+|[Visio activity](visio-activity.md)|Yes|Yes|N/A|N/A|N/A|

+If users or admins have their privacy settings set to **Neither**, we do not have accurate metrics for the **Project activity** chart for the Project Online desktop client. The numbers shown will be undercounted. For more information on privacy settings, see [Use policy settings to manage privacy controls for for Microsoft 365 Apps for enterprise](/deployoffice/privacy/manage-privacy-controls).

+1. Sign in to Microsoft 365 Defender(https://security.microsoft.com/antispam), select **Policies & rules**, Click on **Threat policies** and then select **Anti-spam policies**.

+2. Select **Connection filter policy (Default)**, and click on Edit **Edit connection filter policy** and add the mail server IP address for your current email provider in the **Always allow messages from the following IP addresses or address range** Section.

+## More resources

+[Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors)

+This article only applies to canceling **Dynamics 365**, **Intune**, **Power Platform**, **Windows 365**, and **Microsoft 365 for business** subscriptions. If you have an Azure subscription, see [Cancel your Azure subscription](/azure/cost-management-billing/manage/cancel-azure-subscription). If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b?OCID=M365_DocsCancel_Link).

+- If you have a billing profile, you must also be a billing account owner or billing account contributor to do the tasks in this article. [Find out if you have a billing profile](../billing-and-payments/manage-billing-profiles.md#view-my-billing-profiles). For more information about billing account roles, see [Understand access to billing accounts](../manage-billing-accounts.md).

+|25 or fewer licenses | [Use the steps later in this article to cancel your trial or paid subscription](#steps-to-cancel-your-subscription) online in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. |

+|More than 25 licenses | Reduce the number of licenses to 25 or fewer and then [use the steps later in this article to cancel](#steps-to-cancel-your-subscription). |

+> If you have multiple subscriptions to the same product, such as Microsoft 365 Business Premium, canceling one subscription won't impact the licenses or services that you bought inside the other subscriptions.

+Your subscription now appears in a **Disabled** state, and has reduced functionality until it's deleted. For information about what to expect when you cancel a paid Microsoft 365 for business subscription, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](what-if-my-subscription-expires.md)

+If you canceled your subscription and didn't [move users to a different subscription](move-users-different-subscription.md) that includes Microsoft 365, Microsoft 365 runs in reduced functionality mode. When this happens, users can only read and print documents, and Microsoft 365 apps display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380). To avoid any confusion, have your users [uninstall Microsoft 365](https://support.microsoft.com/office/9dd49b83-264a-477a-8fcc-2fdf5dbf61d8) from their computers.

+ - Because these scopes use dynamic queries that run daily and can take a few days to fully populate, wait and [confirm their membership](purview-adaptive-scopes.md#confirm-scope-membership) before you start simulation.

+ - For the **Microsoft 365 Group mailboxes & sites** location, items stored in [AuxPrimary mailboxes](/powershell/module/exchange/get-mailboxlocation#-mailboxlocationtype) aren't supported.

+- Although auto-labeling for sensitive information types applies to emails sent and received rather than emails stored in mailboxes, simulation for Exchange locations runs against against emails stored in mailboxes. Using historical data lets you more quickly assess the effectiveness of your chosen sensitive information types and configuration.

+- For the **Microsoft 365 Group mailboxes & sites** and **OneDrive accounts** locations: Items that are stored in [arbitration mailboxes](/powershell/module/exchange/new-mailbox#-arbitration) aren't supported for simulation.

+ Title: Search the audit log for events in Microsoft Teams

+description: "Learn how to retrieve Microsoft Teams data from the audit log in the Microsoft Purview compliance portal."

+audience: admin

+- tier1

+- purview-compliance

+- M365-collaboration

+- audit

+f1.keywords:

+- NOCSH

+search.appverid: MET150

+appliesto:

+ - Microsoft Teams

+# Search the audit log for events in Microsoft Teams

+> [!IMPORTANT]

+> [!INCLUDE [new-teams-sfb-admin-center-notice](../includes/new-teams-sfb-admin-center-notice.md)]

+The audit log can help you investigate specific activities across Microsoft 365 services. For Microsoft Teams, here are some of the activities that are audited:

+- Team creation

+- Team deletion

+- Added channel

+- Deleted channel

+- Changed channel setting

+For a complete list of Teams activities that are audited, see [Teams activities](#teams-activities) and [Shifts in Teams activities](#shifts-in-teams-activities).

+> [!NOTE]

+> Audit events from private channels are also logged as they are for teams and standard channels.

+## Turn on auditing in Teams

+Before you can look at audit data, you have to first turn on auditing in the Microsoft Purview compliance portal. For more information, see [Turn auditing on or off](turn-audit-log-search-on-or-off.md).

+> [!IMPORTANT]

+> Audit data is only available from the point at which you turned on auditing.

+## Retrieve Teams data from the audit log

+1. To retrieve audit logs for Teams activities, go to <https://compliance.microsoft.com> and select **Audit**.

+2. On the **Search** page, filter the activities, dates, and users you want to audit.

+3. Export your results to Excel for further analysis.

+For step-by-step instructions, see [Search the audit log in the compliance portal](search-the-audit-log-in-security-and-compliance.md#search-the-audit-log).

+> [!IMPORTANT]

+> Audit data is only visible in the audit log if auditing is turned on.

+The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 or Office 365 subscription, and specifically the type of license that's assigned to users. To learn more, see the [Security & Compliance Center service description](/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center).

+## Tips for searching the audit log

+Here are tips for searching for Teams activities in the audit log.

+

+- You can select specific activities to search for by clicking the checkbox next to one or more activities. If an activity is selected, you can select it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.

+ 

+- To display events for activities run using cmdlets, select **Show results for all activities** in the **Activities** list. If you know the name of the operation for these activities, type it in the search box to display the activity, and then select it.

+- To clear the current search criteria, select **Clear all**. The date range returns to the default of the last seven days.

+- If 5,000 results are found, you can probably assume that there are more than 5,000 events that met the search criteria. You can refine the search criteria and rerun the search to return fewer results, or you can export all the search results by selecting **Export** > **Download all results**. For step-by-step instructions to export audit logs, see [Export the search results to a file](search-the-audit-log-in-security-and-compliance.md#step-3-export-the-search-results-to-a-file).

+Check out [this video](https://www.youtube.com/embed/UBxaRySAxyE) for using audio log search. Join Ansuman Acharya, a program manager for Teams, as he demonstrates how to do an audit log search for Teams.

+## Teams activities

+Here's a list of all events that are logged for user and admin activities in Teams in the Microsoft 365 audit log. The table includes the friendly name that's displayed in the **Activities** column and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results.

+|**Friendly name**|**Operation**|**Description**|

+|:-|:|:--|

+|Added bot to team|BotAddedToTeam|A user adds a bot to a team.|

+|Added channel|ChannelAdded|A user adds a channel to a team.|

+|Added connector|ConnectorAdded|A user adds a connector to a channel.|

+|Added details about Teams meeting ²|MeetingDetail|Teams added information about a meeting, including the start time, the end time, and the URL to join the meeting.|

+|Added information about meeting participants ²|MeetingParticipantDetail|Teams added information about the participants of a meeting, including the user ID of each participant, the time a participant joined the meeting, and the time a participant left the meeting.|

+|Added members|MemberAdded|A team owner adds members to a team, channel, or group chat.|

+|Added tab|TabAdded|A user adds a tab to a channel.|

+| Applied sensitivity label | SensitivityLabelApplied | A user or meeting organizer applied a sensitivity label to a Teams meeting. |

+|Changed channel setting|ChannelSettingChanged|The ChannelSettingChanged operation is logged when the following activities are performed by a team member. For each of these activities, a description of the setting that was changed (shown in parentheses is displayed in the **Item** column in the audit log search results. <ul><li>Changes name of a team channel (**Channel name**)</li><li>Changes description of a team channel (**Channel description**)</li> </ul>|

+|Changed organization setting|TeamsTenantSettingChanged|The TeamsTenantSettingChanged operation is logged when the following activities are performed by a global admin in the Microsoft 365 admin center. These activities affect org-wide Teams settings. To learn more, see [Manage Teams settings for your organization](/microsoftteams/enable-features-office-365). <br>For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the **Item** column in the audit log search results.<ul><li>Enables or disables Teams for the organization (**Microsoft Teams**).</li><li>Enables or disables interoperability between Microsoft Teams and Skype for Business for the organization (**Skype for Business interoperability**).</li><li>Enables or disables the organizational chart view in Microsoft Teams clients (**Org chart view**).</li><li>Enables or disables the ability for team members to schedule private meetings (**Private meeting scheduling**).</li><li>Enables or disables the ability for team members to schedule channel meetings (**Channel meeting scheduling**).</li><li>Enables or disables video calling in Teams meetings (**Video for Skype meetings**).</li><li>Enables or disables screen sharing in Microsoft Teams meetups for the organization (**Screen sharing for Skype meetings**).</li><li>Enables or disables that ability to add animated images (called Giphys) to Teams conversations (**Animated images**).</li><li>Changes the content rating setting for the organization (**Content rating**). The content rating restricts the type of animated image that can be displayed in conversations.</li><li>Enables or disables the ability for team members to add customizable images (called custom memes) from the internet to team conversations (**Customizable images from the Internet**).</li><li>Enables or disables the ability for team members to add editable images (called stickers) to team conversations (**Editable images**).</li><li>Enables or disables that ability for team members to use bots in Microsoft Teams chats and channels (**Org-wide bots)**.</li><li>Enables specific bots for Microsoft Teams. This doesn't include the T-Bot, which is Teams help bot that's available when bots are enabled for the organization (**Individual bots**).</li><li>Enables or disables the ability for team members to add extensions or tabs (**Extensions or tabs**).</li><li>Enables or disables the side-loading of proprietary bots for Microsoft Teams (**Side loading of Bots**).</li><li>Enables or disables the ability for users to send email messages to a Microsoft Teams channel (**Channel email**).</li></ul>|

+|Changed role of members in team|MemberRoleChanged|A team owner changes the role of members in a team. The following values indicate the role type assigned to the user. <br><br>**1** - Indicates the Member role.<br>**2** - Indicates the Owner role.<br>**3** - Indicates the Guest role.<br><br>The Members property also includes the name of your organization and the member's email address.|

+|Changed team setting|TeamSettingChanged|The TeamSettingChanged operation is logged when the following activities are performed by a team owner. For each of these activities, a description of the setting that was changed (shown in parentheses) is displayed in the **Item** column in the audit log search results.<ul><li>Changes the access type for a team. Teams can be set as private or public (**Team access type**). When a team is private (the default setting), users can access the team only by invitation. When a team is public, it's discoverable by anyone.</li><li>Changes the information classification of a team (**Team classification**). For example, team data can be classified as high business impact, medium business impact, or low business impact.</li><li>Changes the name of a team (**Team name**).</li><li>Changes the team description (**Team description**).</li><li>Changes made to team settings. To access these settings, a team owner can right-click a team, select **Manage team**, and then select the **Settings** tab. For these activities, the name of the setting that was changed is displayed in the **Item** column in the audit log search results.</li></ul>|

+| Changed sensitivity label | SensitivityLabelChanged | A user changed a sensitivity label on a Teams meeting. |

+|Created a chat ^1, ²|ChatCreated|A Teams chat was created.|

+|Created team|TeamCreated|A user creates a team.|

+|Deleted a message|MessageDeleted|A message in a chat or channel was deleted.|

+|Deleted all organization apps|DeletedAllOrganizationApps|Deleted all organization apps from the catalog.|

+|Deleted app|AppDeletedFromCatalog|An app has been deleted from the catalog.|

+|Deleted channel|ChannelDeleted|A user deletes a channel from a team.|

+|Deleted team|TeamDeleted|A team owner deletes a team.|

+|Edited a message with a URL link in Teams|MessageEditedHasLink|A user edits a message and adds a URL link to it in Teams.|

+|Exported messages ^1, ²|MessagesExported|Chat or channel messages were exported.|

+|Failed to validate invitation to shared channel ³|FailedValidation|A user responds to an invitation to a shared channel but the invitation failed validation.|

+|Fetched chat ^1, ²|ChatRetrieved|A Microsoft Teams chat was retrieved.|

+|Fetched all hosted content of a message^1, ²|MessageHostedContentsListed|All hosted content in a message, such as images or code snippets, was retrieved.|

+|Installed app|AppInstalled|An app was installed.|

+|Performed action on card|PerformedCardAction|A user took action on an adaptive card within a chat. Adaptive cards are typically used by bots to allow the rich display of information and interaction in chats. <br/><br/>**Note:** Only inline input actions on an adaptive card inside a chat will be available in the audit log. For example, when a user submits a poll response in a channel conversation on an adaptive card generated by a Poll bot. User actions such as "View result", which will open a dialog, or user actions inside dialogs won't be available in the audit log.|

+|Posted a new message ^1, ²|MessageSent|A new message was posted to a chat or channel.|

+|Published app|AppPublishedToCatalog|An app was added to the catalog.|

+|Read a message ^1, ²|MessageRead|A message of a chat or channel was retrieved.|

+|Read hosted content of a message ^1, ²|MessageHostedContentRead|Hosted content in a message, such as an image or a code snippet, was retrieved.|

+|Removed bot from team|BotRemovedFromTeam|A user removes a bot from a team.|

+|Removed connector|ConnectorRemoved|A user removes a connector from a channel.|

+|Removed members|MemberRemoved|A team owner removes members from a team, channel, or group chat.|

+| Removed sensitivity label | SensitivityLabelRemoved | A user removed a sensitivity label from a Teams meeting. |

+|Removed sharing of team channel ³|TerminatedSharing|A team or channel owner disabled sharing for a shared channel.|

+|Restored sharing of team channel ³|SharingRestored|A team or channel owner re-enabled sharing for a shared channel.|

+|Removed tab|TabRemoved|A user removes a tab from a channel.|

+|Responded to invitation for shared channel ³|InviteeResponded|A user responded to a shared channel invitation.|

+|Responded to invitee response to shared channel ³|ChannelOwnerResponded|A channel owner responded to a response from a user who responded to a shared channel invitation.|

+|Retrieved messages ^1, ²|MessagesListed|Messages from a chat or channel were retrieved.|

+|Sent a message with a URL link in Teams|MessageCreatedHasLink|A user sends a message containing a URL link in Teams.|

+|Sent change notification for message creation ^1, ²|MessageCreatedNotification|A change notification was sent to notify a subscribed listener application of a new message.|

+|Sent change notification for message deletion ^1, ²|MessageDeletedNotification|A change notification was sent to notify a subscribed listener application of a deleted message.|

+|Sent change notification for message update ^1, ²|MessageUpdatedNotification|A change notification was sent to notify a subscribed listener application of an updated message.|

+|Sent invitation for shared channel ³|InviteSent|A channel owner or member sends an invitation to a shared channel. Invitations to shared channels can be sent to people outside of your organization if the channel policy is configured to share the channel with external users.|

+|Subscribed to message change notifications ^1, ²|SubscribedToMessages|A subscription was created by a listener application to receive change notifications for messages.|

+|Uninstalled app|AppUninstalled|An app was uninstalled.|

+|Updated app|AppUpdatedInCatalog|An app was updated in the catalog.|

+|Updated a chat ^1, ²|ChatUpdated|A Teams chat was updated.|

+|Updated a message ^1, ²|MessageUpdated|A message of a chat or channel was updated.|

+|Updated connector|ConnectorUpdated|A user modified a connector in a channel.|

+|Updated tab|TabUpdated|A user modified a tab in a channel.|

+|Upgraded app|AppUpgraded|An app was upgraded to its latest version in the catalog.|

+|User signed in to Teams|TeamsSessionStarted|A user signs in to a Microsoft Teams client. This event doesn't capture token refresh activities.|

+|Posted New Message ^3, ⁴|MessageSent|A new message was posted to a chat or a channel. This event is a premium feature with licensing details to be defined.|

+> [!NOTE]

+> ¹ An audit record for this event is only logged when the operation is performed by calling a Microsoft Graph API. If the operation is performed in the Teams client, an audit record will not be logged<br/>² This event is only available in Audit (Premium). That means users must be assigned the appropriate license before these events are logged in the audit log. For more information about activities only available in Audit (Premium), see [Audit (Premium) in Microsoft Purview](advanced-audit.md#advanced-audit-events). For Audit (Premium) licensing requirements, see [Auditing solutions in Microsoft 365](auditing-solutions-overview.md#licensing-requirements). <br/> ³ This event is in public preview. <br/> ⁴This event is generated for chat only if there are guests, federated and/or anonymous users.

+## Shifts in Teams activities

+**(in preview)**

+If your organization is using the Shifts app in Teams, you can search the audit log for activities related to the Shifts app. Here's a list of all events that are logged for Shifts activities in Teams in the Microsoft 365 audit log.

+|Friendly name|Operation|Description|

+||||

+|Added scheduling group|ScheduleGroupAdded|A user successfully adds a new scheduling group to the schedule.|

+|Edited scheduling group|ScheduleGroupEdited|A user successfully edits a scheduling group.|

+|Deleted scheduling group|ScheduleGroupDeleted|A user successfully deletes a scheduling group from the schedule.|

+|Withdrew schedule|ScheduleWithdrawn|A user successfully withdraws a published schedule.|

+|Added shift|ShiftAdded|A user successfully adds a shift.|

+|Edited shift|ShiftEdited|A user successfully edits a shift.|

+|Deleted shift|ShiftDeleted|A user successfully deletes a shift.|

+|Added time off|TimeOffAdded|A user successfully adds time off on the schedule.|

+|Edited time off|TimeOffEdited|A user successfully edits time off.|

+|Deleted time off|TimeOffDeleted|A user successfully deletes time off.|

+|Added open shift|OpenShiftAdded|A user successfully adds an open shift to a scheduling group.|

+|Edited open shift|OpenShiftEdited|A user successfully edits an open shift in a scheduling group.|

+|Deleted open shift|OpenShiftDeleted|A user successfully deletes an open shift from a scheduling group.|

+|Shared schedule|ScheduleShared|A user successfully shared a team schedule for a date range.|

+|Clocked in using Time clock|ClockedIn|A user successfully clocks in using Time clock.|

+|Clocked out using Time clock|ClockedOut|A user successfully clocks out using Time clock.|

+|Started break using Time clock|BreakStarted|A user successfully starts a break during an active Time clock session.|

+|Ended break using Time clock|BreakEnded|A user successfully ends a break during an active Time clock session.|

+|Added Time clock entry|TimeClockEntryAdded|A user successfully adds a new manual Time clock entry on Time Sheet.|

+|Edited Time clock entry|TimeClockEntryEdited|A user successfully edits a Time clock entry on Time Sheet.|

+|Deleted Time clock entry|TimeClockEntryDeleted|A user successfully deletes a Time clock entry on Time Sheet.|

+|Added shift request|RequestAdded|A user added a shift request.|

+|Responded to shift request|RequestRespondedTo|A user responded to a shift request.|

+|Canceled shift request|RequestCancelled|A user canceled a shift request.|

+|Changed schedule setting|ScheduleSettingChanged|A user changes a setting in Shifts settings.|

+|Added workforce integration|WorkforceIntegrationAdded|The Shifts app is integrated with a third-party system.|

+|Accepted off shift message|OffShiftDialogAccepted|A user acknowledges the off-shift message to access Teams after shift hours.|

+## Updates app in Teams activities

+If your organization is using the Updates app in Teams, you can search the audit log for activities related to the Updates app. Here's a list of all events that are logged for Updates app activities in Teams in the Microsoft 365 audit log.

+|Friendly name|Operation|Description|

+||||

+|Create an update request|CreateUpdateRequest|A user successfully creates an update request.|

+|Edit an update request|EditUpdateRequest|A user opens the request editing wizard and selects **Save** to confirm and save any changes, or enables or disables the update request directly.|

+|Submit an update|SubmitUpdate|A user successfully submits an update.|

+|View the details of one update|ViewUpdate|A user views the details of the update.|

+## Office 365 Management Activity API

+You can use the Office 365 Management Activity API to retrieve information about Teams events. To learn more about the Management Activity API schema for Teams, see [Teams schema](/office/office-365-management-api/office-365-management-activity-api-schema#microsoft-teams-schema).

+## Attribution in Teams audit logs

+Membership changes to Teams (such as users added or deleted) made through Azure Active Directory (Azure AD), Microsoft 365 admin portal, or Microsoft 365 Groups Graph API will appear in Teams audit messages and in the General channel with an attribution to an existing owner of the team, and not to the actual initiator of the action. In these scenarios, consult Azure AD or [Microsoft 365 Group audit logs](search-the-audit-log-in-security-and-compliance.md) to see the relevant information.

+## Use Defender for Cloud Apps to set activity policies

+Using [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) integration, you can set [activity policies](/cloud-app-security/user-activity-policies) to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of one certain type of activity.

+After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy. Here's some example scenarios for how you can use activity policies in Defender for Cloud Apps to monitor Teams activities.

+### External user scenario

+One scenario you might want to keep an eye on, from a business perspective, is the addition of external users to your Teams environment. If external users are enabled, monitoring their presence is a good idea. You can use [Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) to identify potential threats.

+

+The screenshot of this policy to monitor adding external users allows you to name the policy, set the severity according to your business needs, set it as (in this case) a single activity, and then establish the parameters that will specifically monitor only the addition of non-internal users, and limit this activity to Teams.

+The results from this policy can be viewed in the activity log:

+

+Here you can review matches to the policy you've set, and make any adjustments as needed, or export the results to use elsewhere.

+### Mass delete scenario

+As mentioned earlier, you can monitor deletion scenarios. It's possible to create a policy that would monitor mass deletion of Teams sites. In this example, an alert-based policy is set up to detect mass deletion of teams in a span of 30 minutes.

+

+As the screenshot shows, you can set many different parameters for this policy to monitor Teams deletions, including severity, single or repeated action, and parameters limiting this to Teams and site deletion. This can be done independently of a template, or you may have a template created to base this policy on, depending on your organizational needs.

+After you establish a policy that works for your business, you can review the results in the activity log as events are triggered:

+

+You can filter down to the policy you've set to see the results of that policy. If the results you're getting in the activity log aren't satisfactory (maybe you're seeing lots of results, or nothing at all), this may help you to fine-tune the query to make it more relevant to what you need it to do.

+### Alert and governance scenario

+You can set alerts and send emails to admins and other users when an activity policy is triggered. You can set automated governance actions such as suspending a user or making a user to sign in again in an automated way. This example shows how a user account can be suspended when an activity policy is triggered and determines a user deleted two or more teams in 30 minutes.

+

+## Use Defender for Cloud Apps to set anomaly detection policies

+[Anomaly detection policies](/cloud-app-security/anomaly-detection-policy) in Defender for Cloud Apps provide out-of-the-box user and entity behavioral analytics (UEBA) and machine learning (ML) so that you can immediately run advanced threat detection across your cloud environment. Because they're automatically enabled, the new anomaly detection policies provide immediate results by providing immediate detections, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. Additionally, the new policies expose more data from the Defender for Cloud Apps detection engine, to help you speed up the investigation process and contain ongoing threats.

+We're working to integrate Teams events into anomaly detection policies. For now, you can set up anomaly detection policies for other Office products and take action items on users who match those policies.

+## Related articles

+- [Search the audit log in the Microsoft Purview compliance portal](search-the-audit-log-in-security-and-compliance.md)

+- Switzerland - Federal Act on Data Protection (FADP)

+- Turkey - Information and Communication Security Guide

+1. OPTIONAL: Adjust the requirements for each confidence level and then choose **Next**. For more information, see [Partial matching](#partial-matching) and [Exact matching](#exact-matching).

+ Title: Use Content Search in Microsoft Teams

+description: Learn about using Content search in the Microsoft Purview compliance portal to search for Microsoft Teams content that's stored in Exchange Online, SharePoint Online, OneDrive for Business, and OneNote.

+audience: admin

+- tier1

+- purview-compliance

+- M365-collaboration

+- content-search

+search.appverid: MET150

+f1.keywords:

+ - NOCSH

+appliesto:

+ - Microsoft Teams

+# Use Content search in Microsoft Teams

+> [!NOTE]

+> Content search of messages and files in [private channels](/microsoftteams/private-channels) work differently than in standard channels. To learn more, see [Content search of private channels](#content-search-of-private-channels).

+Content search provides a way to query Microsoft Teams information spanning Exchange, SharePoint Online, and OneDrive for Business.

+To learn more, see [Content search in Microsoft 365](ediscovery-content-search.md).

+For example, using **Content search** against your Manufacturing Specs mailbox and Manufacturing Specs SharePoint site, you can search against Teams standard channel conversations from Exchange, file uploads and modifications from SharePoint Online, and OneNote changes.

+You can also add query criteria to the **Content Search** to narrow the results returned. In the above example, you can look for content where the keywords "**New Factory Specs"** were used.

+> [!TIP]

+> After adding search conditions, you can export a report or the actual content to your computer for analysis.

+## Content search of private channels

+Records for messages sent in a private channel are delivered to the mailbox of all private channel members, rather than to a group mailbox. The titles of the records are formatted to indicate which private channel they were sent from.

+Because each private channel has its own SharePoint site collection that's separate from the parent team site, files in a private channel are managed independently of the parent team.

+Teams doesn't support content search of a single channel, so the whole team must be searched. To perform a content search of a private channel, search across the team, the site collection associated with the private channel (to include files), and mailboxes of private channel members (to include messages).

+Use the following steps to identify files and messages in a private channel to include in your content search.

+### Include private channel files in a content search

+Before you perform these steps, install the [SharePoint Online Management Shell and connect to SharePoint Online](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps).

+1. Run the following to get a list of all SharePoint site collections associated with private channels in the team.

+ ```PowerShell

+ Get-SPOSite

+ ```

+2. Run the following PowerShell script to get a list of all SharePoint site collection URLs associated with private channels in the team and the parent team group ID.

+ ```PowerShell

+ $sites = get-sposite -template "teamchannel#0"

+ foreach ($site in $sites) {$x= get-sposite -identity $site.url -detail; $x.relatedgroupID; $x.url}

+ ```

+3. For each team or group ID, run the following PowerShell script to identify all relevant private channel sites.

+ ```PowerShell

+ $sites = get-sposite -template "teamchannel#0"

+ $groupID = "e8195240-4a70-4830-9106-80193cf717cb"

+ foreach ($site in $sites) {$x= Get-SpoSite -Identity $site.url -Detail; if ($x.RelatedGroupId -eq $groupID) {$x.RelatedGroupId;$x.url}}

+ ```

+### Include private channel messages in a content search

+Before you perform these steps, make sure you have the [latest version of the Teams PowerShell module](/microsoftteams/teams-powershell-overview) installed.

+1. Run the following to get a list of private channels in the team.

+ ```PowerShell

+ Get-TeamChannel -GroupId <GroupID> -MembershipType Private

+ ```

+2. Run the following to get a list of private channel members.

+ ```PowerShell

+ Get-TeamChannelUser -GroupId <GroupID> -DisplayName "Engineering" -Role Member

+ ```

+3. Include the mailboxes of all members from each private channel in the team as part of your content search query.

+## Related topics

+- [eDiscovery cases in the Microsoft Purview compliance portal](/Office365/SecurityCompliance/ediscovery-cases)

+Recorded Teams meetings are stored in the OneDrive for Business account of the user recording the meeting. To learn more, see [eDiscovery (Premium) workflow for content in Microsoft Teams](/microsoft-365/compliance/ediscovery-teams-workflow).

+Not all Teams content is eDiscoverable. The following table shows the Teams content types that you can search for using Microsoft eDiscovery tools:

+|Audio recordings|Audio calls between Teams user and external contacts|

+|Meeting recordings and transcripts (preview)|Transcripts of the meeting audio are extracted and provided as a separate file. Maximum supported recorded meeting .mp4 file size is 350 MB. If the recorded meeting file size is above 350 MB, a processing error occurs and the file is available for download.|

+Card content generated by apps in Teams channels, 1:1 chats, and 1xN chats are stored in mailboxes and can be searched. A *card* is a UI container for short pieces of content. Cards can have multiple properties and attachments, and can include buttons that can trigger card actions. For more information, see [Cards](/microsoftteams/platform/task-modules-and-cards/what-are-cards)

+ Title: Place a Microsoft Teams user or team on legal hold

+description: "Learn to place a Microsoft Teams user or team on legal hold using the Microsoft Purview compliance portal and learn what needs a legal hold based on data requirements."

+audience: admin

+- tier1

+- purview-compliance

+- M365-collaboration

+- ediscovery

+search.appverid: MET150

+f1.keywords:

+- NOCSH

+appliesto:

+ - Microsoft Teams

+# Place a Microsoft Teams user or team on legal hold

+When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including Teams chat messages that are relevant to the case. Organizations may need to preserve all messages related to a specific investigation or for a specific person. This article will discuss using a legal hold to preserve content in Microsoft Teams. To preserve content in other services in Microsoft 365, see [Create an eDiscovery hold](ediscovery-create-holds.md).

+> [!NOTE]

+> Private channel chats are stored in user mailboxes, while standard channel chats are stored in the mailbox associated with the parent team. If there is already a legal hold in place for a user mailbox, the hold policy will now automatically apply to private channel messages stored in that mailbox. There is no further action needed for an admin to turn this on. Legal hold of files shared in private channels is also supported.

+Within Microsoft Teams, an entire team or select users can be put on legal hold. Doing that will make sure that all messages that were exchanged in those teams (including private and shared channels) or messages exchanged by those individuals are discoverable by the organization's compliance managers or Teams Admins.

+> [!NOTE]

+> Placing a user on hold does not automatically place a group on hold or vice-versa.

+> Notifications sent in activity feeds can't be placed on hold.

+To put a user or a team on legal hold in a eDiscovery (Standard) case:

+1. Go to the [Microsoft Purview compliance portal](https://compliance.microsoft.com). When you create a new case, you're presented with the option to place mailboxes or sites on hold.

+2. Go to **eDiscovery** > **Standard** and create a case by selecting **Create a case**. After the case is created, open it.

+ > [!NOTE]

+ > You can also place a user on a hold that's associated with an eDiscovery (Premium) case. For more information, see [Manage holds in eDiscovery (Premium)](ediscovery-managing-holds.md).

+3. Go to the **Hold** tab on the top menu and select **Create** to create a hold. Placing a user or a team on hold preserves all the messages exchanged by those users. When you create a new case, you're presented with the option to place mailboxes or sites on hold.

+4. **Name your hold**. Select a descriptive and unique name for the hold you're going to create.

+5. **Choose locations**. Choose whether you want the hold to be applied on a user or on an entire team (a hold can't be applied on individual channels for now). If a user is on hold, all their messages are preserved, including messages in 1:1 chats, group chats, and private channels. Messages in standard and shared channels are preserved when the parent team is placed on hold.

+6. **Query**. You can customize the hold if you want more granularity in the hold policy. For example, you can specify keywords to look for, or you can add more conditions that would need to be satisfied for the hold to take effect.

+7. **Review your settings** before creating the hold.

+After the hold is created, you can search the content retained by the hold policy. For more information, see [Conduct an eDiscovery investigation in Teams](ediscovery-teams-investigation.md).

+> [!IMPORTANT]

+> When a user or group is placed on hold, all compliance copies of messages are preserved. For example, if a user posts a message in a channel and then modifies the message, both copies of the message are preserved. Without the hold, only the latest message is preserved.

+## Content locations to place on hold to preserve Teams content

+As a helpful guide, use the following table to understand what content locations (such as a mailbox or a site) to place on hold to preserve different types of Teams content.

+|Scenario |Content location |

+|||

+|Chat messages for a user (for example, 1:1 chats, 1:N group chats, and private channel conversations) |User mailbox |

+|Chat messages in standard and shared channels |Mailbox associated with the parent team |

+|Files in standard channels (for example, Wiki content and files) |SharePoint site associated with the parent team |

+|Files in private and shared channels |Dedicated SharePoint site associated with the channel

+|User's private content |The user's OneDrive for Business account |

+|Card content in chats|User mailbox for 1:1 chats, 1:N group chats, and private channel conversations; the parent team mailbox for card content in standard and shared channel messages. For more information, see the "Preserve card content" section in [Create an eDiscovery hold](ediscovery-create-holds.md#preserve-card-content).|

+|||

+> [!NOTE]

+> To retain message content in private channels, you need to put the user mailboxes (of the members of a private channel) on hold. and when using eDiscovery tool to search private channel messages, you have to search the user's mailbox. As was stated earlier, private channel chats are stored in user mailboxes, not in the group mailbox associated with the parent team.

+ Title: "eDiscovery (Premium) workflow for content in Microsoft Teams"

+There are seven categories of Teams content that you can collect and process using eDiscovery (Premium):

+- **Teams meetings (preview)**. Audio and transcripts from recorded Teams meetings.

+The following table lists Teams content type and where each is stored for compliance purposes. The data stored in Exchange online is hidden from clients. eDiscovery never operates against the real Teams message data, which remains in Azure Cosmos DB.

+|**Teams category**|**Location of chat messages/posts**|**Location of files/attachments**|**Location of meeting recordings**|

+|:|:|:|:|

+|Teams 1:1 chats|Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file.| N/A |

+|Teams group chats|Messages in group chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file.| N/A |

+|Teams reactions|Messages in group chats are stored in the Exchange Online mailbox of all chat participants.|Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file.| N/A |

+|Teams channels|All channel messages and posts are stored in the Exchange Online mailbox associated with the team.|Files shared in a channel are stored in the SharePoint Online site associated with the team.| N/A |

+|Teams meetings (preview)| Chats in recorded meetings are stored in the OneDrive for Business account for the user recording the Teams meeting. | Files and attachments shared in recorded meetings are stored in the OneDrive for Business account for the user recording the Teams meeting. | Meeting recordings are stored in the OneDrive for Business account for the user recording the Teams meeting. |

+|Private channels|Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel.| N/A |

+|Shared channels|Messages sent in a shared channel are stored in a system mailbox associated with the shared channel.¹|Files shared in a shared channel are stored in a dedicated SharePoint Online site associated with the shared channel.| N/A |

+The first step to managing Teams content in eDiscovery (Premium) is to create a case using the [new case format](/microsoft-365/compliance/ediscovery-new-case-format) that's optimized for managing Teams content. The new case format helps accommodate significant increases in case size, both for total data volume and the total number of items in cases.

+For step-by-step guidance on how to create a case, see [Create and manage an eDiscovery (Premium) case](/microsoft-365/compliance/ediscovery-create-and-manage-cases#create-a-case).

+1. Go to the eDiscovery (Premium) case that you created in the previous section, and then select **Data sources**.

+2. On the **Data sources** page, select **Add data source** > **Add new custodians**.

+5. Follow these guidelines to add custodial data sources for Teams content. Select **Edit** to add a data location.

+ - **OneDrives**. The custodian's OneDrive account is selected by default. Keep this selected to add (and preserve) files shared in 1:1 chats, group chats, and Teams meetings as custodial data.

+ - **SharePoint**. Add the SharePoint site associated with any private or shared channel the custodian is a member of to add (and preserve) as custodial data the files shared in a channel. Select **Edit** and then add the URL for the SharePoint site associated with a private or shared channel. To learn how to locate the private and shared channels a user is a member of, see [eDiscovery of private and shared channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-and-shared-channels).

+ - **Teams**. Add the teams that the custodian is a member of to add (and preserve) as custodial data all channel messages and all files shared to a Teams channel. This recommendation includes adding the mailbox for the parent team of a shared channel the custodian is a member of. When you select **Edit**, the mailbox and site associated with each team the custodian is a member of are displayed in a list. Select the teams that you want to associate to the custodian. You have to select both the corresponding mailbox and site for each team.

+6. After you add custodians and configure the custodial data sources, select **Next** to display the **Hold settings** page. A list of the custodians is displayed and the checkbox in the **Hold** column is selected by default. This checkbox indicates that a hold will be placed on the data sources that you associated with each custodian. Leave these checkboxes selected to preserve this data.

+7. On the **Hold settings** page, select **Next** to review the custodians settings. Select **Submit** to add the custodians to the case.

+For more information about adding and preserving data sources in eDiscovery (Premium) cases, see:

+1. **Create a collection estimate**. The first step is to create a *collection estimate*, which is an estimate of the items that match your search criteria. You can view information about the results that matched the search query, such as the total number and size of items found, the different data sources where they were found, and statistics about the search query. You can also preview a sample of items returned by the collection. Using these statistics, you can change the search query and rerun the collection estimate as many times as is necessary to narrow the results until you're satisfied you're collecting the content relevant to your case.

+1. Go to the eDiscovery (Premium) case that you added the custodians to in the previous section, and then select **Collections**.

+2. On the **Collections** page, select **New collection**.

+3. On the **Name and description** page, enter a name (required) and description (optional) for the collection. Select **Next**.

+4. On the **Custodial data sources** page, select **Select custodians** to select the custodians that you added to the case. The list of the case custodians is displayed on the **Select custodians** flyout page.

+5. Select one or more custodians and then select **Add**. After you add specific custodians to the collection, a list of specific data sources for each custodian is displayed. These data sources are the ones that you configured when you added the custodian to the case. All custodian data sources are selected by default. This includes any Teams or channels that you associated with a custodian.

+6. If you previously followed the steps to add Teams content as custodian data sources, you can skip this step and select **Next**. Otherwise, on the **Non-custodial data sources** page, you can choose non-custodial data sources that contain Teams content that you may have added to the case to search in the collection.

+7. If you previously followed the steps to add Teams content as custodian data sources, you can skip this step and select **Next**. Otherwise, on the **Additional locations** page, you can add other data sources to search in the collection. For example, you could add the mailbox and site for a team that wasn't added as a custodial or non-custodial data source. You can also select the **Shared Teams channels** option to include shared channels during tenant-wide searches. Otherwise, select **Next** and skip this step.

+8. On the **Conditions** page, configure the search query to collect Teams content from the data sources that you specified on the previous pages. You can use various keywords and search conditions to narrow the scope of the collection. For more information, see [Build search queries for collections](ediscovery-building-search-queries.md).

+ - To help ensure the most comprehensive collection of Teams chat conversations (including 1:1, group, and channel chats) use the **Type** filter condition and select the **Instant messages** option.

+ - To help ensure you add recorded Teams meeting information to the collection, use the **File type** filter condition and include *.mp4* as contained value.

+ - We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your investigation.

+9. On the **Review your collection** page, review the collection settings and select **Submit** to create a collection estimate or **Save and close** to save the collection settings to complete later.

+When the process of adding the collection to the review set is completed, the **Status** value for the collection on the **Collections** tab is set to **Estimated**.

+## Commit a collection estimate to a review set

+When you're satisfied with the items you've collected in a collection estimate and are ready to analyze, tag, and review them, you can commit a collection to a review set in the case.

+For step-by-step guidance on how to commit a collection, see [Commit a collection estimate to a review set in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-commit-draft-collection).

+After you add collections of Teams content to a review set, the next step is to review the content for its relevance to your investigation and cull it if necessary. An important prerequisite to reviewing Teams content is understanding how eDiscovery (Premium) processes Teams meeting, chat conversations, and attachments when adding them to a review set. This processing of Teams content results in the following three things:

+- **[Conversation transcript threading](#conversation-transcript-threading)**. How eDiscovery (Premium) determines what additional content from a conversation to collect to provide context around items that matched the collection criteria.

+The following table describes how the different types of Teams content are grouped by family and conversation.

+|**Teams content type**|**Group by family**|**Group by conversation**|

+|:|:|:|

+|Teams meetings (preview)| Each meeting |

+### Viewing recorded meeting transcripts (preview)

+The transcript of audio of the recorded meeting is captured as a separate file and indexed automatically for search. Recorded meetings in a review set are stored as a .zip file that contains the following files:

+- The transcript of the meeting audio in .txt format

+- The video recording of the meeting in .mp4 format

+- The thumbnail image of the meeting in .jpg format

+- Meeting metadata and meeting chapters (as applicable) in .json format

+To view meeting audio transcript files in a review set, you'll select the meeting and the **Transcript** viewer on the meeting details pane. The following screenshots show an example of a meeting in the Teams client and the meeting transcript file of the same meeting in the review set.

+#### Meeting in Teams client

+

+#### Meeting transcript file in review set

+

+#### Viewing conversation transcript files

+

+

+### Conversation transcript threading

+|**Teams content type**|**Queries with search parameters**|**Queries with date ranges**|

+|:|:|:|

+|**Metadata property**|**Description**|

+|:--|:--|

+- Use the **Customize columns** control in the command bar to add and organize columns to optimize the review of Teams content. You can add and remove columns that are useful for Teams content. You can also sequence the order of columns by dragging and dropping them in the **Edit column** flyout page. You can also sort on columns to group Teams content with similar values for the column you sort on.

+You can use eDiscovery (Premium) and the Microsoft Graph Explorer to respond to data spillage incidents, when content containing confidential or malicious information is released through Teams chat messages. Admins in your organization can search for and delete chat messages in Microsoft Teams. This feature can help you remove sensitive information or inappropriate content in Teams chat messages. For more information, see [Search and purge chat messages in Teams](ediscovery-search-and-delete-teams-chat-messages.md).

+|**SharePoint sites** - applies to: <br/> - SharePoint sites ^\* <br/> - OneDrive accounts |Site URL <br/>Site name <br/> SharePoint custom properties: RefinableString00 - RefinableString99 |

+^\* Currently, [shared channel SharePoint sites](/microsoftteams/shared-channels#shared-channel-sharepoint-sites) aren't supported for adaptive scopes.

+> For communication compliance policies:

+> - SharePoint sites and OneDrive accounts aren't supported.

+> - Excluded users and Microsoft 365 groups are supported.

+<a name="confirm-scope-membership"></a>To confirm the current membership and membership changes for an adaptive scope:

+Starting with **version 2302** for Current Channel and Semi-Annual Enterprise Channel, but **version 2303** for Monthly Enterprise Channel, the AIP add-in is disabled by default. For these versions, there's nothing for you to configure for users to benefit from built-in labels. If you need to use the AIP add-in rather than built-in labeling, you must [configure a new setting to override the default](#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in).

+> If youΓÇÖve previously used the AIP add-in as the default labeling client in Office apps and use Office versions later than the ones listed, by default, the AIP add-in is automatically disabled and replaced by built-in labeling.

+For Office apps older than version 2302 (Current Channel and Semi-Annual Enterprise Channel) or version 2303 (Monthly Enterprise Channel), to prevent the AIP add-in from loading in Office apps, use the Group Policy setting **List of managed add-ins** as documented in [No Add-ins loaded due to group policy settings for Office 2013 and Office 2016 programs](https://support.microsoft.com/help/2733070/no-add-ins-loaded-due-to-group-policy-settings-for-office-2013-and-off).

+Starting with version 2302 (Current Channel and Semi-Annual Enterprise Channel) and version 2303 (Monthly Enterprise Channel) of the Office apps, the AIP add-in is disabled by default. To enable it, you must configure a new Office setting under **User Configuration/Administrative Templates/Microsoft Office 2016/Security Settings**:

+For additional information, see the Tech Community blog post, [Microsoft Purview Information Protection in M365 Apps - January 2023](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-information-protection-in-m365-apps-january/ba-p/3721547).

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling Out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling Out to 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |In preview (4.2313+) |Under review |

+|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) ^\* |Under review |In preview (4.2313+) |Under review |

+- **Change of version for AIP add-in disabled by default**: For the Monthly Enterprise Channel only, the AIP add-in for Office apps is disabled by default in version 2303. For the Current Channel and Semi-Annual Enterprise Channel, the AIP add-in is still disabled by default in version 2302.

+All advanced deployment guides are available in the Microsoft 365 admin center as described in the section below, and most guides can also be found in the [Microsoft 365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2220880).

+Advanced deployment guides are accessible from the [Advanced deployment guides & assistance](https://go.microsoft.com/fwlink/?linkid=2224913) page in the Microsoft 365 admin center. When you access advanced deployment guides from the admin center, you can keep track of the status of your progress and return at any time to complete a guide. This functionality is not available when you access guides from the [Microsoft 365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2220880).

+|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** |

+|Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880) |Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913) |Description |

+| | [Configure multi-factor authentication (MFA) guide](https://go.microsoft.com/fwlink/?linkid=2224780) | The **Configure multi-factor authentication (MFA) guide** provides customers with Azure AD Premium P1 or Azure AD Premium P2 customizable Conditional Access templates that include the most common and least intrusive security standards. When Azure AD Premium licensing isnΓÇÖt available, we provide a one-click solution to enable Security Defaults, a baseline protection policy for all users, or we provide steps to enable legacy (per-user) MFA. |

+| | [Plan your passwordless deployment guide](https://go.microsoft.com/fwlink/?linkid=2224194) | Use the **Plan your passwordless deployment guide** to discover the best passwordless authentication methods to use and receive guidance on how to upgrade to an alternative sign-in approach that allows users to access their devices securely with one of the following passwordless authentication methods:<ul><li>Windows Hello for Business</li><li>The Microsoft Authenticator app</li><li>Security keys</li><li>Temporary Access Pass</li></ul>|

+||[Secure your cloud apps with Single Sign on (SSO) guide](https://go.microsoft.com/fwlink/?linkid=2224689)|This guide is designed to help you add cloud apps to Microsoft 365. In our guide, you can add an application to your tenant, add users to the app, assign roles, and more. If the app supports single sign-on (SSO), weΓÇÖll walk you through that configuration. |

+|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** |

+|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** |

+|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** |

+Now that you have Microsoft 365 set up, you can start to add users, organize them into groups, and assign licenses. Much of this information is also in the [downloadable technical planning guide](https://go.microsoft.com/fwlink/?linkid=2211637).

+The Microsoft Teams admin center is gradually replacing the Skype for Business admin center, and we're migrating Teams settings to it from the Microsoft 365 admin center. If a setting has been migrated, you'll see a notification and then be directed to the setting's location in the Teams admin center. For more information, see [Manage Teams during the transition to the Teams admin center](/microsoftteams/manage-teams-skypeforbusiness-admin-center).

+ :::image type="content" source="" alt-text="Configure windows defender smart screen Edge" lightbox="images/":::

+| Microsoft Defender for Endpoint Security Configuration Management||||

+

+

+**Known issues**

+- With mdatp version 101.98.30 you might see a health false issue in some of the cases, because SELinux rules are not defined for certain scenarios. The health warning could look something like this:

+*found SELinux denials within last one day. If the MDATP is recently installed, please clear the existing audit logs or wait for a day for this issue to auto-resolve. Please use command: \"sudo ausearch -i -c 'mdatp_audisp_pl' | grep \"type=AVC\" | grep \" denied\" to find details*

+The issue could be mitigated by running the following commands.

+```

+sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1

+sudo semodule -i my-mdatpaudisppl_v1.pp

+```

+Here my-mdatpaudisppl_v1 represents the policy module name. After running the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs could be archived by running the following command

+```

+sudo service auditd stop

+sudo systemctl stop mdatp

+cd /var/log/audit

+sudo gzip audit.*

+sudo service auditd start

+sudo systemctl start mdatp

+mdatp health

+```

+In case the issue reappears with some different denials. We need to run the mitigation again with a different module name(eg my-mdatpaudisppl_v2).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+**Windows version** </br> | Filter by the Windows versions you're interested in investigating. If ΓÇÿfuture versionΓÇÖ appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name is not yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_)

+This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria are applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:

+> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.

+> To enable the **Allow installation of devices using drivers that match these device setup classes**, **Allow installation of devices that match any of these device IDs**, and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. Also, the allow policy wonΓÇÖt take precedence if the **Block Removable Storage** option is selected in Device Control.

+### March-2023 (Platform: 4.18.2302.x | Engine: 1.1.20200.4)

+- Security intelligence update version: **1.381.61.0**

+- Release date: **April 4, 2023 (Engine) / April 11, 2023 (Platform)**

+- Platform: **4.18.2302.x**

+- Engine: **1.1.20200.4**

+- Support phase: **Security and Critical Updates**

+#### What's new

+- Beginning in April 2023, monthly platform and engine version release information now includes two dates: Engine and Platform

+- Increased file hash support

+#### Known issues

+- None

+

+> [!NOTE]

+> Windows Server 2016 ships with the same Platform version as RS1 and falls under the same support phase: Technical upgrade support (only)

+> Windows Server 2019 ships with the same Platform version as RS5 and falls under the same support phase: Technical upgrade support (only)

+## November-2022 (Platform: 4.18.2211.5 | Engine: 1.1.19900.2)

+- Security intelligence update version: **1.381.144.0**

+- Release date: **December 8, 2022**

+- Platform: **4.18.2211.5**

+- Engine: **1.1.19900.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Enhanced threat protection capabilities

+- Improved [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) capabilities

+- Enhanced enabling of tamper protection for newly onboarded devices

+- Improved reporting for [cloud protection](cloud-protection-microsoft-defender-antivirus.md)

+- Improved [controlled folder access](controlled-folders.md) notifications

+- Improved scanning of network shares

+- Enhanced processing of host files containing a wild card

+- Improved performance for [scan events](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)

+### Known Issues

+- None

+ - If network protection is configured and active on the device, web content filtering (WCF) policies created in the MDEP Portal are respected in browsers, including Chromium Microsoft Edge for macOS. Web content filtering in Microsoft Edge on Mac currently requires network protection; other E5 features, such as Microsoft Defender for Cloud Apps or Custom Indicators, currently also require network protection.

+- Licensing: Microsoft 365 Defender for Endpoint Plan 1 or Microsoft 365 Defender for Endpoint Plan 2 (can be trial)

+Note on licensing: When using Windows Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 E5 Security, or Microsoft 365 E5, or have the VM licensed through Microsoft Defender for Cloud.

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+ Title: About the Microsoft Defender Vulnerability Management trial

+To make the most of your trial, see [Trial user guide: Microsoft Defender Vulnerability Management](/trial-user-guide-defender-vulnerability-management.md)

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+For more information on the features and capabilities that are included in each offering, see [Compare Microsoft Defender Vulnerability Management offerings](defender-vulnerability-management-capabilities.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+There are three entry points from the [Microsoft Defender Vulnerability Management dashboard](tvm-dashboard-insights.md):

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. to Learn more about advanced hunting, see [Advanced hunting overview](../defender-endpoint/advanced-hunting-overview.md).

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+- [Microsoft Defender Vulnerability Management](https://go.microsoft.com/fwlink/?linkid=2229011)

+- [Microsoft Defender for Servers Plan 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)

+> [!TIP]

+> Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to [sign up for a free trial](../defender-vulnerability-management/defender-vulnerability-management-trial.md).

+# Alert classification for malicious exchange connectors

+The playbook helps in investigating instances, where malicious connectors are setup/deployed by malicious actors. Accordingly, they take necessary steps to remediate the attack and mitigate the security risks arising from it. Playbook is available for security teams like security operations center (SOC) and IT administrators, who review, handle/manage, and grade the alerts. Playbook will help in classifying the alerts as either true positive (TP) or false positive (FP). If there is TP, playbook will take necessary recommended actions for remediating the attack.

+## See also

+- [Overview of alert classification](alert-grading-playbooks.md)

+- [Investigate alerts](investigate-alerts.md)

+ Title: Alert classification for password spray attacks

+description: Alert classification guide for password spray attacks coming to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, devices, users, 365, microsoft, m365, password, spray, alert classification, alert grading, cloud apps, password spray, password spray attack

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier2

+search.appverid:

+ - MOE150

+ - met150

+# Alert classification for password spray attacks

+**Applies to:**

+- Microsoft 365 Defender

+Threat actors use innovative ways to compromise their target environments. One type of attack gaining traction is the password spray attack, where attackers aim to access many accounts within a network with minimal effort. Unlike traditional brute force attacks, where threat actors try many passwords on a single account, password spray attacks focus on guessing the correct password for many accounts with a limited set of commonly used passwords. It makes the attack particularly effective against organizations with weak or easily guessable passwords, leading to severe data breaches and financial losses for organizations.

+Attackers use automated tools to repeatedly attempt to gain access to a specific account or system using a list of commonly used passwords. Attackers sometimes abuse legitimate cloud services by creating many virtual machines (VMs) or containers to launch a password spray attack.

+This playbook helps investigate cases where suspicious behavior is observed as indicative of a password spray attack. This guide is for security teams like the security operations center (SOC) and IT administrators who review, handle/manage, and classify the alerts. This guide helps in quickly classifying the alerts as either [true positive (TP) or false positive (FP)](investigate-alerts.md) and, in the case of TP, take recommended actions to remediate the attack and mitigate the security risks.

+The intended results of using this guide are:

+- YouΓÇÖve identified the alerts associated with password spray attempts as malicious (TP) or false positive (FP) activities.

+- You've taken the necessary actions to remediate the attack.

+## Investigation steps

+This section contains step-by-step guidance to respond to the alert and take the recommended actions to protect your organization from further attacks.

+### 1. Investigate the security alerts

+ - **Are the alerted sign-in attempts coming from a suspicious location?** Check sign-in attempts from locations other than those typical for impacted user accounts. Multiple sign-in attempts from one or many users are helpful indicators.

+### 2. Investigate suspicious user activity

+ - **Are there unusual events with uncommon properties?** Unique properties for an impacted user, like unusual ISP, country, or city, might indicate suspicious sign-in patterns.

+ - **Is there a marked increase in email or file-related activities?** Suspicious events like increased attempts in mail access or send activity or an increase in uploading of files to SharePoint or OneDrive for an impacted user are some signs to look for.

+ - **Are there multiple failed sign-in attempts?** A high number of failed sign-in attempts from various IPs and geographic locations by an impacted user might indicate a password spray attack.

+ - **Identify the ISP from the sign-in activity of an impacted user.** Check for sign-in activities by other user accounts from the same ISP.

+

+ - **Inspect any recent modifications in your environment:**

+ - Changes in Office 365 applications like Exchange Online permission, mail auto-forwarding, mail redirection

+ - Modifications in PowerApps, like automated data transmission configuration through PowerAutomate

+ - Modifications in Azure environments, like Azure portal subscription changes

+ - Changes to SharePoint Online, like the impacted user account gaining access to multiple sites or files with sensitive/confidential/company-only content

+

+ - **Inspect the impacted account's activities that occur within a short time span on multiple platforms and apps.** Audit events to check the timeline of activities, like contrasting the userΓÇÖs time spent reading or sending email followed by allocating resources to the userΓÇÖs account or other accounts.

+### 3. Investigate possible follow-on attacks

+**Inspect your environment for other attacks involving impacted user accounts** as attackers often perform malicious activities after a successful password spray attack. Consider investigating the following possibly suspicious activities:

+- [Multi-factor authentication (MFA)](/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365)-related attacks

+ - Attackers use **MFA fatigue** to bypass this security measure that organizations adopt to protect their systems. **Check for multiple MFA requests raised by an impacted user account.**

+ - Attackers might perform **MFA tampering** using an impacted user account with elevated privileges by disabling MFA protection for other accounts within the tenant. **Check for suspicious admin activities performed by an impacted user.**

+- Internal phishing attacks

+ - Attackers might use an impacted user account to send internal phishing mails. **Check suspicious activities like email forwarding or creation of inbox manipulation or inbox forwarding rules.** The following playbooks can guide you to further investigate email events:

+ - [Classifying alerts for suspicious email forwarding activity](alert-grading-playbook-email-forwarding.md)

+ - [Classifying alerts for suspicious inbox forwarding rules](alert-grading-playbook-inbox-forwarding-rules.md)

+ - [Classifying alerts for suspicious inbox manipulation rules](alert-grading-playbook-inbox-manipulation-rules.md)

+ - **Check whether the user received other alerts before the password spray activity.** Having these alerts indicate that the user account might be compromised. Examples include impossible travel alert, activity from infrequent country, and suspicious email deletion activity, among others.

+## Advanced hunting queries

+[Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview) is a query-based threat hunting tool that lets you inspect events in your network and locate threat indicators.

+Use these queries to gather more information related to the alert and determine whether the activity is suspicious.

+Ensure you have access to the following tables:

+- [AadSignInEventsBeta](advanced-hunting-aadsignineventsbeta-table.md)

+- [CloudAppEvents](advanced-hunting-cloudappevents-table.md)

+- [DeviceEvents](advanced-hunting-deviceevents-table.md)

+- [EmailEvents](advanced-hunting-emailevents-table.md)

+- [EmailUrlInfo](advanced-hunting-emailurlinfo-table.md)

+- [IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)

+- [UrlClickEvents](advanced-hunting-urlclickevents-table.md)

+Use this query to identify password spray activity.

+```kusto

+IdentityLogonEvents

+| where Timestamp > ago(7d)

+| where ActionType == "LogonFailed"

+| where isnotempty(RiskLevelDuringSignIn)

+| where AccountObjectId == <Impacted User Account Object ID>

+| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP

+| where TargetCount >= 100

+| where TargetCountry >= 5

+| where TargetIPAddress >= 25

+```

+Use this query to identify other activities from the alerted ISP.

+```kusto

+CloudAppEvents

+| where Timestamp > ago(7d)

+| where AccountObjectId == <Impacted User Account Object ID>

+| where ISP == <Alerted ISP>

+| summarize count() by Application, ActionType, bin(Timestamp, 1h)

+```

+Use this query to identify sign-in patterns for the impacted user.

+```kusto

+IdentityLogonEvents

+| where Timestamp > ago(7d)

+| where AccountObjectId == <Impacted User Account Object ID>

+| where ISP == <Alerted ISP>

+| where Application != "Active Directory"

+| summarize SuccessCount = countif(ActionType == "LogonSuccess"), FailureCount = countif(ActionType == "LogonFailed") by ISP

+```

+Use this query to identify MFA fatigue attacks.

+```kusto

+AADSignInEventsBeta

+| where Timestamp > ago(1h)

+//Error Code : 50088 : Limit on telecom MFA calls reached

+//Error Code : 50074 : Strong Authentication is required.

+| where ErrorCode in ("50074","50088")

+| where isnotempty(AccountObjectId)

+| where isnotempty(IPAddress)

+| where isnotempty(Country)

+| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), FailureCount = count() by AccountObjectId, Country, IPAddress

+| where FailureCount >= 10

+```

+Use this query to identify MFA reset activities.

+```kusto

+let relevantActionTypes = pack_array("Disable Strong Authentication.","system.mfa.factor.deactivate", "user.mfa.factor.update", "user.mfa.factor.reset_all", "core.user_auth.mfa_bypass_attempted");

+CloudAppEvents

+AlertInfo

+| where Timestamp > ago(1d)

+| where isnotempty(AccountObjectId)

+| where Application in ("Office 365","Okta")

+| where ActionType in (relevantActionTypes)

+| where RawEventData contains "success"

+| project Timestamp, ReportId, AccountObjectId, IPAddress, ActionType

+CloudAppEvents

+| where Timestamp > ago(1d)

+| where ApplicationId == 11161

+| where ActionType == "Update user."

+| where isnotempty(AccountObjectId)

+| where RawEventData has_all("StrongAuthenticationRequirement","[]")

+| mv-expand ModifiedProperties = RawEventData.ModifiedProperties

+| where ModifiedProperties.Name == "StrongAuthenticationRequirement" and ModifiedProperties.OldValue != "[]" and ModifiedProperties.NewValue == "[]"

+| mv-expand ActivityObject = ActivityObjects

+| where ActivityObject.Role == "Target objectΓÇ¥

+| extend TargetObjectId = tostring(ActivityObject.Id)

+| project Timestamp, ReportId, AccountObjectId, ActivityObjects, TargetObjectId

+```

+Use this query to find new email inbox rules created by the impacted user.

+```kusto

+CloudAppEvents

+| where AccountObjectId == <ImpactedUser>

+| where Timestamp > ago(21d)

+| where ActionType == "New-InboxRule"

+| where RawEventData.SessionId in (suspiciousSessionIds)

+```

+## Recommended actions

+Once you determine that the activities associated with this alert are malicious, classify those alerts as TP and take these actions for remediation:

+1. Reset the user's account credentials.

+2. Revoke access tokens of the compromised account.

+3. Use number matching in Microsoft Authenticator to mitigate MFA fatigue attacks.

+4. Apply the principle of least privilege. Create accounts with minimum privilege required to complete tasks.

+5. Configure blocking based on the senderΓÇÖs IP address and domains if the artifacts are related to email.

+6. Block URLs or IP addresses (on the network protection platforms) that were identified as malicious during the investigation.

+## See also

+- [Overview of alert classification](alert-grading-playbooks.md)

+- [Investigate alerts](investigate-alerts.md)

+ Title: Alert classification for suspicious IP address related to password spraying activity

+description: Alert classification for suspicious IP address related to password spraying activity to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, devices, users, 365, microsoft, m365, password, spray, alert classification, alert grading, cloud apps, suspicious IP, classify alert

+# Alert classification for suspicious IP addresses related to password spray attacks

+This playbook helps you investigate instances where IP addresses have been labeled risky or associated with a password spray attack, or suspicious unexplained activities were detected, such as a user signing in from an unfamiliar location or a user getting unexpected multi-factor authentication (MFA) prompts. This guide is for security teams like the security operations center (SOC) and IT administrators who review, handle/manage, and classify the alerts. This guide helps in quickly classifying the alerts as either [true positive (TP) or false positive (FP)](investigate-alerts.md) and, in the case of TP, take recommended actions to remediate the attack and mitigate the security risks.

+- [Overview of alert classification](alert-grading-playbooks.md)

+- [Classifying password spray attacks](alert-grading-password-spray-attack.md)

+ Title: Alert classification for suspicious email forwarding activity

+description: Alert classification for suspicious email forwarding activity to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert

+# Alert classification for suspicious email forwarding activity

+This playbook helps you investigate Suspicious Email Forwarding Activity alerts and quickly grade them as either a true positive (TP) or a false positive (FP). You can then take recommended actions for the TP alerts to remediate the attack.

+For an overview of alert classifications for Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps, see the [introduction article](alert-grading-playbooks.md).

+- [Overview of alert classification](alert-grading-playbooks.md)

+ Title: Alert classification for suspicious inbox forwarding rules

+description: Alert classification for suspicious inbox forwarding rules to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert

+# Alert classification for suspicious inbox forwarding rules

+This playbook helps you investigate alerts for suspicious inbox forwarding rules and quickly grade them as either a true positive (TP) or a false positive (TP). You can then take recommended actions for the TP alerts to remediate the attack.

+For an overview of alert classification for Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps, see the [introduction article](alert-grading-playbooks.md).

+- [Overview of alert classification](alert-grading-playbooks.md)

+ Title: Alert classification for suspicious inbox manipulation rules

+description: Alert classification for suspicious inbox manipulation rules to review the alerts and take recommended actions to remediate the attack and protect your network.

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert

+# Alert classification for suspicious inbox manipulation rules

+This playbook helps you investigate any incident related to suspicious inbox manipulation rules configured by attackers and take recommended actions to remediate the attack and protect your network. This playbook is for security teams, including security operations center (SOC) analysts and IT administrators who review, investigate, and grade the alerts. You can quickly grade alerts as either a true positive (TP) or a false positive (TP) and take recommended actions for the TP alerts to remediate the attack.

+- [Overview of alert classification](alert-grading-playbooks.md)

+ Title: Alert classification playbooks

+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, alert classification, alert grading, classify alert

+# Alert classification playbooks

+Alert classification playbooks allow you to methodically review and quickly classify the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network. Alert classification will also help in properly classifying the overall incident.

+## Alert classification playbooks

+See these playbooks for steps to more quickly classify alerts for the following threats:

+- [Suspicious IP addresses related to password spray activity](alert-grading-password-spray.md)

+- [Password spray attacks](alert-grading-password-spray-attack.md)

+ Title: Setup guides for Microsoft 365 Defender

+description: Learn how to deploy and configure Microsoft 365 Defender by using online setup guides

+keywords: deploy, licenses, supported services, provisioning, configuration Microsoft 365 Defender, M365, license eligibility, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - tier2

+search.appverid:

+ - MOE150

+ - MET150

+# Setup guides for Microsoft 365 Defender

+**Applies to:**

+- Microsoft 365 Defender

+Setup guides for Microsoft 365 Defender deployment give you tailored guidance and resources for planning and deploying security controls for your tenant, apps, and services.

+All deployment guides are available in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224913) and in the [Microsoft 365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2230646).

+## Deployment Guides

+Deployment guides in the admin center require authentication to a Microsoft 365 tenant as an administrator or other role with access to the admin center, but guides in the Microsoft 365 Setup portal can be accessed by anyone. We have provided links to both locations for each guide, where available, in the tables below.

+|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** |

+||||

+| [Microsoft Defender for Endpoint setup guide](https://go.microsoft.com/fwlink/?linkid=2223155) | [Microsoft Defender for Endpoint setup guide](https://go.microsoft.com/fwlink/?linkid=2224785) |The **Microsoft Defender for Endpoint setup guide** provides instructions that will help your enterprise network prevent, detect, investigate, and respond to advanced threats. Make an informed assessment of your organization's vulnerability and decide which deployment package and configuration methods are best. <br> **Note**: A Microsoft Volume License is required for Microsoft Defender for Endpoint. |

+|[Microsoft Defender for Office 365 setup guide ](https://go.microsoft.com/fwlink/?linkid=2222971) | [Microsoft Defender for Office 365 setup guide ](https://go.microsoft.com/fwlink/?linkid=2224784) | The **Microsoft Defender for Office 365 setup guide** safeguards your organization against malicious threats that your environment might come across through email messages, links, and third party collaboration tools. This guide provides you with the resources and information to help you prepare and identify the Defender for Office 365 plan to fit your organization's needs. |

+|[Microsoft Defender for Cloud Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2222969) | [Microsoft Defender for Cloud Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224814) | The **Microsoft Defender for Cloud Apps setup guide** provides easy to follow deployment and management guidance to set up your Cloud Discovery solution. With Cloud Discovery, you'll integrate your supported security apps, and then you'll use traffic logs to dynamically discover and analyze the cloud apps that your organization uses. You'll also set up features available through the Defender for Cloud Apps solution, including threat detection policies to identify high-risk use, information protection policies to define access, and real-time session controls to monitor activity. With these features, your environment gets enhanced visibility, control over data movement, and analytics to identify and combat cyberthreats across all your Microsoft and third party cloud services. |

+|[Microsoft Defender for Identity setup guide](https://go.microsoft.com/fwlink/?linkid=2222970)|[Microsoft Defender for Identity setup guide](https://go.microsoft.com/fwlink/?linkid=2224783)|The **Microsoft Defender for Identity setup guide** provides security solution set-up guidance to identify, detect, and investigate advanced threats that might compromise user identities. These include detecting suspicious user activities and malicious insider actions directed at your organization. You'll create a Defender for Identity instance, connect to your organization's Active Directory, and then set up sensors, alerts, notifications, and configure your unique portal preferences.|

+## Related topics

+- [Microsoft 365 Defender overview](microsoft-365-defender.md)

+- [Turn on Microsoft 365 Defender](m365d-enable.md)

+- [Deploy supported services](deploy-supported-services.md)

+- [Microsoft Defender for Endpoint overview](../defender-endpoint/microsoft-defender-endpoint.md)

+- [Microsoft Defender for Office 365 overview](../office-365-security/defender-for-office-365.md)

+- [Microsoft Defender for Cloud Apps overview](/cloud-app-security/what-is-cloud-app-security)

+- [Setup guides for Microsoft 365 Defender](deploy-configure-m365-defender.md)

+- [Setup guides for Microsoft 365 Defender](deploy-configure-m365-defender.md)

+- [Setup guides for Microsoft 365 Defender](deploy-configure-m365-defender.md)

+> [!IMPORTANT]

+> The button below will let you test and identify suspicious activities against an account and return information that can be used to recover in the case an account is compromised.

+>

+<div class="nextstepaction">

+<p><a href="https://aka.ms/diagca" data-linktype="external">Run Tests: Compromised Accounts</a></p>

+</div>

+ - Select one of the questions Copilot has generated for you tailored for the specific file.

+ - In the text box, select **More from Syntex** to find more information about the file.