Updates from: 04/26/2022 01:17:04
Category Microsoft Docs article Related commit history on GitHub Change details
admin Servicenow Aad Oauth Token https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/servicenow-aad-oauth-token.md
These prerequisites are necessary to set up the Microsoft 365 support integratio
:::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image3.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
-1. Go to **Authentication** and select **Add a platform**. Select the **Web** option and enter the redirect URL: `https://{your-servicenow-instance``}.service-now.com/auth_redirect.do`
+1. Go to **Authentication** and select **Add a platform**. Select the **Web** option and enter the redirect URL: `https://{your-servicenow-instance``}.service-now.com/oauth_redirect.do`
:::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image4.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
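Review bot: the redirect URL on the added line still has a stray pair of backticks between `{your-servicenow-instance` and `}`, which closes the code span early when rendered and leaves the rest of the URL as plain text. Since this value has to be pasted into the Azure AD app registration and must match the redirect URI ServiceNow sends, remove the extra backticks so the whole URL renders as one copyable string ending in `/oauth_redirect.do`.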
These prerequisites are necessary to set up the Microsoft 365 support integratio
- Token URL: `https://login.microsoftonline.com/{microsoft-365-tenant-name}/oauth2/token`
- - Redirect URL: `https://{service-now-instance-name``}.service-now.com/auth_redirect.do`
+ - Redirect URL: `https://{service-now-instance-name``}.service-now.com/oauth_redirect.do`
:::image type="content" source="../../media/ServiceNow-guide/servicenow-guide-image6.png" lightbox="../../media/ServiceNow-guide/servicenow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
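Review bot: the placeholder in this Redirect URL is `{service-now-instance-name}`, while the Azure AD step earlier in the same article uses `{your-servicenow-instance}` for the same value. Use one placeholder name in both places so it is obvious the two redirect URLs must be identical, and drop the stray double backticks before `}` here as well.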
These prerequisites are necessary to set up the Microsoft 365 support integratio
- Name: **{Tenant\_Name}\_application\_inbound\_api** (example: contoso\_applicaiton\_inbound\_api)
- - Client ID: The Client ID of the application created in Prerequisites (Azure AD Auth Token) step \#2.
+ - Client ID: The Client ID of the application created in Prerequisites (Azure AD Auth Token) step \#3.
- - Client Secret: The App Secret of the application created in Prerequisites (Azure AD Auth Token) step \#2.
+ - Client Secret: The App Secret of the application created in Prerequisites (Azure AD Auth Token) step \#3.
- OAuth OIDC Provider Configuration: The OIDC provider created in the previous step
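Review bot: the example on the Name line reads `contoso\_applicaiton\_inbound\_api`, which does not match the `{Tenant\_Name}\_application\_inbound\_api` pattern it illustrates; fix the spelling while this block is being touched. The Client ID and Client Secret lines point at the prerequisite by number, and that number just had to change from \#2 to \#3, so consider linking to the prerequisite step by heading rather than by position.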
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
You can also define user tags as a condition of an alert policy. This results in
- Data loss prevention
- - Information governance
+ - Data lifecycle management
- Mail flow
You can also define user tags as a condition of an alert policy. This results in
## Default alert policies
-Microsoft provides built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. On the **Alert policies** page, the names of these built-in policies are in bold and the policy type is defined as **System**. These policies are turned on by default. You can turn off these policies (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.
+Microsoft provides built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and data lifecycle management risks. On the **Alert policies** page, the names of these built-in policies are in bold and the policy type is defined as **System**. These policies are turned on by default. You can turn off these policies (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.
The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the Alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. This alert policy has an **Informational** severity setting. This is to inform admins of upcoming changes in the filters since the allow or block could be going away. For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Tenant restricted from sending email**|Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate any potentially compromised user and admin accounts, new connectors, or open relays, and then contact Microsoft Support to unblock your organization. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5| |**Tenant restricted from sending unprovisioned email**|Generates an alert when too much email is being sent from unregistered domains (also known as *unprovisioned* domains). 
Office 365 allows a reasonable amount of email from unregistered domains, but you should configure every domain that you use to send email as an accepted domain. This alert indicates that all users in the organization can no longer send email. This policy has a **High** severity setting. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Information governance|No|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
-|**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Information governance|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
-|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Information governance|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual external user file activity**|Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a **High** severity setting.|Data lifecycle management|No|E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual volume of external file sharing**|Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a **Medium** severity setting.|Data lifecycle management|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
+|**Unusual volume of file deletion**|Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a **Medium** severity setting.|Data lifecycle management|No|E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on subscription|
|**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **Medium** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|No|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User requested to release a quarantined message**|Generates an alert when a user requests release for a quarantined message. To request the release of quarantined messages, the **Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_) permission is required in the quarantine policy (for example, from the **Limited access** preset permissions group). For more information, see [Allow recipients to request a message to be released from quarantine permission](../security/office-365-security/quarantine-policies.md#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission). This policy has an **Informational** severity setting.|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
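Review bot: in the three rewritten rows the licensing column is inconsistent: the first says "Microsoft Defender for Office 365 P2" and the next two say "Defender for Office 365 P2". Pick one form while these rows are open. The category rename itself is applied consistently to all three rows, but because the category decides which alerts a role can view, it is worth confirming that no other row in this table still carries "Information governance".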
The following table lists the roles that are required to view alerts from the si
To see which category a default alert policy is assigned to, see the table in [Default alert policies](#default-alert-policies).
-|Role|Information governance|Data loss prevention|Mail flow|Permissions|Threat management|Others|
+|Role|Data lifecycle management|Data loss prevention|Mail flow|Permissions|Threat management|Others|
|:|::|::|::|::|::|::| |Audit Logs||||||| |Case Management|||||||
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
Prepend subject|PrependSubject|String|Adds the specified text to the beginning o
|Apply HTML disclaimer|ApplyHtmlDisclaimer|First property: *Text*<br/><br/>Second property: *Location*<br/><br/>Third property: *Fallback action*|Applies the specified HTML disclaimer to the required location of the message.<br/><br/>This parameter uses the syntax: @{ Text = " " ; Location = \<Append \| Prepend\>; FallbackAction = \<Wrap \| Ignore \| Reject\> }| |Remove message encryption and rights protection|RemoveRMSTemplate|n/a|Removes message encryption applied on an email| |Deliver the message to the hosted quarantine |*Quarantine*|n/a| This action is currently in **public preview**. During this phase, emails quarantined by DLP policies will show policy type as ExchangeTransportRule.<br/><br/> Delivers the message to the quarantine in EOP. For more information, see [Quarantined email messages in EOP](/microsoft-365/security/office-365-security/quarantine-email-messages).|-
-<!--|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: <br/><br/>- **Replace** all matches in the subject with the replacement text <br/><br/>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. <br/><br/>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject. See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule|-->
+|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: <br/><br/>- **Replace** all matches in the subject with the replacement text <br/><br/>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. <br/><br/>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject. See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule|
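Review bot: the row that is now uncommented ends with "See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule", which has a stray comma and a bare path instead of a Markdown link. It also says "See the example below" without an example being added in this change. Turn the path into a link to the cmdlet reference and either add the example or drop the sentence; the three option descriptions also mix "to remove" and "inserts" and would read better with one verb form.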
compliance Encryption Office 365 Certificate Chains https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-office-365-certificate-chains.md
f1.keywords:
- NOCSH - Previously updated : 2/1/2021+ Last updated : 4/25/2022 audience: Admin
description: "View a complete list of root certificates and certificate authorit
Microsoft 365 leverages a number of different certificate providers. The following describes the complete list of known Microsoft 365 root certificates that customers may encounter when accessing Microsoft 365. For information on the certificates you may need to install in your own infrastructure, see [Plan for third-party SSL certificates for Microsoft 365](../enterprise/plan-for-third-party-ssl-certificates.md). The following certificate information applies to all worldwide and national cloud instances of Microsoft 365.
-Last updated: **10/16/2020**
+Last updated: **4/25/2022**
> [!NOTE] > For certificate information that applies to **DOD and GCC High** customers, see [Microsoft 365 encryption chains - DOD and GCC High](encryption-office-365-certificate-chains-itar.md). | **Certificate type** | **P7b download** | **CRL Endpoints** | **OCSP Endpoints** | **AIA Endpoints** | | | | | | |
-| Publicly Trusted Root Certificates | [Microsoft 365 Root Certificate Bundle (P7B)](https://download.microsoft.com/download/4/a/b/4ab1c940-826b-444b-b287-b7a902e68da0/m365_root_certs_20201012.p7b) | crl.globalsign.net<br>www.d-trust.net | N/A | N/A |
+| Publicly Trusted Root Certificates | [Microsoft 365 Root Certificate Bundle (P7B)](https://download.microsoft.com/download/4/a/b/4ab1c940-826b-444b-b287-b7a902e68da0/m365_root_certs_20220331.p7b) | crl.globalsign.net<br>www.d-trust.net | N/A | N/A |
| Publicly Trusted Intermediate Certificates | [Microsoft 365 Intermediate Certificate Bundle (P7B)](https://download.microsoft.com/download/1/4/7/14777f28-3fde-4958-aebf-bd192a4a7fac/m365_intermediate_certs_20201013.p7b) | cdp1.public-trust.com<br>crl.cnnic.cn<br>crl.entrust.net<br>crl.globalsign.com<br>crl.globalsign.net<br>crl.identrust.com<br>crl.thawte.com<br>crl3.digicert.com<br>crl4.digicert.com<br>s1.symcb.com<br>www.d-trust.net | isrg.trustid.ocsp.identrust.com<br>ocsp.digicert.com<br>ocsp.entrust.net<br>ocsp.globalsign.com<br>ocsp.omniroot.com<br>ocsp.startssl.com<br>ocsp.thawte.com<br>ocsp2.globalsign.com<br>ocspcnnicroot.cnnic.cn<br>root-c3-ca2-2009.ocsp.d-trust.net<br>root-c3-ca2-ev-2009.ocsp.d-trust.net<br>s2.symcb.com | aia.startssl.com<br>apps.identrust.com<br>cacert.omniroot.com<br>www.cnnic.cn | Expand the root and intermediate sections below to see additional details about the certificate providers.
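Review bot: only the root bundle link moves to `m365_root_certs_20220331.p7b`; the intermediate bundle on the next row still points at `m365_intermediate_certs_20201013.p7b` while the page's "Last updated" becomes 4/25/2022. If the intermediate set did not change, say so in the commit or on the page; otherwise readers who build trust stores or egress allow lists from this table will assume both bundles are current as of the new date.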
Expand the root and intermediate sections below to see additional details about
| **Pin (SHA-256)** | /zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= | | **CRL URLs** | ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist<br>http://www.d-trust.net/crl/d-trust\_root\_class\_3\_ca\_2\_ev\_2009.crl |
-### **ISRG Root X1**
-
-| **Subject** | C = US, O = Internet Security Research Group, CN = ISRG Root X1 |
-| | |
-| **Serial Number** | 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 |
-| **Public Key Length** | RSA 4096 bit |
-| **Signature Algorithm** | sha256WithRSAEncryption |
-| **Validity Not Before** | Jun 4 11:04:38 2015 UTC |
-| **Validity Not After** | Jun 4 11:04:38 2035 UTC |
-| **Subject Key Identifier** | 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E |
-| **Thumbprint (SHA-1)** | CABD2A79A1076A31F21D253635CB039D4329A5E8 |
-| **Thumbprint (SHA-256)** | 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6 |
-| **Pin (SHA-256)** | 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 |
- ### **Entrust Root Certification Authority - G2** | **Subject** | CN=Entrust Root Certification Authority - G2<br>OU=&quot;(c) 2009 Entrust, Inc. - for authorized use only&quot;<br>OU=See www.entrust.net/legal-terms<br>O=&quot;Entrust, Inc.&quot;<br>C=US |
Expand the root and intermediate sections below to see additional details about
| **Thumbprint (SHA-1)** | D69B561148F01C77C54578C10926DF5B856976AD | | **Thumbprint (SHA-256)** | CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B |
+### **ISRG Root X1**
+
+| **Subject** | C = US, O = Internet Security Research Group, CN = ISRG Root X1 |
+| | |
+| **Serial Number** | 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 |
+| **Public Key Length** | RSA 4096 bit |
+| **Signature Algorithm** | sha256WithRSAEncryption |
+| **Validity Not Before** | Jun 4 11:04:38 2015 UTC |
+| **Validity Not After** | Jun 4 11:04:38 2035 UTC |
+| **Subject Key Identifier** | 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E |
+| **Thumbprint (SHA-1)** | CABD2A79A1076A31F21D253635CB039D4329A5E8 |
+| **Thumbprint (SHA-256)** | 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6 |
+| **Pin (SHA-256)** | 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 |
+ ### **thawte Primary Root CA - G3** | **Subject** | CN=thawte Primary Root CA - G3<br>OU=&quot;(c) 2008 thawte, Inc. - For authorized use only&quot;<br>OU=Certification Services Division<br>O=&quot;thawte, Inc.&quot;<br>C=US |
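Review bot: the relocated ISRG Root X1 block keeps its "Pin (SHA-256)" value as a 64-character hex string, while the D-TRUST entry earlier on the page gives its pin in base64 (`/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk=`). Anyone copying these values into a pinning configuration will get a mismatch if the encodings are mixed, so express the ISRG pin in the same encoding as the other entries, or label the encoding in the row header. The move also left this block without a separator row consistent with the neighbouring tables; check that it still renders as a table in its new position.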
compliance Use Drive Shipping To Import Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-drive-shipping-to-import-pst-files-to-office-365.md
After you've shipped the hard drive to Microsoft, complete the following procedu
1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. In the left navigation pane of the compliance portal, click **Information governance > Import**.
+2. In the left navigation pane of the compliance portal, click **Data lifecycle management** > **Import**.
3. On the **Import** tab, click the job for the drive shipment that you want to enter the tracking number for.
To install the Azure Storage Explorer and connect to your Azure Storage area:
1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. In the left pane of the compliance portal, click **Information governance > Import**.
+2. In the left pane of the compliance portal, click **Data lifecycle management** > **Import**.
3. On the **Import** tab, click ![Add Icon.](../media/ITPro-EAC-AddIcon.gif) **New import job**.
compliance Use Network Upload To Import Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-network-upload-to-import-pst-files.md
The next step is to create the PST Import job in the Import service in Microsoft
1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. In the left pane of the compliance portal, click **Information governance > Import**.
+2. In the left pane of the compliance portal, click **Data lifecycle management > Import**.
3. On the **Import** tab, click ![Add Icon.](../media/ITPro-EAC-AddIcon.gif) **New import job**.
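Review bot: the navigation path here is bolded as a single span, `**Data lifecycle management > Import**`, whereas the same step in the drive shipping article was changed to `**Data lifecycle management** > **Import**`. Use the second form in both articles so the two UI labels are bolded separately and the separator is not.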
lti Teams Classes Meetings With Moodle https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-meetings-with-moodle.md
description: Create and manage Teams classes and meetings with Microsoft OneDriv
# Integrate Microsoft Teams classes and meetings within Moodle
+> [!NOTE]
+> Currently, Moodle and Microsoft Teams LTI integrations are only available in private preview.
+>
+>If you'd like to participate in the private preview program, [sign up here](https://m365crmedu.powerappsportals.com/LMSSignup/).
+ This guide provides the IT admin steps for registering both Teams Classes and Teams Meetings LTI apps on Moodle. For details on managing all OneLTI tools for any LMS, see [Manage Microsoft OneLTI for any LMS](manage-microsoft-one-lti.md).
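Review bot: the last line of the new note is written as `>If you'd like ...` with no space after the `>`, unlike the other lines of the block; add the space so the quote block is formatted consistently. The link text "sign up here" says nothing about the destination, which is an external sign-up form, so name it in the link text (for example, the private preview sign-up form).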
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 04/22/2022 - M365-security-compliance - m365initiative-defender-endpoint
Keeping Microsoft Defender Antivirus up to date is critical to assure your devic
## Security intelligence updates
-Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads dynamic security intelligence updates to provide additional protection. These dynamic updates do not take the place of regular security intelligence updates via security intelligence update KB2267602.
+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads dynamic security intelligence updates to provide additional protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
> [!NOTE] > Updates are released under the following KBs:
Security intelligence update version: 1.357.8.0 <br/>
- Tamper protection improvements - Replaced `ScanScheduleTime` with new `ScanScheduleOffest` cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the number of minutes after midnight to perform a scheduled scan. - Added the `-ServiceHealthReportInterval` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the time interval (in minutes) to perform a scheduled scan.-- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization, that allows synchronously inspected network flows, to switch to async inspection once they have been checked and validated.
+- Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization, that allows synchronously inspected network flows, to switch to async inspection once they've been checked and validated.
- Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). - Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.
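Review bot: the bullet directly above the changed line spells the parameter `ScanScheduleOffest` and calls it a cmdlet; it is a parameter of Set-MpPreference and is spelled `ScanScheduleOffset`, so anyone copying it from this page will get a parameter-not-found error. In the same line, the description given for `-ServiceHealthReportInterval` ("the time interval (in minutes) to perform a scheduled scan") repeats the scheduled-scan wording and should be checked against the cmdlet reference. On the changed line itself, the commas around "that allows synchronously inspected network flows" can go.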
Security intelligence update version: 1.355.2.0
- Improved CPU usage efficiency of certain intensive scenarios on Exchange servers - Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module. For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).-- Fixed bug in which `SharedSignatureRoot` value could not be removed when set with PowerShell
+- Fixed bug in which `SharedSignatureRoot` value couldn't be removed when set with PowerShell
- Fixed bug in which [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on - Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). - PowerShell ISE support added for `New-MpPerformanceRecording`
When this update is installed, the device needs the jump package 4.18.2001.10 to
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: -- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+- **Security and Critical Updates servicing phase** - When running the latest platform version, you'll be eligible to receive both Security and Critical updates to the anti-malware platform.
- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
You can use the query editor to experiment with multiple queries. To use multipl
- Separate each query with an empty line. - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. +
+For a more efficient workspace, you can also use multiple tabs in the same hunting page. Select **New query** to open a tab for your new query.
++
+You can then run different queries without ever opening a new browser tab.
++
+>[!NOTE]
+> You risk losing unsaved queries if you open a new browser tab for a new query.
## Use sample queries
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-results.md
While you can construct your [advanced hunting](advanced-hunting-overview.md) qu
- View results as a table or chart - Export tables and charts - Drill down to detailed entity information-- Tweak your queries directly from the results or apply filters
+- Tweak your queries directly from the results
## View query results as a table or chart
By default, advanced hunting displays query results as tabular data. You can als
|--|--| | **Table** | Displays the query results in tabular format | | **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
-| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
-| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values | | **Scatter chart** | Plots numeric values for a series of unique items | | **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
+| **Stacked area chart** | Plots numeric values for a series of unique items and stacks the filled sections below the plotted values |
+| **Time chart** | Plots values by count on a linear time scale |
### Construct queries for effective charts
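Review bot: the Stacked column chart and Donut chart rows are removed here, and Stacked area chart and Time chart are added, but the "Construct queries for effective charts" section that follows is not part of this change. Check that its examples and screenshots do not still refer to the removed chart types, and give the Time chart row a description in the same style as the others (what is plotted on which axis).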
security Advanced Hunting Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-take-action.md
You can quickly contain threats or address compromised assets that you find in [
- Quarantine files ## Required permissions
-To take action through advanced hunting, you need a role in Microsoft Defender for Endpoint with [permissions to submit remediation actions on devices](/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
+To take action on devices through advanced hunting, you need a role in Microsoft Defender for Endpoint with [permissions to submit remediation actions on devices](/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission:
*Active remediation actions > Threat and vulnerability management - Remediation handling*
+To take action on emails through advanced hunting, you need a role in Microsoft Defender for Office 365 to [search and purge emails](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center).
+ ## Take various actions on devices
-You can take the following actions on devices identified by the `DeviceId` column in you query results:
+You can take the following actions on devices identified by the `DeviceId` column in your query results:
- Isolate affected devices to contain an infection or prevent attacks from moving laterally - Collect investigation package to obtain more forensic information
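Review bot: the new sentence for email actions only says "a role in Microsoft Defender for Office 365 to search and purge emails" and relies on the link for the role name, while the device paragraph spells out the exact permission to request. Name the role or permission here as well, so an analyst can ask for that specific assignment rather than a broader one.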
You can take the following actions on devices identified by the `DeviceId` colum
To learn more about how these response actions are performed through Microsoft Defender for Endpoint, [read about response actions on devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts).
-## Quarantine files
+### Quarantine files
You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine: - `SHA1`: In most advanced hunting tables, this column refers to the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this affected file would be the copied file.
To learn more about how quarantine actions are taken and how files can be restor
>[!NOTE] >To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers.
-## Take action
To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions. :::image type="content" source="../../media/take-action-multiple.png" alt-text="The Take actions option in the Microsoft 365 Defender portal" lightbox="../../media/take-action-multiple.png"::: +
+## Take various actions on emails
+Apart from device-focused remediation steps, you can also take some actions on emails from your query results. Select the records you want to take action on, select **Take actions**, then under **Choose actions**, select your choice from the following:
+- `Move to mailbox folder` - select this to move the email messages to Junk, Inbox, or Deleted items folder
+
+ :::image type="content" source="../../media/advanced-hunting-take-actions-email.png" alt-text="The Take actions option in the Microsoft 365 Defender portal" lightbox="../../media/advanced-hunting-take-actions-email.png":::
+
+- `Delete email` - select this to move email messages to the Deleted items folder (**Soft delete**) or delete them permanently (**Hard delete**)
+
+ :::image type="content" source="../../media/advanced-hunting-take-actions-email-del.png" alt-text="The Take actions option in the Microsoft 365 Defender portal" lightbox="../../media/advanced-hunting-take-actions-email-del.png":::
+
+You can also provide a remediation name and a short description of the action taken to easily track it in the action center history. You can also use the Approval ID to filter for these actions in the action center. This ID is provided at the end of the wizard:
++
+These email actions are applicable to [custom detections](custom-detections-overview.md) as well.
++ ## Review actions taken Each action is individually recorded in the [action center](m365d-action-center.md) under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action.
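Review bot: Removing the `## Take action` heading leaves the paragraph that begins "To take any of the described actions, select one or more records" under `### Quarantine files`, although it applies to every device action listed above it. Keep a heading for that paragraph or move it ahead of the subsection. In the added email section, "This ID is provided at the end of the wizard:" ends in a colon with nothing after it in this hunk, so either add the screenshot it announces or end the sentence with a period. Both new screenshots also reuse the alt text "The Take actions option in the Microsoft 365 Defender portal", which makes them indistinguishable to screen-reader users.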
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## April 2022
+- (Preview) [Actions](advanced-hunting-take-action.md) can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
## March 2022 - (Preview) The incident queue has been enhanced with several features designed to help your investigations. Enhancements include capabilities such as ability to search for incidents by ID or name, specify a custom time range, and others. + ## December 2021 - (GA) The `DeviceTvmSoftwareEvidenceBeta` table was added on a short-term basis in advanced hunting to allow you to view evidence of where a specific software was detected on a device.
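Review bot: The April 2022 entry says emails can be "moved to other folders or deleted permanently", which leaves out the **Soft delete** option that the linked article's `Delete email` bullet describes next to **Hard delete**. Suggest wording such as "moved to other folders, soft deleted, or deleted permanently" so the release note matches the two delete modes the article documents.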
security Manage Tenant Allows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allows.md
Allow Files on the **Submissions** page in Microsoft 365 Defender.
- **Spoof type**: Select one of the following values: - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). - **External**: The spoofed sender is in an external domain.
- - **Action**: Select **Allow** or **Block**.
+ - **Action**: Select **Allow**.
4. When you're finished, click **Add**.
security Manage Tenant Blocks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-blocks.md
ms.prod: m365-security
- **Spoof type**: Select one of the following values: - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). - **External**: The spoofed sender is in an external domain.
- - **Action**: Select **Allow** or **Block**.
+ - **Action**: Select **Block**.
4. When you're finished, click **Add**.
+> [!NOTE]
+> The emails from these senders will be blocked as *phish*.
## Use PowerShell
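Review bot: In the added note, "these senders" has no clear antecedent. It follows step 4 ("click **Add**"), and the visible steps describe a spoofed sender and a **Spoof type**, not a list of senders. State the scope explicitly, for example that messages matching the spoofed sender entries added here with **Action** set to **Block** are blocked as *phish*, and consider placing the note next to the **Action** bullet rather than after the final step.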
solutions Collaborate Teams Direct Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md
Title: "Collaborate with external participants in a channel"
+ Title: "Collaborate with external participants in a shared channel"
localization_priority: Priority f1.keywords: NOCSH recommendations: false
-description: Learn how to use shared channels with people outside your organization.
+description: Learn how to enable shared channels in Microsoft Teams for collaboration with people outside your organization.
-# Collaborate with external participants in a channel
+# Collaborate with external participants in a shared channel
-If you want to allow your users to collaborate with people outside your organization in [shared channels](/MicrosoftTeams/shared-channels), you need to configure B2B direct connect for each organization that you want to collaborate with. (Alternatively, you can [Enable shared channels with all external organizations](/microsoft-365/solutions/allow-direct-connect-with-all-organizations).)
+If you want to enable your users to collaborate with people outside your organization in [shared channels](/MicrosoftTeams/shared-channels), you need to configure B2B direct connect for each organization that you want to collaborate with. (Alternatively, you can [Enable shared channels with all external organizations](/microsoft-365/solutions/allow-direct-connect-with-all-organizations).)
-When you enable shared channels with another organization:
+When you enable shared channels in Teams with another organization:
- Team owners in your organization will be able to invite people from other organizations to participate in shared channels. - Your organization's custom (line of business) apps will be available in shared channels and external participants will be able to access them.
To configure shared channels
1. Select the policy for which you want to enable shared channels, and then select **Edit**. 1. Select the options you want to enable: - To allow team owners to create shared channels, turn **Create shared channels** on.
- - To allow team owners to share shared channels with people outside the organization, turn **Share shared channels externally** on.
- - To allow users to be invited to shared channels in other organizations, turn **Can be invited to external shared channels** on.
+ - To allow team owners to share shared channels with people outside the organization, turn **Invite external users to shared channels** on.
+ - To allow users to be invited to shared channels in other organizations, turn **Join external shared channels** on.
1. Select **Apply**. In order for external channel participants to participate in meetings, external access must be enabled. This is also required to be able to see external participants' presence in the channel.
To add an organization
1. Select **Add organization**. 1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization. 1. Select the organization in the search results, and then select **Add**.
-1. The organization appears in the **Organizational settings** list. At this point, all access settings for this organization are inherited from your default settings.
+1. The organization appears in the organizations list. At this point, all access settings for this organization are inherited from your default settings.
### Configure inbound settings
To configure inbound settings for an organization
1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**. 1. Select the inbound access link for the organization that you want to modify. 1. On the **B2B direct connect** tab, choose **Customize settings**.
-1. On the **External users and groups** tab, choose **Allow access** and **All users and groups**. (You can choose **Select external users and groups** if you want to limit access to specific users and groups, such as those who have signed a non-disclosure agreement.)
+1. On the **External users and groups** tab, choose **Allow access** and **All external users and groups**. (You can choose **Select external users and groups** if you want to limit access to specific users and groups, such as those who have signed a non-disclosure agreement.)
1. On the **Applications** tab, choose **Allow access** and **Select applications**. 1. Select **Add Microsoft applications**. 1. Select the **Office 365** application, and then choose **Select**.
To configure outbound settings for an organization
1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**. 1. Select the outbound access link for the organization that you want to modify. 1. On the **B2B direct connect** tab, choose **Customize settings**.
-1. On the **External users and groups** tab, choose **Allow access** and set a **Target** of all users.
+1. On the **External users and groups** tab, choose **Allow access** and set an **Applies to** of all users.
1. On the **External applications** tab, choose **Allow access** and **Select external applications**. 1. Select **Add Microsoft applications**. 1. Select the **Office 365** application, and then choose **Select**.
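Review bot: "set an **Applies to** of all users" in the outbound **External users and groups** step reads awkwardly after the label rename, and it is inconsistent with the inbound step, which names the option to pick (**All external users and groups**). Suggest naming both the control and the value, for example "under **Applies to**, select all users", and confirm the exact option label shown in the portal so the outbound scope is unambiguous.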
test-base Sdkapi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/sdkapi.md
Check below links to learn more details about the SDK & API.
- [Test Base Python SDK Documentation](/python/api/overview/azure/mgmt-testbase-readme) - [Test Base Python SDK Sample](https://aka.ms/testbase-sample-py)-- [Azure General Usage Pattern of Python SDK](/azure/developer/python/azure-sdk-overview#provision-and-manage-azure-resources-with-management-libraries)
+- [Azure General Usage Pattern of Python SDK](/azure/developer/python/sdk/azure-sdk-library-usage-patterns)
**REST API**: