Updates from: 04/07/2021 03:11:26
Category Microsoft Docs article Related commit history on GitHub Change details
admin Assign Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/assign-admin-roles.md
You can assign users to a role in 2 different ways:
### Assign admin roles to users using Roles
-1. In the admin center, go to **Roles** > **Roles** to view all of the admin roles available for your organization.
+1. In the admin center, go to **Roles**. Choose the **Azure AD** or **Intune** tabs to view the admin roles available for your organization.
2. Select the admin role that you want to assign the user to. 3. Select **Assigned admins** > **Add**. 4. Type the user's **display name** or **username**, and then select the user from the list of suggestions.
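Review bot: In the rewritten step 1, "Choose the **Azure AD** or **Intune** tabs" pairs "or" with a plural noun; use "tab" so it is clear the reader opens one of the two. The section heading still reads "using Roles", so the step should keep naming the **Roles** page explicitly, as it does now.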
You can assign users to a role in 2 different ways:
1. In the admin center, go to **Users** > [Active users](https://go.microsoft.com/fwlink/p/?linkid=834822) page.
-2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, next to **Roles**, select **Manage roles**.
+2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, under **Roles**, select **Manage roles**.
3. Select the admin role that you want to assign to the user. If you don't see the role you're looking for, select **Show all** at the bottom of the list.
commerce Manage Auto Claim Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-auto-claim-policies.md
manage the policy:
## Before you begin
-You must be a Global admin to create and manage auto-claim policies. For more information, see [About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md).
+You must be a Global, User, or License admin to create and manage auto-claim policies. For more information, see [About Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md).
## Turn the auto-claim policy feature on or off
By default, the auto-claim policy feature is turned off. Before you can use the
### Turn off auto-claim policies
+Only a Global admin can turn off an auto-claim policy setting.
+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">Org settings</a> page. 2. Near the bottom of the table, select **User owned apps and services**. 3. In the right pane, clear the box for **Let users auto-claim licenses the first time they sign in**.
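Review bot: The permission statements now disagree between sections: "Before you begin" says a Global, User, or License admin can create and manage auto-claim policies, while the line added under "Turn off auto-claim policies" limits turning the setting off to a Global admin. State that exception in "Before you begin" as well, and say which role is required to turn the feature on, since the parent heading covers both on and off. The new sentence also says "an auto-claim policy setting", but the steps clear the single org-wide box **Let users auto-claim licenses the first time they sign in**, so "the auto-claim policy feature" would match the heading.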
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Dynamic markings with variables](#dynamic-markings-with-variables) | Under review | Under review | Under review | Under review | Under review |
+|[Dynamic markings with variables](#dynamic-markings-with-variables) <sup>1</sup> | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
|[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | Under review | Under review | Under review | Rolling out |
-|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | 16.43+ <sup>\*</sup> | Under review | Under review | Yes |
+|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | 16.43+ <sup>2</sup> | Under review | Under review | Yes |
|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review |
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>2</sup> | Under review | Under review | Yes |
|
-**Footnote:**
+**Footnotes:**
-<sup>\*</sup>
+<sup>1</sup>
+Currently, only the [Item.Label and If.App variables](#dynamic-markings-with-variables) are supported
+<br />
+<sup>2</sup>
Requires the [new Outlook for Mac](https://support.microsoft.com/office/the-new-outlook-for-mac-6283be54-e74d-434e-babb-b70cefc77439)
For these scenarios, using their Office apps, a user with built-in labeling can
### Dynamic markings with variables > [!IMPORTANT]
-> Currently, not all apps on all platforms support dynamic content markings that you can specify for your headers, footers, and watermarks. For apps that don't support this capability, they apply the markings as the original text specified in the label configuration, rather than resolving the variables.
+> Currently, not all apps on all platforms support dynamic content markings that you can specify for your headers, footers, and watermarks. For apps that don't support this capability, they apply the markings as the original text specified in the label configuration, rather than resolving the variables.
>
-> The Azure Information Protection unified labeling client supports dynamic markings. For labeling built in to Office, see the tables in the [capabilities](#support-for-sensitivity-label-capabilities-in-apps) section on this page.
+> The Azure Information Protection unified labeling client supports dynamic markings and all listed variables. For labeling built in to Office, see the tables in the [capabilities](#support-for-sensitivity-label-capabilities-in-apps) section on this page for minimum versions, and then the following table to identify the variables supported.
When you configure a sensitivity label for content markings, you can use the following variables in the text string for your header, footer, or watermark: | Variable | Description | Example when label applied | | -- | -- | - |
-| `${Item.Label}` | Label display name of the label applied| **General**|
-| `${Item.Name}` | File name or email subject of the content being labeled | **Sales.docx** |
-| `${Item.Location}` | Path and file name of the document being labeled, or the email subject for an email being labeled | **\\\Sales\2020\Q3\Report.docx**|
-| `${User.Name}` | Display name of the user applying the label| **Richard Simone** |
-| `${User.PrincipalName}` | Azure AD user principal name (UPN) of the user applying the label | **rsimone\@contoso.com** |
-| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label | **8/10/2020 1:30 PM** |
+| `${Item.Label}` | Label display name of the label applied <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint, and Outlook | **General**|
+| `${Item.Name}` | File name or email subject of the content being labeled <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **Sales.docx** |
+| `${Item.Location}` | Path and file name of the document being labeled, or the email subject for an email being labeled <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **\\\Sales\2020\Q3\Report.docx**|
+| `${User.Name}` | Display name of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **Richard Simone** |
+| `${User.PrincipalName}` | Azure AD user principal name (UPN) of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **rsimone\@contoso.com** |
+| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **8/10/2020 1:30 PM** |
> [!NOTE] > The syntax for these variables is case-sensitive.
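Review bot: The support statements added to the Description cells of the six variable rows are easy to miss and mix two break styles in one cell (`<br /><br>`); a separate "Built-in labeling support" column would make the per-app difference visible, since only `${Item.Label}` lists Outlook. The revised IMPORTANT note sends readers to "the following table to identify the variables supported", but that table has no row for If.App, so its support under built-in labeling is stated only in footnote 1 of the capabilities table. Add the If.App support statement where the variable is introduced.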
When you configure a sensitivity label for content markings, you can use the fol
As an additional variable, you can configure visual markings per Office application type by using an "If.App" variable statement in the text string, and identify the application type by using the values **Word**, **Excel**, **PowerPoint**, or **Outlook**. You can also abbreviate these values, which is necessary if you want to specify more than one in the same If.App statement.
-> [!NOTE]
-> For completeness, instructions for Outlook are included, although currently supported only by the Azure Information Protection unified labeling client.
- Use the following syntax: ```
contentunderstanding Explanation Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/explanation-types-overview.md
description: "Learn more about explanation types in Microsoft SharePoint Syntex"
Explanations are used to help to define the information you want to label and extract in your document understanding models in Microsoft SharePoint Syntex. When creating an explanation, you need to select an explanation type. This article helps you understand the different explanation types and how they are used.
- ![Explanation types](../media/content-understanding/explanation-types.png)
+![Explanation types](../media/content-understanding/explanation-types.png)
These explanation types are available: -- **Phrase list**: List of words, phrases, numbers, or other characters you can use in the document or information that you are extracting. For example, the text string **Referring Doctor** is in all Medical Referral documents you are identifying.</br>
+- **Phrase list**: List of words, phrases, numbers, or other characters you can use in the document or information that you are extracting. For example, the text string **Referring Doctor** is in all Medical Referral documents you are identifying. Or the **Phone number** of the referring doctor from all Medical Referral document that you are identifying.
-- **Pattern list**: List patterns of numbers, letters, or other characters that you can use to identify the information that you are extracting. For example, you can extract the **Phone number** of the referring doctor from all Medical Referral document that you are identifying.</br>--- **Proximity**: Describes how close explanations are to each other. For example, a *street number* pattern list goes right before the *street name* phrase list, with no tokens in between (you'll learn about tokens later in this article). Using the proximity type requires you to have at least two explanations in your model or the option will be disabled.
+- **Proximity**: Describes how close explanations are to each other. For example, a *street number* phrase list goes right before the *street name* phrase list, with no tokens in between (you'll learn about tokens later in this article). Using the proximity type requires you to have at least two explanations in your model or the option will be disabled.
## Phrase list A phrase list explanation type is typically used to identify and classify a document through your model. As described in the *Referring Doctor* label example, it is a string of words, phrases, numbers, or characters that is consistently in the documents that you are identifying.
-While not a requirement, you can achieve better success with your explanation if the phrase you are capturing is located in a consistent location in your document. For example, the *Referring Doctor* label may be consistently located in the first paragraph of the document.
+While not a requirement, you can achieve better success with your explanation if the phrase you are capturing is located in a consistent location in your document. For example, the *Referring Doctor* label may be consistently located in the first paragraph of the document. You can also use the **[Configure where phrases occur in the document](https://docs.microsoft.com/microsoft-365/contentunderstanding/explanation-types-overview#configure-where-phrases-occur-in-the-document)** advanced setting to select specific areas where the phrase is located, especially if there is a chance that the phrase might occur in multiple locations in your document.
If case sensitivity is a requirement in identifying your label, using the phrase list type allows you to specify it in your explanation by selecting the **Only exact capitalization** checkbox.
- ![Case sensitivity](../media/content-understanding/case-sensitivity.png)
-
-## Pattern lists
+![Case sensitivity](../media/content-understanding/case-sensitivity.png)
-A pattern list type is especially useful when you create an explanation that identifies and extracts information from a document. It is typically presented in different formats, such as dates, phone numbers, and credit card numbers. For example, a date can be displayed in a number of different formats (1/1/2020, 1-1-2020, 01/01/20, 01/01/2020, Jan 1,2020, etc.). Defining a pattern list makes your explanation more efficient by capturing any possible variations in the data that you are trying to identify and extract.
+A phrase type is especially useful when you create an explanation that identifies and extracts information in different formats, such as dates, phone numbers, and credit card numbers. For example, a date can be displayed in a number of different formats (1/1/2020, 1-1-2020, 01/01/20, 01/01/2020, Jan 1,2020, etc.). Defining a phrase list makes your explanation more efficient by capturing any possible variations in the data that you are trying to identify and extract.
-For the **Phone number** example, you extract the phone number for each referring doctor from all Medical Referral documents that the model identifies. When you create the explanation, select the Pattern list type to allow the different formats that you may expect to be returned.
+For the **Phone number** example, you extract the phone number for each referring doctor from all Medical Referral documents that the model identifies. When you create the explanation, type the different formats a phone number might display in your document so that you are able to capture possible variations.
- ![Phone number pattern list](../media/content-understanding/pattern-list.png)
+![Phone number phrase patterns](../media/content-understanding/pattern-list.png)
-For this example, select the **Any digit from 0-9** checkbox to recognize each "0" value used in your pattern list to be any digit from 0 through 9.
+For this example, in **Advanced Settings** select the **Any digit from 0-9** checkbox to recognize each "0" value used in your phrase list to be any digit from 0 through 9.
- ![Any digit from 0-9](../media/content-understanding/digit-identity.png)
+![Any digit from 0-9](../media/content-understanding/digit-identity.png)
-Similarly, if you create a pattern list that includes text characters, select the **Any letter from a-z** checkbox to recognize each "a" character used in the pattern list to be any character from "a" to "z".
+Similarly, if you create a phrase list that includes text characters, select the **Any letter from a-z** checkbox to recognize each "a" character used in the phrase list to be any character from "a" to "z".
-For example, if you create a **Date** pattern list and you want to make sure that a date format such as *Jan 1, 2020* is recognized, you need to:
-- Add *aaa 0, 0000* and *aaa 00, 0000* to your pattern list.
+For example, if you create a **Date** phrase list and you want to make sure that a date format such as *Jan 1, 2020* is recognized, you need to:
+- Add *aaa 0, 0000* and *aaa 00, 0000* to your phrase list.
- Make sure that **Any letter from a-z** is also selected.
- ![Any letter from a-z](../media/content-understanding/any-letter.png)
+![Any letter from a-z](../media/content-understanding/any-letter.png)
-Additionally, if you have capitalization requirements in your pattern list, you have the option to select the **Only exact capitalization** checkbox. For the Date example, if you require the first letter of the month to be capitalized, you need to:
+Additionally, if you have capitalization requirements in your phrase list, you have the option to select the **Only exact capitalization** checkbox. For the Date example, if you require the first letter of the month to be capitalized, you need to:
-- Add *Aaa 0, 0000* and *Aaa 00, 0000* to your pattern list.
+- Add *Aaa 0, 0000* and *Aaa 00, 0000* to your phrase list.
- Make sure that **Only exact capitalization** is also selected.
- ![Only exact capitalization](../media/content-understanding/exact-caps.png)
+![Only exact capitalization](../media/content-understanding/exact-caps.png)
> [!NOTE]
-> Instead of manually creating a pattern list explanation, use the [explanation library](#use-explanation-templates) to use pattern list templates for a common pattern list, such as *date*, *phone number*, *credit card number*, etc.
+> Instead of manually creating a phrase list explanation, use the [explanation library](https://docs.microsoft.com/microsoft-365/contentunderstanding/explanation-types-overview#use-explanation-templates) to use phrase list templates for a common phrase list, such as *date*, *phone number*, *credit card number*, etc.
## Proximity
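Review bot: The sentence appended to the **Phrase list** bullet, "Or the **Phone number** of the referring doctor from all Medical Referral document that you are identifying.", is a fragment carried over from the deleted Pattern list bullet; rewrite it as a complete example and make "document" plural. Deleting the "## Pattern lists" heading also folds the formats paragraph into the Phrase list section, where it opens with "A phrase type" while the rest of the change says "phrase list", and the phone number screenshot still points at `pattern-list.png`. The two links that changed from in-page anchors to absolute docs.microsoft.com URLs target this same article, so the relative anchors could have stayed.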
Redmond, WA 98034<br>
Use the proximity explanation to define how far away the phone number explanation is to better identify the street address number in your documents.
- ![Proximity explanation](../media/content-understanding/proximity.png)</br>
+![Proximity explanation](../media/content-understanding/proximity.png)
#### What are tokens?
There are three tokens in *(mobile)*:
Configure the proximity setting to have a range of 0 through 3.
- ![Proximity example](../media/content-understanding/proximity-example.png)</br>
+![Proximity example](../media/content-understanding/proximity-example.png)
## Configure where phrases occur in the document
-When you create an explanation, by default the entire document is searched for the phrase you are trying to extract. However, you can use the <b>Where these phrases occur</b> advanced setting to help in isolating a specific location in the document that a phrase occurs. This is useful in situations where similar instances of a phrase might appear somewhere else in the document, and you want to make sure that the correct one is selected. Referring to our Medical Referral document example, the **Referring Doctor** is always mentioned in the first paragraph of the document. With the <b>Where these phrases occur</b> setting, in this example you can configure your explanation to search for this label only in the beginning section of the document, or any other location in which it might occur.
+When you create an explanation, by default the entire document is searched for the phrase you are trying to extract. However, you can use the **Where these phrases occur** advanced setting to help in isolating a specific location in the document that a phrase occurs. This is useful in situations where similar instances of a phrase might appear somewhere else in the document, and you want to make sure that the correct one is selected. Referring to our Medical Referral document example, the **Referring Doctor** is always mentioned in the first paragraph of the document. With the **Where these phrases occur setting, in this example you can configure your explanation to search for this label only in the beginning section of the document, or any other location in which it might occur.
- ![Where these phrases occur setting](../media/content-understanding/phrase-location.png)</br>
+![Where these phrases occur setting](../media/content-understanding/phrase-location.png)
You can choose the following options for this setting: - Anywhere in the file: The entire document is searched for the phrase.-- Beginning of the file: The document is searched from the beginning to the phrase location.</br>
- ![Beginning of file](../media/content-understanding/beginning-of-file.png)</br>
-In the viewer, you can manually adjust the select box to include the location where the phase occurs. The <b>End position</b> value will update to show the number of tokens your selected area includes. Note that you can update the End position value as well to adjust the selected area.</br>
- ![Beginning of file position box](../media/content-understanding/beginning-box.png)</br>
--- End of the file: The document is searched from the end to the phrase location.</br>
- ![End of file](../media/content-understanding/end-of-file.png)</br>
-In the viewer, you can manually adjust the select box to include the location where the phase occurs. The <b>Starting position</b> value will update to show the number of tokens your selected area includes. Note that you can update the Starting position value as well to adjust the selected area.</br>
- ![End of file end box](../media/content-understanding/end-box.png)</br>
-- Custom range: The document is searched in a specified range within the it for the phrase location.</br>
- ![Custom range](../media/content-understanding/custom-file.png)</br>
-In the viewer, you can manually adjust the select box to include the location where the phase occurs. For this setting, you need to select a <b>Start</b> and an <b>End</b> position. These values represent the number of tokens from the begging of the document. While you can manually enter in these values, it is easier to manually adjust the select box in the viewer.</br>
+
+- Beginning of the file: The document is searched from the beginning to the phrase location.
+
+ ![Beginning of file](../media/content-understanding/beginning-of-file.png)
+
+ In the viewer, you can manually adjust the select box to include the location where the phase occurs. The **End position** value will update to show the number of tokens your selected area includes. Note that you can update the End position value as well to adjust the selected area.
+
+ ![Beginning of file position box](../media/content-understanding/beginning-box.png)
+
+- End of the file: The document is searched from the end to the phrase location.
+
+ ![End of file](../media/content-understanding/end-of-file.png)
+
+ In the viewer, you can manually adjust the select box to include the location where the phase occurs. The **Starting position** value will update to show the number of tokens your selected area includes. Note that you can update the Starting position value as well to adjust the selected area.
+
+ ![End of file end box](../media/content-understanding/end-box.png)
+
+- Custom range: The document is searched in a specified range within the it for the phrase location.
+
+ ![Custom range](../media/content-understanding/custom-file.png)
+
+ In the viewer, you can manually adjust the select box to include the location where the phase occurs. For this setting, you need to select a **Start** and an **End** position. These values represent the number of tokens from the begging of the document. While you can manually enter in these values, it is easier to manually adjust the select box in the viewer.
## Use explanation templates While you can manually add various phrase list values for your explanation, it can be easier to use the templates provided to you in the explanation library.
-For example, instead of manually adding all the variations for *Date*, you can use the phrase list template for *Date* as it already includes a number of phrase lists values:</br>
+For example, instead of manually adding all the variations for *Date*, you can use the phrase list template for *Date* as it already includes a number of phrase lists values:
- ![Explanation library](../media/content-understanding/explanation-template.png)</br>
+![Explanation library](../media/content-understanding/explanation-template.png)
-The explanation library includes commonly used phrase list explanations, including:</br>
--- Date: Calendar dates, all formats. Includes text and numbers (for example, "Dec 9, 2020").</br>-- Date (numeric): Calendar dates, all formats. Includes numbers (for example 1-11-2020).</br>-- Time: 12 and 24 hour formats.</br>-- Number: Positive and negative numbers up to 2 decimals. </br>-- Percentage: A list of patterns representing a percentage. For example, 1%, 11%, 100%, 11.11%, etc.</br>-- Phone number: Common US and International formats. For example, 000 000 0000, 000-000-0000, (000)000-0000, (000) 000-0000, etc.</br>-- Zip code: US Zip code formats. For example, 11111, 11111-1111.</br>-- First word of sentence: Common patterns for words up to 9 characters. </br>-- End of sentence: Common punctuation for end of a sentence</br>-- Credit card: Common credit card number formats. For example, 1111-1111-1111-1111. </br>-- Social security number: US Social Security Number format. For example, 111-11-1111. </br>-- Checkbox: A phrase list representing variations on a filled in checkbox. For example, _X_, __X_, etc.</br>-- Currency: Major international symbols. For example, $. </br>-- Email CC: A phrase list with the term 'CC:', often found near the names or email addresses of additional people or groups the message was sent to.</br>-- Email date: A phrase list with the term 'Sent on:', often found near the date the email was sent.</br>-- Email greeting: Common opening lines for emails.</br>-- Email recipient: A phrase list with the term 'To:', often found near the names or email addresses of people or groups the message was sent to. </br>-- Email sender: A phrase list with the term 'From:', often found near the sender's name or email address. </br>-- Email subject: A phrase list with the term 'Subject:', often found near the email's subject. </br>
+The explanation library includes commonly used phrase list explanations, including:
+
+- Date: Calendar dates, all formats. Includes text and numbers (for example, "Dec 9, 2020").
+- Date (numeric): Calendar dates, all formats. Includes numbers (for example 1-11-2020).
+- Time: 12 and 24 hour formats.
+- Number: Positive and negative numbers up to 2 decimals.
+- Percentage: A list of patterns representing a percentage. For example, 1%, 11%, 100%, 11.11%, etc.
+- Phone number: Common US and International formats. For example, 000 000 0000, 000-000-0000, (000)000-0000, (000) 000-0000, etc.
+- Zip code: US Zip code formats. For example, 11111, 11111-1111.
+- First word of sentence: Common patterns for words up to 9 characters.
+- End of sentence: Common punctuation for end of a sentence
+- Credit card: Common credit card number formats. For example, 1111-1111-1111-1111.
+- Social security number: US Social Security Number format. For example, 111-11-1111.
+- Checkbox: A phrase list representing variations on a filled in checkbox. For example, _X_, __X_, etc.
+- Currency: Major international symbols. For example, $.
+- Email CC: A phrase list with the term 'CC:', often found near the names or email addresses of additional people or groups the message was sent to.
+- Email date: A phrase list with the term 'Sent on:', often found near the date the email was sent.
+- Email greeting: Common opening lines for emails.
+- Email recipient: A phrase list with the term 'To:', often found near the names or email addresses of people or groups the message was sent to.
+- Email sender: A phrase list with the term 'From:', often found near the sender's name or email address.
+- Email subject: A phrase list with the term 'Subject:', often found near the email's subject.
The explanation library also includes three automatic template types that work with the data you've labeled in your example files: -- After label: The words or characters that occur after the labels in the example files.</br>-- Before label: The words or characters that occur before the labels in the example files.</br>-- Labels: Up to the first 10 labels from the example files.</br>
+- After label: The words or characters that occur after the labels in the example files.
+- Before label: The words or characters that occur before the labels in the example files.
+- Labels: Up to the first 10 labels from the example files.
To give you an example of how automatic templates work, in the following example file, we will use the Before Label explanation template to help give the model more information to get a more accurate match.
- ![Example file](../media/content-understanding/before-label.png)</br>
+![Example file](../media/content-understanding/before-label.png)
When you select the Before Label explanation template, it will look for the first set of words that appear before the label in your example files. In the example, the words that are identified in the first example file is "As of".
- ![Before label template](../media/content-understanding/before-label-explanation.png)</br>
+![Before label template](../media/content-understanding/before-label-explanation.png)
-You can select <b>Add</b> to create an explanation from the template. As you add more example files, additional words will be identified and added to the phrase list.
+You can select **Add** to create an explanation from the template. As you add more example files, additional words will be identified and added to the phrase list.
- ![Add the label](../media/content-understanding/before-label-add.png)</br>
+![Add the label](../media/content-understanding/before-label-add.png)
#### To use a template from the explanation library
-1. From the **Explanations** section of your model's **Train** page, select **New**, then select **From a template**.</br>
+1. From the **Explanations** section of your model's **Train** page, select **New**, then select **From a template**.
- ![Add Before Label](../media/content-understanding/from-template.png)</br>
+ ![Add Before Label](../media/content-understanding/from-template.png)
-2. On the **Explanation templates** page, select the explanation you want to use, then select **Add**.</br>
+2. On the **Explanation templates** page, select the explanation you want to use, then select **Add**.
- ![Select a template](../media/content-understanding/phone-template.png)</br>
+ ![Select a template](../media/content-understanding/phone-template.png)
-3. The information for the template you selected displays on the **Create an explanation** page. If needed, edit the explanation name and add or remove items from the phrase list. </br>
+3. The information for the template you selected displays on the **Create an explanation** page. If needed, edit the explanation name and add or remove items from the phrase list.
- ![Edit template](../media/content-understanding/phone-template-live.png)</br>
+ ![Edit template](../media/content-understanding/phone-template-live.png)
4. When finished, select **Save**.
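Review bot: In the "Configure where phrases occur in the document" paragraph, the second `<b>` to Markdown conversion drops the closing asterisks: "With the **Where these phrases occur setting" leaves the bold unterminated and should read "**Where these phrases occur** setting". While the option list is being reflowed, correct the wording carried over unchanged into the added lines: "phase occurs" (three times) should be "phrase occurs", "within the it" should be "within it", and "from the begging of the document" should be "from the beginning of the document".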
enterprise Subscriptions Licenses Accounts And Tenants For Microsoft Cloud Offerings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings.md
Figure 3 shows an example of multiple subscriptions of an organization using a c
### Tenants
-For SaaS cloud offerings, the tenant is the regional location that houses the servers providing cloud services. For example, the Contoso Corporation chose the European region to host its Microsoft 365, EMS, and Dynamics 365 tenants for the 15,000 workers in their Paris headquarters.
+For SaaS cloud offerings, the tenant is the regional location that houses the servers providing cloud services. For example, the Contoso Corporation chose the European region to host its Microsoft 365, EMS, and Dynamics 365 subscriptions for the 15,000 workers in their Paris headquarters.
Azure PaaS services and virtual machine-based workloads hosted in Azure IaaS can have tenancy in any Azure datacenter across the world. You specify the Azure datacenter, known as the location, when you create the Azure PaaS app or service or element of an IaaS workload.
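Review bot: In the changed sentence under "### Tenants", the example now has Contoso hosting its "subscriptions" in the European region, while the sentence before it still defines the tenant as the regional location, so the example no longer uses the term the section defines. Consider wording such as "to host the tenant for its Microsoft 365, EMS, and Dynamics 365 subscriptions" so the example ties back to the definition.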
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Enable controlled folder access](enable-controlled-folders.md) ##### [Customize controlled folder access](customize-controlled-folders.md)
+### [Network devices](network-devices.md)
+ ### [Microsoft Defender for Endpoint for Mac]() #### [Overview of Microsoft Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md) #### [What's New](mac-whatsnew.md)
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
+
+ Title: Network device discovery and vulnerability management
+description: Security recommendations and vulnerability detection are now available for operating systems of switches, routers, WLAN controllers, and firewalls.
+keywords: network devices, network devices vulnerability detection, operating systems of switches, routers, WLAN controllers, and firewalls
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
+
+# Network device discovery and vulnerability management
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> [!IMPORTANT]
+> **Scanning and managing network devices is currently in public preview**<br>
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Microsoft Defender for Endpoint preview features](preview.md).
+
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+Network discovery capabilities are available in the **Device inventory** section of the Microsoft 365 security center and Microsoft Defender Security Center consoles.
+
+A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for EndpointΓÇÖs threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
+
+Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities foron network devices deployed across their organizations.
+
+## Approach
+
+Network devices are not managed as standard endpoints since Defender for Endpoint doesnΓÇÖt have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. Depending on the network topology and characteristics, a single device or a few devices onboarded to Microsoft Defender for Endpoint will perform authenticated scans of network devices using SNMP (read-only).
+
+There will be two types of devices to keep in mind:
+
+- **Assessment device**: A device that's already onboarded that you'll use to scan the network devices.
+- **Network devices**: The network devices you plan to scan and onboard.
+
+### Vulnerability management for network devices
+
+Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.
+
+## Operating systems that are supported
+
+The following operating systems are currently supported:
+
+- Cisco IOS, IOS-XE, NX-OS
+- Juniper JUNOS
+- HPE ArubaOS, Procurve Switch Software
+- Palo Alto Networks PAN-OS
+
+More networking vendors and OS will be added over time, based on data gathered from customer usage. Therefore, you are encouraged to configure all your network devices, even if theyΓÇÖre not specified in this list.
+
+## How to get started
+
+Your first step is to select a device that will perform the authenticated network scans.
+
+1. Decide on a Defender for Endpoint onboarded device (client or server) that has a network connection to the management port for the network devices you plan on scanning.
+
+2. SNMP traffic between the Defender for Endpoint assessment device and the targeted network devices must be allowed (for example, by the Firewall).
+
+3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).
+
+4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint assessment device to query the configured network devices. ΓÇÿSNMP writeΓÇÖ isn't needed for the proper functionality of this feature.
+
+5. Obtain the IP addresses of the network devices to be scanned (or the subnets where these devices are deployed).
+
+6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). YouΓÇÖll be required to provide the credentials when configuring a new assessment job.
+
+7. Proxy client configuration: No extra configuration is required other than the Defender for Endpoint device proxy requirements.
+
+8. To allow the network scanner to be authenticated and work properly, it's essential that you add the following domains/URLs:
+
+ - login.windows.net
+ - *.securitycenter.windows.com
+ - login.microsoftonline.com
+ - *.blob.core.windows.net/networkscannerstable/*
+
+ Note: These URLs are not specified in the Defender for Endpoint documented list of allowed data collection.
+
+## Permissions
+
+To configure assessment jobs, the following user permission option is required: **Manage security settings in Security Center**. You can find the permission by going to **Settings** > **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md)
+
+## Install the network scanner
+
+1. Go to **Microsoft 365 security** > **Settings** > **Endpoints** > **Assessment jobs** (under 'Network assessments').
+ 1. In the Microsoft Defender Security Center, go to Settings > Assessment jobs page.
+
+2. Download the network scanner and install it on the designated Defender for Endpoint assessment device.
+
+![Download scanner button](images/assessment-jobs-download-scanner.png)
+
+## Network scanner installation & registration
+
+The signing-in process can be completed on the designated assessment device itself or any other device (for example, your personal client device).
+
+To complete the network scanner registration process:
+
+1. Copy and follow the URL that appears on the command line and use the provided installation code to complete the registration process.
+ - Note: You may need to change Command Prompt settings to be able to copy the URL.
+
+2. Enter the code and sign in using a Microsoft account that has the Defender for Endpoint permission called "Manage security settings in Security Center."
+
+3. When finished, you should see a message confirming you have signed in.
+
+## Configure a new assessment job
+
+In the Assessment jobs page in **Settings**, select **Add network assessment job**. Follow the set-up process to choose network devices to be scanned regularly and added to the device inventory.
+
+To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple assessment devices.
+
+![Add network assessment job button](images/assessment-jobs-add.png)
+
+Adding a network assessment job steps:
+
+1. Choose an ΓÇÿAssessment jobΓÇÖ name and the ΓÇÿAssessment deviceΓÇÖ on which the network scanner was installed. This device will perform the periodic authenticated scans.
+2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
+3. Add required SNMP credentials of the target network devices.
+4. Save the newly configured network assessment job to start the periodic network scan.
+
+### Scan and add network devices
+
+During the set-up process, you can perform a one time test scan to verify that:
+
+- There is connectivity between the Defender for Endpoint assessment device and the configured target network devices.
+- The configured SNMP credentials are correct.
+
+Each assessment device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same assessment device.
+
+If there are multiple IP address ranges/subnets to scan, the test scan results will take several minutes to show up. A test scan will be available for up to 1,024 addresses.
+
+Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network assessment job (regardless of the deviceΓÇÖs response). The scan results can also be exported.
+
+## Device inventory
+
+Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an assessment job until the devices are updated.
+
+![Network devices section in the Device inventory](images/assessment-jobs-device-inventory.png)
+
+## Troubleshooting
+
+### Network scanner installation has failed
+
+Verify that the required URLs are added to the allowed domains in your firewall settings. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
+
+### The Microsoft.com/devicelogin web page did not show up
+
+Verify that the required URLs are added to the allowed domains in your firewall. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
+
+### Network devices are not shown in the device inventory after several hours
+
+The scan results should be updated a few hours after the initial scan that took place after completing the assessment job configuration.
+
+If devices are still not shown, verify that the service ΓÇÿMdatpNetworkScanServiceΓÇÖ is running on your assessment devices, on which you installed the network scanner, and perform a ΓÇ£Run scanΓÇ¥ in the relevant assessment job configuration.
+
+If you still donΓÇÖt get results after 5 minutes, restart the service.
+
+### Devices last seen time is longer than 24 hours
+
+Validate that the scanner is running properly. Then go to the scan definition and select ΓÇ£Run test.ΓÇ¥ Check what error messages are returning from the relevant IP addresses.
+
+### Required threat and vulnerability management user permission
+
+Registration finished with an error: "It looks like you don't have sufficient permissions for adding a new agent. The required permission is 'Manage security settings in Security Center'."
+
+Press any key to exit.
+
+Ask your system administrator to assign you the required permissions. Alternately, ask another relevant member to help you with the sign-in process by providing them with the sign-in code and link.
+
+### Registration process fails using provided link in the command line in registration process
+
+Try a different browser or copy the sign-in link and code to a different device.
+
+### Text too small or canΓÇÖt copy text from command line
+
+Change command-line settings on your device to allow copying and change text size.
+
+## Related articles
+
+- [Device inventory](machines-view-overview.md)
+- [Configure advanced features](advanced-features.md)
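Review bot: Step 6 under "How to get started" lists Community String and noAuthNoPriv alongside authNoPriv and authPriv without saying which to prefer; neither a community string nor noAuthNoPriv protects the SNMP exchange on the wire, so add a sentence recommending authPriv wherever the network device supports it. Step 8 asks for `*.blob.core.windows.net/networkscannerstable/*` to be allowed and the note below it says these URLs are not in the documented Defender for Endpoint list; link to that list and state what a firewall that can only match on host name is expected to allow. Editorial points in the same file: the introduction paragraph ending "vulnerabilities foron network devices" has a typo and is repeated almost verbatim under "### Vulnerability management for network devices"; "1,500 successful IP addresses scan" and "1,400 IP additional addresses" need rewording; the Permissions paragraph and the first troubleshooting answer are missing their closing periods; and several apostrophes and quotation marks come through as "ΓÇÖ", so check the file encoding or use straight quotes.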
security Preferences Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
Permissions | Manage portal access using RBAC as well as device groups.
APIs | Enable the threat intel and SIEM integration. Rules | Configure suppressions rules and automation settings. Device management | Onboard and offboard devices.
+Network assessments | Choose devices to be scanned regularly and added to the device inventory.
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)] ## Limitations+ 1. You can only run a query on data from the last 30 days.+ 2. The results will include a maximum of 100,000 rows.+ 3. The number of executions is limited per tenant:
- - API calls: Up to 45 calls per minute.
+ - API calls: Up to 45 calls per minute, up to 1500 calls per hour.
- Execution time: 10 minutes of running time every hour and 3 hours of running time a day.+ 4. The maximal execution time of a single request is 10 minutes.+ 5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name
Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run ```
Authorization | Bearer {token}. **Required**.
Content-Type | application/json ## Request body+ In the request body, supply a JSON object with the following parameters: Parameter | Type | Description
Parameter | Type | Description
Query | Text | The query to run. **Required**. ## Response+ If successful, this method returns 200 OK, and _QueryResponse_ object in the response body. ## Example
-Request
+##### Request
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
} ```
-Response
+##### Response
Here is an example of the response.
Here is an example of the response.
} ```
-## Related topic
+## Related topics
+ - [Microsoft Defender for Endpoint APIs introduction](apis-intro.md) - [Advanced Hunting from Portal](advanced-hunting-query-language.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
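Review bot: The new limit reads "up to 1500 calls per hour" while limitation 2 in the same list writes "100,000 rows" with a thousands separator; use "1,500" for consistency. Limitation 5 says the 429 response body tells the caller which limit was reached, so it is worth confirming that the body distinguishes the per-minute quota from the new per-hour quota and saying so. The new "##### Request" and "##### Response" headings sit directly under "## Example" and skip two heading levels; "###" would keep the outline consistent.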
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
Powerful experiences help identify, prioritize, and investigate threats, with ad
- [Threat Explorer and Real-time detections](threat-explorer.md) - [Real-time reports in Defender for Office 365](view-reports-for-mdo.md) - [Threat Trackers - New and Noteworthy](threat-trackers.md)-- Integration with [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-threat-protection)
+- Integration with [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
### Response and remediation
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
- **File**: Click **Choose file**. In the dialog that opens, find and select the .eml or .msg file, and then click **Open**. > [!NOTE]
- > Admins with Defender for Office 365 Plan 1 or Plan 2 are able to submit messages as old as 30 days. Other admins will only be able to go back 7 days.
+ > The ability to submit messages as old as 30 days has been temporarily suspended for Defender for Office 365 customers. Admins will only be able to go back 7 days.
2. In the **Recipients** section, specify one or more recipients that you would like to run a policy check against. The policy check will determine if the email bypassed scanning due to user or organization policies.
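Review bot: The replacement note says the 30-day submission window "has been temporarily suspended" but gives no date and no pointer to where the status will be updated, so a reader cannot tell whether it still applies; add the date the suspension took effect or a link to the announcement. The old text distinguished Plan 1 and Plan 2 admins from "Other admins"; now that the distinction is gone, "All admins will only be able to go back 7 days" would read more clearly than "Admins will only be able to go back 7 days".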
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
To see a more detailed report, click **View simulations and training efficacy re
On the [**Simulations** tab](https://security.microsoft.com/attacksimulator?viewid=simulations), selecting a simulation will take you to the simulation details, where you'll find the **Recommended actions** section.
-The recommended actions section details recommendations as available in [Microsoft Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score). These recommendations are based on the payload used in the simulation, and will help you protect your employees and your environment. Clicking on each improvement action will take you to its details.
+The recommended actions section details recommendations as available in [Microsoft Secure Score](../defender/microsoft-secure-score.md). These recommendations are based on the payload used in the simulation, and will help you protect your employees and your environment. Clicking on each improvement action will take you to its details.
> [!div class="mx-imgBorder"] > ![Recommendation actions section on Attack simulation training](../../media/attack-sim-preview-recommended-actions.png)
security Best Practices For Configuring Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/best-practices-for-configuring-eop.md
These settings cover a range of features that are outside of security policies.
|[IMAP connectivity to mailbox](/Exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access)|Disabled|Disabled|| |[POP connectivity to mailbox](/Exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access)|Disabled|Disabled|| |Authenticated SMTP submission|Disabled|Disabled|Authenticated client SMTP submission (also known as client SMTP submission or SMTP AUTH) is required for POP3 and IMAP4 clients and applications and devices that generate and send email. <p> For instructions to enable and disable SMTP AUTH globally or selectively, see [Enable or disable authenticated client SMTP submission in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission).|
-|EWS connectivity to mailbox|Disabled|Disabled|Outlook uses Exchange Web Services for free/busy, out-of-office settings, and calendar sharing. If you can't disable EWS globally, you have the following options: <ul><li>Use [Authentication policies](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) to prevent EWS from using Basic authentication if your clients support modern authentication (modern auth).</li><li>Use [Client Access Rules](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) to limit EWS to specific users or source IP addresses.</li><li>Control EWS access to specific applications globally or per user. For instructions, see [Control access to EWS in Exchange](/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange).</li></ul> <p> The [Report message add-in](enable-the-report-message-add-in.md) and the [Report phishing add-in](enable-the-report-phish-add-in.md) uses REST by default in supported environments, but will fall back to EWS if REST isn't available. The supported environments that use REST are:<ul><li>Exchange Online</li><li>Exchange 2019 or Exchange 2016</li><li>Current Outlook for Windows from a Microsoft 365 subscription or one-time purchase Outlook 2019.</li><li>Current Outlook for Mac from a Microsoft 365 subscription or one-time purchase Outlook for Mac 2016 or later.</li><li>Outlook for iOS and Android</li><li>Outlook on the web</li></ul>|
+|EWS connectivity to mailbox|Disabled|Disabled|Outlook uses Exchange Web Services for free/busy, out-of-office settings, and calendar sharing. If you can't disable EWS globally, you have the following options: <ul><li>Use [Authentication policies](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online) to prevent EWS from using Basic authentication if your clients support modern authentication (modern auth).</li><li>Use [Client Access Rules](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules) to limit EWS to specific users or source IP addresses.</li><li>Control EWS access to specific applications globally or per user. For instructions, see [Control access to EWS in Exchange](/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange).</li></ul> <p> The [Report message add-in](enable-the-report-message-add-in.md) and the [Report phishing add-in](enable-the-report-phish-add-in.md) uses REST by default in supported environments, but will fall back to EWS if REST isn't available. The supported environments that use REST are:<ul><li>Exchange Online</li><li>Exchange 2019 or Exchange 2016</li><li>Current Outlook for Windows from a Microsoft 365 subscription or one-time purchase Outlook 2019.</li><li>Current Outlook for Mac from a Microsoft 365 subscription or one-time purchase Outlook for Mac 2016 or later.</li><li>Outlook for iOS and Android</li><li>Outlook on the web</li></ul>|
|[PowerShell connectivity](/powershell/exchange/disable-access-to-exchange-online-powershell)|Disabled|Disabled|Available for mailbox users or mail users (user objects returned by the [Get-User](/powershell/module/exchange/get-user) cmdlet).| |Use [spoof intelligence](learn-about-spoof-intelligence.md) to add senders to your allow list|Yes|Yes|| |[Directory-Based Edge Blocking (DBEB)](/Exchange/mail-flow-best-practices/use-directory-based-edge-blocking)|Enabled|Enabled|Domain Type = Authoritative|
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
After you select a message, you have options for what to do with the messages in
- **Remove from quarantine**: After you click **Yes** in the warning that appears, the message is immediately deleted. -- **Block Sender**: This prevents the sender from sending messages to you.
+- **Block Sender**: Prevents the sender from sending messages to you.
When you're finished, click **Close**.
security Grant Access To The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center.md
For more information about the different permissions you can give to users in th
Add-RoleGroupMember -Identity "Organization Management" -Member MatildaS ```
-For detailed syntax and parameter issues, see [Add-RoleGroupMember](https://docs.microsoft.com/powershell/module/exchange/add-rolegroupmember)
+For detailed syntax and parameter issues, see [Add-RoleGroupMember](/powershell/module/exchange/add-rolegroupmember)
### How do you know this worked?
security High Risk Delivery Pool For Outbound Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages.md
ms.prod: m365-security
Email servers in the Microsoft 365 datacenters might be temporarily guilty of sending spam. For example, a malware or malicious spam attack in an on-premises email organization that sends outbound mail through Microsoft 365, or compromised Microsoft 365 accounts. Attackers also try to avoid detection by relaying messages through Microsoft 365 forwarding.
-These scenarios can result in the IP address of the affected Microsoft 365 datacenter servers appearing on third-party block lists. Destination email organizations that use these block lists will reject email from those messages sources.
+These scenarios can result in the IP address of the affected Microsoft 365 datacenter servers appearing on third-party blocklists. Destination email organizations that use these blocklists will reject email from those messages sources.
## High-risk delivery pool To prevent this, all outbound messages from Microsoft 365 datacenter servers that's determined to be spam or that exceeds the sending limits of [the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or [outbound spam policies](configure-the-outbound-spam-policy.md) are sent through the _high-risk delivery pool_.
-The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](backscatter-messages-and-eop.md)). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP block lists.
+The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](backscatter-messages-and-eop.md)). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP blocklists.
-The very real possibility that IP addresses in the high-risk delivery pool will be placed on IP block lists remains, but this is by design. Delivery to the intended recipients isn't guaranteed, because many email organizations won't accept messages from the high risk delivery pool.
+The very real possibility that IP addresses in the high-risk delivery pool will be placed on IP blocklists remains, but this is by design. Delivery to the intended recipients isn't guaranteed, because many email organizations won't accept messages from the high risk delivery pool.
For more information, see [Control outbound spam](outbound-spam-controls.md).
Possible causes for a surge in NDRs include:
- A rogue email server. All of these issues can result in a sudden increase in the number of NDRs being processed by the service. Many times, these NDRs appear to be spam to other email servers and services (also known as _[backscatter](backscatter-messages-and-eop.md)_).-
-## Relay pool
-
-Messages that are forwarded or relayed out of Microsoft 365 are sent using a special relay pool, since the final destination should not consider Microsoft 365 as the actual sender. It's also important for us to isolate this traffic, because there are legitimate and invalid scenarios for autoforwarding or relaying email out of Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used for relayed mail. This address pool is not published since it can change often.
-
-Microsoft 365 needs to verify that the original sender is legitimate so we can confidently deliver the forwarded message. In order to do that, email authentication (SPF, DKIM, and DMARC) needs to pass when the message comes to us. In cases where we can authenticate the sender, we use Sender Rewriting to help the receiver know that the forwarded message is from a trusted source. You can read more about how that works and what you can do to help make sure the sending domain passes authentication in [Sender Rewriting Scheme (SRS)](/office365/troubleshoot/antispam/sender-rewriting-scheme).
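Review bot: The "## Relay pool" section is deleted outright, which removes the statement that forwarded mail needs SPF, DKIM, and DMARC to pass on arrival and the link to Sender Rewriting Scheme (SRS); if that content moved to another article, link to it from this page, otherwise the commit should explain why it is dropped. In the blocklist edits, the touched paragraphs still mix "high risk delivery pool" with "high-risk delivery pool", and "these IP address will appear" should read "these IP addresses".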
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
ms.prod: m365-security
+audience: Admin
f1.keywords: - NOCSH
security Manage Groups In Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-groups-in-eop.md
$CurrentMemberNames += "Tyson Fawcett"
Update-EOPDistributionGroupMember -Identity "Security Team" -Members $CurrentMemberNames ```
-For detailed syntax and parameter information, see [Set-EOPDistributionGroup](https://docs.microsoft.com/powershell/module/exchange/set-eopdistributiongroup) and [Update-EOPDistributionGroupMember](https://docs.microsoft.com/powershell/module/exchange/update-eopdistributiongroupmember).
+For detailed syntax and parameter information, see [Set-EOPDistributionGroup](/powershell/module/exchange/set-eopdistributiongroup) and [Update-EOPDistributionGroupMember](/powershell/module/exchange/update-eopdistributiongroupmember).
### Remove a group using remote Windows PowerShell
This example uses removes the distribution group named IT Administrators.
Remove-EOPDistributionGroup -Identity "IT Administrators" ```
-For detailed syntax and parameter information, see [Remove-EOPDistributionGroup](https://docs.microsoft.com/powershell/module/exchange/remove-eopdistributiongroup).
+For detailed syntax and parameter information, see [Remove-EOPDistributionGroup](/powershell/module/exchange/remove-eopdistributiongroup).
## How do you know these procedures worked?
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
After you select a message, you have several options for what to do with the mes
- **View message header**: Choose this link to see the message header text. To analyze the header fields and values in depth, copy the message header text to your clipboard, and then choose **Microsoft Message Header Analyzer** to go to the Remote Connectivity Analyzer (right-click and choose **Open in a new tab** if you don't want to leave Microsoft 365 to complete this task). Paste the message header onto the page in the Message Header Analyzer section, and choose **Analyze headers**: - **Preview message**: In the flyout pane that appears, choose one of the following options:- - **Source view**: Shows the HTML version of the message body with all links disabled. - **Text view**: Shows the message body in plain text.
After you select a message, you have several options for what to do with the mes
- **Download message**: In the flyout pane that appears, select **I understand the risks from downloading this message** to save a local copy of the message in .eml format. -- **Block Sender**: This blocks the sender from sending emails to the admin recipient mailbox.
+- **Block Sender**: Prevents the sender from sending messages to recipients in the organization.
- **Submit message**: In the flyout pane that appears, choose the following options:
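Review bot: The rewritten **Block Sender** bullet changes the documented scope, not just the wording: the old text limited the block to "the admin recipient mailbox" and the new text says it applies to "recipients in the organization". Please confirm which behavior the quarantine action actually has. If the block is organization-wide, the bullet should also say where the entry ends up so an admin knows how to review or undo it.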
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md
audience: Admin
Last updated 03/22/2021 -+ - it-pro - goldenconfig-+ - M365-identity-device-management - M365-security-compliance # Recommended Microsoft Cloud App Security policies for SaaS apps
-Microsoft Cloud App Security builds on Azure AD conditional access policies to enable real-time monitoring and control of granular actions with SaaS apps, such as blocking downloads, uploads, copy and paste, and printing. This feature adds security to sessions that carry inherent risk, such as when corporate resources are accessed from unmanaged devices or by guest users.
+Microsoft Cloud App Security builds on Azure AD conditional access policies to enable real-time monitoring and control of granular actions with SaaS apps, such as blocking downloads, uploads, copy and paste, and printing. This feature adds security to sessions that carry inherent risk, such as when corporate resources are accessed from unmanaged devices or by guest users.
-Microsoft Cloud App Security also integrates natively with Microsoft Information Protection, providing real-time content inspection to find sensitive data based on sensitive information types and sensitivity labels and to take appropriate action.
+Microsoft Cloud App Security also integrates natively with Microsoft Information Protection, providing real-time content inspection to find sensitive data based on sensitive information types and sensitivity labels and to take appropriate action.
This guidance includes recommendations for these scenarios:+ - Bring SaaS apps into IT management - Tune protection for specific SaaS apps - Configure data loss prevention (DLP) to help comply with data protection regulations ## Bring SaaS apps into IT management
-The first step in using Microsoft Cloud App Security to manage SaaS apps is to discover these and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Azure AD tenant](https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal).
+The first step in using Microsoft Cloud App Security to manage SaaS apps is to discover these and then add them to your Azure AD tenant. If you need help with discovery, see [Discover and manage SaaS apps in your network](/cloud-app-security/tutorial-shadow-it). After you've discovered apps, [add these to your Azure AD tenant](/azure/active-directory/manage-apps/add-application-portal).
You can begin to manage these by doing the following:+ 1. First, in Azure AD, create a new conditional access policy and configure it to "Use Conditional Access App Control." This redirects the request to Cloud App Security. You can create one policy and add all SaaS apps to this policy.
-1. Next, in Cloud App Security, create session policies. Create one policy for each control you want to apply.
+1. Next, in Cloud App Security, create session policies. Create one policy for each control you want to apply.
Permissions to SaaS apps are typically based on business need for access to the app. These permissions can be highly dynamic. Using Cloud App Security policies ensures protection to app data, regardless of whether users are assigned to an Azure AD group associated with baseline, sensitive, or highly regulated protection.
-To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Cloud App Security. In this example, the policies created in Cloud App Security apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files.
-
-<br>
+To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Cloud App Security. In this example, the policies created in Cloud App Security apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files.
![Policies for managing SaaS apps in Cloud App Security](../../media/microsoft-365-policies-configurations/mcas-manage-saas-apps-2.png)
The following table lists the new conditional access policy you must create in A
|Protection level|Policy|More information| ||||
-|All protection levels | [Use Conditional Access App Control in Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad#configure-integration-with-azure-ad) |This configures your IdP (Azure AD) to work with Cloud App Security. |
+|All protection levels|[Use Conditional Access App Control in Cloud App Security](/cloud-app-security/proxy-deployment-aad#configure-integration-with-azure-ad)|This configures your IdP (Azure AD) to work with Cloud App Security.|
+||||
-This next table lists the example policies illustrated above that you can create to protect all SaaS apps. Be sure to evaluate your own business, security, and compliance objectives and then create policies that provide the most appropriate protection for your environment.
+This next table lists the example policies illustrated above that you can create to protect all SaaS apps. Be sure to evaluate your own business, security, and compliance objectives and then create policies that provide the most appropriate protection for your environment.
|Protection level|Policy| |||
-|Baseline | Monitor traffic from unmanaged devices<br><br>Add protection to file downloads from unmanaged devices |
-|Sensitive | Block download of files labeled with sensitive or classified from unmanaged devices (this provides browser only access) |
-| Highly regulated | Block download of files labeled with classified from all devices (this provides browser only access) |
-| | |
-
-For end-to-end instructions for setting up Conditional Access App Control, see [Deploy Conditional Access App Control for featured apps](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad). This article walks you through the process of creating the necessary conditional access policy in Azure AD and testing your SaaS apps.
---
+|Baseline|Monitor traffic from unmanaged devices <p> Add protection to file downloads from unmanaged devices|
+|Sensitive|Block download of files labeled with sensitive or classified from unmanaged devices (this provides browser only access)|
+|Highly regulated|Block download of files labeled with classified from all devices (this provides browser only access)|
+|||
-For more information, see [Protect apps with Microsoft Cloud App Security Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad).
+For end-to-end instructions for setting up Conditional Access App Control, see [Deploy Conditional Access App Control for featured apps](/cloud-app-security/proxy-deployment-aad). This article walks you through the process of creating the necessary conditional access policy in Azure AD and testing your SaaS apps.
+For more information, see [Protect apps with Microsoft Cloud App Security Conditional Access App Control](/cloud-app-security/proxy-intro-aad).
## Tune protection for specific SaaS apps
-You might want to apply additional monitoring and controls to specific SaaS apps in your environment. Cloud App Security allows you to accomplish this. For example, if an app like Box is used heavily in your environment, it makes sense to apply additional controls. Or, if your legal or finance department is using a specific SaaS app for sensitive business data, you can target extra protection to these apps.
+
+You might want to apply additional monitoring and controls to specific SaaS apps in your environment. Cloud App Security allows you to accomplish this. For example, if an app like Box is used heavily in your environment, it makes sense to apply additional controls. Or, if your legal or finance department is using a specific SaaS app for sensitive business data, you can target extra protection to these apps.
For example, you can protect your Box environment with these types of built-in anomaly detection policy templates:+ - Activity from anonymous IP addresses - Activity from infrequent country - Activity from suspicious IP addresses
For example, you can protect your Box environment with these types of built-in a
- Risky Oauth App - Unusual file share activity
-These are examples. Additional policy templates are added on a regular basis. For examples of how to apply additional protection to specific apps, see [Protecting connected apps](https://docs.microsoft.com/cloud-app-security/protect-connected-apps).
-
-[How Cloud App Security helps protect your Box environment](https://docs.microsoft.com/cloud-app-security/protect-box) demonstrates the types of controls that can help you protect your business data in Box and other apps with sensitive data.
+These are examples. Additional policy templates are added on a regular basis. For examples of how to apply additional protection to specific apps, see [Protecting connected apps](/cloud-app-security/protect-connected-apps).
+[How Cloud App Security helps protect your Box environment](/cloud-app-security/protect-box) demonstrates the types of controls that can help you protect your business data in Box and other apps with sensitive data.
## Configure data loss prevention (DLP) to help comply with data protection regulations
-Cloud App Security can be a valuable tool for configuring protection for compliance regulations. In this case, you create specific policies to look for specific data that a regulation applies to and configure each policy to take appropriate action.
+Cloud App Security can be a valuable tool for configuring protection for compliance regulations. In this case, you create specific policies to look for specific data that a regulation applies to and configure each policy to take appropriate action.
-The following illustration and table provide several examples of policies that can be configured to help comply with the General Data Protection Regulation (GDPR). In these examples, policies look for specific data. Based on the sensitivity of the data, each policy is configured to take appropriate action.
+The following illustration and table provide several examples of policies that can be configured to help comply with the General Data Protection Regulation (GDPR). In these examples, policies look for specific data. Based on the sensitivity of the data, each policy is configured to take appropriate action.
![Example Cloud App Security policies for data loss prevention](../../media/microsoft-365-policies-configurations/mcas-dlp.png) |Protection level|Example policies|
-|:|:-|
-| Baseline |Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <br><br>Block downloads of files containing this sensitive information type (ΓÇ¥Credit card number") to unmanaged devices|
-| Sensitive | Protect downloads of files containing this sensitive information type ("Credit card number") to managed devices <br><br>Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices <br><br>Alert when a file with on of these labels is uploaded to OneDrive for Business or Box (Customer data, Human Resources: Salary Data,Human Resources, Employee data)|
-| Highly regulated |Alert when files with this label ("Highly classified") are downloaded to managed devices <p>Block downloads of files with this label ("Highly classified") to unmanaged devices |
-| | |
--
+|||
+|Baseline|Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <p> >Block downloads of files containing this sensitive information type (ΓÇ¥Credit card number") to unmanaged devices|
+|Sensitive|Protect downloads of files containing this sensitive information type ("Credit card number") to managed devices <p> Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices <p> Alert when a file with on of these labels is uploaded to OneDrive for Business or Box (Customer data, Human Resources: Salary Data,Human Resources, Employee data)|
+|Highly regulated|Alert when files with this label ("Highly classified") are downloaded to managed devices <p> Block downloads of files with this label ("Highly classified") to unmanaged devices|
+|||
## Next steps
-For more information about using Cloud App Security, see [Microsoft Cloud App Security documentation](https://docs.microsoft.com//cloud-app-security/).
+For more information about using Cloud App Security, see [Microsoft Cloud App Security documentation](//cloud-app-security/).
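Review bot: In the Next steps line, the new link target `//cloud-app-security/` keeps the doubled slash from the old `https://docs.microsoft.com//cloud-app-security/` URL. A target that begins with `//` is a protocol-relative URL whose host is `cloud-app-security`, not a site-relative path, so it should be `/cloud-app-security/`. In the same hunk, the new Baseline row of the DLP table has a stray `>` before "Block downloads", left over from replacing `<br><br>` with `<p>`, and the Sensitive row still carries "with on of these labels" and "Salary Data,Human Resources" from the old text.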
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
localization_priority: Normal search.appverid:-+ - M365-security-compliance - m365initiative-defender-office365
-description: Microsoft Defender for Office 365 E5 and ATP P1 and ATP P2 customers can now get a 360-degree view of each email with email entity page.
+description: Microsoft Defender for Office 365 E5 and ATP P1 and ATP P2 customers can now get a 360-degree view of each email with email entity page.
# The Email entity page
description: Microsoft Defender for Office 365 E5 and ATP P1 and ATP P2 customer
- [Use email entity page tabs](#use-email-entity-page-tabs) - [New to the email entity page](#new-to-the-email-entity-page)
-Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered on the [Threat Explorer 'email details' fly-out](https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer-views).
+Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered on the [Threat Explorer 'email details' fly-out](threat-explorer-views.md).
## Reach the email entity page Either of the existing Office Security and Compliance center (protection.office.com) or new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page..
-|Center |URL |Navigation |
-||||
-|Security & Compliance |protection.office.com | Threat Management > Explorer |
-|Microsoft 365 security center |security.microsoft.com | Email & Collaboration > Explorer |
+|Center|URL|Navigation|
+||||
+|Security & Compliance |protection.office.com|Threat Management \> Explorer|
+|Microsoft 365 security center |security.microsoft.com|Email & Collaboration \> Explorer|
In Threat Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page.
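Review bot: The two data rows added to the Center/URL/Navigation table keep a space before the pipe after the first cell ("Security & Compliance |", "Microsoft 365 security center |") while every other cell in the rewritten table was trimmed; trim those as well. The sentence directly above the table, unchanged here, also ends in a doubled period ("email entity page..").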
The tabs along the top of the entity page will allow you to investigate email ef
There are new capabilities that come with this email entity page. Here's the list. ### Email preview for Cloud mailboxes+ Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins wonΓÇÖt be able to preview those emails either. > [!WARNING]
->Previewing emails requires a special role called ***Preview*** to be assigned to admins. You can add this role by going to **Permissions & roles** > **Email & collaboration roles** in *security.microsoft.com*, or **Permissions** in *protection.office.com*. Add the ***Preview*** role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.
+> Previewing emails requires a special role called ***Preview*** to be assigned to admins. You can add this role by going to **Permissions & roles** > **Email & collaboration roles** in *security.microsoft.com*, or **Permissions** in *protection.office.com*. Add the ***Preview*** role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.
### Detonation details These details are specific to email attachments and URLs. Users will see enriched detonation details for known malicious attachments or hyperlinks found in their mailboxes, including Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.
-
+ - *Detonation chain*: A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs effected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious. - *Detonation summary*: This gives information on:
- - Detonation time range.
- - Verdict of the attached file, or URL.
- - Related info (file number, URLs, IPs, or Domains), which are other entities examined during detonation.
+ - Detonation time range.
+ - Verdict of the attached file, or URL.
+ - Related info (file number, URLs, IPs, or Domains), which are other entities examined during detonation.
- *Detonation screenshot*: This shows screenshot(s) taken during detonation process. - *Detonation details*: These are the exact behavior details of each process that took place during the detonation.
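Review bot: The *Detonation chain* bullet in this hunk says "all other files or URLs effected by the detonation"; that should be "affected". It is worth fixing in this pass, because this sentence is what explains why a file or URL that is not directly present in the email can still appear in the verdict.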
Users will see enriched detonation details for known malicious attachments or hy
*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab. - *Exchange Transport Rules (ETRs or Mailflow rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
-
+ - *System Overrides*: This is a means of making exceptions to the delivery location intended for a message by overriding the delivery location given by system (as per the threat and detection tech).
-
+ - *Junk Mailbox Rule*: 'Junk' is hidden Inbox rule that's enabled by default in every mailbox.
- - When the Junk email rule is enabled on the mailbox, Exchange Online Protection (EOP) is able to move messages to Junk according to some criteria. The move can be based on spam filtering verdict action *Move message to Junk Email folder*, or on the Blocked Senders list on the mailbox. Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the *Safe Senders* list on the mailbox.
- - When the junk email rule is *disabled* on the mailbox, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action *Move message to Junk Email folder*, or the safe list collection on the mailbox.
-
+ - When the Junk email rule is enabled on the mailbox, Exchange Online Protection (EOP) is able to move messages to Junk according to some criteria. The move can be based on spam filtering verdict action *Move message to Junk Email folder*, or on the Blocked Senders list on the mailbox. Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the *Safe Senders* list on the mailbox.
+ - When the junk email rule is *disabled* on the mailbox, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action *Move message to Junk Email folder*, or the safe list collection on the mailbox.
+ - *Bulk Compliant Level (BCL)*: The Bulk Complaint Level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
-
+ - *Spam Confidence Level (SCL)*: The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. - *Domain Name*: Is the sender domain name.
-
+ - *Domain Owner*: Specifies the owner of the sending domain.
-
+ - *Domain Location*: Specifies the location of the sending domain.
-
+ - *Domain Created Date*: Specifies the date of creation of the sending domain. A newly created domain is something you could be cautious of if other signals indicate some suspicious behavior. *Email Authentication*: Email authentication methods used by Microsoft 365 include SPF, DKIM, and DMARC. - Sender Policy Framework (**SPF**): Describes results for SPF check for the message. Possible values can be:
- - Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.
- - Fail (IP address): The SPF check for the message failed and includes the sender's IP address. This is sometimes called hard fail.
- - Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition.
- - Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.
- - None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result.
- - Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed.
- - Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record.
+ - Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.
+ - Fail (IP address): The SPF check for the message failed and includes the sender's IP address. This is sometimes called hard fail.
+ - Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition.
+ - Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.
+ - None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result.
+ - Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed.
+ - Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record.
- DomainKeys Identified Mail (**DKIM**):
- - Pass: Indicates the DKIM check for the message passed.
- - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.
- - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.
+ - Pass: Indicates the DKIM check for the message passed.
+ - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.
+ - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.
- Domain-based Message Authentication, Reporting and Conformance (**DMARC**):
- - Pass: Indicates the DMARC check for the message passed.
- - Fail: Indicates the DMARC check for the message failed.
- - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.
- - None: Indicates that no DMARC TXT record exists for the sending domain in DNS.
+ - Pass: Indicates the DMARC check for the message passed.
+ - Fail: Indicates the DMARC check for the message failed.
+ - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.
+ - None: Indicates that no DMARC TXT record exists for the sending domain in DNS.
*Composite Authentication*: This is a value is used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation.
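Review bot: The BCL bullet labels the field "Bulk Compliant Level (BCL)" and then defines it as "The Bulk Complaint Level (BCL) of the message"; the label should read "Complaint" to match the definition. Also in this hunk, the Junk Mailbox Rule sub-bullet for the enabled case ends with a sentence about disabling the rule and the Safe Senders list, which restates the disabled case covered by the sub-bullet right after it; keep each sub-bullet to its own case. The trailing context line "This is a value is used by Microsoft 365" has a doubled "is".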
security Mfi Queue Alerts And Queues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues.md
If you click the number of messages on the widget, a **Messages queued** flyout
- **Destination server** - **Last IP address** - **Last error**-- **How to fix**: Common issues and solutions are available. If is a **Fix it now** link is available, click it to fix the problem. Otherwise, click on any available links for more information about the error and possible solutions.
+- **How to fix**: Common issues and solutions are available. If a **Fix it now** link is available, click it to fix the problem. Otherwise, click on any available links for more information about the error and possible solutions.
![Details after clicking on the Queues insight in the Mail flow dashboard](../../media/mfi-queues-details.png)
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
Identity and device access settings and policies are recommended in three tiers:
These capabilities and their recommendations: - Are supported in Microsoft 365 E3 and Microsoft 365 E5.-- Are aligned with [Microsoft Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score) as well as [identity score in Azure AD](/azure/active-directory/fundamentals/identity-secure-score), and will increase these scores for your organization.
+- Are aligned with [Microsoft Secure Score](../defender/microsoft-secure-score.md) as well as [identity score in Azure AD](/azure/active-directory/fundamentals/identity-secure-score), and will increase these scores for your organization.
- Will help you implement these [five steps to securing your identity infrastructure](/azure/security/azure-ad-secure-steps). If your organization has unique environment requirements or complexities, use these recommendations as a starting point. However, most organizations can implement these recommendations as prescribed. Watch this video for a quick overview of identity and device access configurations for Microsoft 365 for enterprise.
-<br>
-<br>
+ > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWxEDQ] > [!NOTE]
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
AIR capabilities are included in [Microsoft Defender for Office 365](defender-fo
- [Antimalware policies](protect-against-threats.md#part-1anti-malware-protection) - [Antiphishing protection](protect-against-threats.md#part-2anti-phishing-protection) - [Antispam protection](protect-against-threats.md#part-3anti-spam-protection)-- [Antiphishing protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-2anti-phishing-protection)-- [Antispam protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-3anti-spam-protection)-- [Safe Links and Safe Attachments](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365)-- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-5verify-atp-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)-- [Zero-hour auto purge for email](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#zero-hour-auto-purge-for-email-in-eop)
+- [Safe Links and Safe Attachments](protect-against-threats.md#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365)
+- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)
+- [Zero-hour auto purge for email](protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop)
In addition, make sure to [review your organization's alert policies](../../compliance/alert-policies.md), especially the [default policies in the Threat management category](../../compliance/alert-policies.md#default-alert-policies).
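Review bot: The Safe Attachments for SharePoint, OneDrive, and Microsoft Teams link does more than switch to a relative path: its fragment changes from `#part-5verify-atp-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on` to `#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on`. Confirm that the Part 5 heading in protect-against-threats.md now produces the new anchor, otherwise the link will not land on the verification step it is meant to point at.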
In addition, make sure to [review your organization's alert policies](../../comp
Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](../../compliance/alert-policies.md#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft 365 security center, and how they're generated: |Alert|Severity|How the alert is generated|
-|:|:|:|
+||||
|A potentially malicious URL click was detected|**High**|This alert is generated when any of the following occurs: <ul><li>A user protected by [Safe Links](safe-links.md) in your organization clicks a malicious link</li><li>Verdict changes for URLs are identified by Microsoft Defender for Office 365</li><li>Users override Safe Links warning pages (based on your organization's [Safe Links policy](set-up-safe-links-policies.md)).</li></ul> <p> For more information on events that trigger this alert, see [Set up Safe Links policies](set-up-safe-links-policies.md).| |An email message is reported by a user as malware or phish|**Informational**|This alert is generated when users in your organization report messages as phishing email using the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md).| |Email messages containing malware are removed after delivery|**Informational**|This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](zero-hour-auto-purge.md).|
Permissions are granted through certain roles, such as those that are described
- Your organization's security operations team (including security readers and those with the **Search and Purge** role) - End users - ## Changes are coming soon in your security center If youΓÇÖre already using AIR capabilities in Microsoft Defender for Office 365, youΓÇÖre about to see some changes in the [improved Microsoft 365 security center](../defender/overview-security-center.md).
The following table lists changes and improvements coming to AIR in Microsoft De
|**Entities** tab|The **Entities** tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The **Entities** tab now includes a **Go hunting** option in addition to the **Open in Explorer** option. You can now use either [Threat Explorer](threat-explorer.md) or [advanced hunting](../defender-endpoint/advanced-hunting-overview.md) to find entities and threats, and filter on results.| |**Actions** tab|The updated **Actions** tab now includes a **Pending actions** tab and an **Actions history** tab. Actions can be approved (or rejected) in a side pane that opens when you select a pending action.| |**Evidence** tab|A new **Evidence** tab shows the key entity findings related to actions. Actions related to each piece of evidence can be approved (or rejected) in a side pane that opens when you select a pending action.|
-|**Action center**|The updated **Action center** ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](https://docs.microsoft.com/microsoft-365/security/defender/mtp-action-center).)
-|**Incidents** page|The **Incidents** page now correlates multiple investigations together to provide a better consolidated view of investigations. ([Learn more about Incidents](https://docs.microsoft.com/microsoft-365/security/defender/incidents-overview).)
-
+|**Action center**|The updated **Action center** ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)|
+|**Incidents** page|The **Incidents** page now correlates multiple investigations together to provide a better consolidated view of investigations. ([Learn more about Incidents](../defender/incidents-overview.md).)|
+|
## Next steps - [See details and results of an automated investigation](air-view-investigation-results.md#view-details-of-an-investigation)-- [Review and approve pending actions](air-remediation-actions.md)
+- [Review and approve pending actions](air-remediation-actions.md)
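Review bot: In the **Action center** row, the added line keeps the doubled pointer "To learn more, see Action center. (To learn more, see [The Action center](../defender/m365d-action-center.md).)"; drop the first, unlinked sentence so the row carries a single reference. Also check the lone `+|` line added after the **Incidents** row: it introduces an otherwise empty row directly ahead of the `## Next steps` heading.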
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
+
+ Title: Step-by-step threat protection stack in Microsoft Defender for Office 365
+f1.keywords:
+ - NOCSH
+++ Last updated : 04/05/2021+
+audience: ITPro
+
+localization_priority: Normal
+description: Follow the path of an incoming message through the threat filtering stack in Microsoft Defender for Office 365.
+ms.technology: mdo
+
+# Step-by-step threat protection in Microsoft Defender for Office 365
+
+The Microsoft Defender for Office 365 protection or filtering stack can be broken out into 4 phases, as in this article. Generally speaking, incoming mail passes through all of these phases before delivery, but the actual path email takes is subject to an organization's Defender for Office 365 configuration.
+
+> [!TIP]
+> Stay tuned till the end of this article for a *unified* graphic of all 4 phases of Defender for Office 365 protection!
+
+## Phase 1 - Edge Protection
+
+Unfortunately, Edge blocks that were once *critical* are now relatively simple for bad actors to overcome. Over time, less traffic is blocked here, but it remains an important part of the stack.
+
+Edge blocks are designed to be automatic. In the case of false positive, senders will be notified and told how to address their issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place, when onboarding new endpoints.
++
+1. **Network throttling** protects Office 365 infrastructure and customers from Denial of Service (DOS) attacks by limiting the number of messages that can be submitted by a specific set of infrastructure.
+
+2. **IP reputation and throttling** will block messages being sent from known bad connecting IP addresses. If a specific IP sends many messages in a short period of time they will be throttled.
+
+3. **Domain reputation** will block any messages being sent from a known bad domain.
+
+4. **Directory-based edge filtering** blocks attempts to harvest an organization's directory information through SMTP.
+
+5. **Backscatter detection** prevents an organization from being attacked through invalid non-delivery reports (NDRs).
+
+6. **Enhanced filtering for connectors** preserves authentication information even when traffic passes through another device before it reaches Office 365. This improves filtering stack accuracy, including heuristic clustering, anti-spoofing, and anti-phishing machine learning models, even when in complex or hybrid routing scenarios.
+
+## Phase 2 - Sender Intelligence
+
+Features in sender intelligence are critical for catching spam, bulk, impersonation, and unauthorized spoof messages, and also factor into phish detection. Most of these features are individually configurable.
++
+1. **Account compromise detection** triggers and alerts are raised when an account has anomalous behavior, consistent with compromise. In some cases, the user account is blocked and prevented from sending any further email messages until the issue is resolved by an organization's security operations team.
+
+2. **Email Authentication** involves both customer configured methods and methods set up in the Cloud, aimed at ensuring that senders are authorized, authentic mailers. These methods resist spoofing.
+ - **SPF** can reject mails based on DNS TXT records that list IP addresses and servers allowed to send mail on the organization's behalf.
+ - **DKIM** provides an encrypted signature that authenticates the sender.
+ - **DMARC** lets admins mark SPF and DKIM as required in their domain and enforces alignment between the results of these two technologies.
+ - **ARC** is not customer configured, but builds on DMARC to work with forwarding in mailing lists, while recording an authentication chain.
+
+3. **Spoof intelligence** is capable of filtering those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious spoofers imitating an organizational, or known external, domain. It separates legitimate 'on behalf of' mail from senders spoofing to deliver spam and phishing messages.
+
+ **Intra-org spoof intelligence** detects and blocks spoof attempts from a domain within the organization.
+
+4. **Cross-domain spoof intelligence** detects and blocks spoof attempts from a domain outside of the organization.
+
+5. **Bulk filtering** lets admins configure a bulk confidence level (BCL) indicating whether the message was sent from a bulk sender. Administrators can use the Bulk Slider in the Antispam policy to decide what level of bulk mail to treat as spam.
+
+6. **Mailbox intelligence** learns from standard user email behaviors. It leverages a user's communication graph to detect when a sender only appears to be someone the user usually communicates with, but is actually malicious. This method detects impersonation.
+
+7. **Mailbox intelligence impersonation** enables or disables enhanced impersonation results based on each user's individual sender map. When enabled, this feature helps to identify impersonation.
+
+8. **User impersonation** allows an admin to create a list of high value targets likely to be impersonated. If a mail arrives where the sender only appears to have the same name and address as the protected high value account, the mail is marked or tagged. (For example, *tr╬▒cye@contoso.com* for *tracye@contoso.com*).
+
+9. **Domain impersonation** detects domains that are similar to the recipient's domain and that attempt to look like an internal domain. For example, this impersonation *tracye@liw╬▒re.com* for *tracye@litware.com*.
+
+## Phase 3 - Content Filtering
+
+In this phase the filtering stack begins to handle the specific contents of the mail, including its hyperlinks and attachments.
++
+1. **Transport rules** (also known as mail flow rules or Exchange transport rules) allow an admin to take a wide range of actions when an equally wide range of conditions are met for a message. All messages that flow through your organization are evaluated against the enabled mail flow rules / transport rules.
+
+2. **Microsoft Defender Antivirus** and two *third-party Antivirus engines* are used to detect all known malware in attachments.
+
+3. The anti-virus (AV) engines are also used to true-type all attachments, so that **Type blocking** can block all attachments of types the admin specifies.
+
+4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. **Attachment reputation blocking** will block that file across all Office 365, and on endpoints, through MSAV cloud calls.
+
+5. **Heuristic clustering** can determine that a file is suspicious based on delivery heuristics. When a suspicious attachment is found, the entire campaign pauses, and the file is sandboxed. If the file is found to be malicious, the entire campaign is blocked.
+
+6. **Machine learning models** act on the header, body content, and URLs of a message to detect phishing attempts.
+
+7. Microsoft uses a determination of reputation from URL sandboxing as well as URL reputation from third party feeds in **URL reputation blocking**, to block any message with a known malicious URL.
+
+8. **Content heuristics** can detect suspicious messages based on structure and word frequency within the body of the message, using machine learning models.
+
+9. **Safe Attachments** sandboxes every attachment for Defender for Office 365 customers, using dynamic analysis to detect never-before seen threats.
+
+10. **Linked content detonation** treats every URL linking to a file in an email as an attachment, asynchronously sandboxing the file at the time of delivery.
+
+11. **URL Detonation** happens when upstream anti-phishing technology finds a message or URL to be suspicious. URL detonation sandboxes the URLs in the message at the time of delivery.
+
+## Phase 4 - Post-Delivery Protection
+
+The last stage takes place after mail or file delivery, acting on mail that is in various mailboxes and files and links that appear in clients like Microsoft Teams.
++
+1. **Safe Links** is MDO's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.
+
+2. **Phish Zero-Hour Auto-purge (ZAP)** retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.
+
+3. **Malware ZAP** retroactively detects and neutralizes malicious malware messages that have already been delivered to Exchange Online mailboxes.
+
+4. **Spam ZAP** retroactively detects and neutralizes malicious spam messages that have already been delivered to Exchange Online mailboxes.
+
+5. **Campaign Views** let administrators see the big picture of an attack, faster and more completely, than any team could without automation. Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns, and then allows admins to investigate them from start to end, including targets, impacts, and flows, that are also available in a downloadable campaign write-up.
+
+6. **The Report Message add-ins** enable people to easily report false positives (good email, mistakenly marked as *bad*) or false negatives (bad email marked as *good*) to Microsoft for further analysis.
+
+7. **Safe Links for Office clients** offers the same Safe Links time-of-click protection, natively, inside of Office clients like Word, PowerPoint, and Excel.
+
+8. **Protection for OneDrive, SharePoint, and Teams** offers the same Safe Attachments protection against malicious files, natively, inside of OneDrive, SharePoint, and Microsoft Teams.
+
+9. When a URL that points to a file is selected post delivery, **linked content detonation** displays a warning page until the sandboxing of the file is complete, and the URL is found to be safe.
++
+## The filtering stack diagram
+
+The final diagram (as with all parts of the diagram composing it) *is subject to change as the product grows and develops*. Bookmark this page and use the **feedback** option you'll find at the bottom if you need to ask after updates. For your records, this is the the stack with all the phases in order:
++
+## More information
+
+Do you need to set up Microsoft Defender for Office 365 ***right now***? Use this stack, *now*, with [this step-by-step](protect-against-threats.md) to start protecting your organization.
+
+*Special thanks from MSFTTracyP and the docs writing team to Giulian Garruba for this content*.
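Review bot: In Phase 2, item 2, the **DKIM** bullet says it "provides an encrypted signature that authenticates the sender"; DKIM signs the message rather than encrypting it, so "cryptographic signature" or "digital signature" is the accurate wording. In the same list, **Intra-org spoof intelligence** is added as an indented paragraph with no number while **Cross-domain spoof intelligence** is item 4, so either number both or nest both under item 3. Smaller wording fixes: "the the stack" in the diagram section, "malicious malware messages" and "malicious spam messages" in Phase 4, and the Domain impersonation example, which is a sentence fragment and whose look-alike domain also drops the "t" from litware.com.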
security Secure Email Recommended Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md
ms.technology: mdo
- [Exchange Online Protection](exchange-online-protection-overview.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - This article describes how to implement the recommended identity and device access policies to protect organizational email and email clients that support modern authentication and conditional access. This guidance builds on the [Common identity and device access policies](identity-access-policies.md) and also includes a few additional recommendations. These recommendations are based on three different tiers of security and protection that can be applied based on the granularity of your needs: **baseline**, **sensitive**, and **highly regulated**. You can learn more about these security tiers, and the recommended client operating systems, referenced by these recommendations in the [recommended security policies and configurations introduction](microsoft-365-policies-configurations.md).
Here are the steps:
To ensure that users of iOS and Android devices can only access work or school content using Outlook for iOS and Android, you need a Conditional Access policy that targets those potential users.
-See the steps to configure this policy in [Manage messaging collaboration access by using Outlook for iOS and Android]( https://docs.microsoft.com/mem/intune/apps/app-configuration-policies-outlook#apply-conditional-access).
+See the steps to configure this policy in [Manage messaging collaboration access by using Outlook for iOS and Android](/mem/intune/apps/app-configuration-policies-outlook#apply-conditional-access).
## Set up message encryption
For more information, see [Set up new Office 365 Message Encryption capabilities
Configure Conditional Access policies for: - [Microsoft Teams](teams-access-policies.md)-- [SharePoint](sharepoint-file-access-policies.md)
+- [SharePoint](sharepoint-file-access-policies.md)
security Set Up Spf In Office 365 To Help Prevent Spoofing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md
For advanced examples, a more detailed discussion about supported SPF syntax, sp
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365.
-[DKIM](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide) email authentication's goal is to prove the contents of the mail haven't been tampered with.
+[DKIM](use-dkim-to-validate-outbound-email.md) email authentication's goal is to prove the contents of the mail haven't been tampered with.
-[DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide) email authentication's goal is to make sure that SPF and DKIM information matches the From address.
+[DMARC](use-dmarc-to-validate-email.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address.
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
A SIEM server can receive data from a wide variety of Microsoft 365 services and
|Microsoft 365 Service or Application|SIEM server inputs/methods|Resources to learn more| |||| |[Microsoft Defender for Office 365](defender-for-office-365.md)|Audit logs|[SIEM integration with Microsoft Defender for Office 365](siem-integration-with-office-365-ti.md)|
-|[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)|HTTPS endpoint hosted in Azure <p> REST API|[Pull alerts to your SIEM tools](../defender-endpoint/configure-siem.md)|
+|[Microsoft Defender for Endpoint](/windows/security/threat-protection/)|HTTPS endpoint hosted in Azure <p> REST API|[Pull alerts to your SIEM tools](../defender-endpoint/configure-siem.md)|
|[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)|Log integration|[SIEM integration with Microsoft Cloud App Security](/cloud-app-security/siem)| |
security Teams Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-access-policies.md
ms.prod: m365-security
+audience: Admin
f1.keywords: - NOCSH
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
In addition to the scenarios outlined in this article, you have many more report
- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](./mdo-for-spo-odb-and-teams.md) - [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md) - [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/defender/mtp-autoir)
+- [Automated investigation and response in Microsoft Threat Protection](../defender/m365d-autoir.md)
## Required licenses and permissions
security View And Release Quarantined Messages From Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-and-release-quarantined-messages-from-shared-mailboxes.md
Previously, the ability for users to manage quarantined messages sent to a share
Now, automapping is no longer required for users to manage quarantined messages that were sent to shared mailboxes. It just works. There are two different methods to access quarantined messages that were sent to a shared mailbox: -- If the admin has [enabled end-user spam notifications](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies) in anti-spam policies, any user that has access to the end-user spam notifications in the shared mailbox can click the **Review** button in the notification to go to quarantine in the Security & Compliance Center. Note that this method only allows users to manage quarantined messages that were sent to the shared mailbox. Users can't manage their own quarantine messages in this context.
+- If the admin has [enabled end-user spam notifications in anti-spam policies](configure-your-spam-filter-policies.md#configure-end-user-spam-notifications), any user that has access to the end-user spam notifications in the shared mailbox can click the **Review** button in the notification to go to quarantine in the Security & Compliance Center. Note that this method only allows users to manage quarantined messages that were sent to the shared mailbox. Users can't manage their own quarantine messages in this context.
- The user can [go to the quarantine in the Security & Compliance Center](find-and-release-quarantined-messages-as-a-user.md). By default, only messages that were sent to the user are shown. However, the user can change the **Sort results** (the **Message ID button** by default) to **Recipient email address**, enter the shared mailbox email address, and then click **Refresh** to see the quarantined messages that were sent to the shared mailbox.
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
The **URL threat protection** report has two aggregated views that are refreshed
- **URL click protection action**: Shows the number of URL clicks by users in the organization and the results of the click: - **Blocked** (the user was blocked from navigating to the URL)
- - **Blocked and clicked through**
- - **Clicked through during scan**
+ - **Blocked and clicked through** (the user has chosen to continue navigating to the URL)
+ - **Clicked through during scan** (the user has clicked on the link before the scan was complete)
A click indicates that the user has clicked through the block page to the malicious website (admins can disable click through in Safe Links policies).
If you are not seeing data in your Defender for Office 365 reports, double-check
[Smart reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md)
-[Role permissions (Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#role-permissions)
+[Role permissions (Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#role-permissions)
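Review bot: The link text on the re-added line still has an unbalanced parenthesis, "[Role permissions (Azure Active Directory]"; since the line is being touched anyway, close it as "Role permissions (Azure Active Directory)".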
solutions Collaborate With People Outside Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-with-people-outside-your-organization.md
Collaborating with people outside your organization consists of two major compon
- **Enable sharing** - Configure the sharing controls across Azure Active Directory, Teams, Microsoft 365 Groups, and SharePoint to allow the level of sharing that you want for your organization. - **Enable additional security** - While the basic sharing features can be configured to require people outside your organization to authenticate, Microsoft 365 provides many additional security and compliance features to help you protect your data and maintain your governance policies while sharing externally.
+Read [Set up secure collaboration with Microsoft 365 and Microsoft Teams](/microsoft-365/solutions/setup-secure-collaboration-with-teams) to learn how external sharing ties in with the overall Microsoft 365 collaboration guidance.
+ ## Enable sharing By default, in Microsoft 365, sharing with people outside your organization is enabled. Many external sharing scenarios work without further configuration. To confirm the settings for a scenario that you're using, or enable a new one, choose from the following options:
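Review bot: The new "Read [Set up secure collaboration with Microsoft 365 and Microsoft Teams]" link uses the site-relative path /microsoft-365/solutions/setup-secure-collaboration-with-teams, although the target appears to sit in the same solutions folder as this article. A relative link to the .md file would match the relative .md links used for in-repo targets in the other files of this update.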
If some of the sharing features in Microsoft 365 conflict with your governance p
[Intro to file collaboration in Microsoft 365](/sharepoint/intro-to-file-collaboration)
-[Plan file collaboration in SharePoint with Microsoft 365](/sharepoint/deploy-file-collaboration)
+[Plan file collaboration in SharePoint with Microsoft 365](/sharepoint/deploy-file-collaboration)
solutions Deploy Threat Protection Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection-configure.md
Title: Steps to configure threat protection capabilities across Microsoft 365
-description: Learn how to deploy threat protection services and capabilities across Microsoft 365 E5.
+description: Use this article as a guide for implementing your threat protection solution. Deploy threat protection services and capabilities across Microsoft 365 E5.
+keywords: security, setup, configuration, Microsoft 365 E5, advanced threat protection
ms.audience: ITPro audience: Admin-+ ms.prod: m365-security ms.technology: m365d localization_priority: Normal
f1.keywords: NOCSH
Follow these steps to configure threat protection across Microsoft 365. - ## Step 1: Set up multi-factor authentication and Conditional Access policies
-[Multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) requires users to verify their identity with a phone call or authenticator app. [Conditional access policies](/azure/active-directory/conditional-access/overview) define certain requirements that must be met in order for users to access apps and data in Microsoft 365. MFA and Conditional Access policies work together to protect your organization. For example, if someone attempts to sign in from a mobile device using an account that is not enabled for MFA, and a Conditional Access policy requires MFA to be in effect, that user will be prevented from signing in.
+[Multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) (MFA) requires users to verify their identity with a phone call or an authenticator app. [Conditional access policies](/azure/active-directory/conditional-access/overview) define certain requirements that must be met in order for users to access apps and data in Microsoft 365. MFA and Conditional Access policies work together to protect your organization. For example, if someone attempts to sign in from a mobile device using an account that is not enabled for MFA, and a Conditional Access policy requires MFA to be in effect, that user is prevented from signing in.
Microsoft has tested and recommends a specific set of Conditional Access and related policies for protecting access to all of your SaaS applications, especially Microsoft 365. Policies are recommended for baseline, sensitive, and highly regulated protection. Begin by implementing the policies for baseline protection.
Microsoft has tested and recommends a specific set of Conditional Access and rel
## Step 2: Configure Microsoft Defender for Identity
-[Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) is a cloud-based security solution that works with your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
+[Microsoft Defender for Identity](/defender-for-identity/what-is) is a cloud-based security solution that works with your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Identity enables security operations (SecOps) analysts and security professionals struggling to detect advanced attacks in hybrid environments to: - Monitor users, entity behavior, and activities with learning-based analytics.
Microsoft Defender for Identity enables security operations (SecOps) analysts an
[Microsoft 365 Defender](../security/defender/microsoft-365-defender.md) combines signals and orchestrates capabilities into a single solution. With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
-Microsoft 365 Defender unifies alerts, incidents, automated investigation and response, and advanced hunting across workloads (Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security) into a single pane of glass experience. After you have configured one or more of your Defender for Office 365 services, turn on Microsoft 365 Defender. New features are added continually to Microsoft 365 Defender; consider opting in to receive preview features.
+Microsoft 365 Defender unifies alerts, incidents, automated investigation and response, and advanced hunting across workloads (Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security) into a single pane of glass experience. New features are added continually to Microsoft 365 Defender; consider opting in to receive preview features.
### To set up Microsoft 365 Defender
Microsoft 365 Defender unifies alerts, incidents, automated investigation and re
[Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md) safeguards your organization against malicious threats in email messages (attachments and URLs), Office documents, and collaboration tools. The following table lists Microsoft Defender for Office 365 features and capabilities that are included in Microsoft 365 E5: |Configuration, protection, and detection capabilities|Automation, investigation, remediation, and education capabilities|
-|||
-|[Safe Attachments](../security/office-365-security/safe-attachments.md)<br/>[Safe Links](../security/office-365-security/safe-links.md)<br/>[Safe Documents](../security/office-365-security/safe-docs.md)<br/>[ATP for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md)<br/>[Anti-phishing in Defender for Office 365 protection](../security/office-365-security/set-up-anti-phishing-policies.md#Exclusive-settings-in-anti-phishing-policies-in Microsoft-Defender-for-Office-365)|[Threat Trackers](../security/office-365-security/threat-trackers.md)<br/>[Threat Explorer](../security/office-365-security/threat-explorer.md)<br/>[Automated investigation and response](../security/office-365-security/office-365-air.md)<br/>[Attack Simulator](../security/office-365-security/attack-simulator.md)|
+|:|:|
+|[Safe Attachments](../security/office-365-security/safe-attachments.md)<br/>[Safe Links](../security/office-365-security/safe-links.md)<br/>[Safe Documents](../security/office-365-security/safe-docs.md)<br/>[ATP for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md)<br/> [Anti-phishing protection in Microsoft 365](../security/office-365-security/anti-phishing-protection.md)|[Threat Trackers](../security/office-365-security/threat-trackers.md)<br/>[Threat Explorer](../security/office-365-security/threat-explorer.md)<br/>[Automated investigation and response](../security/office-365-security/office-365-air.md)<br/>[Attack Simulator](../security/office-365-security/attack-simulator.md)|
| With Microsoft Defender for Office 365, people across your organization can communicate and collaborate more securely, with threat protection for their email content and Office documents.
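Review bot: In the first table cell, the replacement link "[Anti-phishing protection in Microsoft 365](../security/office-365-security/anti-phishing-protection.md)" is broader than the removed one, which targeted the anti-phishing settings exclusive to Defender for Office 365; since this table lists Defender for Office 365 capabilities included in Microsoft 365 E5, consider keeping the link to set-up-anti-phishing-policies.md with a corrected anchor (the old anchor contained a space) instead of dropping the specificity. The same cell still labels the mdo-for-spo-odb-and-teams.md link "ATP for SharePoint, OneDrive, and Microsoft Teams", and the new entry has a stray space after `<br/>` that the other entries do not.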
With Microsoft Defender for Office 365, people across your organization can comm
![Process for deploying Microsoft Defender for Endpoint](../mediatp-steps.png)
-1. [Prepare your environment for Microsoft Defender for Endpoint deployment](/windows/security/threat-protection/microsoft-defender-atp/deployment-phases).
-2. [Set up your Microsoft Defender for Endpoint deployment](/windows/security/threat-protection/micros.oft-defender-atp/production-deployment).
-3. [Onboard to the Microsoft Defender for Endpoint service](/windows/security/threat-protection/microsoft-defender-atp/onboarding).
-4. [Complete your top security administrative tasks](/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation).
+1. [Prepare your environment for Microsoft Defender for Endpoint](../security/defender-endpoint/deployment-phases.md).
+2. [Deploy Microsoft Defender for Endpoint](../security/defender-endpoint/production-deployment.md).
+3. [Onboard to the Microsoft Defender for Endpoint service](../security/defender-endpoint/onboarding.md).
+4. [Complete your top security administrative tasks](../security/defender-endpoint/tvm-security-recommendation.md).
### More information about Microsoft Defender for Endpoint -- [Learn more about Microsoft Defender for Endpoint](/windows/security/threat-protection).-- [Try the Microsoft Defender for Endpoint evaluation lab](/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab).
+- [Learn more about Microsoft Defender for Endpoint](../security/defender-endpoint/microsoft-defender-endpoint.md).
+- [Try the Microsoft Defender for Endpoint evaluation lab](../security/defender-endpoint/evaluation-lab.md).
## Step 6: Configure Microsoft Cloud App Security
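Review bot: The image reference on the unchanged line above the numbered list, `../mediatp-steps.png`, does not follow the `../media/<folder>/<file>.png` layout used by the other images in this article and is worth confirming while this section is being touched. The six links move from site-absolute `/windows/security/...` paths to repo-relative `../security/defender-endpoint/*.md` paths, so please confirm that each target file exists at that relative location and that link validation passes on the build.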
After you have set up and deployed your threat protection services and capabilit
![Microsoft 365 security center](../media/solutions-architecture-center/m365-security-center.png)
-The Microsoft 365 security center is specifically intended for security admins and security operations teams. In the Microsoft 365 security center, you can:
+The Microsoft 365 security center is intended for security admins and security operations teams. In the Microsoft 365 security center, you can:
- View the overall security health of your organization with [Secure Score](https://docs.microsoft.com/microsoft-365/security/defender/microsoft-secure-score).-- [Monitor and view reports](https://docs.microsoft.com/microsoft-365/security/defender/monitoring-and-reporting) on the status of your identities, data, devices, apps, and infrastructure.
+- [Monitor and view reports](../security/defender-endpoint/threat-protection-reports.md) on the status of your identities, data, devices, apps, and infrastructure.
- Connect the dots on alerts through [incidents](https://docs.microsoft.com/microsoft-365/security/defender/incident-queue).-- Use [automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender/mtp-autoir) to address threats.
+- Use [automated investigation and remediation](../security/defender/m365d-autoir.md) to address threats.
- [Proactively hunt for threats](https://docs.microsoft.com/microsoft-365/security/defender/advanced-hunting-overview), such as intrusion attempts or breach activity affecting your email, data, devices, and identities. - [Understand the latest attack campaigns](https://docs.microsoft.com/microsoft-365/security/defender/latest-attack-campaigns) and techniques with threat analytics. - ... and more!
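Review bot: The "Monitor and view reports" bullet now targets `../security/defender-endpoint/threat-protection-reports.md`, a Defender for Endpoint page, while the bullet text promises the status of "identities, data, devices, apps, and infrastructure"; either point it at a Microsoft 365 Defender-level reporting page or narrow the wording. Only two of the six bullets were converted to relative `.md` links; the Secure Score, incidents, advanced hunting, and attack campaigns bullets still use absolute `https://docs.microsoft.com/...` URLs, so the list now mixes both styles and should be converted consistently.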
solutions Deploy Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection.md
Title: Deploy threat protection capabilities across Microsoft 365
-description: Learn how to deploy threat protection services and security capabilities across Microsoft 365 E5.
+description: Get an overview of threat protection services and security capabilities in Microsoft 365 E5. Protect your user accounts, devices, email content, and more with Microsoft 365 E5.
+keywords: threat protection, security, E5, cyberattack, malware, M365, solution
f1.keywords: NOCSH
-# Deploy threat protection capabilities across Microsoft 365
+# Deploy threat protection capabilities across Microsoft 365 E5
-[Malware](/windows/security/threat-protection/intelligence/understanding-malware), and sophisticated cyberattacks, such as [fileless threats](/windows/security/threat-protection/intelligence/fileless-threats), are a common occurrence. Businesses need to protect themselves and their customers with effective IT security capabilities. Cyberattacks can cause major problems for your organization, ranging from a loss of trust to financial woes, business-threatening downtime, and more. Protecting against threats is important, but it can be challenging to determine where to focus your organization's time, effort, and resources.
+This solution describes powerful threat protection capabilities across Microsoft 365 E5. Read this solution to get an overview of what's included, how it works, and how to get started deploying these capabilities in your organization.
-Microsoft security solutions are built into our products and services. Automation and machine learning capabilities reduce the load on your security teams to make sure the right items are addressed. And the strength of Microsoft security solutions is built on trillions of signals we process every day in our [Intelligent Security Graph](/graph/security-concept-overview). Microsoft 365 security solutions include [Microsoft 365 Defender](../security/defender/microsoft-365-defender.md), a solution that brings together signals across your email, data, devices, and identities to paint a picture of advanced threats against your organization.
+## Why protecting against threats is important
+
+[Malware](/windows/security/threat-protection/intelligence/understanding-malware), and sophisticated cyberattacks, such as [fileless threats](/windows/security/threat-protection/intelligence/fileless-threats), are a common occurrence. Businesses need to protect themselves and their customers with effective IT security capabilities. Cyberattacks can cause major problems for your organization, ranging from a loss of trust to financial woes, business-threatening downtime, and more. Protecting against threats is important, but it can be challenging to determine where to focus your organization's time, effort, and resources. Microsoft 365 E5 can help.
+Microsoft security solutions are built into our products and services. Automation and machine learning capabilities reduce the load on your security teams to make sure the right items are addressed. And the strength of Microsoft security solutions is built on trillions of signals we process every day in our [Intelligent Security Graph](/graph/security-concept-overview). Microsoft 365 security solutions include [Microsoft 365 Defender](../security/defender/microsoft-365-defender.md), a solution that brings together signals across your email, data, devices, and identities to paint a picture of advanced threats against your organization.
Watch this video for an overview of the deployment process. <br><br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vsI7]
-Use this article as a guide for implementing your threat protection solution.
## Threat protection in Microsoft 365 E5
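Review bot: The `Title:` metadata on the unchanged line still reads "Deploy threat protection capabilities across Microsoft 365", while the H1 on the added line now ends in "Microsoft 365 E5"; update the title so the two match. The new description also names "Microsoft 365 E5" in two consecutive sentences and could be tightened to one.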
In Microsoft 365 E5, threat protection capabilities are integrated by default. S
![Overview of Microsoft 365 Defender](../media/deploy-threat-protection/deploy-threat-protection-across-m365-overview.png)
-As soon as you deploy any of the Defender for Office 365 capabilities, you can turn on Microsoft 365 Defender, which brings the signals and data together into one place.
+Microsoft 365 Defender brings the signals and data together into a [unified Microsoft 365 security center](/microsoft-365/security/defender/overview-security-center).
-![Conceptual illustration of Microsoft 365 Defender dashboard](../media/deploy-threat-protection/deploy-threat-protection-across-m365-mtp.png)
+> [!div class="mx-imgBorder"]
+> ![Conceptual illustration of Microsoft 365 Defender dashboard](../media/deploy-threat-protection/deploy-threat-protection-across-m365-mtp.png)
The following illustration depicts a recommended path for deploying these individual capabilities.
-![M365 threat protection signals](../media/deploy-threat-protection/deploy-threat-protection-across-m365.png)
+> [!div class="mx-imgBorder"]
+> ![M365 threat protection signals](../media/deploy-threat-protection/deploy-threat-protection-across-m365.png)
|Solution/capabilities |Description | ||| |Multi-factor authentication and Conditional Access |Protect against compromised identities and devices. Begin with this protection because it's foundational. The configuration recommended in this guidance includes Azure AD Identity Protection as a prerequisite. | |Microsoft Defender for Identity | A cloud-based security solution that leverages your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Focus on Microsoft Defender for Identity next because it protects your on-premises and cloud infrastructure, has no dependencies or prerequisites, and can provide immediate security benefits. |
-|Microsoft Defender for Office 365 | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Protections for malware, phishing, spoofing, and other attack types. Configuring Microsoft Defender for Office 365 is recommended next because change control, migrating settings from incumbent system, and other considerations can take longer to deploy. <br><br>Note: Make sure to configure the threat protection capabilities that are included in all Office 365 subscriptions (Exchange Online Protection). |
+|Microsoft Defender for Office 365 | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Protections for malware, phishing, spoofing, and other attack types. Configuring Microsoft Defender for Office 365 is recommended next because change control, migrating settings from incumbent system, and other considerations can take longer to deploy. <p>**NOTE**: Make sure to configure the threat protection capabilities that are included in all Office 365 subscriptions (Exchange Online Protection). |
|Microsoft Defender for Endpoint | An endpoint protection platform that helps prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint can take some time to deploy, but configuration can be done in parallel with other capabilities. | |Microsoft Cloud App Security | A cloud access security broker for discovery, investigation, and governance. You can enable Microsoft Cloud App Security early to begin collecting data and insights. Implementing information and other targeted protection across your SaaS apps involves planning and can take more time. | > [!TIP]
-> Organizations with multiple security teams can implement these capabilities in parallel.
+> Organizations who have multiple security teams can implement these capabilities in parallel.
-## Deploy your threat protection solution
+## Plan to deploy your threat protection solution
-To make sure your organization has the best protection possible, set up and deploy your security solution to include the following steps:
+The following diagram illustrates the high-level process for deploying threat protection capabilities.
-1. [Set up multi-factor authentication and Conditional Access policies](deploy-threat-protection-configure.md#step-1-set-up-multi-factor-authentication-and-conditional-access-policies)
-2. [Configure Microsoft Defender for Identity](deploy-threat-protection-configure.md#step-2-configure-microsoft-defender-for-identity)
-3. [Turn on Microsoft 365 Defender](deploy-threat-protection-configure.md#step-3-turn-on-microsoft-365-defender)
-4. [Configure Defender for Office 365](deploy-threat-protection-configure.md#step-4-configure-microsoft-defender-for-office-365)
-5. [Configure Microsoft Defender for Endpoint](deploy-threat-protection-configure.md#step-5-configure-microsoft-defender-for-endpoint)
-6. [Configure Microsoft Cloud App Security](deploy-threat-protection-configure.md#step-6-configure-microsoft-cloud-app-security)
-7. [Monitor status and take actions](deploy-threat-protection-configure.md#step-7-monitor-status-and-take-actions)
-8. [Train users](deploy-threat-protection-configure.md#step-8-train-users)
+![Process for deploying threat protection capabilities](../media/deploy-threat-protection/deploy-threat-protection-across-m365-grid.png)
+
+To make sure your organization has the best protection possible, set up and deploy your security solution by using a process that includes the following steps:
+
+1. [Set up multi-factor authentication and Conditional Access policies](deploy-threat-protection-configure.md#step-1-set-up-multi-factor-authentication-and-conditional-access-policies).
+2. [Configure Microsoft Defender for Identity](deploy-threat-protection-configure.md#step-2-configure-microsoft-defender-for-identity).
+3. [Turn on Microsoft 365 Defender](deploy-threat-protection-configure.md#step-3-turn-on-microsoft-365-defender).
+4. [Configure Defender for Office 365](deploy-threat-protection-configure.md#step-4-configure-microsoft-defender-for-office-365).
+5. [Configure Microsoft Defender for Endpoint](deploy-threat-protection-configure.md#step-5-configure-microsoft-defender-for-endpoint).
+6. [Configure Microsoft Cloud App Security](deploy-threat-protection-configure.md#step-6-configure-microsoft-cloud-app-security).
+7. [Monitor status and take actions](deploy-threat-protection-configure.md#step-7-monitor-status-and-take-actions).
+8. [Train users](deploy-threat-protection-configure.md#step-8-train-users).
+
+Your threat protection features can be configured in parallel, so if you have multiple network security teams responsible for different services, they can configure your organizationΓÇÖs protection features at the same time.
+
+## Next step
+
+Proceed to [Configure threat protection capabilities across Microsoft 365](deploy-threat-protection-configure.md).
-Your threat protection features can be configured in parallel, so if you have multiple network security teams responsible for different services, they can configure your organizationΓÇÖs protection features at the same time. The following diagram illustrates the high-level process for deploying threat protection capabilities.
-![Process for deploying threat protection capabilities](../media/deploy-threat-protection/deploy-threat-protection-across-m365-grid.png)
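Review bot: The added paragraph beginning "Your threat protection features can be configured in parallel" carries over a mis-encoded apostrophe from the removed line (`organizationΓÇÖs`); replace it with a plain apostrophe so it renders as "organization's". That paragraph also repeats what the TIP after the table already says about multiple security teams working in parallel, so one of the two could be dropped. In the Defender for Office 365 table row, the new `<p>**NOTE**:` opens a `<p>` that is never closed inside the cell; close it or keep the previous `<br><br>`. In the TIP, "Organizations who have" reads better as "Organizations that have".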