-On the top of the report, you will see three charts describing cross-app trends across your organization.

-|App ID|The external App identifier present in the app manifest.|Yes|

-For more information about how to manage your Teams apps, please refer to [About apps in Microsoft Teams](/microsoftteams/deploy-apps-microsoft-teams-landing-page.md).

-> The Microsoft 365 updates described in this article apply to OneDrive for Business, SharePoint Online, Office for the web, Microsoft 365 admin center and some components of Exchange Online. These release options are targeted, best effort ways to release changes to Microsoft 365 but cannot be guaranteed at all times or for all updates. They do not currently apply to services other than those listed previously. For information about release options for Microsoft 365 Apps, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels).

-> Large or complex updates may take longer than others so that no users are adversely affected. There is no guarantee on the exact timeline of a release. Targeted release is now available for customers with either the Office 365 GCC plan or the Office 365 GCC High plan and DoD plan (including the services listed above except for Office for the web).

-Find more information on [Azure Active Directory roles and RBAC](/azure/active-directory/roles/permissions-reference.md).

-MacOS devices can be onboarded into Microsoft Purview solutions using either Intune or JAMF Pro. The onboarding procedures differ depending on which management solution you are using. If your macOS devices have already been onboarded into Microsoft Defender for Endpoint (MDE), there are fewer steps. See [Next steps](#next-steps) for links to the appropriate procedures for you.

-If you are not familiar with DLP at all, you should familiarize yourself with these articles as well:

-If you are not familiar with Insider Risk, you should familiarize yourself with these articles:

-## Activities that can be audited and restricted on macOS

-Once a macOS device is onboarded into Microsoft Purview solutions, you can monitor and restrict these actions with data loss prevention (DLP) policies.

-**Copy to a USB removable media** ΓÇô when enforced, this action blocks, warns or audits the copying or moving of protected files from an endpoint device to USB removable media

-**Copy to network shares** ΓÇô when enforced, this action blocks, warns, or audits the copying or moving of protected files from an endpoint device to any network share

-**Print** ΓÇô when enforced, this action blocks, warns, or audits when protected files are printed from an endpoint device

-**Copy to clipboard** ΓÇô when enforced, this action blocks, warns, or audits data in protected file that is being copied to a clipboard on an endpoint device

-**Upload to cloud** ΓÇô this action blocks, warns, or audits when protected files are prevented from or allowed to be uploaded to cloud services based on the allow/unallowed domains list in global settings. When this action is set to warn or block, other browsers (defined on unallowed browsers list under Global settings) are blocked from accessing the file.

-**Accessed by unallowed apps** ΓÇô when enforced, this action prevents applications that are on the unallowed apps list (as defined in Global settings) from accessing protected files on an endpoint device. Sample scenarios

-You can check the **Configuration status** and the **Policy sync status** of all your onboarded devices in the **Devices** list. For macOS devices the minimum version is 101.95.07. For more information on the configuration and policy status, select an onboarded device to open the details pane.

-|Not updated | You need to enable the configuration settings for this device. Follow the procedures for your environment: </br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using Intune](device-onboarding-offboarding-macos-intune.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-intune) </br>- [Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-intune-for-microsoft-defender-for-endpoint-customers)</br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro](device-onboarding-offboarding-macos-jamfpro.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-jamf-pro)</br>- [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-jamfpro-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-jamf-pro-for-microsoft-defender-for-endpoint-customers) |This device has not synced the latest policy updates. If the policy update was made within the last 2 hours, wait for the policy to reach your device. |

-|Not available | Device properties are not available in the device list. This is could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded. |Device properties are not available in the device list. This is could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded.|

-|Restricted app groups |Supported |Not supported

-|Unallowed Bluetooth apps |Supported |Not supported | |

-|Auto-quarantine file from unallowed apps | Supported | Not supported| |

-|Advanced classification | Supported | Not supported| |

-|Business justification in policy tips | Supported | Supported| |

-#### File activities for apps in restricted app groups

-### Other matched conditions (preview)

-#### For endpoints (preview)

-# Get started with Data loss prevention policies for Power BI (preview)

-You define a DLP policy in the data loss prevention section of the compliance portal. See, [Design a data loss prevention policy](dlp-policy-design.md#design-a-data-loss-prevention-policy). In the policy, you specify sensitivity label(s) you want to detect. You also specify the action(s) that will happen when the policy detects a dataset that has a specified sensitivity label applied. DLP policies support two actions for Power BI:

-|Windows 10/11 devices |items |yes |yes |

-|Confidence |The [confidence level](/sensitive-information-type-learn-about.md#more-on-confidence-levels) of the SIT |

-|upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they are using a browser that is listed in DLP as an unallowed browser, the upload activity will be blocked and the user is redirected to use Microsoft Edge. Microsoft Edge will then either allow or block the upload or access based on the DLP policy configuration |supported | supported|auditable and restrictable|

-|copy to other app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. It also detects when a user copies and pastes content among files within the same app, process or item for Word, Excel, and PowerPoint.|supported|supported | auditable and restrictable|

-|copy to USB removable media |Detects when a user attempts to copy an item or information to removable media or USB device.|supported|supported | auditable and restrictable|

-|copy to a network share |Detects when a user attempts to copy an item to a network share or mapped network drive |supported|supported |auditable and restrictable|

-|print a document |Detects when a user attempts to print a protected item to a local or network printer.|supported|supported|auditable and restrictable |

-|copy to a remote session|Detects when a user attempts to copy an item to a remote desktop session |supported|not supported| auditable and restrictable|

-|copy to a Bluetooth device|Detects when a user attempts to copy an item to an unallowed Bluetooth app (as defined in the list of unallowed Bluetooth aps in Endpoint DLP settings).|supported|not supported| auditable and restrictable|

-|create an item|Detects when a user creates an item|supported |supported |auditable|

-|rename an item|Detects when a user renames an item|supported |supported |auditable|

-File Types are a grouping of file formats which are utilized to protect specific workflows or areas of business. You can use one or more File types as conditions in your DLP policies.

-The Preservation Hold library works in the following way:

- - [Endpoint DLP Aggregated most restrictive actions applied to endpoints](dlp-policy-reference.md#for-endpoints-preview)

- - [Display of conditions matched when an item matches a policy](dlp-configure-view-alerts-policies.md#other-matched-conditions-preview)

-> [!IMPORTANT]

-> This cross-tenant functionality is only available to customers with Enterprise Agreements. Licensing is not available via other purchase options at this time.

-Cross Tenant User Data Migration is available as an add-on to the following Microsoft 365 subscription plans for Enterprise Agreement customers. User licenses are per migration (onetime fee). Please contact your Microsoft account team for details.

-No, the Teams chat folder content doesn't migrate cross-tenant. When a mailbox is migrated cross-tenant with this feature, only user visible content in the mailbox (email, contacts, calendar, tasks, and notes) is migrated.

-Yes, if the user in source has auto-expanding archives enabled and has additional auxiliary archives, cross-tenant mailbox migration will work. We support moving users that have no more than 12 auxiliary archive mailboxes. Additionally, users with large primary, large main archive, and large auxiliary archive mailboxes will require extra time to synchronize and should be submitted well in advance of the cutover date. Also note that if the source mailbox is expanded during the mailbox migration process, the migration will fail as a new auxiliary archive will be created in the source, but not in the target. In this case, you'll need to remove the user from the batch and resubmit them.

-|Macro Region Geography 1 - EMEA <br/> |Data centers in Austria, Finland, France, Ireland, Netherlands, Sweden <br/> |

-|Local Region Geography <br/> |Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom <br/> |

-|Expanded Local Region Geography <br/> |Poland, Italy, Indonesia, Israel, Spain, Mexico, Malaysia, Austria, Chile, New Zealand, Denmark, Greece, Taiwan <br/> |

-1. Product Terms: Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams provisioned in any _Local Region Geography_, or the European Union or the United States have a commitment for customer data residency expressed in the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all). For more information see the [Product Terms Data Residency page](m365-dr-product-terms-dr.md).

-1. _Advanced Data Residency_ subscription guarantees data residency for an expanded set of Microsoft 365 services in any _Local Region Geography_ or _Expanded Local Region Geography_. For more information see the [Advanced Data Residency page](advanced-data-residency.md).

-1. Only available for _Local Region Geography_ countries, European Union and the United States.

-1. Available in _Local Region Geography_, _Expanded Local Region Geography_ and _Regional Geography countries/regions_

-1. Only available for _Local Region Geography_ and _Expanded Local Region Geography_ countries.

-|Macro Region Geography 1 - EMEA (Europe, Middle East and Africa) | Austria, Finland, France, Ireland, Netherlands, Sweden |

-|European Union |Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam), Sweden (Gävle, Sandviken, Staffanstorp) |

-There are six specific network insights that may be shown for each office location:

-There are two tenant-level network insights that may be shown for the tenant:

->[!IMPORTANT]

->Network insights, performance recommendations and assessments in the Microsoft 365 Admin Center is currently in preview status, and is only available for Microsoft 365 tenants that have been enrolled in the feature preview program.

-The following scenarios are available for healthcare organizations:

-| [Virtual Appointments with Teams and Electronic Healthcare Record (EHR) integration](#virtual-appointments-and-electronic-healthcare-record-ehr-integration) | Schedule, manage, and conduct virtual appointments with patients. This scenario connects Teams and the Oracle Health or Epic platform to support virtual appointments. | Active subscription to Microsoft Cloud for Healthcare or subscription to Microsoft Teams EHR connector standalone offer. <br> Users must have an appropriate Microsoft 365 or Office 365 license that includes Teams meetings*. <br> Organizations must have Oracle Health version November 2018 or later or Epic version November 2018 or later. <br>Details for [Oracle Health EHR](ehr-admin-oracle-health.md#before-you-begin) and [Epic EHR](ehr-admin-epic.md#before-you-begin) requirements |

-| [Virtual Appointments with Teams](#virtual-appointments-and-electronic-healthcare-record-ehr-integration) | Schedule, manage, and conduct virtual appointments with patients. This scenario relies on the Virtual Appointments app or the Bookings app to support virtual appointments. | The Virtual Appointments app or the Bookings app must be enabled for your organization. <br> All staff who conduct meetings must have a license that supports Teams Meeting scheduling*.|

-| [Care coordination and collaboration](#care-coordination-and-collaboration) | Clinicians and staff can collaborate internally on schedules, documents, tasks, and so on.| Users must have an appropriate license*. |

-Or choose from other [scenarios](flw-choose-scenarios.md) for Microsoft 365 for frontline workers, such as [Corporate communications](flw-corp-comms.md) or [Wellbeing and engagement](flw-wellbeing-engagement.md).

-And take advantage of these features that help Microsoft Teams work for your healthcare organization:

-| Feature | Description | Requirements |

-| -- | -- | -- |

-| [Teams policy packages](#teams-policy-packages)| Ensure that clinical workers, information workers, and patient room devices have the appropriate access to Teams functionality.| Users must have an appropriate license*. |

-| [Secure messaging](#secure-messaging) | Get quicker attention to urgent messages and have confidence that the message was received and read. | Users must have an appropriate license*. |

-| [Teams templates](#teams-templates-for-healthcare-organizations) | Create teams that include a predefined template of settings, channels, and pre-installed apps for communication and collaboration within a ward, pod, or department, or between multiple wards, pods, and departments within a hospital. | Users must have an appropriate license*. |

-## Virtual Appointments and Electronic Healthcare Record (EHR) integration

-## Teams policy packages

-Apply Teams policy packages to define what different roles can do in Teams. For example, specify policies for:

-To learn more, see [Teams policy packages for healthcare](/microsoftteams/policy-packages-healthcare?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json).

-## Secure messaging

-Also related to secure messaging is the ability to have other tenants federated by Healthcare organizations, allowing richer inter-tenant communication. (See [Manage external meetings and chat in Microsoft Teams](/microsoftteams/manage-external-access)).

-## Teams templates for healthcare organizations

-Teams includes templates designed specifically for healthcare organizations, making it easier to create teams for staff to communicate and collaborate on patient care or operational needs. To learn more, see [Use healthcare team templates](/microsoftteams/expand-teams-across-your-org/healthcare/healthcare-templates-admin-console?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json).

-## Care coordination and collaboration

-Bring your health team together to coordinate care and collaborate with Teams.

-

-Teams enables physicians, clinicians, nurses, and other staff to collaborate efficiently with included collaboration features in Teams, such as:

-In addition, your team can use apps in Teams to:

-### Coordinate over email with Exchange Online

-Email is a core communication tool for most workplaces. [Set up email with Exchange Online](flw-setup-microsoft-365.md#set-up-email-with-exchange-online) to help your frontline managers and workers coordinate with care team members in other locations or schedule meetings to discuss care plans. Users must have an F3 license to have an email mailbox.

-You can also set up shared mailboxes to allow for incoming mail from customers (such as for customer service or scheduling requests) and have a group of workers who monitor and send email from a public email alias like info@contoso.com. For more information about shared mailboxes, see [About shared mailboxes](../admin/email/about-shared-mailboxes.md) and [Open and use a shared mailbox in Outlook](https://support.microsoft.com/office/open-and-use-a-shared-mailbox-in-outlook-d94a8e9e-21f1-4240-808b-de9c9c088afd).

-The Virtual Appointments usage report in the Microsoft Teams admin center gives you an overview of Teams Virtual Appointments activity in your organization. You can view detailed activity for virtual appointments scheduled through the [Bookings app](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5) and the [Microsoft Teams Electronic Health Record (EHR) connector](teams-in-hc.md#virtual-appointments-and-electronic-healthcare-record-ehr-integration).

-[Microsoft Defender SmartScreen Documentation](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md)

-ms.sitesec: library

-ms.pagetype: security

-| **IncludedIdList** | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |

-| **ExcludedIDList** | The group(s) that the policy won't be applied to. | The Group ID/GUID must be used at this instance. |

-Here are some pre-built advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can also use these queries to [create detection rules](/defender/custom-detection-rules.md#create-a-custom-detection-rule) that'd alert you when the devices are in troubleshooting mode.

-To make the most of your trial, see [Trial user guide: Microsoft Defender Vulnerability Management](/trial-user-guide-defender-vulnerability-management.md)

- * [Suspend privileged and local accounts](/investigate-users.md) that you suspect are part of the attack. You can do this from the **Users** tab in the properties of the incident in the Microsoft 365 Defender portal.

-Anti-malware protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-Anti-phishing protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-Anti-phishing protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-Anti-spam protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-Outbound spam protection stops for a sender after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-Safe Attachments protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

-After you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied. The **Built-in protection** policy is always applied last. The Safe Links policies associated **Standard** and **Strict** preset security policies are always applied before custom Safe Links policies.

-Safe Links protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

- - **Migrated**: Entries that were automatically migrated as [URL block entries in the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) from June 2022 to December 2022.

- When you're finished on the **Safe Links settings for your organization** flyout that opens, select **Save**.

-You can use the [Get-AtpPolicyForO365](/powershell/module/exchange/get-atppolicyforo365) cmdlet in Exchange Online PowerShell to view existing entries in the _BlockURLs_ property.

-For example:

- ```powershell

- Get-AtpPolicyForO365 | Format-List BlockUrls

- ```

-For details about the entry syntax, see [Entry syntax for the "Block the following URLs" list](safe-links-about.md#entry-syntax-for-the-block-the-following-urls-list).

-|**Attack Simulator Administrators**|Don't use this role group in these portals. Use the corresponding role in Azure AD.|Attack Simulator Admin|

-|**Attack Simulator Payload Authors**|Don't use this role group in these portals. Use the corresponding role in Azure AD.|Attack Simulator Payload Author|

-|**Attack Simulator Admin**|Don't use this role in the portals. Use the corresponding role in Azure AD.|Attack Simulator Administrators|

-|**Attack Simulator Payload Author**|Don't use this role in the portals. Use the corresponding role in Azure AD.|Attack Simulator Payload Authors|

-There are several [Intune partner productivity apps](/mem/intune/apps/apps-supported-intune-apps.md#partner-productivity-apps) that support Intune configuration and protection. These apps are available from various sources and often provide support for both iOS/iPadOS and Android devices. For apps that require you to purchase a license, subscription, or account for each user to use the app, you'll need to work directly with the app vendor.

-In addition to standard store apps that can be managed, you can add specific [partner UEM apps](/mem/intune/apps/apps-supported-intune-apps.md#partner-uem-apps) to Intune. These apps are also available in either the Google Play Store or the Apple App Store. However, these apps are capable of supporting advanced app protection policy and app configuration policy settings. You may need to work directly with the app vendor to purchase a license, subscription, or account for each user to use the related app.