Updates from: 04/23/2021 03:17:04
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Insider Risk Management Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-content-explorer.md
In some cases, data associated with a case may not be available as a snapshot fo
If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the *Insider Risk Management Investigators* role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities are not included in Content explorer.
-![Insider risk management Content explorer](../media/insider-risk-content-explorer.png)
- >[!Note] >Content explorer includes activities related to Microsoft Office files. Site-level activities, such as when a SharePoint site is deleted or if site permissions are changed, aren't included in Content explorer.
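Review bot: the removed `[!Note]` at the end of this hunk (site-level activities such as deleting a SharePoint site or changing site permissions aren't included in Content explorer) has no replacement in the visible lines, while the remaining sentence only excludes documents associated with device indicator activities; if the site-level limitation still holds, keep the note or fold it into that sentence. In the surrounding context, "Each file and message are automatically assigned a unique file ID" should read "Each file and message is automatically assigned a unique file ID".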
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
- M365-security-compliance hideEdit: true feedback_system: None
-description: "Data loss prevention (DLP) in the Security & Compliance Center includes 80 sensitive information types that are ready for you to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type."
+description: "Data loss prevention (DLP) in the Security & Compliance Center includes over 200 sensitive information types that are ready for you to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type."
# Sensitive information type entity definitions
-Data loss prevention (DLP) in the Compliance Center includes many sensitive information types that are ready to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type. A sensitive information type is defined by a pattern that can be identified by a regular expression or a function. Corroborative evidence, like keywords and checksums, can be used to identify a sensitive information type. Confidence level and proximity are also used in the evaluation process.
-
-Sensitive information types require one of these subscriptions:
-- Microsoft 365 E3-- Microsoft 365 E5-
-Sensitive information types are used in:
--- [Data loss prevention policies](data-loss-prevention-policies.md) -- [Sensitivity labels](sensitivity-labels.md)-- [Retention labels](retention.md)-- [Communication compliance](communication-compliance.md)-- [Auto-labelling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps)
+Data loss prevention (DLP) in the Compliance Center includes many sensitive information types that are ready to use in your DLP policies. This article lists all of these sensitive information types and shows what a DLP policy looks for when it detects each type. To learn more about sensitive information types, see [Sensitive information types](sensitive-information-type-learn-about.md)
## ABA routing number
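Review bot: the new intro line ends without a period after the link ("To learn more about sensitive information types, see [Sensitive information types](sensitive-information-type-learn-about.md)"). The removed subscription list (Microsoft 365 E3, Microsoft 365 E5) and the removed "Sensitive information types are used in" list (DLP policies, sensitivity labels, retention labels, communication compliance, auto-labelling policies) disappear from this article entirely, so confirm the linked learn-about article carries both before dropping them here. The metadata description now says "over 200 sensitive information types" while the body says "many"; keep the two in step whenever the count is revised again.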
A DLP policy has medium confidence that it's detected this type of sensitive inf
- registro nacional de las personas - rnp
+## Argentina Unique Tax Identification Key (CUIT/CUIL)
+
+### Format
+
+Eleven digits with dash
+
+### Pattern
+
+Eleven digits with a dash:
+- two digits in 20, 23, 24, 27, 30, 33 or 34
+- a hyphen (-)
+- eight digits
+- a hyphen (-)
+- one check digit
+
+### Checksum
+
+Yes
+
+### Definition
+
+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The function `Func_Argentina_Unique_Tax_Key` finds content that matches the pattern.
+- A keyword from `Keyword_Argentina_Unique_Tax_Key` is found.
+
+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The function `Func_Argentina_Unique_Tax_Key` finds content that matches the pattern.
+
+```xml
+ <!-- Argentina Unique Tax Identification Key (CUIT/CUIL) -->
+ <Entity id="98da3da1-9199-4571-b7c4-b6522980b507" patternsProximity="300" recommendedConfidence="75" relaxProximity="true">
+ <Pattern confidenceLevel="85">
+ <IdMatch idRef="Func_Argentina_Unique_Tax_Key" />
+ <Match idRef="Keyword_Argentina_Unique_Tax_Key" />
+ </Pattern>
+ <Pattern confidenceLevel="75">
+ <IdMatch idRef="Func_Argentina_Unique_Tax_Key" />
+ </Pattern>
+ </Entity>
+```
+
+### Keywords
+
+#### Keyword_Argentina_Unique_Tax_Key
+
+- Clave Unica de Identificacion Tributaria
+- CUIT
+- unique code of labour identification 
+- Clave Única de Identificación Tributaria
+- unique labour identification code
+- CUIL
+- Unique Tax Identification Key
+- Unique Labour Identification Key
+- Unique Key of Labour Identification
+- Unique Work Identification Code
+- Unique Code of Work Identification
+- Unique Work Identification Key
+- Unique Key of Work Identification
+- Unique Code of Tax Identification
+- Unique Key of Tax Identification
+- Unique Labor Identification Code
+- Unique Code of Labor Identification
+- Unique Labor Identification Key
+- Unique Key of Labor Identification
+- tax ID
+- taxID#
+- taxId
+- taxidnumber
+- tax number
+- tax no
+- tax #
+- tax#
+- taxpayer ID
+- taxpayer number
+- taxpayer no
+- taxpayer #
+- taxpayer#
+- tax identity
+- tax identification
+- Número de Identificación Fiscal
+- número de contribuyente
+
+
## Australia bank account number ### Format
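Review bot: the Format text ("Eleven digits with dash") and the Pattern lead-in ("Eleven digits with a dash:") disagree with the bullet list, which contains two hyphens (two digits, a hyphen, eight digits, a hyphen, one check digit); say "Eleven digits with two dashes" in both places. Smaller points: the keyword "unique code of labour identification " carries a trailing space, which makes it inconsistent with the other entries in `Keyword_Argentina_Unique_Tax_Key`, and there are two blank lines before the next heading instead of one. The XML definition is consistent with the prose: `confidenceLevel="85"` for function plus keyword, `confidenceLevel="75"` for function alone, and `recommendedConfidence="75"`.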
A DLP policy has low confidence that it's detected this type of sensitive inform
- unique identity number - uniqueidentityno# +
+## Medicare Beneficiary Identifier (MBI) card
+
+### Format
+
+eleven character alphanumeric pattern
+
+### Pattern
+
+- one digit between 1 to 9
+- one letter excluding S, L, O, I, B, Z
+- one digit or letter excluding S, L, O, I, B, Z
+- one digit
+- an optional Hyphen
+- one letter excluding S, L, O, I, B, Z
+- one digit or letter excluding S, L, O, I, B, Z
+- one digit
+- an optional Hyphen
+- two letters excluding S, L, O, I, B, Z
+- two digits
+
+### Checksum
+
+No
+
+### Definition
+
+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The regular expression `Regex_mbi_card` finds content that matches the pattern.
+- A keyword from `Keyword_mbi_card` is found.
+
+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The regular expression `Regex_mbi_card` finds content that matches the pattern.
+
+```xml
+ <!-- Medicare Beneficiary Identifier (MBI) card -->
+ <Entity id="f753a286-f5cc-47e6-a592-4be25fd02591" patternsProximity="300" recommendedConfidence="75" relaxProximity="true">
+ <Pattern confidenceLevel="85">
+ <IdMatch idRef="Regex_mbi_card" />
+ <Match idRef="Keyword_mbi_card" />
+ </Pattern>
+ <Pattern confidenceLevel="75">
+ <IdMatch idRef="Regex_mbi_card" />
+ </Pattern>
+ </Entity>
+```
+
+### Keywords
+
+#### Keyword_mbi_card
+
+- mbi
+- mbi#
+- medicare beneficiary #
+- medicare beneficiary identifier
+- medicare beneficiary no
+- medicare beneficiary number
+- medicare beneficiary#
++
+## Mexico Unique Population Registry Code (CURP)
+
+### Format
+
+18 character alphanumeric pattern
+
+### Pattern
+
+- four letters (case insensitive)
+- six digits indicating a valid date
+- a letter - H/h or M/m
+- two letters indicating a valid Mexican state code
+- three letters
+- one letter or digit
+- one digit
+
+### Checksum
+
+No
+
+### Definition
+
+A DLP policy has high confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The function `Func_mexico_population_registry_code` finds content that matches the pattern.
+- A keyword from `Keyword_mexico_population_registry_code` is found.
+
+A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The function `Func_mexico_population_registry_code` finds content that matches the pattern.
+
+```xml
+ <!-- Mexico Unique Population Registry Code (CURP) -->
+ <Entity id="e905ad4d-5a74-406d-bf36-b1efca798af4" patternsProximity="300" recommendedConfidence="75" relaxProximity="true">
+ <Pattern confidenceLevel="85">
+ <IdMatch idRef="Func_mexico_population_registry_code" />
+ <Match idRef="Keyword_mexico_population_registry_code" />
+ </Pattern>
+ <Pattern confidenceLevel="75">
+ <IdMatch idRef="Func_mexico_population_registry_code" />
+ </Pattern>
+ </Entity>
+```
+
+### Keywords
+
+#### Keyword_mexico_population_registry_code
+
+- Clave Única de Registro de Población
+- Clave Unica de Registro de Poblacion
+- Unique Population Registry Code 
+- unique population code
+- CURP
+- Personal ID
+- Unique ID
+- personalid
+- personalidnumber
+- uniqueidkey
+- uniqueidnumber
+- clave única
+- clave unica
+- clave personal Identidad
+- personal Identidad Clave
+- ClaveÚnica
+- claveunica
+- clavepersonalIdentidad
++ ## Netherlands citizen's service (BSN) number ### Format
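Review bot: in the MBI pattern, "one digit between 1 to 9" should be "one digit between 1 and 9", and "an optional Hyphen" is capitalised mid-sentence in two bullets while the CUIT/CUIL entry above writes "a hyphen (-)"; use one form across the new entries. In the CURP keyword list, "Unique Population Registry Code " has a trailing space, and the last added line runs "++ ## Netherlands citizen's service (BSN) number ### Format" together, so check that a blank line separates the CURP keywords from the next H2. The stated lengths do match the bullets (11 characters for MBI, 18 for CURP), and both XML definitions use the same 85/75 confidence levels and `recommendedConfidence="75"` as the CUIT/CUIL entry, so those parts are consistent.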
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
Office apps apply content marking and encryption with a sensitivity label differ
Solutions that apply sensitivity labels to files outside Office apps do so by applying labeling metadata to the file. In this scenario, content marking from the label's configuration isn't inserted into the file but encryption is applied.
-When those files are opened in an Office desktop app, the content markings are automatically applied by the Azure Information Protection unified labeling client. The content markings are not automatically applied when you use built-in labeling for desktop, mobile, or web apps.
+When those files are opened in an Office desktop app, the content markings are automatically applied by the Azure Information Protection unified labeling client when the file is first saved. The content markings are not automatically applied when you use built-in labeling for desktop, mobile, or web apps.
Scenarios that include applying a sensitivity label outside Office apps include:
knowledge Plan Topic Experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/plan-topic-experiences.md
All processing and storage of content is done in the central location.
The user permissions that you specify determine which people in your organization interact with topics and what they can do.
+> [!Note]
+> At this time, Viva Topics doesn't support providing licenses or user permissions for Guest (External) users.
+ *Manage topics* Knowledge managers oversee the quality of information, how its structured, and other best practices in your organization. They can confirm and reject topics.
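Review bot: in the *Manage topics* line, "how its structured" should be "how it's structured". The new `[!Note]` on guest (external) users reads fine and uses the `> [!Note]` spacing seen elsewhere in this changeset.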
managed-desktop Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/prerequisites.md
This topic outlines the infrastructure requirements you must meet to assure succ
Area | Prerequisite details |
-Licensing |Microsoft Managed Desktop requires the Microsoft 365 E3 license with Microsoft Defender for Endpoint (or equivalents) assigned to your users. Two licenses for Azure Active Directory Premium 2 must be available in the tenant but users do not need this license. <br>For details about the specific service plans, see [More about licenses](#more-about-licenses) in this topic.<br>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans).
+Licensing |Microsoft Managed Desktop requires the Microsoft 365 E3 license with Microsoft Defender for Endpoint (or equivalents) assigned to your users.<br>For details about the specific service plans, see [More about licenses](#more-about-licenses) in this topic.<br>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
Connectivity | All Microsoft Managed Desktop devices require connectivity to numerous Microsoft service endpoints from the corporate network.<br><br>For the full list of required IPs and URLs, see [Network configuration](../get-ready/network.md). Azure Active Directory | Azure Active Directory (Azure AD) must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure AD Connect.<br><br>[Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) must be enabled for Microsoft Managed Desktop users.<br><br>For more information, see [Azure AD Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect).<br><br>For more information on supported Azure AD Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history). Authentication | If Azure AD is not the source of primary authentication for user accounts, you must configure one of these in Azure AD Connect:<br>- Password hash synchronization<br>- Pass-through authentication<br>- An external identity provider (including Windows Server ADFS and non-Microsoft IDPs) configured to meet Azure AD integration requirements. See the [guidelines](https://www.microsoft.com/download/details.aspx?id=56843) for more information. <br><br>When setting authentication options with Azure AD Connect, password writeback is also recommended. For more information, see [Password writeback](/azure/active-directory/authentication/howto-sspr-writeback). 
<br><br>If an external identity provider is implemented, you must validate the solution:<br>- Meets Azure AD integration requirements<br>- Supports Azure AD Conditional Access, which allows the Microsoft Managed Desktop device compliance policy to be configured<br>- Enables device enrollment and use of Microsoft 365 services or features required as part of Microsoft Managed Desktop <br><br>For more information on authentication options with Azure AD, see [Azure AD Connect user sign-in options](/azure/active-directory/connect/active-directory-aadconnect-user-signin).
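Review bot: the Licensing cell drops the sentence requiring two Azure Active Directory Premium 2 licences in the tenant without a replacement, yet the same cell still points readers to the "More about licenses" section of this topic; check that section no longer lists the Premium 2 licences, otherwise the two will disagree. The link target change (compare-all-microsoft-365-plans to compare-microsoft-365-enterprise-plans) is fine.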
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
Configure a registry-based static proxy to allow only Defender for Endpoint sens
> [!NOTE] > - When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup:</br>
+> Windows 10, version 1809 or Windows Server 2019 - https://support.microsoft.com/kb/5001384 <br>
> Windows 10, version 1909 - https://support.microsoft.com/kb/4601380</br> > Windows 10, version 2004 - https://support.microsoft.com/kb/4601382</br> > Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382</br>
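Review bot: the added "Windows 10, version 1809 or Windows Server 2019 - https://support.microsoft.com/kb/5001384" line ends with `<br>` while the three existing lines in the same note end with `</br>`; use one form throughout the note (`<br>` is the valid HTML, `</br>` is not a closing tag browsers recognise).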
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Defender for Endpoint can integrate with Azure Defender to provide a comprehensi
The following capabilities are included in this integration: -- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Defender. For more information on Azure Defender onboarding, see [Onboarding to Azure Defender Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
+- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Defender. For more information on Azure Defender onboarding, see [Use the integrated Microsoft Defender for Endpoint license](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
> [!NOTE] > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).
To offboard the Windows server, you can use either of the following methods:
(MMA Agent .exe x64 [New SHA-2 compliant version](https://go.microsoft.com/fwlink/?LinkId=828603)) **Step-2: Create a file name DeployMMA.cmd (using notepad)**
-Add the following lines to the cmd file. Note that you will need your WORKSPACE ID and KEY.
+Add the following lines to the cmd file. Note that you'll need your WORKSPACE ID and KEY.
```dos @echo off
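Review bot: the Step-2 heading in the surrounding context, "Create a file name DeployMMA.cmd (using notepad)", reads better as "Create a file named DeployMMA.cmd (using Notepad)". The "you will" to "you'll" change matches the contraction style used in the later hunk of the same article ("if you don't want to reboot").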
Once this is done, you'll need to create a start-up script policy:
:::image type="content" source="images/startupprops.png" alt-text="start up properties":::
-The name of the file to run here is c:\windows\MMA\DeployMMA.cmd
-Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMAAgent, while setting the workspace id and key, and the server will be onboarded.
+The name of the file to run here is c:\windows\MMA\DeployMMA.cmd.
+Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded.
-You could also use an **immediate task** to run the deployMMA.cmd if you do not want to reboot all the servers.
+You could also use an **immediate task** to run the deployMMA.cmd if you don't want to reboot all the servers.
This could be done in two phases. First create **the files and the folder in** GPO ΓÇô Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot.
-As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to an Configuration Manager compliance policy it will check daily to ensure the MMA is present.
+As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present.
:::image type="content" source="images/schtask.png" alt-text="schedule task":::
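Review bot: the rewritten line still reads "As the Script has an exit method and wont re-run if the MMA is installed"; since the change already touches this line to fix "an Configuration Manager", fix "wont" to "won't", lower-case "Script", and add the comma after "Similar to a Configuration Manager compliance policy" in the same edit. The preceding context line "GPO ΓÇô Give the system time" shows a mis-encoded en dash that should be replaced with a plain dash or a full stop. The added "c:\windows\MMA\DeployMMA.cmd." and "MMA Agent"/"Workspace ID and Key" wording is consistent with the Step-2 text above.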
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
After a new package version is released, support for the previous two versions i
&ensp;Released: **December 03, 2020** &ensp;Platform: **4.18.2011.6** &ensp;Engine: **1.1.17700.4**
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade support (only)**
### What's new
No known issues
&ensp;Released: **October 29, 2020** &ensp;Platform: **4.18.2010.7** &ensp;Engine: **1.1.17600.5**
-&ensp;Support phase: **Security and Critical Updates**
+&ensp;Support phase: **Technical upgrade support (only)**
### What's new
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
benefits, read our
[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS). For more details on how to get started, visit the Defender for Endpoint on macOS
-[documentation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac).
+[documentation](microsoft-defender-endpoint-mac.md).
## Microsoft Defender for Endpoint on Linux
the key features and benefits, read our
For more details on how to get started, visit the Microsoft Defender for Endpoint on Linux
-[documentation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux).
+[documentation](microsoft-defender-endpoint-linux.md).
## Microsoft Defender for Endpoint on Android
information about the key features and benefits, read our
For more details on how to get started, visit the Microsoft Defender for Endpoint on Android
-[documentation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-android).
+[documentation](microsoft-defender-endpoint-android.md).
## Microsoft Defender for Endpoint on iOS
setting custom indicators. For more information about the key features and benef
read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS). For more details on how to get started, visit the Microsoft Defender for Endpoint
-on iOS [documentation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-ios).
+on iOS [documentation](microsoft-defender-endpoint-ios.md).
## Licensing requirements
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-If your system is having high CPU usage or performance issues related to the real-time protection service in Microsoft Defender for Endpoint, you can submit a ticket to Microsoft support. Follow the steps in [Collect Microsoft Defender AV diagnostic data](/collect-diagnostic-data.md).
+If your system is having high CPU usage or performance issues related to the real-time protection service in Microsoft Defender for Endpoint, you can submit a ticket to Microsoft support. Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md).
As an admin, you can also troubleshoot these issues on your own.
The command-line tool *wpr.exe* is part of the operating system starting with Wi
## See also -- [Collect Microsoft Defender AV diagnostic data](collect-diagnostic-data.md)-- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
+- [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md)
+- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
security Advanced Hunting Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-best-practices.md
There are various functions you can use to efficiently handle strings that need
To learn about all supported parsing functions, [read about Kusto string functions](/azure/data-explorer/kusto/query/scalarfunctions#string-functions).
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Kusto query language documentation](/azure/data-explorer/kusto/query/) - [Quotas and usage parameters](advanced-hunting-limits.md)
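Review bot: this `[!NOTE]` block is added verbatim to six advanced-hunting articles in this changeset (best practices, extend data, go hunt, query language, query results, shared queries); the docs set already uses `[!INCLUDE ...]` snippets (for example `[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]`), so an include file would keep the wording and its two links (`m365d-enable.md`, `advanced-hunting-migrate-from-mde.md`) in sync when the migration guidance changes. The `>[!NOTE]` / `>Some tables` lines have no space after `>`, unlike `> [!Note]` and `> [!NOTE]` used elsewhere in this changeset; pick one spacing.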
security Advanced Hunting Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-errors.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
+**Applies to:**
+- Microsoft 365 Defender
+- Microsoft Defender for Endpoint
++ Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined quotas and usage parameters](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. | Error type | Cause | Resolution | Error message examples |
Advanced hunting displays errors to notify for syntax mistakes and whenever quer
| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`<br>-`Query stopped. Adjust use of the <operator name> operator to avoid excessive resource consumption.` | | Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.` ++ ## Related topics - [Advanced hunting best practices](advanced-hunting-best-practices.md) - [Quotas and usage parameters](advanced-hunting-limits.md)
security Advanced Hunting Extend Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-extend-data.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
If you're running Active Directory on premises, you need to install the Microsof
| | | | | | Domain controller | Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information, such as account details, logon activity, and Active Directory queries | Multiple tables, including [IdentityInfo](advanced-hunting-identityinfo-table.md), [IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md), and [IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md) | - [Install the Microsoft Defender for Identity sensor](/azure-advanced-threat-protection/install-atp-step4)<br>- [Turn on relevant Windows Events](/azure-advanced-threat-protection/configure-event-collection) |
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Understand the schema](advanced-hunting-schema-tables.md)
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections: -- In the [incident page](investigate-incidents.md#summary), you can review details about users, devices, and many other entities associated with an incident. As you select an entity, you get additional information as well as various actions you could take on that entitity. In the example below, a mailbox is selected, showing details about the mailbox as well the option to hunt for more information about the mailbox.
+- In the [incident page](investigate-incidents.md#summary), you can review details about users, devices, and many other entities associated with an incident. As you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a mailbox is selected, showing details about the mailbox as well the option to hunt for more information about the mailbox.
![Image showing mailbox details with the go hunt option](../../media/mtp-ah/go-hunt-email.png)
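Review bot: the rewritten bullet fixes "entitity" but still reads "showing details about the mailbox as well the option to hunt for more information"; "as well as the option" is intended, and it is worth fixing while the line is already being edited.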
You can use *go hunt* after selecting any of these entity types:
- URLs ## Query for event information
-When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occured around the same time period on the same device:
+When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device:
```kusto // List relevant events 30 minutes before and after selected LogonAttempted event
In addition to modifying the query to get more relevant results, you can also:
- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart) - [Create a custom detection rule](custom-detection-rules.md)
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
Advanced hunting is based on the [Kusto query language](/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-tables.md). To understand these concepts better, run your first query.
The **Get started** section provides a few simple queries using commonly used op
For more information on Kusto query language and supported operators, see [Kusto query language documentation](/azure/kusto/query/).
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md)
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-results.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
Refine your query by selecting the `+` or `-` buttons on the values that you wan
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
security Advanced Hunting Shared Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-shared-queries.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
Microsoft security researchers regularly share advanced hunting queries in a [de
>[!tip] >Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics) reports in Microsoft Defender Security Center.
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
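Review bot: the new NOTE lands directly under the existing TIP callout about threat analytics, so two unrelated callouts stack back to back at the end of the article; move the NOTE to the top of the article beside the Applies to list (which this change also extends with Microsoft Defender for Endpoint) or merge its point into the surrounding prose.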
security Advanced Hunting Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-take-action.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
[!INCLUDE [Prerelease information](../includes/prerelease.md)]
To take any of the described actions, select one or more records in your query r
## Review actions taken Each action is individually recorded in the [action center](m365d-action-center.md) under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
+>[!NOTE]
+>Some tables in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md)
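Review bot: the NOTE says "Some tables in this article might not be available", but it is inserted under "Review actions taken", which is about the action center and action history rather than schema tables; place it where the article discusses the tables the actions draw their records from, or reword it so it makes sense in this section.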
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
Custom detection rules are rules you can design and tweak using [advanced hunting](advanced-hunting-overview.md) queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
In the rule details screen (**Hunting** > **Custom detections** > **[Rule name]*
>[!TIP] >To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
+>[!NOTE]
+>Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft 365 Defender](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
+ ## See also - [Custom detections overview](custom-detections-overview.md) - [Advanced hunting overview](advanced-hunting-overview.md)
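Review bot: this article's NOTE says "Some columns in this article" while the same boilerplate in the other advanced hunting articles in this change says "Some tables"; confirm which is meant for custom detection rules (they are built from advanced hunting queries over the schema tables) and align the wording, so the six copies stay identical and can later be maintained as a single include rather than hand-edited in each article.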
security Custom Detections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detections-overview.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
To get a quick summary of a user account for the incident, select the check mark
:::image type="content" source="../../media/investigate-users/incidents-ss-user-pane.png" alt-text="Example of the user account summary pane for an incident in the Microsoft 365 security center":::
+> [!NOTE]
+> The User page shows Azure Active Directory (AD) organization as well as groups, helping you understand the groups and permissions associated with a user.
+
+In this fly-out page, you can review user threat information, including any current incidents, active alerts, and risk level as well as user exposure, accounts, devices, and more.
+
+In addition, you can take action directly in the Microsoft 365 security center to address a compromised user, confirming the user is compromised or requiring them to sign in again.
+ From here, you can select **Go to user page** to see the details of a user account. Here's an example. :::image type="content" source="../../media/investigate-users/incidents-ss-user-details.png" alt-text="Example of the user account page for an incident in the Microsoft 365 security center":::
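Review bot: in the new NOTE, "Azure Active Directory (AD) organization" introduces the abbreviation "AD", which elsewhere in these docs means on-premises Active Directory; write "shows the Azure Active Directory (Azure AD) organization" instead (the definite article is also missing). The last added line runs "From here, you can select **Go to user page** ...", "Here's an example." and the `:::image type="content" ...:::` directive together on one line; the image directive needs its own line to render.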
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
The rest of this article describes how to configure these policies.
To give you time to accomplish these tasks, we recommend implementing the baseline policies in the order listed in this table. However, the MFA policies for sensitive and highly regulated levels of protection can be implemented at any time.
-|Protection level|Policies|More information|
-||||
-|**Baseline**|[Require MFA when sign-in risk is *medium* or *high*](#require-mfa-based-on-sign-in-risk)||
-||[Block clients that don't support modern authentication](#block-clients-that-dont-support-multi-factor)|Clients that do not use modern authentication can bypass Conditional Access policies, so it's important to block these.|
-||[High risk users must change password](#high-risk-users-must-change-password)|Forces users to change their password when signing in if high-risk activity is detected for their account.|
-||[Apply app data protection policies](#apply-app-data-protection-policies)|One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android).|
-||[Require approved apps and app protection](#require-approved-apps-and-app-protection)|Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android.|
-||[Define device compliance policies](#define-device-compliance-policies)|One policy for each platform.|
-||[Require compliant PCs](#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Enforces Intune management of PCs using Windows or MacOS.|
-|**Sensitive**|[Require MFA when sign-in risk is *low*, *medium*, or *high*](#require-mfa-based-on-sign-in-risk)||
-||[Require compliant PCs *and* mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces Intune management for both PCs (Windows or MacOS) and phones or tablets (iOS, iPadOS, or Android).|
-|**Highly regulated**|[*Always* require MFA](#require-mfa-based-on-sign-in-risk)|
+|Protection level|Policies|More information|Licensing|
+|||||
+|**Baseline**|[Require MFA when sign-in risk is *medium* or *high*](#require-mfa-based-on-sign-in-risk)||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
+||[Block clients that don't support modern authentication](#block-clients-that-dont-support-multi-factor)|Clients that do not use modern authentication can bypass Conditional Access policies, so it's important to block these.|Microsoft 365 E3 or E5|
+||[High risk users must change password](#high-risk-users-must-change-password)|Forces users to change their password when signing in if high-risk activity is detected for their account.|Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
+||[Apply Application Protection Policies (APP) data protection](#apply-app-data-protection-policies)|One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android).|Microsoft 365 E3 or E5|
+||[Require approved apps and app protection](#require-approved-apps-and-app-protection)|Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android.|Microsoft 365 E3 or E5|
+||[Define device compliance policies](#define-device-compliance-policies)|One policy for each platform.|Microsoft 365 E3 or E5|
+||[Require compliant PCs](#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Enforces Intune management of PCs using Windows or MacOS.|Microsoft 365 E3 or E5|
+|**Sensitive**|[Require MFA when sign-in risk is *low*, *medium*, or *high*](#require-mfa-based-on-sign-in-risk)||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
+||[Require compliant PCs *and* mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces Intune management for both PCs (Windows or MacOS) and phones or tablets (iOS, iPadOS, or Android).|Microsoft 365 E3 or E5|
+|**Highly regulated**|[*Always* require MFA](#assigning-policies-to-groups-and-users)||Microsoft 365 E3 or E5|
| ## Assigning policies to groups and users
Be careful when applying higher levels of protection to groups and users. For ex
All Azure AD groups created as part of these recommendations must be created as Microsoft 365 groups. This is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint.
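Review bot: the Highly regulated row now links "*Always* require MFA" to #assigning-policies-to-groups-and-users instead of #require-mfa-based-on-sign-in-risk, unlike the Baseline and Sensitive MFA rows; confirm this is intentional, because the target section (the one whose heading follows the table) is about group and user assignment rather than MFA, and otherwise link the section that actually describes the always-require policy. Two smaller points: the renamed link text "Apply Application Protection Policies (APP) data protection" no longer matches its target heading "Apply APP data protection policies", and the old Highly regulated row was missing its trailing cells, which this rewrite fixes, so keep that fix even if the anchor change is reverted.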
-![Screen capture for creating Microsoft 365 groups](../../media/microsoft-365-policies-configurations/identity-device-AAD-groups.png)
+![Example of creating a Microsoft 365 group](../../media/microsoft-365-policies-configurations/identity-device-AAD-groups.png)
## Require MFA based on sign-in risk
-You should have your users register for MFA prior to requiring its use. If you have Microsoft 365 E5, Microsoft 365 E3 with the Identity & Threat Protection add-on, Office 365 with EMS E5, or individual Azure AD Premium P2 licenses, you can use the MFA registration policy with Azure AD Identity Protection to require that users register for MFA. The [prerequisite work](identity-access-prerequisites.md) includes registering all users with MFA.
+You should have your users register for MFA prior to requiring its use. If you have Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, Office 365 with EMS E5, or individual Azure AD Premium P2 licenses, you can use the MFA registration policy with Azure AD Identity Protection to require that users register for MFA. The [prerequisite work](identity-access-prerequisites.md) includes registering all users with MFA.
After your users are registered, you can require MFA for sign-in with a new Conditional Access policy.
Use this policy in conjunction with [Configure Azure AD password protection](/az
## Apply APP data protection policies
-App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.
+APPs define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
For **System security**, see this table.
|Type|Properties|Value|Action| |||||
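Review bot: replacing "App Protection Policies (APP) define" with "APPs define" removes the only expansion of the acronym in this section, while the next sentence still says "available in APP" (singular) and the heading says "APP data protection policies"; keep "App Protection Policies (APP)" at first use and then settle on one form, APP or APPs, for the rest of the section.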
-|Microsoft Defender for Endpoint rules|Require the device to be at or under the machine-risk score|Medium|Select|
+|Microsoft Defender for Endpoint rules in the Microsoft Endpoint Manager admin center|[Require the device to be at or under the machine-risk score](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level)|Medium|Select|
| ## Require compliant PCs (but not compliant phones and tablets)
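Review bot: the new link in the System security row uses an absolute https://docs.microsoft.com/mem/... URL, whereas the rest of this article uses root-relative links such as /azure/active-directory/...; use /mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level so the link style is consistent with the rest of the article and is not tied to one docs host.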
-Before adding a policy to require compliant PCs, be sure to enroll devices for management into Intune. Using multi-factor authentication is recommended before enrolling devices into Intune for assurance that the device is in the possession of the intended user.
+Before adding a policy to require compliant PCs, be sure to enroll your devices for management in Intune. Using multi-factor authentication is recommended before enrolling devices into Intune for assurance that the device is in the possession of the intended user.
To require compliant PCs:
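Review bot: the first sentence now says "enroll your devices for management in Intune" while the unchanged second sentence still says "enrolling devices into Intune"; use one preposition for both so the paragraph reads consistently.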
security Identity Access Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
Before using the identity and device access policies that are recommended, your
The following table details the prerequisite features and their configuration that apply to all identity models, except where noted.
-|Configuration|Exceptions|
-||::|
-|[Configure PHS](/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization). This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only|
-|[Enable seamless single sign-on](/azure/active-directory/connect/active-directory-aadconnect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|
-|[Configure named locations](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations). Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||
-|[Register all users for self-service password reset (SSPR) and multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-registration-mfa-sspr-converged). We recommend you register users for Azure AD Multi-Factor Authentication ahead of time. Azure AD Identity Protection makes use of Azure AD Multi-Factor Authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](/azure/active-directory/user-help/microsoft-authenticator-app-how-to) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||
-|[Enable automatic device registration of domain-joined Windows computers](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.|Cloud-only|
-|**Prepare your support team**. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||
-|[Configure password writeback to on-premises AD](/azure/active-directory/active-directory-passwords-getting-started). Password writeback allows Azure AD to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Azure AD Connect in one of two ways: either enable **Password Writeback** in the optional features screen of the Azure AD Connect setup wizard, or enable it via Windows PowerShell.|Cloud-only|
-|[Configure Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad). Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||
-|[Enable Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection). Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||
-|**Enable modern authentication** for [Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online) and for [Skype for Business Online](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx). Modern authentication is a prerequisite for using MFA. Modern authentication is enabled by default for Office 2016 and 2019 clients, SharePoint, and OneDrive for Business.||
+|Configuration|Exceptions|Licensing|
+||::||
+|[Configure PHS](/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization). This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. **Note:** This is required regardless of whether your organization uses federated authentication.|Cloud-only|Microsoft 365 E3 or E5|
+|[Enable seamless single sign-on](/azure/active-directory/connect/active-directory-aadconnect-sso) to automatically sign users in when they are on their organization devices connected to your organization network.|Cloud-only and federated|Microsoft 365 E3 or E5|
+|[Configure named locations](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations). Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||Microsoft 365 E3 or E5|
+|[Register all users for self-service password reset (SSPR) and multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-registration-mfa-sspr-converged). We recommend you register users for Azure AD Multi-Factor Authentication ahead of time. Azure AD Identity Protection makes use of Azure AD Multi-Factor Authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the [Microsoft Authenticator app](/azure/active-directory/user-help/microsoft-authenticator-app-how-to) and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Microsoft 365 E3 or E5|
+|[Enable automatic device registration of domain-joined Windows computers](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup). Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.|Cloud-only|Microsoft 365 E3 or E5|
+|**Prepare your support team**. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||Microsoft 365 E3 or E5|
+|[Configure password writeback to on-premises AD](/azure/active-directory/active-directory-passwords-getting-started). Password writeback allows Azure AD to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Azure AD Connect in one of two ways: either enable **Password Writeback** in the optional features screen of the Azure AD Connect setup wizard, or enable it via Windows PowerShell.|Cloud-only|Microsoft 365 E3 or E5|
+|[Configure Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad). Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||Microsoft 365 E3 or E5|
+|[Enable Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection). Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
+|**Enable modern authentication** for [Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online) and for [Skype for Business Online](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx). Modern authentication is a prerequisite for using MFA. Modern authentication is enabled by default for Office 2016 and 2019 clients, SharePoint, and OneDrive for Business.||Microsoft 365 E3 or E5|
| ## Recommended client configurations
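Review bot: the new Licensing column assigns "Microsoft 365 E3 or E5" to the "**Prepare your support team**" row, which is a process step rather than a licensed feature; leave that cell empty or mark it as not applicable so the column only states real licence requirements. The Identity Protection row correctly carries the "Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on" requirement, which matches the policies table in identity-access-policies.md in this same change.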
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
If your organization has unique environment requirements or complexities, use th
Watch this video for a quick overview of identity and device access configurations for Microsoft 365 for enterprise.
+<br>
+ > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWxEDQ] > [!NOTE]
Watch this video for a quick overview of identity and device access configuratio
## Intended audience
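Review bot: the added line puts the `> [!VIDEO ...]` embed and the `> [!NOTE]` opener on the same line; each callout has to start on its own line, with a blank line after the embed, for the NOTE to render as a separate block. The context shown after the embed repeats the "Watch this video for a quick overview..." sentence from before it; if that sentence really appears twice in the article, drop one copy. The raw `<br>` before the embed should be unnecessary once the blank lines are in place.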
-These recommendations are intended for enterprise architects and IT professionals who are familiar with Microsoft 365 cloud productivity and security services, which includes Azure AD (identity), Microsoft Intune (device management), and Azure Information Protection (data protection).
+These recommendations are intended for enterprise architects and IT professionals who are familiar with Microsoft 365 cloud productivity and security services, which includes Azure AD (identity), Microsoft Intune (device management), and Microsoft Information Protection (data protection).
### Customer environment The recommended policies are applicable to enterprise organizations operating both entirely within the Microsoft cloud and for customers with hybrid identity infrastructure, which is an on-premises Active Directory Domain Services (AD DS) forest that is synchronized with an Azure AD tenant.
-Many of the provided recommendations rely on services available only with Microsoft 365 E5, Microsoft 365 E3 with the Identity & Threat Protection add-on, EMS E5, or Azure Premium P2 licenses.
+Many of the provided recommendations rely on services available only with Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses.
For those organizations who do not have these licenses, Microsoft recommends you at least implement [security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults), which is included with all Microsoft 365 plans.
Azure AD provides a full suite of identity management capabilities. We recommend
|[Conditional Access](/azure/active-directory/conditional-access/overview)|Azure AD evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5| |[Azure AD groups](/azure/active-directory/fundamentals/active-directory-manage-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Azure AD groups. We recommend you create Azure AD groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to an Azure AD group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5| |[Device enrollment](/azure/active-directory/devices/overview)|You enroll a device into Azure AD to create an identity for the device. This identity is used to authenticate the device when a user signs in and to apply Conditional Access policies that require domain-joined or compliant PCs. For this guidance, we use device enrollment to automatically enroll domain-joined Windows computers. Device enrollment is a prerequisite for managing devices with Intune.|Microsoft 365 E3 or E5|
-|[Azure AD Identity Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multi-factor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the Identity & Threat Protection add-on, EMS E5, or Azure Premium P2 licenses|
+|[Azure AD Identity Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multi-factor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses|
|[Self-service password reset (SSPR)](/azure/active-directory/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5| |[Azure AD password protection](/azure/active-directory/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5| |
Similarly, for your sensitive apps, create the set of policies and add one app a
Microsoft recommends that you do not create policy sets that apply to all apps because it can result in some unintended configurations. For example, policies that block all apps could lock your admins out of the Azure portal and exclusions cannot be configured for important endpoints such as Microsoft Graph.
-## Steps in the process of configuring identity and device access
+## Steps to configure identity and device access
![Steps to configure identity and device access.](../../media/microsoft-365-policies-configurations/identity-device-access-steps.png)
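Review bot: renaming the heading to "Steps to configure identity and device access" changes its anchor from #steps-in-the-process-of-configuring-identity-and-device-access, so any links into this section from other articles will break; search the repo for the old anchor and update those links in the same change. The image alt text on the following line already matches the new heading.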