Updates from: 04/29/2023 01:21:37
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft Office Activations Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-office-activations-ww.md
search.appverid:
- MOE150 - GEA150 ms.assetid: 87c24ae2-82e0-4d1e-be01-c3bcc3f18c60
-description: "Learn how to get an Office Activation report to know which users have activated their Office subscription, and identify users that might need additional help."
+description: "Learn how to get an Office Activation report to know which users have activated their Microsoft 365 subscription, and identify users that might need additional help."
# Microsoft 365 Reports in the admin center - Microsoft Office activations
You can also export the report data into an Excel .csv file by selecting the **E
|Username <br/> |The email address of the user. <br/> | |Display name <br/> |The full name of the user. <br/> | |Product licenses <br/> |The products that are assigned to this user. <br/> |
-|Last activated date(UTC) <br/> |The date the user activated Office on a desktop or a device. <br/> |
-|Activation on Windows computers <br/> |The number of Windows desktops a user activated Office on. <br/> |
-|Activation on Mac computers <br/> |The number of Mac desktops a user activated Office on.|
-|Activation on Windows 10 phones and tablets <br/> |The number of Windows 10 mobile devices a user activated Office on. <br/> |
-|Activation on iOS phones and tablets <br/> |The number of iOS devices a user activated Office on.|
-|Activation on Android phones and tablets <br/> |The number of Android devices a user activated Office on. <br/> |
-|Used Shared Computer Activation |This is true if the user used Office through shared computer activation.|
+|Last activated date(UTC) <br/> |The date the user activated Microsoft 365 on a desktop or a device. <br/> |
+|Activation on Windows computers <br/> |The number of Windows desktops a user activated Microsoft 365 on. <br/> |
+|Activation on Mac computers <br/> |The number of Mac desktops a user activated Microsoft 365 on.|
+|Activation on Windows 10 phones and tablets <br/> |The number of Windows 10 mobile devices a user activated Microsoft 365 on. <br/> |
+|Activation on iOS phones and tablets <br/> |The number of iOS devices a user activated Microsoft 365 on.|
+|Activation on Android phones and tablets <br/> |The number of Android devices a user activated Microsoft 365 on. <br/> |
+|Used Shared Computer Activation |This is true if the user used Microsoft 365 through shared computer activation.|
|||
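Review bot: The product name is now inconsistent within this one article: the changed rows say users activate "Microsoft 365", the new description still calls it an "Office Activation report", and the H1 kept as context still reads "Microsoft Office activations". If the report name is a UI string that has not been renamed, say so once and keep it; otherwise align the description and heading with the row text so admins searching for the report find a single name.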
admin Add In Deployment Email Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/add-in-deployment-email-alerts.md
The following sections provide more information about what the email alert would
The following are some key capabilities available to users as part of the email alert sent for Excel, PowerPoint, and Word add-in deployment. -- Email provides details about the add-in such as brief description, deployment date, and supported Office Apps and respective versions.-- Email provides buttons to launch the add-in in the respective Office Apps on the web, on Windows, and on Mac platforms to help make the add-in easier to discover. **Note**: The launch buttons are currently not supported for iPad clients.
+- Email provides details about the add-in such as brief description, deployment date, and supported Microsoft 365 apps and respective versions.
+- Email provides buttons to launch the add-in in the respective Microsoft 365 apps on the web, on Windows, and on Mac platforms to help make the add-in easier to discover. **Note**: The launch buttons are currently not supported for iPad clients.
:::image type="content" source="../../media/email-sample-excel-powerpoint-word-add-in.png" alt-text="Email sample for when Excel, PowerPoint, or Word add-ins are deployed.":::
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
Centralized Deployment is the recommended and most feature-rich way for most cus
Centralized Deployment provides the following benefits: - An admin can deploy and assign an add-in directly to a user, to multiple users via a group, or to everyone in the organization (see Admin requirement section for information).-- When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.
+- When the relevant Microsoft 365 app starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Microsoft 365 app.
- Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.
-Centralized Deployment supports three desktop platforms Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).
+Centralized Deployment supports three desktop platforms Windows, Mac and Microsoft 365 for the web. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only).
It can take up to 24 hours for an add-in to show up for client for all users. ## Before you begin
-Centralized deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3) (and are signed into Office using their organizational ID), Office 365 Education licenses (A1/A3/A5), or Microsoft 365 Education licenses (A3/A5), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Azure Active Directory.
-You can view specific requirements for Office and Exchange below, or use the [Centralized Deployment Compatibility Checker](#centralized-deployment-compatibility-checker).
+Centralized deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3) (and are signed in Microsoft 365 using their organizational ID), Office 365 Education licenses (A1/A3/A5), or Microsoft 365 Education licenses (A3/A5), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Azure Active Directory.
+You can view specific requirements for Microsoft 365 and Exchange below, or use the [Centralized Deployment Compatibility Checker](#centralized-deployment-compatibility-checker).
Centralized Deployment doesn't support the following:
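Review bot: In the rewritten requirements sentence, "(and are signed in Microsoft 365 using their organizational ID)" dropped the preposition that "signed into Office" had; it should read "signed in to Microsoft 365". The parenthetical also sits in the middle of the license list, so it reads as applying only to the Enterprise licenses; moving it to the end of the list would make the sign-in requirement apply to every license type. Separately, the platform sentence now reads "three desktop platforms Windows, Mac and Microsoft 365 for the web": it needs a colon after "platforms", and the web is not a desktop platform, so "three platforms:" would be more accurate.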
Centralized Deployment doesn't support the following:
- Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins. - Deployments of Microsoft 365 that do not include Exchange Online such as SKUs: Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.
-### Office Requirements
+### Microsoft 365 Requirements
- For Word, Excel, and PowerPoint add-ins, your users must be using one of the following: - On a Windows device, Version 1704 or later of Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3).
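Review bot: Renaming the heading from "### Office Requirements" to "### Microsoft 365 Requirements" changes the section's generated anchor, so any link that targets the old section name needs to be updated in the same change. The sentence added earlier in this file, "You can view specific requirements for Microsoft 365 and Exchange below", depends on this heading, so the two should stay worded the same way.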
When the tool finishes running, it produces an output file in comma-separated (.
- User Name - User ID (User's email address) - Centralized Deployment ready - If the remaining items are true-- Office plan - The plan of Office they are licensed for-- Office Activated - If they have activated Office
+- Microsoft 365 plan - The plan of Office they are licensed for
+- Microsoft 365 Activated - If they have activated Microsoft 365
- Supported Mailbox - If they are on an OAuth-enabled mailbox Should your Microsoft 365 reports show anonymous user names instead of actual user names, fix this issue by changing the reports setting in Microsoft 365 admin center. For detailed steps, see [Microsoft 365 reports show anonymous user names instead of actual user names](/office365/troubleshoot/miscellaneous/reports-show-anonymous-user-name).
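Review bot: These bullets describe fields in the output file the Compatibility Checker produces, so renaming "Office plan" and "Office Activated" to "Microsoft 365 plan" and "Microsoft 365 Activated" is only correct if the tool's output uses the new names; otherwise admins parsing or reading the file will not find the fields the article lists. Please confirm against the tool's actual output. The first new bullet is also half-renamed: "Microsoft 365 plan - The plan of Office they are licensed for" still says "Office" in the description.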
Alternately, you can use the Azure Active Directory Graph API to run queries to
### Contacting Microsoft for support
-If you or your users encounter problems loading the add-in while using Office apps for the web (Word, Excel, etc.), which were centrally deployed, you may need to contact Microsoft support ([learn how](../../business-video/get-help-support.md). Provide the following information about your Microsoft 365 environment in the support ticket.
+If you or your users encounter problems loading the add-in while using Microsoft 365 apps for the web (Word, Excel, etc.), which were centrally deployed, you may need to contact Microsoft support ([learn how](../../business-video/get-help-support.md). Provide the following information about your Microsoft 365 environment in the support ticket.
|Platform|Debug information| |||
-|Office|Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>`|
+|Microsoft 365|Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>`|
|Rich clients (Windows, Mac)|Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**)| ## Related content
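Review bot: The rewritten support sentence keeps an unbalanced parenthesis, "([learn how](../../business-video/get-help-support.md).", which is missing its closing ")" before the period. In the changed table row, the `**` bold markers sit inside the inline code spans for the `wdCorrelationId` sample, so they will render as literal asterisks and spaces in the attribute name and value; drop them from the code span and call out the field in the surrounding text instead. The row label "Microsoft 365" is also broader than the "Rich clients (Windows, Mac)" row beneath it, while the cell text still says "one of the office pages"; "Microsoft 365 for the web" would match the terminology used elsewhere in this change.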
If you or your users encounter problems loading the add-in while using Office ap
[Deploy add-ins in the admin center](../manage/manage-deployment-of-add-ins.md) (article)\ [Manage add-ins in the admin center](manage-addins-in-the-admin-center.md) (article)\ [Centralized Deployment FAQ](../manage/centralized-deployment-faq.yml) (article)\
-[Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)
+[Upgrade your Microsoft 365 for business users to the latest version](../setup/upgrade-users-to-latest-office-client.md) (article)
admin Customize The App Launcher https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/customize-the-app-launcher.md
To delete a custom tile, from the **Custom tiles** window, select the tile, sele
## Related content [Pin apps to your users' app launcher](pin-apps-to-app-launcher.md) (article)\
-[Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)\
+[Upgrade your Microsoft 365 for business users to the latest version](../setup/upgrade-users-to-latest-office-client.md) (article)\
[Manage add-ins in the admin center](../manage/manage-addins-in-the-admin-center.md) (article)
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
Post deployment, admins can also manage user access to add-ins.
4. Save the changes.
-## Prevent add-in downloads by turning off the Office Store across all clients (Except Outlook)
+## Prevent add-in downloads by turning off the Office Store across all apps (Except Outlook)
> [!NOTE] > Outlook add-in installation is managed by a [different process](/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins).
To prevent a user from signing in with a Microsoft account, you can restrict log
After you deploy an add-in, your end users can start using it in their Office applications. The add-in appears on all platforms that the add-in supports. See [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862).
-If the add-in supports add-in commands, the commands appear on the Office ribbon. In the following example, the command **Search Citation** appears for the **Citations** add-in.
+If the add-in supports add-in commands, the commands appear in the ribbon. In the following example, the command **Search Citation** appears for the **Citations** add-in.
-![Office ribbon with Search Citations.](../../media/553b0c0a-65e9-4746-b3b0-8c1b81715a86.png)
+![Microsoft 365 ribbon with Search Citations.](../../media/553b0c0a-65e9-4746-b3b0-8c1b81715a86.png)
If the deployed add-in doesn't support add-in commands or if you want to view all deployed add-ins, you can view them via **My Add-ins**.
admin Manage Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-deployment-of-add-ins.md
Before you begin, see [Determine if Centralized Deployment of add-ins works for
7. A green tick appears when the add-in is deployed. Follow the on-page instructions to test the add-in. > [!NOTE]
- > Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
+ > Users might need to relaunch Microsoft 365 to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
8. When finished, select **Next**. If you've deployed to just yourself, you can select **Change who has access to add-in** to deploy to more users.
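Review bot: In the changed note, "Users might need to relaunch Microsoft 365" no longer tells the user what to restart, because Microsoft 365 is the suite rather than a single application. Suggest "relaunch the Microsoft 365 app" (or "the relevant Microsoft 365 app", matching the wording used for add-in updates in this same file) so the instruction is actionable.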
When updating a manifest, the typical changes are to an add-in's icon and text.
Updates for add-ins happen as follows: -- **Line-of-business add-in:** In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Line-of-business add-in:** In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.
> [!NOTE] > Admin does not need to remove a LOB Add-in for doing an update. In the Add-ins section, Admin can simply click on the LOB Add-in and choose the **Update Button** in the bottom right corner. Update will work only if the version of the new add-in is greater than that of the existing add-in.
admin Minors And Acquiring Addins From The Store https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/minors-and-acquiring-addins-from-the-store.md
A user is determined to be a minor based on data specified in Azure Active Direc
If the parent/guardian consents to a minor using a specific add-In, then the organization admin can use centralized deployment to deploy that add-In to all minors who have consent.
-To be GDPR compliant for minors you need to ensure that one of following builds of Office is deployed in your school/organization.
+To be GDPR compliant for minors you need to ensure that one of following builds is deployed in your school/organization.
**For Word, Excel, PowerPoint, and Project**:
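Review bot: Removing "of Office" leaves "one of following builds is deployed" without saying builds of what, and this sentence states a compliance requirement, so it should stay precise. Suggest naming the product the build numbers below refer to, for example "one of the following builds of the Microsoft 365 apps", and adding the missing "the" before "following".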
To be GDPR compliant for minors you need to ensure that one of following builds
Word, Excel, and PowerPoint 2013 for Windows will support the same minors checks if Active Directory Authentication Library (ADAL) is enabled. There are two options for compliance, as explained next. -- **Enable ADAL**. This article explains how to enable ADAL for Office 2013: [Using Microsoft 365 modern authentication with Office clients](../../enterprise/modern-auth-for-office-2013-and-2016.md).<br/>You also need to set the registry keys to enable ADAL as explained in [Enable Modern Authentication for Office 2013 on Windows devices](../security-and-compliance/enable-modern-authentication.md).<br/>Additionally, you need to install the following April updates for Office 2013:
+- **Enable ADAL**. This article explains how to enable ADAL for Office 2013: [How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md).<br/>You also need to set the registry keys to enable ADAL as explained in [Enable Modern Authentication for Office 2013 on Windows devices](../security-and-compliance/enable-modern-authentication.md).<br/>Additionally, you need to install the following April updates for Office 2013:
- [Description of the security update for Office 2013: April 10, 2018](https://support.microsoft.com/help/4018330/description-of-the-security-update-for-office-2013-april-10-2018) - [April 3, 2018, update for Office 2013 (KB4018333)](https://support.microsoft.com/help/4018333/april-3-2018-update-for-office-2013-kb4018333) -- **Don't enable ADAL**. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the Office clients. Information on how to turn off the app for Office settings is located [here](/previous-versions/office/office-2013-resource-kit/cc178992(v=office.15)).
+- **Don't enable ADAL**. If you're unable to enable ADAL in Office 2013, then our recommendation is to use Group Policy to turn off the Store for the Office apps. Information on how to turn off the app for Office settings is located [here](/previous-versions/office/office-2013-resource-kit/cc178992(v=office.15)).
## Related articles
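Review bot: The "Enable ADAL" bullet rewritten here still says "install the following April updates for Office 2013" without a year; the two linked updates are dated April 10, 2018 and April 3, 2018, so "April 2018 updates" would remove the ambiguity. In the "Don't enable ADAL" bullet, the link text "here" gives no indication of the target; a descriptive link title would be clearer for readers applying the Group Policy setting.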
admin Release Options In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/release-options-in-office-365.md
description: "Learn how to set up the release option for new product and feature
# Set up the Standard or Targeted release options > [!IMPORTANT]
-> The Microsoft 365 updates described in this article apply to OneDrive for Business, SharePoint Online, Office for the web, Microsoft 365 admin center, some components of Exchange Online and Microsoft Teams. These release options are targeted, best effort ways to release changes to Microsoft 365 but cannot be guaranteed at all times or for all updates. They do not currently apply to services other than those listed previously. For information about release options for Microsoft 365 Apps, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels).
+> The Microsoft 365 updates described in this article apply to OneDrive for Business, SharePoint Online, Microsoft 365 for the web, Microsoft 365 admin center, some components of Exchange Online and Microsoft Teams. These release options are targeted, best effort ways to release changes to Microsoft 365 but cannot be guaranteed at all times or for all updates. They do not currently apply to services other than those listed previously. For information about release options for Microsoft 365 Apps, see [Overview of update channels for Microsoft 365 Apps](/deployoffice/overview-update-channels).
With Microsoft 365, you receive new product updates and features as they become available instead of doing costly updates every few years. You can manage how your organization receives these updates. For example, you can sign up for an early release so that your organization receives updates first. You can designate that only certain individuals receive the updates. Or, you can remain on the default release schedule and receive the updates later. This article explains the different release options and how you can use them for your organization.
Discover how to [manage messages](/office365/admin/manage/message-center) in you
## Related content
-[Join the Office Insider Program](https://insider.office.com/join/windows) (article)
+[Join the Microsoft 365 Insider Program](https://insider.office.com/join/windows) (article)
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
You can manage testing and deployment of purchased and licensed Microsoft 365 Ap
An Enhanced Teams App is an upgraded version of a Teams App with a manifest version greater than or equal to v1.13. This app can work across Teams, Outlook, and the Microsoft 365 App (formerly known as Office.com). Going forward, app developers won't need to build different apps for different platforms. They can submit a single app package that will work across Teams, Outlook, and the Microsoft 365 App. Enhanced Teams Apps may be subject to different terms than other Office add-ins or Teams Apps. Read your license agreement for more details.
-Previously, for an app to work in Teams, Outlook, and the Microsoft 365 App, admins needed to manage each app independently across the Teams Admin Center, Exchange Admin Center, and Microsoft 365 Admin Center. With the Enhanced Teams Apps, admins can manage the app once, and enable a single, connected experience for end-users across Teams, Outlook, and the Microsoft 365 App from the Integrated Apps page on the Microsoft 365 Admin center.
+Previously, for an app to work in Teams, Outlook, and the Microsoft 365 App, admins needed to manage each app independently across the Teams admin center, Exchange admin center, and Microsoft 365 admin center. With the Enhanced Teams Apps, admins can manage the app once, and enable a single, connected experience for end-users across Teams, Outlook, and the Microsoft 365 App from the Integrated Apps page on the Microsoft 365 Admin center.
The management of Enhanced Teams Apps is currently only available to global admins. The following sections will tell you more about the management tools available for Enhanced Teams Apps. ### Block or Unblock Enhanced Teams Apps in the Integrated Apps portal
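Review bot: The casing fix is incomplete in the changed paragraph: it lowercases "Teams admin center, Exchange admin center, and Microsoft 365 admin center" but the same sentence still ends with "the Microsoft 365 Admin center". Change that last occurrence to "Microsoft 365 admin center" so the paragraph is consistent with the rest of this change.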
-As a global admin, you can manage Enhanced Teams Apps on Microsoft 365 (formerly known as Office.com) and Outlook via Integrated Apps on the Microsoft 365 Admin Center.
+As a global admin, you can manage Enhanced Teams Apps on Microsoft 365 (formerly known as Office.com) and Outlook via Integrated Apps on the Microsoft 365 admin center.
This feature is currently available to global admins only and only targets Microsoft 365 and Outlook. By default, all Enhanced Teams Apps will be allowed to all users in your organization on Microsoft 365 and Outlook. For now, any changes made to an Enhanced Teams App will only appear in Microsoft 365 and Outlook. Teams is not supported at this time.
-You can control how users install these apps from the store on Integrated Apps in the Microsoft 365 Admin Center through the Available Apps and Blocked Apps.
+You can control how users install these apps from the store on Integrated Apps in the Microsoft 365 admin center through the Available Apps and Blocked Apps.
#### How to see Available and Blocked Apps in your organization
-1. Sign in to Microsoft 365 Admin Center as a Global Administrator.
+1. Sign in to Microsoft 365 admin center as a Global Administrator.
2. Select **Settings**, then select **Integrated Apps**.
-3. Select the **Available Apps** or **Blocked Apps** list. Here you can view the status of all Enhanced Teams Apps in the public catalog and any custom line-of-business apps uploaded from Teams Admin Center or Microsoft 365 Admin Center.
+3. Select the **Available Apps** or **Blocked Apps** list. Here you can view the status of all Enhanced Teams Apps in the public catalog and any custom line-of-business apps uploaded from Teams admin center or Microsoft 365 admin center.
:::image type="content" alt-text="Available apps list." source="../../media/apps-status.png" lightbox="../../media/apps-status.png":::
You can control how users install these apps from the store on Integrated Apps i
4. Select an Enhanced Teams App to view more details about the app, applicable host products, and availability status within your organization.
-Custom line-of-business Enhanced Teams Apps uploaded from Teams Admin Center or Microsoft 365 Admin Center can be viewed on Integrated Apps. These apps will appear in the store for Teams, Microsoft 365, and Outlook based on the policies set for the app, similar to public apps submitted via the Partner Center.
+Custom line-of-business Enhanced Teams Apps uploaded from Teams admin center or Microsoft 365 admin center can be viewed on Integrated Apps. These apps will appear in the store for Teams, Microsoft 365, and Outlook based on the policies set for the app, similar to public apps submitted via the Partner Center.
-- You can manage these apps from the Teams Admin Center or the Microsoft 365 Admin Center. Any policy set from the Teams Admin Center will reflect on the Teams client.-- Any policy set from the Microsoft 365 Admin Center will reflect in Microsoft 365 and Outlook.
+- You can manage these apps from the Teams admin center or the Microsoft 365 admin center. Any policy set from the Teams admin center will reflect on the Teams client.
+- Any policy set from the Microsoft 365 admin center will reflect in Microsoft 365 and Outlook.
Since all Enhanced Teams Apps are allowed by default to all users on Microsoft 365 and Outlook, all apps will show the status **All users in the organization can install**. This means that the app is available for all users in your organization to install and use on Microsoft 365 and Outlook.
Since all Enhanced Teams Apps are allowed by default to all users on Microsoft 3
You can block an app for all users in your organization to restrict them from downloading and using the app in Microsoft 365 and Outlook.
-1. Sign in to M365 Admin Center as a Global Administrator.
+1. Sign in to Microsoft 365 admin center as a Global Administrator.
2. Select **Settings**, and then select **Integrated Apps**. 3. Select the **Available Apps** list. 4. Select an app from the **Available Apps** list to open the overview pane.
When you choose to block an app, it will be blocked for all users in your organi
:::image type="content" alt-text="How to block an app." source="../../media/to-block-app.png" lightbox="../../media/to-block-app.png"::: > [!NOTE]
-> Currently, the Enhanced Teams App will only be blocked in Microsoft 365 and Outlook. Teams will continue to honor the current setting for Teams Apps made in the Teams Admin Center and for Outlook add-ins made in the Exchange Admin Center.
+> Currently, the Enhanced Teams App will only be blocked in Microsoft 365 and Outlook. Teams will continue to honor the current setting for Teams Apps made in the Teams admin center and for Outlook add-ins made in the Exchange admin center.
#### How to unblock an app You can unblock an Enhanced Teams App so that it can start showing up in Microsoft 365 and Outlook.
-1. Sign in to M365 Admin Center as a Global Administrator.
+1. Sign in to Microsoft 365 admin center as a Global Administrator.
2. Select **Settings**, and then select **Integrated Apps**. 3. Select the **Blocked Apps** list. 4. Select an app from the **Blocked Apps** list to launch the overview pane.
You can unblock an Enhanced Teams App so that it can start showing up in Microso
### What happens to your existing settings for Teams and Outlook?
-Any existing settings made from the Teams Admin Center will continue to be honored on the Teams client.
+Any existing settings made from the Teams admin center will continue to be honored on the Teams client.
As an example, the _Foo_ Teams app recently upgraded to an Enhanced Teams app and is now available for Teams, Outlook, and Microsoft 365 (formerly known as Office.com). |&nbsp;|Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client| |||||
-|**If you had previously blocked the Foo Teams App on Teams Admin Center**|Users in your organization cannot download and use Foo on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 Admin Center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 Admin Center.|
-|**If you had previously allowed the Foo Teams App on Teams Admin Center**|Users in your organization can download and use the Foo Enhanced Teams App on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 Admin Center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 Admin Center.|
+|**If you had previously blocked the Foo Teams App on Teams admin center**|Users in your organization cannot download and use Foo on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
+|**If you had previously allowed the Foo Teams App on Teams admin center**|Users in your organization can download and use the Foo Enhanced Teams App on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
-Now that _Foo_ is an Enhanced Teams App, you can make changes to its availability from the Microsoft 365 Admin Center.
+Now that _Foo_ is an Enhanced Teams App, you can make changes to its availability from the Microsoft 365 admin center.
|&nbsp;|Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client| |||||
-|**If you block Foo Enhanced Teams App on Microsoft 365 Admin Center**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams Admin Center.|Users in your organization cannot download the Foo Enhanced Teams App in Microsoft 365, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|Users in your organization cannot download the Foo Enhanced Teams App on Outlook, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|
-|**If you unblock Foo Enhanced Teams App on Microsoft 365 Admin Center.**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams Admin Center.|Users in your organization can download and use Foo Enhanced Teams App on Microsoft 365. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|
+|**If you block Foo Enhanced Teams App on Microsoft 365 admin center**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams admin center.|Users in your organization cannot download the Foo Enhanced Teams App in Microsoft 365, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|Users in your organization cannot download the Foo Enhanced Teams App on Outlook, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|
+|**If you unblock Foo Enhanced Teams App on Microsoft 365 admin center.**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams admin center.|Users in your organization can download and use Foo Enhanced Teams App on Microsoft 365. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|
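Review bot: The added block row still mixes "Foo Enhanced Teams App" and "Foo enhanced teams app" in its Microsoft 365 and Outlook cells, and the bold label of the added unblock row ends with a period inside the bold ("...admin center.**") while the block row's label does not. These rows are already being rewritten for casing, so normalize the app name and drop the stray period in the same change.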
### Managing Office add-ins and Teams Apps You can continue to manage access to Office add-ins and Teams apps via the following settings: - Org Settings for access to Word, Excel, and PowerPoint Add-ins-- Exchange Admin Center for Outlook Add-ins-- Teams Admin Center for Teams Apps
+- Exchange admin center for Outlook Add-ins
+- Teams admin center for Teams Apps
-You can continue to [deploy Office Add-ins via Integrated Apps](test-and-deploy-microsoft-365-apps.md#deploy-an-office-add-in-using-the-admin-center) and [Teams Apps via Teams Admin Center](/microsoftteams/manage-apps).
+You can continue to [deploy Office Add-ins via Integrated Apps](test-and-deploy-microsoft-365-apps.md#deploy-an-office-add-in-using-the-admin-center) and [Teams Apps via Teams admin center](/microsoftteams/manage-apps).
#### How to deploy an Enhanced Teams app
-As a global admin, you can now deploy an Enhanced Teams App on Teams, Outlook, and Microsoft 365 (formerly known as Office.com) to a specific set of users, the entire organization, or just to yourself from Integrated Apps on Microsoft 365 Admin Center. Deploying an Enhanced Teams Apps means that it will be pre-installed for the selected users on the applicable hosts of the app.
+As a global admin, you can now deploy an Enhanced Teams App on Teams, Outlook, and Microsoft 365 (formerly known as Office.com) to a specific set of users, the entire organization, or just to yourself from Integrated Apps on Microsoft 365 admin center. Deploying an Enhanced Teams Apps means that it will be pre-installed for the selected users on the applicable hosts of the app.
-1. Sign in to M365 Admin Center as a Global Administrator.
+1. Sign in to Microsoft 365 admin center as a Global Administrator.
2. Select **Settings** and then select **Integrated Apps**. 3. Select **Get apps** in the **Deployed Apps** list. This opens up AppSource in embedded form from where you can select the Enhanced Teams App that you want to deploy. 4. Next, you will see the deployment screen where general information about the app is given and the applicable products on which the app will be deployed.
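Review bot: The added paragraph carries over the number mismatch "Deploying an Enhanced Teams Apps means" from the removed line; make it "Deploying an Enhanced Teams App means". The paragraph also says "global admin" while the added step 1 says "Global Administrator", and both "on Microsoft 365 admin center" and "Sign in to Microsoft 365 admin center" would read better with "the" before the product name.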
Office Add-ins help you personalize your documents and streamline the way you ac
Add-ins provides the following benefits: -- When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.
+- When the relevant Microsoft 365 app starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Microsoft 365 app.
- Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.
-Add-ins are supported in three desktop platforms Windows, Mac and Online Office apps. It is also supported in iOS and Android (Outlook Mobile Add-ins Only).
+Add-ins are supported in three desktop platforms Windows, Mac and Microsoft 365 for the web. It is also supported in iOS and Android (Outlook Mobile Add-ins Only).
It can take up to 24 hours for an add-in to show up for client for all users.
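Review bot: The added sentence still describes "three desktop platforms Windows, Mac and Microsoft 365 for the web", but Microsoft 365 for the web is not a desktop platform, so the sentence contradicts itself after the rename. Suggest "Add-ins are supported on three platforms: Windows, Mac, and Microsoft 365 for the web. They are also supported on iOS and Android (Outlook mobile add-ins only)."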
Today both Exchange Admins and Global Admins can deploy add-ins from Integrated
### Before you begin
-Deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3). The users also need to be signed into Office using their organizational ID) and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory.
+Deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3). The users also need to be signed into Microsoft 365 using their organizational ID) and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory.
Deployment doesn't support the following:
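Review bot: The added requirements line keeps the unmatched closing parenthesis in "signed into Microsoft 365 using their organizational ID)"; remove it while this sentence is being edited. The last sentence, "must either be in, or federated to Azure Active Directory", also lacks the comma that closes the aside ("in, or federated to, Azure Active Directory").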
Deployment doesn't support the following:
- Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins. - Deployments of Microsoft 365 that do not include Exchange Online such as Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.
-### Office Requirements
+### Microsoft 365 Requirements
For Word, Excel, and PowerPoint add-ins, your users must be using one of the following:
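Review bot: Renaming the heading from "### Office Requirements" to "### Microsoft 365 Requirements" changes the anchor generated from it, so any link that targets the old heading anchor stops resolving; check for inbound links before merging. The new heading also keeps the capital "R" while the neighbouring "### Before you begin" uses sentence case.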
Depending on the size of the target audience, you can add or remove roll-out ste
7. A green "tick" icon appears when the add-in is deployed. Follow the on-page instructions to test the add-in. > [!NOTE]
-> Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
+> Users might need to relaunch Microsoft 365 to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
It's good practice to inform users and groups that the deployed add-in is available. Consider sending an email that describes when and how to use the add-in. Include or link to help content or FAQs that might help users if they have problems with the add-in.
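Review bot: "relaunch Microsoft 365" in the added note names the subscription rather than something a user can restart, and other added lines in this change say "the relevant Microsoft 365 app" and "the relevant Microsoft 365 apps". Suggest "Users might need to relaunch the Microsoft 365 app to view the add-in icon on the app ribbon."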
When updating a manifest, the typical changes are to an add-in's icon and text.
Updates for add-ins happen as follows: -- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.
-- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.
> [!NOTE] > For Word, Excel, and PowerPoint use a [SharePoint App Catalog](/sharepoint/dev/sp-add-ins/publish-sharepoint-add-ins) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
admin Plan Your Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/plan-your-setup.md
The table below outlines each choice.
|&nbsp;|**Option 1** ΓÇô Sign in with Outlook, Hotmail, Yahoo, Gmail or other email account |**Option 2** ΓÇô Add a business domain and create a new business email account | ||||
-|Available apps and services|Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. You'll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other).|Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. Microsoft 365 Business Basic with Option 2 also lets you access a wide range of additional
+|Available apps and services|Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. This set of apps is best for very small businesses who don't need branded email immediately, or who already use branded email from a different provider and do not intend to switch to use Microsoft Exchange. You'll use Outlook with your existing email account (be it outlook.com, Hotmail, Yahoo, Gmail or other).|Use Word for the web, Excel for the web, PowerPoint for the web, Teams for the web and Access for the web. OneDrive and SharePoint desktop app are included. Microsoft 365 Business Basic with Option 2 also lets you access a wide range of additional
|Required knowledge|Let's you get started without technical know-how.|Requires you to buy a domain, or to own a domain. You may need technical knowledge to prove ownership of the domain.| |Data handling|Available under the Supplement to the [Microsoft Services Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180702) and is best for businesses that want some remote work and collaboration tools and are comfortable with Microsoft acting as controller for your data under the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). Subscribers to services using this option will not have access to an individual's user content or data until a domain is attached. Subscribers should evaluate data ownership and intellectual property rights considerations based on their needs. For example, if you are working collaboratively with other users on a document stored in their account, they may choose to make those documents inaccessible to you. As such, you should evaluate data ownership and intellectual property rights considerations accordingly. Separately, users may choose not to transfer documents in their Simplified Sign-Up account to your Domain Account subscription, even after you invite them to do so. This means their documents may also not be accessible to you even if you add a domain account later|Available under the [Microsoft Online Subscription Agreement](https://go.microsoft.com/fwlink/p/?linkid=2180430) and is best for businesses that need Microsoft to act as a processor for their data under Microsoft's [Data Protection Addendum](https://go.microsoft.com/fwlink/p/?linkid=2180314) and need our full suite of remote work and collaboration tools. Subscribers who are in regulated industries or seek more control, both over the use of the services by your employees and over processing of related data by Microsoft, should choose Option 2 and attach a domain and sign up under the Domain Account enterprise-level agreement.|
There are a couple of scenarios that include either migrating data or users from
- **Do you want to move to Microsoft 365 gradually?** If you want to move to Microsoft 365 in stages, then skip running the Microsoft 365 setup wizard and consider adopting Microsoft 365 features in the following order:
- 1. [Add your employees to Microsoft 365](../add-users/add-users.md) so they can download and install the Office apps.
+ 1. [Add your employees to Microsoft 365](../add-users/add-users.md) so they can download and install the Microsoft 365 apps.
- 2. [Download and install the Office apps](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658) to use Word, Excel, and PowerPoint on your computer and devices.
+ 2. [Download and install the Microsoft 365 apps](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658) to use Word, Excel, and PowerPoint on your computer and devices.
3. [Set up Microsoft Teams](#plan-for-teams) to use for your meetings.
There are a couple of scenarios that include either migrating data or users from
## Check that your devices meet system requirements
-Each person in your organization can install the Office 2016 suite of apps (Word, Excel, PowerPoint, and so on) on up to five PCs and Macs. See the operating system and computer requirements for installing [Office 2016 suites](https://go.microsoft.com/fwlink/?LinkId=534827) for business.
+Each person in your organization can install the Microsoft 365 apps (Word, Excel, PowerPoint, and so on) on up to five PCs and Macs. See the operating system and computer requirements for installing [Microsoft 365](https://go.microsoft.com/fwlink/?LinkId=534827) for business.
-Mobile apps can be installed on iOS, Android, and Windows devices. You can find information on mobile device and browser support in [System requirements for Office](https://go.microsoft.com/fwlink/?LinkId=534827).
+Mobile apps can be installed on iOS, Android, and Windows devices. You can find information on mobile device and browser support in [System requirements for Microsoft 365](https://go.microsoft.com/fwlink/?LinkId=534827).
## Plan for email
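Review bot: Both added sentences change the link text to Microsoft 365 but keep the fwlink target LinkId=534827 that the removed line labelled "Office 2016 suites"; confirm the redirect now lands on Microsoft 365 system requirements, otherwise the link text and the target disagree. The first added sentence also carries over "up to five PCs and Macs" from the Office 2016 wording, so verify that the limit still applies to the renamed product.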
admin Upgrade Users To Latest Office Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/upgrade-users-to-latest-office-client.md
If you haven't already done so, assign licenses to any users in your organizatio
## Step 5 - Install Microsoft 365
-After you've verified the users you want to upgrade all have licenses, the final step is to have them install the Microsoft 365 apps. See [Download and install or reinstall Office on your PC or Mac](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658).
+After you've verified the users you want to upgrade all have licenses, the final step is to have them install the Microsoft 365 apps. See [Download and install or reinstall Microsoft 365 or Office 2021 on a PC or Mac](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658).
> [!TIP] > If you don't want your users installing Office themselves, see [Manage Microsoft 365 installation options in the Microsoft 365 admin center](/DeployOffice/manage-software-download-settings-office-365). You can use the [Deployment Tool](/DeployOffice/overview-office-deployment-tool) to download Microsoft 365 apps to your local network and then deploy using the software deployment method you typically use.
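Review bot: The TIP that follows the added line is left unchanged and still says "If you don't want your users installing Office themselves", which no longer matches the step heading "Install Microsoft 365" or the added sentence's "install the Microsoft 365 apps". Update the TIP wording in the same change.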
business-premium Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/secure-your-business-data.md
Title: How to secure your business data with Microsoft 365
+ Title: Secure your business data with Microsoft 365 for business
f1.keywords: - CSH
audience: Admin
Previously updated : 04/25/2023 Last updated : 04/28/2023 ms.localizationpriority: medium - highpri-- Adm_O365-- Adm_TOC - m365-security - tier2 - ContentEnagagementFY23
description: "Learn best practices to protect your business from ransomware, phi
# Secure your business data with Microsoft 365
-**Applies to**
--- Microsoft 365 Business Basic-- Microsoft 365 Business Standard-- Microsoft 365 Business Premium-
-> [!NOTE]
-> This article is designed for small and medium-sized businesses who have up to 300 users.
+> [!TIP]
+> This article is for small and medium-sized businesses who have up to 300 users.
> > If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../solutions/ransomware-protection-microsoft-365.md). > > If you're a Microsoft partner, see [Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md).
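Review bot: Switching the audience callout from [!NOTE] to [!TIP] while also deleting the "Applies to" list leaves this callout as the only scoping statement at the top of the article, and a TIP reads as optional advice rather than scope. Keep it as [!NOTE], or retain the "Applies to" list so readers can tell up front which plans the guidance covers.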
-Microsoft 365 for business plans, such as Microsoft 365 Business Basic, Standard, and Premium, include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes the top 10 ways to secure your data with Microsoft 365 for business, and it includes information to [compare capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).
-
-## Secure your business data
-
-| Step | Task | Description |
-|:--:|:|:|
-| 1 | **[Use multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md)**. | [Multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent hackers from taking over if they know your password. Security defaults can simplify the process of enabling MFA. <br/><br/>See [security defaults and MFA](m365bp-conditional-access.md). |
-| 2 | **[Protect your administrator accounts](m365bp-protect-admin-accounts.md)**. | Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs. <br/><br/>See [Protect your administrator accounts](m365bp-protect-admin-accounts.md). |
-| 3 | **[Use preset security policies](m365bp-increase-protection.md)**. | Your subscription includes [preset security policies](../security/office-365-security/preset-security-policies.md) that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. <br/><br/>See [Protect against malware and other cyberthreats](m365bp-increase-protection.md). |
-| 4 | **[Protect all devices](m365bp-devices-overview.md)**. | Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work. <br/><br/>See the following articles: <br/>- [Help users set up MFA on their devices](https://support.microsoft.com/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14)<br/>- [Protect unmanaged Windows and Mac computers](m365bp-protect-pcs-macs.md) <br/>- [Set up managed devices](m365bp-managed-devices-setup.md) (requires Microsoft 365 Business Premium or Microsoft Defender for Business) |
-| 5 | **[Train everyone on email best practices](m365bp-avoid-phishing-and-attacks.md)**. | Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. <br/><br/>See [Protect yourself against phishing and other attacks](m365bp-avoid-phishing-and-attacks.md). |
-| 6 | **[Use Microsoft Teams for collaboration and sharing](m365bp-collaborate-share-securely.md)**. | The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.<br/><br/> See the following articles: <br/>- [Use Microsoft Teams for collaboration](create-teams-for-collaboration.md) <br/>- [Set up meetings with Microsoft Teams](set-up-meetings.md) <br/>- [Share files and videos in a safe environment](share-files-and-videos.md) |
-| 7 | **[Set sharing settings for SharePoint and OneDrive files and folders](m365bp-increase-protection.md)**. | Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. <br/><br/>See [Set sharing settings for SharePoint and OneDrive files and folders](m365bp-increase-protection.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). |
-| 8 | **[Use Microsoft 365 Apps on devices](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)**. | Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Whether you're using the web or desktop version of an app, you can start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive. <br/><br/>See the following articles: <br/>- [Install Office apps on all devices](m365bp-install-office-apps.md).<br/>- [Train your users on Office and Microsoft 365](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27) |
-| 9 | **[Manage calendar sharing for your business](m365bp-increase-protection.md#manage-calendar-sharing)**. | You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only. <br/><br/>See [Manage calendar sharing](m365bp-increase-protection.md#manage-calendar-sharing). |
-| 10 | **[Maintain your environment](m365bp-maintain-environment.md)**. | After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs. <br/><br/>See [Maintain your environment](m365bp-maintain-environment.md). |
+This article lists the top 10 ways to secure your data with Microsoft 365 for business, with links for more information. Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection.
-## Comparing Microsoft 365 for business plans
+## Top 10 ways to secure your business data
-Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include baseline antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection. The following table compares capabilities in Microsoft 365 for business plans.
+The following table lists the top 10 ways to secure business data and includes capabilities that are included in Microsoft 365 for business plans. It's not intended to be an exhaustive list of all capabilities in each plan. For more details about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).
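Review bot: The link added for plan details points at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM, an opaque binary endpoint whose file type and contents a reader cannot tell from the URL; prefer a stable documentation page, or say in the link text that it is a download. The change also removes the "## Secure your business data" and "## Comparing Microsoft 365 for business plans" headings, and the removed intro linked to #comparing-microsoft-365-for-business-plans, so check for other inbound links to those anchors.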
-| Capability | [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md)| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) | [Microsoft 365 Business Premium](index.md) |
-|:|:--:|:--:|:--:|
-| **Outlook and Web/mobile versions of Office apps** <br/>Word, Excel, and PowerPoint | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Desktop versions of Office apps**<br/>Word, Excel, PowerPoint, Publisher, and Access <br/>(See note 1 below) | | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Secure communication, collaboration, and file storage**<br/>Microsoft Teams, Exchange, OneDrive, and SharePoint | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Antispam, antiphishing, and antimalware protection** for email <br/>[Exchange Online Protection overview](../security/office-365-security/eop-about.md) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Mobile device management** and mobile app management <br/>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | (See note 2 below) | (See note 2 below) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Advanced device security** with next-generation protection, firewall, attack surface reduction, automated investigation and response, and more <br/>[Defender for Business](../security/defender-business/mdb-overview.md) | (See note 3 below) | (See note 3 below) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Advanced protection for email and documents** with advanced anti-phishing, Safe Links, Safe Attachments, and real-time detections<br/>[Microsoft Defender for Office 365 Plan 1](../security/office-365-security/defender-for-office-365.md) | (See note 4 below) | (See note 4 below) | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
-| **Information protection** capabilities to discover, classify, protect, and govern sensitive information <br/>[Azure Information Protection](/azure/information-protection/what-is-information-protection) | | | ![Included.](../media/d238e041-6854-4a78-9141-049224df0795.png) |
+| What to do | [Microsoft 365 Business Premium](index.md) | [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) | [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) |
+|||||
+| 1. **[Use multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md)**.<br/><br/>[Multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent bad actors from taking over your account if they know your password. <br/><br/>See [security defaults and MFA](m365bp-conditional-access.md). |*Use security defaults or Conditional Access in [Azure Active Directory (Azure AD) Premium P1](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).* | *Use [security defaults in Azure AD](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).* | *Use [security defaults in Azure AD](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).* |
+| 2. **[Protect your administrator accounts](m365bp-protect-admin-accounts.md)**.<br/><br/>Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. <br/><br/>We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs.<br/><br/>See [Protect your administrator accounts](m365bp-protect-admin-accounts.md). |*Use the [Azure AD portal](https://entra.microsoft.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) to manage user accounts.* | *Use the [Azure AD portal](https://entra.microsoft.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) to manage user accounts.* | *Use the [Azure AD portal](https://entra.microsoft.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) to manage user accounts.* |
+| 3. **[Use preset security policies](m365bp-increase-protection.md)**.<br/><br/>Preset security policies save time by applying recommended spam, anti-malware, and anti-phishing policies to users all at once.<br/><br/>See: <br/>- [Preset security policies](../security/office-365-security/preset-security-policies.md)<br/>- [Protect against malware and other cyberthreats](m365bp-increase-protection.md) | *Use preset security policies for anti-spam, anti-malware, and anti-phishing in [Exchange Online Protection](../security/office-365-security/eop-about.md) (EOP). And, use preset security policies for advanced anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments in [Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).* | *Use [preset security policies in EOP](../security/office-365-security/preset-security-policies.md).* | *Use [preset security policies in EOP](../security/office-365-security/preset-security-policies.md).* |
+| 4. **[Protect all devices](m365bp-devices-overview.md)**.<br/><br/>Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work. Your security team and employees can all take steps to protect devices. For example, all users can use MFA on their devices.<br/><br/>See:<br/>- [Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md) <br/>- [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md)<br/>- [Set up and secure managed devices](m365bp-protect-devices.md) | *Use MFA, Microsoft 365 Apps on devices, and advanced device security with [Microsoft Defender for Business](../security/defender-business/mdb-overview.md) and [Microsoft Intune](/mem/intune/fundamentals/what-is-intune).* | *Use MFA and Microsoft 365 Apps on devices.*<br/>(*Defender for Business can be added on*) | *Use MFA.*<br/>(*Defender for Business can be added on*) |
+| 5. **[Train everyone on email best practices](m365bp-avoid-phishing-and-attacks.md)**.<br/><br/>Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. <br/><br/>See: <br/>- [Protect yourself against phishing and other attacks](m365bp-avoid-phishing-and-attacks.md)<br/>- [Anti-phishing protection in Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-protection-about#additional-anti-phishing-protection-in-microsoft-defender-for-office-365)<br/>- [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-about) <br/>- [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) | *Use EOP and advanced protection for email with [Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).* | *Use EOP.* <br/>(*Defender for Office 365 can be added on*) | *Use EOP.*<br/>(*Defender for Office 365 can be added on*) |
+| 6. **[Use Microsoft Teams for collaboration and sharing](m365bp-collaborate-share-securely.md)**.<br/><br/>The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.<br/><br/>See: <br/>- [Use Microsoft Teams for collaboration](create-teams-for-collaboration.md) <br/>- [Set up meetings with Microsoft Teams](set-up-meetings.md) <br/>- [Share files and videos in a safe environment](share-files-and-videos.md)<br/>- [Defender for Office 365 support for Microsoft Teams](/microsoft-365/security/office-365-security/mdo-support-teams-about)<br/>- [Data Loss Prevention (DLP) in Microsoft Teams](/microsoft-365/compliance/dlp-teams-default-policy)<br/>- [Use sensitivity labels to protect calendar items, Teams meetings, and chat](/microsoft-365/compliance/sensitivity-labels-meetings) | *Use Microsoft Teams with [Safe Links & Safe Attachments](/microsoft-365/security/office-365-security/mdo-support-teams-about), [sensitivity labels](/microsoft-365/compliance/sensitivity-labels-meetings), and [DLP](/microsoft-365/compliance/dlp-teams-default-policy).* | *Use Microsoft Teams.*<br/>(*Defender for Office 365 can be added on*) | *Use Microsoft Teams.*<br/>(*Defender for Office 365 can be added on*) |
+| 7. **[Set sharing settings for SharePoint and OneDrive files and folders](m365bp-increase-protection.md)**.<br/><br/>Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. <br/><br/>See: <br/>- [Set sharing settings for SharePoint and OneDrive](m365bp-increase-protection.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders)<br/>- [Sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files) | *Use SharePoint and OneDrive, with Safe Links, Safe Attachments, sensitivity labels, and DLP.* | *Use SharePoint and OneDrive.* | *Use SharePoint and OneDrive.* |
+| 8. **[Use Microsoft 365 Apps on devices](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)**.<br/><br/>Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive.<br/><br/>See: <br/>- [Install Microsoft 365 Apps on all devices](m365bp-install-office-apps.md).<br/>- [Train your users on Microsoft 365](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)<br/>- [How Safe Links works in Microsoft 365 Apps](/microsoft-365/security/office-365-security/safe-links-about#how-safe-links-works-in-office-apps)<br/>- [Sensitivity bar in Microsoft 365 Apps](/microsoft-365/compliance/sensitivity-labels-office-apps#sensitivity-bar)| *Use Outlook and Web, mobile, and desktop versions of Microsoft 365 Apps, with [Safe Links](/microsoft-365/security/office-365-security/safe-links-about#how-safe-links-works-in-office-apps) and [sensitivity labels](/microsoft-365/compliance/sensitivity-labels-office-apps).* | *Use Outlook and Web/mobile/desktop versions of Microsoft 365 Apps.* | *Use Outlook and Web/mobile versions of Microsoft 365 Apps.* |
+| 9. **[Manage calendar sharing for your business](m365bp-increase-protection.md#manage-calendar-sharing)**.<br/><br/>You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only.<br/><br/>See: <br/>- [Manage calendar sharing](m365bp-increase-protection.md#manage-calendar-sharing) <br/>- [Get started with the default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy) | *Use Outlook, Exchange Online, and [DLP](/microsoft-365/compliance/get-started-with-the-default-dlp-policy).* | *Use Outlook and Exchange Online.* | *Use Outlook and Exchange Online.* |
+| 10. **[Maintain your environment](m365bp-maintain-environment.md)**.<br/><br/>After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs.<br/><br/>See: <br/>- [Maintain your environment](m365bp-maintain-environment.md) <br/>- [Security incident management in Microsoft 365 Business Premium](m365bp-security-incident-management.md)<br/>- [Microsoft 365 Business Premium security operations guide](m365bp-security-incident-quick-start.md) | *Use the [Azure AD portal](https://entra.microsoft.com) and the [Microsoft 365 admin center](https://admin.microsoft.com) for managing user accounts.<br/>Use the [Microsoft 365 Defender portal](https://security.microsoft.com) and the [Microsoft 365 Purview compliance portal](https://compliance.microsoft.com/) for viewing and managing security & compliance capabilities. <br/>You can also use the [Intune admin center](https://intune.microsoft.com) to view or manage devices.* | *Use the [Microsoft 365 admin center](https://admin.microsoft.com) and the [Azure AD portal](https://entra.microsoft.com). to view or manage user accounts.* | *Use the [Microsoft 365 admin center](https://admin.microsoft.com) and the [Azure AD portal](https://entra.microsoft.com) to view or manage user accounts.* |
-> [!NOTE]
-> 1. Microsoft Publisher and Microsoft Access run on Windows laptops and desktops only.
->
-> 2. Microsoft Intune is included with Microsoft 365 Business Premium, and can be added on to Microsoft 365 Business Basic and Standard. Basic Mobility and Security capabilities in Microsoft 365 Business Basic and Standard enable users to access work email, calendar, contacts, and documents on their devices. [Choose between Basic Mobility and Security or Intune](../admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md).
->
-> 3. Defender for Business is included in Microsoft 365 Business Premium. Defender for Business can also be added on to Microsoft 365 Business Basic or Standard. See [Get Defender for Business](/microsoft-365/security/defender-business/get-defender-business).
->
-> 4. Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Defender for Office 365 Plan 1 can also be added on to Microsoft 365 Business Basic or Standard. See [Defender for Office 365](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview).
->
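Review bot: In the added row 10, the third-column cell reads "[Azure AD portal](https://entra.microsoft.com). to view or manage user accounts", with a stray period after the link that splits the sentence; the fourth-column cell has the same sentence without it. Drop the period. Separately, the removed [!NOTE] carried the links to "Get Defender for Business" and "Choose between Basic Mobility and Security or Intune", while the new cells say only "(Defender for Business can be added on)" with no link, so consider linking that phrase to keep the add-on guidance reachable.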
## See also -- For more information about what each plan includes, see [Reimagine productivity with Microsoft 365 and Microsoft Teams](https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products-b?ef_id=8c2a86ec9ea514a008c6e419e036519c:G:s&OCID=AIDcmmwf9kwzdj_SEM_8c2a86ec9ea514a008c6e419e036519c:G:s&lnkd=Bing_O365SMB_Brand&msclkid=8c2a86ec9ea514a008c6e419e036519c).
+- For more information about what each plan includes, see [Reimagine productivity with Microsoft 365 and Microsoft Teams](https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products-b?ef_id=8c2a86ec9ea514a008c6e419e036519c:G:s&OCID=AIDcmmwf9kwzdj_SEM_8c2a86ec9ea514a008c6e419e036519c:G:s&lnkd=Bing_O365SMB_Brand&msclkid=8c2a86ec9ea514a008c6e419e036519c) and the [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).
- [What is Defender for Business?](../security/defender-business/mdb-overview.md) - [Microsoft 365 Business PremiumΓÇöcybersecurity for small business](/microsoft-365/business-premium/) - [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../security/defender-business/compare-mdb-m365-plans.md) (for more details about Defender for Business and Microsoft 365 Business Premium)
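Review bot: The added "For more information" line keeps the plan-comparison link with its campaign and click-tracking query string (ef_id, OCID, lnkd=Bing_O365SMB_Brand, msclkid) and appends a second link to an opaque binary endpoint (query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM). Trim the first URL to the bare page address, and say in the link text what kind of file the second target is, since readers cannot tell from the URL what they are about to download.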
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
f1.keywords:
Previously updated : 04/26/2023 Last updated : 04/28/2023 audience: Admin
When you create an auto-apply policy, you select a retention label to automatica
3. For **Choose the type of content you want to apply this label to**, select one of the available conditions. For more information about the choices, see the [Configuring conditions for auto-apply retention labels](#configuring-conditions-for-auto-apply-retention-labels) section on this page.
-4. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the policy configuration with this option.
+4. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention label policy that doesn't include SharePoint sites can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+
+ If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**. You must select **Full directory** for the policy to include the location for SharePoint sites.
+
+5. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the policy configuration with this option.
-5. Depending on your selected scope:
+6. Depending on your selected scope:
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Exchange mailboxes** but not **SharePoint sites**.
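Review bot: New step 4 says an account that has been assigned administrative units "must select one or more administrative units", and also that "You must select **Full directory** for the policy to include the location for SharePoint sites". Taken together, a restricted administrator cannot include SharePoint sites in an auto-apply policy, but the step never states that outcome. State it explicitly here, as the [!NOTE] added to create-retention-policies.md in this same update does, so the limit is not discovered only when the location is missing in step 6.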
When you create an auto-apply policy, you select a retention label to automatica
For information about the location choices, see [Locations](retention-settings.md#locations).
-6. Follow the prompts to select a retention label, whether to run the policy in [simulation mode](#learn-about-simulation-mode) or turn it on (if applicable for your chosen condition), and then review and submit your configuration choices.
+7. Follow the prompts to select a retention label, whether to run the policy in [simulation mode](#learn-about-simulation-mode) or turn it on (if applicable for your chosen condition), and then review and submit your configuration choices.
To edit an existing retention label policy (the policy type is **Auto-apply**), select it, and then select the **Edit** option to start the **Edit retention policy** configuration.
compliance Audit Log Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md
The following table lists Azure AD directory and domain-related activities that
## Disposition review activities
-The following table lists the activities a disposition reviewer took when an item reached the end of its configured retention period. For more information, see [Viewing and disposing of content](disposition.md#viewing-and-disposing-of-content).
+The following table lists the [activities a disposition reviewer took](disposition.md#viewing-and-disposing-of-content) when an item reached the end of its configured retention period, or an item was automatically moved to the next disposition stage or permanently deleted as a result of [auto-approval](disposition.md#auto-approval-for-disposition).
|Friendly name|Operation|Description| |:--|:--|:--|
-|Approved disposal|ApproveDisposal|A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion.|
+|Approved disposal|ApproveDisposal|For manual approval: A disposition reviewer approved the disposition of the item to move it to the next disposition stage. If the item was in the only or final stage of disposition review, the disposition approval marked the item as eligible for permanent deletion. <br/><br/> For auto-approval: No manual action was taken within the configured auto-approval time period so the item automatically moved to the next disposition stage. If the item was in the only or final stage of disposition review, the item automatically became eligible for permanent deletion.|
|Extended retention period|ExtendRetention|A disposition reviewer extended the retention period of the item.| |Relabeled item|RelabelItem|A disposition reviewer relabeled the retention label.| |Added reviewers|AddReviewer|A disposition reviewer added one or more other users to the current disposition review stage.|
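Review bot: The updated ApproveDisposal description now covers two different events under one operation name, a reviewer's manual approval and an auto-approval where "No manual action was taken", but it does not say how the two are told apart in the audit record. Add which field or user identity the record carries for the auto-approval case, so that someone searching the audit log can separate human approvals from timed ones. The reworded intro sentence also needs a second look: "the activities a disposition reviewer took when an item reached the end of its configured retention period, or an item was automatically moved" joins a reviewer action and a system action without a parallel structure.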
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
f1.keywords:
Previously updated : 04/24/2023 Last updated : 04/28/2023 audience: Admin
Decide before you create your retention label policy whether it will be **adapti
3. Use the link to select the retention labels to publish, and then select **Next**.
-4. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the wizard with this option.
+4. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention label policy that doesn't include SharePoint sites can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+
+ If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**. You must select **Full directory** for the policy to include the location for SharePoint sites.
+
+5. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the wizard with this option.
-5. Depending on your selected scope:
+6. Depending on your selected scope:
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Exchange email** but not **SharePoint sites**.
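Review bot: In new step 4, "This configuration is currently in preview" is embedded mid-step and the permissions link targets the anchor `#administrative-units-preview`; both go stale when the feature leaves preview and are easy to miss in a later cleanup. The same two paragraphs are also pasted into apply-retention-labels-automatically.md and create-retention-policies.md in this update. Consider moving them into a shared include (the docs already use [!INCLUDE ...]) so the preview status and the anchor are changed in one place.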
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
f1.keywords:
Previously updated : 03/06/2023 Last updated : 04/28/2023 audience: Admin
Select the tab for instructions to create a retention policy for Teams, Yammer,
2. Select **New retention policy** to start the **Create retention policy** configuration, and name your new retention policy.
-3. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option.
+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), the retention policy can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+
+ If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**.
+
+4. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option.
-4. Depending on your selected scope:
+5. Depending on your selected scope:
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you'll be able to select **Teams chats** but not **Teams channel messages**.
Select the tab for instructions to create a retention policy for Teams, Yammer,
By default, [all teams and all users are selected](retention-settings.md#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the [**Choose** and **Exclude** options](retention-settings.md#a-policy-with-specific-inclusions-or-exclusions).
-5. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
+6. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](retention-settings.md#settings-for-retaining-and-deleting-content).
-6. Complete the configuration and save your settings.
+7. Complete the configuration and save your settings.
For guidance when to use retention policies for Teams and understand the end user experience, see [Manage retention policies for Microsoft Teams](/microsoftteams/retention-policies) from the Teams documentation.
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
2. Select **New retention policy** to create a new retention policy.
-3. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option.
+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), the retention policy can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+
+ If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**.
+
+4. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option.
-4. Depending on your selected scope:
+5. Depending on your selected scope:
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you'll be able to select **Yammer user messages** but not **Yammer community messages**.
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
- If you leave the default at **All users**, Azure B2B guest users are not included. - If you select **Edit** for **All users**, you can apply a retention policy to external users if you know their account.
-5. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
+6. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](retention-settings.md#settings-for-retaining-and-deleting-content).
-6. Complete the configuration and save your settings.
+7. Complete the configuration and save your settings.
For technical details about how retention works for Yammer, including what elements of messages are supported for retention and timing information with example walkthroughs, see [Learn about retention for Yammer](retention-policies-yammer.md).
Use the following instructions for retention policies that apply to any of these
- Microsoft 365 groups - Skype for Business
+> [!NOTE]
+> If your organization is using [administrative units]( ) and you're a restricted administrator (assigned one or more adminsitrative units), you won't be able to configure a retention policy that includes SharePoint sites or Exchange public folders. For these locations, you must be an unrestricted administrator.
+ 1. From the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), select **Data lifecycle management** > **Microsoft 365** > **Retention Policies**. 2. Select **New retention policy** to start the **Create retention policy** configuration, and name your new retention policy.
-3. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option. Adaptive policies don't support the locations for Exchange public folders or Skype for Business.
+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention policy that doesn't include SharePoint sites or Exchange public folders can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.
+
+ If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**. You must select **Full directory** for the policy to include the locations for SharePoint sites and Exchange public folders.
+
+4. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option. Adaptive policies don't support the locations for Exchange public folders or Skype for Business.
-4. Depending on your selected scope:
+5. Depending on your selected scope:
- If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you'll be able to select **Exchange mailboxes** but not **SharePoint sites**.
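Review bot: The added [!NOTE] has a link with an empty target, "[administrative units]( )", and misspells "adminsitrative units". Point the link at /azure/active-directory/roles/administrative-units, which step 3 of this same hunk already uses, and fix the spelling. The note also says a restricted administrator cannot configure a policy that includes "SharePoint sites or Exchange public folders"; step 3 repeats that from the policy side, so keep the two location lists worded identically if either changes.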
Use the following instructions for retention policies that apply to any of these
- [Microsoft 365 Group mailboxes & sites](retention-settings.md#configuration-information-for-microsoft-365-group-mailboxes--sites) - [Skype for Business](retention-settings.md#configuration-information-for-skype-for-business)
-5. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
+6. For **Decide if you want to retain content, delete it, or both** page, specify the configuration options for retaining and deleting content.
You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](retention-settings.md#settings-for-retaining-and-deleting-content) on this page.
-6. Complete the configuration and save your settings.
+7. Complete the configuration and save your settings.
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
This event is generated each time an unlabeled document is labeled or an email i
This event is generated each time a sensitivity label is updated on the document or email. - For the AIP unified client, AIP unified scanner and MIP SDK sources, the AIP *upgrade label* and *downgrade label* action maps to Activity explorer *label changed*- - It is captured at the point of save in Office native applications and web applications. - It is captured at the time of occurrence for the AIP unified labeling client and scanner enforcements - Upgrade and downgrade labels actions can also be monitored via the *Label event type* field and filter. The *justification* text is also captured except for SharePoint Online and OneDrive.
compliance Data Classification Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-overview.md
You also manage these features on the data classification page:
You can find data classification in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> or <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a> > **Classification** > **Data Classification**.
-Take a video tour of our data classification features.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vx8x]
- Data classification will scan your sensitive content and labeled content before you create any policies. This is called **zero change management**. This lets you see the impact that all the retention and sensitivity labels are having in your environment and empower you to start assessing your protection and governance policy needs. [!INCLUDE [purview-preview](../includes/purview-preview.md)]
compliance Device Onboarding Macos Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-macos-overview.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 03/28/2023 audience: ITPro
description: Learn about onboarding macOS devices into Compliance solutions
# Onboard macOS devices into Microsoft 365 overview
-MacOS devices can be onboarded into Microsoft Purview solutions using either Intune or JAMF Pro. The onboarding procedures differ depending on which management solution you're using. If your macOS devices have already been onboarded into Microsoft Defender for Endpoint (MDE), there are fewer steps. See [Next steps](#next-steps) for links to the appropriate procedures for you.
+MacOS devices can be onboarded into Microsoft Purview solutions using either Intune or JAMF Pro. The onboarding procedures differ depending on which management solution you use. If your macOS devices have already been onboarded into Microsoft Defender for Endpoint (MDE), there are fewer steps. See [Next steps](#next-steps) for links to the appropriate procedures for you.
**Applies to:**
MacOS devices can be onboarded into Microsoft Purview solutions using either Int
## Before you begin
-Before you get started with Endpoint DLP on macOS devices (three latest released versions), you should familiarize yourself with these articles:
+Before you get started with Endpoint DLP on macOS devices (the latest three released versions), familiarize yourself with these articles:
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)
If you aren't familiar with DLP at all, you should familiarize yourself with the
- [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - [Data loss prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference)
-If you aren't familiar with Insider Risk, you should familiarize yourself with these articles:
+If you aren't familiar with Insider Risk, read these articles:
- [Insider risk management](insider-risk-management.md) - [Plan for insider risk management](insider-risk-management-plan.md#plan-for-insider-risk-management)
Endpoint DLP supports these browsers on macOS (three latest released versions):
See, [Microsoft 365 licensing guidance for information protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-loss-prevention-for-exchange-online-sharepoint-online-and-onedrive-for-business).
+## Activities that can be audited and restricted on macOS
+
+Once a macOS device is onboarded into Microsoft Purview solutions, you can monitor and restrict the following actions using data loss prevention (DLP) policies.
+
+**Copy to a USB removable media** ΓÇô When enforced, this action blocks, warns, or audits the copying or moving of protected files from an endpoint device to USB removable media.
+
+**Copy to network shares** ΓÇô When enforced, this action blocks, warns, or audits the copying or moving of protected files from an endpoint device to any network share.
+
+**Print** ΓÇô When enforced, this action blocks, warns, or audits when protected files are printed from an endpoint device.
+
+**Copy to clipboard** ΓÇô When enforced, this action blocks, warns, or audits data in protected file that is being copied to a clipboard on an endpoint device.
+
+**Upload to cloud** ΓÇô This action blocks, warns, or audits when protected files are uploaded or prevented from being uploaded to cloud services based on the allow/unallowed domains list in global settings. When this action is set to warn or block, other browsers (defined on the unallowed browsers list under Global settings) are blocked from accessing the file.
+
+**Accessed by unallowed apps** ΓÇô When enforced, this action prevents applications that are on the unallowed apps list (as defined in Global settings) from accessing protected files on an endpoint device.
+ ## Onboarding devices into device management You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft Purview compliance portal.
-When you want to onboard devices that haven't been onboarded yet, you'll download the appropriate script and deploy it to those devices. <!--Follow the [Onboarding devices procedure](endpoint-dlp-getting-started.md#onboarding-devices).-->
+When you want to onboard devices that haven't been onboarded yet, download the appropriate script and deploy it to those devices. <!--Follow the [Onboarding devices procedure](endpoint-dlp-getting-started.md#onboarding-devices).-->
-<!--If you already have devices onboarded into [Microsoft Defender for Endpoint](/windows/security/threat-protection/), they will already appear in the managed devices list.-->
+<!--If you already have devices onboarded into [Microsoft Defender for Endpoint](/windows/security/threat-protection/), they will automatically appear in the managed devices list.-->
1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com) **Settings** page and choose **Enable device monitoring**.
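Review bot: In the added "Copy to clipboard" entry, "audits data in protected file that is being copied to a clipboard" is missing an article and reads as though the file, not the data, is what gets copied; suggest "blocks, warns, or audits when data in a protected file is copied to the clipboard on an endpoint device". The "Upload to cloud" entry is the only one without the "When enforced" lead, and it writes "global settings" in lowercase where its own next sentence and the "Accessed by unallowed apps" entry use "Global settings"; align both. The separator after each bold action name shows as "ΓÇô" in these added lines, so confirm the file is saved as UTF-8 and that the dash renders.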
When you want to onboard devices that haven't been onboarded yet, you'll downloa
## Next steps
-Getting devices onboarding into Microsoft Purview solutions is required in order to receive DLP sensor telemetry and to enforce data loss prevention policies.
+Getting devices onboarded into Microsoft Purview solutions is required in order to receive DLP sensor telemetry and to enforce data loss prevention policies. As mentioned, macOS devices can be onboarded into Microsoft Purview solutions using either Intune or JAMF Pro. the following articles for the procedures appropriate to your situation.
Topic | Description :|:
Topic | Description
|[JAMF Pro](device-onboarding-offboarding-macos-jamfpro.md) | For macOS devices that are managed through JAMF Pro |[JAMF Pro for Microsoft Defender for Endpoint](device-onboarding-offboarding-macos-jamfpro-mde.md)|For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them
-## Device configuration and policy sync status (preview)
+## Device configuration and policy sync status
-You can check the **Configuration status** and the **Policy sync status** of all your onboarded devices in the **Devices** list. For macOS devices, the minimum version is 101.95.07. For more information on the configuration and policy status, select an onboarded device to open the details pane.
-**Configuration status** shows you if the device is configured correctly, meets DLP configuration requirements, and the last time the configuration was validated. For macOS devices configuration includes:
-- Checking the UPN configuration by making sure your devices are [onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) if you're using Intune.-- Making sure that they're enrolled in the [Company Portal](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp)-- If you use [JAMF Pro make sure that they're onboarded](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) for checking the UPN configuration.
+You can check the **Configuration status** and the **Policy sync status** of all your onboarded devices in the **Devices** list. For macOS devices, the minimum version is 101.95.07. For more information on the configuration and policy status, select an onboarded device and then open the details pane.
-**Policy sync status** shows you if the most current versions of the endpoint DLP policies have been synchronized to the device and the last time a policy sync occurred.
+**Configuration status** shows you whether the device is configured correctly, meets DLP configuration requirements, and the last time the configuration was validated. For macOS devices, configuration includes:
+- If you use Intune, check the UPN configuration by making sure your devices are [onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos).
+- If you use Intune, make sure that your devices are enrolled in the [Company Portal](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp)
+- If you use JAMF Pro, [make sure your devices are onboarded](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) before checking the UPN configuration.
+**Policy sync status** shows you whether the most current versions of the endpoint DLP policies have been synchronized to the device and the last time a policy sync occurred.
|Field value |Configuration status |Policy sync status | |||| |Updated |Device health parameters are enabled and correctly set. |Device has been updated with the current versions of policies. |
-|Not updated | You need to enable the configuration settings for this device. Follow the procedures for your environment: </br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using Intune](device-onboarding-offboarding-macos-intune.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-intune) </br>- [Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-intune-for-microsoft-defender-for-endpoint-customers)</br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro](device-onboarding-offboarding-macos-jamfpro.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-jamf-pro)</br>- [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-jamfpro-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-jamf-pro-for-microsoft-defender-for-endpoint-customers) |This device hasn't synced the latest policy updates. If the policy update was made within the last 2 hours, wait for the policy to reach your device. |
-|Not available | Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded. |Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version, or configuration or if the device was just onboarded.|
+|Not updated | You need to enable the configuration settings for this device. Follow the procedures for your environment: </br></br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using Intune](device-onboarding-offboarding-macos-intune.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-intune) </br></br>- [Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-intune-for-microsoft-defender-for-endpoint-customers)</br></br>- [Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro](device-onboarding-offboarding-macos-jamfpro.md#onboard-and-offboard-macos-devices-into-microsoft-purview-solutions-using-jamf-pro)</br></br>- [Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-jamfpro-mde.md#onboard-and-offboard-macos-devices-into-compliance-solutions-using-jamf-pro-for-microsoft-defender-for-endpoint-customers) |This device hasn't synced the latest policy updates. If the policy update was made within the last 2 hours, wait for the policy to reach your device. |
+|Not available | Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version or configuration, or because the device was just onboarded. |Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version or configuration, or because the device was just onboarded.|
-## Related topics
+## Related articles
- [Using Endpoint data loss prevention](endpoint-dlp-using.md#using-endpoint-data-loss-prevention) - [Support Matrix for DLP policy tips across Microsoft apps](dlp-policy-tips-reference.md#support-matrix-for-dlp-policy-tips-across-microsoft-apps)
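Review bot: The last added sentence under "Next steps" has lost its verb: "the following articles for the procedures appropriate to your situation." should read "See the following articles for the procedures appropriate to your situation." In the "Not updated" table row the change doubles `</br>` to `</br></br>`; `</br>` is not a valid tag, and the tables earlier in this batch use `<br/>`, so use `<br/><br/>` if the extra spacing is wanted. The added Company Portal bullet is also the only one of the three new bullets without a final period.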
compliance Device Onboarding Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-mdm.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 04/03/2023 audience: ITPro
description: Use Mobile Device Management tools to deploy the configuration pack
- [Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md) - [Insider risk management](insider-risk-management.md)
-You can use mobile device management (MDM) solutions to configure devices. Microsoft 365 information protection supports MDMs by providing OMA-URIs to create policies to manage devices.
+You can use mobile device management (MDM) solutions to configure devices. Microsoft 365 information protection supports MDM solutions by providing OMA-URIs to create policies to manage devices.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Before you begin
-If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
+If you're using Microsoft Intune, the device must be enrolled in MDM.
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](/mem/intune/enrollment/device-enrollment).
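Review bot: The rewritten prerequisite "the device must be enrolled in MDM" drops the consequence the old text gave ("Otherwise, settings will not be applied successfully"). That sentence is what tells an admin what to expect when a policy is pushed to an unenrolled device, so keep it in some form, for example "If the device is not enrolled, the settings are not applied."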
Follow the instructions from [Intune](/mem/intune/protect/advanced-threat-protec
## Offboard and monitor devices using Mobile Device Management tools
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When you download an offboarding package, you are notified of the package's expiry date. The expiry date is also included in the package name.
> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
+> Onboarding and offboarding policies must not be deployed on the same device at the same time. If they are, unpredictable collisions will result.
1. Get the offboarding package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.
For security reasons, the package used to Offboard devices will expire 30 days a
3. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
-4. Click **Download package**, and save the .zip file.
+4. Select **Download package**, and save the .zip file.
5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *DeviceCompliance_valid_until_YYYY-MM-DD.offboarding*.
For security reasons, the package used to Offboard devices will expire 30 days a
Value: [Copy and paste the value from the content of the DeviceCompliance_valid_until_YYYY-MM-DD.offboarding file] ``` > [!NOTE]
-> If Microsoft Defender for Endpoint is already configured, you can **Turn on device onboarding** and Step 6 is no longer required.
+> If Microsoft Defender for Endpoint is already configured, you can **Turn on device onboarding**. If you do this, step 6 is not required.
> [!NOTE] > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated. > [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has received, will be retained for up to 6 months.
## Related topics - [Onboard Windows 10 devices using Group Policy](device-onboarding-gp.md)
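Review bot: The reworded IMPORTANT note says alerts the device "has received" and keeps "6 months", while the same note in device-onboarding-offboarding-macos-intune-mde.md is changed in this batch to "alerts it has had" and "six months". The two notes describe the same retention behaviour, so pick one wording and one number style and use it in both files.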
compliance Device Onboarding Offboarding Macos Intune Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-intune-mde.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 04/24/2023 audience: ITPro
description: Learn how to onboard and offboard macOS devices into Microsoft Purv
# Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers
+You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.
+ > [!IMPORTANT]
-> Use this procedure ***if you have*** deployed Microsoft Defender for Endpoint (MDE) to your macOS devices
+> Use this procedure ***if you have already deployed*** Microsoft Defender for Endpoint (MDE) to your macOS devices.
**Applies to:**
description: Learn how to onboard and offboard macOS devices into Microsoft Purv
## Before you begin -- Make sure your [macOS devices are onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) and enrolled in the [Company Portal app](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp). -- Make sure you have access to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home)-- This supports the three latest released macOS versions.-- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.
+- Make sure your [macOS devices are onboarded to Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) and enrolled in the [Company Portal app](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp).
+- Make sure you have access to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home).
+- OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices.
+
+> [!NOTE]
+> The three most recent major releases of macOS are supported.
## Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune
-Use these steps to onboard a macOS device into Compliance solutions if it already has MDE deployed to it.
+If Microsoft Defender for Endpoints (MDE) has already been deployed to your macOS device, you can still onboard that device into Compliance solutions. Doing so is multi-phase process:
-1. You'll need these files for this procedure.
+1. [Create system configuration profiles](#create-system-configuration-profiles)
+1. [Update existing system configuration profiles](#update-existing-system-configuration-profiles)
+1. [Update MDE preferences](#update-mde-preferences)
-|file needed for |source |
-|||
-|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
-full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
-> [!TIP]
-> You can download the *.mobileconfig* files individually or in [single combined file](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) that contains:
-> - accessibility.mobileconfig
-> - fulldisk.mobileconfig
->
->
->If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.
+### Prerequisites
-### Create system configuration profiles
+Download the following files:
-1. Open the **Microsoft Intune admin center** > **Devices** > **Configuration profiles**.
+|File | Description |
+|||
+|[accessibility.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/accessibility.mobileconfig) |Used for accessibility |
+| [fulldisk.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) | Used to grant full disk access (FDA). |
-1. Choose: **Create profile**.
-1. Choose:
- 1. **Platform = macOS**
- 1. **Profile type = Templates**
- 1. **Template name = Custom**
+> [!NOTE]
+> To download the files:
+> 1. Right-click the link and select **Save link as...**.
+> 2. Choose a folder and save the file.
-1. Choose **Create**
+### Create system configuration profiles ###
-1. Choose a name for the profile, like *AccessibilityformacOS* in this example. Choose **Next**.
+1. Open the **Microsoft Intune admin center** and navigate to **Devices** > **Configuration profiles**.
-1. Choose the **accessibility.mobileconfig** file that you downloaded in step 1 as the configuration profile file.
+2. Choose: **Create profile**.
-1. Choose **Next**
+3. Select the following values:
+ 1. **Profile type** = Templates
+ 1. **Template name** = Custom
-1. On the **Assignments** tab add the group you want to deploy these configurations to and choose **Next**.
+4. Choose **Create**.
-1. Review your settings and choose **Create** to deploy the configuration.
+5. Enter a name for the profile, for instance: *Microsoft Purview Accessibility Permission*, and then choose **Next**.
-1. Open **Devices** > **Configuration profiles**, you should see your created profiles there.
+6. Choose the `accessibility.mobileconfig` as the configuration profile file (downloaded as part of the prerequisites) and then choose **Next**.
-1. In the **Configuration profiles** page, choose the profile that you just created, in this example *AccessibilityformacOS* and choose **Device status** to see a list of devices and the deployment status of the configuration profile.
+7. On the **Assignments** tab, add the group you want to deploy this configuration to and then choose **Next**.
-### Update existing system configuration profiles
+8. Review your settings and then choose **Create** to deploy the configuration.
+9. Open **Devices** and navigate to **macOS** > **Configuration profiles**. The profiles you created display.
+
+10. On the **Configuration profiles** page, choose the new profile. Next, choose **Device status** to see a list of devices and the deployment status of the configuration profile.
+
+### Update existing system configuration profiles
-1. A Full Disk Access configuration profile should have been previously created and deployed for MDE. See, [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune#full-disk-access). Endpoint DLP requires an additional Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.
- 1. Update the existing Full Disk Access configuration profile with the fulldisk.mobileconfig file.
+1. A full disk access (FDA) configuration profile should have been created and deployed previously for MDE. (For details, see [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune#full-disk-access)). Endpoint data loss prevention (DLP) *requires additional FDA permission* for the new application (`com.microsoft.dlp.daemon`).
+
+2. Update the existing FDA configuration profile with the downloaded `fulldisk.mobileconfig` file.
+### Update MDE preferences
-1. Find the existing MDE Preferences configuration profile. See, [Set preferences for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-preferences#intune-full-profile)
- 1. Add a new key to the profile using these values:
+1. Find the existing **MDE Preferences** configuration profile. See [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/security/defender-endpoint/mac-install-with-intune) for details. <br><br>
+2. Add the following key to the .mobileconfig file, then save the file.
```xml
-<key>features</key>
-<dict>
- <key>systemExtensions</key>
- <string>enabled</string>
- <key>dataLossPrevention</key>
- <string>enabled</string>
-</dict>
-```
-
-Here's an [example mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig)
- 2. For *upload to cloud service* activity, if you only want to monitor browser and URL on the browser address bar, you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*, here is an example [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig).
-
-## Offboard macOS devices using Intune
+ <key>features</key>
+ <dict>
+ <key>dataLossPrevention</key>
+ <string>enabled</string>
+ </dict>
+```
++
+## Offboard macOS devices using Microsoft Intune
> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the device to stop sending sensor data to the portal. However, data received from the device, including references to any alerts it has had, will be retained for up to six months.
-1. In **Microsoft Intune admin center**, open **Devices** > **Configuration profiles**, you should see your created profiles there.
+1. In the **Microsoft Intune admin center**, open **Devices** > **Configuration profiles**. The profiles you created display.
-2. In the **Configuration profiles** page, choose the MDE preferences profile.
+2. On the **Configuration profiles** page, choose the **MDE preferences** profile.
-1. Remove these settings:
+3. Remove these settings:
```xml
-<key>features</key>
-<dict>
- <key>systemExtensions</key>
- <string>enabled</string>
- <key>dataLossPrevention</key>
- <string>enabled</string>
-</dict>
+ <key>features</key>
+ <dict>
+ <key>dataLossPrevention</key>
+ <string>enabled</string>
+ </dict>
```
-3. **Save**.
+
+4. Choose **Save**.
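Review bot: Step 3 of the new "Create system configuration profiles" list gives only **Profile type** = Templates and **Template name** = Custom; the old list began with **Platform = macOS**, and the sibling Intune article keeps **Platform** = macOS, so the platform selection looks dropped by accident and should be restored as the first sub-item. In the section intro, "Microsoft Defender for Endpoints (MDE)" should be "Endpoint", and "Doing so is multi-phase process" needs "a". A stray "+" line was added after the closing fence of the XML block under "Update MDE preferences". The change also removes the `systemExtensions` key from both the onboarding snippet and the offboarding "Remove these settings" snippet, and deletes the *DLP_browser_only_cloud_egress* / *DLP_ax_only_cloud_egress* guidance, without saying where those settings are now covered; if that is intended, link the replacement. The prerequisite links now fetch the accessibility and full disk access profiles from raw.githubusercontent.com on the `master` branch; since one of them grants full disk access, consider telling readers to review the downloaded file before uploading it to Intune.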
compliance Device Onboarding Offboarding Macos Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-intune.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 04/24/2023 audience: ITPro
search.appverid:
description: Learn how to onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune
-# Onboard and offboard macOS devices into Microsoft Purview solutions using Intune
+# Onboard and offboard macOS devices into Microsoft Purview solutions using Intune #
-You can use Intune to onboard macOS devices into Microsoft Purview solutions.
+You can use Microsoft Intune to onboard macOS devices into Microsoft Purview solutions.
> [!IMPORTANT] > Use this procedure if you ***do not*** have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices
You can use Intune to onboard macOS devices into Microsoft Purview solutions.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Before you begin
+## Before you begin ##
-- Make sure your [macOS devices are onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) and are enrolled in the [Company Portal app](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp).
+- Make sure your [macOS devices are onboarded into Intune](https://learn.microsoft.co/mem/intune/fundamentals/deployment-guide-platform-macos) and are enrolled in the [Company Portal app](https://learn.microsoft.co/mem/intune/user-help/enroll-your-device-in-intune-macos-cp).
- Make sure you have access to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home).-- This supports three most recent major releases of macOS. - Create the user groups that you are going to assign the configuration updates to.-- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.
+- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Microsoft Edge.
+
+> [!NOTE]
+> The three most recent major releases of macOS are supported.
-## Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune
+## Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune ##
Onboarding a macOS device into Compliance solutions is a multi-phase process.
-1. [Create system configuration profiles](#create-system-configuration-profiles)
1. [Get the device onboarding package](#get-the-device-onboarding-package) 1. [Deploy the mobileconfig and onboarding packages](#deploy-the-mobileconfig-and-onboarding-packages)
-1. [Publish application](#publish-application)
-<!--1. [Enable system extension](#enable-system-extension)-->
+1. [Publish the application](#publish-the-application)
-### Create system configuration profiles
+### Prerequisites ###
-1. You'll need these files for this procedure.
+Download the following files:
-|file needed for |source |
+|File |Description |
|||
-System mobile config file | [mdatp-nokext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) Copy and paste the contents into a text file. Save the file with the **mobileconfig** extension only, it will not be recognized if it has the .txt extension.|
-MDE preferences| [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig). Copy and paste the contents into a text file. Save the file with the **mobileconfig** extension only, it will not be recognized if it has the .txt extension. For *upload to cloud service* activity, if you only want to monitor browser and URL on the browser address bar, you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*, here is an example [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig).
+[mdatp-nokext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) | System mobile config file |
+[com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig). | MDE preferences |
+ ### Get the device onboarding package
-1. In **Microsoft Purview Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
+
+1. In **Microsoft Purview Compliance center** open **Settings** > **Device Onboarding** and then choose **Onboarding**.
-1. For **Select operating system to start onboarding process** choose **macOS**.
+2. For the **Select operating system to start onboarding process** option, choose **macOS**.
-1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**.
+3. For **Deployment method**, choose **Mobile Device Management/Microsoft Intune**.
-1. Choose **Download onboarding package**.
-
-1. Extract the zip file and open the *Intune* folder. This contains the onboarding code in the *DeviceComplianceOnboarding.xml* file.
-
-<!--|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
-full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
-|Network filer| [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig)]
-|System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
-|MDE preference |[com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig)|
-|MAU preference|[com.microsoft.autoupdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.mobileconfig)|
-|Installation package |downloaded from the compliance portal **Installation package**, file name *\*wdav.pkg*\* |
-
-> [!TIP]
-> You can download the *.mobileconfig* files individually or in [single combined file](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) that contains:
-> - accessibility.mobileconfig
-> - fulldisk.mobileconfig
-> - netfilter.mobileconfig
-> - system extensions
->
->If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.-->
+4. Choose **Download onboarding package**.
+
+5. Extract the .ZIP file and open the *Intune* folder. This contains the onboarding code in the *DeviceComplianceOnboarding.xml* file.
### Deploy the mobileconfig and onboarding packages
-1. Open the **Microsoft Intune admin center** > **Devices** > **Configuration profiles**.
+1. Open the **Microsoft Intune admin center** and navigate to **Devices** > **Configuration profiles**.
-1. Choose: **Create profile**
+1. Choose: **Create profile**.
-1. Choose:
- 1. **Platform = macOS**
- 1. **Profile type = Templates**
- 1. **Template name = Custom**
+1. Select the following values:
+ 1. **Platform** = macOS
+ 1. **Profile type** = Templates
+ 1. **Template name** = Custom
-1. Choose **Create**
+1. Choose **Create**.
-1. Choose a name for the profile, like *SystemMobileConfig* in this example. Choose **Next**.
+1. Enter a name for the profile, such as *Microsoft Purview System MobileConfig*, and then Choose **Next**.
-1. Choose the **mdatp-nokext.mobileconfig** file that you copied and saved in step 1 as the configuration profile file.
+1. Choose the `mdatp-nokext.mobileconfig` file that you downloaded in Step 1 as the configuration profile file.
-1. Choose **Next**
+1. Choose **Next**.
-1. On the **Assignments** tab add the group you want to deploy these configurations to and choose **Next**.
+1. On the **Assignments** tab, add the group you want to deploy these configurations to and then choose **Next**.
-1. Review your settings and choose **Create** to deploy the configuration.
+1. Review your settings and then choose **Create** to deploy the configuration.
1. Repeat steps 2-9 to create profiles for the:
- 1. **DeviceComplianceOnboarding.xml** file. Name it *Purview Device Onboarding Package*
- 1. **com.microsoft.wdav.mobileconfig** file. Name it *Endpoint Device Preferences*
+ 1. **DeviceComplianceOnboarding.xml** file. Name it *Microsoft Purview Device Onboarding Package*
+ 1. **com.microsoft.wdav.mobileconfig** file. Name it *Microsoft Endpoint Device Preferences*
-1. Open **Devices** > **Configuration profiles**, you should see your created profiles there.
+1. Open **Devices** > **Configuration profiles**. The profiles you created now display.
+
+1. In the **Configuration profiles** page, choose the profile that you just created. Next, choose **Device status** to see a list of devices and the deployment status of the configuration profile.
-1. In the **Configuration profiles** page, choose the profile that you just created, for example *SystemMobileConfig* and choose **Device status** to see a list of devices and the deployment status of the configuration profile.
+> [!NOTE]
+> For the *upload to cloud service* activity, if you only want to monitor the browser and the URL in the browser address bar, you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*.
+>
+> Here is an example [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig).
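Review bot: The new NOTE on the *upload to cloud service* activity tells the reader to enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress* "if you only want to monitor the browser and the URL in the browser address bar", but it never says what each setting does on its own or which upload activity stops being monitored once they are on. Because both settings narrow what DLP watches, describe each one separately (the JAMF article in this same change set does so under **Data Loss Prevention** > **Features**) and state what falls out of scope. The note also sits after the **Device status** step, so a reader finishes the deployment before learning that the preference file may need editing; placing it next to the *com.microsoft.wdav.mobileconfig* step would fix that.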
-### Publish application
-Microsoft Endpoint DLP is installed as a component of Microsoft Defender for Endpoint (MDE) on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions
+### Publish the application
+
+Microsoft Endpoint data lost protection is installed as a component of Microsoft Defender for Endpoint on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions
1. In the [Microsoft Intune admin center](https://endpoint.microsoft.com/), open **Apps**.
-1. Select By platform > macOS > Add.
+2. Select **By platform** > **macOS** > **Add**.
+
+3. Choose **App type**=**macOS**, and then choose **Select**. Choose **Microsoft Defender for Endpoint**.
-1. Choose **App type**=**macOS**, click **Select**.
+4. Keep the default values and then choose **Next**.
-1. Keep default values, click **Next**.
+5. Add assignments and then choose **Next**.
-1. Add assignments, click **Next**.
+6. Review your chosen settings and then choose **Create**.
-1. Review and **Create**.
+7. You can visit **Apps** \> **By platform** \> **macOS** to see the new application in the list of all applications.
-1. You can visit **Apps** \> **By platform** \> **macOS** to see it on the list of all applications.
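Review bot: "Microsoft Endpoint data lost protection" in the new intro paragraph under **Publish the application** should read "data loss prevention", and the paragraph's last sentence ("...into Microsoft Purview solutions") has no closing period. The steps in this section also switch to explicit numbers (2 through 7) after a context step that is still written as "1.", while the preceding **Deploy the mobileconfig and onboarding packages** section keeps "1." on every item; pick one numbering style for the file.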
-<!--## Offboard macOS devices using Intune PINGING PG FOR THIS PROCEDURE
+## Offboard macOS devices using Intune ##
> [!NOTE]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to six months.
+> Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has had, will be retained for up to six months.
-1. In the **Microsoft Intune admin center**, open **Devices** > **Configuration profiles**, you should see your created profiles there.
+1. In the **Microsoft Intune admin center**, open **Devices** > **Configuration profiles**. The profiles you created are listed.
-1. In the **Configuration profiles** page, choose the *wdav.pkg.intunemac* profile.
+2. On the **Configuration profiles** page, choose the **wdav.pkg.intunemac** profile.
-1. Choose **Device status** to see a list of devices and the deployment status of the configuration profile
+3. Choose **Device status** to see a list of devices and the deployment status of the configuration profile.
-1. Open **Properties** and **Assignments**
+4. Open **Properties** and then **Assignments**.
-1. Remove the group from the assignment. This will uninstall the *wdav.pkg.intunemac* package and offboard the macOS device from Compliance solutions.-->
+5. Remove the group from the assignment. This will uninstall the *wdav.pkg.intunemac* package and offboard the macOS device from Compliance solutions.
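Review bot: Steps 2 and 5 of the restored offboarding procedure disagree about what *wdav.pkg.intunemac* is: step 2 has the admin pick it as a profile on the **Configuration profiles** page, while step 5 calls it a package that gets uninstalled, and the **Publish the application** section deploys the app from **Apps**. Confirm where the assignment actually lives and make both steps use the same term and the same styling (step 2 bolds the name, step 5 italicizes it). The removed lines show this section was commented out with "PINGING PG FOR THIS PROCEDURE", so confirm the procedure was signed off before it is published; if the path is wrong, a device the admin believes is offboarded keeps sending sensor data.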
compliance Device Onboarding Offboarding Macos Jamfpro Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro-mde.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 04/24/2023 audience: ITPro
description: Learn how to onboard and offboard macOS devices into Microsoft Purv
# Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers
-You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.
+You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.
> [!IMPORTANT] > Use this procedure ***if you have*** deployed Microsoft Defender for Endpoint (MDE) to your macOS devices
You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions.
- [Endpoint data loss prevention (DLP)](./endpoint-dlp-learn-about.md) - [Insider risk management](insider-risk-management.md) - [!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Before you begin
+## Before you begin ##
-- Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Intune.
+- Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Microsoft Intune.
- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.
+
+> [!NOTE]
+> The three most recent major releases of macOS are supported.
## Onboard devices into Microsoft Purview solutions using JAMF Pro
-Onboarding a macOS device into Compliance solutions is a multiphase process.
+Onboarding a macOS device into Compliance solutions is a multi-phase process.
+
+1. [Update the existing MDE Preference domain profile using the JAMF PRO console](#update-the-existing-mde-preference-domain-profile-using-the-jamf-pro-console)
+2. [Enable full-disk access](#enable-full-disk-access)
+3. [Enable accessibility access to Microsoft Purview data loss prevention](#enable-accessibility-access-to-microsoft-purview-data-loss-prevention)
+4. [Check the macOS device](#check-the-macos-device)
-### Download the configuration files
+### Prerequisites
-1. You'll need these files for this procedure.
+Download the following files:
-|file needed for |source |
+|File |Description |
|||
-|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
-full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
-|MDE preference |[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schema/schema.json)
+[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)| Accessibility |
+|[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)| Full disk access (FDA) |
+|[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schemE preference |
+
+If any of these individual files are updated, you must download the updated bundled file and redeploy as described.
-> [!TIP]
-> You can download the *.mobileconfig* files individually or in [single combined file](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) that contains:
-> - accessibility.mobileconfig
-> - fulldisk.mobileconfig
->
->If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.
+
+> [!NOTE]
+> To download the files:
+> 1. Right-click the link and select **Save link as...**.
+> 2. Choose a folder and save the file.
### Update the existing MDE Preference domain profile using the JAMF PRO console 1. Update the schema.xml profile with the **schema.json** file you just downloaded.
-1. Under **MDE Preference Domain Properties** choose these settings
- - Features
- - Use System Extensions: `enabled` - required for network extensions on Catalina
+1. Under **MDE Preference Domain Properties** choose these settings:
+ - **Features**
- Use Data Loss Prevention: `enabled`
+ - **Data Loss Prevention**
+ - **Features**
+ - Use DLP_browser_only_cloud_egress: `enabled` if you want to only monitor browser
+ - Use DLP_ax_only_cloud_egress: `enabled` if you want to only monitor URL on the browser address bar
1. Choose the **Scope** tab.
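Review bot: The new sentence after the **Prerequisites** table says "you must download the updated bundled file and redeploy", but the table in this article lists only individual files (*accessibility.mobileconfig*, *fulldisk.mobileconfig*, *schema.json*), and the TIP that linked the combined file is removed in this same change. Either name the files the reader should download again or restore the link to the bundled file. Two table rows also need repair: the *accessibility.mobileconfig* row is missing its leading `|`, and the *schema.json* row's link is cut off before its closing parenthesis.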
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp
1. Choose **Save**.
-### Update the configuration profile for Grant full disk access
-
-1. Update the existing full disk access profile with the **fulldisk.mobileconfig** file.
-
-1. Upload the **fulldisk.mobileconfig** file to JAMF. Refer to [Deploying Custom Configuration Profiles using JAMF Pro](https://docs.jamf.com/technical-articles/Deploying_Custom_Configuration_Profiles_Using_Jamf_Pro.html).
+### Enable full-disk access
-### Grant accessibility access to DLP
+To update the existing full disk access profile with the `fulldisk.mobileconfig` file, upload `fulldisk.mobileconfig` to JAMF. For more information, refer to [Deploying Custom Configuration Profiles using JAMF Pro](https://docs.jamf.com/technical-articles/Deploying_Custom_Configuration_Profiles_Using_Jamf_Pro.html).
-1. Use the accessibility.mobileconfig file you previously downloaded.
+### Enable accessibility access to Microsoft Purview data loss prevention ###
+To grant accessibility access to DLP, upload the `accessibility.mobileconfig` file you downloaded previously to JAMF, as described in [Deploying Custom Configuration Profiles using JAMF Pro](https://docs.jamf.com/technical-articles/Deploying_Custom_Configuration_Profiles_Using_Jamf_Pro.html).
-1. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
-### Check the macOS device
+### Check the macOS device
1. Restart the macOS device. 1. Open **System Preferences** > **Profiles**.
-1. You should see:
+1. The following profiles are now listed::
- Accessibility - Full Disk Access - Kernel Extension Profile
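Review bot: "The following profiles are now listed::" ends in a double colon; drop one. Heading style is also mixed in this hunk: "### Enable accessibility access to Microsoft Purview data loss prevention ###" carries closing hashes, while "### Enable full-disk access" and "### Check the macOS device" do not, and the latter gains a trailing space. Use one form throughout the file.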
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp
## Offboard macOS devices using JAMF Pro > [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+> Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.
To offboard a macOS device, follow these steps 1. Under **MDE Preference Domain Properties** remove the values for these settings
- - Features
+ - **Features**
- Use System Extensions - Use Data Loss Prevention
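Review bot: The offboarding list still tells the admin to remove the value for "Use System Extensions", but this change deletes "Use System Extensions: `enabled`" from the onboarding settings under **MDE Preference Domain Properties**, so a device onboarded with the new steps never had that value set by this procedure. Either drop it from the offboarding list or say it applies only to devices onboarded with the earlier instructions. The settings added to onboarding (DLP_browser_only_cloud_egress and DLP_ax_only_cloud_egress) are not mentioned in offboarding at all; state whether they need to be cleared.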
compliance Device Onboarding Offboarding Macos Jamfpro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-jamfpro.md
f1.keywords:
Previously updated : 10/06/2020 Last updated : 04/24/2023 audience: ITPro
search.appverid:
description: Learn how to onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro
-# Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro
+# Onboard and offboard macOS devices into Microsoft Purview solutions using JAMF Pro #
-You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions like Endpoint data loss prevention.
+You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions such as Endpoint data loss prevention (DLP).
> [!IMPORTANT]
-> Use this procedure if you ***do not*** have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices
+> Use this procedure if you ***do not*** have Microsoft Defender for Endpoint (MDE) deployed to your macOS devices.
**Applies to:**
You can use JAMF Pro to onboard macOS devices into Microsoft Purview solutions l
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Before you begin
+## Before you begin ##
-- Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through JAMF Connect or Intune.
+- Make sure your [macOS devices are managed through JAMF pro](https://www.jamf.com/resources/product-documentation/jamf-pro-installation-guide-for-mac/) and are associated with an identity (Azure AD joined UPN) through [JAMF Connect](https://www.jamf.com/products/jamf-connect) or Microsoft Intune.
+- OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices for native Endpoint DLP support on Microsoft Edge.
-## Onboard devices into Microsoft Purview solutions using JAMF Pro
+> [!NOTE]
+> The three most recent major releases of macOS are supported.
-1. You'll need these files for this procedure.
+## Onboard devices into Microsoft Purview solutions using JAMF Pro ##
-|File needed for|Source|
-|||
-|Onboarding package|Downloaded from the compliance portal **Onboarding package**, file name *DeviceComplianceOnboarding.plist*|
-|accessibility|[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
-full disk access|[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)|
-|Network filter| [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig)
-|System extensions|[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
-|MDE preference|[schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/schema.json)|
-|MAU preference|[com.microsoft.autoupdate2.plist](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/microsoft_auto_update/com.microsoft.autoupdate2.plist)|
-|Installation package|downloaded from the compliance portal **Installation package**, file name *\*wdav.pkg*\*|
+Onboarding a macOS device into Microsoft Purview solutions is a multi-phase process:
+1. [Deploy onboarding packages](#deploy-onboarding-packages)
+2. [Configure application preferences](#configure-application-preferences)
+3. [Upload the installation package](#upload-the-installation-package)
+4. [Deploy System Configuration Profiles](#deploy-system-configuration-profiles)
-> [!TIP]
-> You can download the *.mobileconfig* files individually or in [single combined file](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) that contains:
->
-> - accessibility.mobileconfig
-> - fulldisk.mobileconfig
-> - netfilter.mobileconfig
-> - sysext.mobileconfig
->
->If any of these individual files is updated, you'd need to download either the combined file again or the single updated file individually.
+### Prerequisites
-Onboarding a macOS device into Compliance solutions is a multiphase process.
+Download the following files.
-### Get the device onboarding package
+|File | Description|
+|--||
+| [mdatp-nokext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) | This is the bundled file. |
+| [schema.json](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/schema.json)| This is the MDE preference file.|
-1. In **Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
-1. For **Select operating system to start onboarding process** choose **macOS**
+> [!NOTE]
+> To download the files:
+> 1. Right-click the link and select **Save link as...**.
+> 2. Choose a folder and save the file.
-1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**
+### Get the device onboarding and installation packages
-1. Choose **Download onboarding package**
+1. In the compliance portal, open **Settings** > **Device Onboarding** and then choose **Onboarding**.
-1. Extract the contents of the device onboarding package. In the JAMF folder, you should see the *DeviceComplainceOnboarding.plist* file.
+2. For the **Select operating system to start onboarding process** value, choose **macOS**.
-### Create a JAMF Pro configuration profile for the onboarding package
+3. For **Deployment method**, choose **Mobile Device Management/Microsoft Intune**.
-1. Create a new configuration profile in JAMF Pro. Refer to the [JAMF Pro administrators guide](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/). Use these values:
- - Name: `MDATP onboarding for macOS`
- - Description: `MDATP EDR onboarding for macOS`
- - Category: `none`
- - Distribution method: `install automatically`
- - Level: `computer level`
+4. Choose **Download onboarding package** and then extract the contents of the device onboarding package. the *DeviceComplianceOnboarding.plist* file is downloaded to the JAMF folder.
-2. In the JAMF Pro console > **Application & Custom settings**, choose **upload** and then **add**. Use this value:
- - Preference Domain: `com.microsoft.wdav.atp`
+5. Choose **Download installation package**.
-3. Choose **upload** and select the onboarding file **DeviceComplianceOnboarding.plist**.
+### Deploy onboarding packages
-4. Choose the **scope** tab.
+1. Create a new configuration profile in JAMF Pro. Refer to the [JAMF Pro documentation](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/). Use the following values:
+ - **Name:** *MDATP onboarding for macOS*
+ - **Description:** **MDATP EDR onboarding for macOS*
+ - **Category:** *none*
+ - **Distribution method:** *`*install automatically*
+ - **Level:** *computer level*
-5. Choose the target computers.
+2. In the JAMF Pro console, select **New**.
-6. Choose **Save**.
-
-7. Choose **Done**.
+3. In the navigation pane, select **Application and Custom Settings** and then choose **Upload**.
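Review bot: The rewritten **Deploy onboarding packages** steps stop at "choose **Upload**" without saying what to upload or which preference domain it belongs to. The removed steps supplied the Preference Domain `com.microsoft.wdav.atp`, the *DeviceComplianceOnboarding.plist* file, and the **Scope** and **Save** steps; none of these appear in the new text, so the onboarding profile cannot be completed from these instructions. Restore them as steps 4 onward. The value list in step 1 also has broken emphasis: the **Description** value opens with two asterisks and closes with one, and the **Distribution method** value has a stray asterisk and backtick before "install automatically". In the preceding section, step 4 has a sentence starting with a lowercase "the *DeviceComplianceOnboarding.plist* file".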
-### Configure Preference domain using the JAMF PRO console
+### Configure application preferences
> [!IMPORTANT]
-> You must use ***com.microsoft.wdav*** as the Preference Domain value. Microsoft Defender for Endpoint uses this name and ***com.microsoft.wdav.ext*** to load its managed settings.
-
-1. Create a new configuration profile in JAMF Pro. Refer to the [JAMF Pro administrators guide](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/). Use these values:
- - Name: `MDATP MDAV configuration settings`
- - Description: leave this blank
- - Category: `none`
- - Distribution method: `install automatically`
- - Level: `computer level`
-
-1. On the **Application & Custom Settings** tab, choose **External Applications**, choose **Add** and choose **Custom Schema** for the preference domain. Use this value:
- - Preference domain: `com.microsoft.wdav`
-
-1. Choose **Add Schema** and **Upload** to upload the *schema.json* file.
-
-1. Choose **Save**.
-
-1. Under **Preference Domain Properties** choose these settings
- - Features
- - Use System Extensions: `enabled` - required for network extensions on Catalina
- - Use Data Loss Prevention: `enabled`
- - Use DLP_browser_only_cloud_egress: `enabled`if you want to only monitor browser
- - Use DLP_ax_only_cloud_egress: `enabled`if you want to only monitor URL on the browser address bar
- - Antivirus engine > Passive mode: `true|false`. Use `true`if deploying DLP only. Use `false` or do not assign a value if deploying DLP and Microsoft Defender for Endpoint (MDE).
-
-1. Choose the **Scope** tab.
-
-1. Choose the groups to deploy this configuration profile to.
-
-1. Choose **Save**.
---
-### Create and deploy a configuration profile for Microsoft AutoUpdate (MAU)
-
-1. Create a JAMF Pro configuration file using the **com.microsoft.autoupdate2.plist**. Refer to the [JAMF Pro administrators guide](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/). Use these values:
- - Name: `MDATP MDAV MAU settings`
- - Description: `Microsoft AutoUPdate settings for MDATP for macOS`
- - Category: `none`
- - Distribution method: `install automatically`
- - Level: `computer level`
-
-1. In **Application & Custom Settings** choose **Upload** and **Add**.
-
-1. In **Preferences Domain** enter `com.microsoft.autoupdate2` and then choose **Upload**.
-
-1. Choose the **com.microsoft.autoupdate2.plist** file.
-
-1. Choose **Save**.
-
-1. Choose the **Scope** tab.
-
-1. Choose the target computers.
-
-1. Choose **Save**.
-
-1. Choose **Done**.
-
-### Create and deploy a configuration profile for Grant full disk access
-
-1. Use the **fulldisk.mobileconfig** file.
+> You must use *com.microsoft.wdav* as the **Preference Domain** value. Microsoft Defender for Endpoint uses this name and *com.microsoft.wdav.ext* to load the managed settings.
-1. Upload the **fulldisk.mobileconfig** file to JAMF. Refer to [Deploying Custom Configuration Profiles using JAMF Pro](https://docs.jamf.com/technical-articles/Deploying_Custom_Configuration_Profiles_Using_Jamf_Pro.html).
+1. Sign in to JAMF Pro to create a new configuration profile in JAMF Pro. Refer to the [JAMF Pro documentation](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/) for more information. Use these values:
+ - **Name:** *MDATP MDAV configuration settings*
+ - **Description:** *Leave this blank*
+ - **Category:** *none*
+ - **Distribution method:** *install automatically*
+ - **Level:** *computer level*
-### Create and deploy a configuration profile for System extensions
+2. In the JAMF Pro console, select **New**.
-1. Create a JAMF Pro configuration file using the procedures in [JAMF Pro administrators guide](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/). Use these values:
- - Name: `MDATP MDAV System Extensions`
- - Description: `MDATP system extensions`
- - Category: `none`
- - Distribution method: `install automatically`
- - Level: `computer level`
+3. In the navigation pane, select **Application and Custom Settings** and then choose **External Applications**.
-1. In **System extensions** profile, enter these values:
- - Display Name: `Microsoft Corp. System Extensions`
- - System Extension Types: `Allowed System Extensions`
- - Team Identifier: `UBF8T346G9`
- - Allowed System Extensions: `com.microsoft.wdav.epsext`, and `com.microsoft.wdav.netext`
+4. Choose **Add** and then choose **Custom Schema**. For **Preference domain**, enter `com.microsoft.wdav`.
-1. Choose the **Scope** tab.
+ :::image type="content" source="../media/macos-onboarding-jamf-external-apps-config-profile-inline.png" alt-text="Screenshot of the External Applications page.":::
-1. Choose the target computers.
+5. Choose **Add Schema** and then select the `schema.json` file you downloaded from GitHub.
-1. Choose **Save**.
-
-1. Choose **Done**.
-
-### Configure Network extension
-
-1. Use the **netfilter.mobileconfig** file that you downloaded from GitHub.
-
-2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
-
-### Grant accessibility access to DLP
-
-1. Use the **accessibility.mobileconfig** file that you downloaded from GitHub.
-
-2. Upload to JAMF as described in [Deploying Custom Configuration Profiles using Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
-
-### Get the installation package
-
-1. In **Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
-
-1. For **Select operating system to start onboarding process** choose **macOS**
-
-1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**
-
-1. Choose **Download installation package**. This will give you the *wdav.pkg* file.
-
-### Deploy the installation package
-
-1. Navigate to where you saved the `wdav.pkg` file.
-
-1. Open the JAMF Pro dashboard.
-
-1. Select your computer and click the gear at the top, then choose **Computer Management**.
-
-1. In **Packages** choose **+New**. Enter these details:
- - Display Name: leave blank because it will be reset when you choose the .pkg file.
- - Category: None (default)
- - Filename: Choose file, in this case the `wdav.pkg` file.
-
-1. Choose **Open**. Set:
- - **Display Name**: `Microsoft Endpoint Technology`
- - **Manifest File**: not required
- - **Options tab**: leave default values
- - **Limitations tab**: leave default values
-
-1. Choose **Save**. This uploads the package to JAMF Pro.
-
-1. Open the **Policies** page.
+6. Choose **Save**.
-1. Choose **+New** to create a new policy.
+7. Under **Preference Domain Properties** manually update the settings as follows:
+ - **Features**
+ - For **Data Loss Prevention**, select `enabled` and then choose **Save**.
-1. Enter these values
- - **Display name**: `MDATP Onboarding200329 v100.86.92 or later`
+ - **Data Loss Prevention**
+ - **Features**
+ - Use DLP_browser_only_cloud_egress: `enabled` if you want to monitor the browser.
+ - Use DLP_ax_only_cloud_egress: `enabled` if you want to monitor only the URL in the browser address bar.
+ - **Antivirus engine** <br>
+ If you are *only* deploying data loss prevention, and not MDE, take the following steps:
+ - Choose **Real-time Protection**.
+ - Choose **Passive mode**.
+ - Choose **Apply**.
-1. Choose **Recurring Check-in**.
+8. Enter a name for the configuration profile and then choose **Save**.
-1. Choose **Save**.
+9. On the next page, choose the **Scope** tab, select the appropriate targets for this configuration profile, and then choose **Save**.
-1. Choose **Packages** > **Configure**.
-1. Choose **Add**.
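Review bot: In step 7 the two cloud egress bullets are worded inconsistently: DLP_browser_only_cloud_egress is "`enabled` if you want to monitor the browser", while DLP_ax_only_cloud_egress is "`enabled` if you want to monitor only the URL in the browser address bar". The removed text said "only monitor browser" for the first one, so the new wording reads as if the setting adds browser monitoring instead of restricting monitoring to it; put "only" back. Step 7 also embeds "choose **Save**" inside the first **Features** bullet, then lists more settings, and step 8 saves again, so it is unclear at which point the profile is actually saved.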
+### Deploy System Configuration Profiles
-1. Choose **Save**.
+1. On the **Configuration Profiles** page of the JAMF Pro console, select **Upload** and then choose **File**.
+
+2. Select the `mdatp-nokext.mobileconfig` file, choose **Open**, and then choose **Upload**.
-1. Choose the **Scope** tab.
+## Upload the installation package
-1. Select the target computers.
+1. In the JAMF Pro console, navigate to **Management Settings** > **Packages** and then choose **New**.
+
+2. Enter a display name for the package, and (optionally) select a category.
-1. Choose **Add**.
+3. Under **Filename** select **Choose File**.
-1. Choose **Self service**.
+4. Select the `wdav.pkg` installation package file and then choose **Save**.
-1. Choose **Done**.
+5. Navigate to **Computers** > **Policies** and choose **New**.
-### Check the macOS device
+6. In the left navigation pane, choose **Packages**.
-1. Restart the macOS device.
+7. From the **Packages** list, select the installation package from Step 4.
-1. Open **System Preferences** > **Profiles**.
+8. For the **Action** choose **Install**.
+
+9. Choose the **Scope** tab and then target computers before choosing choose **Save**.
+
+10. On the **General** page, enter a name for the new policy.
-1. You should see:
- - Accessibility
- - Full Disk Access
- - MAU
- - MDATP Onboarding
- - MDE Preferences
- - Management profile
- - Network filter
- - System extension profile
-## Offboard macOS devices using JAMF Pro
+## Offboard macOS devices using JAMF Pro ##
-1. Uninstall the application (if not using MDE)
- 1. See JAMF Pro Docs - Package Deployment - [JAMF Pro administrators guide](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/)Jamf Pro Administrator's Guide
+> [!IMPORTANT]
+> Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including references to any alerts it has had, will be retained for up to six months.
-1. Restart the macOS device - some applications may lose printing functionality until they are restarted
+1. If you are not using MDE, uninstall the application. See the **Package Deployment** section in the [JAMF Pro documentation](https://www.jamf.com/resources/product-documentation/jamf-pro-administrators-guide/).
-> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
+2. Restart the macOS device. (Some applications may lose printing functionality until they're restarted.)
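Review bot: The **Check the macOS device** section is removed from this article with no replacement, so nothing tells the admin how to confirm that the profiles actually reached the device (the removed list named Accessibility, Full Disk Access, MDATP Onboarding, Network filter and others). Keep a verification step, updated for the bundled *mdatp-nokext.mobileconfig*. Smaller points in the same hunk: "## Upload the installation package" is a level-2 heading while the other phases are level 3, and the overview list places it third although the section appears fourth; step 9 reads "before choosing choose **Save**"; and the policy is saved in step 9 before it is named in step 10.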
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
description: "Monitor and manage the disposal of content for when you use a disp
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*
-Use the **Disposition** page from **Records Management** in the Microsoft Purview compliance portal to manage disposition reviews and view the metadata of [records](records-management.md#records) that have been automatically deleted at the end of their retention period.
+Use the **Disposition** page from **Records Management** in the Microsoft Purview compliance portal to manage disposition reviews and view the metadata of [items marked as records](records-management.md#records) that have been automatically deleted at the end of their retention period.
[!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Prerequisites for viewing content dispositions
-To manage disposition reviews and confirm that records have been deleted, you must have sufficient permissions and auditing must be enabled. Also be aware of any [limitations](retention-limits.md#maximum-numbers-for-disposition-review) for disposition.
+To manage disposition reviews and confirm that items marked as records have been deleted, you must have sufficient permissions and auditing must be enabled. Also be aware of any [limitations](retention-limits.md#maximum-numbers-for-disposition-review) for disposition.
### Permissions for disposition
-To successfully access the **Disposition** tab in the Microsoft Purview compliance portal, users must have the **Disposition Management** role. From December 2020, this role is now included in the **Records Management** default role group.
+To successfully access the **Disposition** tab in the Microsoft Purview compliance portal, users must have the **Disposition Management** role. This role is included in the **Records Management** default role group.
> [!NOTE] > By default, a global admin isn't granted the **Disposition Management** role.
A disposition review can include content in Exchange mailboxes, SharePoint sites
Administrators can see an overview of all pending dispositions in the **Overview** tab. Reviewers see only their items pending disposition. For example:
-![Pending dispositions in Records management overview.](../media/dispositions-overview.png)
When you select the **View all pending dispositions**, you're taken to the **Disposition** page. For example:
-![Dispositions page in the Microsoft Purview compliance portal.](../media/disposition-tab.png)
- ### Workflow for a disposition review The following diagram shows the basic workflow for a disposition review (single-stage) when a retention label is published and then manually applied by a user. Alternatively, a retention label configured for a disposition review can be automatically applied to content.
-
-![Chart showing flow of how disposition works.](../media/5fb3f33a-cb53-468c-becc-6dda0ec52778.png)
++
+### Auto-approval for disposition
+
+> [!NOTE]
+> This feature is in preview and subject to change
+
+You can optionally specify a time period (7-365 days) for auto-approval. The default period if you select this option is 14 days.
+
+If designated reviewers don't take manual action during this time period by using the [standard disposition review process](#viewing-and-disposing-of-content), the item automatically passes to the next review stage. If the item is in the final review stage, the item is automatically disposed with permanent deletion.
+
+> [!IMPORTANT]
+> If you configure this option and items are already pending disposition review, they automatically become auto-approved if they have already exceeded the number of days that you specified for auto-approval. The time period always starts from when the item is ready for disposition review and not from when you configure the option.
+
+As with all retention label changes, allow up to 7 days if you turn on, turn off, or change the number of days for this option.
+
+There's no new auditing event for auto-approval. Instead, use the details in the existing [Approved disposal](audit-log-activities.md#disposition-review-activities) auditing event to identify whether the item was manually approved or automatically approved by using this option.
### How to configure a retention label for disposition review
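Review bot: The new auto-approval section tells readers to use "the details in the existing Approved disposal auditing event" to tell manual approval from automatic approval, but it doesn't name the property or value in that event that carries the distinction. Because an unattended final stage ends in permanent deletion, name the field here or say that the linked audit article documents it. Also add the missing period after "subject to change" in the preview note. The two "For example:" sentences earlier in this hunk now introduce nothing, because their screenshots were removed.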
Triggering a disposition review at the end of the retention period is a configur
From the **Choose what happens after the retention period** page for a retention label:
-![Retention settings for a label.](../media/disposition-review-option.png)
-
+ After you select the **Start a disposition review** option, select **+ Create stages and assign reviewers**. On the next page of the configuration, you'll specify how many consecutive stages of disposition you want and the disposition reviewers for each stage:
-![Specifying disposition reviewers.](../media/disposition-reviewers.png)
+
+Optionally, select whether you want to use [automatic-approval](#auto-approval-for-disposition). If you use this option, specify the number of days reviewers have to take manual action before the item is automatically moved to the next disposition stage or automatically disposed.
Select **+ Add a stage**, and name your stage for identification purposes. Then specify the reviewers for that stage.
-For the reviewers, specify up to 10 individual users or mail-enabled security groups. Microsoft 365 groups ([formerly Office 365 groups](https://techcommunity.microsoft.com/t5/microsoft-365-blog/office-365-groups-will-become-microsoft-365-groups/ba-p/1303601)) aren't supported for this option.
+For the reviewers, specify up to 10 individual users or mail-enabled security groups. Microsoft 365 groups aren't supported for this option.
If you need more than one person to review an item at the end of its retention period, select **Add another stage** and repeat the configuration process for the number of stages that you need, with a maximum of five stages.
Within each individual stage of disposition, any of the users you specify for th
During the configuration phase, for each stage specified, you can rename it, reorder it, or remove it by selecting **Edit stages and reviewers** that now displays for the **Start a disposition review** option. Then for each stage, you can select the Stage actions option (**...**):
-![Stage actions for disposition reviews.](../media/stage-actions-disposition-review.png)
However, you can't reorder or remove a stage after you've created the retention label. You'll see only the **Add a stage** and **Rename a stage** options available. You can still edit the reviewers.
You can customize the email messages that are sent to disposition reviewers for
From any of the Records management pages in the Microsoft Purview compliance portal, select **Records management settings**:
-![Records management settings.](../media/record-management-settings.png)
From the **Disposition** tab, in the **Email notifications for disposition reviews** section, select and specify whether you want to use just the default email message, or add your own text to the default message. Your custom text is added to the email instructions after the information about the retention label and before the next steps instructions.
As you can see from the example shown, the actions supported are:
Each action taken has a corresponding audit event in the [Disposition review activities](audit-log-activities.md#disposition-review-activities) auditing activities group.
-During a disposition review, the content never moves from its original location, and it's not marked for permanent deletion until this action is selected by a reviewer for the final or only disposition stage.
+During the disposition review process, unless you're using the optional setting of an [auto-approval timeout period](#auto-approval-for-disposition), the content never moves from its original location, and it's not marked for permanent deletion until this action is selected by a reviewer for the final or only disposition stage.
## Disposition of records From the **Records management** main page > **Disposition** tab, you can identify: - Items deleted as a result of a disposition review.-- Items marked as a record or regulatory record that were automatically deleted at the end of their retention period.
+- Items marked as a record or regulatory record but not marked for disposition review and automatically deleted at the end of their retention period.
These items display **Records Disposed** in the **Type** column. For example:
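Review bot: In the rewritten sentence that begins "During the disposition review process", the "unless you're using the optional setting of an auto-approval timeout period" clause sits in front of both statements, so it reads as if auto-approval can also move content from its original location. The auto-approval section added in this change describes items passing to the next stage or being permanently deleted, not being moved. Split the sentence: say first that content never moves, then say that it's marked for permanent deletion only when a reviewer selects that action in the final or only stage, or when the auto-approval period expires in that stage.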
When you select a retention label from the **Disposition** page, the **Pending d
For pending dispositions, the time range is based on the expiration date. For disposed items, the time range is based on the deletion date.
-You can export information about the items in either view as a .csv file that you can then sort and manage using Excel.
+You can export information about the items in either view as a .csv file that you can then sort and manage using Excel.
compliance Dlp Powerbi Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-powerbi-get-started.md
search.appverid:
- MET150 description: "Prepare for and deploy DLP to Power BI locations, to help organizations detect and protect their sensitive data." + # Get started with Data loss prevention policies for Power BI To help organizations detect and protect their sensitive data, [Microsoft Purview Data Loss Prevention (DLP) polices](/microsoft-365/compliance/dlp-learn-about-dlp) support Power BI. When a Power BI data set matches the criteria in a DLP policy, an alert that explains the nature of the sensitive content can be triggered. This alert is also registered in the data loss prevention **Alerts** tab in the Microsoft compliance portal for monitoring and management by administrators. In addition, email alerts can be sent to administrators and specified users.
To help organizations detect and protect their sensitive data, [Microsoft Purvie
## Considerations and limitations - DLP policies apply to workspaces. Only workspaces hosted in Premium Gen2 capacities are supported. For more information, see [What is Power BI Premium Gen2?](/power-bi/enterprise/service-premium-gen2-what-is).-- DLP dataset evaluation workloads impact capacity. For more information, see [CPU metering for DLP policy evaluation](/power-bi/enterprise/service-security-dlp-policies-for-power-bi-overview.md#cpu-metering-for-dlp-policy-evaluation)
+- DLP dataset evaluation workloads impact capacity. For more information, see [CPU metering for DLP policy evaluation](/power-bi/enterprise/service-security-dlp-policies-for-power-bi-overview#cpu-metering-for-dlp-policy-evaluation)
- Both classic and new experience workspaces are supported, as long as they're hosted in Premium Gen2 capacities. - You must create a custom DLP custom policy for Power BI. DLP templates aren't supported. - DLP policies that are applied to the DLP location support sensitivity labels and sensitive information types as conditions.
Follow the procedures in [Create and Deploy data loss prevention policies](dlp-c
- [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp) - [Sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-overview) - [Audit schema for sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-audit-schema)++
compliance Ediscovery Add Or Remove Members From A Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-add-or-remove-members-from-a-case.md
Title: "Add or remove members from a case"
+ Title: "Add or remove members from an eEdiscovery (Premium) case"
description: "Learn how to add or remove the members who can access a case when managing an eDiscovery (Premium) case." f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
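Review bot: The added title has a typo, "eEdiscovery (Premium)", while the H1 added in the same change spells it "eDiscovery (Premium)". Change the title to "Add or remove members from an eDiscovery (Premium) case" so that both match.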
search.appverid:
- MET150
-# Add or remove members from a case
+# Add or remove members from an eDiscovery (Premium) case
You can add or remove members to manage who can access the case. However, before a member can access an eDiscovery (Premium) case (and perform tasks in the case), you must add the user to the eDiscovery Manager role group on the **Permissions** page in the Microsoft Purview compliance portal. For more information, see [Assign eDiscovery permissions](./ediscovery-assign-permissions.md). 1. On the **eDiscovery (Premium)** page, go to the case that you want to add a member to.-
-2. Select the **Settings** tab and then select **Select** in the **Access & permissions** tile.
-
+2. Select the **Settings** tab and then choose **Select** in the **Access & permissions** tile.
3. Under **Manage members**, select **Add** to add members to the case. You can also choose to add a role group to the case by selecting **Add** under **Manage role groups**.- 4. In the list of people or role groups that can be added as members of the case, select the check box next to the names of the people or role groups that you want to add. > [!NOTE] > When adding a role group to a case, you can only add the role groups that you are a member of. 5. After you've selected the people or role groups to add as members of the case, select **Add**.- 6. In the **Manage this case** flyout page, select **Save** to save the new list of case members. > [!IMPORTANT]
compliance Ediscovery Close Or Delete Case https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-close-or-delete-case.md
Title: "Close or delete a case"
+ Title: "Close or delete an eDiscovery (Premium) case"
description: Learn what happens when an investigation or legal case supported by a Microsoft Purview eDiscovery (Premium) case is closed or deleted. f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
When the legal case or investigation supported by a Microsoft Purview eDiscovery
Here's what happens when you close an eDiscovery (Premium) case: -- If the case contains any content locations on hold, those holds will be turned off. After the hold is turned off, a 30-day grace period (called a *delay hold*) is applied to content locations that were on hold. This helps prevent content from being immediately deleted and gives admins an opportunity to search for or recover content that will be permanently deleted after the delay hold period expires. For more information, see [Removing content locations from an eDiscovery hold](ediscovery-create-holds.md#removing-content-locations-from-an-ediscovery-hold).
+- If the case contains any content locations on hold, these holds are turned off. After the hold is turned off, a 30-day grace period (called a *delay hold*) is applied to content locations that were on hold. This helps prevent content from being immediately deleted and gives admins an opportunity to search for or recover content that will be permanently deleted after the delay hold period expires. For more information, see [Removing content locations from an eDiscovery hold](ediscovery-create-holds.md#removing-content-locations-from-an-ediscovery-hold).
- Closing a case only turns off the holds that are associated with that case. If other holds are place on a content location (such as a Litigation Hold, Microsoft Purview eDiscovery (Standard) hold, or a hold from a different eDiscovery (Premium) case) those holds will still be maintained. - The case is still listed on the eDiscovery page in the Microsoft Purview compliance portal. The details, holds, searches, and members of a closed case are retained. - You can edit a case after it's closed. For example, you can add or removing members, create searches, export search results, and prepare search results for analysis in eDiscovery (Premium). The primary difference between active and closed cases is that holds are turned off when a case is closed.
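Review bot: The first bullet was reworded, but the unchanged bullets directly below it still read "If other holds are place on a content location" and "you can add or removing members". Since this list is being edited anyway, fix both ("are placed on", "add or remove members") in the same change.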
Here's what happens when you close an eDiscovery (Premium) case:
To close a case: 1. On the **eDiscovery (Premium)** page, select the case that you want to close.-
-2. On the **Settings** tab, under **Case Information**, select **Select**.
-
- ![Access the case information flyout page in an eDiscovery (Premium) case.](..\media\AeDSelectCaseInformation.png)
-
+2. On the **Settings** tab, under **Case Information**, choose **Select**.
3. At the bottom of the **Case Information** flyout page, select **Actions**, and then select **Close case**.
- It might take up to 60 minutes for the closing process to complete.
+It may take up to 60 minutes for the closing process to complete.
## Reopen a closed case
To delete holds associated with a case:
To delete a case: 1. On the **eDiscovery (Premium)** page, select the case that you want to delete.
-2. On the **Settings** tab, under **Case Information**, select **Select**.
+2. On the **Settings** tab, under **Case Information**, choose **Select**.
3. At the bottom of the **Case Information** flyout page, select **Actions**, and then select **Delete case**.
compliance Ediscovery Configure Review Set Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-configure-review-set-settings.md
+
+ Title: Configure review set grouping settings for eDiscovery (Premium) cases
+description: "Configure review set settings that apply to a case in eDiscovery (Premium)"
+f1.keywords:
+- NOCSH
+++ Last updated : 04/28/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- tier1
+- purview-compliance
+- ediscovery
+search.appverid:
+- MOE150
+- MET150
+++
+# Configure review set grouping settings for eDiscovery (Premium) cases
+
+You can configure grouping settings for each Microsoft Purview eDiscovery (Premium) case to control how the data in a review set is grouped and displayed. Turning on the **Enable group** setting is only available for review sets in cases created in your organization after March 15, 2023.
+
+Depending when the case is created, items in a review set can be grouped in two ways:
+
+- **Group review set items by Group ID and Thread ID**: When enabled, review set items are grouped by *Group ID* and *Thread ID*. This setting is the default for all cases created after March 15, 2023.
+- **Group review set items by Family ID and Conversation ID**: When disabled, review set items are grouped by *Family ID* and *Conversation ID*. This setting is the default for all cases created before March 15, 2023.
+
+For more information about review set grouping, see [Group and view documents in a review set](ediscovery-view-documents-in-review-set.md).
++
+## Configure review set grouping settings for a case
+
+To configure review set grouping settings for a case:
+
+1. On the **eDiscovery (Premium)** page, select the case.
+2. On the **Settings** tab, under **Review sets**, choose **Select**.
+3. On the **Review sets** page, select the **Enable group** toggle to enable grouping review set items by *Group ID* and *Thread ID*.
+
+>[!NOTE]
+> For cases created before March 15, 2023, the **Enable group** toggle is disabled. Item grouping in review sets for these cases is based on *Family ID* and *Conversation ID*.
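Review bot: The new article describes cases created "after March 15, 2023" and "before March 15, 2023" but never says which behavior applies to a case created on March 15, 2023; make one of the two bounds inclusive. The two bullets under "items in a review set can be grouped in two ways" read as two separate settings ("When enabled" / "When disabled") although step 3 shows a single **Enable group** toggle, so name that toggle in both bullets. In the closing note, "the **Enable group** toggle is disabled" can mean either turned off or unavailable; say which.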
compliance Ediscovery Configure Search And Analytics Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-configure-search-and-analytics-settings.md
Title: Configure search and analytics settings - eDiscovery (Premium)
+ Title: Configure search and analytics settings for eDiscovery (Premium) cases
description: "Configure Microsoft Purview eDiscovery (Premium) settings that apply to all review set in a case. This includes settings for analytics and Optical character recognition." f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
search.appverid:
-# Configure search and analytics settings in eDiscovery (Premium)
+# Configure search and analytics settings for eDiscovery (Premium) cases
-You can configure settings for each Microsoft Purview eDiscovery (Premium) case to control the following functionality.
+You can configure settings for each Microsoft Purview eDiscovery (Premium) case to control the following functionality:
- Near duplicates and email threading - Themes
You can configure settings for each Microsoft Purview eDiscovery (Premium) case
- Ignore text - Optical character recognition
-To configure search and analytics settings for a case:
-
-1. On the **eDiscovery (Premium)** page, select the case.
-2. On the **Settings** tab, under **Search & analytics**, select **Select**.
+## Configure analytics settings for a case
- The case settings page is displayed. These settings are applied to all review sets in a case.
+To configure search and analytics settings for a case:
- ![Configure analytics and search settings for an eDiscovery (Premium) case.](../media/AeDCaseSettings.png)
+1. On the **eDiscovery (Premium)** page, select the case.
+2. On the **Settings** tab, under **Search & analytics**, choose **Select**. The case settings page is displayed. These settings are applied to all review sets in a case.
+The following sections in this article describe the analytics settings that you can configure for a case.
-## Near duplicates and email threading
+### Near duplicates and email threading
In this section, you can set parameters for duplicate detection, near duplicate detection, and email threading. For more information, see [Near duplicate detection](ediscovery-near-duplicate-detection.md) and [Email threading](ediscovery-email-threading.md).
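Review bot: The new H2 "Configure analytics settings for a case" and the added sentence "describe the analytics settings that you can configure" disagree with the lead-in directly under the heading, "To configure search and analytics settings for a case", and with the article title. Pick one term and use it in all three places. The sections demoted to H3 in this change include "Review set query" and "Optical character recognition (OCR)", so confirm that the chosen term covers them.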
In this section, you can set parameters for duplicate detection, near duplicate
- **Document and email similarity threshold:** If the similarity level for two documents is above the threshold, both documents are put in the same near duplicate set. - **Minimum/maximum number of words:** These settings specify that near duplicates and email threading analysis are performed only on documents that have at least the minimum number of words and at most the maximum number of words.
-## Themes
+### Themes
In this section, you can set parameters for themes. For more information, see [Themes](ediscovery-themes.md).
In this section, you can set parameters for themes. For more information, see [T
- **Include numbers in themes:** When turned on, numbers (that identifies a theme) are included when generating themes. - **Adjust maximum number of themes dynamically:** In certain situations, there may not be enough documents in a review set to produce the desired number of themes. When this setting is enabled, eDiscovery (Premium) adjusts the maximum number of themes dynamically rather than attempting to enforce the maximum number of themes.
-## Review set query
+### Review set query
If you select the **Automatically create a For Review saved search after analytics** checkbox, eDiscovery (Premium) autogenerates review set query named **For Review.**
If you select the **Automatically create a For Review saved search after analyti
This query basically filters out duplicate items from the review set. This lets you review the unique items in the review set. This query is created only when you run analytics for a review set in the case. For more information, about review set queries, see [Query the data in a review set](ediscovery-review-set-search.md).
-## Ignore text
+### Ignore text
There are situations where certain text will diminish the quality of analytics, such as lengthy disclaimers that get added to email messages regardless of the content of the email. If you know of text that should be ignored, you can exclude it from analytics by specifying the text string and the analytics functionality (Near-duplicates, Email threading, Themes, and Relevance) that the text should be excluded for. Using regular expressions (RegEx) as ignored text is also supported.
-## Optical character recognition (OCR)
+### Optical character recognition (OCR)
When this setting is turned on, OCR processing will be run on image files. OCR processing is run in the following situations:
compliance Ediscovery Create And Manage Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-create-and-manage-cases.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
This article also provides a high-level overview of using cases to manage the eD
Complete the following steps to create a case and configure case settings. The user who creates the case is automatically added as a member. Members of the case can access the case in the Microsoft Purview compliance portal and perform eDiscovery (Premium) tasks.
-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a> and sign in using the credentials for user account that has been assigned eDiscovery permissions. Members of the *Organization Management* role group can also create eDiscovery (Premium) cases.
-
-2. In the left navigation pane of the compliance portal, select **Show all**, and then select **eDiscovery** > **Premium**, and then select the <a href="https://go.microsoft.com/fwlink/p/?linkid=2173764" target="_blank">**Cases** tab</a>.
-
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a> and sign in using the credentials for user account that has been assigned eDiscovery permissions. Members of the *Organization Management* role group can also create eDiscovery (Premium) cases.
+2. In the left navigation pane of the compliance portal, select **Show all**, and then select **eDiscovery** > **Premium**, and then select the <a href="https://go.microsoft.com/fwlink/p/?linkid=2173764" target="_blank">**Cases**</a>tab.
3. Select **Create a case**. 4. On the **Name and description** page, complete the following fields:
-
- - **Name**: give the case a name (required).The case name must be unique in your organization
+
+ - **Name**: give the case a name (required). The case name must be unique in your organization
- **Description**: Add an optional description to help others understand this case. - **Number**: Enter an optional docket number or other numeric identifier. - **Case format**: The **New (recommended)** option is automatically selected.
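Review bot: In the added step 2, moving "tab" outside the link dropped the separating space: `**Cases**</a>tab.` runs the link text straight into the next word. Add a space after `</a>`. In the added step 1, "the credentials for user account" is missing an article ("for a user account"), and the added **Name** bullet still ends without a period after "unique in your organization".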
Complete the following steps to create a case and configure case settings. The u
>The legacy **Classic** format is no longer available when creating new cases. This format is now retired for all new cases. 5. Select **Next**.- 6. On the **Members and settings** page, complete the following fields as applicable: - **Team members**: Select users and groups that should be assigned to the case. Make sure that users and groups assigned here have been [assigned the appropriate eDiscovery permissions](/microsoft-365/compliance/ediscovery-assign-permissions#ediscovery-assign-permissions).
Complete the following steps to create a case and configure case settings. The u
- **Optical character recognition (OCR)**: Configure the option and settings for finding text contained in images during advanced indexing. 7. Select **Next**.- 8. On the **Summary** page, review the settings for the case and edit the settings if needed. Select **Submit** to create the new case and start your investigation. ## Mark a case as a favorite
To get you started using eDiscovery (Premium), here's a basic workflow that alig
- Data in the custodian's Exchange mailbox, OneDrive account, and any Microsoft Teams or Yammer groups that the custodian is a member of can be "marked" as custodial data in the case. - Custodian data is reindexed (by a process called *Advanced indexing*). This helps optimize searching for it in the next step.
- - You can place a hold on custodian data. This preserves data that may be relevant to the case during the investigation.
+ - You can place a hold on custodian data. A hold preserves data that may be relevant to the case during the investigation.
- You can associate other data sources with a custodian (for example, you can associate a SharePoint site or Microsoft 365 Group with a custodian) so this data can be reindexed, placed on hold, and searched, just like the data in the custodian's mailbox or OneDrive account. - You can use the [communications workflow](managing-custodian-communications.md) in eDiscovery (Premium) to send a legal hold notification to custodians.
To get you started using eDiscovery (Premium), here's a basic workflow that alig
4. **Review and analyze data in a review set**. Now that data is in a review set, you can use a wide-variety of tools and capabilities to view and analyze the case data with the goal of reducing the data set to what is most relevant to the case you're investigating. Here's a list of some tools and capabilities that you can use during this process.
- - [View documents](ediscovery-view-documents-in-review-set.md). This includes viewing the metadata for each document in a review set, and viewing the document in its native version or text version.
+ - [Group and view documents](ediscovery-view-documents-in-review-set.md). This includes selecting the group options for review sets in your cases, viewing the metadata for each document in a review set, and viewing the document in its native version or text version.
- [Create queries and filters](ediscovery-review-set-search.md). You create search queries using various search criteria (including the ability to search all [file metadata properties](ediscovery-document-metadata-fields.md) to further refine and cull the case data to what is most relevant to the case. You can also use review set filters to quickly apply other conditions to the results of a search query to further refine those results. - [Create and use tags](ediscovery-tagging-documents.md). You can apply tags to documents in a review set to identify which are responsive (or non-responsive to the case) and then use those tags when creating search queries to include or exclude the tagged documents. You can also tagging to determine which documents to export. - [Annotate and redact documents](ediscovery-view-documents-in-review-set.md#annotate-view). You can use the annotation tool in a review to annotate documents and redact content in documents as work product. We generate a PDF version of an annotated or redacted document during review to reduce the risk of exporting the unredacted native version of the document.
compliance Ediscovery Document Metadata Fields https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-document-metadata-fields.md
Title: "Document metadata fields in eDiscovery (Premium)"
-description: "This article defines the metadata fields for documents in a review set in a case in Microsoft Purview eDiscovery (Premium) in Microsoft 365."
+description: "This article defines the metadata fields for documents in a review set in a case in Microsoft Purview eDiscovery (Premium)."
f1.keywords: - NOCSH Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
search.appverid:
# Document metadata fields in eDiscovery (Premium)
-The following table lists the metadata fields for documents in a review set in a case in Microsoft Purview eDiscovery (Premium).
+The following table lists the metadata fields for documents in a review set in a case in Microsoft Purview eDiscovery (Premium). For more information about searchable properties when searching Microsoft 365 content locations when you're collecting data for an eDiscovery (Premium) case, see [Keyword queries and search conditions for Content Search](ediscovery-keyword-queries-and-search-conditions.md).
-The table provides the following information:
+This table provides the following information:
- **Field name** and **Display field name:** The name of the metadata field and the name of the field that's displayed when viewing the file metadata of a selected document in a review set. Some metadata fields aren't included when viewing the file metadata of a document. These fields are highlighted with an asterisk (*).-- **Searchable field name:** The name of the property that you can search for when running a [review set query](ediscovery-review-set-search.md). A blank cell means that you can't search for the field in a review set query.-- **Exported field name:** The name of the metadata field that included when documents are exported. A blank cell means the field isn't included with the exported metadata.
+- **Searchable field name:** The name of the property that you can search for when running a [review set query](ediscovery-review-set-search.md).
+- **Exported field name:** The name of the metadata field that included when documents are exported.
- **Description:** A description of the metadata field. > [!NOTE] > The **Keywords** field in [review set search](./ediscovery-review-set-search.md) uses Keyword Query Language (KQL). The fields listed in the **Searchable field name** column can be used in the **Keywords** field in a review set search to form complex queries without you having to use the query builder. For more information about KQL, see [Keyword Query Language syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
-<br>
-
-****
-
-|Field name and Display field name|Searchable field name|Exported field name|Description|
-|||||
-|Attachment Content ID|AttachmentContentId||Attachment content Id of the item.|
-|Attorney client privilege score|AttorneyClientPrivilegeScore||Attorney-client privilege model content score.|
+|**Field name and Display field name**|**Searchable field name**|**Exported field name**|**Description**|
+|:|:|:-|:--|
+|Attachment Content ID|AttachmentContentId|*Not exported*|Attachment content ID of the item.|
+|Attorney client privilege score|AttorneyClientPrivilegeScore|*Not exported*|Attorney-client privilege model content score.|
|Author|Author|Doc_authors|Author from the document metadata.|
-|BCC|Bcc|Email_bcc|Bcc field for message types. Format is **DisplayName \<SMTPAddress\>**.|
-|CC|Cc|Email_cc|Cc field for message types. Format is **DisplayName \<SMTPAddress\>**.|
+|BCC|Bcc|Email_bcc|Bcc field for message types. The format is *DisplayName \<SMTPAddress\>*.|
+|CC|Cc|Email_cc|Cc field for message types. The format is *DisplayName \<SMTPAddress\>*.|
+|Channel Name|Channel|ChannelName|This field is the Teams channel name. Only applies to Microsoft Teams content.|
|Compliance labels|ComplianceLabels|Compliance_labels|[Retention labels](retention.md) applied to content in Office 365.| |Compound Path|CompoundPath|Compound_path|Human readable path that describes the source of the item.|
-|Content*|Content||Extracted text of the item.|
-|Conversation Body|ConversationBody||Conversation body of the item.|
-|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message. For Teams 1:1 and group chats, all transcript files and their family items within the same conversation share the same Conversation ID. For more information, see [eDiscovery (Premium) workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md).|
-|Conversation Family ID|ConversationFamilyID|ConversationFamilyID|The Id that identifies individual elements of a conversation and the related items in the conversation.|
-|Conversation Index||Conversation_index|Conversation index from the message.|
-|Conversation Name||ConversationName|This field depends on content type.<br>**Teams 1:1 chat:** first 40 characters of first message.<br>**Teams 1:N chat:** Name of group chat; if not available, the first 40 characters of the first message.<br>**Teams Channel Post:** Post title or announcement subhead; if not available, the first 40 characters of the first message.|
-|Conversation Pdf Time|ConversationPdfTime||Date when the PDF version of the conversation was created.|
-|Conversation Redaction Burn Time|ConversationRedactionBurnTime||Date when the PDF version of the conversation was created for Chat.|
-|Conversation Topic|ConversationTopic||Conversation topic of the item.|
+|Content*|Content|*Not exported*|Extracted text of the item.|
+|Conversation Body|ConversationBody|*Not exported*|Conversation body of the item.|
+|Conversation ID|ConversationId|Conversation_ID|Conversation ID from the message. For Teams 1:1 and group chats, all transcript files and their family items within the same conversation share the same Conversation ID. For more information, see [eDiscovery (Premium) workflow for content in Microsoft Teams](ediscovery-teams-workflow.md).|
+|Conversation Family ID|ConversationFamilyID|ConversationFamilyID|The ID that identifies individual elements of a conversation and the related items in the conversation.|
+|Conversation Index|*Not searchable*|Conversation_index|Conversation index from the message.|
+|Conversation Name|*Not searchable*|ConversationName|This field depends on content type.<br>**Teams 1:1 chat:** first 40 characters of first message.<br>**Teams 1:N chat:** Name of group chat; if not available, the first 40 characters of the first message.<br>**Teams Channel Post:** Post title or announcement subhead; if not available, the first 40 characters of the first message.|
+|Conversation Pdf Time|ConversationPdfTime|*Not exported*|Date when the PDF version of the conversation was created.|
+|Conversation Redaction Burn Time|ConversationRedactionBurnTime|*Not exported*|Date when the PDF version of the conversation was created for Chat.|
+|Conversation Topic|ConversationTopic|*Not exported*|Conversation topic of the item.|
|Conversation Type|ConversationType|ConversationType|The type of chat conversation. Values are: <br>**Teams 1:1 and group chats and all Yammer conversations:** Group<br>**Teams channels and private channels:** Channel| |Contains Deleted Message|ContainsDeletedMessage|ContainsDeletedMessage|Indicates if the chat transcript includes a deleted message| |Contains Edited Message|ContainsEditedMessage|ContainsEditedMessage|Indicates if the chat transcript includes an edited message| |Teams Announcement Title|TeamsAnnouncementTitle|TeamsAnnouncementTitle|Title from a [teams announcement](https://support.microsoft.com/office/send-an-announcement-to-a-channel-8f244ea6-235a-4dcc-9143-9c5b801b4992).|
-|||Converted_file_path|The path of the converted export file. For internal Microsoft use only.|
+|*N/A*|*N/A*|Converted_file_path|The path of the converted export file. For internal Microsoft use only.|
|Custodian|Custodian|Custodian|Name of the custodian the item was associated with.| |Date|Date|Date|Date is a computed field that depends on the file type.<p>**Email**: Sent date<br>**Email attachments**: Last modified date of the document; if not available, the parent's sent date<br>**Embedded documents**: Last modified date of the document; if not available, the parent's last modified date<br>**SPO documents (includes modern attachments)**: Last modified date of the document; if not available, SharePoint last modified date<br>**Non-Office 365 documents**: Last modified date<br>**Meetings**: Meeting start date<br>**VoiceMail**: Sent date<br>**IM**: Sent date<br>**Teams**: Sent date| |Document comments|DocComments|Doc_comments|Comments from the document metadata.|
-|Document company||Doc_company|Company from the document metadata.|
+|Document company|*Not searchable*|Doc_company|Company from the document metadata.|
|Document date created|CreatedTime|Doc_date_created|Create date from document metadata.|
-|DocIndex*|||The index in the family. **-1** or **0** means it's the root.|
-|Document keywords||Doc_keywords|Keywords from the document metadata.|
-|Document modified by||Doc_modified_by|The user who last modified the document from document metadata.|
+|DocIndex*|*Not searchable*|*Not exported*|The index in the family. *-1* or *0* means it's the root.|
+|Document keywords|*Not searchable*|Doc_keywords|Keywords from the document metadata.|
+|Document modified by|*Not searchable*|Doc_modified_by|The user who last modified the document from document metadata.|
|Document revision|Doc_Version|Doc_Version|Revision from the document metadata.|
-|Document subject||Doc_subject|Subject from the document metadata.|
-|Document template||Doc_template|Template from the document metadata.|
-|DocLastSavedBy||Doc_last_saved_by|The name of the user who last saved the document.|
+|Document subject|*Not searchable*|Doc_subject|Subject from the document metadata.|
+|Document template|*Not searchable*|Doc_template|Template from the document metadata.|
+|DocLastSavedBy|*Not searchable*|Doc_last_saved_by|The name of the user who last saved the document.|
|Dominant theme|DominantTheme|Dominant_theme|Dominant theme as calculated for analytics.|
-|Duplicate subset||Duplicate_subset|Group ID for exact duplicates.|
-|EmailAction*||Email_action|Values are **None**, **Reply**, or **Forward**; based on the subject line of a message.|
-|Email Delivery Receipt Requested||Email_delivery_receipt|Email address supplied in Internet Headers for delivery receipt.|
-|Importance|EmailImportance|Email_importance|Importance of the message: **0** - Low; **1** - Normal; **2** - High|
+|Duplicate subset|*Not searchable*|Duplicate_subset|Group ID for exact duplicates.|
+|EmailAction*|*Not searchable*|Email_action|Values are *None*, *Reply*, or *Forward*; based on the subject line of a message.|
+|Email Delivery Receipt Requested|*Not searchable*|Email_delivery_receipt|Email address supplied in Internet Headers for delivery receipt.|
+|Importance|EmailImportance|Email_importance|Importance of the message: *0* - Low; *1* - Normal; *2* - High|
|Ignored processing errors|ErrorIgnored|Error_Ignored|Error was ignored and not remediated.| |EmailInternetHeaders|EmailInternetHeaders|Email_internet_headers|The full set of email headers from the email message|
-|EmailLevel*||Email_level|Indicates a message's level within the email thread it belongs to; attachments inherit its parent message's value.|
-|Email Message ID||Email_message_ID|Internet message Id from the message.|
-|EmailReadReceiptRequested||Email_read_receipt|Email address supplied in Internet Headers for read receipt.|
-|Email Security|EmailSecurity|Email_security|Security setting of the message: **0** - None; **1** - Signed; **2** - Encrypted; **3** - Encrypted and signed.|
-|Email Sensitivity|EmailSensitivity|email_sensitivity|Sensitivity setting of the message: **0** - None; **1** Personal; **2** - Private; **3** - CompanyConfidential.|
+|EmailLevel*|*Not searchable*|Email_level|Indicates a message's level within the email thread it belongs to; attachments inherit its parent message's value.|
+|Email Message ID|*Not searchable*|Email_message_ID|Internet message ID from the message.|
+|EmailReadReceiptRequested|*Not searchable*|Email_read_receipt|Email address supplied in Internet Headers for read receipt.|
+|Email Security|EmailSecurity|Email_security|Security setting of the message: *0* - None; *1* - Signed; *2* - Encrypted; *3* - Encrypted and signed.|
+|Email Sensitivity|EmailSensitivity|email_sensitivity|Sensitivity setting of the message: *0* - None; *1* Personal; *2* - Private; *3* - CompanyConfidential.|
|Email set|EmailSet|Email_set|Group ID for all messages in the same email set.|
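Review bot: in the added Email Sensitivity row, "*1* Personal" is missing the " - " separator that every other value in that row and in the Email Security row uses. The omission is carried over from the removed line; since the row is being rewritten anyway, change it to "*1* - Personal".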
-|EmailThread*||Email_thread|Position of the message within the email set; consists of node IDs from the root to the current message and are separated by periods (.).|
-|||Export_native_path|The path of the exported file.|
-|Extracted content type||Native_type|Extracted content type, in the form of mime type; for example, **image/jpeg**|
-|||Extracted_text_path|The path to the extracted text file in the export.|
-|ExtractedTextLength*||Extracted_text_length|Number of characters in the extracted text.|
-|FamilyDuplicateSet*||Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).|
+|EmailThread*|*Not searchable*|Email_thread|Position of the message within the email set; consists of node IDs from the root to the current message and are separated by periods (.).|
+|*N/A*|*N/A*|Export_native_path|The path of the exported file.|
+|Extracted content type|*Not searchable*|Native_type|Extracted content type, in the form of mime type; for example, *image/jpeg*|
+|*N/A*|*N/A*|Extracted_text_path|The path to the extracted text file in the export.|
+|ExtractedTextLength*|*Not searchable*|Extracted_text_length|Number of characters in the extracted text.|
+|FamilyDuplicateSet*|*Not searchable*|Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).|
|Family ID|FamilyId|Family_ID|Groups together attachments and extracted items from email and chats with its parent item. This includes the chat or email and all attachments and extracted items.|
-|Family Size||Family_size|Number of documents in the family.|
-|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**. <br>For content from Exchange: **Email** or **Attachment**. <br>For content from Teams or Yammer: **Conversations**.|
+|Family Size|*Not searchable*|Family_size|Number of documents in the family.|
+|File class|FileClass|File_class|For content from SharePoint and OneDrive: *Document*. <br>For content from Exchange: *Email* or *Attachment*. <br>For content from Teams or Yammer: *Conversations*.|
|File ID|FileId|File_ID|Document identifier unique within the case.|
-|File system date created||File_system_date_created|Created date from file system (only applies to non-Office 365 data).|
-|File system date modified||File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).|
-|File Type|FileType||File type of the item based on file extension.|
+|File system date created|*Not searchable*|File_system_date_created|Created date from file system (only applies to non-Office 365 data).|
+|File system date modified|*Not searchable*|File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).|
+|File Type|FileType|*Not exported*|File type of the item based on file extension.|
|Group ID|GroupId|Group_ID|Groups together all items for email and documents. For email, this includes the message and all attachments and extracted items. For documents, this includes the document and any embedded items.| |Has attachment|EmailHasAttachment|Email_has_attachment|Indicates whether or not the message has attachments.|
-|Has attorney|HasAttorney||**True** when at least one of the participants is found in the attorney list; otherwise, the value is **False**.|
-|HasText*||Has_text|Indicates whether or not the item has text; possible values are **True** and **False**.|
-|Immutable ID||Immutable_ID|This Id is used to uniquely identify a document within a review set. This field can't be used in a review set search and the Id can't be used to access a document in its native location.|
-|Inclusive type|InclusiveType|Inclusive_type|Inclusive type calculated for analytics: **0** - not inclusive; **1** - inclusive; **2** - inclusive minus; **3** - inclusive copy.|
-|In Reply To ID||In_reply_to_ID|In reply to Id from the message.|
-|InputFileExtension||Original_file_extension|The original file extension of the file.|
-|InputFileID||Input_file_ID|The file ID of the top level item in the review set. For an attachment, this ID will be the ID of the parent. This can be used to group families together.|
-|Is modern attachment|IsModernAttachment||This file is a modern attachment or linked file.|
-|Is from document version|IsFromDocumentVersion||Current document is from a different version of another document.|
-|Is email attachment|IsEmailAttachment||This item is from an email attachment that shows up as an attached item to the message.|
-|Is inline attachment|IsInlineAttachment||This was attached inline and shows up in the body of the message.|
+|Has attorney|HasAttorney|*Not exported*|*True* when at least one of the participants is found in the attorney list; otherwise, the value is *False*.|
+|HasText*|*Not searchable*|Has_text|Indicates whether or not the item has text; possible values are *True* and *False*.|
+|Immutable ID|*Not searchable*|Immutable_ID|This ID is used to uniquely identify a document within a review set. This field can't be used in a review set search and the ID can't be used to access a document in its native location.|
+|Inclusive type|InclusiveType|Inclusive_type|Inclusive type calculated for analytics: *0* - not inclusive; *1* - inclusive; *2* - inclusive minus; *3* - inclusive copy.|
+|In Reply To ID|*Not searchable*|In_reply_to_ID|In reply to ID from the message.|
+|InputFileExtension|*Not searchable*|Original_file_extension|The original file extension of the file.|
+|InputFileID|*Not searchable*|Input_file_ID|The file ID of the top level item in the review set. For an attachment, this ID will be the ID of the parent. This can be used to group families together.|
+|Is modern attachment|IsModernAttachment|*Not exported*|This file is a modern attachment or linked file.|
+|Is from document version|IsFromDocumentVersion|*Not exported*|Current document is from a different version of another document.|
+|Is email attachment|IsEmailAttachment|*Not exported*|This item is from an email attachment that shows up as an attached item to the message.|
+|Is inline attachment|IsInlineAttachment|*Not exported*|This was attached inline and shows up in the body of the message.|
|Is Representative|IsRepresentative|Is_representative|One document in every set of exact duplicates is marked as representative.|
-|Item class|ItemClass|Item_class|Item class supplied by exchange server; for example, **IPM.Note**|
+|Item class|ItemClass|Item_class|Item class supplied by exchange server; for example, *IPM.Note*|
|Last modified date|LastModifiedDate|Doc_date_modified|Last modified date from document metadata.|
-|Load ID|LoadId|Load_ID|The Id of the load set in which the item was added to a review set.|
+|Load ID|LoadId|Load_ID|The ID of the load set in which the item was added to a review set.|
|Location|Location|Location|String that indicates the type of location that documents were sourced from.<p>**Imported Data** - Non-Office 365 data<br>**Teams** - Microsoft Teams<br>**Exchange** - Exchange mailboxes<br>**SharePoint** - SharePoint sites<br>**OneDrive** - OneDrive accounts| |Location name|LocationName|Location_name|String that identifies the source of the item. For exchange, this will be the SMTP address of the mailbox; for SharePoint and OneDrive, the URL for the site collection.|
-|||Marked_as_pivot|This file is the pivot in a near duplicate set.|
-|Marked as representative|MarkAsRepresentative||One document from each set of exact duplicates is marked as representatives.|
+|*N/A*|*N/A*|Marked_as_pivot|This file is the pivot in a near duplicate set.|
+|Marked as representative|MarkAsRepresentative|*Not exported*|One document from each set of exact duplicates is marked as representatives.|
|Meeting End Date|MeetingEndDate|Meeting_end_date|Meeting end date for meetings.| |Meeting Start Date|MeetingStartDate|Meeting_start_date|Meeting start date for meetings.|
-|Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: **<p>contacts <br>docs <br>email <br>externaldata <br>faxes <br>im <br>journals <br>meetings <br>microsoftteams** (returns items from chats, meetings, and calls in Microsoft Teams) **<br>notes <br>posts <br>rssfeeds <br>tasks <br>voicemail**|
-|Modern Attachment Parent ID||ModernAttachment_ParentId|The Immutable Id of the document's parent.|
+|Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: *<p>contacts <br>docs <br>email <br>externaldata <br>faxes <br>im <br>journals <br>meetings <br>microsoftteams* (returns items from chats, meetings, and calls in Microsoft Teams) *<br>notes <br>posts <br>rssfeeds <br>tasks <br>voicemail*|
+|Modern Attachment Parent ID|*Not searchable*|ModernAttachment_ParentId|The Immutable ID of the document's parent.|
|Native Extension|NativeExtension|Native_extension|Native extension of the item.| |Native file name|NativeFileName|Native_file_name|Native file name of the item.|
-|NativeMD5||Native_MD5|MD5 hash (128-bit hash value) of the file stream.|
-|NativeSHA256||Native_SHA_256|SHA256 hash (256-bit hash value) of the file stream.|
-|ND/ET Sort: Excluding attachments|NdEtSortExclAttach|ND_ET_sort_excl_attach|Concatenation of the email thread (ET) set and Near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets.|
-|ND/ET Sort: Including attachments|NdEtSortInclAttach|ND_ET_sort_incl_attach|Concatenation of an email thread (ET) set and near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets. Each email item in an ET set is followed by its appropriate attachments.|
-|Near Duplicate Set||ND_set|Items that are similar to the pivot document share the same ND_set.|
-|O365 authors||O365_authors|Author from SharePoint.|
-|O365 created by||O365_created_by|Created by from SharePoint.|
-|O365 date created||O365_date_created|Created date from SharePoint.|
-|O365ModifiedDate||O365_date_modified|The date a document (or document version) collected from SharePoint or OneDrive for Business was modified. This is the same modified date as the one displayed in the version history in the SharePoint and OneDrive user experience.|
-|O365 modified by||O365_modified_by|Modified by from SharePoint or OneDrive.|
+|Native file size|Size|Native_size|Number of bytes of the native item.|
+|NativeMD5|*Not searchable*|Native_MD5|MD5 hash (128-bit hash value) of the file stream.|
+|NativeSHA256|*Not searchable*|Native_SHA_256|SHA256 hash (256-bit hash value) of the file stream.|
+|ND/ET Sort: Excluding attachments|NdEtSortExclAttach|ND_ET_sort_excl_attach|Concatenation of the email thread (ET) set and Near-duplicate (ND) set. This field is used for efficient sorting at review time. A *D* is prefixed to ND sets and an *E* is prefixed to ET sets.|
+|ND/ET Sort: Including attachments|NdEtSortInclAttach|ND_ET_sort_incl_attach|Concatenation of an email thread (ET) set and near-duplicate (ND) set. This field is used for efficient sorting at review time. A *D* is prefixed to ND sets and an *E* is prefixed to ET sets. Each email item in an ET set is followed by its appropriate attachments.|
+|Near Duplicate Set|*Not searchable*|ND_set|Items that are similar to the pivot document share the same ND_set.|
+|O365 authors|*Not searchable*|O365_authors|Author from SharePoint.|
+|O365 created by|*Not searchable*|O365_created_by|Created by from SharePoint.|
+|O365 date created|*Not searchable*|O365_date_created|Created date from SharePoint.|
+|O365ModifiedDate|*Not searchable*|O365_date_modified|The date a document (or document version) collected from SharePoint or OneDrive for Business was modified. This is the same modified date as the one displayed in the version history in the SharePoint and OneDrive user experience.|
+|O365 modified by|*Not searchable*|O365_modified_by|Modified by from SharePoint or OneDrive.|
|Other custodians|DedupedCustodians|Deduped_custodians|List of custodians of documents that are exact duplicates (for email, based on content; for documents, based on hash).| |Other file IDs|DedupedFileIds|Deduped_file_IDs|List of file IDs of documents that are exact duplicates (for email, based on content; for documents, based on hash).| |Other paths|Dedupedcompoundpath|Deduped_compound_path|List of compound paths of documents that are exact duplicates (email: based on content, documents: based on hash).|
-|Parent ID|ParentId|Parent_ID|Id of the item's parent.|
-|ParentNode||Parent_node|The closest preceding email message in the email thread.|
+|Parent ID|ParentId|Parent_ID|ID of the item's parent.|
+|ParentNode|*Not searchable*|Parent_node|The closest preceding email message in the email thread.|
|Participant domains|ParticipantDomains|Email_participant_domains|List of all domains of participants of a message.|
-|Participants|Participants|Email_participants|List of all participants of a message; for example, Sender, To, Cc, Bcc.|
+|Participants|Participants|Email_participants|List of all participants of a message; for example, *Sender*, *To*, *Cc*, *Bcc*.|
|Pivot ID|PivotId|Pivot_ID|The ID of a pivot.| |Potentially privileged|PotentiallyPrivileged|Potentially_privileged|True if attorney-client privilege detection model considers the document potentially privileged| |Processing status|ProcessingStatus|Error_code|Processing status after the item was added to a review set.|
-|Read percentile|ReadPercentile||Read percentile for the document based on Relevance.|
+|Read percentile|ReadPercentile|*Not exported*|Read percentile for the document based on Relevance.|
|Received|Received|Email_date_received|The date and time the email was received in UTC.|
-|Recipient Count||Recipient_count|Number of recipients in the message.|
+|Recipient Count|*Not searchable*|Recipient_count|Number of recipients in the message.|
|Recipient domains|RecipientDomains|Email_recipient_domains|List of all domains of recipients of a message.| |Recipients|Recipients|Email_recipients|List of all recipients of a message (To, Cc, Bcc).|
-|||Redacted_file_path|The path of the redacted replacement file in the export.|
-|||Redacted_text_path|The path of the redacted text file replacement in the export. For internal Microsoft use only.|
-|Relevance tag Case issue 1||Relevance_tag_case_issue_1|Relevance tag Case issue 1 from Relevance.|
-|Relevance score|RelevanceScore||Relevance score of a document based on Relevance.|
-|Relevance tag|RelevanceTag||Relevance score of a document based on Relevance.|
-|Representative ID|RepresentativeId||Numeric identifier of each set of exact duplicates.|
-|||Row_number|The row number of the item in the load file.|
-|Sender|Sender|Email_sender|Sender (From) field for message types. Format is **DisplayName \<SmtpAddress>**.|
-|Sender/Author|SenderAuthor||Calculated field comprised of the sender or author of the item.|
+|*N/A*|*N/A*|Redacted_file_path|The path of the redacted replacement file in the export.|
+|*N/A*|*N/A*|Redacted_text_path|The path of the redacted text file replacement in the export. For internal Microsoft use only.|
+|Relevance tag Case issue 1|*Not searchable*|Relevance_tag_case_issue_1|Relevance tag Case issue 1 from Relevance.|
+|Relevance score|RelevanceScore|*Not exported*|Relevance score of a document based on Relevance.|
+|Relevance tag|RelevanceTag|*Not exported*|Relevance score of a document based on Relevance.|
+|Representative ID|RepresentativeId|*Not exported*|Numeric identifier of each set of exact duplicates.|
+|*N/A*|*N/A*|Row_number|The row number of the item in the load file.|
+|Sender|Sender|Email_sender|Sender (From) field for message types. The format is *DisplayName \<SmtpAddress>*.|
+|Sender/Author|SenderAuthor|*Not exported*|Calculated field comprised of the sender or author of the item.|
|Sender domain|SenderDomain|Email_sender_domain|Domain of the sender.| |Sent|Sent|Email_date_sent|Sent date of the message.<br>Chats: Beginning date from the transcript|
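Review bot: the added Relevance tag row keeps the description "Relevance score of a document based on Relevance.", which is word for word the description of the Relevance score row directly above it. The row should describe the tag rather than the score; fix it while the line is being touched.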
+|Set ID|*Not searchable*|Set_ID|Documents of similar content (ND_set) or email within the same email thread (Email_set) share the same Set_ID.|
|Set Order: Inclusive First|SetOrderInclusivesFirst|Set_order_inclusives_first|Sorting field - email and attachments: counter-chronological; documents: pivot first then by descending similarity score.|
-|Set ID||Set_ID|Documents of similar content (ND_set) or email within the same email thread (Email_set) share the same Set_ID.|
-|SimilarityPercent||Similarity_percent|Indicates how similar a document is to the pivot of the near duplicate set.|
-|Native file size|Size|Native_size|Number of bytes of the native item.|
+|SimilarityPercent|*Not searchable*|Similarity_percent|Indicates how similar a document is to the pivot of the near duplicate set.|
|Subject|Subject|Email_subject|Subject of the message.|
-|Subject/Title|SubjectTitle||Calculated field comprised of the subject or title of the item.|
+|Subject/Title|SubjectTitle|*Not searchable*|Calculated field comprised of the subject or title of the item.|
|Tags|Tags|Tags|Tags applied in a review set.|
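Review bot: in the added Subject/Title row the third column is the exported field name, so the marker there should be *Not exported*, not *Not searchable*. The searchable name SubjectTitle is still present in the second column, and every other row whose export column was blank in the removed version (Sender/Author, for example) received *Not exported*.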
-|Channel Name|Channel|ChannelName|This is the Teams channel name. Only applies to Microsoft Teams content.|
|Team Name|TeamName|TeamName|**Teams:** Name of team<br>**Yammer:** Community name| |Themes list|ThemesList|Themes_list|Themes list as calculated for analytics.|
+|Thread ID|ThreadId|Thread_ID|The Thread ID from email messages, Teams conversations, and Yammer conversations. For email messages, all reply messages and attachments share the same Thread ID. For Teams 1:1 and group chats, all transcript files and their associated items within the same conversation share the same Thread ID. For more information, see [View documents in a review set](ediscovery-view-documents-in-review-set.md#grouping).|
|Title|Title|Doc_title|Title from the document metadata. Title from the document metadata. For Teams and Yammer content, this is the value from the ConversationName property.|
-|To|To|Email_to|To field for message types. Format is **DisplayName\<SmtpAddress>**|
-|Unique in email set|UniqueInEmailSet||**False** if there's a duplicate of the attachment in its email set.|
-|Version Group ID||Version_Group_Id|Groups together the different versions of the same document.|
-|VersionNumber||Version_Number|The version number of a document collected from SharePoint or OneDrive for Business. This is the same version number as the one displayed in the version history in the SharePoint and OneDrive user experience.|
-|Was Remediated|WasRemediated|Was_Remediated|**True** if the item was remediated, otherwise **False**.|
+|To|To|Email_to|To field for message types. The format is *DisplayName\<SmtpAddress>*|
+|Unique in email set|UniqueInEmailSet|*Not exported*|*False* if there's a duplicate of the attachment in its email set.|
+|Version Group ID|*Not searchable*|Version_Group_Id|Groups together the different versions of the same document.|
+|VersionNumber|*Not searchable*|Version_Number|The version number of a document collected from SharePoint or OneDrive for Business. This is the same version number as the one displayed in the version history in the SharePoint and OneDrive user experience.|
+|Was Remediated|WasRemediated|Was_Remediated|*True* if the item was remediated, otherwise *False*.|
|Word count|WordCount|Word_count|Number of words in the item.| |||||-
-> [!NOTE]
-> For more information about searchable properties when searching Microsoft 365 content locations when you're collecting data for an eDiscovery (Premium) case, see [Keyword queries and search conditions for Content Search](ediscovery-keyword-queries-and-search-conditions.md).
compliance Ediscovery Tagging Documents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-tagging-documents.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 04/28/2023 audience: Admin
Tagging items in review sets is a two-step process. The first step is to create
Before applying tags to items in a review set, you need to create a tag structure. 1. Open a review set, go to the command bar, and select **Tag files**.- 2. On the **Tag files** flyout page, select **Create/edit tags**.-
- ![Select Create/edit tags on the flyout page.](../media/CreateAeDTags1.png)
- 3. On the **Tags** page, select **Add section**.- 4. Type a tag group title and an optional description, and then select**Save**.- 5. Select the triple dot dropdown menu next to the tag group title and select **Add check box** or **Add option button**.- 6. Type a name and description for the checkbox or option button.- 7. Repeat this process to create new tag sections, tag options, and checkboxes. For example, the following screenshot shows a tag group named **Review**, which consists of **Responsive** and **Not-responsive** checkboxes. ![Configure tag structure.](../media/ManageTagOptions3.png)
Before applying tags to items in a review set, you need to create a tag structur
With the tag structure in place, reviewers can apply tags to items in a review set by configuring tagging settings. 1. In the review set command bar, select **Tag files** to display the **Tag files** flyout page (also called the *tagging panel*).-
- ![Select Tag files in the command bar to open the tagging panel.](../media/TagFilesFlyoutPage.png)
- 2. On the **Tag files** flyout page, you can set the following options to configure how to tag items displayed in the review set. The filters or filter queries currently applied to the review set determine which items are displayed and therefore the items that you can apply tags to. For more information, see [Query and filter content in a review set](ediscovery-review-set-search.md). - **Choose selection**. Choose one the following options to determine the scope of items to apply tags to. - **Tag selected items**: This option applies tags to the items that you select. You can select items before or after launching the tagging panel. This option displays (in real time) the number of selected items that will be tagged.- - **Tag all items in list**: This option applies tags to all items displayed in the review set. This option displays the total number of items that will be tagged.
- - **Expand selection**: Use the following options to tag additional items that are related to tagged items in the review set.
+ - **Expand selection**: Use the following options to tag additional items that are related to tagged items in the review set. Depending on the **Enable group** option [enabled in the case settings](ediscovery-configure-review-set-settings.md), you'll see the following options:
- - **Include associated family items**: This option applies the same tag to the associated family items of items that are tagged. *Family items* are items that share the same **FamilyId** metadata property value. For example, a document that's attached to an email message shares the same **FamilyId** as the email message. So if this option is selected for this example, the email message and the document are tagged, even though the document might not be included in the list of review set items.
+ **With *Enable group* in settings disabled**:
+ - **None**: This option doesn't apply tags to associated family items or associated conversation items. It only applies tags to the items that are selected or to all items in the review set list.
+ - **Include associated family items**: This option applies the same tag to the associated family items of items that are tagged. *Family items* are items that share the same **FamilyId** metadata property value. For example, a document that's attached to an email message shares the same **FamilyId** as the email message. So if this option is selected for this example, the email message and the document are tagged, even though the document might not be included in the list of review set items.
- **Include associated conversation items**: This option applies the same tag to all items that are in the same Teams or Yammer conversation as the items that are tagged. *Conversation items* are items that share the same **ConversationId** metadata property value. All messages, posts, and corresponding transcript file of a conversation share the same **ConversationId**. If this option is selected, then all items in the same conversation (and transcript file) are tagged, even though some of those conversation items might not be included in the list of review set items. For more information about conversation items, see the "Grouping" section in [eDiscovery (Premium) workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md#grouping).
- - **None**: This option doesn't apply tags to family items or conversation items. It only applies tags to the items that are selected or to all items in the review set list.
+ >[!NOTE]
+ >Including associated family or conversation items will not change the count of items shown in the **Tag selected items** or **Tag all items in list** options. In other words, the number of associated items that will be tagged is not displayed.
- > [!NOTE]
- > Including associated family or conversation items will not change the count of items shown in the **Tag selected items** or **Tag all items in list** options. In other words, the number of associated items that will be tagged is not displayed.
+ **With *Enable group* in settings enabled**:
+
+ - **None**: This option doesn't apply tags to family group items or conversation group items. It only applies tags to the items that are selected or to all items in the review set list.
+ - **Include family groups**: This option applies the same tag to the associated family items of items that are tagged. *Family group* items are items that share the same **GroupId** metadata property value. For example, a document that's attached to an PowerPoint file shares the same **GroupId** as the document. So if this option is selected for this example, the document and the PowerPoint file are both tagged. Both are grouped together in the list of review set items.
+ - **Include conversation groups**: This option applies the same tag to all items that are in the same email, Teams, or Yammer conversation as the items that are tagged. *Conversation group* items are items that share the same **ThreadId** metadata property value. All messages, posts, and corresponding transcript files of a conversation share the same **ThreadId**. If this option is selected, then all items in the same conversation (and transcript file) are tagged. All items are grouped together in the list of review set items.
- **Assign tags**: This section displays the tags (organized by tag groups) that you can apply to documents. You can only apply one single-choice tag (identified by a radio button) per tag group. However, you can apply multiple multi-choice tags (which are identified by a checkbox).
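Review bot: In the added **Include family groups** bullet, the example compares the document with itself and has a grammar slip: "a document that's attached to an PowerPoint file shares the same **GroupId** as the document". Suggest "attached to a PowerPoint file shares the same **GroupId** as the PowerPoint file". Also, the note that associated items don't change the displayed count now sits only under the disabled branch. If the count behaves the same way with **Enable group** turned on, repeat the note there or move it below both branches.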
You can remove tags from items in a review set. However, you can't remove a sing
To remove a tag:
-1. Select the items the you want to remove the tag from.
-
+1. Select the items that you want to remove the tag from.
2. Select **Tag files** to display the tagging panel.- 3. Under **Assign tags**, unselect the tag, and then select **Apply tags**. You can also use the previous procedure to change the tag applied to selected items. After unselecting the current tag, you can select a different one.
compliance Ediscovery View Documents In Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-view-documents-in-review-set.md
Title: View documents in a review set in eDiscovery (Premium)
-description: "Choose how you view content in eDiscovery (Premium) review sets, such as source, plain text, annotate, and metadata."
+ Title: Group and view documents in a review set in eDiscovery (Premium)
+description: "Choose how you group and view content in eDiscovery (Premium) review sets. Includes grouping review set items by families and conversations, and viewing individual item source, plain text, annotate, and metadata information."
f1.keywords: - NOCSH Previously updated : 03/17/2023 Last updated : 04/28/2023 audience: Admin
search.appverid:
-# View documents in a review set in eDiscovery (Premium)
+# Group and view documents in a review set in eDiscovery (Premium)
-eDiscovery (Premium) review sets display content using several viewers each with different purposes. These viewers are used by selecting the viewer on any document within a review set. The available document viewers are:
--- Source-- Plain text-- Annotate-- Metadata
+eDiscovery (Premium) review sets display content using different grouping options and include specialized viewers that you can use to examine details about individual items.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## Grouping
+
+Use the **Group** control in the command bar of a review set to view review content grouped by the following options:
+
+### Option 1: Group items with Group ID and Thread ID
+
+If you're new to eDiscovery or are an existing eDiscovery customer with a steady stream of new cases, grouping review set items using [Group IDs and Thread IDs](ediscovery-document-metadata-fields.md) is the recommended option. This grouping option makes it easier to find and review related items in a review set by grouping them together in the list view. With the **Enable group** option [enabled in the case settings](ediscovery-configure-review-set-settings.md), you'll see the following grouping options on the **Group** control in the command bar of a review set:
+
+- **Group by families**: All items related to a specific file are grouped together using the same Group ID. For example, if you have a PowerPoint file in the review set that includes imbedded images or .zip files, these images and files are grouped with the PowerPoint file and shown as nested items with the file in the item list view.
+- **Group by conversations**: All email messages, Teams conversations, and Yammer conversations are grouped using the same Thread ID and appear as nested items. Additionally, all associated content for these messages and conversations is also grouped together. For example, if you have an email conversation that includes several email messages, some of which include attachments and some that include embedded images, all of the email messages, attachments, and images are grouped together in the review set list view under an applicable item.
+
+>[!NOTE]
+> For cases created before March 15, 2023, the **Enable group** toggle is disabled and these grouping options aren't available. Item grouping in review sets for these cases is based on *Family ID* and *Conversation ID* described in Option 2.
+
+### Option 2: Group items with Family ID and Conversation ID
+
+If you're an existing eDiscovery with a large number of existing cases or use existing internal or third-party automation to help process review set items, you may want to continue to group review set items with [Family IDs and Conversation IDs](ediscovery-document-metadata-fields.md). With the **Enable group** option [disabled in the case settings](ediscovery-configure-review-set-settings.md), you'll see the following grouping options on the **Group** control in the command bar of a review set:
+
+- **Group family attachments**: View review set content grouped by family. Each transcript file is displayed on a line in the list of review set items. Attachments are nested under the item.
+- **Group Teams or Yammer conversations**: View Teams and Yammer content grouped by conversation. Each conversation is displayed on a line in the list of review set items. Transcript files and attachments are nested under the top-level conversation.
+
+> [!NOTE]
+> Cloud attachments are grouped with the conversations they appear in. This grouping is accomplished by assigning the same **FamilyId** as the transcript file of the message the file was attached to and the same **ConversationId** as the conversation the message appeared in. This means multiple copies of cloud attachments may be added to the review set if they were attached to different conversations.
+ ## Source view
-The source viewer displays the richest view of a document. It supports hundreds of file types and is meant to display the truest to native experience possible. For Microsoft Office files, the viewer uses the web version of Office apps to display content such as document comments, Microsoft Teams chats, Excel formulas, hidden rows/columns, and PowerPoint notes.
+The **Source** viewer displays the richest view of a selected document. It supports hundreds of file types and is meant to display the truest to native experience possible. For Microsoft Office files, the viewer uses the web version of Office apps to display content such as document comments, Microsoft Teams chats, Excel formulas, hidden rows/columns, and PowerPoint notes.
![Review set source view](../media/ediscovery-source-view.png) ## Text view
-The Text viewer provides a view of the extracted text of a file. It ignores any embedded images and formatting but is useful if you're trying to understand the content quickly. Text view also includes these features:
+The **Plain text** viewer provides a view of the extracted text of a selected file. It ignores any embedded images and formatting but is useful if you're trying to understand the content quickly. Text view also includes these features:
- Line counter makes it easier to reference specific portions of a document - Search hit highlighting that highlights terms within the document and in the scrollbar
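Review bot: Under `## Text view` the added sentence renames the viewer to **Plain text**, but the heading and the following sentence ("Text view also includes these features") keep the old name, so the section uses two names for one viewer. Pick one and apply it to the heading as well. In the new Grouping section, "If you're an existing eDiscovery with a large number of existing cases" is missing a noun (Option 1 says "existing eDiscovery customer"), and "imbedded images" should be "embedded images", the spelling used in the next bullet.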
The Text viewer provides a view of the extracted text of a file. It ignores any
## Annotate view
-The Annotate view provides features that allow users to apply markup on a document including:
+The **Annotate** view provides features that allow users to apply markup on a selected document including:
- **Select annotations**: Select annotations on a document to delete - **Select text**: Select text on the document to delete
The Annotate view provides features that allow users to apply markup on a docume
## Metadata view
-This panel can be toggled on/off to display various metadata associated with the document. Although the search results grid can be customized to display specific metadata, there are instances where scrolling horizontally can be difficult while reviewing data. The File metadata panel allows a user to toggle on a view within the viewer.
+The panel in the **Metadata** view can be toggled on/off to display various metadata associated with the selected document. Although the search results grid can be customized to display specific metadata, there are instances where scrolling horizontally can be difficult while reviewing data. The File metadata panel allows a user to toggle on a view within the viewer.
![Review set metadata view](../media/ediscovery-metadata-view.png) ## Viewer and management tools
-For selected content, there are additional view and management tools to help you work with documents.
+For selected content, there are additional view and management tools to help you work with documents.
![Review set additional viewer tools](../media/ediscovery-additional-viewer-tools.png)
compliance Get Started With Data Lifecycle Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-data-lifecycle-management.md
f1.keywords:
Previously updated : 03/07/2023 Last updated : 04/26/2023 audience: Admin
For instructions to add users to the default roles or create your own role group
These permissions are required only to create, configure, and apply retention policies and retention labels. The person configuring these policies and labels doesn't require access to the content.
+## Support for administrative units
+
+Now rolling out in preview, data lifecycle management supports [administrative units that have been configured in Azure Active Directory](/azure/active-directory/roles/administrative-units):
+
+- You can assign administrative units to members of custom role groups and any others that support administrative units. For example, role groups used with Microsoft Purview Records Management. Edit these role groups and select individual members, and then the **Assign admin units** option to select administrative units from Azure Active Directory. These administrators are now restricted to managing just the users in those administrative units.
+
+- You can define the initial scope of retention policies and retention label policies when you create or edit these policies. When you select administrative units, only the users in those administrative units will be eligible for the policy.
+
+> [!IMPORTANT]
+> Don't select administrative units for a policy that you want to apply to SharePoint sites or to Exchange public folders. Because administrative units support only users and groups, if you configure policy for retention to use administrative units, you won't be able to select the locations for SharePoint sites or Exchange public folders.
+
+- Both adaptive scopes and static scopes support administrative units.
+
+- Additional impact for restricted administrators
+ - [Policy lookup](retention.md#policy-lookup): Restricted administrators will see policies only from users within their assigned administrative units
+ - [Import PST files](importing-pst-files-to-office-365.md): Restricted administrators won't be able to use the network upload feature to bulk-import PST files to Microsoft 365 mailboxes
+ - [Exchange legacy features](data-lifecycle-management.md#exchange-legacy-features): Restricted administrators won't be able to configure the Exchange legacy features of retention policies and retention tags from messaging records management (MRM), and journaling rules
+
+- Currently, retention labels don't support administrative units.
+
+- Currently, a restricted administrator can create and view adaptive scopes for all administrative units when they use PowerShell cmdlets.
+
+- Currently, inactive mailboxes aren't supported in a policy when you select one or more administrative units. To include inactive mailboxes in the policy, you must be an unrestricted administrator and select **Full directory**.
+
+For more information about how Microsoft Purview supports administrative units, see [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview).
+ ## Common scenarios Use the following table to help you map your business requirements to the most common scenarios for data lifecycle management.
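Review bot: The `> [!IMPORTANT]` block after the policy-scope bullet is not indented, so it breaks out of the list instead of attaching to the bullet it qualifies; the same block in the records management article is indented under its bullet. Indent it to match. The later bullet "Currently, retention labels don't support administrative units" follows a bullet saying retention label policies can be scoped to administrative units, so a short clause separating labels from label policies would prevent readers from taking the two as contradictory.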
compliance Get Started With Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-records-management.md
f1.keywords:
Previously updated : 04/24/2023 Last updated : 04/28/2023 audience: Admin
For instructions to add users to the default roles or create your own role group
These permissions are required only to create, configure, and apply retention labels that declare records, and manage disposition. The person configuring these labels doesn't require access to the content.
+## Support for administrative units
+
+Now rolling out in preview, records management supports [administrative units that have been configured in Azure Active Directory](/azure/active-directory/roles/administrative-units):
+
+- You can assign administrative units to members of role groups that are used with Microsoft Purview Records Management. Edit the Records Management role group or other role groups that support administrative units. From these role groups, select individual members, and then the **Assign admin units** option to select administrative units from Azure Active Directory. These administrators are now restricted to managing just the users in those administrative units.
+
+- You can define the initial scope of retention policies and retention label policies when you create or edit these policies. When you select administrative units, only the users in those administrative units will be eligible for the policy.
+
+ > [!IMPORTANT]
+ > Don't select administrative units for a retention label policy that you want to apply to SharePoint sites. Because administrative units support only users and groups, if you configure a retention label policy to use administrative units, you won't be able to select the locations for SharePoint sites.
+
+- Both adaptive scopes and static scopes support administrative units.
+
+- Additional impact for restricted administrators
+ - [Policy lookup](retention.md#policy-lookup): Restricted administrators will see policies only from users within their assigned administrative units
+ - [Disposition review and verification](disposition.md): Restricted administrators will be able to add reviewers only from within their assigned administrative units, and see disposition reviews and items disposed only from users within their assigned administrative units
+
+- Currently, retention labels and [events](event-driven-retention.md) don't support administrative units.
+
+- Currently, a restricted administrator can create and view adaptive scopes for all administrative units when they use PowerShell cmdlets.
+
+Scoped admins can view all adaptive scopes across AUs using cmdlets
+
+- Currently, inactive mailboxes aren't supported in a policy when you select one or more administrative units. To include inactive mailboxes in the policy, you must be an unrestricted administrator and select **Full directory**.
+
+For more information about how Microsoft Purview supports administrative units, see [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview).
+ ## Common scenarios Use the following table to help you map your business requirements to the scenarios that are supported by records management.
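Review bot: The standalone line "Scoped admins can view all adaptive scopes across AUs using cmdlets" between the last two bullets looks like a leftover drafting note. It repeats the bullet directly above it ("a restricted administrator can create and view adaptive scopes for all administrative units when they use PowerShell cmdlets"), uses different terms (scoped admins, AUs) from the rest of the section, and interrupts the list. Remove it.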
compliance Microsoft 365 Compliance Center Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-permissions.md
f1.keywords:
Previously updated : 03/15/2023 Last updated : 04/28/2023 audience: ITPro
For example, you could use administrative units to delegate permissions to admin
The following Microsoft Purview compliance solutions support administrative units:
-|**Solution**|**Description of support**|
+|**Solution**|**Configuration support**|
|:--|:-|
+| [Data lifecycle management](data-lifecycle-management.md) | [Role groups, retention policies, and retention label policies](get-started-with-data-lifecycle-management.md#support-for-administrative-units) |
| [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) | Role groups and [DLP policies](/microsoft-365/compliance/dlp-create-deploy-policy) |
-| [Sensitivity labeling](/microsoft-365/compliance/sensitivity-labels) | Role groups and [labeling policies](/microsoft-365/compliance/get-started-with-sensitivity-labels#support-for-administrative-units) |
+| [Records management](records-management.md) | [Role groups, retention policies, and retention label policies](get-started-with-records-management.md#support-for-administrative-units)|
+| [Sensitivity labeling](/microsoft-365/compliance/sensitivity-labels) | [Role groups, sensitivity label policies, and auto-labeling policies](/microsoft-365/compliance/get-started-with-sensitivity-labels#support-for-administrative-units) |
-For these solutions, the following features also support administrative units:
+When you configure these solutions to use administrative units, the configuration automatically flows down to the following features:
- Alerts: [DLP](/microsoft-365/compliance/dlp-alerts-dashboard-get-started) alerts are visible only from users in assigned administrative units - [Activity explorer](data-classification-activity-explorer.md): Activity events are visible only from users in assigned administrative units
+- [Adaptive scopes](purview-adaptive-scopes.md): When adaptive scopes are supported by a solution, restricted administrators can select, create, edit, and view adaptive scopes only from users in assigned administrative units
+- Data lifecycle management and records management:
+ - [Policy lookup](retention.md#policy-lookup): Restricted administrators will see policies only from users within their assigned administrative units
+ - [Disposition review and verification](disposition.md): Restricted administrators will be able to add reviewers only from within their assigned administrative units, and see disposition reviews and items disposed only from users within their assigned administrative units
-Administrative units are also supported for some built-in role groups. You can add users and groups to administrative units for the following built-in role groups:
+You can add users and groups to administrative units by using the following built-in role groups:
- Compliance Administrator - Compliance Data Administrators
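Review bot: The added **Adaptive scopes** bullet says restricted administrators can select, create, edit, and view adaptive scopes only from users in assigned administrative units, but the two get-started articles changed in this same update state that a restricted administrator can currently create and view adaptive scopes for all administrative units when using PowerShell cmdlets. Add that limitation here or link to it, so readers don't assume the restriction holds outside the portal. Separately, the reworded sentence "You can add users and groups to administrative units by using the following built-in role groups" reads as if role groups are the way users get into administrative units, while the get-started articles describe assigning administrative units to role group members; consider wording it that way.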
Administrative units are also supported for some built-in role groups. You can a
- Information Protection Investigators - Information Protection Readers - Organization Management
+- Records Management
- Security Administrator - Security Operator - Security Reader
Further into the policy configuration, administrators who selected administrativ
For information about administrative units that is specific to each supported solution, see the following sections:
+- For data lifecycle management: [Support for administrative units](get-started-with-data-lifecycle-management.md#support-for-administrative-units)
- For DLP: [Administrative Unit restricted policies](dlp-policy-reference.md#administrative-unit-restricted-policies-preview)
+- For records management:[Support for administrative units](get-started-with-records-management.md#support-for-administrative-units)
- For sensitivity labeling: [Support for administrative units](get-started-with-sensitivity-labels.md#support-for-administrative-units) ## Add users or groups to a Microsoft Purview built-in role group
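Review bot: The added records management entry is missing the space after the colon: "For records management:[Support for administrative units]". The neighbouring entries use "For DLP: [" and "For data lifecycle management: [", so add the space for consistency.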
compliance Retention Policies Sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-sharepoint.md
For retention policies and auto-apply label policies: SharePoint sites must be i
## How retention works for SharePoint and OneDrive
-To store content that needs to be retained, SharePoint and OneDrive create a Preservation Hold library if one doesn't exist for the site. The Preservation Hold library isn't designed to be used interactively but instead, automatically stores files when this is needed for compliance reasons. It's not supported to edit, delete, or move these automatically retained files yourself. Instead, use compliance tools, such as those supported by [eDiscovery](ediscovery.md) to access these files.
+To store content that needs to be retained, SharePoint and OneDrive create a Preservation Hold library if one doesn't exist for the site. The Preservation Hold library is a hidden system location that isn't designed to be used interactively but instead, automatically stores files when this is needed for compliance reasons. It's not supported to edit, delete, or move these automatically retained files yourself. Instead, use compliance tools, such as those supported by [eDiscovery](ediscovery.md) to access these files.
The Preservation Hold library works in the following way to support retention policies and retention labels:
compliance Sit Get Started Exact Data Match Hash Upload https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-hash-upload.md
This computer must have direct access to your Microsoft 365 tenant.
> [!NOTE] > The EDMUploadAgent at the above links has been updated to automatically add a salt value to the hashed data. Alternately, you can provide your own salt value. Once you have used this version, you will not be able to use the previous version of the EDMUploadAgent. >
- > You can upload data with the EDMUploadAgent to any given data store only twice per day.
+ > You can upload data with the EDMUploadAgent to any given data store up to five times per day.
3. Authorize the EDM Upload Agent, open Command Prompt window as an administrator, switch to the **C:\EDM\Data** directory, and then run the following command:
This computer must have direct access to your Microsoft 365 tenant.
If your sensitive information table has some incorrectly formatted values, but you still want to import the remaining data while ignoring invalid rows, you can use the */AllowedBadLinesPercentage* parameter in the command. The example above specifies a five percent threshold. This means that the tool hashes and uploads the sensitive information table, even if up to five percent of the rows are invalid.
- This command automatically adds a randomly-generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt \<saltvalue\>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
+ This command automatically adds a randomly generated salt value to the hash for greater security. Optionally, if you want to use your own salt value, add the **/Salt \<saltvalue\>** to the command. This value must be 64 characters in length and can only contain the a-z characters and 0-9 characters.
6. Check the upload status by running this command:
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 04/26/2023 Last updated : 04/28/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## April 2023
+### Communication compliance
+
+- New content on the [Filter email blasts feature](communication-compliance-policies.md#filter-email-blasts) and the [Email blasts senders report](communication-compliance-reports-audits.md#detailed-reports).
+- Updates to [User-reported messages policy](communication-compliance-policies.md#user-reported-messages-policy).
+- New fields for [Message Details reports](communication-compliance-reports-audits.md#message-details-report).
+- New conditions for [Regulatory compliance policy template](communication-compliance-policies.md#policy-templates).
+- **New video**: Learn how to [detect communication risks in Microsoft Teams with communication compliance](communication-compliance-channels.md#microsoft-teams).
++ ### Data lifecycle management and records management - **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md) when you use auto-apply retention label policies. - **In preview**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that were already in preview now include attachments and links shared in Yammer.
+- **In preview**: Support for Azure Active Directory administrative unitsΓÇöfor both [data lifecycle managment](get-started-with-data-lifecycle-management.md#support-for-administrative-units) and [records management](get-started-with-records-management.md#support-for-administrative-units)ΓÇöis starting to roll out.
+- **In preview**: You can now optionally configure [auto-approval](disposition.md#auto-approval-for-disposition) when you configure a retention label for disposition review.
### Data loss prevention
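Review bot: In the added administrative units bullet, the link text "data lifecycle managment" is misspelled; it should read "data lifecycle management".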
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md). + ### Sensitivity labels - **General availability (GA)**: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md)
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- [Show policy tips as an oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview) ### Device onboarding-- **In preview**: Device configuration and policy sync status is now viewable in the onboarded devices list for [Windows 10/11](device-onboarding-overview.md#device-configuration-and-policy-sync-status-preview) and [macOS](device-onboarding-macos-overview.md#device-configuration-and-policy-sync-status-preview) devices
+- **In preview**: Device configuration and policy sync status is now viewable in the onboarded devices list for [Onboarding Windows 10 or Windows 11 devices](device-onboarding-overview.md#onboarding-windows-10-or-windows-11-devices) and [Onboarding devices into device management](device-onboarding-macos-overview.md#onboarding-devices-into-device-management) devices
### eDiscovery
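Review bot: The replacement Device onboarding bullet uses the target section titles as link text, so the sentence now reads "for [Onboarding Windows 10 or Windows 11 devices] and [Onboarding devices into device management] devices" and no longer names macOS at all. Keep the new anchors but restore the platform names as link text, for example "Windows 10/11" and "macOS", so the sentence still parses and readers can tell which platforms are covered.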
enterprise Cross Tenant Sharepoint Bulk Site Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-bulk-site-migration.md
+
+ Title: Performing Bulk SharePoint site Cross-tenant migrations (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Performing Bulk SharePoint site Cross-tenant migrations. This feature is in private preview."
+
+# Performing Bulk SharePoint Site Migrations (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This article discusses to to perform bulk SharePoint site migrations using the Cross-tenant SharePoint migration solution. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+To perform a bulk SharePoint Site migration, you can create specific scripts via PowerShell on the Source tenant.
+
+Though Microsoft does not offer any specific suggestions for how to create these PowerShell scripts, we recommend that you engage the services of an Admin user who is proficient in PowerShell script creation and execution. A suggested approach would be the following:
+
+1. **Validate scoped sites for SharePoint Migration**. Create a script that will validate the status of your SharePoint Sites, site users, and groups before initiating the migration. This script should be designed to validate the existence of the **SharePoint** site, as well as the provisioning status of the users and groups on the target tenant. Once validated, the script should provide the status of those users and groups, and log any exceptions that are found.</br>
+
+2. **Build Identity Map**. Follow the steps detailed here: [Create the Identity mapping file](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5#create-the-identity-mapping-file). </br>
+
+3. **Schedule jobs for sites for SharePoint site migration**. Create a script that will schedule all the **SharePoint** sites you want to migrate. You can schedule up to 4,000 migrations. </br>
+
+4. **Reporting status for all SharePoint sites being migrated**. Create scripts that can be used to provide a report on the status of all SharePoint sites in the migration. You can tailor the script to output success and failure status and provide status details for each site migration.
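Review bot: The paragraph before the numbered list contradicts itself: it says Microsoft "does not offer any specific suggestions" for these scripts and the next sentence offers "A suggested approach". Reword it to say that no sample scripts are provided and that the list is an outline. In the intro, "discusses to to perform" should read "discusses how to perform". Step 1 asks the validation script to log exceptions but never says what to do with them; since step 3 allows up to 4,000 scheduled migrations, say whether a site with unresolved users or groups on the target should be held back from scheduling. The `</br>` at the end of steps 1 to 3 is not a valid tag and can be dropped.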
enterprise Cross Tenant Sharepoint Migration Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-faqs.md
+
+ Title: SharePoint Cross-tenant SharePoint migration FAQs (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "SharePoint Cross-tenant migration feature FAQs"
++
+# Cross-tenant SharePoint migration FAQs (Preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+## Pre-migration FAQs
+
+**Question**: Can a SharePoint account have any content in the **target tenant** before migration?</br>
+**Answer:** No. The tool doesn't support Merge functionality with existing content. The user being migrated must not have a pre-existing SharePoint on the target tenant.
+
+**Question**: Can users be pre-created on the target tenant?</br>
+**Answer:** Yes, all Users/Groups that are identified for migration should be pre-created on the target tenant and appropriate licenses assigned prior to staring any migrations. Also:
+
+- SharePoint site creation should be restricted in the target tenant to prevent users creating SharePoint sites.
+- If a SharePoint site already exists for the user on the target tenant the migration will fail.
+- You can't overwrite an existing site.
+- SharePoint sites should NOT be created Prior OR during a migration.
+
+**Question**: Can my SharePoint accounts be in Read-only mode prior to starting any cross-tenant migrations?</br>
+**Answer:** No. Before starting any migration, you need to ensure that your Source SharePoint accounts are NOT set to Read-Only, otherwise the migration will fail.
+
+**Question**: Can my SharePoint accounts be in **Read-only** mode prior to starting any cross-tenant migrations?</br>
+**Answer:** No, before starting any migrations, ensure that your source SharePoint accounts are NOT set to Read-only. Otherwise, the migration will fail.
++
+**Question**: Does the tool support GCC and GCC-High tenants?</br>
+**Answer:** We do not currently support government environments (GCC & GCC-High) but we plan to support them in the future.
+
+**Question:** Are SharePoint accounts with Customer Key Encryption supported for migration?</br>
+**Answer:** No. We do NOT support migration if the source tenant has Service encryption with Microsoft Purview Customer Key enabled.
+
+**Question:** What do I need to consider for migrating sites between Multi-Geo tenants? </br>
+**Answer:** If you're a SharePoint Multi-Geo or MNC customer, you must treat each geography as a separate tenant and supply the correct geography-specific URLs throughout the process. You must also establish trust between each geography involved in your migration project.
++
+## Post-migration FAQs
+
+**Question:** What happens to permissions on SharePoint content?</br>
+**Answer:** Users with permissions to SharePoint content will continue to have access to their content upon completion on the new target tenant. if those users/groups were included as part of the Identity Map and mapped accordingly.
+
+**Question:** What happens to sharing links? </br>
+**Answer:** After the SharePoint cross-tenant migration, existing shared links for files that were migrated will automatically redirect to the new target location.
+
+**Question:** How are shared files handled?</br>
+Anyone clicking on a sharing link to the old location will be redirected to the new location The original/source tenant is deprovisioned or can be removed by the admin site-by-site basis.
+
+**Question:** Will external Shared Files still work?</br>
+**Answer:** As part of the migration process, Admins must pre-create the appropriate users on the destination tenant, including guest/external users, and provide the tool with an "Identity Map". The identify map tells us how to adjust file/site ownership and permissions.
+
+**Question:** If a file is shared in a Teams chat, will those files still be accessible after migration?</br>
+**Answer:** See the question above. The identity map will inform how files are shared. If a user clicks on the link, it will attempt to redirect to the new location. The file will be accessible as long as the user has permissions to access the file on the destination.
+
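Review bot: The Read-only question appears twice in "Pre-migration FAQs", once with plain "Read-only" and once with bold, each with its own wording of the same answer; keep one. Under "Post-migration FAQs", the "How are shared files handled?" entry has no "**Answer:**" label and runs two sentences together ("new location The original/source tenant"), and the permissions answer breaks off into a fragment ("target tenant. if those users/groups were included"), which hides the condition that access only carries over for identities present in the Identity Map. That condition is the part admins most need, so make it one sentence. Also fix "prior to staring" and "The identify map".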
enterprise Cross Tenant Sharepoint Migration Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step1.md
+
+ Title: SharePoint Cross-tenant SharePoint migration Step 1 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 1 of the SharePoint Cross-tenant migration feature"
+
+# Step 1: Connect to the source and target tenants (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 1 in a solution designed to complete a **Cross-tenant SharePoint migration**. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- **Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)**
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
+
+## Before you begin
+
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588).
+- Be a SharePoint Online admin or Microsoft 365 Global admin on both the source and target tenants
++
+### Connect to both tenants
+
+1. Sign in to the SharePoint Management Shell as a SharePoint Online admin or Microsoft 365 Global admin.
+2. Run the following entering the **source** tenant URL:
+
+ ```powershell
+ Connect-SPOService -url https://<TenantName>-admin.sharepoint.com
+ ```
+
+3. When prompted, sign in to the **source** tenant using your Admin username and password.
+
+4. Run the following entering the **target** tenant URL:
+
+ ```powershell
+ Connect-SPOService -url https://<TenantName>-admin.sharepoint.com
+ ```
+
+5. When prompted, sign in to the **target** tenant using your Admin username and password.
+
+>[!Important]
+>**Microsoft 365 Multi-Geo customers:** You must treat each geography as a separate tenant. Provide the correct geography-specific URLs throughout the migration process.
+
+## Step 2: [Establish trust between the source and target tenants](cross-tenant-SharePoint-migration-step2.md)
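Review bot: Steps 2 and 4 under "Connect to both tenants" show the identical command with the same `<TenantName>` placeholder, so nothing in the code tells the reader which admin URL belongs to which tenant. Use distinct placeholders such as `<SourceTenantName>` and `<TargetTenantName>`, and say whether the two connections are meant to be made in the same shell session or in separate ones, because later steps run commands "on the source tenant" and "on the target tenant". In "Before you begin", the second bullet is an instruction while the first is a noun phrase; rewrite it as a prerequisite ("You must be a SharePoint Online admin or ...") and add the missing full stop.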
enterprise Cross Tenant Sharepoint Migration Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step2.md
+
+ Title: SharePoint Cross-tenant SharePoint migration Step 2 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 2 of the SharePoint Cross-tenant migration feature"
+
+# Step 2: Establishing trust between the source and target tenants (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 2 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- **Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)**
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
+
+After connecting to the source and target tenant, the next step in performing a cross-tenant SharePoint migration is establishing trust between the tenants.
+
+To establish trust, each SharePoint Online tenant administrator must run specific commands on both source and target tenants. Once the trust has been requested, the administrator of the target tenant will receive an email informing them that another tenant is trying to establish a trust relationship.
+
+> [!NOTE]
+> The "trust" command is specific to SharePoint Online. It only grants permission for the SharePoint administrator on the source tenant to execute SharePoint Migration operations to the identified target tenant.
+>
+> Granting trust *doesn't* give the administrator any visibility, permission, or ability to collaborate between the source tenant and the target tenant.
+
+> [!IMPORTANT]
+> If you are Microsoft 365 Multi-Geo customer, you must establish trust between each geography involved in your migration project.
+
+## Before you begin
+
+Before running the trust commands, obtain the cross-tenant host URLs for both the source and target tenants. You'll need these URLs when establishing the trust relationship between source-to-target and target-to-source.
+
+**To obtain the cross-tenant host URLs:**
+
+On both the source and target tenants, run:
+
+```powershell
+Get-SPOCrossTenantHostURL
+```
+
+*Example:* Run command on Source tenant:
+
+ :::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-hosturl-source.png" alt-text="example of how to obtain host url for source":::
+
+*Example:* Run command on target tenant:
++
+## Run the trust commands
+
+These commands send a request to the tenant with whom you want to establish trust.
+
+1. On the source tenant, run this command to send a trust request to the target tenant:
+
+ ```powershell
+ Set-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>
+ ```
+
+2. On the target tenant, run this command to send a trust request to the source tenant:
+
+ ```powershell
+ Set-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Source -PartnerCrossTenantHostUrl <SOURCECrossTenantHostUrl>
+ ```
+
+### Parameter definitions
+
+|Parameter|Definition|
+|||
+|PartnerRole|Roles of the partner tenant you're establishing trust with. Use *source* if partner tenant is the source of the SharePoint migrations, and *target* if the partner tenant is the Destination.
+|PartnerCrossTenantHostURL|The cross-tenant host URL of the partner tenant. The partner tenant can determine this for you by running: *Get-SPOCrossTenantHostURL* on each of the tenants.|
+
+## Sample trust email
+
+The following in an example of the email that is sent to global admins:
++
+**Subject:** SPO Tenant [https://a830edad9050849mnaus093022-my.sharepoint.com/] [setuporupdate] Organization Relation [Scenario=MnA, Role=Source] with us
+
+**Message:** SPO Tenant [https://a830edad9050849mnaus093022-my.sharepoint.com/] [setuporupdate] Organization Relation [Scenario=MnA, Role=Source] with us
+
+## Step 3: [Verify that trust has been established](cross-tenant-SharePoint-migration-step3.md)
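Review bot: Both commands under "Run the trust commands" pass `-Scenario MnA`, but the "Parameter definitions" table only covers PartnerRole and PartnerCrossTenantHostURL; add a row for Scenario and say what MnA means. In that table the PartnerRole row is missing its closing `|`, and it tells readers to use *source* and *target* in lower case while the commands use `Source` and `Target`. The second "*Example:* Run command on target tenant:" has nothing after it. The intro says only "the administrator of the target tenant will receive an email", yet step 2 also sends a request to the source tenant and the sample section says the mail goes to "global admins"; state who is notified on each side so admins know which mail to expect and can recognise one they did not initiate. The sample subject and message contain what looks like a specific tenant hostname; a placeholder hostname would be safer in published docs.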
enterprise Cross Tenant Sharepoint Migration Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step3.md
+
+ Title: SharePoint Cross-tenant SharePoint migration Step 3 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 3 of the SharePoint Cross-tenant migration feature"
+
+# Step 3: Verifying trust (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 3 in a solution designed to complete a **Cross-tenant SharePoint migration.** To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- **Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)**
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
+
+Before proceeding with your migration, you'll need to verify the trust is complete. A status of *GoodToProceed*, confirms that the trust is verified.
+
+## To verify trust has been established
+
+1. On the **source tenant** run:
+
+```powershell
+
+Verify-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>
+
+```
+2. On the **target tenant** run:
+
+```powershell
+
+Verify-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Source -PartnerCrossTenantHostUrl <SOURCECrossTenantHostUrl>
+```
+
+## Troubleshooting trust issues
+
+When verifying trust, possible values
+
+|Value|Description|
+|:--|:--|
+|NotEstablished|Trust hasn't been requested locally.|
+|NotEstablishedByPartner|Trust hasn't been requested by the partner|
+|DormantByPartner|PartnerΓÇÖs requested trust is within the seven days waiting period after creation.|
+|CouldNotContactPartner|Couldn't contact the partner to determine status.|
+|GoodToProceed|Verified to proceed.|
++
+## Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
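Review bot: "Troubleshooting trust issues" lists the status values but gives no action for any of them, and its lead-in "When verifying trust, possible values" is not a sentence. For each non-GoodToProceed value, add what the admin should do (for example, which side needs to run the Step 2 command). The DormantByPartner row mentions a "seven days waiting period after creation" that Step 2 never mentions; explain it where trust is requested, since it affects migration planning. The same row has an encoding error ("PartnerΓÇÖs"). In the procedure, the code fences are not indented under items 1 and 2 and contain blank lines around the command, so the numbered list will break when rendered; indent them as Step 2 does. In the intro, drop the comma in "A status of *GoodToProceed*, confirms".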
enterprise Cross Tenant Sharepoint Migration Step4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step4.md
+
+ Title: SharePoint Cross-tenant SharePoint migration Step 4 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 4 of the SharePoint Cross-tenant migration feature"
++
+# Step 4: Pre-creating users and groups (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 4 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- **Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)**
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
++
+## Identify users and groups to be migrated
+
+To ensure that SharePoint permissions are retained as part of the migration, a mapping file needs to be created to align users from the source tenant to the target tenant.
+
+1. Identify the full list of SharePoint users and sites that will be migrated from the source to the target tenant.
+2. Identify the list of Microsoft 365 Groups that are connected to any Group-connected SharePoint sites that will be migrating as part of your project.
+3. Prepare a complete list of users, groups, and Microsoft 365 groups that will be migrated to the target tenant.
+
+## Pre-create users, groups, and Microsoft 365 groups on the target tenant
+
+- Pre-create users and groups as needed in the target tenantΓÇÖs directory.
+- All users who are migrating to the target tenant must have new user identities created for them in the target tenant.
+
+>[!Note]
+>Note: If these users are also having their OneDrive migrated, make sure that these new users don't attempt to sign-in to their new target OneDrive until their corresponding OneDrive migration is complete.
+
+- All users whose SharePoint accounts are migrating to the target tenant must be assigned the appropriate SharePoint license.
+- Any users who remain in the source tenant but need access to resources migrating to the target tenant should have new guest identities created for them in the target tenant.
+- Pre-created users must be added as members of any appropriate security groups or unified groups before the SharePoint migration begins.
+- If the user or group name already exists in the target tenant, create a user or group with a different name and make a note of it for the next step.
+- We recommend that SharePoint site creations are restricted in the target tenant to prevent users from creating SharePoint sites.
+
+>[!Note]
+>To learn more on restricting SharePoint site creation, see [Disable SharePoint creation for some users](/sharepoint/manage-user-profiles#disable-SharePoint-creation-for-some-users)
+
+## Pre-create Microsoft 365 groups connect to SharePoint sites
+
+Microsoft 365 groups connected to SharePoint sites must be pre-created using the [Exchange Online management shell](/powershell/exchange/connect-to-exchange-online-powershell)
+
+These commands send a request to the tenant with whom you want to establish trust.
+
+1. Sign in to the Exchange Online Management Shell as an Exchange Online Admin or Microsoft 365 Global admin. Enter the password for target tenant when prompted.
+
+```powershell
+Connect-ExchangeOnline ΓÇôUserPrincipalName <UserPrincipalName>
+```
+
+2. Create the appropriate Microsoft 365 groups, where *AccessType* matches the access type of the corresponding Microsoft 365 group on the source tenant.
+
+```powershell
+New-UnifiedGroup -DisplayName <TargetGroupDisplayName> -Alias <TargetGroupAlias> -AccessType <Private|Public> 
+
+ ```
+>[!Important]
+>Microsoft 365 Groups connected to SharePoint sites **MUST be pre-created using this method**. Pre-creating Microsoft 365 groups using any other methods will cause SharePoint site migrations to fail.
++
+## Step 5: [Prepare the identity mapping file](cross-tenant-SharePoint-migration-step5.md)
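Review bot: Under "Pre-create Microsoft 365 groups connect to SharePoint sites", the sentence "These commands send a request to the tenant with whom you want to establish trust." is carried over from Step 2 and does not describe `Connect-ExchangeOnline` or `New-UnifiedGroup`; remove it. The `Connect-ExchangeOnline` line has a corrupted dash before UserPrincipalName ("ΓÇôUserPrincipalName"), which will fail when pasted; use an ASCII hyphen. The same encoding error appears in "target tenantΓÇÖs directory". The heading should read "connected to", the OneDrive note repeats its label (">[!Note]" followed by "Note:"), and the closing fence after `New-UnifiedGroup` is indented differently from its opening fence. The first section says a mapping file "needs to be created" here, but that is Step 5; point forward to it instead.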
enterprise Cross Tenant Sharepoint Migration Step5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5.md
+
+ Title: SharePoint Cross-tenant SharePoint migration Step 5 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 5 of the SharePoint Cross-tenant migration feature"
+
+# Step 5: Identity mapping (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 5 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- **Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)**
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
+
+## Create the identity mapping file
+
+In this step of the cross-tenant migration process, you're going to create a single CSV (comma separated values) file that contains the mapping of the users and groups on the source tenant to their corresponding users and groups on the target tenant.
+
+We recommend that you take the time to verify your mappings, ensuring they're accurate before starting any migrations to the target tenant.
+
+There's a one-to-one relationship in the identity mapping file. You can't map the same user to multiple users in the target tenant. For example, if you have instances where the admin is the owner of multiple SharePoint accounts, the ownership must be changed to match the corresponding user you wish to migrate from Source to Target. If you don't, those account files won't migrate.
+
+**Example:** In this example, the admin owns multiple SharePoint accounts.
+
+|Source Tenant Owner|Target Tenant User|
+|||
+|admin@source.com|new.userA@target.com|
+|admin@source.com|new.userB@target.com|
+|admin@source.com|new.userC@target.com|
+
+Cross-tenant migration supports this scenario:
+
+**Example**:
+
+|Source Tenant Owner|Target Tenant User|
+|||
+|userA@source.com|new.userA@target.com|
+|userB@source.com|new.userB@target.com|
+|userC@source.com|new.userC@target.com|
+
+### Create the CSV file
+
+There are six columns needed in your CSV file. The first three are your source values, each providing detail about where your data is currently located. The remaining three columns are the corresponding info on the target tenant. All six columns must be accounted for in the file. Create your file in Excel and save it as a .csv file.
+
+Users and groups are included in the same file. Depending on whether it's a user or group, what you enter in the column is different. In each of the columns enter values as shown in the examples. **Do NOT include column headings.**
+
+|Column|User|Group|Microsoft 365 Group|
+||||:--|
+|1|User|Group|Group|
+|2|SourceTenantCompanyID|SourceTenantCompanyID|SourceTenantCompanyID|
+|3|SourceUserUpn|SourceGroupObjectID|SourceGroupObjectID|
+|4|TargetUserUpn|TargetGroupObjectID|TargetGroupObjectID|
+|5|TargetUserEmail|GroupName|M365GroupAlias|
+|6|UserType|GroupType|GroupType|
+
+> [!IMPORTANT]
+> **Do NOT include column headings in your CSV file.** In the examples below we include them for illustrative purposes only.
+
+**Users**. Enter your values as shown in this example for guests:
++++
+**Guest users**. You can map guest accounts in the source tenant to member accounts in the target tenant. You can also map a guest account in the source to a guest account in the target if the guest has been previously created. Enter your values as shown in this example for guests:
+++
+**Groups**. Enter your values as shown in this example for groups:
+</br>
+</br>
+
+*Example*:
++
+**Microsoft 365 Groups**. Enter your values as shown in this example for Microsoft 365 groups:
++
+**Multiple users and groups in a CSV file:** </br>
+
+*Example:*
++
+#### Obtain the source tenant company ID
+
+To obtain Source Tenant Company ID:
+
+1. Sign in as Admin to your [Azure portal](https://ms.portal.azure.com/)
+2. Select or Search for **Azure Active Directory**.
+3. Scroll down on the left-hand panel and select **Properties**.
+4. Locate the **Tenant ID Field**. The required Tenant ID will be in that box.
++
+#### To obtain source group object ID:
+
+1. Sign in to source tenant as Admin to [Azure Groups](https://ms.portal.azure.com).
+2. Search for your required group(s).
+3. Select the required Group instance and then **Copy to clipboard**. Paste this value in the sourceGroupObjectId column of your mapping CSV file.
+4. If you have multiple Groups to map, then repeat these steps for each group.
++
+#### To obtain target group object ID:
+
+1. Sign in to Target tenant as Admin to [Azure Groups](https://ms.portal.azure.com)
+2. Search for your required group(s).
+3. Select the required group instance and then **Copy to clipboard**. Paste this value in the targetGroupObjectId column of your mapping CSV file.
+4. If you have multiple groups to map, then repeat the above process to obtain those specific targetGroupObjectId's.
+5. For the GroupName, use the same ID as the *TargetGroupObjectId* you obtained.
++
+## Upload the identity map
+
+Once the identity mapping file has been prepared, the SharePoint Administrator on the target tenant uploads the file to SharePoint. This will allow identity mapping to occur automatically as part of the cross-tenant migration.
+
+> [!IMPORTANT]
+> Before you run the *Add-SPOTenantIdentityMap -IdentityMapPath* command, save and close the identitymap.csv file on your Desktop/SharePoint/SharePoint.
+>
+>If the file remains open, you will receive the following error.
+> *Add-SPOTenantIdentityMap: The process cannot access the file 'C:\Users\myuser\Test-Identity-Map.csv' because it is being used by another process.*
+
+1. To upload the identity Map on the target tenant, run the following command. For *-IdentityMapPath*, provide the full path and filename of the identity mapping CSV file.
+
+```powershell
+Add-SPOTenantIdentityMap -IdentityMapPath <identitymap.csv>
+```
+
+> [!IMPORTANT]
+> If you make or need to make any changes to your Identity Map during the lifecycle of the migration you must run the `Add-SPOTenantIdentityMap -IdentityMapPath <identitymap.csv>` command **every time** a change is made to ensure those changes are applied to the migration.
+
+Uploading any new identity map will overwrite the current one. Make sure that any revision or addition includes ALL users and groups for the full migration. Your identity map should always include everyone you're wanting to migrate.
+
+To look at the mapping entries in the identity mapping file for a particular user, use the command *Get-SPOTenantIdentityMappingUser* with Field as *SourceUserKey* and Value as the UPN of the user you are moving.
+
+**Example:**
+
+```powershell
+get-spoTenantIdentityMappingUser -Field SourceUserKey -Value usera@Contoso.onmicrosoft.com
+```
+
+## Verify cross-tenant compatibility status
+
+Before starting any cross-tenant migrations, make sure that both SharePoint database schemas are up to date and compatible between source and target.
+
+To perform this check, run the below cmdlet on your Source tenant.
+
+```powershell
+Get-SPOCrossTenantCompatibilityStatus -PartnerCrossTenantHostURL [Target tenant hostname]
+
+Get-SPOCrossTenantCompatibilityStatus -PartnerCrossTenantHostURL https://m365x12395529-my.sharepoint.com
+```
+
+- If the tenant status shows as **Compatible** or **Warning**, you can then proceed with the next step of starting cross-tenant migrations.
+- If the tenant status shows as **Incompatible**, your tenants will need to be patched/updated to ensure compatibility.
+
+|Status|Can proceed with migration|
+|||
+|Compatible|Yes|
+|Warning|Yes|
+|Incompatible|No|
+
+> [!NOTE]
+> We recommend waiting a period of 24 hours. If your tenants are still reporting as *incompatible*, contact support.
+>
+> We recommend performing the compatibility status check on a frequent basis and prior to starting ANY instances of cross tenant migrations. If the tenants are not compatible, this can result in cross-tenant migrations failing.
+
+## Step 6: [Start a SharePoint cross-tenant migration](cross-tenant-SharePoint-migration-step6.md)
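Review bot: In "Create the identity mapping file", the first table (admin@source.com mapped to three target users) is introduced only as "the admin owns multiple SharePoint accounts" and is never labelled as unsupported, while the second is introduced with "Cross-tenant migration supports this scenario". Because the map decides who receives ownership and permissions on the target, mark the first table explicitly as the case that will not migrate. Under "Create the CSV file", the "**Users**" lead-in says "for guests", and none of the "as shown in this example" lead-ins is followed by an example. "Obtain the source tenant company ID" ends at a field called Tenant ID; say that this value goes in the SourceTenantCompanyID column. The cmdlet is written `Get-SPOTenantIdentityMappingUser` in the text and `get-spoTenantIdentityMappingUser` in the example; use one casing. In the compatibility section, the note "We recommend waiting a period of 24 hours" does not say after what, and the code block puts the bracketed placeholder form and a literal hostname in one block without labelling the second as an example. The path "Desktop/SharePoint/SharePoint" in the first Important note looks garbled.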
enterprise Cross Tenant Sharepoint Migration Step6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6.md
+
+ Title: SharePoint site Cross-tenant SharePoint migration Step 6 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 6 of the SharePoint site Cross-tenant migration feature"
+
+# Step 6: Start a SharePoint site cross-tenant migration (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 6 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- **Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)**
+- Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
+
+Now you're ready to start your SharePoint migration. Before starting any cross-tenant migration, do the following steps.
+
+## Start a SharePoint Cross-tenant site migration
+
+1. Ensure you have verified the compatibility status. If you see a status of either **Compatible** or **Warning** on your source tenant, you may continue. Run:
+
+ ```powershell
+ Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL [Target tenant hostname]
+ ```
+
+2. To start the migration, a SharePoint Online Admin or Microsoft 365 Global Admin of the source tenant must run the following command:
+
+```PowerShell
+Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…>
+
+```
+
+|Parameters|Description|
+|||
+|SourceSiteUrl|Full URL of the SharePoint Site of the on the Source tenant, for example: https://sourcetenant.sharepoint.com/sites/sitename|
+|TargetSiteUrl |Full URL of the SharePoint Site of the on the Target tenant, for example: https://targettenant.sharepoint.com/sites/newsitename.|
+|TargetCrossTenantHostUrl|The Cross-tenant host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant.|
+|
+
+### Start a SharePoint M365 Group connected site cross-tenant migration
+
+1. Ensure you have verified the compatibility status. If you see a status of either **Compatible** or **Warning** on your source tenant, you may continue. Run:
+
+ ```powershell
+ Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL [Target tenant hostname]
+
+2. To start the migration, a SharePoint Online Admin or Microsoft 365 Global Admin of the source tenant must run the following command:
+
+```powershell
+Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…>
+
+```
+
+|Parameters|Description|
+|||
+|SourceGroupAlias|Alias of the Microsoft 365 Group connected to the SharePoint Site on the Source tenant. For example: SourceGroup1|
+|TargetGroupAlias|Alias of the Microsoft 365 that was created on the target tenant |
+|TargetCrossTenantHostUrl|The Cross-tenant Host URL of the target tenant. The target tenant Admin can determine the TargetCrossTenantHostUrl by running *Get-SPOCrossTenantHostUrl* on their tenant|
++
+## Schedule a migration for a later time
+
+To schedule a migration for a later time, add one of the following parameters to the command.
+
+For example:
+
+```powershell
+
+Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…> -PreferredMoveBeginDate <…>
+
+```
++
+These commands can be useful when planning bulk batches of site migrations.  You can queue and migrate up to 4,000 migrations per batch.  If your count exceeds 4,000 then separate batches can be created and scheduled to run once the current batch is close to completion.
+
+|Parameter|Description|
+|||
+|PreferredMoveBeginDate|The migration will likely begin at this specified time. Time must be specified in Coordinated Universal Time (UTC).|
+|PreferredMoveEndDate|The migration will likely be completed by this specified time, on a best effort basis. Time must be specified in Coordinated Universal Time (UTC).|
+
+## SharePoint status pre-migration
+
+Before starting the migration, the users current source SharePoint status will be similar to the example below. This example is from the users source tenant, showing their current files and folders.
++
+## Cancelling a SharePoint site migration
+
+You can stop the cross-tenant migration of either a SharePoint site or SharePoint Microsoft 365 Group by using the following command, provided the migration doesn't have a status of *In Progress* or *Success*.
+
+**To cancel a SharePoint site migration:**
+
+```powershell
+Stop-SPOCrossTenantSiteContentMove – SourceSiteURL [URL of Site you wish to stop]
+```
+
+**To cancel a SharePoint Microsoft 365 Group migration:**
+
+```powershell
+Stop-SPOCrossTenantGroupContentMove – SourceGroupAlias [Alias of Group connected to site you wish to stop]
+
+```
+
+## Determining current status of a migration
+
+After starting your migration, you can check its status using the following command on either the source OR target tenant:
+
+**Source command format:**
+
+```powershell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL [Target URL]
+```
+
+Example:
+
+```Powershell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://m365x946316-my.sharepoint.com/
+```
+
+**Target command:**
+
+```powershell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL [Source URL]
+```
+
+Example:
+
+```powershell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://m365x016551-my.sharepoint.com/
+```
+
+To find the status of a specific user's migration, use the *SourceUserPrincipalName* parameter:
+
+```powershell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL <PartnerCrossTenantHostURL> -SourceUserPrincipalName <UPN>
+```
+
+Example:
+
+```powershell
+Get-SPOUserAndContentMoveState -PartnerCrossTenantHostURL https://m365x946316-my.sharepoint.com -SourceUserPrincipalName DiegoS@M365x016651.OnMicrosoft.com
+```
+
+To get the status of the move based on a particular userΓÇÖs UPN but with more information, use the *-Verbose* parameter.
+
+Example:
+
+```PowerShell
+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttesttenant-my.sharepoint.com -SourceUserPrincipalName User3@stesttenant.onmicrosoft.com -Verbose
+```
+
+## Migration States
+
+|Status|Description|
+|||
+|NotStarted|The migration hasn't yet started.|
+|Scheduled|The migration is now in the queue and is scheduled to run when a slot becomes available.|
+|ReadytoTrigger|The Migration is in its pre-flight stage and will start the Migration shortly.|
+|InProgress|The migration is in progress in one of the following states: </br>- Validation </br>- Backup </br>- Restore </br>- Cleanup|
+|Success|The Migration has completed successfully.|
+|Rescheduled|The migration may not have completed and has been requeued for another pass.|
+|Failed|The migration failed to complete.|
+
+## Post-migration status checks
+
+**Target tenant**: After the migration has successfully completed, check the status of the user on the target tenant by logging into their new SharePoint account.
+
+**Source tenant**: Since the user has successfully migrated to the target tenant, they no longer have an active SharePoint account on the source.
+
+## Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)
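Review bot: Under "Start a SharePoint Cross-tenant site migration", step 2 shows `Start-SPOCrossTenantGroupContentMove -SourceGroupAlias <…> -TargetGroupAlias <…>`, but the parameter table beneath it documents `SourceSiteUrl` and `TargetSiteUrl`, so the command an admin copies is the group move, not the site move. The block should show the site-move command with the parameters the table lists; the cancel section already uses the site form, `Stop-SPOCrossTenantSiteContentMove`. Other points in this file: the parameter dash in both `Get-SPOCrossTenantCompatibilityStatus` examples and in the two `Stop-` examples is a non-ASCII dash (followed by a space in the `Stop-` lines) and should be a plain hyphen with no space; the fence opened in step 1 of the group section is never closed; the per-user status example calls `Get-SPOUserAndContentMoveState` while the format line above it uses `Get-SPOCrossTenantUserContentMoveState`; and "add one of the following parameters" is followed by an example and a batching paragraph before the parameter table appears. The status and post-migration sections also speak of a user's UPN and "SharePoint account" on a page about site migrations, which needs either rewording or a sentence explaining why the user cmdlet applies.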
enterprise Cross Tenant Sharepoint Migration Step7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step7.md
+
+ Title: SharePoint Cross-Tenant User Data Migration Step 7 (preview)
+++
+recommendations: true
+audience: ITPro
+++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Step 7 of the SharePoint Cross-tenant migration feature"
+
+# Step 7: Post migration steps (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
+
+This is Step 7 in a solution designed to complete a Cross-tenant SharePoint migration. To learn more, see [Cross-tenant SharePoint migration overview](cross-tenant-SharePoint-migration.md).
+
+- Step 1: [Connect to the source and the target tenants](cross-tenant-SharePoint-migration-step1.md)
+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-SharePoint-migration-step2.md)
+- Step 3: [Verify trust has been established](cross-tenant-SharePoint-migration-step3.md)
+- Step 4: [Pre-create users and groups](cross-tenant-SharePoint-migration-step4.md)
+- Step 5: [Prepare identity mapping](cross-tenant-SharePoint-migration-step5.md)
+- Step 6: [Start a Cross-tenant SharePoint migration](cross-tenant-SharePoint-migration-step6.md)
+- **Step 7: [Post migration steps](cross-tenant-SharePoint-migration-step7.md)**
+
+## Removing trust relationship
+
+> [!IMPORTANT]
+> Make sure you remove the Trust Relationship on both source and target tenants before your source tenant licenses expire. Once the licenses expire, the trust removal command will not work on source.
+
+1. On the source tenant, run this command to remove the trust relationship between Source and Target tenant.
+
+ ```powershell
+ Remove-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>
+ ```
+
+2. On the target tenant, run this command to remove the trust relationship between the target and source tenant.
+
+ ```powershell
+ Remove-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>
+ ```
+
+### Parameter definitions
+
+|Parameter|Definition|
+|||
+|PartnerRole|Roles of the partner tenant you're establishing trust with. Use *source* if partner tenant is the source of the SharePoint migrations, and *target* if the partner tenant is the destination.|
+|PartnerCrossTenantHostURL|The cross-tenant host URL of the partner tenant. The partner tenant can determine this for you by running: *Get-SPOCrossTenantHostURL* on each of the tenants.|
++
+## Removing redirect links post migration
+
+ After the migration from Source to Target is complete, a redirect link is placed on the source. If users attempt to log back into their Source account or site, the link automatically redirects them to their new Target site. Remove the redirect links on the source after your full migration has completed.
+
+
+Occasionally, a user may need to be migrated back to the original source. Remove the redirect link on the Target if you migrate a user back to the source.
+
+- To remove redirect links, use the **Remove-SPOSite** PowerShell command.
+- To get a list of all redirect sites on a tenant, use the **Get-Sposite -Template RedirectSite#0** command.
+
+Keep track of any user or site you migrate back to the source from the target. After successfully migrating these users or sites back to the source, confirm that the user/sites are accessible. Then you can remove the redirect link from Target using the **Remove-SPOSite command**.
+
+>[!Important]
+>Site URLΓÇÖs must be unique. When migrating a user or site back to the source, the redirect site created on the initial move will use the original URL. This will result in a conflict and cause the migration to fail if not removed. redirect link still being present on the tenant you are attempting to migrate to.
++
+## Other post migration steps
+
+Existing links and permissions should continue to work as expected once the migration is complete, based on the identity mapping files that were created.
+
+### SharePoint sites
+
+The source SharePoint site is set to read-only while a migration is in progress. Once the migration is complete, users are directed to the site in the new target tenant whenever they navigate to the source site. Users must sign in using their target tenant credentials.
+
+### Permissions on SharePoint content
+
+Users with permissions to SharePoint content will continue to have access to the content during the migration and after it is complete, provided that those users or groups were included as part of the identity mapping step.
+
+### Sharing Links
+
+The existing shared links for the migrated files will automatically redirect to the new target location.
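Review bot: In "Removing trust relationship", steps 1 and 2 show the identical command, `-PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>`, although step 2 runs on the target tenant, where the partner is the source. By the parameter table's own definition (*source* if the partner tenant is the source of the migrations), step 2 should use `-PartnerRole Source` with the source tenant's host URL; as written, the step may not remove the relationship it is meant to remove, which matters because the IMPORTANT note gives a deadline for doing so. Also: the `PartnerRole` description says "you're establishing trust with" in a removal section; the last `[!Important]` note ends in a sentence fragment ("redirect link still being present on the tenant you are attempting to migrate to."); and since the cleanup uses `Remove-SPOSite`, the two bullets should say explicitly that only URLs returned by the `-Template RedirectSite#0` listing are to be passed to it.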
enterprise Cross Tenant Sharepoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration.md
+
+ Title: Cross-tenant SharePoint site migration overview (preview)
+++
+recommendations: true
+audience: ITPro
++
+ms.localizationpriority: high
+
+- SPMigration
+- M365-collaboration
+- m365initiative-migratetom365
+search.appverid: MET150
+description: "Learn about the Cross-tenant SharePoint migration solution to migrate your SharePoint sites from tenant to tenant, currently in preview."
+
+# Cross-tenant SharePoint migration (preview)
+
+>[!Note]
+>Cross-Tenant SharePoint migration is currently in a private preview stage of development. As an unfinished project, any information or availability is subject to change at any time. Support for private-preview customers will be handled via email. Cross-Tenant SharePoint migration is covered by the preview terms of the [Microsoft Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
++
+SharePoint sites can now be moved from one tenant to another using the Cross-tenant SharePoint migration feature.
+
+Using *SharePoint Online PowerShell*, SharePoint Admins can to transition sites into their new tenants.
+
+Up to 4,000 SharePoint accounts can be scheduled for migration in advance at a given time. Once scheduled, migrations occur without content ever leaving the Microsoft 365 cloud and with minimal disruption. When migrations are complete, a redirect is placed in the location of the user's original SharePoint site, so any links to files and folders can continue working in the new location.
++
+## How to participate
+
+The **Cross-Tenant User Content Migration** feature and licenses are currently only available to Enterprise Agreement customers.
+
+If you are an Enterprise Agreement customer who will be purchasing Cross-Tenant User Content Migration licenses, and you would like to evaluate Cross-Tenant SharePoint migration to improve your migration experience, then please email CTMSPreview@service.microsoft.com and provide some basic information about the migration you are performing.
+
+The team will respond to you within a couple business days with some additional questions. For more information on licensing, please see [Cross-Tenant User Content Migration Licensing](/microsoft-365/enterprise/cross-tenant-mailbox-migration) and contact your Microsoft account team.
+
+## Prerequisites and settings
+
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588)
+
+- **Turn off service encryption with Customer Key enabled.** Confirm that the source OneDrive tenant **doesn't** have Service encryption with Microsoft Purview Customer Key enabled. If enabled on Source tenant, the migration will fail. [Learn more on Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview)
+
+- Source SharePoint sites must be set to Read/Write. If set to Read only, the migration will fail.
+
+## Target SharePoint sites and Group-connected SharePoint sites
+
+>[!Important]
+>- Do not create any target SharePoint sites before starting your migration. If the site already exists on the target tenant the migration will fail. **You cannot overwrite or merge an existing site.** 
+>
+>- Target Microsoft 365 Groups for group-connected SharePoint site migrations CANNOT be linked to existing SharePoint sites. Target Microsoft 365 groups must be pre-created in a specific way
+>
+>Before starting any migrations, make certain that your source SharePoint sites are set to Read/write mode. If they are set to read-only the migration will fail.
+>
+>- Each individual SharePoint site being migrated must have no more than 2 TB of storage, or 1 million items. If during a migration of multiple sites a site with more than 2 TB is encountered, that site will eventually timeout and fail. Sites less 2 TB will continue until completion.
+>
+>- Ensure all users and groups identified for migration have been pre-created on the target tenant.
+>- Assign the appropriate licenses to each user on the target tenant.
++
+## Path size limits
+
+Microsoft character path limit cannot exceed 400 characters. We recommend shortening your Target User/Site URL names to stay within the character limit.
+
+Consider the length of User/Site ULR names in your Target tenant when planning your migrations. Longer user/site URL names may result in migrations failing. Remember that the source's file or folder path name is combined with the new user or site name on the Target. Make sure that total doesn't exceed the 400-character path limit.
+
+If your migration fails, rename the User/Site URL or work with the user to rename or move the affected files or folders higher up the directory structure to ensure it remains under the character threshold limit. Once resolved, you should be able to complete the migration.
++
+## Support SharePoint features
+
+The following types of site can be migrated between geographic locations:
+
+- Microsoft 365 group-connected sites, including those sites associated with Microsoft Teams
+- Modern sites without a Microsoft 365 group association
+- Classic SharePoint sites
+- Communication sites
+
+>[!Important]
+>This feature **does not** include migration of Teams content, channels or associated structure. If a Teams-connected SharePoint site is migrated, only the SharePoint site content will be migrated to the target.
+
+### Sharing Links
+
+When the SharePoint site migration completes, the existing shared links for the files that were migrated will automatically redirect to the new geographic location.
+
+### Permissions
+
+Users with permissions to site may continue to have access to the site after the migration is complete, provided those users/groups were accounted for in the Identity Mapping step.
+
+### SharePoint Workflows
+
+Workflows (2010 or 2013) must be re-created and republished on the Target tenant.
++
+### Apps
+If you're migrating a site with Apps, you must republish & potentially modify the App on the target tenant.
+
+### PowerApps/PowerAutomate
+
+PowerApps & Automation Tasks must be re-created and reconnected to the Site on the target tenant.
++
+### Web Parts
+
+Web parts that reference content in other SharePoint Sites and/or other Microsoft 365 services (such as email, calendars) may need to be modified or re-created on the target tenant.
+
+## Communicating with your users
+
+When migrating SharePoint sites between tenants, it is important to communicate to your users what to expect.
+
+- How will this migration impact them?
+- Will they be able to continue to work during the migration?
+- When will the migration start and how long will it last?
+- What is the new URL in which to access their new site plus any other details about the new tenant
+- Advise users to close their files and not make any edits during their migration window.
+- Advise of any file permissions or sharing changes that may occur as part of the migration.
+
+## Scheduling SharePoint site migrations
+
+You can schedule SharePoint site migrations in advance but consider the following:
+
+- Start with a small number of sites to validate your workflows and communication strategies
+- Once you are comfortable with the process, you can schedule large batches of migrations.
+- You can schedule up to 4,000 migrations at a time per batch
+- As the migrations begin, you can schedule more, with a maximum of 4,000 pending migrations in the queue at any given time.
+++
+## Get started
+
+- **Step 1:** [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md).
+- **Step 2:** [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)
+- **Step 3:** [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)
+- **Step 4:** [Pre-create users and groups](cross-tenant-sharepoint-migration-step4.md)
+- **Step 5:** [Prepare identity mapping](cross-tenant-sharepoint-migration-step5.md)
+- **Step 6:** [Start a Cross-tenant SharePoint migration](cross-tenant-sharepoint-migration-step6.md)
+- **Step 7:** [Post migration steps](cross-tenant-sharepoint-migration-step7.md)
+
+## Step 1: [Connect to source and target tenants](cross-tenant-sharepoint-migration-step1.md)
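Review bot: In "Get started", Steps 1 to 3 link to `cross-tenant-onedrive-migration-step1.md`, `-step2.md` and `-step3.md`, while Steps 4 to 7 and the "Step 1" heading directly below link to the `cross-tenant-sharepoint-migration-*` files. Either the first three links are leftovers from the OneDrive article or the heading is wrong; they should agree. The same copy-over shows elsewhere in the file: the Customer Key prerequisite refers to "the source OneDrive tenant", and "Support SharePoint features" and "Sharing Links" talk about migrating "between geographic locations" and "the new geographic location" rather than between tenants. The IMPORTANT block says target Microsoft 365 groups "must be pre-created in a specific way" without giving the procedure or a link to it, and repeats the Read/Write requirement from the prerequisites as an unbulleted line inside a bulleted list. Typos to fix while here: "can to transition", "Sites less 2 TB", "ULR".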
enterprise Office 365 Network Mac Perf Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-score.md
The SharePoint Online assessment is made using the following table. Any download
## Microsoft Teams
-For Microsoft Teams the Network quality is measured as UDP latency, UDP jitter, and UDP packet loss. UDP is used for call and conferencing audio and video media connectivity for Microsoft Teams. This can be impacted by the same factors as for latency and download speed in addition to connectivity gaps in a network's UDP support since UDP is configured separately to the more common TCP protocol. The median (also known as the 50th percentile or P50 measure) is taken for all measurements over the previous three days.
+For Microsoft Teams the Network quality is measured as UDP latency, UDP jitter, and UDP packet loss. UDP is used for call and conferencing audio and video media connectivity for Microsoft Teams. This can be impacted by the same factors as for latency and download speed in addition to connectivity gaps in a network's UDP support since UDP is configured separately to the more common TCP protocol. The median (also known as the 50th percentile or P50 measure) is taken for all measurements over the previous three days.
We calculate a mean opinion score from these UDP measurements for a scale from one to five. Then we map that to the 0-100 points scale for the Microsoft Teams network assessment. Overall good is over 87.5 points and overall bad is below 50 points.
+## Understanding test sampling
+
+Network test sampling does not include user or device identities and hence the size of offices and number of users in them is estimated. We use the number of test results from Exchange tests and the number of tests from SharePoint tests to do this. If no samples are received for the office location then summary assessment information is still shown for up to 60 days but detail information is not shown and that includes the estimated number users.
+ ## Related topics [Network connectivity in the Microsoft 365 Admin Center](office-365-network-mac-perf-overview.md)
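Review bot: The last sentence of the new "Understanding test sampling" section runs three statements together and leaves the condition open: it does not say over what period "no samples are received" is judged before the detail view is hidden, and "that includes the estimated number users" is missing "of". Suggest splitting it into one sentence on the 60-day summary retention and one on what is hidden. The first sentence states that sampling carries no user or device identities; if that is a privacy commitment, it deserves its own sentence rather than serving as the reason for the estimate. The removed and added Microsoft Teams paragraph lines read identically here, so that change looks whitespace-only.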
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
Advanced deployment guides in the admin center require authentication to a Micro
|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** | |||| |[Build your employee experience with Microsoft 365 and Microsoft Viva dashboard](https://go.microsoft.com/fwlink/?linkid=2223653)|[Build your employee experience with Microsoft 365 and Microsoft Viva dashboard](https://go.microsoft.com/fwlink/?linkid=2224787)|Transform how your employees work together with the **Build your employee experience with Microsoft 365 and Microsoft Viva dashboard**. For seamless teamwork, use Microsoft 365 to create productive, aligned teams, and keep employees engaged with leadership and the rest of the organization. Help your employees be effective in all work activities. These guides will provide instructions on how to use SharePoint, Teams, and Yammer to build collaboration across your org to help drive productivity.|
-|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2223409)|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224187)|The **Microsoft 365 Apps setup guide** helps you get your users' devices running the latest version of Office products like Word, Excel, PowerPoint, and OneNote. You'll get guidance on the various deployment methods that include easy self-install options to enterprise deployments with management tools. The instructions will help you assess your environment, figure out your specific deployment requirements, and implement the necessary support tools to ensure a successful installation.|
+|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2234169)|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2233871)|The **Microsoft 365 Apps setup guide** provides comprehensive guidance for setting up and deploying the latest versions of Office products like Word, Excel, PowerPoint, and OneNote on your users' devices. You'll be walked through the activation process for your Microsoft 365 product key, as well as various deployment methods including easy self-install options and enterprise deployments with management tools. Additionally, the guide offers instructions on assessing your environment, determining your specific deployment requirements, and implementing the necessary support tools to ensure a successful installation.|
||[Mobile apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224813)|The **Mobile apps setup guide** provides instructions for the download and installation of Office apps on your Windows, iOS, and Android mobile devices. This guide provides you with step-by-step information to download and install Microsoft 365 and Office 365 apps on your phone and tablet devices.| |[Microsoft Teams setup guide]( https://go.microsoft.com/fwlink/?linkid=2222975)|[Microsoft Teams setup guide](https://go.microsoft.com/fwlink/?linkid=2224815)|The **Microsoft Teams setup guide** provides your organization with guidance to set up team workspaces that host real-time conversations through messaging, calls, and audio or video meetings for both team and private communication. Use the tools in this guide to configure Guest access, set who can create teams, and add team members from a .csv file, all without the need to open a PowerShell session. You'll also get best practices for determining your organization's network requirements and ensuring a successful Teams deployment.| |[Plan and implement your Microsoft Teams Phone deployment](https://go.microsoft.com/fwlink/?linkid=2223356)|[Plan and implement your Microsoft Teams Phone deployment](https://go.microsoft.com/fwlink/?linkid=2224790)|This guide will help you transition from your existing voice solution to Microsoft Teams Phone. You'll be guided through discovery and planning phases, or you can go straight to deployment. You'll be able to configure a calling plan, Operator Connect, Teams Phone Mobile, Direct Routing, caller ID, and other features.|
includes Device Macos Check Browser Vs End Url https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/device-macos-check-browser-vs-end-url.md
+### OPTIONAL: Allow sensitive data to pass through forbidden domains
+
+Microsoft Purview DLP checks for sensitive data through all stages of its travels. So, if sensitive data gets posted or sent to an allowed domain, but travels through a forbidden domain, it's blocked. Let's take a closer look.
+
+Say that sending sensitive data via Outlook Live (*outlook.live.com*) is permissible, but that sensitive data must not be exposed to *microsoft.com*. However, when a user accesses Outlook Live, the data passes through *microsoft.com* in the background, as shown:
++
+By default, because the sensitive data passes through microsoft.com on its way to outlook.live.com, DLP automatically blocks the data from being shared.
+
+In some cases, however, you may not be concerned with the domains that data passes through on the back end. Instead, you may only be concerned about where the data ultimately ends up, as indicated by the URL that shows up in the address bar. In this case, *outlook.live.com*. To prevent sensitive data from being blocked in our example case, you need to specifically change the default setting.
+
+So, if you only want to monitor the browser and the final destination of the data (the URL in the browser address bar), you can enable *DLP_browser_only_cloud_egress* and *DLP_ax_only_cloud_egress*. Here's how.
+
+To change the settings to allow sensitive data to pass through forbidden domains on its way to a permitted domain:
+
+1. Open the [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/cloud_egress/com.microsoft.wdav.mobileconfig) file.
+
+2. Under the `dlp` key, Set `DLP_browser_only_cloud_egress` to *enabled* and set ` DLP_ax_only_cloud_egress` to *enabled* as shown in the following example.
++
+```xml
+
+<key>dlp</key>
+ <dict>
+ <key>features</key>
+ <array>
+ <dict>
+ <key>name</key>
+ <string>DLP_browser_only_cloud_egress</string>
+ <key>state</key>
+ <string>enabled</string>
+ </dict>
+ <dict>
+ <key>name</key>
+ <string>DLP_ax_only_cloud_egress</string>
+ <key>state</key>
+ <string>enabled</string>
+ </dict>
+ </array>
+ </dict>
+```
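Review bot: The paragraph that introduces `DLP_browser_only_cloud_egress` and `DLP_ax_only_cloud_egress` never says what each flag controls or what protection is given up when they are enabled. The section title says sensitive data will be allowed "to pass through forbidden domains", so the text should state plainly that with these flags on, DLP evaluates only the address-bar destination and no longer blocks on intermediate domains, and say whether both flags must be set together or can be set independently. The "as shown:" sentence is followed by nothing in this hunk, so the Outlook Live example needs its figure or a one-line description of the path. In step 2, the inline code for the second flag has a leading space inside the backticks and "Set" is capitalised mid-sentence. The step 1 link points at the `master` branch of the profile, so the file a reader opens may differ from the example printed here.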
includes Devices Macos Onboarding Tip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/devices-macos-onboarding-tip.md
++
+> [!TIP]
+> We recommend downloading the bundled ([mdatp-nokext.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig)) file, rather than the [individual](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles) *.mobileconfig* files. The bundled file includes the following required files:
+>
+> - accessibility.mobileconfig
+> - fulldisk.mobileconfig
+> - netfilter.mobileconfig
+> - sysext.mobileconfig
+>
+> If any of these files are updated, you need to either download the updated bundle, or download each updated file individually.
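Review bot: The recommended download is a `raw.githubusercontent.com` link to the `master` branch, so readers fetch whatever is on that branch at the time, and the closing sentence ("If any of these files are updated...") gives no way to learn that an update happened. Since these profiles cover accessibility, full disk access, network filter and system extension settings, suggest linking to the repository page for the file so its history is visible, and adding a sentence telling admins to review the profile contents before deploying it through their management tool. Minor: the link is wrapped in an extra pair of parentheses, and "includes the following required files" would read better as "profiles", matching the *.mobileconfig* wording earlier in the sentence.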
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--China endpoints version 2023030100-->
-<!--File generated 2023-03-01 08:00:07.5376-->
+<!--China endpoints version 2023042800-->
+<!--File generated 2023-04-28 08:00:07.7632-->
## Exchange Online ID | Category | ER | Addresses | Ports -- | -- | -- | -- |
-1 | Optimize<BR>Required | No | `*.partner.outlook.cn`<BR>`40.73.132.0/24, 40.73.164.128/25, 40.73.165.0/26, 42.159.40.0/24, 42.159.44.0/22, 42.159.163.128/25, 42.159.165.0/24, 42.159.172.0/22, 2406:e500:4010::/48, 2406:e500:4030::/53, 2406:e500:4030:800::/54, 2406:e500:4040::/53, 2406:e500:4040:800::/54, 2406:e500:4040:1000::/54, 2406:e500:4040:1400::/54, 2406:e500:4110::/48, 2406:e500:4210::/48, 2406:e500:4310::/48` | **TCP:** 443, 80
-2 | Allow<BR>Required | No | `42.159.33.192/27, 42.159.36.0/24, 42.159.161.192/27, 42.159.164.0/24, 139.219.16.0/27, 139.219.17.0/24, 139.219.24.0/22, 139.219.145.0/27, 139.219.146.0/24, 139.219.156.0/22, 2406:e500:4420::/43, 2406:e500:4440::/43, 2406:e500:c020::/44, 2406:e500:c120::/44` | **TCP:** 25, 443, 53, 80
-12 | Default<BR>Required | No | `attachments.office365-net.cn` | **TCP:** 443, 80
+1 | Optimize<BR>Required | No | `partner.outlook.cn`<BR>`40.73.132.0/24, 40.73.164.128/25, 40.73.165.0/26, 42.159.40.0/24, 42.159.44.0/22, 42.159.163.128/25, 42.159.165.0/24, 42.159.172.0/22, 2406:e500:4010::/48, 2406:e500:4030::/53, 2406:e500:4030:800::/54, 2406:e500:4040::/53, 2406:e500:4040:800::/54, 2406:e500:4040:1000::/54, 2406:e500:4040:1400::/54, 2406:e500:4110::/48, 2406:e500:4210::/48, 2406:e500:4310::/48` | **TCP:** 443, 80
+2 | Allow<BR>Required | No | `*.protection.partner.outlook.cn`<BR>`42.159.33.192/27, 42.159.36.0/24, 42.159.161.192/27, 42.159.164.0/24, 139.219.16.0/27, 139.219.17.0/24, 139.219.24.0/22, 139.219.145.0/27, 139.219.146.0/24, 139.219.156.0/22, 2406:e500:4420::/43, 2406:e500:4440::/43, 2406:e500:c020::/44, 2406:e500:c120::/44` | **TCP:** 25, 443, 53, 80
+12 | Default<BR>Required | No | `*.partner.outlook.cn, attachments.office365-net.cn` | **TCP:** 443, 80
+20 | Allow<BR>Required | No | `*.partner.outlook.cn`<BR>`40.73.132.0/24, 40.73.164.128/25, 40.73.165.0/26, 42.159.40.0/24, 42.159.44.0/22, 42.159.163.128/25, 42.159.165.0/24, 42.159.172.0/22, 2406:e500:4010::/48, 2406:e500:4030::/53, 2406:e500:4030:800::/54, 2406:e500:4040::/53, 2406:e500:4040:800::/54, 2406:e500:4040:1000::/54, 2406:e500:4040:1400::/54, 2406:e500:4110::/48, 2406:e500:4210::/48, 2406:e500:4310::/48` | **TCP:** 587, 993, 995
## SharePoint Online and OneDrive for Business
ID | Category | ER | Addresses | Ports
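Review bot: In the Exchange Online rows, `*.partner.outlook.cn` on TCP 443 and 80 moves from row 1 (Optimize, with published IP ranges) to row 12 (Default, no IP ranges), and row 1 keeps only the bare `partner.outlook.cn`. Anyone who builds firewall or proxy bypass rules from the Optimize category will stop matching subdomains on those ports, so please confirm the recategorization is intended and not a side effect of introducing row 20. Row 20 repeats row 1's address list verbatim for ports 587, 993, 995, and row 2 gains `*.protection.partner.outlook.cn`; a short description of what these rows cover would help consumers, since the only change record visible here is the version comment bump to 2023042800.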
## Microsoft 365 Common and Office Online ID | Category | ER | Addresses | Ports | - | -- | - | -
+-- | - | -- | -- | -
6 | Allow<BR>Required | No | `webshell.suite.partner.microsoftonline.cn`<BR>`40.73.248.8/32, 40.73.252.10/32` | **TCP:** 443, 80
-7 | Allow<BR>Required | No | `*.azure-mobile.cn, *.chinacloudapi.cn, *.chinacloudapp.cn, *.chinacloud-mobile.cn, *.chinacloudsites.cn, *.partner.microsoftonline-m.cn, *.partner.microsoftonline-m.net.cn, *.partner.microsoftonline-m-i.cn, *.partner.microsoftonline-m-i.net.cn, *.partner.microsoftonline-p.net.cn, *.partner.microsoftonline-p-i.cn, *.partner.microsoftonline-p-i.net.cn, *.partner.officewebapps.cn, *.windowsazure.cn, partner.outlook.cn, portal.partner.microsoftonline.cdnsvc.com, r4.partner.outlook.cn`<BR>`23.236.126.0/24, 42.159.224.122/32, 42.159.233.91/32, 42.159.237.146/32, 42.159.238.120/32, 58.68.168.0/24, 112.25.33.0/24, 123.150.49.0/24, 125.65.247.0/24, 139.217.17.219/32, 139.217.19.156/32, 139.217.21.3/32, 139.217.25.244/32, 171.107.84.0/24, 180.210.232.0/24, 180.210.234.0/24, 209.177.86.0/24, 209.177.90.0/24, 209.177.94.0/24, 222.161.226.0/24` | **TCP:** 443, 80
+7 | Allow<BR>Required | No | `*.azure-mobile.cn, *.chinacloudapi.cn, *.chinacloudapp.cn, *.chinacloud-mobile.cn, *.chinacloudsites.cn, *.partner.microsoftonline-m.cn, *.partner.microsoftonline-m.net.cn, *.partner.microsoftonline-m-i.cn, *.partner.microsoftonline-m-i.net.cn, *.partner.microsoftonline-p.net.cn, *.partner.microsoftonline-p-i.cn, *.partner.microsoftonline-p-i.net.cn, *.partner.officewebapps.cn, *.windowsazure.cn, portal.partner.microsoftonline.cdnsvc.com, r4.partner.outlook.cn`<BR>`23.236.126.0/24, 42.159.224.122/32, 42.159.233.91/32, 42.159.237.146/32, 42.159.238.120/32, 58.68.168.0/24, 112.25.33.0/24, 123.150.49.0/24, 125.65.247.0/24, 139.217.17.219/32, 139.217.19.156/32, 139.217.21.3/32, 139.217.25.244/32, 171.107.84.0/24, 180.210.232.0/24, 180.210.234.0/24, 209.177.86.0/24, 209.177.90.0/24, 209.177.94.0/24, 222.161.226.0/24` | **TCP:** 443, 80
8 | Allow<BR>Required | No | `*.onmschina.cn, *.partner.microsoftonline.net.cn, *.partner.microsoftonline-i.cn, *.partner.microsoftonline-i.net.cn, *.partner.office365.cn`<BR>`101.28.252.0/24, 115.231.150.0/24, 123.235.32.0/24, 171.111.154.0/24, 175.6.10.0/24, 180.210.229.0/24, 211.90.28.0/24` | **TCP:** 443, 80 9 | Allow<BR>Required | No | `*.partner.microsoftonline-p.cn`<BR>`42.159.4.68/32, 42.159.4.200/32, 42.159.7.156/32, 42.159.132.138/32, 42.159.133.17/32, 42.159.135.78/32, 182.50.87.0/24` | **TCP:** 443, 80 10 | Allow<BR>Required | No | `*.partner.microsoftonline.cn`<BR>`42.159.4.68/32, 42.159.4.200/32, 42.159.7.156/32, 42.159.132.138/32, 42.159.133.17/32, 42.159.135.78/32, 103.9.8.0/22` | **TCP:** 443, 80
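Review bot: Row 7 drops `partner.outlook.cn` but keeps `r4.partner.outlook.cn`, which is also matched by the `*.partner.outlook.cn` wildcard now listed in Exchange Online rows 12 and 20, so the same host is covered by two tables with different address sets. Please confirm which row is authoritative for `r4.partner.outlook.cn`, or remove it from row 7 in the same change so allow-list consumers do not end up with overlapping rules.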
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--Worldwide endpoints version 2023032900-->
-<!--File generated 2023-03-29 17:00:01.6148-->
+<!--Worldwide endpoints version 2023042800-->
+<!--File generated 2023-04-28 08:00:06.2024-->
## Exchange Online
ID | Category | ER | Addresses | Ports
51 | Default<BR>Required | No | `*cdn.onenote.net` | **TCP:** 443 53 | Default<BR>Required | No | `ajax.aspnetcdn.com, apis.live.net, officeapps.live.com, www.onedrive.com` | **TCP:** 443 56 | Allow<BR>Required | Yes | `*.auth.microsoft.com, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, ccs.login.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.20.32.0/19, 20.190.128.0/18, 20.231.128.0/19, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80
-59 | Default<BR>Required | No | `*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net` | **TCP:** 443, 80
+59 | Default<BR>Required | No | `*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, policykeyservice.dc.ad.msft.net` | **TCP:** 443, 80
64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, defender.microsoft.com, protection.office.com, security.microsoft.com`<BR>`13.107.6.192/32, 13.107.9.192/32, 52.108.0.0/14, 2620:1ec:4::192/128, 2620:1ec:a92::192/128` | **TCP:** 443 66 | Default<BR>Required | No | `*.portal.cloudappsecurity.com` | **TCP:** 443 67 | Default<BR>Optional<BR>**Notes:** Security and Compliance Center eDiscovery export | No | `*.blob.core.windows.net` | **TCP:** 443
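Review bot: Row 59 loses `management.azure.com` and no other row visible in this hunk picks it up. If the host has moved to a different row or is no longer required, say so in the change notes for version 2023042800; otherwise admins who regenerate egress allow-lists from this table will silently drop the host on TCP 443 and 80.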
security Microsoft 365 Zero Trust https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/microsoft-365-zero-trust.md
- zerotrust-solution - highpri - tier1-- zerotrust-services Last updated 1/31/2023
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
Last updated
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 Defender, admins can decide whether users can report malicious messages in Microsoft Teams. Admins can also get visibility into the Teams messages that users are reporting.
-Users can report messages in Teams from **internal** chats and meeting conversations. Users can only report messages as malicious.
+Users can report messages in Teams from **internal** chats, channels and meeting conversations. Users can only report messages as malicious.
> [!NOTE] > User reporting of messages in Teams is not supported in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD).
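Review bot: The changed sentence reads "chats, channels and meeting conversations" without a serial comma, while the note directly below it uses one ("GCC, GCC High, and DoD"). Suggest "chats, channels, and meeting conversations" for consistency. Because this widens the stated reporting scope to channels, also check that the "Last updated" metadata line, which shows no date here, is populated in the same change.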