device ID of the device running Windows Subsystem for Linux |+| `AzureResourceId` | `string` | Unique identifier of the Azure resource associated with the device | |
security | Communicate Defender Experts Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md | Once you turn on chat on Teams, a new team named **Defender Experts team** is cr ### Email -The Defender Experts for XDR service typically sends automated emails whenever a managed response with completed or pending actions is published in the Microsoft XDR portal, or when it needs to remind you about incidents awaiting your action. +The Defender Experts for XDR service typically sends automated emails whenever a managed response with completed or pending actions is published in the Microsoft XDR portal, or when it needs to remind you about incidents awaiting your action. However, our experts could also send out emails to your identified notification contacts directly during any of the following situations: - When they require additional information or context to investigate an incident - When they detect a malicious or suspicious activity manually and outside of incidents or alerts in the Microsoft Defender XDR portal, and it requires a response action-- When they reply to the requests or queries sent to them through email +- When they reply to the requests or queries sent to them through email > [!IMPORTANT] > Remember to verify emails claiming to be from Defender Experts. In break-glass scenarios or matters that require immediate attention (for exampl ## Ask Defender Experts -While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. 
[Learn more](onboarding-defender-experts-for-hunting.md#collaborate-with-experts-on-demand) +While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. [Learn more](experts-on-demand.md) ## Collaborating with your service delivery manager |
security | Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md | Title: What is Microsoft Defender Experts for Hunting offering -description: Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints +description: Microsoft Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints The following capabilities included in this managed threat hunting service could - **Threat hunting and analysis** ΓÇô Defender Experts for Hunting look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks. - **Defender Experts Notifications** ΓÇô Notifications show up as incidents in Microsoft Defender XDR, helping to improve your security operations' incident response with specific information about the scope, method of entry, and remediation instructions.-- **Ask Defender Experts** ΓÇô Select **Ask Defender Experts** in the Microsoft Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector-related notifications.+- **Ask Defender Experts** ΓÇô Select [**Ask Defender Experts**](experts-on-demand.md) in the Microsoft Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector-related notifications. - **Hunter-trained AI** ΓÇô Our Defender Experts for Hunting share their learning back into the automated tools they use to improve threat discovery and prioritization. - **Reports** ΓÇô An interactive report summarizing what we hunted and what we found. |
security | Experts On Demand | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/experts-on-demand.md | + + Title: Collaborate with Experts on Demand using Ask Defender Experts ++description: Select Ask Defender Experts directly inside the Microsoft Defender security portal to get swift and accurate responses to all your threat hunting questions. +search.product: Windows 10 ++ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +++ms.localizationpriority: medium ++audience: ITPro ++ - m365-security + - tier1 + - essentials-get-started ++search.appverid: met150 Last updated : 04/18/2024+++# Collaborate with experts on demand +++**Applies to:** ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) ++> [!NOTE] +> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). ++Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. 
Ask Defender Experts can help: ++- Gather additional information on alerts and incidents, including root causes and scope +- Gain clarity into suspicious devices, alerts, or incidents and take next steps if faced with an advanced attacker +- Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques ++### Required permissions for submitting inquiries in the Ask Defender Experts panel ++You need to select one of the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions). ++|**Product name**|**Product RBAC permission**| +|||| +| Microsoft Defender for Endpoint RBAC | Manage security settings in the Security Center| +| Microsoft Defender XDR Unified RBAC | Authorization and settings \ Security settings \ Core security settings (manage)</br>Authorization and settings \ Security settings \ Detection tuning (manage) | ++### Where to find Ask Defender Experts ++The option to **Ask Defender Experts** is available in several places throughout the portal: ++- **Device page actions menu** +++- **Device inventory page flyout menu** +++- **Alerts page flyout menu** +++- **Incidents page actions menu** +++### Sample questions you can ask from Defender Experts ++**Alert information** ++- We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. Can you tell us more about this alert and if it's related to any incident and how we can investigate it further? +- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. 
One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference? +- We received an odd alert today about an abnormal number of failed logins from a high profile user's device. We can't find any further evidence for these attempts. How can Microsoft Defender XDR see these attempts? What type of logins are being monitored? +- Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"? +- I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert? ++**Possible device compromise** ++- Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity or incidents. +- Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago. ++**Threat intelligence details** ++- We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link? +- We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft Defender XDR provides against this threat actor? +- We recently observed a phishing campaign conducted against our organization. Can you tell us if this was targeted specifically to our company or vertical? ++**Microsoft Defender Experts for Hunting alert communications** ++- Can your incident response team help us address the Defender Experts Notification that we got? 
+- We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident? +- We received a Defender Experts Notification from Microsoft Defender Experts for Hunting. What data can you provide to us that we can pass on to our incident response team? ++### Next step ++- [Understand the Defender Experts for Hunting report in Microsoft Defender XDR](defender-experts-report.md) |
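Review bot: typo in `You need to select one of the following permissions before submitting inquires to our Defender experts`: `inquires` should be `inquiries`, and `select` should be `have`, since the table lists permissions the user must hold rather than options to choose from. The four bullets under `### Where to find Ask Defender Experts` are each followed only by blank lines, whereas the same list in the onboarding article carried a screenshot under every bullet; the images appear to have been dropped in the move and should be re-added, or the bullets merged into a single sentence.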
security | Onboarding Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md | A sample Defender Experts Notification shows up in your **Incidents** page with :::image type="content" source="../../media/mte/defenderexperts/sample-den-links-dexh.png" alt-text="Screenshot of Sample DEN links." lightbox="../../media/mte/defenderexperts/sample-den-links-dexh.png"::: -## Collaborate with experts on demand --> [!NOTE] -> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). --Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Ask Defender Experts can help: --- Gather additional information on alerts and incidents, including root causes and scope-- Gain clarity into suspicious devices, alerts, or incidents and take next steps if faced with an advanced attacker-- Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques--### Required permissions for submitting inquiries in the Ask Defender Experts panel --You need to select one of the following permissions before submitting inquires to our Defender experts. 
For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions). --|**Product name**|**Product RBAC permission**| -|||| -| Microsoft Defender for Endpoint RBAC | Manage security settings in the Security Center| -| Microsoft Defender XDR Unified RBAC | Authorization and settings \ Security settings \ Core security settings (manage)</br>Authorization and settings \ Security settings \ Detection tuning (manage) | --### Where to find Ask Defender Experts --The option to **Ask Defender Experts** is available in several places throughout the portal: --- **Device page actions menu**-- ![Screenshot of the Ask Defender Experts menu option in the Device page action menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-page-actions-menu.png) --- **Device inventory page flyout menu**-- ![Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-inventory-flyout-menu.png) --- **Alerts page flyout menu**-- ![Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/alerts-flyout-menu.png) --- **Incidents page actions menu**-- ![Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/incidents-page-actions-menu.png) --### Sample questions you can ask from Defender Experts --**Alert information** --- We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. 
Can you tell us more about this alert and if it's related to any incident and how we can investigate it further?-- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by Office 365." What is the difference?-- We received an odd alert today about an abnormal number of failed logins from a high profile user's device. We can't find any further evidence for these attempts. How can Microsoft Defender XDR see these attempts? What type of logins are being monitored?-- Can you give more context or insight about the alert and any related incidents, "Suspicious behavior by a system utility was observed"?-- I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert?--**Possible device compromise** --- Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity or incidents.-- Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago.--**Threat intelligence details** --- We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link?-- We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft Defender XDR provides against this threat actor?-- We recently observed a phishing campaign conducted against our organization. 
Can you tell us if this was targeted specifically to our company or vertical?--**Microsoft Defender Experts for Hunting alert communications** --- Can your incident response team help us address the Defender Experts Notification that we got?-- We received this Defender Experts Notification from Microsoft Defender Experts for Hunting. We don't have our own incident response team. What can we do now, and how can we contain the incident?-- We received a Defender Experts Notification from Microsoft Defender Experts for Hunting. What data can you provide to us that we can pass on to our incident response team?- ### Next step -- [Understand the Defender Experts for Hunting report in Microsoft Defender XDR](defender-experts-report.md)+- [Access Defender Experts Notifications using Microsoft Graph security API](access-den-graph-api.md) |
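Review bot: the `### Next step` change replaces the link to `defender-experts-report.md` with `access-den-graph-api.md`, so the report article is no longer reachable from the onboarding page, and the removed `## Collaborate with experts on demand` section is not replaced by a pointer to its new location. List `experts-on-demand.md` and the report article alongside the Graph API link (as `### Next steps`) so readers of the shortened page can still find the moved content.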
security | Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md | You can also get product updates and important notifications through the [messag - (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence. - Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**. - **Notifications in the Microsoft Defender portal** are now available. On the top right-hand side of the Defender portal, select the bell icon to view all your active notifications. Different types of notifications are supported such as success, info, warning, and error. Dismiss individual notifications or dismiss all from the notifications tab.+- The `AzureResourceId` column, which shows the unique identifier of the Azure resource associated with a device, is now available in the [DeviceInfo](advanced-hunting-deviceinfo-table.md) table in advanced hunting. ## February 2024 |
security | Air About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md | An alert is triggered, and a security playbook starts an automated investigation 1. An automated investigation is initiated in one of the following ways: - Either [an alert is triggered](#which-alert-policies-trigger-automated-investigations) by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins; or- - A security analyst [starts an automated investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer-real-time-detections-about.md). + - A security analyst [starts an automated investigation](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer-real-time-detections-about.md). 2. While an automated investigation runs, it gathers data about the email in question and _entities_ related to that email (for example, files, URLs, and recipients). The investigation's scope can increase as new and related alerts are triggered. During and after each automated investigation, your security operations team can - [Review and approve actions as a result of an investigation](air-review-approve-pending-completed-actions.md) > [!TIP]-> For a more detailed overview, see [How AIR works](air-about-office.md). +> For a more detailed overview, see [How AIR works](air-examples.md). ## How to get AIR |
security | Air Examples | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-examples.md | + + Title: How automated investigation and response works in Microsoft Defender for Office 365 +f1.keywords: +- NOCSH ++++audience: ITPro ++ms.localizationpriority: medium +search.appverid: +- MET150 +- MOE150 ++- m365-security +- tier2 Last updated : 06/09/2023+description: See how automated investigation and response capabilities work in Microsoft Defender for Office 365 ++- air +- seo-marvel-mar2020 ++appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> +++# How automated investigation and response works in Microsoft Defender for Office 365 +++As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Sometimes, security operations teams can feel overwhelmed by the volume of alerts that are triggered. Automated investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can help. ++AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond to detected threats. ++This article describes how AIR works through several examples. When you're ready to get started using AIR, see [Automatically investigate and respond to threats](air-about.md). 
++- [Example 1: A user-reported phish message launches an investigation playbook](#example-a-user-reported-phish-message-launches-an-investigation-playbook) +- [Example 2: A security administrator triggers an investigation from Threat Explorer](#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) +- [Example 3: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API](#example-a-security-operations-team-integrates-air-with-their-siem-using-the-office-365-management-activity-api) ++## Example: A user-reported phish message launches an investigation playbook ++Suppose that a user in your organization receives an email that they think is a phishing attempt. The user, trained to report such messages, uses the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md) to send it to Microsoft for analysis. The submission is also sent to your system and is visible in Explorer in the **Submissions** view (formerly referred to as the **User-reported** view). In addition, the user-reported message now triggers a system-based informational alert, which automatically launches the investigation playbook. ++During the root investigation phase, various aspects of the email are assessed. These aspects include: ++- A determination about what type of threat it might be; +- Who sent it; +- Where the email was sent from (sending infrastructure); +- Whether other instances of the email were delivered or blocked; +- An assessment from our analysts; +- Whether the email is associated with any known campaigns; +- and more. ++After the root investigation is complete, the playbook provides a list of recommended actions to take on the original email and the _entities_ associated with it (for example, files, URLs, and recipients). ++Next, several threat investigation and hunting steps are executed: ++- Similar email messages are identified via email cluster searches. 
+- The signal is shared with other platforms, such as [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). +- A determination is made on whether any users have clicked through any malicious links in suspicious email messages. +- A check is done across [Exchange Online Protection](eop-about.md) (EOP) and [Microsoft Defender for Office 365](mdo-about.md) to see if there are any other similar messages reported by users. +- A check is done to see if a user has been compromised. This check leverages signals across Office 365, [Microsoft Defender for Cloud Apps](/cloud-app-security), and [Microsoft Entra ID](/azure/active-directory), correlating any related user activity anomalies. ++During the hunting phase, risks and threats are assigned to various hunting steps. ++Remediation is the final phase of the playbook. During this phase, remediation steps are taken, based on the investigation and hunting phases. ++## Example: A security administrator triggers an investigation from Threat Explorer ++In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer-real-time-detections-about.md). This investigation also creates an alert, so Microsoft Defender XDR incidents and external SIEM tools can see that this investigation was triggered. ++For example, suppose that you are using the **Malware** view in Explorer. Using the tabs below the chart, you select the **Email** tab. If you select one or more items in the list, the **+ Actions** button activates. +++Using the **Actions** menu, you can select **Trigger investigation**. 
+++Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats. ++## Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API ++AIR capabilities in Microsoft Defender for Office 365 include [reports & details](air-view-investigation-results.md) that security operations teams can use to monitor and address threats. But you can also integrate AIR capabilities with other solutions. Examples include a security information and event management (SIEM) system, a case management system, or a custom reporting solution. These kinds of integrations can be done by using the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference). ++For example, recently, an organization set up a way for their security operations team to view user-reported phish alerts that were already processed by AIR. Their solution integrates relevant alerts with the organization's SIEM server and their case-management system. The solution greatly reduces the number of false positives so that their security operations team can focus their time and effort on real threats. To learn more about this custom solution, see [Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API](https://techcommunity.microsoft.com/t5/microsoft-security-and/improve-the-effectiveness-of-your-soc-with-office-365-atp-and/ba-p/1525185). ++## Next steps ++- [Get started using AIR](air-about.md) +- [View pending or completed remediation actions](air-review-approve-pending-completed-actions.md) |
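Review bot: the new air-examples.md replaces the content every other file in this change previously linked as air-about-office.md, but no redirect entry for the old air-about-office.md path is visible in this change; without one, existing bookmarks and external links to the old URL will 404. A smaller point in the same hunk: the in-page list labels the sections "Example 1:", "Example 2:", "Example 3:" while the headings themselves read "## Example: ..." with no number, so either number the headings or drop the numbers from the list.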
security | Air Remediation Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md | Microsoft Defender for Office 365 includes remediation actions to address variou |Email|Malicious URL <br> (A malicious URL was detected by [Safe Links](safe-links-about.md).)|Soft delete email/cluster <br> Block URL (time-of-click verification) <p> Email that contains a malicious URL is considered to be malicious.| |Email|Phish|Soft delete email/cluster <p> If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.| |Email|Zapped phish <br> (Email messages were delivered and then [zapped](zero-hour-auto-purge.md).)|Soft delete email/cluster <p> Reports are available to view zapped messages. [See if ZAP moved a message and FAQs](zero-hour-auto-purge.md#how-to-see-if-zap-moved-your-message).|-|Email|Missed phish email [reported](submissions-users-report-message-add-in-configure.md) by a user|[Automated investigation triggered by the user's report](air-about-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)| +|Email|Missed phish email [reported](submissions-users-report-message-add-in-configure.md) by a user|[Automated investigation triggered by the user's report](air-examples.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)| |Email|Volume anomaly <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.)|Automated investigation doesn't result in a specific pending action. <p>Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. 
See [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered).| |Email|No threats found <br> (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.)|Automated investigation doesn't result in a specific pending action. <p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer-real-time-detections-about.md).| |User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](safe-links-about.md#warning-pages-from-safe-links) to get to a malicious page.)|Automated investigation doesn't result in a specific pending action. <p> Block URL (time-of-click) <p> Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer-real-time-detections-about.md#click-verdict-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) to determine if their account is compromised.| |
security | Air Report False Positives Negatives | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md | appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -If [automated investigation and response (AIR) capabilities in Office 365](air-about-office.md) missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include: +If [automated investigation and response (AIR) capabilities in Office 365](air-about.md) missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include: - [Reporting a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis); - [Adjusting alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and |
security | Air User Automatic Feedback Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-user-automatic-feedback-response.md | To learn more about submissions and investigations in Defender for Microsoft 365 - [Automated investigation and response in Microsoft Defender for Office 365](air-about.md) - [View the results of an automated investigation in Microsoft 365](air-view-investigation-results.md) - [Admin review for reported messages](admin-review-reported-message.md)-- [How automated investigation and response works in Microsoft Defender for Office 365](air-about-office.md)+- [How automated investigation and response works in Microsoft Defender for Office 365](air-examples.md) |
security | Air View Investigation Results | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md | The investigation status indicates the progress of the analysis and actions. As |**Partially Remediated**|The investigation resulted in remediation actions, and some were approved and completed. Other actions are still [pending](air-review-approve-pending-completed-actions.md).| |**Failed**|At least one investigation analyzer ran into a problem where it couldn't complete properly. <p> **NOTE** If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details.| |**Queued By Throttling**|An investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance. <p> **TIP**: Pending actions can limit how many new investigations can run. Make sure to [approve (or reject) pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions).|-|**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).| +|**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).| ## View details of an investigation |
security | Mdo Sec Ops Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md | For a video about this information, see <https://youtu.be/eQanpq9N1Ps>. The **Incidents** page in the Microsoft Defender portal at <https://security.microsoft.com/incidents-queue> (also known as the _Incidents queue_) allows you to manage and monitor events from the following sources in Defender for Office 365: - [Alerts](/purview/alert-policies#default-alert-policies).-- [Automated investigation and response (AIR)](air-about-office.md).+- [Automated investigation and response (AIR)](air-about.md). For more information about the Incidents queue, see [Prioritize incidents in Microsoft Defender XDR](../defender/incident-queue.md). Campaign Views reveals malware and phishing attacks against your organization. F |Activity|Cadence|Description|Persona| |||||-|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](threat-explorer-investigate-delivered-malicious-email.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. 
Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team| +|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](threat-explorer-investigate-delivered-malicious-email.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team| ### Proactively hunt for threats Designate the reporting mailbox where user reported messages are sent on the **U > - The third-party reporting tool must include the original reported message as an uncompressed .EML or .MSG attachment in the message that's sent to the reporting mailbox (don't just forward the original message to the reporting mailbox). For more information, see [Message submission format for third-party reporting tools](submissions-user-reported-messages-custom-mailbox.md#message-submission-format-for-third-party-reporting-tools). 
> - The reporting mailbox requires specific prerequisites to allow potentially bad messages to be delivered without being filtered or altered. For more information, see [Configuration requirements for the reporting mailbox](submissions-user-reported-messages-custom-mailbox.md#configuration-requirements-for-the-reporting-mailbox). -When a user reported message arrives in the reporting mailbox, Defender for Office 365 automatically generates the alert named **Email reported by user as malware or phish**. This alert launches an [AIR playbook](air-about-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook). The playbook performs a series of automated investigations steps: +When a user reported message arrives in the reporting mailbox, Defender for Office 365 automatically generates the alert named **Email reported by user as malware or phish**. This alert launches an [AIR playbook](air-examples.md#example-a-user-reported-phish-message-launches-an-investigation-playbook). The playbook performs a series of automated investigations steps: - Gather data about the specified email. - Gather data about the threats and _entities_ related to that email (for example, files, URLs, and recipients). |
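Review bot: in the Threat Explorer row of the activities table, the link text "Example: A user-reported phish message launches an investigation playbook" does not match its anchor "#example-a-security-administrator-triggers-an-investigation-from-threat-explorer"; since the surrounding text is about the **Trigger investigation** action in Threat Explorer, the anchor is right and the link text should read "Example: A security administrator triggers an investigation from Threat Explorer".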
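Review bot: in the reporting-mailbox hunk, the updated line keeps the grammatical slip "a series of automated investigations steps"; since the line is being touched anyway, change it to "a series of automated investigation steps".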
security | Migrate To Defender For Office 365 Onboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md | Congratulations! You have completed your [migration to Microsoft Defender for Of Now you begin the normal operation and maintenance of Defender for Office 365. Monitor and watch for issues that are similar to what you experienced during the pilot, but on a larger scale. The [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [impersonation insight](anti-phishing-mdo-impersonation-insight.md) are most helpful, but consider making the following activities a regular occurrence: -- Review user reported messages, especially [user-reported phishing messages](air-about-office.md)+- Review user reported messages, especially [user-reported phishing messages](air-examples.md) - Review overrides in the [Threat protection status report](reports-email-security.md#threat-protection-status-report). - Use [Advanced Hunting](/microsoft-365/security/defender/advanced-hunting-example) queries to look for tuning opportunities and risky messages. |
security | Migrate To Defender For Office 365 Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md | For more information, see [Use mail flow rules to set the spam confidence level The first thing to do is configure [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) on the connector that's used for mail flow from your existing protection service into Microsoft 365. You can use the [Inbound messages report](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to help identify the connector. -Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), and post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). +Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), and post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about.md). To correctly enable Enhanced Filtering for Connectors, you need to add the **public** IP addresses of \*\***all\*\*** third-party services and/or on-premises email system hosts that route inbound mail to Microsoft 365. |
security | Office 365 Ti | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md | Threat investigation and response capabilities in [Microsoft Defender for Office - Making it easy to identify, monitor, and understand cyberattacks. - Helping to quickly address threats in Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams. - Providing insights and knowledge to help security operations prevent cyberattacks against their organization.-- Employing [automated investigation and response in Office 365](air-about-office.md) for critical email-based threats.+- Employing [automated investigation and response in Office 365](air-about.md) for critical email-based threats. Threat investigation and response capabilities provide insights into threats and related response actions that are available in the Microsoft Defender portal. These insights can help your organization's security team protect users from email- or file-based attacks. The capabilities help monitor signals and gather data from multiple sources, such as user activity, authentication, email, compromised PCs, and security incidents. Business decision makers and your security operations team can use this information to understand and respond to threats against your organization and protect your intellectual property. 
Threat investigation and response capabilities in the Microsoft Defender portal - [Explorer](#explorer) - [Incidents](#incidents) - [Attack simulation training](attack-simulation-training-simulations.md)-- [Automated investigation and response](air-about-office.md)+- [Automated investigation and response](air-about.md) ### Explorer To view and use this feature in the Microsoft Defender portal at <https://securi ### Automated investigation and response -Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever certain alerts are triggered, or when started by your security operations team. To learn more, see [automated investigation and response in Office 365](air-about-office.md). +Use automated investigation and response (AIR) capabilities to save time and effort correlating content, devices, and people at risk from threats in your organization. AIR processes can begin whenever certain alerts are triggered, or when started by your security operations team. To learn more, see [automated investigation and response in Office 365](air-examples.md). ## Threat intelligence widgets |
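Review bot: the same link text "automated investigation and response in Office 365" is repointed to air-about.md in the first hunk of this file but to air-examples.md in the last one ("To learn more, see ..."); pick one target, or change the last link's text to "How automated investigation and response works" so the text matches the page it opens.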
security | Siem Integration With Office 365 Ti | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md | The following table summarizes the values of **AuditLogRecordType** that are rel [Office 365 threat investigation and response](office-365-ti.md) -[Automated investigation and response (AIR) in Office 365](air-about-office.md) +[Automated investigation and response (AIR) in Office 365](air-about.md) |
security | How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md | You can start using *Action Center* to act on pending action items from all inci [Manage incidents in Microsoft Defender XDR | Microsoft Docs](../../defender/manage-incidents.md). -[How automated investigation and response works in Microsoft Defender for Office 365](../air-about-office.md). +[How automated investigation and response works in Microsoft Defender for Office 365](../air-examples.md). [Remediation actions in Microsoft Defender for Office 365](../air-remediation-actions.md). |
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | After you submit a user reported message to Microsoft from the **User reported** :::image type="content" source="../../media/admin-submission-user-reported-submit-button-options.png" alt-text="The Trigger investigation action in the Submit to Microsoft for analysis dropdown list." lightbox="../../media/admin-submission-user-reported-submit-button-options.png"::: -For more information, see [Trigger an investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). +For more information, see [Trigger an investigation](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). #### Notify users about admin submitted messages to Microsoft |
security | Threat Explorer Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-email-security.md | The verdict values are described in the following list: ## Start automated investigation and response in Threat Explorer -[Automated investigation and response (AIR)](air-about-office.md) in Defender for Office 365 Plan 2 can save time and effort as you investigate and mitigate cyberattacks. You can configure alerts that trigger a security playbook, and you can start AIR in Threat Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). +[Automated investigation and response (AIR)](air-about.md) in Defender for Office 365 Plan 2 can save time and effort as you investigate and mitigate cyberattacks. You can configure alerts that trigger a security playbook, and you can start AIR in Threat Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). ## Other articles |
security | Threat Explorer Real Time Detections About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md | When you open the query by selecting **Explore** from the **Threat tracker** pag - [Find and investigate malicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md) - [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) - [Threat protection status report](reports-email-security.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](air-about-office.md)+- [Automated investigation and response in Microsoft Threat Protection](air-about.md) |
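Review bot: this hunk updates only the path, leaving the link text "Automated investigation and response in Microsoft Threat Protection", a product name the rest of this change no longer uses; since air-about.md is titled "Automated investigation and response in Microsoft Defender for Office 365" (as linked from air-user-automatic-feedback-response.md in this same change), update the link text to match.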
security | Threat Explorer Threat Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md | In addition to the scenarios outlined in this article, you have more options in - [Threat protection status report](reports-email-security.md#threat-protection-status-report) - [Automated investigation and response in Microsoft Defender XDR](../defender/m365d-autoir.md)-- [Trigger an investigation from Threat Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).+- [Trigger an investigation from Threat Explorer](air-examples.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). |
security | Trial User Guide Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md | Watch this video to learn more: [Campaign Views in Microsoft Defender for Office Respond efficiently using Automated investigation and response (AIR) to review, prioritize, and respond to threats. -- [Learn more](air-about-office.md) about investigation user guides.+- [Learn more](air-examples.md) about investigation user guides. - [View details and results](email-analysis-investigations.md) of an investigation. - Eliminate threats by [approving remediation actions](air-remediation-actions.md). |
security | Try Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md | Remember, when you evaluate or try Defender for Office 365 in audit mode, specia [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as _skip listing_) is automatically configured on the connector that you specify. - When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). + When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about.md). - **I'm only using Microsoft Exchange Online**: The MX records for your domain point to Microsoft 365. There's nothing left to configure, so select **Finish**. |
solutions | Cloud Architecture Models | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/cloud-architecture-models.md | This illustration provides a deployment plan for building Zero Trust security wi | Item | Description | |:--|:--|-|[![Illustration of the Microsoft 365 Zero Trust deployment plan.](../medi)</li></ul>| +|[![Illustration of the Microsoft 365 Zero Trust deployment plan.](../medi)</li></ul>| <a name="intune-enrollment"></a> ### Intune enrollment options This guidance helps you decide which enrollment option is best for your endpoint |[![A visual representation of Intune enrollment options by platform](../medi)</li><li>[Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)</ul>| <a name="attacks"></a>-### Common attacks and Microsoft capabilities that protect your organization +### Common attacks and how Microsoft capabilities for Zero Trust can protect your organization -Learn about the most common cyber attacks and how Microsoft can help your organization at every stage of an attack. +Learn about the most common cyber attacks and how Microsoft capabilities for Zero Trust can help your organization at every stage of an attack. | Item | Description | |:--|:--|-|[![Illustration of the Common attacks poster.](../medi)</li></ul>| +|[![Illustration of the Common attacks poster.](../medi)</li></ul>| <a name="identity"></a> ### Microsoft cloud identity for IT architects What IT architects need to know about designing identity for organizations using | Item | Description | |:--|:--|-|[![Thumb image for Microsoft cloud identity model.](../media/solutions-architecture-center/msft-cloud-identity-model-thumb.png)](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> [PDF](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> Updated November 2021 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Microsoft Entra IDaaS capabilities </li><li>Zero Trust identity and device access policies</li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Microsoft Entra ID </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>| +|[![Thumb image for Microsoft cloud identity model.](../media/solutions-architecture-center/msft-cloud-identity-model-thumb.png)](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> [PDF](https://download.microsoft.com/download/3/6/a/36a7c1ba-fe48-414f-92c9-9c9ddba323cd/5594928a.pdf) <br/> Updated November 2021 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Microsoft Entra IDaaS capabilities </li><li>Zero Trust identity and device access policies</li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Microsoft Entra ID </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>| <a name="security"></a> ### Microsoft cloud security for IT architects What IT architects need to know about networking for Microsoft cloud services an | Item | Description | |:--|:--|-|[![Thumb image for Microsoft cloud networking model.](../media/solutions-architecture-center/msft-cloud-networking-model-thumb.png)](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) <br/> [View as a PDF](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) \| [Download as a PDF](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) \| [Download as a Visio](https://download.microsoft.com/download/d/4/0/d405b909-ee8f-4d08-a5e3-ed0f04ec1b47/MSFT_cloud_architecture_networking.vsdx) <br/>Updated August 2020 | This model contains: <ul><li> Evolving your network for cloud connectivity </li><li> Common elements of Microsoft cloud connectivity </li><li> ExpressRoute for Microsoft cloud connectivity </li><li> Designing networking for Microsoft SaaS, Azure PaaS, and Azure IaaS </li></ul><br/> <br/>| +|[![Thumb image for Microsoft cloud networking model.](../media/solutions-architecture-center/msft-cloud-networking-model-thumb.png)](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) <br/> [PDF](https://download.microsoft.com/download/e/1/5/e15241c4-c5e7-4b23-8c02-1b83fd6bc02e/MSFT_cloud_architecture_networking.pdf) \| [Visio](https://download.microsoft.com/download/d/4/0/d405b909-ee8f-4d08-a5e3-ed0f04ec1b47/MSFT_cloud_architecture_networking.vsdx) <br> Updated August 2020 | This model contains: <ul><li> Evolving your network for cloud connectivity </li><li> Common elements of Microsoft cloud connectivity </li><li> ExpressRoute for Microsoft cloud connectivity </li><li> Designing networking for Microsoft SaaS, Azure PaaS, and Azure IaaS </li></ul><br/><br/>| <a name="hybrid"></a> ### Microsoft hybrid cloud for IT architects What IT architects need to know about hybrid cloud for Microsoft services and pl | Item | Description | |:--|:--|-|[![Thumb image for the Microsoft hybrid cloud model.](../media/solutions-architecture-center/msft-hybrid-cloud-model-thumb.png)](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) <br/> [View as a PDF](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_hybrid.vsdx) <br>Updated August 2020 | This model contains: <ul><li> Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements </li><li> Hybrid cloud architecture for Microsoft's cloud offerings </li><li> Hybrid cloud scenarios for Microsoft SaaS (Office 365), Azure PaaS, and Azure IaaS </li></ul><br/>| +|[![Thumb image for the Microsoft hybrid cloud model.](../media/solutions-architecture-center/msft-hybrid-cloud-model-thumb.png)](https://download.microsoft.com/download/c/6/2/c621c5f5-3f9e-4580-b1df-2597ec6e86ed/MSFT_cloud_architecture_hybrid.pdf) <br/> [PDF](https://download.microsoft.com/download/c/6/2/c621c5f5-3f9e-4580-b1df-2597ec6e86ed/MSFT_cloud_architecture_hybrid.pdf) \| [Visio](https://download.microsoft.com/download/e/d/3/ed3bdd9d-df30-4243-b672-f2c36a29a2e6/MSFT_cloud_architecture_hybrid.vsdx) <br> Updated August 2020 | This model contains: <ul><li> Microsoft's cloud offerings (SaaS, Azure PaaS, and Azure IaaS) and their common elements </li><li> Hybrid cloud architecture for Microsoft's cloud offerings </li><li> Hybrid cloud scenarios for Microsoft SaaS (Office 365), Azure PaaS, and Azure IaaS </li></ul><br/>| ### Architecture approaches for Microsoft cloud tenant-to-tenant migrations This series of topics illustrates several architecture approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate to a new cloud tenant. These topics provide starting-point guidance for enterprise resource planning. |
solutions | Collaboration Governance Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaboration-governance-overview.md | The logical architecture of productivity services in Microsoft 365, leading with |**Item**|**Description**| |:--|:--|-|[![Thumb image for Teams logical architecture poster.](../downloads/msft-teams-logical-architecture-thumb.png)](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) <br/> [PDF](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) \| [Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-teams-logical-architecture.vsdx) <br>Updated April 2019 |Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities. <br/> <br/>This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.| +|[![Thumb image for Teams logical architecture poster.](../downloads/msft-teams-logical-architecture-thumb.png)](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) <br/> [PDF](https://download.microsoft.com/download/8/c/2/8c2d4d29-a6dd-4d98-92e9-be496f1681df/msft-m365-teams-logical-architecture.pdf) <br>Updated April 2019 |Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities. <br/> <br/>This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.| ### Microsoft 365 information protection and compliance capabilities |
solutions | Productivity Illustrations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/productivity-illustrations.md | Security and information protection for multi-region organizations with a single | Item | Description | |:--|:--|-|[![Multi-region infographic.](../media/solutions-architecture-center/multi-region-single-tenant-security-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.pdf) \| [Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-security-info-protect-multi-region.vsdx)<br>Updated March 2020 |Using a single Microsoft 365 tenant for your global organization is the best choice and experience for many reasons. However, many architects wrestle with how to meet security and information protection objectives across different regions. This set of topics provides recommendations. | +|[![Multi-region infographic.](../media/solutions-architecture-center/multi-region-single-tenant-security-thumb.png)](https://download.microsoft.com/download/b/4/8/b482e1b1-8688-4319-b4ff-a476a4ba46ab/msft-security-info-protect-multi-region.pdf) <br/> [PDF](https://download.microsoft.com/download/b/4/8/b482e1b1-8688-4319-b4ff-a476a4ba46ab/msft-security-info-protect-multi-region.pdf) \| [Visio](https://download.microsoft.com/download/6/8/9/689c1c79-6229-443c-874d-df501bb86f10/msft-security-info-protect-multi-region.vsdx)<br>Updated March 2020 |Using a single Microsoft 365 tenant for your global organization is the best choice and experience for many reasons. However, many architects wrestle with how to meet security and information protection objectives across different regions. This set of topics provides recommendations. | <!-- ## Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations Depending on your environment, some tools are better suited for certain architec | Item | Description | |:--|:--| |[![Thumb image for Microsoft Defender for Endpoint deployment strategy.](../medie-deployment-strategy.vsdx) <br>Updated September 2021| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premises</li><li>Evaluation and local onboarding</li> |-<!-- --<a name="BKMK_O365IDP"></a> -## Zero Trust identity and device protection for Microsoft 365 --Recommended Zero Trust capabilities for protecting identities and devices that access Microsoft 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy. --| Item | Description | -|:--|:--| -|[![Model poster: Zero Trust identity and device protection for Microsoft 365.](../media/zero-trust-identity-device-access-policies-overview/zero-trust-id-device-protection-model-thumbnail.png)](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx) <br/> Updated November 2021|It's important to use consistent levels of protection across your data, identities, and devices. This model shows you which Zero Trust capabilities are comparable with more information on capabilities to protect identities and devices. <br/> | > <a name="BKMK_ediscovery"></a> ## eDiscovery (Premium) architecture in Microsoft 365 |
solutions | Tenant Management Networking | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/tenant-management-networking.md | Here is an example of an enterprise organization and its tenant with optimal net ![Example of a tenant with optimal networking.](../media/tenant-management-overview/tenant-management-tenant-build-step2.png) -[See a larger version of this image](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/tenant-management-overview/tenant-management-tenant-build-step2.png) - In this illustration, the tenant for this enterprise organization has: - Local internet access for each branch office with an SDWAN device that forwards trusted Microsoft 365 traffic to a local front door. |