+|[Microsoft browser usage](browser-usage-report.md)|Yes|N/A¹|N/A¹|N/A¹|N/A¹|

+|[Microsoft 365 Apps usage](microsoft365-apps-usage-ww.md)|Yes|Yes|N/A¹|N/A¹|Yes

+|[Microsoft Teams user activity](microsoft-teams-user-activity-preview.md)|Yes|Yes|Yes|Yes|N/A¹|

+|[Microsoft Teams device usage](microsoft-teams-device-usage-preview.md)|Yes|Yes|Yes|Yes|N/A¹|

+|[Microsoft Teams team activity](microsoft-teams-usage-activity.md)|Yes|Yes|Yes|Yes|N/A¹|

+|[Forms activity](forms-activity-ww.md)|Yes|Yes|N/A¹|N/A¹|N/A¹|

+|[Skype for Business Online activity](/SkypeForBusiness/skype-for-business-online-reporting/activity-report)|Yes|Yes|N/A¹|N/A¹|Yes|

+|[Skype for Business Online conference organized activity](/SkypeForBusiness/skype-for-business-online-reporting/conference-organizer-activity-report)|Yes|Yes|N/A¹|N/A¹|Yes|

+|[Skype for Business Online conference participant activity](/SkypeForBusiness/skype-for-business-online-reporting/conference-participant-activity-report)|Yes|Yes|N/A¹|N/A¹|Yes|

+|[Skype for Business Online peer-to-peer activity](/SkypeForBusiness/skype-for-business-online-reporting/peer-to-peer-activity-report)|Yes|Yes|N/A¹|N/A¹|Yes|

+|[Viva Learning activity](viva-learning-activity.md)|Yes|N/A|N/A|N/A|N/A²|

+|[Viva Insights activity](viva-insights-activity.md)|Yes|Yes|N/A|N/A|N/A²|

+|[Project activity](project-activity.md)|Yes|Yes|N/A|N/A|N/A²|

+|[Visio activity](visio-activity.md)|Yes|Yes|N/A|N/A|N/A²|

+N/A²: The service is not available in the environment, so there's no plan to release the report.

+1. Use the following command to verify the folder size thatΓÇÖs occupying User data:

+1. Check the folders quota or size.

+1. If the folder consuming the space is `SharePointWebPartsConnectorMessages`, as mentioned in [Use the Connector web part](https://support.microsoft.com/en-us/office/use-the-connector-web-part-db0756aa-f78f-4b74-8b19-be5dca0420e1?ns=spostandard&version=16&syslcid=1033&uilcid=1033&appver=spo160&helpid=wssenduser_useconnectorwebpart_fl862286&ui=en-us&rs=en-us&ad=us)then do the following:

+ 1. Wait for the messages to be cleared by default in 90 days.

+1. If there's no special folder occupying the group mailbox size, [apply the group mailbox retention policy,](/microsoft-365/compliance/create-retention-policies) and wait for retention policy to clean up the emails from group mailbox.

+> Microsoft 365 Health dashboard is in public preview and may not be available to all customers.

+## Watch

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RW12HEz?autoplay=false]

+## Steps: Health dashboard in the Microsoft 365 admin center

+> Cortana voice assistance is supported in Microsoft Teams mobile apps for iOS and Android, [Microsoft Teams displays](/microsoftteams/devices/teams-displays), and [Microsoft Teams Rooms on Windows](/microsoftteams/rooms), in the English language for users in the United States, United Kingdom, Canada, India, and Australia. Cortana voice assistance isn't currently available for GCC, GCC-High, DoD, EDU tenants. Expansion to additional languages and regions will happen as part of future releases and admin customers will be notified through Message Center and the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=65346).

+ Title: "Welcome to Business Assist"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+description: "Welcome to Business Assist."

+# Welcome to Business Assist

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOfN?autoplay=false]

+## Download Dual Use Rights keys

+Dual Use Rights keys are a benefit of some specific Dynamics 365 subscription licenses.

+1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+2. Choose the Dynamics 365 Service that has a Dual Use Right key.

+3. On the subscription details page, in the **Registration Keys** section, select the version to download.

+ > [!NOTE]

+ > If the product only has one version to download, you can't select other versions.

+4. To download the installation file, select **Download Software**. To download the activation file, select **Download License Key**.

+# Manage Microsoft Teams auto-claim policies

+> Auto-claim policies are currently only available for Microsoft Teams. More products will be available to use in the future.

+> [!NOTE]

+> Currently, you can only create one auto-claim policy. The number of policies you can create will increase as more products are able to use this feature.

+## Back up data before changing Microsoft 365 for business plans

+If you plant to move a user to another subscription that has fewer data-related services, or a user leaves the organization, you can download a copy of their data stored in Microsoft 365 before they are switched to the new subscription.

+[Change plans manually](upgrade-to-different-plan.md#change-plans-manually) (article)\

+ Title: "Upgrade or change to a different Microsoft 365 for business plan"

+- CSH

+description: "Learned how to upgrade or change to a different plan in the Microsoft 365 admin center."

+# Upgrade or change to a different Microsoft 365 for business plan

+When your business needs change, or you want more features, you can change to a different Microsoft 365 for business plan. Most of the time, you can change plans automatically. An automatic change walks you through the entire process from beginning to end. After you buy a new plan, all users are automatically assigned licenses in the new plan, and your old plan is canceled for you. In some cases, you can't automatically change to a new plan, and instead must [change plans manually](#change-plans-manually).

+## Before you begin

+- You must be a Global or Billing admin to do the steps in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md)

+- If you have a billing profile, you must be a billing account owner or billing account contributor. [Find out if you have a billing profile](../billing-and-payments/manage-billing-profiles.md#view-my-billing-profiles). For more information about billing account roles, see [Understand access to billing accounts](../manage-billing-accounts.md#understand-access-to-billing-accounts).

+## When should I change plans?

+Changing plans is the right choice when you want to move all users assigned to a single plan. When you change plans, all users in the current plan are assigned licenses for the new plan at the same time. If you only want to move some users to a new plan, buy a new plan with the number of licenses you need, and assign those licenses to the users that you want to move. For more information, see [Move users to a different subscription](move-users-different-subscription.md).

+## Automatically change your subscription to a new plan

+> [!IMPORTANT]

+> Before you continue, [determine if you have a billing profile](../billing-and-payments/manage-billing-profiles.md#view-my-billing-profiles).

+### If you don't have a billing profile

+1. In the Microsoft 365 admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.

+2. On the **Products** tab, select the subscription that you want to change.

+3. On the subscription details page, in the **Product details and upgrades** section, select **View upgrades recommended for your org**.

+ > [!NOTE]

+ > If the View upgrades recommended for your org link is grayed out, see [Why can't I change plans?](#why-cant-i-change-plans)

+4. On the **Available upgrades** page, find a new product, then select **Upgrade**.

+5. On the **Checkout** page, select or add a payment method, then select **Place order**.

+After you place the order, it might take a few minutes to finalize the change. You can start using your new subscription right away.

+### If you have a billing profile

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.

+2. On the **Products** tab, select the subscription that you want to change.

+3. On the subscription details page, in the **Other subscription options** section, select **Change to a different subscription option**.

+4. In the right pane, select a different plan. Indicate the number of licenses you want, choose when to schedule the change, select a subscription length, and select a billing frequency.

+5. **Select Change plan**.

+## Why can't I change plans?

+If you can't select the **View upgrades recommended for your org** link, it means that you can't automatically change your plan right now. In some cases, you can resolve the issue so that you can view available plans. In other cases, you can [change plans manually](#change-plans-manually), instead. The following table lists issues you might encounter when you try to change your plan, and information about how to resolve them.

+|Issue |Resolution |

+|||

+|You have more users than licenses. |To change plans automatically, all users must have valid licenses. [Unassign licenses from users](../../admin/manage/remove-licenses-from-users.md) until you have the same or fewer users as your number of licenses. |

+|The current subscription isn't fully set up or the service isn't available. |For example, if a service in your existing plan has an incident, you can't change plans until all services are healthy. To see if there are provisioning or service health issues, in the admin center, go to the **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">Service health</a> page. </br></br>If you find that a service isn't fully provisioned, or there's a service health issue, wait a few hours for the service to become available and try again. If you still have a problem, [contact support](../../admin/get-help-support.md). |

+|Another plan is in the process of being changed or a credit check is pending. |Wait until the credit check is complete before you change plans. Credit checks can take up to two working days. |

+|The subscription isn't currently eligible to change plans. |You can [change plans manually](#change-plans-manually). |

+|You have two or more plans for the same product. |You can only change plans automatically if all users have licenses to the same plan. For example, if you have two Microsoft 365 Business Standard plans, you can't automatically change one of them to a different plan. In this case, move all users into a single plan, cancel the unused plan, then try changing plans again. |

+|You have a government or non-profit plan. |If you have a government or non-profit plan, you can [change plans manually](#change-plans-manually). |

+|The plan that you want to change to isn't a supported option. |The plans that are available to change to are displayed based on the services in your current plan. You can only automatically change to a plan that has the same data-related services, or to a higher version. This ensures that users don't lose data related to those services during the change.</br></br>If you want to change to a plan with fewer services, you can [change plans manually](#change-plans-manually). |

+|Your subscription has an add-on. |If you start to change plans and your subscription has an add-on that prevents you from continuing, remove the add-on. You can add it back later if you still need it. You can also [change plans manually](#change-plans-manually). |

+|Your invoice has an unpaid balance. |This only applies if you pay for your subscription by invoice. To resolve this issue, find the subscription on the **Your products** page, and select the **Pay now** or **Settle balance** link in the **Billing** section. After the payment has been made, try changing plans again. |

+|I have a different problem than what's listed here. |You can [change plans manually](#change-plans-manually) or [contact support](../../admin/get-help-support.md). |

+## What does automatically changing plans do to my service and billing?

+When you change plans automatically, your services and billing are affected in the following ways.

+### Access to services

+- **Admins:** Admins can't make changes to the subscription details page while the change is in process, but you can use the rest of the admin center. The change between plans can take up to an hour.

+- **Users:** Users experience no interruption of service during the plan change. They continue to have the existing service until the change is finished.

+### Users and licenses

+- **Users:** Users on the old subscription are automatically moved to the new subscription.

+- **

+- **License assignments:** If you have more than one subscription before you change plans, and users have licenses to more than one subscription, this assignment pattern is kept as much as possible in the new subscription.

+- **Data:** All user data is retained during the change, including Exchange mailboxes and SharePoint Online documents, lists, and other information.

+### Billing

+The day your plan change is complete, the billing on your old subscription is turned off and the billing on your new subscription is turned on. Depending on the new plan you selected, you might receive a prorated credit. You receive a new invoice that includes the credit for your old subscription within 30 days of changing to the new subscription.

+> [!NOTE]

+> The length of time it takes to receive your prorated credit depends on the payment method used for the old subscription.

+## Change plans manually

+Most of the time, you can change plans automatically. However, sometimes this isn't possible. You can change plans manually if:

+- You can't select the **View upgrades recommended for your org** link.

+- When you select the **View upgrades recommended for your org** link, the plan you want isn't listed.

+- You don't want to move all your users to the same plan. Some businesses need different users licensed for different plans.

+> [!IMPORTANT]

+> If you're changing to a plan with fewer data-related services than your current plan, you must manually back up any data that you want to keep. For more information, see [Back up data before changing Microsoft 365 for business plans](move-users-different-subscription.md#back-up-data-before-changing-microsoft-365-for-business-plans).

+### Step 1: Buy a new subscription

+**Already bought a new subscription?** If you already have the subscription that you want to move users to, skip this step and go to [Step 2: Check your new subscription and licenses](#step-2-check-your-new-subscription-and-licenses).

+**Need to buy a new subscription and licenses?** Follow the steps in [Buy a different subscription](../try-or-buy-microsoft-365.md#buy-a-different-subscription).

+Make sure that you buy a subscription for the same organization that the users are in now. For example, check the email addresses for the users that you want to move. If their email addresses include @contoso.com, you must buy a new subscription for contoso.com. Buy a license for each user that you want to move.

+### Step 2: Check your new subscription and licenses

+In the admin center, go to the **Billing** > **Your products** page, then do the following:

+- **Verify that both the old and new subscriptions are listed and active.** The subscription that you're moving users from and the subscription that you're moving users to must be listed together. If the new subscription isn't there when you first check, try again later. Verify that both subscriptions are listed as **Active**.

+- **Check that you have enough licenses for each user.** Each user needs a license that matches their subscription. If you want to move 10 users to Microsoft 365 Business Premium, make sure 10 unassigned licenses are available in that subscription.

+- **Need more licenses for the new subscription?** Go to the **Your products** page, select the subscription, and [buy more licenses](../licenses/buy-licenses.md).

+#### The new subscription isn't listed, or isn't active

+If you bought two subscriptions and they aren't both listed on the **Your products** page, they may have been bought for different organizations (for different domains). Subscriptions can't cross organization boundaries.

+If you know you have another subscription, and it's not listed here, or isn't active, [contact support](../../admin/get-help-support.md).

+#### What about old licenses?

+The licenses for the current subscription are removed in [Step 4: Cancel subscriptions or remove licenses that you no longer need (Optional)](#step-4-cancel-subscriptions-or-remove-licenses-that-you-no-longer-need-optional). After that, you only pay for the new licenses.

+### Step 3: Move users to the new subscription

+After you confirm the number of licenses in your new subscription, you can [move users from the old subscription to the new one](move-users-different-subscription.md).

+### Step 4: Cancel subscriptions or remove licenses that you no longer need (Optional)

+If you moved all users from one subscription to another, and you don't need the original subscription anymore, just [cancel the subscription](cancel-your-subscription.md).

+If you moved only some users to a different subscription, [remove licenses that you no longer need](../licenses/buy-licenses.md#buy-or-remove-licenses-for-your-business-subscription).

+## Next steps

+If you upgraded to Microsoft 365 Business Premium, use the steps in the Business Premium library to set up your new security capabilities.

+>[!div class="nextstepaction"]

+>[Visit the Microsoft 365 Business Premium library](/microsoft-365/business-premium/index)

+[Move users to a different subscription](move-users-different-subscription.md) (article)\

+[Try or buy a Microsoft 365 for business subscription](../try-or-buy-microsoft-365.md) (article)

+You might need to use this option if you're required to capture and retain all copies of files in your tenant that are sent over communications by users. You use this option in conjunction with retention policies for the communication services themselves; Exchange, Teams, and Yammer.

+Cloud attachments, sometimes also known as modern attachments, are a sharing mechanism that uses embedded links to files that are stored in the cloud. They support centralized storage for shared content with collaborative benefits, such as version control. Cloud attachments are not attached copies of a file or a URL text link to a file. However, support for URL text links are also now gradually rolling out. You might find it helpful to refer to the visual checklists for supported cloud attachments in [Outlook](/microsoft-365/troubleshoot/retention/cannot-retain-cloud-attachments#cloud-attachments-in-outlook), [Teams](/microsoft-365/troubleshoot/retention/cannot-retain-cloud-attachments#cloud-attachments-in-teams), and [Yammer](/microsoft-365/troubleshoot/retention/cannot-retain-cloud-attachments#cloud-attachments-in-yammer).

+The cloud attachments supported for this option are files such as documents, videos, and images that are stored in SharePoint and OneDrive. For Teams, cloud attachments shared in chat messages, and standard and private channels are supported. For Yammer, cloud attachments shared with users in storylines, community posts, and Inbox messages are supported.

+Cloud attachments shared over meeting invites and apps other than Teams, Outlook, or Yammer aren't supported. The cloud attachments must be shared by users; cloud attachments sent via bots aren't supported.

+You will need to create separate retention policies if you want to retain or delete the original files, email messages, or messages from Teams and Yammer.

+> If you want retained cloud attachments to expire at the same time as the messages that contained them, configure the retention label to have the same retain and then delete actions and timings as your retention policies for Exchange, Teams, and Yammer.

+- Yammer must be in [native mode](/yammer/configure-your-yammer-network/overview-native-mode) to support cloud attachments.

+- If cloud attachments and links in a Teams or Yammer message are changed after the message is sent by editing the message, those changed cloud attachments and links aren't supported for retention.

+- Attachments and links shared outside Teams, Outlook, and Yammer aren't supported, and the attachments and links must be content stored in SharePoint or OneDrive.

+- Cloud attachments and links in encrypted emails or encrypted messages aren't supported.

+- Sharing an existing Yammer message with an attachment isn't supported.

+ - Not supported beyond 5,000 characters in the initial email body or in Teams and Yammer messages

+ 2. For *upload to cloud service* activity, if you only want to monitor browser and URL on the browser address bar, you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*, here is an example [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig).

+MDE preferences| [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig). Copy and paste the contents into a text file. Save the file with the **mobileconfig** extension only, it will not be recognized if it has the .txt extension. For *upload to cloud service* activity, if you only want to monitor browser and URL on the browser address bar, you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*, here is an example [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig).

+ - Use DLP_browser_only_cloud_egress: `enabled`if you want to only monitor browser

+ - Use DLP_ax_only_cloud_egress: `enabled`if you want to only monitor URL on the browser address bar

+5. A supported version of Microsoft 365 Apps is installed and up to date. For the most robust protection and user experience, ensure Microsoft 365 Apps version 16.0.14701.0 or later is installed.

+|Removable USB device groups| Supported | Not Supported | |

+|Autoquarantine file from unallowed apps | Supported | Supported (preview)| |

+When advanced classification is turned on, content is sent from the local device to the cloud services for scanning and classification. If bandwidth utilization is a concern, you can set a limit on how much can be used in a rolling 24 hour period. The limit is configured in Endpoint DLP settings and is applied per device. If you set a bandwidth utilization limit and it's exceeded, DLP stops sending the user content to the cloud. At this point data classification continues locally on the device but classification using exact data match, named entities, and trainable classifiers aren't available. When the cumulative bandwidth utilization drops below the rolling 24 hour limit, communication with the cloud services resumes.

+### Set up evidence collection for file activities on devices (preview)

+DLP can copy items that match policies on devices to an [Azure storage account](/azure/storage/common/storage-account-overview.md). This is useful for auditing policy activity and troubleshooting why a specific item matched a policy. Use this section to add name and url of storage account. Before you enable this feature, you must create an Azure storage account and a container in the storage account and configuring permissions. As you configure this, keep in mind that you'll probably want to use a storage account that's in the same Azure region/geopolitical boundary as your tenant. You should also consider configuring [Azure storage account access tiers](/azure/storage/blobs/storage-blob-storage-tiers.md) and [Azure storage account pricing](/azure/storage/common/storage-account-overview#pricing.md).

+- For more information on this feature, see [Learn about collecting files that match data loss prevention policies from devices](dlp-copy-matched-items-learn.md)

+- For more information on how to configure this feature, see [Get started with collecting files that match data loss prevention policies from devices](dlp-copy-matched-items-get-started.md)

+##### Autoquarantine

+When enabled, Autoquarantine kicks in when an unallowed app attempts to access a DLP protected sensitive item. Autoquarantine moves the sensitive item to an admin configured folder and can leave a placeholder **.txt** file in the place of the original. You can configure the text in the placeholder file to tell users where the item was moved to and other pertinent information.

+You can use autoquarantine to prevent an endless chain of DLP notifications for the user and adminsΓÇösee [Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with autoquarantine](endpoint-dlp-using.md#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine).

+- Upload a sensitive file with credit card numbers to wingtiptoys.com (which isn't on the list).

+When the **Service domains** list is set to **Block**, DLP policies are applied when a user attempts to upload a sensitive file to any of the domains on the list.

+If the list mode is set to **Block**, when a user attempts an activity involving a sensitive item and a domain that is on the list then DLP policies, and the actions defined in the polices, are applied. Any activity involving a sensitive item and a domain that isn't on the list will be audited and the user activity is allowed.

+- Upload a sensitive file with credit card numbers to wingtiptoys.com (which isn't on the list).

+Up to 50 domains can be configured under Service domains.

+

+For the print, copy data and save actions, each website must be listed in a website group and the user must be accessing the website through Microsoft Edge. For the upload action, the user can be using Microsoft Edge or Google Chrome with the Purview extension. Sensitive service domains is used with a DLP policy for Devices. You can also define website groups that you want to assign policy actions to that are different from the global website group actions. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.

+Do not add protocol, for example, https://, file:// into the URL. You can use a flexible syntax to include and exclude domains, subdomains, websites, and subsites in your website groups.

+|URL that you add to the website group |URL will match | URL won't match|

+Up to 20 groups and 50 domains per group can be configured under Sensitive Service domains.

+- **Only show custom text box**: Users can only enter their own justification. Only the text box appears in the end-user policy tip notification.

+You can create up to five customized options that appear when users interact with the policy notification tip by selecting the **Customize the options drop-down menu**.

+You can multi-select the parameters and then the printer group will include all devices that satisfy those parameters.

+ Title: "Get started with collecting files that match data loss prevention policies from devices (preview)"

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: medium

+- tier1

+- purview-compliance

+search.appverid:

+- MET150

+description: "Learn how to configure data loss prevention to collect items that match policies from devices to an Azure storage account."

+# Get started with collecting files that match data loss prevention policies from devices (preview)

+This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied out and saved.

+Here are the high level steps for configuring and using evidence collection for file activities on devices.

+1. [Onboard devices](#onboard-devices)

+1. [Setup Azure Storage](#setup-azure-storage)

+1. [Set permissions on the Azure blob storage](#set-permissions-on-the-azure-blob-storage)

+1. [Endpoint DLP settings configuration](#endpoint-dlp-settings-configuration)

+1. [Policy configuration](#policy-configuration)

+1. [View saved files](#view-saved-files)

+## Before you begin

+Before you start these procedures, you should review [Learn about evidence collection for file activities on devices (preview)](dlp-copy-matched-items-learn.md).

+## Licensing and Subscriptions

+See the [licensing requirements for Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection) for details on the subscriptions that support DLP. You don't need any additional licenses over what is needed for endpoint DLP.

+## Permissions

+Standard Microsoft Purview Data Loss Prevention (DLP) permissions are required. For more information, see [Permissions](dlp-create-deploy-policy.md#permissions).

+### Onboard devices

+Before you can use copy matched items you have to onboard Windows 10/11 devices into Purview, see [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](device-onboarding-overview.md#onboard-windows-10-and-windows-11-devices-into-microsoft-365-overview)

+### Setup Azure storage

+> [!IMPORTANT]

+> Containers inherit the permissions of the storage account that they are in. You can't set different permissions per container. If you need to configure different permission for different regions, you must create multiple storage accounts, not multiple containers.

+You should have answers to these question before setting up your Azure storage and scoping the feature to users.

+#### Do you need to compartmentalize items and access along role or departmental lines?

+For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved items from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for senior leadership and another for human resources. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.

+#### Do you want to use containers to organize saved items?

+You can create multiple different evidence containers within same storage account to sort saved items into. For example, one for items saved off from the HR department and one for IT department.

+#### What is your strategy for protecting against saved item deletion or modification?

+In the Azure Storage, data protection refers to strategies for protecting the storage account and data within it from being deleted or modified, or for restoring data after it has been deleted or modified. Azure Storage also offers options for disaster recovery, including multiple levels of redundancy to protect your data from service outages due to hardware problems or natural disasters, and customer-managed failover if the data center in the primary region becomes unavailable. For more information, see [Data protection overview](/azure/storage/blobs/data-protection-overview.md).

+You can also configure immutability policies for your blob data that protects against the saved items being overwritten or deleted. For more information, see [Store business-critical blob data with immutable storage](/azure/storage/blobs/immutable-storage-overview.md)

+#### Create an Azure storage account

+The procedures for setting up your Azure storage account, container and blobs are documented in the Azure document set. Here are links to relevant articles you can refer to help you get started:

+1. [Introduction to Azure Blob Storage](/azure/storage/blobs/storage-blobs-introduction)

+1. [Create a storage account](/azure/storage/common/storage-account-create)

+1. [Manage blob containers using the Azure portal](/azure/storage/blobs/blob-containers-portal)

+1. [Manage block blobs with PowerShell](/azure/storage/blobs/blob-powershell)

+Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure storage portal \> **Home \> **Storage Accounts** \> **Container** \> **Properties**

+### Set permissions on the Azure blob storage

+You have to configure two sets of permissions on the blobs, one for the administrators and investigators so they can view and manage evidence and another for users whose devices need to upload items to Azure. You should [create custom role groups in Microsoft Purview compliance](../security/office-365-security/scc-permissions.md) to enforce least privileges and assign accounts to them.

+#### Permissions on Azure blob for administrators and investigators

+Once you've created the role group that DLP incident investigators will use, it must have these permissions on the Azure blob. For more information on configuring blob access, see [how to authorize access to blob data in the Azure portal](/azure/storage/blobs/authorize-data-operations-portal) and [Assign share-level permissions](/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal.md).

+##### Investigator actions

+Configure these permissions for these actions for investigators:

+|Object |Permissions |

+|||

+|Microsoft.Storage/storageAccounts/blobServices |Read: List Blob Services |

+|Microsoft.Storage/storageAcccounts/blobServices |Read: Get blob service properties or statistics |

+|Microsoft.Storage/storageAccounts/blobServices/containers |Read: Get blob container |

+|Microsoft.Storage/storageAccounts/blobServices/containers |Read: List of blob containers |

+|Microsoft.Storage/storageAccounts/blobServices/containers/blobs |Read: Read blob |

+##### Investigator data actions

+|Object |Permissions|

+|||

+|Microsoft.Storage/storageAccounts/blobServices/containers/blobs|Read: Read Blob|

+The JSON for the investigator role group should look like this:

+```json

+"permissions": [

+ {

+ "actions": [

+ "Microsoft.Storage/storageAccounts/blobServices/containers/read",

+ "Microsoft.Storage/storageAccounts/blobServices/read"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

+ ],

+ "notDataActions": []

+ }

+ ]

+```

+#### Permissions on Azure blob for users

+Assign these permissions to the Azure blob for the users role:

+##### User actions

+|Object |Permissions|

+|||

+|Microsoft.Storage/storageAccounts/blobServices |Read: List Blob Services|

+|Microsoft.Storage/storageAccounts/blobServices/containers|Read: Get blob container|

+|Microsoft.Storage/storageAccounts/blobServices/containers|Write: Put blob container|

+##### User data actions

+|Object|Permissions|

+|||

+|Microsoft.Storage/storageAccounts/blobServices/containers/blobs|Write: Write Blob|

+|Microsoft.Storage/storageAccounts/blobServices/containers/blobs|Other: Add blob content|

+The JSON for user role group should look like this:

+```json

+"permissions": [

+ {

+ "actions": [

+ "Microsoft.Storage/storageAccounts/blobServices/containers/read",

+ "Microsoft.Storage/storageAccounts/blobServices/containers/write",

+ "Microsoft.Storage/storageAccounts/blobServices/read"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",

+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",

+ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

+ ],

+ "notDataActions": []

+ }

+ ]

+```

+### Endpoint DLP settings configuration

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.

+1. In the Microsoft Purview compliance portal \> left navigation \> **Solutions** \> **Data loss prevention** \> **Endpoint DLP settings** \> **Setup evidence collection for file activities on devices**.

+1. Set the toggle to **On**.

+1. Set how long you want items to be cached on devices if they can't access the Azure storage account. You can choose, **7**, **30**, or **60** days.

+1. Select **+ Add storage** and provide the Name and URL of the Azure storage account.

+### Policy configuration

+Create a DLP policy as you normally would. Refer to [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for policy configuration examples.

+Configure your policy using these settings:

+- Make sure that **Devices** is the only location selected.

+- In **Incident reports**, toggle **Send an alert to admins when a rule match occurs** to **On**.

+- In **Incident reports**, select **Collect original file as evidence for all selected file activities on Endpoint**.

+- Select the storage account you want.

+- Select the activities (**Copy to a removable USB device**, **Copy to a network share**, **Print**, **Copy or move using unallowed Bluetooth app**, **Copy or move using RDP**) you want to copy matched items to Azure storage for.

+### View saved files

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.

+1. In the Microsoft Purview compliance portal \> left navigation \> **Data classification** \> **Activity explorer**.

+1. Select a **DLP rule matched** event that was generated by an activity that you're monitoring for.

+1. In the flyout pane, select the file name link under **Evidence file**. Note the file type.

+1. During this preview, the link returns this error:

+ 1. `This XML file does not appear to have any style information associated with it. The document tree is shown below`

+1. During this preview, you have to copy the full hash value from the URL in the browser address bar.

+1. Sign in to the **Microsoft Azure** portal.

+1. In the Azure portal \> **Home** \> **Storage accounts** \> *\<container\>* \> **Storage browser** \> *\<blobname\>*.

+1. Open the blob and find the hashed value that you copied from step 6 above.

+1. Download the file and open it with the appropriate app for the file type.

+ Title: "Learn about collecting files that match DLP policies from devices (preview)"

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: medium

+- tier1

+- purview-compliance

+search.appverid:

+- MET150

+description: "Learn about copying items that match policies to an Azure storage account."

+# Learn about evidence collection for file activities on devices (preview)

+When you're investigating a Microsoft Purview Data Loss Prevention (DLP) incident or troubleshooting a DLP policy, it can be helpful to have a complete copy of the item that matched the policy to refer to. DLP can copy the item that matches a DLP policy from onboarded Windows devices to an Azure storage account. DLP incident investigators and administrators that have been granted the appropriate permissions on the Azure storage blob can then access the files.

+To get started configuring and using the feature, see [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md).

+If you're new to Microsoft Purview DLP, here's a list of the core articles you'll need as you implement DLP:

+1. [Administrative units (preview)](microsoft-365-compliance-center-permissions.md#administrative-units-preview)

+1. [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) - This article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP.

+1. [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - by working through this article you will:

+ 1. [Identify stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders)

+ 1. [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect)

+ 1. [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)

+1. [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) - This article introduces all the components of a DLP policy and how each one influences the behavior of a policy.

+1. [Design a DLP policy](dlp-policy-design.md) - This article walks you through creating a policy intent statement and mapping it to a specific policy configuration.

+1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options, then it walks you through configuring those options.

+## Where evidence collection for file activities on devices fits in Purview

+Endpoint DLP is part of the [larger DLP offering](dlp-learn-about-dlp.md) and part of the larger range of services offered in [Microsoft Purview](/microsoft-365/compliance.md). You should understand how evidence collection for file activities on devices fits into the larger set of service offerings.

+### Evidence collection for file activities on devices and eDiscovery

+This feature makes copies of items that match DLP policies on onboarded Windows devices and places those copies in an Azure storage account. These copies aren't held in a changless state and aren't evidence in the legal sense of the term. If you need to find and hold items for legal purposes, you should use the [Microsoft Purview eDiscovery solutions](ediscovery.md). Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases.

+### Evidence collection for file activities on devices and contextual summary

+ When an item and the activity that a user is taking on that item match the conditions defined in a DLP policy, a **DLPRuleMatch** event shows up in [Activity explorer](data-classification-activity-explorer.md). This is true for every location that DLP supports. The **DLPRuleMatch** event contains a limited amount of the text that surrounds the matched content. This limited amount of text is called [contextual summary](dlp-learn-about-dlp.md#contextual-summary).

+It's important to understand the difference between evidence collection for file activities on devices and contextual summary. Evidence collection for file activities on devices is only available for onboarded Windows devices and saves a copy of the entire item that matched a policy to the Azure storage account. Contextual summary is captured for every DLP policy rule match and only contains a limited amount of the text that surrounds the target text that triggered the match.

+## Covered user activities

+

+You can configure evidence collection for file activities on devices to save a copy of a matched item to the Azure storage account when a user attempts to do one of these activities on a matched item:

+ - Copy to a removable USB

+ - Copy to Network share

+ - Print

+ - Copy or move using unallowed Bluetooth app

+ - Copy or move through RDP

+

+The detection of these activities is configured in the DLP policy. For more information on how to create a DLP policy, see, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) and [Using Endpoint data loss prevention](endpoint-dlp-using.md).

+## Covered actions

+When you enable evidence collection for file activities on devices in Endpoint DLP settings and configure a DLP policy to use this feature, it saves a copy of a matched item for these actions:

+- Audit only

+- Block with override

+<!--Block-->

+These actions are configured in the DLP policy. For more information on how to create a DLP policy, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) and [Using Endpoint data loss prevention](endpoint-dlp-using.md).

+

+## Design consideration

+### Regions for your Azure Storage accounts

+To comply with regulatory requirements, make sure that the Azure storage accounts that you use are in the same geo-political or regulatory boundaries as the devices that they're being copied from. Also, be aware of the geo-political location of the DLP investigators who will be accessing the sensitive items once they're saved. Consider using [Administrative units (preview)](microsoft-365-compliance-center-permissions.md#administrative-units-preview) to scope the administration of the users and devices that the DLP policy will be scoped to. To learn how to use data loss prevention to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft Purview](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).

+Evidence collection for file activities on devices supports up to 10 Azure storage accounts.

+To learn how to use data loss prevention to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft Purview](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).

+### Local storage and bandwidth

+By default, copies of matched items are saved asynchronously to the configured Azure storage account over the existing network connection. If the device doesn't have connectivity, matched items are save locally, up to the 500-MB limit. You can save items locally up to 60 days.

+While the device has connectivity to the Azure storage account URL, there's no limit on bandwidth usage. The bandwidth that evidence collection for file activities on devices uses doesn't impact the default or configured bandwidth limits for [Advanced classification scanning and protection](dlp-configure-endpoint-settings.md#advanced-classification-scanning-and-protection).

+### Azure storage accounts

+Customers are responsible for creating and managing their own Azure storage accounts. If you're new to Azure storage, see:

+- [What is Azure Blob storage](/azure/storage/blobs/storage-blobs-overview.md)

+- [Introduction to Azure Storage](/azure/storage/common/storage-introduction.md)

+- [Create a storage account](/azure/storage/common/storage-account-create)

+Items that match a policy are copied from the users' device to the Azure storage account blob in the security context of the logged in user. So, all users who are in-scope for the policy must have read and write permission to the blob storage. For more information, see [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md)

+Similarly, all administrators who are reviewing the saved items must have read permission to the Azure storage account blob. For more information, see [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md).

+## Next step

+Your next step is to configure evidence collection for file activities on devices

+- [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md#get-started-with-collecting-files-that-match-data-loss-prevention-policies-from-devices-preview)

+- Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive accounts

+- on-premises file shares and on-premises SharePoint

+- Power BI

+Each one has different prerequisites. Sensitive items in some locations, like Exchange online, can be brought under the DLP umbrella by just configuring a policy that applies to them. Others, such as on-premises file repositories require a deployment of Azure Information Protection (AIP) scanner. You'll need to prepare your environment, code draft policies, and test them thoroughly before activating any blocking actions.

+4. **Choose the conditions that must be matched for a policy to be applied to an item** - You can accept preconfigured conditions or define custom conditions. Some examples are:

+- SharePoint/Exchange/OneDrive: Block people who are outside your organization from accessing the content. Show the user a tip and send them an email notification that they're taking an action that is prohibited by the DLP policy.

+- [**Incident reports**](#incident-reports) that notify admins and other key stakeholders when a rule match occurs

+- [**Additional options**](#additional-options) which define the priority for rule evaluation and can stop further rule and policy processing.

+When a rule is matched, you can send an incident report to your compliance officer (or any people you choose) with details of the event. The report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes the original message as an attachment that matches a DLP policy.

+#### Evidence collection for file activities on devices (preview)

+If you've enabled **Setup evidence collection for file activities on devices (preview)** and added Azure storage accounts, you can select **Collect original file as evidence for all selected file activities on Endpoint** and the Azure storage account you want to copy the items to. You must also choose the activities you want to copy items for. For example, if you select **Print** but not **Copy to a network share**, then only items that are printed from monitored devices will be copied to the Azure storage account.

+- [Get started with eDiscovery (Standard)](ediscovery-standard-get-started.md#step-5-optional-add-members-to-a-ediscovery-standard-case)

+To create a new case, you can use eDiscovery in the Microsoft Purview compliance portal. See "Create a new case" in [Get started with eDiscovery (Standard)](ediscovery-standard-get-started.md#step-4-create-a-ediscovery-standard-case).

+Sometimes it's not possible to remediate a file to native format that eDiscovery (Premium) can interpret. But you can replace the original file with a text file that contains the original text of the native file (in a process called *text overlay*). To do this, follow the steps described in this article but instead of remediating the original file in the native format, you would create a text file that contains the extracted text from the original file, and then upload the text file using the original filename appended with a .txt suffix.

+For example, you download a file during error remediation with the filename 335850cc-6602-4af0-acfa-1d14d9128ca2.abc. You open the file in the native application, copy the text, and then paste it into a new file named 335850cc-6602-4af0-acfa-1d14d9128ca2.abc.txt. When you do this, be sure to remove the original file in the native format from the remediated file location on your local computer before uploading the remediated text file to eDiscovery (Premium).

+> [!NOTE]

+> The number of of files used in error remediation upload must match the number of files downloaded from the review set. If the number of uploaded files doesn't match the number of downloaded files, the matching process will fail (even if AzCopy reports that the upload was successful).

+## Step 4: Verify that required eDiscovery apps are enabled

+eDiscovery (Premium) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps are not enabled, you won't be able to access eDiscovery (Premium) view, filter, and search features.

+|**App**|**App ID**|

+|:|:|

+| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |

+| MicrosoftPurviewEDiscovery | b26e684c-5068-4120-a679-64a5d2c909d9 |

+| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |

+| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |

+For more information about how to view and enable apps, see:

+- [Quickstart: View enterprise applications](/azure/active-directory/manage-apps/view-applications-portal)

+- [Quickstart: Add an enterprise application](/azure/active-directory/manage-apps/add-application-portal)

+ - [Add members to a eDiscovery (Standard) case](ediscovery-standard-get-started.md#step-5-optional-add-members-to-a-ediscovery-standard-case)

+ For information and guidance on security and compliance licensing and subscriptions, see the [Microsoft 365 guidance for security & compliance service descriptions](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+## Step 2: Verify that required eDiscovery apps are enabled

+eDiscovery (Standard) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps are not enabled, you won't be able to access eDiscovery (Standard) view, filter, and search features.

+|**App**|**App ID**|

+|:|:|

+| ComplianceWorkbenchApp | 92876b03-76a3-4da8-ad6a-0511ffdf8647 |

+| MicrosoftPurviewEDiscovery | b26e684c-5068-4120-a679-64a5d2c909d9 |

+| Microsoft Exchange Online Protection | 00000007-0000-0ff1-ce00-000000000000 |

+| Office365Zoom | 0d38933a-0bbd-41ca-9ebd-28c4b5ba7cb7 |

+For more information about how to view and enable apps, see:

+- [Quickstart: View enterprise applications](/azure/active-directory/manage-apps/view-applications-portal)

+- [Quickstart: Add an enterprise application](/azure/active-directory/manage-apps/add-application-portal)

+## Step 3: Assign eDiscovery permissions

+## Step 4: Create a eDiscovery (Standard) case

+The new case is created and displayed on the eDiscovery (Standard) page. You may have to select **Refresh** to display the new case.

+## Step 5 (optional): Add members to a eDiscovery (Standard) case

+>- Only an eDiscovery Administrator can remove members from a case. Users who are members of the eDiscovery Manager subgroup can't remove members from a case, even if the user created the case.

+Use the information from knowing where your sensitive data resides to help you more efficiently protect it. However, there's no need to waitΓÇöyou can start to protect your data immediately with a combination of manual, default, and automatic labeling. Then, use [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md) from the previous section to confirm what items are labeled and how your labels are being used.

+Refer to the [Protect your data with Microsoft Purview](information-protection.md) page for the full list of protection capabilities.

+|1|Learn about DLP. <br /><br /> Organizations have sensitive information under their control, such as financial data, proprietary data, credit card numbers, health records, and social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).| [Learn about data loss prevention](dlp-learn-about-dlp.md)|

+When you deploy data loss prevention policies for Teams, you might find the following end-user guidance useful as an introduction to this technology. It includes some potential messages that users might see: [Teams messages about data loss prevention (DLP) and communication compliance policies](https://support.microsoft.com/office/teams-messages-about-data-loss-prevention-dlp-and-communication-compliance-policies-c5631c3f-f61b-4306-a6ac-6603d9fc5ff0).

+There may be scenarios where you need to stop assigning risk scores to a user in insider risk management policies. Use **Stop scoring activity for users** on the **Users dashboard** to stop assigning risk scores for a user from all insider risk management policies that they are currently in scope for. This action does not remove the user from the overall policy assignment (when you add users or groups to a policy configuration), but simply removes the user from active processing by policies after current triggering events. If the user has another triggering event in the future, risk scores from policies will automatically begin to be assigned to the user again. Any existing alerts or cases for this user will not be removed.

+To remove a user from in-scope status in all insider risk management policies:

+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Users** tab.

+2. On the **Users dashboard**, select the user(s) you want to stop scoring activity for.

+3. Select **Stop scoring activity for users**.

+> [!NOTE]

+> Removing a user from in-scope status may take several minutes. Once complete, the user will not be listed on the **Users dashboard**. If the removed user has active alerts or cases, the user will remain on the **Users dashboard** and the user details will show that they are no longer in-scope for a policy.

+Eligible customers include those who have a [free trial for Microsoft Purview](compliance-easy-trials.md) and some customers who already have a Microsoft 365 E5 plan:

+ If you don't see this information displayed with the activation option, you're not currently eligible for the automatic creation of sensitivity labels and policies. You can try checking back later to see if this status has changed. You can also use the settings information that follows to manually create the same labels and policies.

+3. Next, enable sensitivity labels for SharePoint and OneDrive. This step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.

+Service-side auto-labeling helps label sensitive documents at rest, and emails in transit. The default service-side auto-labeling policy creates policies that run in simulation mode for documents stored in all SharePoint or OneDrive sites, and all emails that are sent via Exchange Online.

+In simulation mode, items aren't actually labeled until the policy is turned on. You can manually turn on the policy. Alternatively, if you don't change the default setting, the policy will be automatically turned on for you if there aren't any changes to the policy within a set number of days from when the simulation completes.

+Simulation mode allows you to preview what items would get labeled when the policy is turned on, so you can have confidence in the labeling feature before you deploy the policy to your tenant for actual labeling.

+For new customers from June 23, 2022, where the Microsoft 365 tenant is in the US region:

+- SharePoint and OneDrive locations: The auto-labeling policy is created but waits 25 days before it automatically starts simulation. This delay ensures that there is time for files to be created and saved to these locations.

+When the simulation is complete, review the results. If you are happy with them, turn on the policies. By default, the policies will be automatically turned on if they're not edited within the set time period (25 days initially for new customers, otherwise 7 days).

+The default DLP policy for devices detects the presence of credit card numbers on Windows 10 devices that have been onboarded into Microsoft Purview. It then audits (but does not block) the following actions:

+- Copy to clipboard, USB, or network share

+- Access by unallowed apps

+- Print

+- Copy or move using an unallowed Bluetooth app

+- Remote desktop services

+Here are some examples of enhanced DLP policies that use named entity SITs. You can find all 10 of them in the **Microsoft Purview compliance portal** Navigate to **Data loss prevention** > **Create policy**. Enhanced templates can be used in DLP and auto-labeling.

+|**Phase 2:** Set up pay-as-you-go billing to enable OCR. | Your Global or SharePoint admin must follow the instructions in [Set up Microsoft Syntex billing in Azure](../syntex/syntex-azure-billing.md#set-up-microsoft-syntex-billing-in-azure) to add a subscription for OCR. |

+Because it's an optional feature, your Global admin must set up pay-as-you-go billing to enable OCR. Refer to the instructions in [Set up Microsoft Syntex billing in Azure](../syntex/syntex-azure-billing.md#set-up-microsoft-syntex-billing-in-azure) to add a subscription for OCR.

+> You can find OCR pay-as-you-go pricing information on the [Set up Microsoft Syntex billing in Azure](../syntex/syntex-azure-billing.md#set-up-microsoft-syntex-billing-in-azure) page.

+#### Charges

+When a user changes an item that's subject to retention from a retention policy or a retention label that marks items as a record, or deletes any item subject to retention, the original content is copied to the Preservation Hold library. This behavior lets the user change or delete the content in their app, while keeping a copy of the original for compliance reasons.

+Cloud attachments are embedded links to files that users share, and these can be retained and deleted when your users share them in Outlook emails and Teams or Yammer messages. When you [automatically apply a retention label to cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments), the retention label is applied to a copy of the shared file, which is stored in the Preservation Hold library.

+Sensitive information types (SIT) are pattern-based classifiers. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) for a complete list of all SITs.

+These SITs are created by Microsoft and show up in the compliance console by default. These SITs can't be edited, but you can use them as templates by copying them to create custom sensitive information types. See, [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) for a full list of all SITs.

+These named entity SITs have a narrower focus, such as a single country, or a single class of terms. Use them when you need a DLP policy with a narrower detection scope. See, [Examples of named entity SITs](named-entities-learn.md#examples-of-named-entity-sits).

+Bundled named entity SITs detect all possible matches in a class, such as *All physical addresses*. Use them as broad criteria in your DLP policies for detecting sensitive items. See, [Examples of named entity SITs](named-entities-learn.md#examples-of-named-entity-sits).

+All exact data match (EDM)-based SITs are created from scratch. You use them to detect items that have exact values which you define in a database of sensitive information. See, [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) for more information.

+- Name: indicates how the sensitive information type is referred to

+- Description: describes what the sensitive information type is looking for

+- Pattern: A pattern defines what a sensitive information type detects. It consists of the following components.

+ - Primary element ΓÇô the main element that the sensitive information type is looking for. It can be a **regular expression** with or without a checksum validation, a **keyword list**, a **keyword dictionary**, or a **function**.

+ - Supporting element ΓÇô an element that acts as supporting evidence that help in increasing the confidence of the match. For example, keyword "SSN" in proximity to a Social Security Number (SSN). It can be a regular expression with or without a checksum validation, keyword list, keyword dictionary.

+ - Confidence Level - confidence levels (high, medium, low) reflect how much supporting evidence is detected along with the primary element. The more supporting evidence an item contains, the higher the confidence that a matched item contains the sensitive info you're looking for.

+ - Proximity ΓÇô the number of characters between the primary and supporting elements.

+> Along with Chinese/Japanese/double byte characters, if the list of keywords/phrases also contains non-Chinese/Japanese words also (for instance, English only), you should create two dictionaries/keyword lists. One for keywords containing Chinese/Japanese/double byte characters and another one for English-only keywords.

+> While creating a regex using a double byte hyphen or a double byte period, make sure to escape both the characters like you would escape a hyphen or period in a regex. Here is a sample regex for reference:

+- **In preview**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that were already in preview now include attachments and links shared in Yammer.

+- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md).

+- **In preview**: Save a copy of items that match DLP policies to Azure storage [Learn about evidence collection for file activities on devices (preview)](dlp-copy-matched-items-learn.md) and [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md).

+1. Then, start scheduling your portal's launch by accessing the Portal launch scheduler in one of two ways:

+1. Next, confirm the portal's health score and make improvements to the portal if needed using the [Page Diagnostics for SharePoint](https://aka.ms/perftool) tool until your portal receives a **Healthy** score. Then, select **Next**.

+1. Select the **Number of expected users** from the drop-down. This figure represents the number of users who will most likely need access to the site. The Portal launch scheduler will automatically determine the ideal number of waves depending on the expected users like this:

+1. Then, determine the **Type of redirect** needed:

+1. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When scheduling a launch through the UI, the time zone is based on the site's regional settings.

+1. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.

+1. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.

+1. At the bottom of the pane, select **Contact Support**, and then select **New Service Request**.

+1. Under **Description**, enter "Launch SharePoint Portal with 100k users".

+1. Fill out the remaining info, and select **Contact me**.

+1. After the ticket has been created, ensure you provide the support agent with the following information:

+1. Then, select **Edit**.

+1. When you are finished making your edits, select **Update**.

+1. Then, select **Delete** and then when you see the message below select **Delete** again.

+1. Connect to SharePoint as a [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

+```PowerShell

+Get-SPOPortalLaunchWaves -LaunchSiteUrl <object> -DisplayFormat <object>

+```

+This insight displays if the network insights service detects that the distance from a given user location to the network egress is greater than 500 miles (800 kilometers). This may indicate that Microsoft 365 traffic is being backhauled to a common Internet edge device or proxy.

+We recommend network egress as close as possible to the office location. Microsoft 365 traffic should route optimally to Microsoft's global network and to the nearest Microsoft 365 service front door. Having close network egress to users office locations also allows for improved performance as Microsoft expands both network points of presence and Microsoft 365 service front doors in the future.

+This insight displays if we detected devices between your users and Microsoft's network. We recommend that latency-sensitive Microsoft 365 network traffic bypass such devices. This recommendation is additionally described in [Microsoft 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md).

+One network intermediary insight we show is SSL break and inspection when network intermediary devices intercept and decrypt critical Microsoft 365 network endpoints for Exchange, SharePoint, and Teams.

+This insight displays if the network insights service detects that a significant number of customers in your metro area have better performance than users at this office location.

+This insight examines the aggregate performance of Microsoft 365 customers in the same city as this office location. This insight displays if the average latency of your users is 10% greater than the average latency of neighboring tenants.

+This insight displays if the network insights service detects that users in a specific location aren't connecting to an optimal Exchange Online service front door.

+We list Exchange Online service front doors that are suitable for use from the office location city. If the current test shows use of an Exchange Online service front door not on this list, then we make this recommendation.

+Network backhaul might cause use of a non-optimal Exchange Online service front door, in which case we recommend local and direct network egress. If you have implemented a remote DNS Recursive Resolver server, we recommend aligning the server configuration with the network egress.

+This insight displays if the network insights service detects that users in a specific location aren't connecting to the closest SharePoint Online service front door.

+We identify the SharePoint Online service front door that the test client is connecting to, and then we compare the office location city to the expected SharePoint Online service front door for that city. If the test client service front door and the expected service front door match, we recommend connecting to a SharePoint service front door closer to the office location.

+Network backhaul before the corporate network egress could cause non-optimal SharePoint Online service front door use. If so, try local and direct network egress. Non-optimal SharePoint Online service front door use could also be caused by a remote DNS Recursive Resolver server, in which case we recommend aligning the DNS Recursive Resolver server with the network egress.

+This insight displays if the network insights service detects that bandwidth between the specific office location and SharePoint Online is less than 1 MBps.

+To improve download speeds, your organization might need to increase bandwidth. Alternatively, network congestion might exist between computers at the office location and the SharePoint Online service front door. This condition restricts the download speed available to users even if sufficient bandwidth is available.

+This insight displays if your organization has users in China connecting to your Microsoft 365 tenant in other geographic locations.

+If your organization has private WAN connectivity, we recommend configuring a network WAN circuit from your office locations in China that have network egress to the Internet in any of the following locations:

+Internet egress farther away from users than these locations reduces performance, and egress in China may cause high latency and connectivity issues due to cross-border congestion.

+This insight shows when 50% or more of the sampled connections are affected. The impact is defined by the Exchange assessment being below 60% for each sample.

+This insight indicates that most of your users likely experience issues with Outlook connecting to Exchange Online. The percentage of samples represents the percentage of users below 60 points.

+Enable office location network connectivity visibility if you haven't already done so. Identify which offices are affected by poor network connectivity and find ways to improve the network perimeter at each that connects the users to Microsoft's network.

+This insight shows when 50% or more of the sampled connections are affected. The impact is defined by the SharePoint assessment being below 40% for each sample.

+This insight indicates that most of your users are likely experiencing issues with SharePoint and OneDrive. The percentage of samples represents the percentage of users who show below 40 points.

+Enable office location network connectivity visibility if you haven't already done so. Identify which offices are affected by poor network connectivity and find ways to improve the network perimeter at each that connects the users to Microsoft's network.

+> [!NOTE]

+> Microsoft has begun a long-term transition to providing services from the **cloud.microsoft** namespace to simplify the endpoints managed by our customers. If you are following existing guidance for allowing access to required endpoints as listed below, thereΓÇÖs no further action required from you.

+### I'm an Epic analyst and I get an "OAUTH2" error from Epic when I try to approve the FHIR URL

+### I'm an Epic analyst and when I try to approve the FHIR URL in the EHR connector configuration portal, I can't sign in to Epic using my Epic credentials

+### I've set up the EHR connector for the first time and patients are unable to launch a virtual appointment from the patient portal

+### Users get a "Tenant config not found" error when launching a virtual appointment even though all our FHIR base URLs are configured correctly

+### Group visits aren't working in my organization

+### Providers donΓÇÖt get a Teams notification when patients join a virtual appointment

+### Patients are prompted to download the Teams app instead of joining from a web browser. We want patients to join from a web browser without having to install Teams

+### I'm unable to access the EHR connector configuration portal or I can only see existing configurations and can't add new ones

+### My organization wants to share the EHR Connector integration with other organizations in my network

+If you want to share your FHIR base URL, email us with the FHIR base URL you would like to share at [TeamsForHealthcare](mailto:teamsforhealthcare@service.microsoft.com) with the following information:

+1. FHIR base URL to be shared

+1. Tenant ID of the parent/initial Microsoft tenant hosting the EHR Connector (such as the main hospital hosting the EHR)

+1. Tenant ID(s) of the new tenant(s) that will share the EHR Connector (such as regional branches, related medical offices or clinics)

+You'll get an overview of what to expect when users are switched to an F plan, how to prepare for the change, and what to do after switching plans to transition the frontline workers in your organization.

+- F plans don't include Office desktop apps or the Outlook desktop app.

+In this section, we've included more information about these key differences and highlighted some additional differences to pay attention to. Keep in mind that this isn't a comprehensive list. To learn more:

+- See [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) for a detailed comparison of what's included in E and F plans.

+|**Word for the web**|<ul><li> Can open and edit macro-enabled documents (.docm) and templates (.dotm) but macros don't run.</li><li>Can open but not edit User Defined Permission (UDP) Information Rights Management (IRM)-protected documents.</li></ul>|<ul><li>[Word for the web service description](/office365/servicedescriptions/office-online-service-description/word-online)</li><li>[Differences between using a document in the browser and in Word](https://support.microsoft.com//office/differences-between-using-a-document-in-the-browser-and-in-word-3e863ce3-e82c-4211-8f97-5b33c36c55f8)</li></ul>|

+|**Excel for the web**|<ul><li>Can open and edit macro-enabled workbooks (.xlsm) but macros don't run.</li><li>[File size limitations](https://support.microsoft.com/office/file-size-limits-for-workbooks-in-sharepoint-9e5bc6f8-018f-415a-b890-5452687b325e)<ul><li>To view or interact with a workbook stored in SharePoint Online, the workbook must be less than 100 MB. </li><li>To open a workbook that's attached to an email message in Outlook on the web, the workbook must be less than 10 MB.</li></ul></ul>|<ul><li>[Excel for the web service description](/office365/servicedescriptions/office-online-service-description/excel-online)</li><li>[Differences between using a workbook in the browser and in Excel](https://support.microsoft.com/office/differences-between-using-a-workbook-in-the-browser-and-in-excel-f0dc28ed-b85d-4e1d-be6d-5878005db3b6)</li><li>Most Excel functions work in a browser as they do in Excel. For a list of exceptions, see [Functions in Excel and in Excel for the web](https://support.microsoft.com/office/differences-between-using-a-workbook-in-the-browser-and-in-excel-f0dc28ed-b85d-4e1d-be6d-5878005db3b6#__functions).</li></ul>|

+|**OneNote for the web**|<ul><li>Search is limited to the current section.</li><li>Zoom in and out isn't available. Instead, users can use their browser's zoom feature.</li></ul>|<ul><li>[OneNote for the web service description](/office365/servicedescriptions/office-online-service-description/onenote-online)</li><li>[Differences between using a notebook in the browser and in OneNote](https://support.microsoft.com/office/differences-between-using-a-notebook-in-the-browser-and-in-onenote-a3d1fc13-ac74-456b-b391-b633a62aa83f)</li></ul>|

+|**PowerPoint for the web**|<ul><li>Can open files up to 2 GB.</li><li>Can open and edit macro-enabled presentations (.pptm, .potm, .ppsm) but macros don't run.</li></ul>|<ul><li>[PowerPoint for the web service description](/office365/servicedescriptions/office-online-service-description/powerpoint-online)</li><li>[How certain features behave in web-based PowerPoint](https://support.microsoft.com/office/how-certain-features-behave-in-web-based-powerpoint-a931f0c8-1305-4428-8f7c-9cfa00ef28c5)</li></ul>|

+F1 users don't have mailbox rights. Although a mailbox is provisioned for users through the Exchange Kiosk plan, they aren't entitled to use it. We recommend that you [disable Outlook on the web](/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-outlook-web-app) for F1 users.

+&sup1;F1 includes the Exchange Kiosk plan to enable Teams calendar only and doesn't include mailbox rights.

+F3 and F1 plans include the Teams desktop app, mobile app, and web app for frontline worker communication and collaboration. Your frontline workers have access to Teams features including meetings, chat, channels, content, and apps. However, they won't be able to create live events and webinars or use Teams Phone capabilities.

+&sup2;Users can record meetings and consume Stream content but can't publish to or share in Stream.

+&sup1;Licensed users can create, share, and manage forms. A license isn't needed to complete or respond to a form.

+|Email, Exchange, Outlook|<ul><li>Identify user mailboxes over 2 GB by using the [Get-MailboxStatistics](/powershell/module/exchange/get-mailboxstatistics?view=exchange-ps&preserve-view=true) Exchange PowerShell cmdlet, and then reduce mailbox size, as needed. To learn more, see [Mailbox storage limits in Outlook on the web](https://support.microsoft.com/office/mailbox-storage-limits-in-outlook-on-the-web-f170fe90-b859-4034-bcda-e186fc6a26f5).</li><li>If users have an archive mailbox:</li><ul><li>Move archive mailbox content back to the user's mailbox.</li><li>Check for any archive policies that may automatically move email based on the age of messages by using the [Get-EXOMailbox](/powershell/module/exchange/get-exomailbox?view=exchange-ps&preserve-view=true) Exchange Online PowerShell cmdlet.</li></ul> <li>Identify site mailbox access and usage.</li><li>Outlook desktop app, data, and configuration:</li><ul><li>Identify users and computers that are using Outlook data (.pst) files.</li><li>Identify and document existing Outlook client-only rules.</li><li>Export email signatures.</li></ul></ul>|Users:</br><ul><li>Sign in to [office.com](https://www.office.com) to access Outlook on the web.</li><li>[Set up email on mobile devices](https://support.microsoft.com/office/set-up-office-apps-and-email-on-a-mobile-device-7dabb6cb-0046-40b6-81fe-767e0b1f014f) (if not already).</li><li>Check and update mail signatures.</li><li>Check and update mailbox rules.</li></ul>Admins:<ul><li> [Disable Outlook on the web](/exchange/recipients-in-exchange-online/manage-user-mailboxes/enable-or-disable-outlook-web-app) for F1 users and ask them not to access the mailbox through any other methods.</li></ul>|

+An optimal change management strategy includes how you'll communicate with, train, and support your users before and after you switch them to an F plan. For example, here are a few things to consider:

+For step-by-step guidance on how to change plans in the Microsoft admin center, see [Manually change Microsoft plans](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan#change-plans-manually)

+> Defender for Business is available as a standalone security solution for small and medium-sized businesses. Defender for Business is also included in Microsoft 365 Business Premium, along with additional security capabilities.

+> If you already have Microsoft 365 Business Basic or Standard, consider either upgrading to Microsoft 365 Business Premium or adding Defender for Business to your current subscription to get more threat protection capabilities for your organization.

+The following table summarizes what's included in each plan:

+| Feature/capability | [Defender for Business](mdb-overview.md)<br/>(standalone) | [Microsoft 365 Business Premium](../../business-premium/index.md) |

+||||

+| **Identity management** | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+| [Azure Active Directory Free](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD) (includes security defaults) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |

+ [Azure AD Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (includes security defaults and Conditional Access) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| **Antivirus, antimalware, and ransomware protection for devices** | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+| [Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) (antivirus/antimalware protection on devices together with cloud protection) |:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Attack surface reduction](../defender-endpoint/overview-attack-surface-reduction.md) (network protection, firewall, and attack surface reduction rules) (*see note 1 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) (behavior-based detection and manual response actions) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Automated investigation and response](../defender/m365d-autoir.md) (with self-healing for detected threats) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Microsoft Defender Vulnerability Management](mdb-view-tvm-dashboard.md) (view exposed devices and recommendations) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Cross-platform support for devices](mdb-onboard-devices.md) (Windows, Mac, iOS, and Android) (*see note 2 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Centralized management and reporting](mdb-get-started.md) (Microsoft 365 Defender portal) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [APIs for integration](../defender-endpoint/management-apis.md) (for Microsoft partners or your custom tools and apps) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| **Productivity and additional security for email and collaboration** | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+| [Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (for device onboarding and management) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices for first use) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Exchange Online Protection](../office-365-security/eop-about.md) (antiphishing, antispam, antimalware, and spoof intelligence for email) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/defender-for-office-365) (advanced antiphishing, real-time detections, Safe Attachments, and Safe Links) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+| [Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |

+> 1. [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) is required to modify or customize attack surface reduction rules. Intune is included in Microsoft 365 Business Premium, and can be added on to the standalone version of Defender for Business.

+> 2. You can use *either* [mobile threat defense (preview)](mdb-mtd.md) *or* Microsoft Intune to onboard iOS and Android devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+Defender for Business brings the enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses. If you're wondering how Defender for Business compares to Defender for Endpoint Plan 1 and 2, you can use the following table:

+|[Centralized management](../defender-endpoint/manage-atp-post-migration.md)<br/>(*see note 1 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <br/>(*see note 2 below*)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) <br/>(*see note 3 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Automated investigation and response](../defender-endpoint/automated-investigations.md) <br/>(*see note 4 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Threat analytics](../defender-endpoint/threat-analytics.md) <br/>(*see note 5 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>Windows, Mac, iOS, and Android OS (*For Windows Server and Linux, see note 6 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+> 3. Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions: Run antivirus scan; Isolate device; and Add an indicator to block or allow a file.

+> 6. To onboard servers, another license is required. See [Onboard devices to Defender for Business](mdb-onboard-devices.md) or [Onboard devices and configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md).

+> You must be a global administrator to complete setup tasks, including running the setup wizard. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).

+1. **Get Defender for Business**. Start a trial or paid subscription today. You can choose from the standalone version of Defender for Business, or get it as part of Microsoft 365 Business Premium. See [Get Microsoft Defender for Business](get-defender-business.md). And, if you're planning to onboard servers, see [How to get Microsoft Defender for Business servers](get-defender-business-servers.md).

+2. **Add users and assign Defender for Business licenses**. You'll want to do this task before you run the setup wizard. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

+3. **Create a list of your security team's email addresses**. Set up a list of your security team's names and email addresses. This list will come in handy while you are using the setup wizard. To view a list of users, in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)), go to **Users** > **Active users**.

+4. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Assets** > **Devices**.

+ If Defender for Business isn't provisioned yet, that process begins now. When Defender for Business has finished provisioning, you're prompted to use the setup wizard, as shown in the following image:

+ :::image type="content" source="medib-wizard-start.png":::

+5. **Assign user permissions**. In this first step of the setup wizard, you grant your security team access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions. [Learn more about roles and permissions](mdb-roles-permissions.md).

+6. **Set up email notifications**. In this step of the setup wizard, you can set up email notifications for your security team using the list you created in step 3. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).

+7. **Onboard and configure Windows devices**. In this step of the setup wizard, you can onboard Windows devices to Defender for Business. Onboarding devices right away helps to protect those devices from day one. Note that this step of the wizard applies to Windows devices only. You can onboard other devices later. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+ > If your organization is using Microsoft Intune, and devices are already enrolled in Intune, Defender for Business prompts you to either continue using Intune, or switch to using the simplified configuration process in the Microsoft 365 Defender portal. See [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).

+ >

+ > Defender for Business also offers automatic onboarding for Windows devices enrolled in Intune. Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. We recommend selecting the "all devices enrolled" option so that as Windows devices are enrolled in Intune, they're onboarded to Defender for Business automatically.

+

+8. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can start with your default policies, and add more later. See [View and edit your security policies and settings](mdb-configure-security-settings.md).

+9. **Select your next step**. Afer the setup wizard has completed, you're prompted to choose a next step. For example, you can onboard devices, view your security dashboard, or view your security policies.

+> [!IMPORTANT]

+> You must be a global administrator to complete setup tasks. See [Security roles and permissions in Defender for Business](mdb-roles-permissions.md).

+2. **Add users and assign licenses**. Assign a license for Defender for Business (or Microsoft 365 Business Premium, if that's your subscription) to each member of your organization to protect their devices. You'll also want to make sure multifactor authentication is enabled for all users. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

+4. **Set up email notifications for your security team**. As alerts are generated, or new vulnerabilities are discovered, people on your security team can be notified automatically, via email messages. See [Set up email notifications](mdb-email-notifications.md).

+5. **Onboard devices to Defender for Business**. The sooner you get your devices onboarded to Defender for Business, the sooner they're protected. You can onboard devices in the Microsoft 365 Defender portal. Or, if your organization is already using Microsoft Intune, you can use it to enroll devices. See [Onboard devices to Defender for Business](mdb-onboard-devices.md).

+If you choose not to use the setup wizard, see the following diagram that depicts the [overall setup and configuration process](mdb-setup-configuration.md) for Defender for Business.

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+> [!NOTE]

+> As a best practice, we recommend setting AuditD configuration **max_log_file_action** to **rotate**.

+>

+> This helps prevent situations where AuditD logs accumulate and consume all available disk space.

+

+**To mitigate most AuditD performance issues, you can implement AuditD exclusion. If the given exclusions do not improve the performance then we can use the rate limiter option. This will reduce the number of events being generated by AuditD altogether.**

+### Rate Limiter

+The XMDEClientAnalyzer support tool contains syntax that can be used to limit the number of events being reported by the auditD plugin. This option will set the rate limit globally for AuditD causing a drop in all the audit events.

+> [!NOTE]

+> This functionality should be carefully used as limits the number of events being reported by the auditd subsystem as a whole. This could reduces the number of events for other subscribers as well.

+The ratelimit option can be used to enable/disable this rate limit.

+Enable: `./mde_support_tool.sh ratelimit -e true`

+Disable: `./mde_support_tool.sh ratelimit -e false`

+When the ratelimit is enabled a rule will be added in AuditD to handle 2500 events/sec.

+| fg `<command ID>` | Place the specified job in the foreground, making it the current job. NOTE: fg takes a 'command ID` available from jobs, not a PID. | Y | Y | Y |

+| collect | Collects forensics package from device. | N | Y | Y |

+| getfile <file_path> | Downloads a file. | Y | Y | Y |

+| isolate | Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service. | N | Y | N |

+| release | Releases a device from network isolation. | N | Y | N |

+> [!NOTE]

+> Risk Level which can influence enforcement of conditional access and other security policies on Microsoft Intune, is available in Windows today.

+### External package dependancy

+The following external package dependencies exist for the mdatp package:

+- The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils", "semanage" "selinux-policy-targeted", "mde-netfilter"

+- For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux", "mde-netfilter"

+- For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd", "mde-netfilter"

+The mde-netfilter package also has the following package dependencies:

+- For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"

+- For RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"

+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.

+- tier3

+> - These response actions are only available for devices on Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

+> - Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: 'E812F96A7735C746129ACD66468E2C524CB016359780AFB8CF972D281C2A2B81'

+ echo 'E812F96A7735C746129ACD66468E2C524CB016359780AFB8CF972D281C2A2B81 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ echo '01AC21ED1963E5BFA9926300029B7BC57826ED3904DE774458CD8CF7C872E896 XMDEClientAnalyzer.zip' | sha256sum -c

+### AuditD Rate Limiter

+Syntax that can be used to limit the number of events being reported by the auditD plugin. This option will set the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events will be limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.

+> [!NOTE]

+> This functionality exists for Linux only.

+```console

+-h, --help show this help message and exit

+-e <true/false>, --enable <true/false> enable/disable the rate limit with default values

+```

+Usage example `sudo ./mde_support_tool.sh ratelimit -e true`

+> [!NOTE]

+> This functionality should be carefully used as limits the number of events being reported by the auditd subsystem as a whole. This could reduces the number of events for other subscribers as well.

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+ - tier3

+- tier3

+ - tier2

+ - tier2

+ - tier2

+ - tier3

+ - tier2

+ - tier2

+ - tier2

+- tier3

+ - tier3

+- tier3

+ - tier3

+ - tier3

+ - tier3

+ - tier3

+ - tier3

+- tier3

+- tier3

+ - tier3

+Randomize send time works in batches of 1000 users and is meant to be used with a large number of targeted users. If less than 1000 users are involved in simulations created by automations, batches of 100 users are created for randomized send times.

+ - **Send end-user spam notification every (days)**: Select the frequency for quarantine notifications. You can select **Within 4 hours**, **Daily**, or **Weekly**.

+Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy | Set-QuarantinePolicy -MultiLanguageSetting ('Language1','Language2','Language3') -MultiLanguageCustomDisclaimer ('Language1 Disclaimer','Language2 Disclaimer','Language3 Disclaimer') -ESNCustomSubject ('Language1 Subject','Language2 Subject','Language3 Subject') -MultiLanguageSenderName ('Language1 Sender Display Name','Language2 Sender Display Name','Language3 Sender Display Name') [-EndUserSpamNotificationCustomFromAddress <InternalUserEmailAddress>] [-OrganizationBrandingEnabled <$true | $false>] [-EndUserSpamNotificationFrequency <04:00:00 | 1.00:00:00 | 7.00:00:00>]

+description: Admins can learn how to find and use the email security reports that are available in the Microsoft 365 Defender portal. This article helps answer the question What is the The Threat protection status report in Microsoft Defender for Office 365?

+## What is the The Threat protection status report in Microsoft Defender for Office 365?

+The **Threat protection status** report is available in both EOP and Defender for Office 365. However, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).

+Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that aren't rewritten by Safe Links scanning. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.

+|`https://toys.contoso.com*`|Blocks a subdomain (`toys` in this example) but allow clicks to other domain URLs (like `https://contoso.com` or `https://home.contoso.com`).|

+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders.

+The Tenant Allow/Block List doesn't apply to internal messages within the organization. However, block entries for **Domains and email addresses** prevent users in the organization from sending email to those blocked domains and addresses.

+ Title: Why do I need Microsoft Defender for Office 365?

+audience: Admin

+ms.localizationpriority: high

+search.appverid:

+ - MET150

+ - MOE150

+ms.assetid: e100fe7c-f2a1-4b7d-9e08-622330b83653

+ - m365-security

+ - tier1

+ - highpri

+ - seo-marvel-apr2020

+ - intro-overview

+ - curated-apr-2023

+description: Is Microsoft Defender for Office 365 worth it? Let's find out. This article had info on the fastest and most recommended setup of Microsoft Defender for Office 365 including Safe Attachments, Safe Links, advanced anti-phishing tools, reporting tools, and threat intelligence capabilities.

+# Why do I need Microsoft Defender for Office 365?

+> [!IMPORTANT]

+> **If you are being blocked by Safe Links pages**, go here for info: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

+**Applies to**

+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)

+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

+**Microsoft Defender for Office 365 is a seamless integration into your Office 365 subscription** that provides protection against threats that arrive in email, links (URLS), attachments, or collaboration tools like SharePoint, Teams, and Outlook. With real-time views of threats and tools like Threat Explorer, you can threat hunt and stay ahead of potential threats.

+For email threats that you may discover after the fact, Zero-hour autopurge (ZAP) can remove those mails. Automated Investigation and Response (AIR) allows you to automate monitoring and remediation, making it more efficient for security operations (sec ops) teams. The deep integration with Office 365 and robust reporting ensures that you are always on top of security operations.

+## Let's focus on the features of Microsoft Defender for Office 365

+Microsoft Defender for Office 365 safeguards organizations against malicious threats by providing admins and sec ops teams a wide range of capabilities. These features *start* benefitting users, admins, and sec ops at the time of installation. For example:

+- **[Installation by Preset can set up everything for you](preset-security-policies.md)**: This is the fastest, easiest, and the *recommended* set up, because it automates the roll-out of a secure environment (if automated policies are allowed and possible in your organization). And abbreviated steps are available too (because when *isn't* admin/sec ops in a hurry): [Just the steps for preset policy setup, please!](step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md)

+- **[Threat protection policies](#defender-for-office-365-policies)**: Define threat-protection policies so admins can set the right level of protection for the organization.

+- **[Reports](#how-to-view-microsoft-defender-for-office-365-reports)**: Sec ops can view real-time reports to monitor Defender for Office 365 performance in the organization.

+- **[Threat investigation and response capabilities](#best-of-class-threat-investigation-and-response-capabilities)**: These are leading-edge tools to investigate, understand, simulate, and prevent threats.

+- **[Automated investigation and response capabilities](air-about.md)**: Save time and effort investigating and mitigating threats by automating what you can.

+## Interactive guide to Microsoft Defender for Office 365

+If you need more information, this interactive guide will show you why Microsoft Defender for Office 365 is worth it, and give examples on how to safeguard your organization.

+You'll also see how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks.

+[Check out the interactive guide](https://aka.ms/MSDO-IG)

+## What is the difference between Plan 1 and Plan 2 Defender for Office 365?

+For more on what's included in Microsoft 365 Plans 1 & 2, browse over to [this document](microsoft-defender-for-office-365-product-overview.md), because that article quickly spells out what makes up the two products, and the ***emphasis*** of each part of *Microsoft Defender for Office 365* using a familiar structure: *Protect*, *Detect*, *Investigate*, and *Respond*.

+Graphics and short, scannable paragraphs answer questions like:

+- What is *Plan 1* optimized to do for you?

+- What's the biggest benefit to your company in *Plan 2*?

+- Who has *Exchange Online Protection* and what's it optimized to do?

+So, don't miss it!

+## How do you get started?

+There are two methods to set up Microsoft Defender for Office 365 for your subscription.

+### Preset security policy configuration is *recommended*

+It is **recommended** that -- as much as your organization can, given its specific needs -- you configure via **preset security policies**. You can learn more about presets here: [Preset setup information and steps](preset-security-policies.md); or if you just want steps, here are just [the steps for preset policy setup](step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md).

+### Manual configuration for Microsoft Defender for Office 365

+Though it's no longer the recommended practice, here are the initial logical configuration chunks for manual set up:

+- Configure everything with '*anti*' in the name.

+ - anti-malware

+ - anti-phishing

+ - anti-spam

+- Set up everything with '*safe*' in the name.

+ - Safe Links

+ - Safe Attachments

+- Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)

+- Protect with zero-hour auto purge (ZAP).

+To learn by doing things manually, [click this link](protect-against-threats.md).

+> [!NOTE]

+> Microsoft Defender for Office 365 comes in two different Plan types. You can tell if you have **Plan 1** if you have *Real-time Detections*, and **Plan 2**, if you have *Threat Explorer* (also called Explorer). The Plan you have influences the tools you see, so be sure that you're aware of your Plan as you learn.

+## Manual steps to Configure Microsoft Defender for Office 365 policies

+*It's recommended that you configure with preset security policies* (if I haven't said this enough), but some organizations must configure manually.

+With Microsoft Defender for Office 365, your organization's security team can configure protection by defining policies in the Microsoft 365 Defender portal at <https://security.microsoft.com> > **Email & collaboration** \> **Policies & rules** \> **Threat policies**. Or, you can go directly to the **Threat policies** page by using <https://security.microsoft.com/threatpolicy>.

+> [!TIP]

+> For a quick list of policies to define manually, see [Protect against threats](protect-against-threats.md).

+## Defender for Office 365 Policies

+The policies that are defined for your organization determine the behavior and protection level for predefined threats.

+Policy options are extremely flexible. For example, your organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It is important to *review your policies regularly*, because new threats and challenges emerge daily.

+### Safe Attachments

+- **[Safe Attachments](safe-attachments-about.md)**: Provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox. To learn more, see [Set up Safe Attachments policies](safe-attachments-policies-configure.md).

+### Safe Links

+- **[Safe Links](safe-links-about.md)**: Provides time-of-click verification of URLs, for example, in emails messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click: safe links remain accessible and malicious links are dynamically blocked. To learn more, see [Set up Safe Links policies](safe-links-policies-configure.md).

+### Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

+- **[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)**: Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries. To learn more, see [Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md).

+### Anti-phishing protection in Defender for Office 365

+- **[Anti-phishing protection in Defender for Office 365](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)**: Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks. To learn more, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md).

+## How to view Microsoft Defender for Office 365 reports

+Microsoft Defender for Office 365 includes [reports](reports-defender-for-office-365.md) to monitor Defender for Office 365. You can access the reports in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. You can also go directly to the **Email and collaboration reports** page using <https://security.microsoft.com/securityreports>.

+Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Predefined reports include the following:

+- [Threat Explorer (or real-time detections)](threat-explorer-about.md)

+- [Threat protection status report](reports-defender-for-office-365.md#threat-protection-status-report)

+- ... and several more.

+## Best of class threat investigation and response capabilities

+Microsoft Defender for Office 365 Plan 2 includes best-of-class [threat investigation and response tools](office-365-ti.md) that enable your organization's security team to anticipate, understand, and prevent malicious attacks.

+### Threat Trackers on the latest threats

+- **[Threat trackers](threat-trackers.md)** provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include [Noteworthy trackers](threat-trackers.md#noteworthy-trackers), [Trending trackers](threat-trackers.md#trending-trackers), [Tracked queries](threat-trackers.md#tracked-queries), and [Saved queries](threat-trackers.md#saved-queries).

+### Threat Explorer or Real-Time Detections

+- **[Threat Explorer in Plan 2 (or real-time detections in Plan 1)](threat-explorer-about.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.

+### Attack simulation training for user readiness

+- **[Attack simulation training](attack-simulation-training-simulations.md)** allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Simulations of current types of attacks are available, including spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.

+## Save time with automated investigation and response

+When sec ops is investigating a potential cyberattack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be.

+[Automated investigation and response](air-about.md) (AIR) capabilities include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer.

+AIR can save your security operations team time and effort in mitigating threats effectively and efficiently. To learn more, see [AIR in Office 365](air-about.md).

+## These are the permissions needed to use Defender for Office 365 features

+To access Microsoft Defender for Office 365 features, you *must* be assigned an appropriate role. The following table includes some examples:

+|Role or role group|Resources to learn more|

+|||

+|global administrator (or Organization Management)|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md).|

+|Security Administrator|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md).|

+|Organization Management in Exchange Online|[Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) <p> [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)|

+|Search and Purge|This role is available only in the Microsoft 365 Defender portal or the Microsoft Purview compliance portal. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md) and [Permissions in the Microsoft Purview compliance portal](../../compliance/microsoft-365-compliance-center-permissions.md).|

+|||

+## Where can you get Microsoft Defender for Office 365?

+Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium.

+### What to do if your subscription doesn't have Defender for Office 365 but you need it

+If your subscription doesn't include Defender for Office 365, you can get Defender for Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a look at the following resources:

+- [Microsoft Defender for Office 365 availability](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#office-365-advanced-threat-protection-atp-availability) for a list of subscriptions that include Defender for Office 365 plans.

+- [Feature availability across Microsoft Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans) for a list of features included in Plan 1 and 2.

+- [Get the right Microsoft Defender for Office 365](https://products.office.com/exchange/advance-threat-protection#pmg-allup-content) to compare plans and purchase Defender for Office 365.

+- [Start a free trial](https://go.microsoft.com/fwlink/p/?LinkID=698279)

+## What new features are coming for Microsoft Defender for Office 365?

+New features are added to Microsoft Defender for Office 365 continually. To learn more, see the following resources:

+- [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=Microsoft%2CDefender%2Cfor%2COffice%2C365) provides a list of new features in development and rolling out.

+- [Microsoft Defender for Office 365 Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#whats-new-in-office-365-advanced-threat-protection-atp) describes features and availability across Defender for Office 365 plans.

+## See also

+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)

+- [Automated investigation and response (AIR) in Microsoft 365 Defender](../defender/m365d-autoir.md)

+ 

+

+

+- **Contract processing**

+

+# [Contract processing](#tab/contract-processing)

+1. Select **Contract processing**.

+2. On the **Contract processing: Details** page, you'll find more information about the model. If you want to proceed with using the model, select **Next**.

+3. On the right panel of the **Create a contract processing model** page, enter the following information.

+ - **Model name** ΓÇô Enter the name of the model, for example *Service agreement*.

+ 

+6. You're now ready to [complete setting up the model](prebuilt-model-contract.md).

+# [Invoice processing](#tab/invoice-processing)

+5. When you're ready to create the model, select **Create**.

+6. You're now ready to [complete setting up the model](prebuilt-model-invoice.md).

+# [Receipt processing](#tab/receipt-processing)

+3. On the right panel of the **Create a receipt processing model** page, enter the following information.

+4. Under **Advanced settings**:

+5. When you're ready to create the model, select **Create**.

+6. You're now ready to [complete setting up the model](prebuilt-model-receipt.md).

+| Supported file types | Train on 5-10 .pdf, Office, or email files, including negative examples.<br>Files are truncated at 64,000 characters. OCR-scanned files are limited to 20 pages. Supports more than 20 file types. See [supported file types](requirements-and-limitations.md#unstructured-document-processing). | Train on .pdf, .jpg, or .png format, total 50 MB and 500 pages. | Train on .pdf, .jpg, or .png format, total 50 MB and 500 pages. |

+Content understanding in Microsoft Syntex starts with AI models. Models let you identify and classify documents that are uploaded to SharePoint document libraries, and then to extract the information you need from each file.

+When applied to a SharePoint document library, the model is associated with a content type and has columns to store the information being extracted. The content type you create is stored in the SharePoint content type gallery. You can also choose to use existing content types to use their schema.

+

+- [Contract processing](#contract-processing)

+

+### Contract processing

+The contract processing model analyzes and extracts key information from contract documents. The API analyzes contracts in various formats and extracts key contract information such as client or party name, billing address, jurisdiction, and expiration date.

+For more information about prebuilt contract processing models, see [Use a prebuilt model to extract information from contracts](prebuilt-model-contract.md).

+ Title: Use a prebuilt model to extract information from contracts in Microsoft Syntex

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to use a prebuilt contracts model in Microsoft Syntex.

+# Use a prebuilt model to extract information from contracts in Microsoft Syntex

+The prebuilt *contracts model* analyzes and extracts key information from contract documents. The API recognizes contracts in various formats and extracts key contract information, such as client name and address, contract duration, and renewal date.

+> [!NOTE]

+> Currently, this model is available only for .pdf and image file types. More file types will be added in future releases.

+To use a contracts model, follow these steps:

+- Step 1: [Create a contracts model](#step-1-create-a-contracts-model)

+- Step 2: [Upload an example file to analyze](#step-2-upload-an-example-file-to-analyze)

+- Step 3: [Select extractors for your model](#step-3-select-extractors-for-your-model)

+- Step 4: [Apply the model](#step-4-apply-the-model)

+## Step 1: Create a contracts model

+Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create a prebuilt contracts model. Then continue with the following steps to complete your model.

+## Step 2: Upload an example file to analyze

+1. On the **Models** page, in the **Add a file to analyze** section, select **Add a file**.

+ 

+2. On the **Files to analyze the model** page, select **Add** to find the file you want to use.

+ 

+3. On the **Add a file from the training files library** page, select the file, and then select **Add**.

+ 

+4. On the **Files to analyze the model** page, select **Next**.

+## Step 3: Select extractors for your model

+On the extractor details page, you'll see the document area on the right and the **Extractors** panel on the left. The **Extractors** panel shows the list of extractors that have been identified in the document.

+ 

+The entity fields that are highlighted in green in the document area are the items that were detected by the model when it analyzed the file. When you select an entity to extract, the highlighted field will change to blue. If you later decide not to include the entity, the highlighted field will change to gray. The highlights make it easier to see the current state of the extractors you've selected.

+The prebuilt contracts model lets you have multiple values for a given field. For example, if a contract involves two or more parties, it could apply to multiple jurisdictions. In addition, the parties and jurisdictions are themselves objects with multiple properties.

+> [!TIP]

+> You can use the scroll wheel on your mouse or the controls at the bottom of the document area to zoom in or out as needed to read the entity fields.

+### Select an extractor entity

+You can select an extractor either from the document area or from the **Extractors** panel, depending on your preference.

+

+- To select an extractor from the document area, select the entity field.

+ 

+- To select an extractor from the **Extractors** panel, select the checkbox to the right of the entity name.

+ 

+When you select an extractor, a **Select extractor?** box is displayed in the document area. The box shows the extractor name, the original value, and the option to select it as an extractor. For certain data types such as numbers or dates, it will also show an extracted value.

+ 

+The original value is what is actually in the document. The extracted value is what will be written into the column in SharePoint. When the model is applied to a library, you can use column formatting to specify how you want it to look in the document.

+Continue to select additional extractors you want to you use. You can also add other files to analyze for this model configuration.

+### Rename an extractor

+You can rename an extractor either from the model home page or from the **Extractors** panel. You might consider renaming selected extractors because these names will be used as the column names when the model is applied to the library.

+To rename an extractor from the model home page:

+1. In the **Extractors** section, select the extractor you want to rename, and then select **Rename**.

+ 

+2. On the **Rename entity extractor** panel, enter the new name of the extractor, and then select **Rename**.

+To rename an extractor from the **Extractors** panel:

+1. Select the extractor you want to rename, and then select **Rename**.

+ 

+2. In the **Rename extractor** box, enter the new name of the extractor, and then select **Rename**.

+## Step 4: Apply the model

+- To save changes and return to the model home page, on the **Extractors** panel, select **Save and exit**.

+- If you're ready to apply the model to a library, in the document area, select **Next**. On the **Add to library** panel, choose the library to which you want to add the model, and then select **Add**.

+## Change the view in a document library

+For information about how to set the default view and how to change the view of a document library, see [Choose the view in a document library](choose-library-view.md).

+Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create a prebuilt invoices model. Then continue with the following steps to complete your model.

+Follow the instructions in [Create a model in Syntex](create-syntex-model.md#set-up-a-prebuilt-model) to create a prebuilt receipts model. Then continue with the following steps to complete your model.

+Currently, there are three prebuilt models available: [invoices](prebuilt-model-invoice.md), [receipts](prebuilt-model-receipt.md), and [contracts](prebuilt-model-contract.md).

+- The prebuilt *contracts model* analyzes and extracts key information from contract documents. The API recognizes contracts in various formats and extracts key contract information, such as client name and address, contract duration, and renewal date.

+- The prebuilt *invoices model* analyzes and extracts key information from sales invoices. The API analyzes invoices in various formats and [extracts key invoice information](/azure/applied-ai-services/form-recognizer/concept-invoice#field-extraction) such as customer name, billing address, due date, and amount due.

+- The prebuilt *receipts model* analyzes and extracts key information from sales receipts. The API analyzes printed and handwritten receipts and [extracts key receipt information](/azure/applied-ai-services/form-recognizer/concept-receipt#field-extraction) such as merchant name, merchant phone number, transaction date, tax, and transaction total.

+

+[Use a prebuilt model to extract information from contracts](prebuilt-model-contract.md)

+- [Contract processing](#contract-processing)

+### Contract processing

+| Icon | Description |

+| - | - |

+|  | **Supported file types** <br>This model supports the following file types: .bmp, .jpeg, .pdf, .png, and .tiff. |

+|  | **Supported languages** <br>This model supports only English language contracts from the United States. |

+|  | **OCR considerations** <br>This model uses optical character recognition (OCR) technology to scan .pdf files, image files, and .tiff files. OCR processing works best on documents that meet the following requirements: <br> - File format of .jpg, .png, or .pdf (text or scanned). Text-embedded .pdf files are better, because there won't be any errors in character extraction and location. <br> - For .pdf and .tiff files, up to 2,000 pages can be processed. <br> - The file size must be less than 50 MB. <br> - For images, dimensions must be between 50 x 50 and 10,000 x 10,000 pixels. <br> - For .pdf files, dimensions must be at most 11 x 17 inches, corresponding to Legal or A3 paper sizes and smaller. <br> - The total size of the training data is 500 pages or less. <br> Note the following differences about Microsoft Office text-based files and OCR-scanned files (.pdf, image, or .tiff): <br> - Office files: Truncated at 64,000 characters (in training and when run against files in a document library). <br> - OCR-scanned files: There's a 20-page limit.|

+|  | **Multi-Geo environments** <br>When setting up Syntex in a [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo) environment, you can only configure it to use the model type in the central location. If you want to use this model type in a satellite location, contact Microsoft support. |

+|  | **Multi-model libraries** <br>If two or more trained models are applied to the same library, the file is classified using the model that has the highest average confidence score. The extracted entities will be from the applied model only. |

+- [Contract processing](prebuilt-model-contract.md)

+| Contract processing | Invoice processing | Receipt processing |

+| - | - | - |

+| |  |  |

+| Use this prebuilt model to save time processing contracts. Automatically extract key information specific to contract documents. <br>[Learn more about contract models.](prebuilt-model-contract.md) | Use this prebuilt model to save time processing invoices. Automatically extract key information specific to invoices. <br>[Learn more about invoice models.](prebuilt-model-invoice.md) | Use this prebuilt model to save time processing receipts. Automatically extract key information specific to expenses. <br>[Learn more about receipt models.](prebuilt-model-receipt.md) |

+You might have to estimate your projected use of structured document processing or freeform document processing models, and plan for the expected number of AI Builder credits. For help, see [Estimate the AI Builder capacity that's right for you](https://powerapps.microsoft.com/ai-builder-calculator/).