Updates from: 04/29/2022 01:08:33
Category Microsoft Docs article Related commit history on GitHub Change details
admin What Is Microsoft 365 For Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/what-is-microsoft-365-for-business.md
+
+ Title: "What is Microsoft 365 for business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- adminvideo
+- intro-overview
+search.appverid:
+- MET150
+description: "Learn about Microsoft 365 for business, a subscription service that takes care of the IT part for you."
+feedback_system: None
Last updated : ++
+# What is Microsoft 365 for business
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4U5xs?autoplay=false]
+
+[Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) is a subscription service that lets you run your organization in the cloud while Microsoft takes care of the IT for you. It connects employees to the people, information, and content they need to do their best work, from any device.
++
+**Microsoft 365 for business plans**
+
+Microsoft 365 for business provides the following plans to select from to help you find the subscription that best suits your business needs.
+
+|Plan|Description|
+| | |
+| [Microsoft 365 Apps for Business](https://www.microsoft.com/microsoft-365/business/microsoft-365-apps-for-business) | ΓÇó Get desktop versions of Office apps: Outlook, Word, Excel, PowerPoint, OneNote (plus Access and Publisher for PC only).</br>ΓÇó Store and share files with 1 TB of OneDrive cloud storage per user.</br>ΓÇó Use one license to cover fully installed Office apps on five mobile devices, five tablets, and five PCs or Macs per user.</br>ΓÇó Automatically update your apps with new features and capabilities every month.</br>ΓÇó Get help anytime with around-the-clock phone and web support from Microsoft. |
+| [Microsoft 365 Business Basic](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-basic) | ΓÇó Host email with a 50 GB mailbox and custom email domain address.</br>ΓÇó Create a hub for teamwork to connect people using Microsoft Teams.</br>ΓÇó Use Office apps for the web, including Outlook, Word, Excel, PowerPoint, and OneNote.</br>ΓÇó Store and share files with 1 TB of OneDrive cloud storage per user.</br>ΓÇó Facilitate online meetings and video conferencing for up to 300 users.</br>ΓÇó Get help anytime with around-the-clock phone and web support from Microsoft. |
+| [Microsoft 365 Business Standard](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-standard) | ΓÇó Get desktop versions of Office apps, including Outlook, Word, Excel, PowerPoint, and OneNote (plus Access and Publisher for PC only).</br>ΓÇó Host email with a 50 GB mailbox and custom email domain.</br>ΓÇó Create a hub for teamwork to connect people using Microsoft Teams.</br>ΓÇó Store and share files with 1 TB of OneDrive cloud storage per user.</br>ΓÇó Use one license to cover fully installed Office apps on five mobile devices, five tablets, and five PCs or Macs per user.</br>ΓÇó Get help anytime with around-the-clock phone and web support from Microsoft. |
+| [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium) | ΓÇó Stay up to date with the latest versions of Word, Excel, PowerPoint, and more.</br>ΓÇó Connect with customers and coworkers using Outlook, Exchange, and Microsoft Teams.</br>ΓÇó Manage your files from anywhere with 1 TB of cloud storage on OneDrive per user.</br>ΓÇó Defend your business against advanced cyberthreats with sophisticated phishing and ransomware protection.</br>ΓÇó Control access to sensitive information using encryption to help keep data from being accidentally shared.</br>ΓÇó Secure devices that connect to your data and help keep iOS, Android, Windows, and MacOS devices safe and up to date. |
++
+For more details, you can [compare plans](https://www.microsoft.com/microsoft-365/business#coreui-heading-hiatrep).
++
+## Related content
+
+[How to sign up - Admin help](../admin-overview/sign-up-for-office-365.md) (Article)
+
+[Sign up for a Microsoft 365 Business Standard subscription](../simplified-signup/signup-business-standard.md) (Article)
+
+[Plan your setup of Microsoft 365 for business](../setup/plan-your-setup.md) (Article)
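Review bot: The bullet items inside the four plan rows of the table are separated with `</br>`, which is a closing tag with no matching element and is not valid HTML. Use `<br/>` (or an HTML list inside the cell) so every renderer breaks the lines the same way. In the Business Premium row, `MacOS` should be `macOS`. "custom email domain address" in the Business Basic row should also match "custom email domain" in the Business Standard row.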
admin Azure Ad Setup Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/azure-ad-setup-guides.md
An Azure Active Directory P2 license is required to utilize the security feature
[Open the Identity security for Teams catalog](https://aka.ms/teamsidentity)
+## Identity Governance
+
+This wizard catalog is designed to help customers with Azure Active Directory P2 functionality, including Access Reviews (AR), Privileged Identity Management (PIM) and Entitlement Management (ELM). For PIM and ELM we offer a curated list of docs and a pointer to the Azure Active Directory admin center, where the admin can configure this functionality. For AR, we offer a fully automated experience that allows admins to choose from two templates. These templates include one that allows group owners to approve guest usage in all Microsoft 365 groups. This is a top policy that customers use today.
+
+Next, we offer a test template, where the admin is the reviewer of guests for a specific group they choose. If the tenant already has a review in place that covers all Microsoft 365 groups guest users, the admin will be pointed to the Azure Active Directory admin center to manage the existing review and there will be no automated experience.
+
+[Open the Identity Governance setup guide](https://go.microsoft.com/fwlink/p/?linkid=386330)
+
+> [!NOTE]
+> Azure Active Directory P2 license is required to utilize the security features in this catalog.
+ ## Azure Active Directory deployment The Azure Active Directory setup guide will help you set up the most common Azure AD features in a recommended order. The setup guide is split into three sections: **Initial**, **Core**, and **Advanced**. Each section recommends a set of features you should turn on.
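Review bot: The new Identity Governance section names the same thing two ways: the first paragraph calls it a "wizard catalog" and the closing note says "this catalog", while the link text is "Open the Identity Governance setup guide". Pick "setup guide" throughout, since that is what the other sections of this article use. The abbreviations AR, PIM and ELM are introduced and then used only once or twice, so spelling the names out would read better. "This is a top policy that customers use today" gives an admin nothing to act on; either say why the template is recommended or drop the sentence.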
Using Azure Active Directory sync tools is free and included with all Microsoft
[Open the Add or Sync users setup guide](https://go.microsoft.com/fwlink/?linkid=2183349).
-## Add a cloud app to Microsoft 365
+## Secure your cloud apps with Single Sign On (SSO)
This guide is designed to help you add cloud apps to Microsoft 365. In our guide, you can add an application to your tenant, add users to the app, assign roles, and more. If the app supports Single Sign-On (SSO), weΓÇÖll walk you through that configuration as well.
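Review bot: The renamed heading promises more than the unchanged paragraph under it delivers. The heading is now about securing apps with SSO, but the body still describes adding an app, adding users and assigning roles, with SSO configured only "If the app supports Single Sign-On". Either update the paragraph to lead with the SSO outcome or keep a heading that covers the whole guide. The heading also spells it "Single Sign On" while the body uses "Single Sign-On"; use one form.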
admin Plan Your Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/plan-your-setup.md
This article is for people who have subscribed to a Microsoft 365 for business p
Before moving your organization to Microsoft 365, there are requirements you need to meet, info you need to have on hand, and decisions you have to make.
-## Overview of Microsoft 365 Business Premium setup
+## Overview of Microsoft 365 for business setup
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4jZwg?autoplay=false]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Vjso?autoplay=false]
-Congratulations on your decision to move your business to the cloud with Microsoft 365! Whether you have one person in your business or 20, doing a little planning will help you get the most out of Microsoft 365 Business Premium.
+Congratulations on your decision to move your business to the cloud with Microsoft 365! Whether you have one person in your business or 20, doing a little planning will help you get the most out of Microsoft 365 for business.
## Info to have on hand before you run the setup wizard
There are a couple of scenarios that include either migrating data or users from
- To set up directory synchronization with your on-premises Active Directory, see [Set up directory synchronization for Microsoft 365](../../enterprise/set-up-directory-synchronization.md), and to understand the different identity models in Microsoft 365, read [Deploy your identity infrastructure for Microsoft 365](../../enterprise/deploy-identity-solution-overview.md). -- To set-up an Exchange hybrid, the full set of instructions that guide you through all the different ways of setting up a hybrid exchange (including setting up DNS records) can be found here: [Exchange Server Deployment Assistant](/exchange/exchange-deployment-assistant)
+- To set up an Exchange hybrid, the full set of instructions that guide you through all the different ways of setting up a hybrid exchange (including setting up DNS records) can be found here: [Exchange Server Deployment Assistant](/exchange/exchange-deployment-assistant)
- To set up a SharePoint hybrid, particularly hybrid search and site features, see [Hybrid Search in SharePoint](/SharePoint/hybrid/hybrid-search-in-sharepoint).
compliance Compliance Manager Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-alert-policies.md
Learn more about [Azure roles in the Microsoft Purview compliance portal](micros
| **Compliance Manager Administration**| Yes | Yes | | **Compliance Manager Assessor**| Yes | Yes | | **Compliance Manager Contribution**| Yes | Yes |
-| **Global Administrator**| No | No |
+| **Global Administrator**| Yes | Yes |
| **Compliance Manager Reader**| No | No | Learn how to [set user permissions and assign roles for Compliance Manager](compliance-manager-setup.md#set-user-permissions-and-assign-roles).
compliance Create Ediscovery Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-ediscovery-holds.md
To create an eDiscovery hold that's associated with a eDiscovery (Standard) case
3. **Exchange public folders**: Set the toggle to **On** to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch off if you don't want to put a hold on public folders. > [!IMPORTANT]
- > When adding Exchange mailboxes or SharePoint sites to a hold, you must explicitly add at least one content location to the hold. In other words, if you set the toggle to **On** for mailboxes or sites, you must select specific mailboxes or sites to add to the hold. Otherwise, the eDiscovery hold will be created but no mailboxes or sites will be added to the hold, and the statistics will show that no content locations or items are on hold.
+ > When adding Exchange mailboxes or SharePoint sites to a hold, you must explicitly add at least one content location to the hold. In other words, if you set the toggle to **On** for mailboxes or sites, you must select specific mailboxes or sites to add to the hold. Otherwise, the eDiscovery hold will be created but no mailboxes or sites will be added to the hold.
8. When you're done adding locations to the hold, click **Next**.
compliance How Smtp Dane Works https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/how-smtp-dane-works.md
Currently, there are four error codes for DANE when sending emails with Exchange
|5.7.323|tlsa-invalid: The domain failed DANE validation.| |5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
+> [!NOTE]
+> Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
+>
+> `4/5.4.312 DNS query failed`
+>
+> We are actively working to remedy this known limitation. If you recieve this error statement,
+navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against
+the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue
+or a different DNS issue.
+ ### Troubleshooting 5.7.321 starttls-not-supported This usually indicates an issue with the destination mail server. After receiving the message:
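Review bot: The added note refers to "the 4/5.7.324 dnssec-invalid error", but the table directly above it in this section lists the code as `5.7.324`, without the `4/` prefix. A reader matching the note against the table will not find the code as written, so use the same notation in both places. "recieve" should be "receive". The note also tells the reader to navigate to the Microsoft Remote Connectivity Analyzer without linking to it; add the link so the troubleshooting step can be followed from the page.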
When troubleshooting, the below error codes may be generated:
|4/5.7.323|tlsa-invalid: The domain failed DANE validation.| |4/5.7.324|dnssec-invalid: Destination domain returned invalid DNSSEC records.|
+> [!NOTE]
+> Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
+>
+> `4/5.4.312 DNS query failed`
+>
+> We are actively working to remedy this known limitation. If you recieve this error statement,
+navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against
+the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue
+or a different DNS issue.
+ ### Troubleshooting 5.7.321 starttls-not-supported > [!NOTE]
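Review bot: The last three lines of this note ("navigate to the Microsoft Remote Connectivity Analyzer ..." through "or a different DNS issue.") are missing the leading `>`, so they stay inside the note only through lazy continuation and will fall out of it if a blank line is ever inserted. Prefix them with `>` like the lines above. This is also a word-for-word copy of the note added earlier in the same file; moving the text into a single include would keep the two copies from drifting when the known limitation is fixed.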
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
By choosing the settings for retaining and deleting content, your policy for ret
### Retaining content for a specific period of time
-When you configure a retention label or policy to retain content, you choose to retain items for a specific number of days, months, or years. Or alternatively, retain the items forever. The retention period is not calculated from the time the policy was assigned, but according to the start of the retention period specified.
+When you configure a retention label or policy to retain content, you choose to retain items for a specific number of days, months (assumes 30 days for a month), or years. Or alternatively, retain the items forever. The retention period is not calculated from the time the policy was assigned, but according to the start of the retention period specified.
For the start of the retention period, you can choose when the content was created or, supported only for files and the SharePoint, OneDrive, and Microsoft 365 Groups, when the content was last modified. For retention labels, you can start the retention period from the content was labeled, and when an event occurs.
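Review bot: The parenthetical "(assumes 30 days for a month)" in the added sentence states the rule but not its consequence. Read literally, a retention period entered as 12 months is 360 days rather than a calendar year, which matters to anyone mapping a regulatory period onto this setting. Suggest spelling that out, for example by advising readers to specify years or days when the requirement is expressed in calendar terms, and rewording to "a month is counted as 30 days".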
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Keywords
-Any term from the Dictionary_icd_10_updated keyword dictionary, which is based on the [International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM)](https://go.microsoft.com/fwlink/?linkid=852604). This type looks only for the term, not the insurance codes.
+Any term from the Dictionary_icd_10_updated keyword dictionary, which is based on the [International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM)](https://icd10cmtool.cdc.gov/). This type looks only for the term, not the insurance codes.
-Any term from the Dictionary_icd_10_codes keyword dictionary, which is based on the [International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM)](https://go.microsoft.com/fwlink/?linkid=852604). This type looks only for insurance codes, not the description.
+Any term from the Dictionary_icd_10_codes keyword dictionary, which is based on the [International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM)](https://icd10cmtool.cdc.gov/). This type looks only for insurance codes, not the description.
## International classification of diseases (ICD-9-CM)
enterprise Administering Exchange Online Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/administering-exchange-online-multi-geo.md
Or, you can use the following steps to onboard mailboxes directly in a specific
## Multi-geo reporting
+> [!NOTE]
+> The multi-geo reporting feature is currently in Preview, is not available in all organizations, and is subject to change.
+ **Multi-Geo Usage Reports** in the Microsoft 365 admin center displays the user count by geo location. The report displays user distribution for the current month and provides historical data for the past 6 months. ## See also
-[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
+[Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
lti Moodle Plugin Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/moodle-plugin-configuration.md
description: Get ready to integrate Moodle and Microsoft Teams by setting up and
In this article, you'll learn how to install and configure the Moodle LMS plugin to incorporate Microsoft Teams with your Moodle experience.
+> [!NOTE]
+> Currently, Moodle and Microsoft Teams LTI integrations are only available in private preview.
+>
+>If you'd like to participate in the private preview program, [sign up here](https://m365crmedu.powerappsportals.com/LMSSignup)
+ ## Prerequisites Here are the prerequisites to install Moodle:
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Event timeline](threat-and-vuln-mgt-event-timeline.md) ##### [Vulnerable devices report](tvm-vulnerable-devices-report.md) ##### [Hunt for exposed devices](tvm-hunt-exposed-devices.md)-
+#### [Guidance for active threats and campaigns]()
+##### [Manage the Log4Shell vulnerability](tvm-manage-log4shell-guidance.md)
### [Device discovery]() #### [Device discovery overview](device-discovery.md) #### [Configure device discovery](configure-device-discovery.md)
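Review bot: The new TOC entry links to `tvm-manage-log4shell-guidance.md` in lower case, while the article added in this same update is listed under the path `tvm-manage-Log4shell-guidance.md`, with a capital L. If the file is committed with that capital letter, the link will not resolve on a case-sensitive build. Rename the file to all lower case so it matches the TOC entry and the neighbouring file names.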
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
The device configuration profile is now assigned to the selected user group.
:::image type="content" source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png":::
+## Set up Microsoft Defender in Personal Profile on Android Enterprise in BYOD mode
+
+>[!NOTE]
+>Microsoft Defender support in Personal profile in Android Enterprise (AE) in Bring-Your-Own-Device (BYOD) mode is now in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+With Microsoft defender support in Android personal profiles, user devices can be protected against phishing and malware attacks on a personal profile that could potentially compromise corporate resources on work profile.
+
+**Set up Microsoft Defender in Personal Profile**
+
+Admins can go to the [Microsoft Endpoint Management admin center](https://endpoint.microsoft.com) to set up and configure Microsoft Defender support in personal profiles by following these steps:
+1. Go to **Apps> App configuration policies** and click on **Add**. Select **Managed Devices**.
+
+ > [!div class="mx-imgBorder"]
+ > ![Image of adding app configuration policy.](images/addpolicy.png)
+
+1. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **ΓÇÿAndroid EnterpriseΓÇÖ**, Profile type as **ΓÇÿPersonally-owned work profile onlyΓÇÖ** and Targeted app as **ΓÇÿMicrosoft DefenderΓÇÖ**.
+
+ > [!div class="mx-imgBorder"]
+ > ![Image of naming configuration policy.](images/selectapp.png)
+
+1. On the settings page, in **ΓÇÿConfiguration settings formatΓÇÖ**, select **ΓÇÿUse configuration designerΓÇÖ** and click on **Add**. From the list of configurations that are displayed, select **ΓÇÿMicrosoft Defender in Personal profileΓÇÖ**.
+
+ > [!div class="mx-imgBorder"]
+ > ![Image of configuring personal profile.](images/addconfiguration.png)
+
+1. The selected configuration will be listed. Change the **configuration value to 1** to enable Microsoft Defender support personal profiles. A notification will appear informing the admin about the same. Click on **Next**.
+
+ > [!div class="mx-imgBorder"]
+ > ![Image of changing config value.](images/changeconfigvalue.png)
+
+1. **Assign** the configuration policy to a group of users. **Review and create** the policy.
+
+ > [!div class="mx-imgBorder"]
+ > ![Image of reviewing and creating policy.](images/savepolicy.png)
+
+Admins can also setup **privacy controls** from the Microsoft Endpoint Manager admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see [configuring privacy controls](android-configure.md).
+
+Organizations can communicate to their users to protect Personal profile with Microsoft Defender on their enrolled BYOD devices.
+- Pre-requisite: Microsoft Defender must be already installed and active in work profile to enabled Microsoft Defender in personal profiles.
+
+**To complete onboarding a device**
+1. Install the Microsoft Defender application in a personal profile with a personal Google Play store account.
+2. Install the Company portal application on personal profile. No sign-in is required.
+3. When a user launches the application, they'll see the sign-in screen. **Login using corporate account only**.
+4. On a successful login, users will see the following screens:
+
+ a. **EULA screen**: Presented only if the user has not consented already in the Work profile.
+
+ b. **Notice screen**: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app.
+5. Provide the required permissions to complete onboarding.
+
+>[!NOTE]
+>**Pre-requisite:**
+ >1. The Company portal needs to be enabled on personal profile.
+ >2. Microsoft Defender needs to be already installed and active in work profile.
++ ## Related topics - [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
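Review bot: The prerequisites appear twice and only after the steps that depend on them: once as a bullet under "Organizations can communicate to their users ..." and again in the closing note. Move a single prerequisites list above "Set up Microsoft Defender in Personal Profile" so admins see it before they start. The closing note also says the Company portal "needs to be enabled on personal profile" while onboarding step 2 says to install it and that no sign-in is required; state which is meant. Smaller fixes are needed in the same block. The admin center is called "Microsoft Endpoint Management admin center" in one place and "Microsoft Endpoint Manager admin center" in another. "Microsoft defender" needs a capital D. "to enabled" should be "to enable". "support personal profiles" in step 4 is missing "in".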
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
ms.technology: mde Previously updated : 03/18/2022 Last updated : 04/11/2022 # Microsoft Defender for Endpoint Device Control Removable Storage Access Control
You can use the following properties to create a removable storage group:
| **Type** | Defines the action for the removable storage groups in IncludedIDList. <p>Enforcement: Allow or Deny <p>Audit: AuditAllowed or AuditDenied<p> | Allow<p>Deny <p>AuditAllowed: Defines notification and event when access is allowed <p>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.<p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. | | **Sid** | Local user Sid or user Sid group or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine. | | | **ComputerSid** | Local computer Sid or computer Sid group or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry. | |
-| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system will not send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p>3: send event <p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |
+| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system will not send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |
|AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.| ## Common Removable Storage Access Control scenarios
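Review bot: Removing `3: send event` from the AuditAllowed list in the Options row leaves the value 3 undocumented for that type, although it is still listed for AuditDenied. Policies already deployed with Options 3 on an AuditAllowed entry now have no described behaviour. Add a sentence saying how 3 is treated for AuditAllowed (ignored, rejected, or handled as 2). While this row is being touched, "the AuditAllowed is setting configured" and "the AuditDenied is setting configured" should read "setting is configured".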
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Download the onboarding package from Microsoft 365 Defender portal.
```Output Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
+ inflating: MicrosoftDefenderATPOnboardingLinuxServer.sh
``` ## Client configuration
-1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
+1. Copy MicrosoftDefenderATPOnboardingLinuxServer.sh to the target device.
> [!NOTE] > Initially the client device is not associated with an organization and the *orgId* attribute is blank.
Download the onboarding package from Microsoft 365 Defender portal.
mdatp health --field org_id ```
-2. Run MicrosoftDefenderATPOnboardingLinuxServer.py.
+2. Run MicrosoftDefenderATPOnboardingLinuxServer.sh.
- > [!NOTE]
- > To run this command, you must have `python` or `python3` installed on the device depending on the disto and version. If needed, see [Step-by-step Instruction for Installing Python on Linux](https://opensource.com/article/20/4/install-python-linux).
-
- If you're running RHEL 8.x or Ubuntu 20.04 or higher, you will need to use `python3`.
-
- ```bash
- sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
- ```
-
- For the rest of distros and versions, you will need to use `python`.
-
```bash
- sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
+ sudo bash MicrosoftDefenderATPOnboardingLinuxServer.sh
``` 3. Verify that the device is now associated with your organization and reports a valid organization identifier:
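Review bot: Steps 1 and 2 now assume the onboarding package contains `MicrosoftDefenderATPOnboardingLinuxServer.sh`, and the Python instructions are removed entirely. A package downloaded before this change contains the `.py` script, as the old unzip output shows, so a reader working from an existing package has no instructions left to follow. Add a sentence under the download step telling readers to download a fresh onboarding package if theirs contains the `.py` file.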
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
To complete this process, you must have admin privileges on the device.
## Client configuration
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint on macOS.
+1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.sh to the device where you deploy Microsoft Defender for Endpoint on macOS.
The client device isn't associated with org_id. Note that the *org_id* attribute is blank.
To complete this process, you must have admin privileges on the device.
mdatp health --field org_id ```
-2. Run the Python script to install the configuration file:
+2. Run the Bash script to install the configuration file:
```bash
- /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
+ bash MicrosoftDefenderATPOnboardingMacOs.sh
``` 3. Verify that the device is now associated with your organization and reports a valid org ID:
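Review bot: The replacement command in step 2, `bash MicrosoftDefenderATPOnboardingMacOs.sh`, drops the absolute interpreter path that the removed line had (`/usr/bin/python`). This procedure is run with admin privileges, so resolving the interpreter through PATH is a step backwards. Use `/bin/bash MicrosoftDefenderATPOnboardingMacOs.sh` so the command always runs the system shell.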
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md
Watch this short video to learn more about how threat analytics can help you tra
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bw1f]
+## Required roles and permissions
+The following table outlines the roles and permissions required to access Threat Analytics. Roles defined in the table below refer to custom roles in individual portals and are not connected to global roles in Azure AD, even if similarly named.
+
+| **One of the following roles are required for Microsoft 365 Defender** | **One of the following roles are required for Defender for Endpoint** | **One of the following roles are required for Defender for Office 365** | **One of the following roles are required for Defender for Cloud Apps** |
+|||||
+| Threat Analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>TVM mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | Not available for Defender for Cloud Apps or MDI users |
+ ## View the threat analytics dashboard The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
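Review bot: In the table row, the Defender for Office 365 cell opens a second `<ul>` after "Prevented email attempts:" and never closes it. The list ends at `<li>View-only recipients</li>` and goes straight to the cell delimiter, which can pull the following cell into the list when rendered. Add the closing `</ul>`. The four column headers should read "One of the following roles is required", and "MDI" in the last cell is not expanded anywhere in the section. In the first column, "Threat Analytics" sits under a header asking for a role, so say whether that is a role name or the feature.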
security Tvm Manage Log4shell Guidance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-manage-Log4shell-guidance.md
+
+ Title: Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management
+description: Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint
+keywords: tvm, lo4j
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+- m365-initiative-defender-endpoint
++
+ms.technology: m365d
++
+# Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+The Log4Shell vulnerability is a remote code execution (RCE) vulnerability found in the Apache Log4j 2 logging library. As Apache Log4j 2 is commonly used by many software applications and online services, it represents a complex and high-risk situation for companies across the globe. Referred to as “Log4Shell” ([CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) ) it introduces a new attack vector that attackers can exploit to extract data and deploy ransomware in an organization.
+
+> [!NOTE]
+> Refer to the blogs [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability and](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) [Microsoft Security Response Center](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) for guidance and technical information about the vulnerability and product specific mitigation recommendations to protect your organization.
+
+## Overview of discovery, monitoring and mitigation capabilities
+
+Threat and vulnerability management provides you with the following capabilities to help you identify, monitor, and mitigate your organizational exposure to the Log4Shell vulnerability:
+
+- **Discovery**: Detection of exposed devices, both Microsoft Defender for Endpoint onboarded devices as well as devices that have been discovered but are not yet onboarded, is based on vulnerable software and vulnerable files detected on disk.
+- **Threat awareness:** A consolidated view to assess your organizational exposure. This view shows your exposure at the device level and software level, and provides access to details on vulnerable files like, the last time it was seen, the last time it was executed and the last time it was executed with open ports. You can use this information to prioritize your remediation actions. It can take up to 24 hours for data related to exposed devices to appear on the dashboard.
+- **Mitigation options:** Apply mitigation options to help lower your exposure risk.
+- **Advanced hunting:** Use advanced hunting to return details for vulnerable log4j files identified on disk.
+
+> [!NOTE]
+> These capabilities are supported on Windows 10 & Windows 11, Windows Server, Linux and macOS.
+>
+> Support on Linux requires Microsoft Defender for Endpoint Linux client version 101.52.57 (30.121092.15257.0) or later.
+>
+> Support on macOS requires Microsoft Defender for Endpoint macOS client version 20.121111.15416.0 or later.
+>
+>For more information on supported versions, see [Supported operating systems platforms and capabilities](tvm-supported-os.md).
+
+## Exposed devices discovery
+
+Embedded threat and vulnerability management capabilities, along with enabling Log4j detection, in the Microsoft 365 Defender portal, will help you discover devices exposed to the Log4Shell vulnerability.
+
+Onboarded devices, are assessed using existing embedded threat and vulnerability management capabilities that can discover vulnerable software and files.
+
+For detection on discovered but not yet onboarded devices, Log4j detection must be enabled. This will initiate probes in the same way device discovery actively probes your network. This includes probing from multiple onboarded endpoints (Windows 10+ and Windows Server 2019+ devices) and only probing within subnets, to detect devices that are vulnerable and remotely exposed to CVE-2021-44228.
+
+To enable Log4 detection:
+
+1. Go to **Settings** > **Device discovery** > **Discovery setup**
+2. Select **Enable Log4j2 detection (CVE-2021-44228)**
+3. Select **Save**
++
+Running these probes will trigger the standard Log4j flow without causing any harmful impact on either the device being probed or the probing device. The probing itself is done by sending multiple HTTP requests to discovered devices, targeting common web application ports (for example - 80,8000,8080,443,8443) and URLs. The request contains HTTP headers with a JNDI payload that triggers a DNS request from the probed machine.
+
+For example, User-Agent: ${jndi:dns://192.168.1.3:5353/MDEDiscoveryUser-Agent} where 192.168.1.3 is the IP of the probing machine.
+
+> [!NOTE]
+> Enabling Log4j2 detection also means onboarded devices will use self-probing to detect local vulnerabilities.
+
+## Vulnerable software and files detection
+
+Threat and vulnerability management provides layers of detection to help you discover:
+
+- **Vulnerable software**: Discovery is based on installed application Common Platform Enumerations (CPE) that are known to be vulnerable to Log4j remote code execution.
+- **Vulnerable files:** Both files in memory and files in the file system are assessed. These files can be Log4j-core jar files with the known vulnerable version or an Uber-JAR that contains either a vulnerable jndi lookup class or a vulnerable log4j-core file. Specifically, it:
+
+ - determines if a JAR file contains a vulnerable Log4j file by examining JAR files and searching for the following file:
+ \\META-INF\\maven\\org.apache.logging.log4j\\log4j-core\\pom.properties - if this file exists, the Log4j version is read and extracted.
+ - searches for the JndiLookup.class file inside the JAR file by looking for paths that contain the string ΓÇ£/log4j/core/lookup/JndiLookup.classΓÇ¥ - if the JndiLookup.class file exists, threat and vulnerability management determines if this JAR contains a Log4j file with the version defined in pom.properties.
+ - searches for any vulnerable Log4j-core JAR files embedded within a nested-JAR by searching for paths that contain any of these strings:
+ - lib/log4j-core-
+ - WEB-INF/lib/log4j-core-
+ - App-INF/lib/log4j-core-
+
+This table describes the search capabilities supported platforms and versions:
+
+|Capability|File Type|Windows10+,<br>server2019+|Server 2012R2,<br>server2016|Server 2008R2|Linux + macOS|
+|:|:|:|:|:|:|
+|Search In Memory | Log4j-core | Yes |Yes<sup>[1]| - | Yes |
+| |Uber-JARs | Yes |Yes<sup>[1]| - | Yes |
+| Search all files on disk |Log4j-core | Yes |Yes<sup>[1]| Yes | - |
+| | Uber-JARs|Yes |Yes<sup>[1]| - | -|
+
+(1) Capabilities are available when [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) is installed on Windows Server 2012 R2 and 2016.
+
+## Learn about your Log4Shell exposure and mitigation options
+
+### Threat and vulnerability management dashboard
+
+Use the threat and vulnerability management dashboard to see your current exposure.
+
+1. In the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness:**
+2. Select **View vulnerability details** to see the consolidated view of your organizational exposure.
+3. Choose the relevant tab to see your exposure broken down by:
+ - Exposed devices ΓÇô onboard
+ - Exposed devices ΓÇô not onboarded
+ - Vulnerable files
+ - Vulnerable software
+
+### Log4Shell vulnerability mitigation
+
+The log4Shell vulnerability can be mitigated by preventing JNDI lookups on Log4j versions 2.10 - 2.14.1 with default configurations. To create this mitigation action, from the **Threat awareness dashboard**:
+
+1. Select **View vulnerability details**
+2. Select **Mitigation options**
+
+You can choose to apply the mitigation to all exposed devices or select specific onboarded devices. To complete the process and apply the mitigation on devices, select **Create mitigation action**.
++
+### Mitigation status
+
+The mitigation status indicates whether the workaround mitigation to disable JDNI lookups has been applied to the device. You can view the mitigation status for each affected device in the Exposed devices tabs. This can help prioritize mitigation and/or patching of devices based on their mitigation status.
++
+The table below lists the potential mitigation statuses:
+
+| Mitigation status | Description |
+|:|:|
+| Workaround applied | _Windows_: The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable was observed before latest device reboot. <br/><br/> _Linux + macOS_: All running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables. |
+| Workaround pending reboot | The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is set, but no following reboot detected. |
+| Not applied | _Windows_: The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable was not observed. <br/><br/> _Linux + macOS_: Not all running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables, and mitigation action was not applied on device. |
+| Partially mitigated | _Linux + macOS_: Although mitigation action was applied on device, not all running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables. |
+|Not applicable | Devices that have vulnerable files that are not in the version range of the mitigation. |
+|Unknown | The mitigation status couldnΓÇÖt be determined at this time. |
+
+> [!NOTE]
+> It may take a few hours for the updated mitigation status of a device to be reflected.
+
+### Revert mitigations applied for the Log4Shell vulnerability
+
+In cases where the mitigation needs to be reverted, follow these steps:
+
+**_For Windows:_**
+
+1. Open an elevated PowerShell window
+2. Run the following command:
+
+ ```Powershell
+ [Environment]::SetEnvironmentVariable("LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS", $null,[EnvironmentVariableTarget]::Machine)
+```
+
+The change will take effect after the device restarts.
+
+**_For Linux:_**
+
+1. Open the file /etc/environment and delete the line LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS=true
+2. Delete the file /etc/systemd/system.conf.d/log4j\_disable\_jndi\_lookups.conf
+3. Delete the file /etc/systemd/user.conf.d/log4j\_disable\_jndi\_lookups.conf
+
+The change will take effect after the device restarts.
+
+**_For macOS:_**
+
+Remove the file setenv.LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS.plist from the following folders:
+
+ - */Library/LaunchDaemons/*
+ - */Library/LaunchAgents/*
+ - */Users/\[username\]/Library/LaunchAgents/ - for all users*
+
+The change will take effect after the device restarts.
+
+### Apache Log4j security recommendations
+
+To see active security recommendation related to Apache log4j, select the **Security recommendations** tab from the vulnerability details page. In this example, if you select **Update Apache Log4j** you'll see another flyout with more information:
++
+Select **Request remediation** to create a remediation request.
+
+## Explore the vulnerability in the Microsoft 365 Defender portal
+
+Once exposed devices, files and software are found, relevant information will also be conveyed through the following experiences in the Microsoft 365 Defender portal:
+
+### Security recommendations
+
+Search for **CVE-2021-44228** to see security recommendations addressing the Log4Shell vulnerability:
++
+### Software inventory
+
+ On the software inventory page, search for **CVE-2021-44228** to see details about the Log4j software installations and exposure:
++
+### Weaknesses
+
+On the weaknesses page, search for **CVE-2021-44228** to see information about the Log4Shell vulnerability:
++
+## Use advanced hunting
+
+You can use the following advanced hunting query to identify vulnerabilities in installed software on devices:
+
+ ```text
+ DeviceTvmSoftwareVulnerabilities
+ | where CveId in ("CVE-2021-44228", "CVE-2021-45046")
+ ```
+
+You can use the following advanced hunting query to identify vulnerabilities in installed software on devices to surface file-level findings from the disk:
+
+ ```text
+ DeviceTvmSoftwareEvidenceBeta
+ | mv-expand DiskPaths
+ | where DiskPaths contains "log4j"
+ | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths
+ ```
+
+## Related articles
+
+- [Threat and vulnerability management overview](http://next-gen-threat-and-vuln-mgt.md)
+- [Security recommendations](tvm-security-recommendation.md)
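Review bot: The Windows revert command inside the Powershell fence passes the variable name as `"LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS"`. Backslashes are literal inside a fenced block, so a copied command names a variable that does not match the LOG4J_FORMAT_MSG_NO_LOOKUPS shown in the mitigation status table and leaves the workaround in place. Drop the escapes there, and align the indented opening fence with its unindented closing fence. The introduction names both CVE-2021-44228 and CVE-2021-45046, but the mitigation section does not say which of the two the LOG4J_FORMAT_MSG_NO_LOOKUPS workaround covers; state that explicitly, since readers will use the "Workaround applied" status to prioritize patching. Smaller points: the first CVE link uses `name=2021-44228` without the `CVE-` prefix the second link has; the Related articles link `http://next-gen-threat-and-vuln-mgt.md` should be the relative `next-gen-threat-and-vuln-mgt.md` used under "Applies to"; `<sup>[1]` is never closed and its footnote is labelled "(1)"; the lead-in to the second hunting query repeats the first one before reaching "file-level findings"; and there are typos in "keywords: tvm, lo4j", "To enable Log4 detection" and "JDNI lookups".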
security Safe Attachments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments.md
The following table describes scenarios for Safe Attachments in Microsoft 365 an
||| |Pat's Microsoft 365 E5 organization has no Safe Attachments policies configured.|Pat is protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.| |Lee's organization has a Safe Attachments policy that applies only to finance employees. Lee is a member of the sales department.|Lee and the rest of the sales department are protected by Safe Attachments due to the **Built-in protection** preset security policy that applies to all recipients who are not otherwise defined in Safe Attachments policies.|
-|Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment.|Jean is protected by Safe Attachments due to that custom Safe Attachments policy. <p> Typically, it takes about 30 minutes for a new policy to take effect.|
-|Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients.|Chis is protected by Safe Attachments. <p> If the external recipients in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments.|
+|Yesterday, an admin in Jean's organization created a Safe Attachments policy that applies to all employees. Earlier today, Jean received an email message that included an attachment.|Jean is protected by Safe Attachments due to that custom Safe Attachments policy. <br/><br/> Typically, it takes about 30 minutes for a new policy to take effect.|
+|Chris's organization has long-standing Safe Attachments policies for everyone in the organization. Chris receives an email that has an attachment, and then forwards the message to external recipients.|Chis is protected by Safe Attachments. <br/><br/> If the external recipients in a Microsoft 365 organization, then the forwarded messages are also protected by Safe Attachments.|
Safe Attachments scanning takes place in the same region where your Microsoft 365 data resides. For more information about datacenter geography, see [Where is your data located?](https://products.office.com/where-is-your-data-located?geo=All)
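Review bot: The replacement row for Chris carries over two errors from the removed line: "Chis is protected" and "If the external recipients in a Microsoft 365 organization", which is missing its verb. Since the row is being rewritten for the `<p>` to `<br/><br/>` swap anyway, fix both in the same change ("Chris is protected", "If the external recipients are in a Microsoft 365 organization").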
This section describes the settings in Safe Attachments policies:
|Option|Effect|Use when you want to:| ||||
- |**Off**|Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by [anti-malware protection in EOP](anti-malware-protection.md).|Turn scanning off for selected recipients. <p> Prevent unnecessary delays in routing internal mail. <p> **This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP will not quarantine messages if Safe Attachments is turned off and a malware signal is not received. For details, see [Zero-hour auto purge](zero-hour-auto-purge.md)**|
- |**Monitor**|Delivers messages with attachments and then tracks what happens with detected malware. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|See where detected malware goes in your organization.|
- |**Block**|Prevents messages with detected malware attachments from being delivered. <p> Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <p> Automatically blocks future instances of the messages and attachments. <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <p> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
- |**Replace**|Removes detected malware attachments. <p> Notifies recipients that attachments have been removed. <p> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <p> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
- |**Dynamic Delivery**|Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. <p> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <p> For details, see the [Dynamic Delivery in Safe Attachments policies](#dynamic-delivery-in-safe-attachments-policies) section later in this article.|Avoid message delays while protecting recipients from malicious files.|
+ |**Off**|Attachments aren't scanned for malware by Safe Attachments. Messages are still scanned for malware by [anti-malware protection in EOP](anti-malware-protection.md).|Turn scanning off for selected recipients. <br/><br/> Prevent unnecessary delays in routing internal mail. <br/><br/> **This option is not recommended for most users. You should only use this option to turn off Safe Attachments scanning for recipients who only receive messages from trusted senders. ZAP will not quarantine messages if Safe Attachments is turned off and a malware signal is not received. For details, see [Zero-hour auto purge](zero-hour-auto-purge.md)**|
+ |**Monitor**|Delivers messages with attachments and then tracks what happens with detected malware. <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|See where detected malware goes in your organization.|
+ |**Block**|Prevents messages with detected malware attachments from being delivered. <br/><br/> Messages are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> Automatically blocks future instances of the messages and attachments. <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Protects your organization from repeated attacks using the same malware attachments. <br/><br/> This is the default value, and the recommended value in Standard and Strict [preset security policies](preset-security-policies.md).|
+ |**Replace**|Removes detected malware attachments. <br/><br/> Notifies recipients that attachments have been removed. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> Delivery of safe messages might be delayed due to Safe Attachments scanning.|Raise visibility to recipients that attachments were removed because of detected malware.|
+ |**Dynamic Delivery**|Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete. <br/><br/> Messages that contain malicious attachments are quarantined. By default, only admins (not users) can review, release, or delete the messages.<sup>\*</sup> <br/><br/> For details, see the [Dynamic Delivery in Safe Attachments policies](#dynamic-delivery-in-safe-attachments-policies) section later in this article.|Avoid message delays while protecting recipients from malicious files.|
<sup>\*</sup> Admins can create and assign _quarantine policies_ in Safe Attachments policies that define what users are allowed to do to quarantined messages. For more information, see [Quarantine policies](quarantine-policies.md).
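Review bot: In the **Block** row, the third column reads "Protects your organization from repeated attacks", which does not follow from the column header "Use when you want to:". Every other row uses the bare verb (Turn, See, Raise, Avoid), so change it to "Protect your organization". The bold warning in the **Off** row also ends at the Zero-hour auto purge link without a closing period. Both are carried over unchanged from the removed rows and are cheap to fix while the rows are being touched.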
solutions Best Practices Anonymous Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/best-practices-anonymous-sharing.md
To set an expiration date for Anyone links on a specific site
Note that once an *Anyone* link expires, the file or folder can be re-shared with a new *Anyone* link.
-You can set *Anyone* link expiration for a specific OneDrive by using [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite).
+You can set *Anyone* link expiration for a specific site by using [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite).
+
+```powershell
+Set-SPOSite -Identity https://contoso.sharepoint.com/sites/marketing -OverrideTenantAnonymousLinkExpirationPolicy $true -AnonymousLinkExpirationInDays 15
+```
## Set link permissions
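Review bot: The added `Set-SPOSite` example follows the sentence with no lead-in and does not say what its two parameters do. Add a line such as "For example, to expire Anyone links on the marketing site after 15 days:" and note that `-OverrideTenantAnonymousLinkExpirationPolicy $true` is set alongside `-AnonymousLinkExpirationInDays`, so readers do not copy only the second parameter. It would also help to say how to return the site to the organization-level setting, since the example only shows the override being turned on.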