Updates from: 04/21/2021 03:34:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin Contact Support For Business Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/contact-support-for-business-products.md
localization_priority: Priority -- M365-subscription-management - Adm_O365 - Adm_TOC
Assisted support options are for admins of Office 365 Germany subscribed organiz
You can also [search the Microsoft 365 for business community forums](https://go.microsoft.com/fwlink/p/?LinkId=518605) to find known issues and trending topics, or to post a new question. The community forums are monitored by trained Microsoft support agents who can help resolve your issue.
admin About Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/about-shared-mailboxes.md
Before you [create a shared mailbox](create-a-shared-mailbox.md), here are some
> [!NOTE] > To access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox doesn't require a separate license. Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You shouldn't use the account to log in to the shared mailbox. Without a license, shared mailboxes are limited to 50 GB. To increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. This will also let you enable auto-expanding archiving for an unlimited amount of archive storage capacity. Similarly, if you want to place a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. If you want to apply advanced features such as Microsoft Defender for Office 365, Advanced eDiscovery, or automatic retention policies, the shared mailbox must be licensed for those features.
-## Related articles
+## Related content
[Create a shared mailbox](create-a-shared-mailbox.md)
admin Set Password Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/set-password-expiration-policy.md
This article is for people who set password expiration policy for a business, sc
As an admin, you can make user passwords expire after a certain number of days, or set passwords to never expire. By default, passwords are set to never expire for your organization.
-Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers. We recommend enabling [multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md).
+Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers. We recommend enabling [multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md). To learn more about password policy, check out [Password policy recommendations](../misc/password-policy-recommendations.md).
You must be a [global admin](../add-users/about-admin-roles.md) to perform these steps.
admin Content Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/content-collaboration.md
A key aspect of digital transformation is how people collaborate in files. With
We provide a primary insight that contains the key metrics for content collaboration in your organization. Then, a scoring framework detailed below is used for these metrics to calculate your organization's score.
+> [!NOTE]
+> On April 22, 2021, we changed how the collaborators metric is calculated. This affects the [primary insight](#primary-insight), the [file collaboration insight](#number-of-files-collaborated-on), and the way the content collaboration score is measured. This change helps reduce noise in the data from non-human agents (or bots) from Microsoft and other third-party applications, resulting in a more accurate and actionable score.
+ ### Primary insight Microsoft OneDrive for Business and SharePoint help people to easily create, read, and discover their individual and shared content in Microsoft 365 from across devices and applications. They also allow people to securely share and collaborate on content. The primary insight contains information from everyone who can use OneDrive for Business and SharePoint. Additionally it breaks down the details about how many people read, create, and collaborate on content stored in OneDrive for Business and SharePoint.
Types considered for this information include Word, Excel, PowerPoint, OneNote,
They're defined as follows:</br> **Readers:** People who access or download online files in OneDrive or SharePoint.</br> **Creators:** People who create, modify, upload, sync, check in, copy, or move online OneDrive or SharePoint files.</br>
- **Collaborators:** People who collaborate with online files using OneDrive or SharePoint. Two people are collaborators if one of them reads or edits an online Office app or PDF after the other person has created or modified it, within a 28-day window.
+ **Collaborators:** People who collaborate with online files by using OneDrive or SharePoint. Two people are collaborators if one of them reads or edits an online Office app or PDF after the other person has created or modified it, within a 28-day window.
> [!NOTE] > The files considered in the visualization are Word, Excel, PowerPoint, OneNote, or PDF files that are online and saved to OneDrive or SharePoint.
The trend visualizations chart shows the trend-line of the primary insight key m
### Scoring framework
-The content collaboration score for your organization measures at an aggregate (organization) level whether people are consistently reading, creating, or collaborating on online Office files, such as Word, Excel, PowerPoint, OneNote, or PDFs;, or in OneDrive or SharePoint.
-
-Scores are not provided at the individual user level .
+The content collaboration score for your organization measures at an aggregate (organization) level whether people are consistently reading, creating, or collaborating on online Office files such as Word, Excel, PowerPoint, OneNote, or PDFs, or in OneDrive or SharePoint.
+Scores are not provided at the individual user level.
## Explore how your organization collaborates
-We also provide you with information that helps you gain visibility into how your organization collaborates on content. These additional metrics don't directly contribute to your Productivity Score but help you create an action plan plan as part of your digital transformation to help optimize the way people work.
+We also provide you with information that helps you gain visibility into how your organization collaborates on content. These additional metrics don't directly contribute to your Productivity Score but help you create an action plan as part of your digital transformation to help optimize the way people work.
### Creating files in OneDrive or SharePoint
We also provide you with information that helps you gain visibility into how you
3. **Visualization:** The breakdown in the visualization is meant to represent the extent to which people who are attaching content in emails are using different modes (files not on OneDrive or SharePoint; links to online files; and links embedded in the email): - **Attach files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represents the percentage of people using attachments in emails. - Numerator: The number of people who attach files to email that weren't saved to OneDrive or SharePoint within the last 28 days.
- - Denominator:  Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
+ - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
- **Links to online files:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people using attachments and attaching links to files in emails. - Numerator: The number of people attaching links to online files (saved to OneDrive or SharePoint) to emails within the last 28 days.
- - Denominator:  Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
+ - Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
- **Embed links in email:** The blue (colored) portion of the bar and the fraction on the bar represent the percentage of people who embed links in body of the emails. - Numerator: The number of people embedding links in body of emails to online files (saved to OneDrive or SharePoint) within the last 28 days.
- - Denominator:  Denominator: The number of people who have access to Exchange and OneDrive,SharePoint, or both within the last 28 days.
+ - Denominator: The number of people who have access to Exchange and OneDrive, SharePoint, or both within the last 28 days.
4. **Link to resources:** Select this link to view help content. ### Sharing of online files
We also provide you with information that helps you gain visibility into how you
:::image type="content" source="../../media/intensityofcollab.png" alt-text="Chart showing how many files were most collaborated on.":::
-1. **Header:** This highlights the percentage of people who have access to OneDrive or SharePoint who are collaborating on 4 or more files.
-2. **Body:** This provides information about how people can leverage online files for better collaboration.
-3. **Visualization:** This shows a distribution of the people who have access to OneDrive or SharePoint, based on the number of files they collaborate on. This is shown through the following 4 categories (for each, the blue portion of the bar and the fraction represent the percentage of people who have access to OneDrive or SharePoint that fall into that category):
+1. **Header:** Highlights the percentage of people who have access to OneDrive or SharePoint who are collaborating on 4 or more files.
+2. **Body:** Provides information about how people can leverage online files for better collaboration.
+3. **Visualization:** Shows a distribution of the people who have access to OneDrive or SharePoint, based on the number of files they collaborate on. This is shown through the following 4 categories (for each, the blue portion of the bar and the fraction represent the percentage of people who have access to OneDrive or SharePoint that fall into that category):
- **No collaboration:**
- - **Numerator:** The number of people not collaborating on any files in the last 28 days
- - **Denominator:** The total number of people who have access to OneDrive or SharePoint for at least 1 of last 28 days.
+ - Numerator: Number of people not collaborating on any files in the last 28 days.
+ - Denominator: Total number of people who have access to OneDrive or SharePoint for at least 1 of the last 28 days.
- **Collaboration on 1-3 files:**
- - **Numerator:** The number of people collaborating on 1-3 files in the last 28 days.
- - **Denominator:** The total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
+ - Numerator: Number of people collaborating on 1-3 files in the last 28 days.
+ - Denominator: Total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
- **Collaboration on 4-10 files:**
- - **Numerator:** The number of people collaborating on 4-10 files in the last 28 days
- - **Denominator: The** total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
+ - Numerator: Number of people collaborating on 4-10 files in the last 28 days.
+ - Denominator: Total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
- **Collaboration on 11 or more files:**
- - **Numerator:** The number of people collaborating on 11 or more files in the last 28 days
- - **Denominator:** The total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
+ - Numerator: Number of people collaborating on 11 or more files in the last 28 days.
+ - Denominator: Total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
4. **Link to resources:** Select this link to view help content.
We also provide you with information that helps you gain visibility into how you
1. **Header:** Highlights the percentage of devices out of all tested that has poor network connection to OneDrive and SharePoint. 2. **Body:** Provides information about why network connection performance important for collaboration.
-3. **Visualization:** shows a percentage of devices with different levels of network connectivity performance related to OneDrive and SharePoint:
- - **81-100 (best)**: The dark green (colored) portion of the bar represent percentage of devices with best performance.
- - **61-80**: The green (colored) portion of the bar represent percentage of devices with network performance score between 60-80.
- - **41-60**: The orange (colored) portion of the bar represent percentage of devices with network performance score between 40-60.
- - **21-40**: The red (colored) portion of the bar represent percentage of devices with network performance score between 20-40.
- - **0-20**: The dark red (colored) portion of the bar represent percentage of devices with worst network performance score between 0-20.
+3. **Visualization:** Shows a percentage of devices with different levels of network connectivity performance related to OneDrive and SharePoint:
+ - **81-100 (best)**: The dark green (colored) portion of the bar represents the percentage of devices with the best performance.
+ - **61-80**: The green (colored) portion of the bar represents the percentage of devices with a network performance score between 60-80.
+ - **41-60**: The orange (colored) portion of the bar represents the percentage of devices with a network performance score between 40-60.
+ - **21-40**: The red (colored) portion of the bar represents the percentage of devices with a network performance score between 20-40.
+ - **0-20**: The dark red (colored) portion of the bar represents the percentage of devices with the worst network performance score between 0-20.
## Related content
business-video Add Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/add-domain.md
To receive email at your new domain, you'll need to add a new email alias for ea
1. Choose **Manage email aliases**, and then **Add an alias**. 1. Enter the username, and then choose the new domain from the drop-down list. 1. Select **Save changes**, and then close the window.
-1. Repeat these steps for each user who should receive email at the new domain.
+1. Repeat these steps for each user who should receive email at the new domain.
+
+## Related content
+
+[Add a domain to Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/setup/add-domain) (article)
+[Add DNS records to connect your domain](https://docs.microsoft.com/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) (article)
+[Change nameservers to set up Microsoft 365 with any domain registrar](https://docs.microsoft.com/microsoft-365/admin/get-help-with-domains/change-nameservers-at-any-domain-registrar) (article)
+[Domains FAQ](https://docs.microsoft.com/microsoft-365/admin/setup/domains-faq) (article)
business-video Change User Name Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/change-user-name-email.md
Occasionally, you may need to change a user's name or email address. You can do
1. Enter the new username, verify the domain, and select **Save changes**. As a result of this change, the user will need to sign in to Microsoft 365 with this new username and add the new email account to Outlook.+
+## Related content
+
+[Give mailbox permissions to another user](https://docs.microsoft.com/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user) (article)
+[Convert a user mailbox to a shared mailbox](https://docs.microsoft.com/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox) (article)
+[User email settings](https://docs.microsoft.com/microsoft-365/admin/email/office-365-user-email-settings) (article)
business-video Join Team Guest https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/join-team-guest.md
If you receive a Microsoft Teams invitation to join a team, there are a couple o
1. Just open Microsoft Teams app and choose **Yes** to switch to the team you are invited to. Now you can collaborate on the project in Teams. 2. To switch back to your company's team, select it from the **Organization** drop-down.+
+## Related content
+
+[Guest experience in Teams](https://docs.microsoft.com/microsoftteams/guest-experience) (article)
+[Manage Microsoft Teams settings for your organization](https://docs.microsoft.com/microsoftteams/enable-features-office-365) (article)
+[Use guest access and external access to collaborate with people outside your organization](https://docs.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations) (article)
business-video Set Up Self Serve Password Reset https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/set-up-self-serve-password-reset.md
To let your users reset their own passwords without having to contact you each t
1. Select **All** to enable self-service password reset, and then select **Save**. The next time a user signs in to their account, they're asked for their user ID and password. They select **Next**, and then choose whether to authenticate with their phone, email, or both. They enter the code they receive, select **Verify**, and then select **Finish**. When they're done, they can reset their own password.+
+## Related content
+
+[Set the password expiration policy for your organization](https://docs.microsoft.com/microsoft-365/admin/manage/set-password-expiration-policy) (article)
+[Set an individual user's password to never expire](https://docs.microsoft.com/microsoft-365/admin/add-users/set-password-to-never-expire) (article)
+[Turn off strong password requirements for users](https://docs.microsoft.com/microsoft-365/admin/add-users/strong-password) (article)
business-video Shared Calendar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/shared-calendar.md
A shared calendar can help you quickly see when people are available for meeting
1. On the **Home** tab, choose **Add Calendar**, then **From Address Book**. 1. Add users to the shared calendar by entering their name or selecting their name from the list, and then choose **OK**. 1. You can now view your calendar and the calendars for the people you added.
-1. To check your group's availability, choose the **Day** view.
+1. To check your group's availability, choose the **Day** view.
+
+## Related content
+
+[Manage your calendar and contacts in Outlook](https://support.microsoft.com/office/manage-your-calendar-and-contacts-in-outlook-631a182a-21e0-4e41-8fa2-0d83e55da02d) (article)
+[Email collaboration](https://docs.microsoft.com/microsoft-365/admin/email/email-collaboration) (article)
+[Overview of the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-video/admin-center-overview) (article)
business-video Stop Email Auto Forward https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/stop-email-auto-forward.md
If a hacker gains access to a user's mailbox, they can auto-forward the user's e
1. Enter the message text for your explanation, then select **OK**. 1. Scroll to the bottom and select **Save**.
- Your rule has been created, and hackers will no longer be able to auto-forward messages.
+ Your rule has been created, and hackers will no longer be able to auto-forward messages.
+
+## Related content
+
+[Add another email alias for a user](https://docs.microsoft.com/microsoft-365/admin/email/add-another-email-alias-for-a-user) (article)
+[Configure email forwarding in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/email/configure-email-forwarding) (article)
+[Find and fix email delivery issues as an Office 365 for business admin](https://docs.microsoft.com/exchange/troubleshoot/email-delivery/email-delivery-issues) (article)
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
We use the registration number to review the details of your account. This lets
For countries where the registration number is mandatory, the label above the text box indicates what type of number is required.
-For example, in the following screenshot, the label indicates that a CNPJ registration number is needed.
+For example, in the following screenshot, the label indicates that a CNPJ (Brazilian) registration number is needed.
:::image type="content" source="../media/macregnum-cnpj-screenshot-400.png" alt-text="Screenshot of the registration number field for C N P J number.":::
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
+
+ Title: "Labeling actions reported in Activity explorer"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+- M365-security-compliance
+- m365solution-mip
+- m365initiative-compliance
+search.appverid:
+- MOE150
+- MET150
+description: "listing of labeling actions that are available in activity explorer."
++
+# Labeling activities that are available in Activity explorer
+
+## Sensitivity label applied
+
+This event is generated each time an unlabeled document is labeled or an email is sent with a label.
+
+- It is captured at the time of save in Office native applications and web applications.
+- It is captured at the time of occurrence in Azure Information protection add-ins.
+- Upgrade and downgrade labels actions can also be monitored via the *Label event type* field and filter.
++
+|Source |Reported in activity explorer | Note |
+||||
+| Word, Excel, PowerPoint|yes |
+|Outlook| yes |from Win 32 |
+|SharePoint online, OneDrive|yes | |
+|Exchange |yes | |
+|Azure Information Protection (AIP) unified client and AIP unified scanner |yes |the AIP *new label* action is mapped to *label applied* in activity explorer |
+|Microsoft information protection (MIP) SDK |yes|the AIP *new label* action is mapped to *label applied* in activity explorer|
+|Rights Management Service (RMS) |not applicable | |
+|Power BI desktop and web | no| accessible in the Microsoft 365 audit logs |
+|Microsoft Cloud App Security (MCAS) |no| |
+
+## Sensitivity label changed
+
+This event is generated each time a label is updated on the document or email.
+
+- For the AIP Unified client, Unified Scanner and MIP SDK sources, the AIP *upgrade label* and *downgrade label* action maps to activity explorer *label changed*
+
+- It is captured at the point of save in Office native applications and web applications.
+- It is captured at the time of occurrence in Azure Information protection unified client add-ins and scanner enforcements
+- Upgrade and downgrade labels actions can also be monitored via the *Label event type* field and filter. The *justification* text is also captured except for SharePoint Online and OneDrive.
+- Sensitivity labeling done in Office native apps on Outlook collects the last action that was generated before file save/email send actions. For example, if the user changes label on an email multiple times before sending, the last label found on the email when it is sent is captured in the audit log and then reported in activity explorer.
++
+|Source |Reported in activity explorer|Note |
+||||
+|Word, Excel, PowerPoint |yes |
+|Outlook |yes |Win 32|
+|SharePoint Online, OneDrive |yes |
+|Exchange |yes |
+|AIP unified client |yes |
+|AIP unified scanner |yes |
+|MIP SDK |yes |
+|RMS service |not applicable |
+|Power BI desktop and Web |no |accessible in the Microsoft 365 audit logs |
+|MCAS |no | |
+
+## Sensitivity label removed
+
+This event is generated each time a label is removed from a file or document.
+
+- This event is captured at the time of save in Office native applications and web applications.
+- It is captured at the time of occurrence in Azure Information protection add-ins.
+- Sensitivity labeling, with Office native MIP label, on Outlook collects the last labeling event that was generated before file save/email send actions.
+
+|Source |Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |yes |
+|Outlook |yes |Win 32|
+|SharePoint Online, OneDrive |yes |
+|Exchange |yes |
+|AIP unified client |yes |the AIP *remove label* action is mapped to the *label removed* action in activity explorer|
+|AIP unified scanner |yes |the AIP *remove label* action is mapped to the *label removed* action in activity explorer |
+|MIP SDK |yes |the AIP *remove label* action is mapped to the *label removed* action in activity explorer |
+|RMS service |not applicable |
+|Power BI desktop and Web |no |accessible in the Microsoft 365 audit logs |
+|MCAS |no | |
+
+
+## Sensitivity label file read
+
+This event is generated each time a labeled or protected document is opened.
+
+|Source |Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |yes |
+|Outlook |no |
+|SharePoint Online, OneDrive |no |
+|Exchange |no |
+|AIP unified client |yes |the AIP *access* action is mapped to the *file read* action in activity explorer|
+|AIP unified scanner |yes |the AIP *access* action is mapped to the *file read* action in activity explorer|
+|MIP SDK |yes |the AIP *access* action is mapped to the *file read* action in activity explorer|
+|RMS service |yes |the *access* action is mapped to the *file read* action in activity explorer |
+|Power BI desktop and Web |no |accessible in the Microsoft 365 audit logs |
+|MCAS |no | |
++
+## Sensitivity label files discovered
+
+This event is generated each time files are discovered when AIP Scanner is used for scanning sensitive data in various locations and finds files.
+
+|Source |Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |not applicable |
+|Outlook |not applicable |
+|SharePoint Online, OneDrive |not applicable |
+|Exchange |not applicable |
+|AIP unified client |not applicable |
+|AIP unified scanner |yes |the AIP *discover* action is mapped to the *files discovered* action in activity explorer|
+|MIP SDK |yes |the AIP *discover* action is mapped to the *file discovered* action in activity explorer|
+|RMS service |not applicable |
+|Power BI desktop and Web |not applicable |
+|MCAS |not applicable | |
++
+## Sensitivity label file renamed
+
+This event is generated each time a document with a sensitivity label is renamed.
+
+|Source | Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |yes |
+|Outlook |not applicable |
+|SharePoint Online, OneDrive |no |
+|Exchange |not applicable |
+|AIP unified client |no |
+|AIP unified scanner |no |
+|MIP SDK |no |
+|RMS service |no |
+|Power BI desktop and Web |no |
+|MCAS |no | |
++
+## Sensitivity label file removed
+
+This event is generated each time the AIP scanner detects that a previously scanned file has been removed.
+
+|Source |Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |not applicable |
+|Outlook |not applicable |
+|SharePoint Online, OneDrive |not applicable |
+|Exchange |not applicable |
+|AIP unified client |not applicable |
+|AIP unified scanner |yes |
+|MIP SDK |not applicable |
+|RMS service |not applicable |
+|Power BI desktop and Web |not applicable |
+|MCAS |not applicable | |
+
+### Sensitivity label protection applied
+
+This event is generated the first-time protection is added manually to an item that does not have a label.
+
+|Source |Reported in activity explorer | Note |
+||||
+|Word, Excel, PowerPoint |no |
+|Outlook |no |
+|SharePoint Online, OneDrive |not applicable |
+|Exchange |no |
+|AIP unified client |yes |
+|AIP unified scanner |not applicable |
+|MIP SDK |yes |
+|RMS service |not applicable |
+|Power BI desktop and Web |not applicable |
+|MCAS |not applicable | |
+
+## Sensitivity label protection changed
+
+This event is generated each time the protection on an unlabeled document is changed manually.
+
+|Source |Reported in activity explorer |
+|||
+|Word, Excel, PowerPoint |no |
+|Outlook |no |
+|SharePoint Online, OneDrive |not applicable |
+|Exchange |no |
+|AIP unified client |yes |
+|AIP unified scanner |not applicable |
+|MIP SDK |yes |
+|RMS service |not applicable |
+|Power BI desktop and Web |not applicable |
+|MCAS |not applicable |
+
+## Sensitivity label protection removed
+
+This event is generated each time the protection on an unlabeled document is changed manually.
+
+|Source |Reported in activity explorer |
+|||
+|Word, Excel, PowerPoint |no |
+|Outlook |no |
+|SharePoint Online, OneDrive |not applicable |
+|Exchange |no |
+|AIP unified client |yes |
+|AIP unified scanner |not applicable |
+|MIP SDK |yes |
+|RMS service |not applicable |
+|Power BI desktop and Web |not applicable |
+|MCAS |not applicable |
+
+## Sensitivity label DLP policy matched
+
+This event is generated each time a DLP policy is matched.
+
+|Source |Reported in activity explorer |
+|||
+|Exchange |yes |
+|SharePoint Online|yes |
+|OneDrive |yes|
+|Teams |yes |
+|Windows 10 devices |yes |
+|MAC |no |
+|on-premises |no|
+|MCAS |no |
+
+The events for Windows 10 Devices (Endpoint DLP) are:
+
+- file deleted
+- file created
+- file copied to clipboard
+- file modified
+- file read
+- file printed
+- file renamed
+- file copied to network share
+- file accessed by unallowed app
++
+## Retention label applied
+
+This event is generated each time an unlabeled document is labeled or an email is sent with a label.
+
+- It is captured at the time of save in Office native applications and web applications.
+
+|Source |Reported in activity explorer |
+|||
+|Exchange |no |
+|SharePoint Online|yes |
+|OneDrive |yes|
+
+## Retention label changed
+
+This event is generated each time a label is updated on a document or email.
+
+- It is captured at the time of save.
+
+|Source |Reported in activity explorer |
+|||
+|Exchange |no |
+|SharePoint Online|yes |
+|OneDrive |yes|
+
+## Retention label removed
+
+This event is generated each time a label is removed from a file or document.
+
+- It is captured at the time of save.
+
+|Source |Reported in activity explorer |
+|||
+|Exchange |no |
+|SharePoint Online|yes |
+|OneDrive |yes|
++
+## Known issues
+
+- When the recommended label tool tip is shown to an end user, it is not captured. But if the user chooses to apply the recommended label, the label will be shown under the *How applied* field as *Recommended*
+
+- Justification text is not currently available on sensitivity label downgrade from Sharepoint and OneDrive.
+
+- Sensitive information types are currently not available for autolabeling activities from Word, Excel, PowerPoint, and Outlook, as well as SharePoint Online, and OneDrive.
compliance Data Classification Activity Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer.md
Last updated
audience: Admin
-localization_priority: Priority
+localization_priority: Normal
- M365-security-compliance - m365solution-mip
description: "Activity explorer rounds out the functionality of the data classif
# Get started with activity explorer
-The data classification overview and content explorer tabs give you visibility into what content has been discovered and labeled, and where that content is. Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view.
+The [data classification overview](data-classification-overview.md) and [content explorer](data-classification-content-explorer.md) tabs give you visibility into what content has been discovered and labeled, and where that content is. Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed and made available in the Activity explorer UI.
![placeholder screenshot overview activity explorer](../media/data-classification-activity-explorer-1.png)
There are over 30 different filters available for use, some are:
- DLP policy + ## Prerequisites Every account that accesses and uses data classification must have a license assigned to it from one of these subscriptions:
Every account that accesses and uses data classification must have a license ass
### Permissions
- In order to get access to the activity explorer tab, an account must be assigned membership in any one of these roles or role groups.
+ In order to get access to the activity explorer tab, an account must be explicitly assigned membership in any one of these role groups or explicitly granted the role.
+
+<!--
+> [!IMPORTANT]
+> Access to Activity explorer via the Security reader or Device Management role groups or other has been removed-->
**Microsoft 365 role groups**
Every account that accesses and uses data classification must have a license ass
- Security administrator - Compliance data administrator
-## Activity type
+**Microsoft 365 roles**
+
+- Compliance administrator
+- Security administrator
+
+## Activity types
+
+Activity explorer gathers activity information from the audit logs on multiple sources of activities. For more detailed information on what labeling activity makes it to Activity explorer, see [Labeling events available in Activity explorer](data-classification-activity-explorer-available-events.md).
-Microsoft 365 monitors and reports on types of activities across SharePoint Online, and OneDrive like:
+**Sensitivity label activities** and **Retention labeling activities** from Office native applications, Azure Information Protection add-in, SharePoint Online, Exchange Online (sensitivity labels only) and OneDrive. Some examples are:
- label applied - label changed (upgraded, downgraded, or removed) - auto-labeling simulation
+- file read
+
+**Azure Information Protection (AIP) scanner and AIP clients**
+
+- protection applied
+- protection changed
+- protection removed
+- files discovered
+
+Activity explorer also gathers **DLP policy matches** events from Exchange Online, SharePoint Online, OneDrive, Teams Chat and Channel (preview), on-premises SharePoint folders and libraries, and on-premises file shares, and Windows 10 devices via **Endpoint data loss prevention (DLP)**. Some examples events from Windows 10 devices are file:
+
+- deletions
+- creations
+- copied to clipboard
+- modified
+- read
+- printed
+- renamed
+- copied to network share
+- accessed by unallowed app
The value of understanding what actions are being taken with your sensitive labeled content is that you can see if the controls that you have already put into place, such as [data loss prevention policies](data-loss-prevention-policies.md) are effective or not. If not, or if you discover something unexpected, such as a large number of items that are labeled `highly confidential` and are downgraded `general`, you can manage your various policies and take new actions to restrict the undesired behavior.
The value of understanding what actions are being taken with your sensitive labe
> Activity explorer doesn't currently monitor retention activities for Exchange Online. ## See also+ - [Learn about sensitivity labels](sensitivity-labels.md) - [Learn about retention policies and retention labels](retention.md)-- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)-
+- [Learn about sensitive information types](sensitive-information-type-learn-about.md)
+- [Learn about data classification](data-classification-overview.md)
compliance Data Classification Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-overview.md
Title: "Get started with data classification"
+ Title: "Learn about data classification"
f1.keywords: - NOCSH
search.appverid:
description: "The data classification dashboard gives you visibility into how much sensitive data has been found and classified in your organization."
-# Know your data - data classification overview
+# Learn about data classification
As a Microsoft 365 administrator or compliance administrator, you can evaluate and then tag content in your organization in order to control where it goes, protect it no matter where it is and to ensure that it is preserved and deleted according to your organizations needs. You do this through the application of [sensitivity labels](sensitivity-labels.md), [retention labels](retention.md#retention-labels), and sensitive information type classification. There are various ways to do the discovery, evaluation and tagging, but the end result is that you may have very large number of documents and emails that are tagged and classified with one or both of these labels. After you apply your retention labels and sensitivity labels, you'll want to see how the labels are being used across your tenant and what is being done with those items. The data classification page provides visibility into that body of content, specifically:
As a Microsoft 365 administrator or compliance administrator, you can evaluate a
- the locations of your sensitive and retained data You also manage these features on the data classification page:+ - [trainable classifiers](classifier-learn-about.md)-- [sensitive information types](./sensitive-information-type-entity-definitions.md)
+- [sensitive information types](sensitive-information-type-learn-about.md)
+- [exact data matches](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md)
+- [content explorer](data-classification-content-explorer.md)
+- [activity explorer](data-classification-activity-explorer.md)
You can find data classification in the **Microsoft 365 compliance center** or **Microsoft 365 security center** > **Classification** > **Data Classification**.
The top applied retention labels card shows you how many items have a given rete
## Top activities detected
-This card provides a quick summary of the most common actions that users are taking on the sensitivity labeled items. You can use the [Activity explorer](data-classification-activity-explorer.md) to drill deep down on eight different activities that Microsoft 365 tracks on labeled content and content that is located on Windows 10 endpoints.
+This card provides a quick summary of the most common actions that users are taking on the sensitivity labeled items. You can use the [Activity explorer](data-classification-activity-explorer.md) to drill deep down on the different activities that Microsoft 365 tracks on labeled content and content that is located on Windows 10 endpoints.
> [!NOTE] > If this card displays the message, "No activity detected" it means that there's been no activity on the files or that user and admin auditing isn't turned on. To turn the audit logs on , see:
The point of the data classification reporting is to provide visibility into the
- [View labeled content](data-classification-content-explorer.md) - [Learn about sensitivity labels](sensitivity-labels.md) - [Learn about retention policies and retention labels](retention.md)
+- [Learn about sensitive information types](sensitive-information-type-learn-about.md)
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) - [Learn about trainable classifiers (preview)](classifier-learn-about.md)
compliance Dlp Policy Tips Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-tips-reference.md
DLP policy tips in Outlook Web Access is supported for all the conditions, excep
- Add HTML disclaimer - Prepend email subject - Remove O365 Message Encryption and rights protection-- Remove ## Outlook 2013 and later supports showing policy tips for only some conditions and exceptions
Currently, Outlook 2013 and later supports showing policy tips for policies whic
- Content contains (works only for Sensitive information types. Sensitivity labels are not supported) - Content is shared
-Note that all the conditions work for emails authored in Outlook client app, where they will match content and enforce protective actions on content. However, showing policy tips to users is not yet supported for any conditions that are used apart from the ones mentioned above.
+Note that all the conditions work for emails authored in Outlook client app, where they will match content and enforce protective actions on content. However, showing policy tips to users is not supported for any conditions that are used apart from the ones mentioned above.
-## Outlook 2013 and later supports showing policy tips for only some sensitive information types
+## Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types
-The list of out-of-the-box sensitive information types that will be detected for showing DLP policy tips in Outlook on Desktop (2013 and later) are the following :
+The list of out-of-the-box sensitive information types that will be detected for showing DLP policy tips in Outlook on Desktop (2013 and later) and Office apps (Word, Excel, PowerPoint) on Desktop are the following :
- ABA Routing Number - Argentina National Identity (DNI) Number
The list of out-of-the-box sensitive information types that will be detected for
Please note that custom sensitive information types are also supported for DLP policy tips in addition to the above out-of-the-box sensitive information types.
-## Data Loss Prevention on Endpoint supports policy tips for only some sensitive information types
+## Data Loss Prevention on endpoint devices supports policy tips for only some sensitive information types
The list of out-of-the-box sensitive information types that will be detected in documents residing on endpoint devices are the following :
Please note that custom sensitive information types will also be detected in add
|**App and platform**|**DLP policy tip support**|**Sensitive information types supported**|**Predicates and actions supported**|**Comments**| |:--|:--|:--|:--|:--| |**Outlook Web Access**|:::image type="icon" source="../media/rightmrk.png" border="false":::|All|Subset|See [Data Loss Prevention policy tips reference](#data-loss-prevention-policy-tips-reference)|
-|**Outlook Win32 (Outlook 2013 and beyond)**|:::image type="icon" source="../media/rightmrk.png" border="false":::|Subset|Subset|See [Outlook 2013 and later supports showing policy tips for only some conditions and exceptions](#outlook-2013-and-later-supports-showing-policy-tips-for-only-some-conditions-and-exceptions) and [Outlook 2013 and later supports showing policy tips for only some sensitive information types](#outlook-2013-and-later-supports-showing-policy-tips-for-only-some-sensitive-information-types) for details on support for sensitive information types and DLP conditions and actions supported for showing DLP policy tips on Outlook Win32.|
+|**Outlook Win32 (Outlook 2013 and beyond)**|:::image type="icon" source="../media/rightmrk.png" border="false":::|Subset|Subset|See [Outlook 2013 and later supports showing policy tips for only some conditions and exceptions](#outlook-2013-and-later-supports-showing-policy-tips-for-only-some-conditions-and-exceptions) and [Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types](#outlook-2013-and-later-and-office-apps-on-desktop-support-showing-policy-tips-for-only-some-sensitive-information-types) for details on support for sensitive information types and DLP conditions and actions supported for showing DLP policy tips on Outlook Win32.|
|**Outlook Mobile (iOS, Android)/Outlook Mac**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|DLP policy tips are not supported on Outlook mobile| |**Sharepoint Online/One Drive for Business Web client**|:::image type="icon" source="../media/rightmrk.png" border="false":::|All|All SPO/ODB predicates and actions in DLP|| |**Sharepoint Win32/ One Drive for Business Win32 client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|DLP policy tips are not supported on Sharepoint or OneDrive desktop client apps|
-|**Word, Excel, Powerpoint Web Client**|:::image type="icon" source="../media/rightmrk.png" border="false":::|All|All SPO/ODB predicates and actions in DLP|DLP policy tip is supported if the document is hosted on SPO or ODB web app and the DLP policy is already stamped.|
-|**Word, Excel, Powerpoint Mobile Client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|DLP policy tips are not supported in mobile apps for Office.|
+|**Word, Excel, PowerPoint Web Client**|:::image type="icon" source="../media/rightmrk.png" border="false":::|All|All SPO/ODB predicates and actions in DLP|DLP policy tip is supported if the document is hosted on SPO or ODB web app and the DLP policy is already stamped.|
+|**Word, Excel, PowerPoint Mobile Client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|DLP policy tips are not supported in mobile apps for Office.|
|**Teams Web/ Teams Desktop/ Teams Mobile/ Teams Mac**|:::image type="icon" source="../media/rightmrk.png" border="false":::|All|All Teams predicates in DLP policy|Policy tips will show when a message is flagged as ΓÇ£This message has been flagged. What can I do?ΓÇ¥ When clicking the link, the user can review the sensitive info types detected and override or report an issue if allowed by the admin. Note that no policy tips are shown for files. When the recipient tries to access the document, they might get access denied if not allowed.|
-|**Win32 Endpoint Devices**|:::image type="icon" source="../media/rightmrk.png" border="false":::|Subset|All Endpoint DLP predicates and actions in DLP policy|See [Data Loss Prevention on Endpoint supports policy tips for only some sensitive information types](#data-loss-prevention-on-endpoint-supports-policy-tips-for-only-some-sensitive-information-types)|
-|**Mac devices**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|Data loss prevention are not enforceable on Mac devices today|
-|**3rd party cloud apps**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|Data Loss Prevention|
+|**Win32 Endpoint Devices**|:::image type="icon" source="../media/rightmrk.png" border="false":::|Subset|All Endpoint DLP predicates and actions in DLP policy|See [Data Loss Prevention on Endpoint supports policy tips for only some sensitive information types](#data-loss-prevention-on-endpoint-devices-supports-policy-tips-for-only-some-sensitive-information-types)|
+|**Mac devices**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|Data loss prevention policies are not enforceable on Mac devices today|
+|**3rd party cloud apps**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None|Data Loss Prevention policy tips are not supported on 3rd party cloud apps|
|**On-prem**|:::image type="icon" source="../media/crsmrk.png" border="false":::|None|None||
-|**Word, Excel, Powerpoint Win32 Client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|Subset|Subset|Policy tips for WXP client apps will work for documents stored on Sharepoint Online or One Drive for Business Sites for all DLP policies which have exactly the below or a subset of conditions or actions in the DLP policy:</br> <ul><li>Content contains sensitive information types</li><li>Access Scope (Content is shared internally/externally)</li><li>Notify User (policy tips/user notifications)</li><li>Block everyone</li><li>Incident reports</li></ul></br> If any other condition or action is present, the DLP policy tip for that policy will not appear in the desktop apps of Word, Excel or PowerPoint.|
-||||||
+|**Word, Excel, PowerPoint Win32 Client**|:::image type="icon" source="../medi#policy-tips-in-excel-powerpoint-and-word) for more details|
+||||||
knowledge Manage Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/manage-topics.md
description: 'How to manage topics in the Topic Center.'
-+ audience: admin ms.prod: microsoft-365-enterprise
localization_priority: None
</br>
-In the Viva Topics topic center, a knowledge manager can view the **Manage topics** page to review topics that have been identified in SharePoint source locations as specified by your knowledge admin.
+In the Viva Topics topic center, a knowledge manager can view the **Manage topics** page to review topics that have been identified in the source locations as specified by your knowledge admin.
![Topic Center](../media/knowledge-management/topic-center.png) </br>
-Knowledge managers help to guide discovered topics through the topic lifecycle in which topics are:
+Knowledge managers help to guide discovered topics through the various topic lifecycle stages:
- **Suggested**: A topic has been identified by AI and has enough supporting resources, connections, and properties.-- **Confirmed**: A topic that has been suggested by AI is validated. Validation is done by confirmation from a knowledge manager. Additionally, a topic can be confirmed if at least two users give positive feedback through the feedback question on the topic card.
+- **Confirmed**: A topic that has been suggested by AI is validated. Validation is done by confirmation from a knowledge manager. Additionally, a topic can be confirmed if there is a net positive 2 votes from end users received via the feedback mechanisms on the topic card.
- **Published**: A confirmed topic that has been curated: manual edits have been made to improve its quality. - **Removed**: A topic is rejected by a knowledge manager and will no longer be visible to viewers. The topic can be in any state when it is removed (suggested, confirmed, or published). When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center. ![Topic Lifecycle chart](../media/knowledge-management/topic-lifecycle.png) </br> > [!Note]
-> On the Manage Topics page, each knowledge manager will only be able to see topics where they have access to the files and pages of the topic. This will be reflected in the topics that are listed under the **Suggested**, **Confirmed**, **Removed**, and **Published** tabs. The topic counts, however, show the total counts in the organization.
+> On the Manage Topics page, each knowledge manager will only be able to see topics where they have access to the underlying files and pages connected to the topic. This permission trimming will be reflected in the list of topics that appear in the **Suggested**, **Confirmed**, **Removed**, and **Published** tabs. The topic counts, however, show the total counts in the organization regardless of permissions.
## Requirements
To manage topics in the topic center, you need to:
You will not be able to view the Manage Topics page in the topic center unless you have the **Who can manage topics** permission.
-In the topic center, a knowledge manager can review topics that have been identified in the SharePoint source locations you specified, and can either confirm or reject them. A knowledge manager can also create and publish new topic pages if one was not found in topic discovery, or edit existing ones if they need to be updated.
+In the topic center, a knowledge manager can review topics that have been identified in the source locations you specified, and can either confirm or reject them. A knowledge manager can also create and publish new topic pages if one was not found in topic discovery, or edit existing ones if they need to be updated.
## Review suggested topics
Each topic that appears on your Suggested Topics page has a quality score assign
The quality score can help give insight to the topics with the most information and can be useful for finding topics that may need to be manually edited. For example, a topic with a lower quality score might be the result of some users not having SharePoint permissions to pertinent files or sites that AI has included in the topic. A contributor could then edit the topic to include the information (when appropriate), which will then be viewable to all users who can view the topic.
-The quality score could range from 1 to 100. A newly discovered topic will have a quality score of 0 until two or more users have viewed it. Each user's quality score is determined by a number of factors, such as the amount of content displayed for the specific user, which is controlled the user's permissions as each topic page has security trimming in place for AI-generated content. The quality score shown on the **Suggested** topics tab is an average of each users individual score.
- ### Impressions
-The **Impressions** column displays the number of times a topic has been shown to end users. This includes views through topic cards in search, through topic highlights, and through topic center views. It does not reflect the click-through on these topics, but that the topic has been displayed. The **Impressions** column will show for topics in the **Suggested**, **Confirmed**, **Published**, and **Removed** tabs on the Manage Topics page.
+The **Impressions** column displays the number of times a topic has been shown to end users. This includes views through topic answer cards in search and through topic highlights. It does not reflect the click-through on these topics, but that the topic has been displayed. The **Impressions** column will show for topics in the **Suggested**, **Confirmed**, **Published**, and **Removed** tabs on the Manage Topics page.
## Confirmed topics
-On the Manage Topics page, topics that were discovered in your specified SharePoint source locations and have been confirmed by a knowledge manager or "crowdsourced" confirmed by two or more people through the card feedback mechanism will be listed in the **Confirmed** tab. If needed, a user with permissions to manage topics can review confirmed topics and choose to reject them.
+On the Manage Topics page, topics that were discovered in your specified SharePoint source locations and have been confirmed by a knowledge manager or "crowdsourced" confirmed by a net two or more people (balancing negative user votes against positive user votes) through the card feedback mechanism will be listed in the **Confirmed** tab. If needed, a user with permissions to manage topics can review confirmed topics and choose to reject them.
To review a confirmed topic:
Note that you can still choose to reject a confirmed topic. To do this, go to th
## Published topics Published topics have been edited so that specific information will always appear to whoever encounters the page. Manually created topics are listed here as well.
- ![Manage Topics](../media/knowledge-management/manage-topics-new.png) </br>
+ ![Manage Topics](../media/knowledge-management/manage-topics-new.png) </br>
knowledge Topic Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-center-overview.md
Once a user confirms their connection to a topic, the user can make edits to the
## Manage topics page
-To work in the **Manage Topics** section of topic center, you need to have the required Manage topic permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [knowledge management setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
+To work in the **Manage Topics** section of topic center, you need to have the required Manage Topic permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [knowledge management setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
On the Manage Topics page, the topic dashboard shows all the topics, you have access to, that were identified from your specified source locations. Each topic will show the date the topic was discovered. A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to:-- Confirm the topic: Highlights the topic to users who have access to the files and pages related to the topic, and lets them see the associated topic card and topic page.
+- Confirm the topic: Indicates to users that an AI-suggested topic has been validated by a human curator.
- Publish the topic: Edit the topic information to improve the quality of the topic that was initially identified, and highlights the topic to all users who have view access to topics. -- Reject the topic: Makes the topic not available to users. The topic is moved to the **Rejected** tab and can be confirmed later if needed.
+- Reject the topic: Makes the topic undiscoverable to end users. The topic is moved to the **Rejected** tab and can be confirmed later if needed.
> [!Note] > See [Manage topics](manage-topics.md) for more details about topic managing topics in the Manage topics page.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Get security recommendations](get-security-recommendations.md) ####### [Add or Remove machine tags](add-or-remove-machine-tags.md) ####### [Find machines by IP](find-machines-by-ip.md)
+####### [Find machines by tag](find-machines-by-tag.md)
####### [Get missing KBs](get-missing-kbs-machine.md) ####### [Set device value](set-device-value.md)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Turn on this feature so that potentially unwanted applications (PUA) are remedia
## Restrict correlation to within scoped device groups
-When this setting is turned on, alerts are correlated into separate incidents based on their scoped device group. By default, incident correlation happens across the entire tenant scope.
-
+This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning this setting on, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We do not recommend turning this setting on unless doing so outweighs the benefits of incident correlation across the entire organization
>[!NOTE] >Changing this setting impacts future alert correlations only.
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
Title: Check the health state of the sensor in Microsoft Defender ATP
+ Title: Check the health state of the sensor in Microsoft Defender for Endpoint
description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
Title: Client behavioral blocking description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint
-keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
+keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP, microsoft defender for endpoint
search.product: eADQiWindows 10XVcnh ms.pagetype: security
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
Take the following steps to enable Conditional Access:
### Step 4: Assign the policy 1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies**> select your Microsoft Defender ATP compliance policy.
+2. Select **Device compliance** > **Policies**> select your Microsoft Defender for Endpoint compliance policy.
3. Select **Assignments**. 4. Include or exclude your Azure AD groups to assign them the policy. 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
Take the following steps to enable Conditional Access:
6. Select **Enable policy**, and then **Create** to save your changes.
-For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
+For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
Defender for Endpoint provides several convenient options for [onboarding Window
From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
-![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
- *Microsoft Defender ATP device compliance page on Intune device management*
+![Microsoft Defender for Endpoint device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
+ *Microsoft Defender for Endpoint device compliance page on Intune device management*
>[!TIP] >Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
No. Customer data is isolated from other customers and is not shared. However, i
## How long will Microsoft store my data? What is MicrosoftΓÇÖs data retention policy? **At service onboarding**<br>
-You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. ThereΓÇÖs a flexibility of choosing in the range of one month to six months to meet your companyΓÇÖs regulatory compliance needs.
+By default, data is retained for 180 days; however, you can specify the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. ThereΓÇÖs a flexibility of choosing in the range of one month to six months to meet your companyΓÇÖs regulatory compliance needs.
**At contract termination or expiration**<br> Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from MicrosoftΓÇÖs systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
Although potentially unwanted application protection in Microsoft Edge (Chromium
> [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/).
-### Blocking URLs with Microsoft Defender SmartScreen
+### Block URLs with Microsoft Defender SmartScreen
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Security admins can [configure](/DeployEdge/configure-microsoft-edge) how Micros
Although Microsoft Defender for Endpoint has its own blocklist based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
-## Microsoft Defender Antivirus
+## Microsoft Defender Antivirus and PUA protection
-The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.
> [!NOTE] > This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.
Microsoft Defender Antivirus blocks detected PUA files and any attempts to downl
The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md).
-### Configure PUA protection in Microsoft Defender Antivirus
+## Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with [Microsoft Intune](/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](/powershell/module/defender/?preserve-view=true&view=win10-ps).
You can also use PUA protection in audit mode to detect potentially unwanted app
PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
-#### Use Intune to configure PUA protection
+### Use Intune to configure PUA protection
See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-#### Use Configuration Manager to configure PUA protection
+### Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
> [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.
-#### Use Group Policy to configure PUA protection
+### Use Group Policy to configure PUA protection
1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
9. Deploy your Group Policy object as you usually do.
-#### Use PowerShell cmdlets to configure PUA protection
+### Use PowerShell cmdlets to configure PUA protection
-##### To enable PUA protection
+#### To enable PUA protection
```PowerShell Set-MpPreference -PUAProtection Enabled
Set-MpPreference -PUAProtection Enabled
Setting the value for this cmdlet to `Enabled` turns on the feature if it has been disabled.
-##### To set PUA protection to audit mode
+#### To set PUA protection to audit mode
```PowerShell Set-MpPreference -PUAProtection AuditMode
Set-MpPreference -PUAProtection AuditMode
Setting `AuditMode` detects PUAs without blocking them.
-##### To disable PUA protection
+#### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
Set-MpPreference -PUAProtection Disabled
Setting the value for this cmdlet to `Disabled` turns off the feature if it has been enabled.
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/index).
-## View PUA events
+## View PUA events using PowerShell
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
TypeID : 0
PSComputerName : ```
+## Get email notifications about PUA detections
+ You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
-If you're using Microsoft Defender for Endpoint, you can use an advanced hunting query to view PUA events. Here's an example query:
+## View PUA events using advanced hunting
+
+If you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), you can use an advanced hunting query to view PUA events. Here's an example query:
```console DeviceEvents
DeviceEvents
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName, WasExecutingWhileDetected, WasRemediated ```
-## Excluding files
+To learn more about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
+
+## Exclude files from PUA protection
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
security Information Protection In Windows Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview.md
Information protection is an integral part of Microsoft 365 Enterprise suite, pr
>[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
+> Read our blog post about how Microsoft Defender for Endpoint (formerly known as Microsoft Defender ATP) integrates with Microsoft Information Protection to [discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
Defender for Endpoint applies the following methods to discover, classify, and protect data:
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
Title: Investigate connection events that occur behind forward proxies
-description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
+description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender for Endpoint, which surfaces a real target, instead of a proxy.
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain search.product: eADQiWindows 10XVcnh search.appverid: met150
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
Title: Investigate incidents in Microsoft Defender ATP
+ Title: Investigate incidents in Microsoft Defender for Endpoint
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation search.product: eADQiWindows 10XVcnh
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Title: Configure Microsoft Defender for Endpoint on iOS features
-description: Describes how to deploy Microsoft Defender ATP for iOS features
+description: Describes how to deploy Microsoft Defender for Endpoint on iOS features
keywords: microsoft, defender, atp, ios, configure, features, ios search.product: eADQiWindows 10XVcnh search.appverid: met150
By default, Defender for Endpoint for iOS includes and enables the web protectio
While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below: 1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**.
-1. Click or tap the "i" button for Microsoft Defender ATP.
+1. Click or tap the "i" button for Microsoft Defender for Endpoint.
1. Toggle off **Connect On Demand** to disable VPN. > [!div class="mx-imgBorder"]
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Title: App-based deployment for Microsoft Defender ATP for iOS
+ Title: App-based deployment for Microsoft Defender for Endpoint on iOS
-description: Describes how to deploy Microsoft Defender ATP for iOS using an app
+description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app
keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150
This topic describes deploying Defender for Endpoint for iOS on Intune Company P
- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses. > [!NOTE]
-> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
+> Microsoft Defender for Endpoint on iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
## Deployment steps
security Ios Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-terms.md
Title: Microsoft Defender ATP for iOS Application license terms
+ Title: Microsoft Defender for Endpoint on iOS Application license terms
-description: Describes the Microsoft Defender ATP for iOS license terms
+description: Describes the Microsoft Defender for Endpoint on iOS license terms
keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
end
Make sure to update the path name to the location of the onboarding file. To test deploy it on the Chef workstation, just run ``sudo chef-client -z -o mdatp``.
-After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender ATP for Linux - Windows security | Microsoft Docs](/windows/security/threat-protection/microsoft-defender-atp/linux-preferences).
+After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/linux-preferences.md).
After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text: ```powershell
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
Title: Configure and validate exclusions for Microsoft Defender ATP for Linux
-description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
+ Title: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
+description: Provide and validate exclusions for Microsoft Defender for Endpoint on Linux. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Title: Deploy Microsoft Defender for Endpoint on Linux manually
-description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
+description: Describes how to deploy Microsoft Defender for Endpoint on Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Title: Deploy Microsoft Defender ATP for Linux with Ansible
+ Title: Deploy Microsoft Defender for Endpoint on Linux with Ansible
-description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
+description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Ansible.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
Title: Deploy Microsoft Defender ATP for Linux with Puppet
+ Title: Deploy Microsoft Defender for Endpoint on Linux with Puppet
-description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
+description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Puppet.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
In the below commands, replace *[distro]* and *[version]* with the information y
> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'. ```puppet
-# Puppet manifest to install Microsoft Defender ATP.
+# Puppet manifest to install Microsoft Defender for Endpoint on Linux.
# @param channel The release channel based on your environment, insider-fast or prod. # @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'. # @param version The Linux distribution release number, e.g. 7.4.
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
Title: Set preferences for Microsoft Defender ATP for Linux
+ Title: Set preferences for Microsoft Defender for Endpoint on Linux
-description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
+description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
Title: Privacy for Microsoft Defender ATP for Linux
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
+ Title: Privacy for Microsoft Defender for Endpoint on Linux
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Linux.
keywords: microsoft, defender, atp, linux, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
-description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
+ Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on Linux.
keywords: microsoft, defender, atp, linux, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
Title: Microsoft Defender ATP for Linux resources
+ Title: Microsoft Defender for Endpoint on Linux resources
-description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+description: Describes resources for Microsoft Defender for Endpoint on Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
Title: Microsoft Defender ATP for Linux static proxy discovery
+ Title: Microsoft Defender for Endpoint on Linux static proxy discovery
-description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
+description: Describes how to configure Microsoft Defender for Endpoint on Linux, for static proxy discovery.
keywords: microsoft, defender, atp, linux, installation, proxy search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
+Microsoft Defender for Endpoint can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
## Installation time configuration
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
Title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+ Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
-description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
+description: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
keywords: microsoft, defender, atp, linux, cloud, connectivity, communication search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
Title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux
-description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux.
+ Title: Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux
+description: Troubleshoot missing events or alerts issues in Microsoft Defender for Endpoint on Linux.
keywords: microsoft, defender, atp, linux, events search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+ Title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
-description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
+description: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
keywords: microsoft, defender, atp, linux, installation search.product: eADQiWindows 10XVcnh search.appverid: met150
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux
-description: Troubleshoot performance issues in Microsoft Defender Endpoint for Linux.
+ Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux
+description: Troubleshoot performance issues in Microsoft Defender Endpoint on Linux.
keywords: microsoft, defender, atp, linux, performance search.product: eADQiWindows 10XVcnh search.appverid: met150
The following steps can be used to troubleshoot and mitigate these issues:
>[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
-5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+5. Configure Microsoft Defender Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
- For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
+ For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint for Linux](linux-exclusions.md).
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on Linux
-description: List of major changes for Microsoft Defender ATP on Linux.
+description: List of major changes for Microsoft Defender for Endpoint on Linux.
keywords: microsoft, defender, atp, linux, whatsnew, release search.product: eADQiWindows 10XVcnh search.appverid: met150
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
The three most recent major releases of macOS are supported.
Beta versions of macOS are not supported.
+macOS devices with M1 processors are not supported.
+ After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. ### Licensing requirements
security Pull Alerts Using Rest Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/pull-alerts-using-rest-api.md
sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from
untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time. ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> Example: `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
-machinegroups | string | Specifies device groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all device groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
+machinegroups | string | Specifies device groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all device groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single device tag from the registry. CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center.
security Api Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md
Use the Microsoft 365 Defender APIs to automate workflows based on the shared in
Along with these Microsoft 365 Defender-specific APIs, each of our other security products expose [additional APIs](api-articles.md) to help you take advantage of their unique capabilities. +
+> [!NOTE]
+> The transition to the unified portal should not affect the PowerBi dashboards based on Microsoft Defender for Endpoint APIs. You can continue to work with the existing APIs regardless of the interactive portal transition.
++ ## Learn more | **Understand how to access the APIs** |
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
You maintain control over the broadness or specificity of your custom detections
## Manage existing custom detection rules You can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+>[!TIP]
+> Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft 365 Defender APIs](api-supported.md).
+ ### View existing rules To view all existing custom detection rules, navigate to **Hunting** > **Custom detections**. The page lists all the rules with the following run information:
security Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/feedback.md
ms.technology: m365d
Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience, impressions, and requests by providing feedback.
+Check out this video to see how easy it is to provide feedback.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4LWeP]
++ 1. From any part of the portal, select **Give feedback**. ![Image of feedback button](../../media/feedback.png)
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
After clicking through to the content, it may be useful to bookmark this site an
> > Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.
+> [!TIP]
+> There are lots of other learning opportunities in [Microsoft Learn](https://docs.microsoft.com/e/learn/). You'll find certification training such as [Course MS-500T02-A: Implementing Microsoft 365 Threat Protection](https://docs.microsoft.com/learn/certifications/courses/ms-500t02).
+ ## Send us your feedback We need your feedback. We're always looking to improve, so if there's something you'd like to see, [send us your Microsoft 365 Defender feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci).
solutions Groups Teams Compliance Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-compliance-governance.md
User chats are retained indefinitely even if a user account is deleted. If you d
- [Retention policies in Microsoft Teams](/microsoftteams/retention-policies)
-A single retention policy can be set to apply to Microsoft 365 Groups, Teams chat, and Teams channel messages.
+A single retention policy can be set to apply to Teams chat and Teams channel messages.
Additional resources:
With information barriers, you can segment your data and users to restrict unwan
[Security and compliance for Exchange Online](/exchange/security-and-compliance/security-and-compliance)
-[Protect information](../compliance/information-protection.md)
+[Protect information](../compliance/information-protection.md)