Updates from: 04/09/2021 04:05:38
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft365 Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww.md
The Microsoft 365 **Reports** dashboard shows you the activity overview across t
You can get a view into your user's Microsoft 365 Apps activity by looking at the **Users** and **Platform** charts.
-![Microsoft 365 Apps usage report](../../media/0bcf67e6-a6e4-4109-a215-369f9f20ad84.png)
+> [!div class="mx-imgBorder"]
+> ![Microsoft 365 Apps usage report](../../media/0bcf67e6-a6e4-4109-a215-369f9f20ad84.png)
|Item|Description| |:--|:--|
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|Global reader | Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings. | |Groups admin | Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 admin center and Azure Active Directory portal. <br><br> Groups admins can:<br> - Create, edit, delete, and restore Microsoft 365 groups <br> - Create and update group creation, expiration, and naming policies <br> - Create, edit, delete, and restore Azure Active Directory security groups| |Helpdesk admin | Assign the Helpdesk admin role to users who need to do the following:<br> - Reset passwords <br> - Force users to sign out <br> - Manage service requests <br> - Monitor service health <br> <br> **Note**: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. |
-|License admin | Assign the License admin role to users who need to assigm amd remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing |
+|License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing |
|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. | |Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health |
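Review bot: In the role table, the Service support admin row right after the corrected License admin row still reads "as an additional role to admins or users need to do the following", which is missing "who". This change is already a wording fix in the same table, so correct it here too: "to admins or users who need to do the following".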
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
+
+ Title: "Manage Microsoft feedback for your organization"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Manage feedback your users can send to Microsoft about Microsoft products."
++
+# Manage Microsoft feedback for your organization
+
+As the admin of a Microsoft 365 organization, there are now several policies to help you manage the feedback collection and the customer engagement experience of your users when using Microsoft 365 applications. You can create and use existing Azure Active directory groups in your organization for each of these policies. With these polices, you can control how different departments in your organization can send feedback to Microsoft. Microsoft reviews all feedback submitted by customers and uses this feedback to improve the product. Keeping the feedback experiences turned **On** allows you to see what your users are saying about the Microsoft products they're using. The feedback we collect from your users will soon be available in the Microsoft 365 admin center.ΓÇ¥
+
+To learn more about the types of feedback and how Microsoft uses user feedback, see [Learn about Microsoft feedback for your organization](../misc/feedback-user-control.md).
+
+The table below represents which apps and services are currently connected to the feedback policies shown in the feedback policies table below. See below the table for screenshot examples.
+
+|**Apps & Services**|**In-product feedback** <br> |**In-product surveys** <br> |**Metadata collection** <br> |**Customer engagement** <br> |
+|:--|:--|:--|:--|:--|
+|**Access**|Yes|Yes|Yes|Yes|
+|**Excel**|Yes|Yes|Yes|Yes|
+|**Office.com**|Coming soon|Coming soon|Coming soon|Coming soon|
+|**OneNote**|Yes|Yes|Yes|Yes|
+|**OneDrive**|[Some settings currently managed by other controls.](/onedrive/disable-contact-support-send-feedback)||||
+|**Outlook**|Coming soon|Coming soon|Coming soon|Coming soon|
+|**PowerPoint**|Yes|Yes|Yes|Yes|
+|**Project**|Coming soon|Coming soon|Coming soon|Coming soon|
+|**Publisher**|Yes|Yes|Yes|Yes|
+|**SharePoint**|[Some settings currently managed by other controls.](/powershell/module/sharepoint-online/set-spotenant)||||
+|**Teams**|[Some settings currently managed by other controls.](/microsoftteams/manage-feedback-policies-in-teams)||||
+|**Word**|Yes|Yes|Yes|Yes|
+|**Visio**|Yes|Yes|Yes|Yes|
+|**Yammer**|Yes|Yes|Yes|Yes|
+
+[See here for some examples of in-product surveys and feedback.](https://docs.microsoft.com/microsoft-365/admin/misc/feedback-user-control?view=o365-worldwide#in-product-surveys)
+
+**Metadata collection**
++
+**Customer engagement**
++
+## Before you begin
+
+Your devices must be on a minimum build number to use these policies. See the table below for more information.
+
+|**Build #**|**Win32**|**iOS**|**Android**|**Mac**|**Web**|
+|:--|:--|:--|:--|:--|:--|
+|In-product feedback|At least 16.0.13328|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
+|In-product surveys|At least 16.0.13328|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
+|Metadata collection|At least 16.0.13328|At least 2.42|At least 16.0.13328|At least 16.42|Publicly available|
+|Customer engagement|At least 16.0.13328|At least 2.42|At least 16.0.13426|At least 16.42|Pending rollout|
+
+## Specific policies you can configure
+
+### Feedback policies
+
+|**Policy name**|**Default state**|**Control summary**|
+|:--|:--|:--|
+|Allow users to submit feedback to Microsoft|On|Controls feedback entry points across applications|
+|Allow users to receive and respond to in-product surveys from Microsoft|On|Controls survey prompts within product|
+|Allow users to include screenshots and attachments when they submit feedback to Microsoft|Off|Determines what metadata the user can decide to submit with feedback/survey|
+|Allow Microsoft to follow up on feedback submitted by users|Off|Determines if user can share contact info with feedback/survey|
+|Allow users to include log files and content samples when feedback is submitted to Microsoft|Off|Determines metadata the user can decide to submit with feedback/survey|
+
+## Configure policies
+
+1. Go to [https://config.office.com](https://config.office.com) and login as a user with global admin permissions.
+1. Select **Customization** then **Policy Management**.
+1. Select **Create**.
+1. Enter **name** and **description**.
+1. Choose the Azure Active directory groups that you want to configure.
+1. Search for **Feedback** and **Survey**.
+1. For each policy listed, set the value you want.
+
+For more information, see [Overview of the Office cloud policy service](/deployoffice/overview-office-cloud-policy-service).
+
+These policy settings are also available if you use Group Policy. To use these policy settings, download at least version 5146.1000 of the [Administrative Template files (ADMX/ADML)](https://www.microsoft.com/download/details.aspx?id=49030), released on March 22, 2021.
+
+You can find these policy settings under User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center.
+
+> [!NOTE]
+> It takes a few hours for the client applications to update.
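Review bot: Step 1 of "Configure policies" tells the reader to sign in to config.office.com "as a user with global admin permissions", but the About admin roles article in this same update describes the Office Apps admin role as the one that can "Use the Office cloud policy service to create and manage cloud-based policies for Office". If that role is sufficient for these feedback policies, name it in step 1 so admins are not steered to Global admin for a routine policy change. Smaller points in the same file: the intro paragraph has "polices" for "policies" and ends with a stray closing quotation mark after "admin center.", "Azure Active directory" is capitalized inconsistently, and the **Metadata collection** and **Customer engagement** labels after the apps table have no content under them.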
admin Manage Industry News https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-industry-news.md
description: "Provide your users with up-to-date news headlines about your indus
# Manage Industry news
-To provide your users with up-to-date news headlines about your industry and info from your organization, use the [News](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews) service to enable a customized news feed for your organization. You can also manage settings for the Bing homepage and Microsoft Edge new tab page (Starting with the release of Edge 87).
+To provide your users with up-to-date news headlines about your industry and info from your organization, use the News service to enable a customized news feed for your organization. You can also enable a daily Industry Updates email, and manage settings for the Bing homepage and Microsoft Edge new tab page (starting with release of Edge 87).
## What your users will see+
+You have the option to send your users a daily Industry Updates email with headlines and links to full articles. Users can customize their email updates by following additional topics, choosing when the update is delivered, excluding articles behind paywalls, and selecting the number of articles they want to see.
+
+Signed-in users who go to the Bing homepage see your industry's news feed under the personalized info for your organization. 
-Signed-in users who go to the Bing homepage will see your industry's news feed under the personalized info for your organization. 
:::image type="content" source="../../media/manage-industry-news-2.jpg" alt-text="Screenshot of image carousel with industry news from the web":::++ They can also see company, industry, and internal news or personalized work information on their Microsoft Edge new tab page. :::image type="content" source="../../media/manage-industry-news-3.png" alt-text="Microsoft in news homepage"::: ## News settings
-As an admin, you control the News feed settings for your organization, including the selected industry and the Bing homepage, along with the Microsoft Edge new tab page (Starting with the release of Edge 87).
+As an admin, you control the News feed settings for your organization, including the selected industry and the Bing homepage, the Microsoft Edge new tab page (Starting with the release of Edge 87), and the email experiences.
+
+1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [**News**](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews).
+
+1. In the **News** panel, click the **General** tab.
+
+1. In the **Industry** list, select your organization's industries. This determines the general news that appears in your organization news feed. Microsoft may pre-select an industry using information from your account. You can remove or add industries by updating the **Industry** list.
+
+1. In the **Topics** field, enter topics that you want see news articles about. Your users can't change these topics.
+
+1. You can block articles containing keywords in the **Exclude content** field. For example, to avoid articles containing the keyword ΓÇ£bakeΓÇ¥ from showing up in the news feed, add the keyword ΓÇ£bakeΓÇ¥ in the **Exclude content** field. Avoid including general terms (the, it, and, etc.); they can block relevant content from appearing in your enterprise news feeds.
-1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [News](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews)
-2. In the **News** panel, click the **General** tab
-3. In the **Industry** list, select your organization's industries. This determines the general news that appears in your organization's new feed. Microsoft may pre-select an industry using information from your account. You may remove or add industries by updating the Industry list.
-4. In the **Topics** field, enter topics that you want see news articles about. Your users will not be able to change these topics.
-5. You can block articles containing keywords in the **Exclude content** field. For example, to avoid articles containing the keyword ΓÇ£bakeΓÇ¥ from showing up in the news feed, add the keyword ΓÇ£bakeΓÇ¥ in the Exclude content field. Avoid including general terms (the, it, and, etc.), they can block relevant content from appearing in your enterprise news feeds.
-6. Select **Save**. It may take up to 24 hours for changes to appear.
+1. Select **Save**. It may take up to 24 hours for changes to appear.
+
+## Industry updates in email
+
+You can send a daily email update with relevant industry news to your users' inboxes. To set daily email updates for users:
+
+1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [**News**](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews).
+
+1. In the **News** panel, click the **Industry Updates** tab.
+
+1. Select **Send daily email updates** to send an email to your users.
+
+1. To give users the ability to customize the news they get in their email updates, select **Allow users to customize their own topics**.
## Bing homepage You can customize the Bing homepage to include news about your industry.
-1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [News](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews).
-2. In the **News** panel, click the **Bing homepage** tab, and select **Include on Bing homepage**.
-3. The industry news appears under the personalized info from your organization on Bing.com.
+1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [**News**](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews).
+
+1. In the **News** panel, click the **Bing homepage** tab, and select **Include on Bing homepage**.
+
+ The industry news appears under the personalized info from your organization on Bing.com.
## Microsoft Edge new tab page When your users sign in to Microsoft Edge (release 87 or higher) with a valid work or school account, they can see news tailored to your organization.
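Review bot: The new "Industry updates in email" procedure stops after "Allow users to customize their own topics" with no save step, while the General tab procedure in the same article ends with "Select **Save**. It may take up to 24 hours for changes to appear." If the Industry Updates tab also needs a save, add that step and say how long the email setting takes to apply. Also in this hunk: the rewritten Topics step keeps "topics that you want see" (missing "to"), and "(Starting with the release of Edge 87)" in the News settings paragraph is still capitalized mid-sentence, while the intro now lowercases it but reads "starting with release of Edge 87" (missing "the").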
When your users sign in to Microsoft Edge (release 87 or higher) with a valid wo
1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > [News](https://admin.microsoft.com/adminportal/home?#/Settings/Services/:/Settings/L1/BingNews). 2. In the **News** panel, click **Microsoft Edge new tab page**. 3. Select **Allow Office 365 content on the new tab page**. When enabled, users can customize their new tab to show information from Office 365, including recommended and recent files, along with frequently used SharePoint sites and other information.
-4. Select **Show company information and industry news on the new tab page**. News articles about your organization and industry will appear for users that choose to see articles on their new tab page.
+4. Select **Show company information and industry news on the new tab page**. News articles about your organization and industry appear for users that choose to see articles on their new tab.
## Related articles
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
For additional information about purchasing and licensing Microsoft 365 apps fro
For more info on how partners create these apps, see [How to plan a SaaS offer for the commercial marketplace](https://go.microsoft.com/fwlink/?linkid=2158277)
-The Integrated apps portal is only accessible to global admins and available to WorldWide customers only. This feature is not available in sovereign and government clouds.
+The Integrated apps portal is only accessible to global admins and available to world wide customers only. This feature is not available in sovereign and government clouds.
The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from partners which are deployed your organization. Only web apps, SPFx apps, Office add-ins and Teams apps are listed. For web apps, we you can see 2 kinds of apps.
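Review bot: "world wide customers" in the changed sentence should be one word, "worldwide customers"; the edit swaps one nonstandard spelling ("WorldWide") for another. The paragraph that follows also needs a pass while this file is open: "which are deployed your organization" is missing "in", and "we you can see 2 kinds of apps" has a leftover "we".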
admin Feedback User Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/feedback-user-control.md
+
+ Title: "Learn about Microsoft feedback for your organization"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Learn about feedback your users can send to Microsoft about Microsoft products."
++
+# Learn about Microsoft feedback for your organization
+
+User feedback is a critical signal for Microsoft to understand user experiences with Microsoft products. Microsoft values our usersΓÇÖ opinions. User feedback goes directly to our engineers and helps us shape the future of Microsoft products and services for all our users.
+In this topic, you'll find information on what types of feedback exist, how we collect it, what we collect and how we handle the data.
+
+As an admin, you can manage the feedback signal for your organization. WeΓÇÖre introducing a new set of policy settings to help you manage user feedback collection within the Microsoft 365 applications for your organization. These policy settings will help you target Azure Active Directory groups and configure the feedback collection experience for your organization. User feedback goes directly to our engineers and helps us shape the future of Microsoft products and services for all our users. You can learn more about these policy settings, which applications they apply to, and best practices at [Manage Microsoft feedback for your organization](../manage/manage-feedback-ms-org.md).
+
+## Feedback types
+
+### In-product feedback
+
+If your users are using one of Microsoft's apps and wish to provide feedback, there are various ways to do that from within the apps they're using. Users can use these different ways to share product and feature feedback with us. One of the most common ways to share feedback through Microsoft apps is under the Help menu. Selecting **Help** > **Feedback** from most Microsoft apps launches a feedback page, which allows users to submit feedback to Microsoft.
+
+#### In-product feedback examples
++
+### In-product surveys
+
+Users can also rate their experience and provide additional information about their experience via system-initiated survey prompts. These prompts occur within the Microsoft 365 products from time to time. When prompted, users can choose if they want to provide feedback. The survey prompts typically appears at the bottom right of the app. If the user decides to provide feedback, dismisses the prompt, or lets the prompt disappear on its own, that user will not see the survey again for some time. Microsoft also leverages a governance process to limit the number of these system-initiated surveys. The intent of governance is to ensure users aren't overwhelmed by the number of survey prompts.
+++
+## What kind of feedback is best?
+
+Detailed and actionable feedback is vital for making changes and improvements in Microsoft products. If your users have issues, or suggestions for how we can improve, weΓÇÖd like to hear it. Below are a few tips and examples on actionable feedback sent to Microsoft.
+
+- **Concise and descriptive title** Descriptive and specific titles help us understand the issue being reported. Example: ExcelΓÇÖs **Recent files** list doesn't include recently added OneDrive files.
+- **Focus on one issue at a time** Provide feedback for one issue or recommendation one item at a time. This ensures the correct logs and data are received with each submission and can be assigned for follow-up. If you have more than one issue, submit a new feedback request for each issue. This helps us identify the volume of feedback weΓÇÖre receiving on a particular issue.
+- **Write details in the Description box** Information about your device, operating system, and apps are automatically included in each reported feedback. Add any additional info about an issue you think is important. For example, include detailed steps to reproduce the issue.
+
+## How Microsoft uses feedback
+
+Microsoft uses feedback to improve Microsoft products. We get user feedback in the form of questions, problems, compliments, and suggestions. We make sure this feedback makes it back to the appropriate teams, who use feedback to identify, prioritize and make improvements to Microsoft products. Feedback is essential for our product teams to understand our user's experiences, and directly influences the priority of fixes and improvements.
+
+### What do we collect?
+
+When a user submits feedback, app information is usually collected along with app ratings and feedback descriptions. If you've enabled the policy, we may allow users to submit screenshots and logs to help us debug and resolve problems the user may be running into. Here are the most common items collected or calculated.
+
+- **Comments** User submitted comments in the original language.
+- **App** Microsoft product we got the feedback from.
+- **Date Submitted** Date and time we got the feedback.
+- **User Id** Azure Active directory Id or email address of the authenticated user submitting the feedback. Anonymous feedback is allowed but not shown in this view.
+- **User Email** If the user is ok with providing their email address for follow-up.
+- **Language or Comment Language** Original language the comment was submitted in.
+- **Feedback Type** Survey feedback or in-app feedback.
+- **Survey Questions** Questions that we asked the user during the survey.
+- **Survey Responses** User responses to survey questions.
+- **Channel** Channel of Microsoft product related to the feedback.
+- **App Build** Build number of Microsoft product that was captured on submission.
+- **App Language** Language of Microsoft product that was captured on submission.
+- **Attachments** Were any attachments (i.e screenshots, files) collected as part of the feedback? (Yes/No).
+- **TenantId** If feedback is submitted from an Azure Active Directory account, which TenantId was associated.
+
+## Data handling and privacy
+
+We work to earn trust by ensuring that we focus on core data handling and data privacy principles.
+We make sure the feedback we receive is stored and handled under Microsoft governance rules, and that it can only be accessed for approved uses.
+
+We put you in control of your privacy with easy-to-use tools and clear choices. We're transparent about how we collect and use data, so you can make informed decisions about what you want to share. We protect the data you entrust to us with strong security and encryption. We respect local privacy laws and fight for legal protection of your privacy as a human right. We don't use your email, chat, files, or other personal content to target ads to you. When we collect data, we use it to make your experiences better. Learn more about MicrosoftΓÇÖs approach to privacy [here](https://privacy.microsoft.com/). Learn more about our [Privacy overview](/compliance/assurance/assurance-privacy).
+
+## How can I see my user's feedback?
+
+Coming soon, we'll be sharing the feedback data we collect for Microsoft products back to you. We're working on a new experience in the Microsoft 365 admin center that let's you view, delete and export the feedback data for your organization. This gives you direct transparency and useful insights into your usersΓÇÖ experiences with Microsoft 365 products.
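Review bot: In "What do we collect?", the **User Id** item says "Anonymous feedback is allowed but not shown in this view", but the article never introduces a view, and the closing section says the admin center experience is still "Coming soon". Reword the item to state what is recorded for anonymous feedback. The lead-in to that list also says "If you've enabled the policy" without naming which policy governs screenshots and logs; name the two policies from the feedback policies table in the Manage article, since this sentence is what an admin reads when deciding what data leaves the tenant. Minor: the sentence "User feedback goes directly to our engineers..." appears in both of the first two paragraphs, "The survey prompts typically appears" should be "prompts typically appear", "i.e" in **Attachments** should be "e.g.", and "let's you view" should be "lets you view".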
admin Microsoft Bing News For Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/microsoft-bing-news-for-work.md
Title: "Microsoft Bing News for Work"
+ Title: "Microsoft Industry Updates"
f1.keywords: - NOCSH
description: "A daily roundup of news, trends, and stories related to your company, work, or industry delivered fresh to your inbox."
-# Microsoft Bing News for Work
+# Microsoft Industry Updates
Stay up to date with what's happening in your industry. Every morning, you'll get a roundup of news, interesting trends, and stories related to your company, work, or industryΓÇödelivered fresh to your inbox. [Subscribe now](https://www.bing.com/news/professional?pn=setting&mkt=en-us&asnl=1&form). ## What is it?
-Leveraging the power of MicrosoftΓÇÖs Bing search engine, News for Work is a collection of the most important work news from around the web, selected just for you.
+Leveraging the power of MicrosoftΓÇÖs Bing search engine, Industry Updates is a collection of the most important work news from around the web, selected just for you.
## How does it work? Customize your experience by following topics and interests. Get news about your company, track industry trends and be the first to know about key product launches. Plus get caught up on skills and information youΓÇÖll need to grow your career.
-## How do I customize my News for Work email?
+## How do I customize my Industry Updates email?
-To customize your experience, visit the settings page to follow the topics and interests important to you. Access your personal settings page by bookmarking [Customize your content on Bing, Edge and Industry Updates newsletter](https://www.bing.com/news/professional?pn=setting&mkt=en-us&form=BAWLOG&frb=1) or clicking on the settings button in your News for Work email.
+To customize your experience, visit the settings page to follow the topics and interests important to you. Access your personal settings page by bookmarking [Customize your content on Bing, Edge and Industry Updates newsletter](https://www.bing.com/news/professional?pn=setting&mkt=en-us&form=BAWLOG&frb=1) or clicking on the settings button in your Industry Updates email.
-[Subscribe](https://www.bing.com/news/professional?pn=setting&mkt=en-us&asnl=1&form=BAWLOG&frb=1) and get News for Work email delivered to your inbox today!
+[Subscribe](https://www.bing.com/news/professional?pn=setting&mkt=en-us&asnl=1&form=BAWLOG&frb=1) and get Industry Updates email delivered to your inbox today!
## Contact us
-If you have more questions or feedback, contact Bing Industry News Customer <IndustryNewsSupport@microsoft.com>.
+If you have more questions or feedback, email <IndustryNewsSupport@microsoft.com>.
admin Configure Focused Inbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/configure-focused-inbox.md
description: "Learn to configure Focused Inbox for all or specific users of your
# Configure Focused Inbox for everyone in your organization
- If you're responsible for configuring how email works for EVERYONE in a business this article is for you! It explains how to customize it or turn it off for your business, and answers [frequently asked questions](#faq-for-focused-inbox). <br/> If you would like to turn off Focused Inbox for just yourself, please see [Turn off Focused Inbox](https://support.microsoft.com/office/f714d94d-9e63-4217-9ccb-6cb2986aa1b2).
+If you're responsible for configuring how email works for EVERYONE in a business this article is for you! It explains how to customize it or turn it off for your business, and answers [frequently asked questions](#faq-for-focused-inbox).
+
+If you would like to turn off Focused Inbox for just yourself, please see [Turn off Focused Inbox](https://support.microsoft.com/office/f714d94d-9e63-4217-9ccb-6cb2986aa1b2).
If you want to be sure that your users receive business-specific email messages, for example, from HR or payroll, you can configure Focused Inbox so these messages reach the Focused view. You can also control whether users in your organization see the Focused Inbox in their mailbox.
If you want to be sure that your users receive business-specific email messages,
You use PowerShell to turn Focused Inbox on or off for everyone in your organization. Do you want to do this in the Microsoft 365 admin center? Let our Engineering team know. **[Vote here!](https://go.microsoft.com/fwlink/?linkid=862489)**
- **To turn off Focused Inbox:**
+**To turn off Focused Inbox:**
The following PowerShell example turns Focused Inbox **Off** in your organization. However, it doesn't block the availability of the feature for your users. If they want, they can still re-enable Focused Inbox again on each of their clients.
The following PowerShell example turns Focused Inbox **Off** in your organizatio
3. Run the **Get-OrganizationConfig** cmdlet.
- ``` PowerShell
-Get-OrganizationConfig
- ```
+ ```powershell
+ Get-OrganizationConfig
+ ```
4. Look for **FocusedInboxOn** to view its current setting:
Get-OrganizationConfig
5. Run the following cmdlet to turn Focused Inbox off.
- ``` PowerShell
- Set-OrganizationConfig -FocusedInboxOn $false
- ```
+ ```powershell
+ Set-OrganizationConfig -FocusedInboxOn $false
+ ```
6. Run the **Get-OrganizationConfig** cmdlet again and you'll see that FocusedInboxOn is set to $false, which means it's been turned off.
- **To turn on Focused Inbox:**
+**To turn on Focused Inbox:**
- In Step 5 above, run the following cmdlet to turn Focused Inbox on.
- ``` PowerShell
- Set-OrganizationConfig -FocusedInboxOn $true
- ```
-
+ ```powershell
+ Set-OrganizationConfig -FocusedInboxOn $true
+ ```
+
## What do users see after I turn on Focused Inbox? Your users will see the Focused view only after they close and restart Outlook. When they restart Outlook, they'll see a Tip in the Outlook user interface giving them to the option to use the new Focused Inbox.
When a user decides to start using Focused Inbox, Clutter gets disabled automati
## Turn Focused Inbox On or Off for specific users
-This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organization. However, it doesn't block the availability of the feature to him. If his wants, he can still re-enable Focused Inbox again on each of his clients.
+This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organization. However, it doesn't block the availability of the feature to him. If he wants, he can still re-enable Focused Inbox again on each of his clients.
1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organiz
3. Run the **Get-FocusedInbox** cmdlet, for example:
- ``` PowerShell
- Get-FocusedInbox -Identity <tim@contoso.com>
- ```
+ ```powershell
+ Get-FocusedInbox -Identity <tim@contoso.com>
+ ```
4. Look for FocusedInboxOn to view its current setting: ![Response from PowerShell on state of Focused Inbox.](../../media/419d8caa-89b9-45c5-91d9-8c023297456e.png)
-5. Run the following cmdlet to turn Focused Inbox off:
+5. Run the following cmdlet to turn off Focused Inbox:
- ``` PowerShell
- Set-FocusedInbox -Identity <tim@contoso.com> -FocusedInboxOn $false
- ```
+ ```powershell
+ Set-FocusedInbox -Identity <tim@contoso.com> -FocusedInboxOn $false
+ ```
-6. OR, run the following cmdlet to turn it on:
+ OR, run the following cmdlet to turn it on:
- ``` PowerShell
- Set-FocusedInbox -Identity <tim@contoso.com> -FocusedInboxOn $true
- ```
+ ```powershell
+ Set-FocusedInbox -Identity <tim@contoso.com> -FocusedInboxOn $true
+ ```
## Use the UI to create a transport rule to direct email messages to the Focused view for all your users
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organiz
![focusedinbox payroll](../../media/focusedinbox-transport-rule.PNG)
-> [!NOTE]
-> The message header value text in this example is, **X-MS-Exchange-Organization-BypassFocusedInbox**.
+ > [!NOTE]
+ > The message header value text in this example is, **X-MS-Exchange-Organization-BypassFocusedInbox**.
## Use PowerShell to create a transport rule to direct email messages to the Focused view for all your users
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organiz
3. Run the following command to allow all messages from "Payroll Department," for example, to be delivered to the Focused Inbox.
- ``` PowerShell
- New-TransportRule -Name <name_of_the_rule> -From "Payroll Department" -SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox" -SetHeaderValue "true"
- ```
+ ```powershell
+ New-TransportRule -Name <name_of_the_rule> -From "Payroll Department" -SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox" -SetHeaderValue "true"
+ ```
> [!IMPORTANT] > In this example, both "X-MS-Exchange-Organization-BypassFocusedInbox" and "true" are case sensitive.
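Review bot: `-SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox"` in this hunk passes that string as the header name, with "true" as the value, while the NOTE re-indented in the UI section still calls it "the message header value text". Because the callout here says both strings are case sensitive, an admin who follows the NOTE and types the header name into the value field risks a rule that does not do what this section describes. Suggest rewording the NOTE to "The message header name in this example is ..." in the same change.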
There are two cmdlets for controlling Focused Inbox. When you run Get-FocusedInb
### Can I run a script to see who has turned on Focused Inbox?
-No, and this is by design. Focused Inbox enablement is a client side setting, so all the cmdlet can do is tell you if the user's mailbox is eligible for the client experience. It is possible for it to be simultaneously enabled in some clients and disabled in others, for example, enabled in Outlook app and Outlook Mobile but disabled in Outlook on the web.
+No, and this is by design. Focused Inbox enablement is a client-side setting, so all the cmdlet can do is tell you if the user's mailbox is eligible for the client experience. It is possible for it to be simultaneously enabled in some clients and disabled in others, for example, enabled in Outlook app and Outlook Mobile but disabled in Outlook on the web.
+
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
When you create auto-apply retention label policies for sensitive information, y
![Policy templates with sensitive information types](../media/dafd87d4-c7bb-439a-ac7b-193c018f98a5.png)
-To learn more about the sensitivity information types, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
+To learn more about the sensitivity information types, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md). Currently, [exact data matches](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) and [document fingerprinting](document-fingerprinting.md) are not supported for this scenario.
After you select a policy template, you can add or remove any types of sensitive information, and you can change the instance count and match accuracy. In the example screenshot shown next, a retention label will be auto-applied only when:
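Review bot: the sentence extended in this hunk still says "sensitivity information types" while the link it points to is titled "Sensitive information type entity definitions"; use "sensitive information types" so readers do not confuse them with sensitivity labels. In the added sentence, "exact data matches" would read better as "exact data match based classification", matching the name of the linked file.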
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
description: "Learn the basic steps to creating a keyword dictionary in the Offi
# Create a keyword dictionary
-Data loss prevention (DLP) can identify, monitor, and protect your sensitive items. Identifying sensitive items sometimes requires looking for keywords, particularly when identifying generic content (such as healthcare-related communication), or inappropriate or explicit language. Although you can create keyword lists in sensitive information types, keyword lists are limited in size and require modifying XML to create or edit them. Keyword dictionaries provide simpler management of keywords and at a much larger scale, supporting up to 1MB of terms (post compression) in the dictionary and support any language. The tenant limit is also 1MB after compression. 1MB of post compression limit means that all dictionaries combined across a tenant can have close to 1 million character.
+Data loss prevention (DLP) can identify, monitor, and protect your sensitive items. Identifying sensitive items sometimes requires looking for keywords, particularly when identifying generic content (such as healthcare-related communication), or inappropriate or explicit language. Although you can create keyword lists in sensitive information types, keyword lists are limited in size and require modifying XML to create or edit them. Keyword dictionaries provide simpler management of keywords and at a much larger scale, supporting up to 1 MB of terms (post compression) in the dictionary and support any language. The tenant limit is also 1 MB after compression. 1 MB of post compression limit means that all dictionaries combined across a tenant can have close to 1 million character.
## Keyword dictionary limits
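Review bot: the spacing fix to "1 MB" leaves two grammar problems in the same paragraph: "supporting up to 1 MB of terms ... and support any language" should be "and supporting any language", and "close to 1 million character" needs the plural "characters". The last sentence would also read more clearly as "A 1 MB post-compression limit means ...".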
-There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, you can run this PowerShell script against your tenant.
+There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, connect using the procedures in [Connect to the Security & Compliance Center PowerShell](https://docs.microsoft.com/powershell/exchange/connect-to-scc-powershell) to connect to your tenant and run this PowerShell script.
```powershell $rawFile = $env:TEMP + "\rule.xml"
Remove-Item $rawFile
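Review bot: the rewritten sentence says "connect" twice ("connect using the procedures in ... to connect to your tenant") and links with an absolute https://docs.microsoft.com URL, while a later link to the same page in this article uses the site-relative path /powershell/exchange/connect-to-scc-powershell. Suggest "connect to your tenant by following [Connect to the Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell), and then run this PowerShell script".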
## Basic steps to creating a keyword dictionary
-The keywords for your dictionary could come from a variety of sources, most commonly from a file (such as a .csv or .txt list) imported in the service or by PowerShell cmdlet, from a list you enter directly in the PowerShell cmdlet, or from an existing dictionary. When you create a keyword dictionary, you follow the same core steps:
+The keywords for your dictionary could come from various sources, most commonly from a file (such as a .csv or .txt list) imported in the service or by PowerShell cmdlet, from a list you enter directly in the PowerShell cmdlet, or from an existing dictionary. When you create a keyword dictionary, you follow the same core steps:
1. Use the **Security & Compliance Center** ([https://protection.office.com](https://protection.office.com)) or connect to **Security &amp; Compliance Center PowerShell**.
Use the following steps to create and import keywords for a custom dictionary:
## Create a keyword dictionary from a file using PowerShell
-Often when you need to create a large dictionary, it's to use keywords from a file or a list exported from some other source. In this case, you'll create a keyword dictionary containing a list of inappropriate language to screen in external email. You must first [connect to Security &amp; Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Often when you need to create a large dictionary, it's to use keywords from a file or a list exported from some other source. In this case, you'll create a keyword dictionary containing a list of inappropriate language to screen in external email. You must first [Connect to Security &amp; Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
1. Copy the keywords into a text file and make sure that each keyword is on a separate line.
Before you modify the dictionary, you need to turn the string of terms back into
$terms = $dict.KeywordDictionary.split(',').trim() ```
-Now you'll remove some terms from the dictionary. Because the example dictionary has only a few keywords, you could just as easily skip to exporting the dictionary and editing it in Notepad, but dictionaries generally contain a large amount of text, so you'll first learn this way to edit them easily in PowerShell.
+Now you'll remove some terms from the dictionary. Because the example dictionary has only a few keywords, you could as easily skip to exporting the dictionary and editing it in Notepad, but dictionaries generally contain a large amount of text, so you'll first learn this way to edit them easily in PowerShell.
In the last step, you saved the keywords to an array. There are several ways to [remove items from an array](/previous-versions/windows/it-pro/windows-powershell-1.0/ee692802(v=technet.10)), but as a straightforward approach, you'll create an array of the terms you want to remove from the dictionary, and then copy only the dictionary terms to it that aren't in the list of terms to remove.
Save the dictionary locally by running the following:
Set-Content $updatedTerms -Path "C:\myPath\terms.txt" ```
-Now simply open the file, add your additional terms, and save with Unicode encoding (UTF-16). Now you'll upload the updated terms and update the dictionary in place.
+Now open the file, add your other terms, and save with Unicode encoding (UTF-16). Now you'll upload the updated terms and update the dictionary in place.
```powershell PS> Set-DlpKeywordDictionary -Identity "Diseases" -FileData (Get-Content -Path "C:myPath\terms.txt" -Encoding Byte -ReadCount 0) ```
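Review bot: the upload command left as context under this hunk reads from `"C:myPath\terms.txt"`, but the preceding step saves to `"C:\myPath\terms.txt"`. Without the backslash after the drive letter the path is resolved relative to the current directory on drive C, so Get-Content can miss the file that was just edited; fix the path in this change. The reworded sentence also starts two consecutive sentences with "Now", so the second could begin "Next, upload ...".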
-Now the dictionary has been updated in place. Note that the `Identity` field takes the name of the dictionary. If you wanted to also change the name of your dictionary using the `set-` cmdlet, you would just need to add the `-Name` parameter to what's above with your new dictionary name.
+Now the dictionary has been updated in place. The `Identity` field takes the name of the dictionary. If you wanted to also change the name of your dictionary using the `set-` cmdlet, you would just need to add the `-Name` parameter to what's above with your new dictionary name.
## Using keyword dictionaries in custom sensitive information types and DLP policies
compliance Dlp Sensitivity Label As Condition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-sensitivity-label-as-condition.md
Title: "Use sensitivity labels as conditions in DLP policies (preview)"
+ Title: "Use sensitivity labels as conditions in DLP policies"
f1.keywords: - CSH
description: learn about the services and item types that you can use sensitivity labels as conditions in DLP policies
-# Use sensitivity labels as conditions in DLP policies (preview)
+# Use sensitivity labels as conditions in DLP policies
You can use [sensitivity labels](sensitivity-labels.md) as a condition in DLP policies for these location:
You can use sensitivity labels as conditions on these items and in these scenari
|Service |Item type |Available to policy tip |Enforceable | ||||| |Exchange |email message |yes |yes |
-|Exchange |email attachment |no * |no * |
+|Exchange |email attachment |no * |yes * |
|SharePoint Online |items in SharePoint Online |yes |yes | |OneDrive for Business |items |yes |yes | |Teams |Teams and channel messages |not applicable |not applicable | |Teams |attachments |yes ** |yes ** |
-|Windows 10 devices (preview) |items |yes |yes |
+|Windows 10 devices |items |yes |yes |
|MCAS (preview) |items |yes |yes |
-\* DLP detection of sensitivity labels on emails are supported. DLP detection of sensitivity labeled email attachments are not.
+\* DLP detection of sensitivity labeled email attachments are supported for Office file types only.
\** Attachments sent in Teams over 1:1 chat or channels are automatically uploaded to OneDrive for Business and SharePoint. So if SharePoint Online or OneDrive for Business are included as locations in your DLP policy, then labeled attachments sent in Teams will be automatically included in the scope of this condition. Teams as a location does not need to be selected in the DLP policy.
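Review bot: the attachment row now reads "no *" for policy tips and "yes *" for enforcement, but the rewritten footnote only says detection is supported for Office file types, so the asterisk on "no" no longer explains anything. Either drop the asterisk from the policy tip cell or have the footnote state that policy tips are not available for labeled attachments. The subject of the footnote is "detection", so the verb should be "is supported".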
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
## What's included for retention and deletion
-Teams chat messages and channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links and links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages include all the names of the people in the chat, and channel messages include the team name and the message title (if supplied).
+Teams chats messages and channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages include all the names of the people in the chat, and channel messages include the team name and the message title (if supplied).
> [!NOTE] > Including card content is a recent addition and now fully rolled out to tenants. For more information, see [Microsoft 365 compliance capabilities for Adaptive Card content through apps in Teams now available](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-365-compliance-capabilities-for-adaptive-card-content/ba-p/2095869).
Emails and files that you use with Teams aren't included in retention policies f
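Review bot: the first words of the new line change "Teams chat messages" to "Teams chats messages", which introduces a typo; keep "Teams chat messages", as the later sentence beginning "Chat messages include" already does. The added comma in "hypertext links, links to other Teams messages and files, and card content" is fine.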
## How retention works with Microsoft Teams
-You can use a retention policy to retain data from chats and channel messages in Teams, and delete these chats and messages. Behind the scenes, Exchange mailboxes are used to store data from these messages. Data from Teams chats is stored in a hidden folder in the mailbox of each user included in the chat, and a similar hidden folder in a group mailbox is used for Teams channel messages.
+Use this section to understand how your compliance requirements are met by backend storage and processes, and should be verified by eDiscovery tools rather than by messages that are currently visible in the Teams app.
+
+You can use a retention policy to retain data from chats and channel messages in Teams, and delete these chats and messages. Behind the scenes, Exchange mailboxes are used to store data copied from these messages. Data from Teams chats is stored in a hidden folder in the mailbox of each user included in the chat, and a similar hidden folder in a group mailbox is used for Teams channel messages. These hidden folders are not designed to be directly accessible to users or administrators, but instead, store data that compliance administrators can search with eDiscovery tools.
These mailboxes are, listed by their RecipientTypeDetails attribute:
These mailboxes are, listed by their RecipientTypeDetails attribute:
Other mailbox types, such as RoomMailbox that is used for Teams conference rooms, are not supported for Teams retention policies.
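Review bot: the added introductory sentence has no clear subject for "should be verified"; as written it says the section, or the compliance requirements, should be verified by eDiscovery tools. Suggest splitting it, for example "Use this section to understand how backend storage and processes meet your compliance requirements. Verify retention and deletion with eDiscovery tools, not by which messages are currently visible in the Teams app." In the last added sentence, "but instead, store data" should be "but instead store data".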
-It's important to understand that Teams uses an Azure-powered chat service as its primary storage for all messages (chats and channel messages), and by default this service stores the data indefinitely. For this reason, if you need to delete Teams messages for compliance reasons, we recommend that you use retention policies for Teams that can delete messages after a specific period, based on when they were created. Messages are then permanently deleted from both the Exchange mailboxes and the underlying Azure-powered chat service. For more information about the underlying architecture, see [Security and compliance in Microsoft Teams](/MicrosoftTeams/security-compliance-overview) and specifically, the [Information Protection Architecture](/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
+Teams uses an Azure-powered chat service as its primary storage for all messages (chats and channel messages). If you need to delete Teams messages for compliance reasons, retention policies for Teams can delete messages after a specified period, based on when they were created. Messages are then permanently deleted from both the Exchange mailboxes where they stored for compliance operations, and from the primary storage used by the underlying Azure-powered chat service. For more information about the underlying architecture, see [Security and compliance in Microsoft Teams](/MicrosoftTeams/security-compliance-overview) and specifically, the [Information Protection Architecture](/MicrosoftTeams/security-compliance-overview#information-protection-architecture) section.
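Review bot: "the Exchange mailboxes where they stored for compliance operations" is missing a verb; it should read "where they are stored". This hunk also drops the statement that the chat service stores the data indefinitely by default, which was the stated reason for recommending a delete policy. If that default still holds, keep the sentence, because it is what tells an admin that nothing is deleted unless a policy is configured.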
-Although data from Teams chats and channel messages are stored in mailboxes, this data is included only by a retention policy that's configured for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages are not affected by retention policies that are configured for Exchange user or group mailboxes.
+Although this data from Teams chats and channel messages are stored in mailboxes, you must configure a retention policy for the **Teams channel messages** and **Teams chats** locations. Teams chats and channel messages are not included in retention policies that are configured for Exchange user or group mailboxes.
> [!NOTE] > If a user is included in an active retention policy that retains Teams messages and you a delete a mailbox of a user who is included in this policy, the mailbox is converted into an [inactive mailbox](inactive-mailboxes-in-office-365.md) to retain the Teams data. If you don't need to retain this Teams data for the user, exclude the user account from the retention policy before you delete their mailbox.
-After a retention policy is configured for chat and channel messages, a timer job from the Exchange service periodically evaluates items in the hidden folder where these Teams messages are stored. The timer job takes up to seven days to run. When these items have expired their retention period, they are moved to the SubstrateHolds folderΓÇöanother hidden folder that's in every user or group mailbox to store "soft-deleted" items before they are permanently deleted.
+After a retention policy is configured for chat and channel messages, a timer job from the Exchange service periodically evaluates items in the hidden folder where these Teams messages are stored. The timer job typically takes 1-7 days to run. When these items have expired their retention period, they are moved to the SubstrateHolds folderΓÇöanother hidden folder that's in every user or group mailbox to store "soft-deleted" items before they are permanently deleted.
+
+Messages remain in the SubstrateHolds folder for at least 1 day, and then if they are eligible for deletion, the timer job permanently deletes them the next time it runs.
After a retention policy is configured for chat and channel messages, the paths the content takes depend on whether the retention policy is to retain and then delete, to retain only, or delete only.
When the retention policy is to retain and then delete:
For the two paths in the diagram:
-1. **If a chat or channel message is edited or deleted** by the user during the retention period, the original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder within 21 days. The message is stored there until the retention period expires and then the message is permanently deleted within 24 hours.
+1. **If a chat or channel message is edited or deleted** by a user during the retention period, the original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder. The message is stored there for at least 1 day. When the retention period expires, the message is permanently deleted the next time the timer job runs (typically between 1-7 days).
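Review bot: this item replaces the bounded timings "within 21 days" and "within 24 hours" with "at least 1 day" and "typically between 1-7 days", so the text no longer gives any upper limit for how long an edited or deleted message can remain. For readers who have to show that data is gone by a deadline, say explicitly whether a maximum exists. Also write the range as "1-7 days" or "between 1 and 7 days", not "between 1-7 days".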
-2. **If a chat or channel message is not deleted** and for current messages after editing, the message is moved to the SubstrateHolds folder after the retention period expires. This action takes up to 7 days from the expiry date. When the message is in the SubstrateHolds folder, it is then permanently deleted within 24 hours.
+2. **If a chat or channel message is not deleted** by a user and for current messages after editing, the message is moved to the SubstrateHolds folder after the retention period expires. This action typically takes between 1-7 days from the expiry date. When the message is in the SubstrateHolds folder, it is stored there for at least 1 day, and then the message is permanently deleted the next time the timer job runs (typically between 1-7 days).
> [!NOTE]
-> Messages in the SubstrateHolds folder are searchable by eDiscovery tools. Until messages are permanently deleted from this SubstrateHolds folder, they remain searchable by eDiscovery tools.
+> Messages stored in mailboxes, including the hidden folders, are searchable by eDiscovery tools. Until messages are permanently deleted from the SubstrateHolds folder, they remain searchable by eDiscovery tools.
+
+When messages are permanently deleted from the SubstrateHolds folder, a delete operation is communicated to the backend Azure chat service, that then relays the same operation to the Teams client app. Delays in this communication or caching can explain why, for a short period of time, users might still see these messages in their Teams app, but data from these messages isn't returned in eDiscovery searches. Messages visible in the Teams app are not an accurate reflection of whether they are retained or permanently deleted for compliance requirements.
When the retention policy is retain-only, or delete-only, the content's paths are variations of retain and delete. ### Content paths for retain-only retention policy
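Review bot: in the added paragraph, "communicated to the backend Azure chat service, that then relays the same operation" should use "which then relays". The closing sentence, that messages visible in the Teams app do not reflect whether they are retained or deleted, is the point an auditor most needs; consider moving it into the NOTE above, next to the statement that messages remain searchable by eDiscovery tools until they are permanently deleted.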
-1. **If a chat or channel message is edited or deleted**: A copy of the original message is created in the SubstrateHolds folder within 21 days, and retained there until the retention period expires. Then the message is permanently deleted from the SubstrateHolds folder within 24 hours.
+1. **If a chat or channel message is edited or deleted** by a user during the retention period: The original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder, and retained there for at least 1 day. If the retention policy is configured to retain forever, the item remains there. If the retention policy has an end date for the retention period and it expires, the message is permanently deleted the next time the timer job runs (typically between 1-7 days).
-2. **If the item is not modified or deleted** and for current messages after editing during the retention period: Nothing happens before and after the retention period; the message remains in its original location.
+2. **If the chat or channel message is not modified or deleted** by a user and for current messages after editing during the retention period: Nothing happens before and after the retention period; the message remains in its original location.
### Content paths for delete-only retention policy
-1. **If the message is not deleted** during the retention period: At the end of the retention period, the message is moved to the SubstrateHolds folder. This action takes up to seven days from the expiry date. Then the message is permanently deleted from the SubstrateHolds folder within 24 hours.
-
-2. **If the item is deleted by the user** during the period, the item is moved to the SubstrateHolds folder within 21 days where it is then permanently deleted within 24 hours.
+1. **If the chat or channel message is edited or deleted** by a user during the retention period: The original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder. The message is retained there for at least 1 day and permanently deleted the next time the timer job runs (typically between 1-7 days).
+2. **If a chat or channel message is not deleted** by a user during the retention period: At the end of the retention period, the message is moved to the SubstrateHolds folder. This action typically takes between 1-7 days from the expiry date. The message is retained there for at least 1 day and then permanently deleted the next time the timer job runs (typically between 1-7 days).
## Skype for Business and Teams interop chats
If the user stored any files in Teams, see the [equivalent section](retention-po
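Review bot: in the delete-only list, the new item 1 covers messages that are "edited or deleted" and item 2 covers messages that are "not deleted", so the current version of an edited message is not clearly assigned to either item. The retain-and-delete and retain-only lists handle this with "and for current messages after editing"; add the same wording to item 2 here. The blank line that separated the two list items was also removed.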
## Limitations
-We're continuously working on optimizing retention functionality in Teams. In the meantime, here are a few limitations to be aware of when you use retention for Teams channel messages and chats:
+We're continuously working on optimizing retention functionality in Teams. In the meantime, here are a few limitations to be aware of when you use retention policies for Teams channel messages and chats:
-- **Incorrect display issue in Outlook**. If you create retention policies for Skype or Teams locations, one of those policies is shown as the default folder policy when a user views the properties of a mailbox folder in the Outlook desktop client. This is an incorrect display issue in Outlook and [a known issue](https://support.microsoft.com/help/4491013/outlook-client-displays-teams-or-skype-for-business-retention-policies). What should be displayed as the default folder policy is the mailbox retention policy that's applied to the folder. The Skype or Teams retention policy is not applied to the user's mailbox.
+- **Incorrect display issue in Outlook**. If you create retention policies for Skype or Teams locations, one of those policies is shown as the default folder policy when a user views the properties of a mailbox folder in the Outlook desktop client. This is an incorrect display issue in Outlook and [a known issue](https://support.microsoft.com/help/4491013/outlook-client-displays-teams-or-skype-for-business-retention-policies). Instead, you should see the mailbox retention policy that's applied to the folder. The Skype or Teams retention policy is not applied to the user's mailbox.
- **Configuration issues**: - When you select **Choose teams** for the **Teams channel messages** location, you might see Microsoft 365 groups that aren't also teams. Don't select these groups.
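Review bot: "Instead, you should see the mailbox retention policy that's applied to the folder" can be read as what the user will actually see, which contradicts the preceding sentences describing the wrong policy being shown. The earlier wording ("What should be displayed as the default folder policy is ...") was unambiguous; suggest "The policy that should be displayed is the mailbox retention policy that's applied to the folder".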
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Additional considerations:
**Applies to:** All customers using Exchange Online
-If you're using Exchange Online hybrid: Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition. Apply the [Exchange prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online-hybrid-configuration) **before the migration step phase 5 begins**. Exchange Online hybrid customers must run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
+If you're using Exchange Online hybrid: Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition. Apply the [Exchange prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online-hybrid-customers) **before the migration step phase 5 begins**. Exchange Online hybrid customers must run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
Upon **completion of the migration phase 9** (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global services.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Advanced hunting]() #### [Advanced hunting overview](advanced-hunting-overview.md)
-#### [Learn, train, & get examples]()
-##### [Learn the query language](advanced-hunting-query-language.md)
-##### [Use shared queries](advanced-hunting-shared-queries.md)
-#### [Work with query results](advanced-hunting-query-results.md)
-#### [Optimize & handle errors]()
-##### [Apply query best practices](advanced-hunting-best-practices.md)
-##### [Handle errors](advanced-hunting-errors.md)
-##### [Service limits](advanced-hunting-limits.md)
-#### [Data schema]()
-##### [Understand the schema](advanced-hunting-schema-reference.md)
-##### [DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)
-##### [DeviceFileEvents](advanced-hunting-devicefileevents-table.md)
-##### [DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)
-##### [DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)
-##### [DeviceInfo](advanced-hunting-deviceinfo-table.md)
-##### [DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)
-##### [DeviceEvents](advanced-hunting-deviceevents-table.md)
-##### [DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)
-##### [DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)
-##### [DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)
-##### [DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)
-##### [DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
-##### [DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
-##### [DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
-##### [DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
-#### [Custom detections]()
-##### [Custom detections overview](overview-custom-detections.md)
-##### [Create detection rules](custom-detection-rules.md)
-##### [View & manage detection rules](custom-detections-manage.md)
+#### [Understand the schema](advanced-hunting-schema-reference.md)
+#### [DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)
### [Microsoft Threat Experts](microsoft-threat-experts.md)
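Review bot: this hunk removes every Advanced hunting entry except the schema reference and DeviceAlertEvents, including the query language, best practices, the other Device* table pages and all three Custom detections pages. If those articles still exist in this folder they lose their navigation entry, so confirm they are redirected or relocated in the same change. The two added entries are at the "####" level, which makes them siblings of "Advanced hunting overview" where they were previously nested under a "Data schema" node.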
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
For more information about role assignments, see [Create and manage roles](user-
Enabling this feature allows you to run unsigned scripts in a live response session.
+## Always remediate PUA
+Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted.
+
+Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.
+ ## Restrict correlation to within scoped device groups When this setting is turned on, alerts are correlated into separate incidents based on their scoped device group. By default, incident correlation happens across the entire tenant scope.
When this setting is turned on, alerts are correlated into separate incidents ba
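Review bot: the new "Always remediate PUA" section expands "potentially unwanted applications (PUA)" in two consecutive paragraphs and never says what remediation does to a detected application, or links to where PUA protection is documented. Expand the abbreviation once, and state the action taken so an admin can judge the impact before enabling it for every device in the tenant. In the first paragraph, "install other software which might be unexpected or unwanted" should use "that".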
>[!NOTE] >Changing this setting impacts future alert correlations only. - ## Enable EDR in block mode Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach. + ## Autoresolve remediated alerts For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
For more information, see [Manage indicators](manage-indicators.md).
> [!NOTE] > Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. - ## Tamper protection During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices.
Tamper protection essentially locks Microsoft Defender Antivirus and prevents yo
Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features. + ## Show user details Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
Turn on this feature so that you can see user details stored in Azure Active Dir
For more information, see [Investigate a user account](investigate-user.md). + ## Skype for Business integration Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
Enabling the Skype for Business integration gives you the ability to communicate
> [!NOTE] > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
-## Azure Advanced Threat Protection integration
+## Microsoft Defender for Identity integration
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
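Review bot: the heading is renamed to "Microsoft Defender for Identity integration", but the paragraph directly under it still reads "The integration with Azure Advanced Threat Protection allows you to pivot..." and "Azure Advanced Threat Protection augments an investigation", so the section now uses two product names for the same integration. Update the body in the same change so it matches the heading, and while there fix "from an identify point of view" to "identity".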
When you turn this feature on, you'll be able to incorporate data from Office 36
To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Threat investigation and response](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-ti).
-## Microsoft Threat Experts
+## Microsoft Threat Experts - Targeted Attack Notifications
Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. > [!NOTE] > The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).- ## Microsoft Cloud App Security Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
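Review bot: the new heading "Microsoft Threat Experts - Targeted Attack Notifications" scopes this section to one component, but the paragraph under it still opens with "Out of the two Microsoft Threat Expert components" and goes on to describe the experts-on-demand preview and its application process. Either trim the paragraph to targeted attack notifications or keep the broader heading, so a reader toggling this setting knows which capability it controls.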
Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud
> [!NOTE] > This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)), or later Windows 10 versions.
-## Azure Information Protection
-
-Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
- ## Microsoft Secure Score Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. + ### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.
To receive contextual device integration in Microsoft Defender for Identity, you
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
+## Web content filtering
+Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you have network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2).
++
+## Share endpoint alerts with Microsoft Compliance Center
+Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
+
+After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
+++ ## Microsoft Intune connection Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
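Review bot: in the added "Web content filtering" section, the sentence "Ensure you have network protection in block mode when deploying the ... security baseline" does not say whether block mode is a prerequisite for web content filtering itself or only a reminder tied to the baseline. Reword it as an explicit requirement or drop the baseline clause. The two links in that paragraph are deep links into the portals (security.microsoft.com/preferences2/... and a devicemanagement.microsoft.com blade URL) rather than docs articles, which tend to break when the portal changes. The move of "Share endpoint alerts with Microsoft Compliance Center" also leaves runs of added blank lines (the `++` and `+++` lines); one blank line between sections is enough.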
This feature is only available if you have the following:
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) - An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/). + ### Conditional Access policy When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
Learn about new features in the Defender for Endpoint preview release and be amo
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
-## Share endpoint alerts with Microsoft Compliance Center
-Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
-After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
## Related topics
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The WinHTTP configuration setting is independent of the Windows Internet (WinINe
Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet.
+> [!NOTE]
+> - When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup:</br>
+> Windows 10, version 1909 - https://support.microsoft.com/kb/4601380</br>
+> Windows 10, version 2004 - https://support.microsoft.com/kb/4601382</br>
+> Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382</br>
+> These updates improve the connectivity and reliability of the CnC (Command and Control) channel.</br>
+ The static proxy is configurable through Group Policy (GP). The group policy can be found under: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
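Review bot: the added note ends each line with `</br>`, which is not a valid tag; use `<br>` or make the three versions a nested list. The lead-in recommends "the following (or later) build and cumulative update rollup" but only KB links are listed, with no build numbers, so a reader cannot verify a device against it without opening each KB. Versions 2004 and 20H2 both point at kb/4601382; if that is intentional, put them on one line so it does not read as a copy-paste slip.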
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
Title: Address false positives/negatives in Microsoft Defender for Endpoint description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint.
-keywords: alert, exclusion, defender atp, false positive, false negative
+keywords: antivirus, exception, exclusion, defender atp, false positive, false negative, blocked file, blocked url
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.sitesec: library
ms.pagetype: security Previously updated : 02/11/2021 Last updated : 04/08/2021 localization_priority: Normal audience: ITPro
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection).
+In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
-![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png)
+![Definition of false positive and negatives in Defender for Endpoint](images/false-positives-overview.png)
-Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/use), your security operations can take steps to address them by using the following process:
+Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](../defender/microsoft-365-security-center-mde.md), your security operations can take steps to address them by using the following process:
1. [Review and classify alerts](#part-1-review-and-classify-alerts) 2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
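Review bot: in the second changed paragraph, the link text still says "Microsoft Defender Security Center" but the new target is `../defender/microsoft-365-security-center-mde.md`, whose file name points at a Microsoft 365 security center article. Confirm this is the intended destination; if so, adjust the link text or the sentence so readers are not sent to a different portal's documentation than the one named.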
Fortunately, steps can be taken to address and reduce these kinds of issues. If
4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
-And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article.
+You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help)
![Steps to address false positives and negatives](images/false-positives-step-diagram.png)
Managing your alerts and classifying true/false positives helps to train your th
Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.+ 2. In the navigation pane, choose **Alerts queue**.
-3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/review-alerts).)
+
+3. Select an alert to more details about the alert. (See [Review alerts in Microsoft Defender for Endpoint](review-alerts.md).)
+ 4. Depending on the alert status, take the steps described in the following table: | Alert status | What to do |
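Review bot: step 3 is rewritten for the link change but keeps the broken sentence "Select an alert to more details about the alert." A verb is missing; something like "Select an alert to view more details about the alert." would fix it in the same edit.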
Before you classify or suppress an alert, determine whether the alert is accurat
Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.+ 2. Select **Alerts queue**, and then select an alert.+ 3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.+ 4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP]
-> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
+> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
### Suppress an alert If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.+ 2. In the navigation pane, select **Alerts queue**.+ 3. Select an alert that you want to suppress to open its **Details** pane.+ 4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.+ 5. Specify all the settings for your suppression rule, and then choose **Save**. > [!TIP]
-> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
+> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](/microsoft-365/security/defender-endpoint/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
## Part 2: Review remediation actions
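Review bot: both tips in this region switch to site-relative links (`/microsoft-365/security/defender-endpoint/manage-alerts`), while other links to articles in the same folder in this commit use file-relative paths (`review-alerts.md`, `microsoft-defender-endpoint.md`). Pick one form for same-folder articles, preferably the file-relative one, so the build can validate the target and the anchor `#suppress-an-alert-and-create-a-new-suppression-rule`.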
When you're done reviewing and undoing actions that were taken as a result of fa
### Review completed actions 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. + 2. Select the **History** tab to view a list of actions that were taken. + 3. Select an item to view more details about the remediation action that was taken. ### Undo an action 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.+ 2. On the **History** tab, select an action that you want to undo.+ 3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) ### Undo multiple actions at one time 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.+ 2. On the **History** tab, select the actions that you want to undo.+ 3. In the pane on the right side of the screen, select **Undo**. ### Remove a file from quarantine across multiple devices
When you're done reviewing and undoing actions that were taken as a result of fa
> ![Quarantine file](images/autoir-quarantine-file-1.png) 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.+ 2. On the **History** tab, select a file that has the Action type **Quarantine file**.+ 3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Part 3: Review or define exclusions
To define exclusions across Microsoft Defender for Endpoint, perform the followi
- [Create ΓÇ£allowΓÇ¥ indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) > [!NOTE]
-> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators) for Microsoft Defender for Endpoint.
+> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators) for Microsoft Defender for Endpoint.
The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus
-In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
> [!TIP]
-> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
+> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).+ 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.+ 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.+ 5. Choose **Review + save**, and then choose **Save**. #### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. + 3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).+ 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.+ 5. Specify a name and description for the profile, and then choose **Next**.+ 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
-7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
-8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+
+7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](/mem/intune/fundamentals/scope-tags).)
+
+8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
+ 9. On the **Review + create** tab, review the settings, and then choose **Create**. ### Indicators for Microsoft Defender for Endpoint
-[Indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
+[Indicators](/microsoft-365/security/defender-endpoint/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
-To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations).
+To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), and [automated investigation & remediation](/microsoft-365/security/defender-endpoint/automated-investigations).
"Allow" indicators can be created for:
To specify entities as exclusions for Microsoft Defender for Endpoint, create "a
#### Indicators for files
-When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
+When you [create an "allow" indicator for a file, such as an executable](/microsoft-365/security/defender-endpoint/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
Before you create indicators for files, make sure the following requirements are met:-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
- Antimalware client version is 4.18.1901.x or later - Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 -- The [Block or allow feature is turned on](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-features)
+- The [Block or allow feature is turned on](/microsoft-365/security/defender-endpoint/advanced-features)
#### Indicators for IP addresses, URLs, or domains
-When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
+When you [create an "allow" indicator for an IP address, URL, or domain](/microsoft-365/security/defender-endpoint/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:-- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection))
+- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](/microsoft-365/security/defender-endpoint/enable-network-protection))
- Antimalware client version is 4.18.1906.x or later - Devices are running Windows 10, version 1709, or later
-Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-features))
+Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](/microsoft-365/security/defender-endpoint/advanced-features))
#### Indicators for application certificates
-When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
+When you [create an "allow" indicator for an application certificate](/microsoft-365/security/defender-endpoint/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met:-- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus))
- Antimalware client version is 4.18.1901.x or later - Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 - Virus and threat protection definitions are up to date
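Review bot: in the requirements for IP address, URL, or domain indicators, the changed line "Custom network indicators are turned on in the Microsoft Defender Security Center ..." has no `- ` list marker, unlike the three requirements before it, so it will render as a continuation of the previous bullet instead of a fourth requirement. Add the bullet while the line is being edited. The file-indicator and certificate-indicator lists in the same region already carry the marker on every item.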
You can submit entities, such as files and fileless detections, to Microsoft for
If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis.
-1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+1. Review the guidelines here: [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide).
+ 2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). ### Submit a fileless detection for analysis
If you have a file that was either wrongly detected as malicious or was missed,
If something was detected as malware based on behavior, and you donΓÇÖt have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`, and then run `MpCmdRun.exe` as an administrator.+ 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
-3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+3. Review the guidelines here: [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide).
+ 4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. ### What happens after a file is submitted?
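Review bot: The fileless-detection procedure names the diagnostic archive two different ways: the intro says to submit your `Mpsupport.cab` file, while step 2 gives the default output as `MpSupportFiles.cab`. Since these steps are being touched anyway, use the step 2 file name in both places. Step 1 also says to run `MpCmdRun.exe` as an administrator and step 2 then says to type `mpcmdrun.exe -GetFiles`; rewording step 1 to open an elevated Command Prompt in the `Platform\<version>` folder would make it clear that only the step 2 command is run. The leading space inside the code span for the step 1 path should be removed as well.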
For submissions that were not already processed, they are prioritized for analys
To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). > [!TIP]
-> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions).
+> To learn more, see [Submit files for analysis](/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions).
## Part 5: Review and adjust your threat protection settings
Microsoft Defender for Endpoint offers a wide variety of options, including the
Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP]
-> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
+> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
-We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).+ 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**.+ 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives.+ 5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**.+ 3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**.+ 4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**.+ 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.)
-6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
-8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
-9. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](/mem/intune/fundamentals/scope-tags).)
+
+7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
+
+8. On the **Review + create** tab, review the settings, and then choose **Create**.
### Remediation for potentially unwanted applications Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. > [!TIP]
-> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+> To learn more about PUA, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
-We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
+We recommend using [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)).
#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you donΓÇÖt have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).)+ 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**.+ 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**.+ 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.)+ 6. Choose **Review + save**, and then choose **Save**. #### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.+ 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**.+ 3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**.+ 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**.+ 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**.+ 6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.)
-7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+
+7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
+ 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**.+ 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. ### Automated investigation and remediation [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
+Depending on the [level of automation](/microsoft-365/security/defender-endpoint/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
-- [Learn more about automation levels](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels); and then -- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation).
+- [Learn more about automation levels](/microsoft-365/security/defender-endpoint/automation-levels); and then
+- [Configure AIR capabilities in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation).
> [!IMPORTANT] > We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
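Review bot: In the new-policy procedure for cloud-delivered protection, the renumbered step 6 (**Scope tags**) ends without telling the reader to choose **Next**, unlike steps 4 and 7 around it; add "and then choose **Next**" so the walkthrough does not stall on that tab. Further down, step 8 of the PUA new-profile procedure reads "applied to all devices certain editions of Windows 10" (a word is missing after "devices") and step 9 reads "review your settings, and, and then choose **Create**"; both are worth fixing in the same pass.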
Depending on the [level of automation](https://docs.microsoft.com/microsoft-365/
If you have worked through all the steps in this article and still need help, contact technical support. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.+ 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
-3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request.
+
+3. In the **Support Assistant** window, describe your issue, and then send your message. From there, you can open a service request.
## See also [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
-[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/use)
+[Overview of Microsoft Defender Security Center](/microsoft-365/security/defender-endpoint/use)
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
When upgrading your operating system to a new major version, you must first unin
## How to migrate from Insiders-Fast to Production channel
-1. Uninstall the ΓÇ£Insiders-Fast channelΓÇ¥ version of MDE for macOS.
+1. Uninstall the ΓÇ£Insiders-Fast channelΓÇ¥ version of MDE for Linux.
`` sudo yum remove mdatp
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
This procedure creates a custom view that filters to only show the following eve
| 1125 | Event when network protection fires in audit mode | | 1126 | Event when network protection fires in block mode |
+## Network protection troubleshooting
+
+Due to the environment where Network Protection runs, Microsoft might not be able to detect operating system proxy settings. In some cases, Network Protection clients are unable to reach Cloud Service. To resolve the connectivity problem, customers with E5 licenses should configure one of the following Defender registry keys:
+
+```console
+reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "<proxy IP address: Port>" /f
+reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "<Proxy PAC url>" /f
+
+```
+ ## Related articles - [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
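Review bot: The new troubleshooting text says to configure "one of the following" settings, but the code block lists both `reg add` commands back to back with nothing separating them, so a reader who pastes the block sets `ProxyServer` and `ProxyPacUrl` together. Split the block in two or put an "or" between the commands. The text also calls these "registry keys" although both commands write values (`/v`) under the single key `HKLM\Software\Microsoft\Windows Defender`, the placeholder `<proxy IP address: Port>` has a space after the colon that ends up in the value if copied literally, and there is an empty line before the closing fence. Writing under `HKLM` needs an elevated prompt, which the section should state.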
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-overview.md
This capability is similar to [advanced hunting in Microsoft Defender for Endpoi
To use advanced hunting, [turn on Microsoft 365 Defender](m365d-enable.md).
+### Before you begin
+
+Users need one of the following levels of permissions to access Microsoft Defender:
+
+- Full access (read and write)
+- Read-only access
+
+**Full access**:
+Users with full access can save, modify, and share a query. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" built-in roles in Azure Active Directory (AAD).
+
+**Read-only access**:
+Users with read-only access can log in and view all alerts and related information. They will not be able to save, modify, or share a query. Assigning read-only access rights requires adding the users to the "Security Reader" built-in role in AAD.
+ ## Get started with advanced hunting We recommend going through several steps to quickly get started with advanced hunting.
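Review bot: The first sentence of **Before you begin** says permissions are needed "to access Microsoft Defender", but the sentence just above it and the rest of the article are about advanced hunting in Microsoft 365 Defender; name the product in full so it is not read as a different Defender product. Under **Full access**, two roles are offered as interchangeable; because Global Administrator is far broader than Security Administrator, consider listing Security Administrator as the preferred choice. "log in" should be "sign in" to match the wording used in the other procedures in this batch.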
Time information in advanced hunting is in the UTC time zone.
- [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-tables.md) - [Apply query best practices](advanced-hunting-best-practices.md)-- [Custom detections overview](custom-detections-overview.md)
+- [Custom detections overview](custom-detections-overview.md)
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
Microsoft 365 Defender cross-product features include:
Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 security center at [security.microsoft.com](https://security.microsoft.com). For more information, read: - [Licensing requirements](prerequisites.md#licensing-requirements) - [Turn on Microsoft 365 Defender](m365d-enable.md)++
+## See also
+- [Deploy threat protection capabilities across Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/solutions/deploy-threat-protection)
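Review bot: The added **See also** link uses the absolute form `https://docs.microsoft.com/microsoft-365/solutions/deploy-threat-protection`, while the other changes in this same batch convert docs.microsoft.com links to site-relative paths; use `/microsoft-365/solutions/deploy-threat-protection` here. A blank line between the `## See also` heading and the list item would also match the spacing the other hunks add around list items.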
security Anti Spam Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection.md
Here are some best practices that apply to either scenario:
- **DMARC**: Domain-based Message Authentication, Reporting, and Conformance helps destination email systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For more information, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md). -- **Verify your bulk email settings**: The bulk compliant level (BCL) threshold that you configure in anti-spam policies determines whether bulk email (also known as _gray mail_) is marked as spam. The PowerShell-only setting _MarkAsSpamBulkMail_ that's on by default also contributes to the results. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+- **Verify your bulk email settings**: The bulk complaint level (BCL) threshold that you configure in anti-spam policies determines whether bulk email (also known as _gray mail_) is marked as spam. The PowerShell-only setting _MarkAsSpamBulkMail_ that's on by default also contributes to the results. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
### Prevent the delivery of spam to the Inbox
security Bulk Complaint Level Values https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/bulk-complaint-level-values.md
search.appverid:
ms.assetid: a5b03b3c-37dd-429e-8e9b-2c1b25031794 - M365-security-compliance
-description: Admins can learn about bulk compliance level (BCL) values that are used in Exchange Online Protection (EOP).
+description: Admins can learn about bulk complaint level (BCL) values that are used in Exchange Online Protection (EOP).
ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP assigns a bulk compliant level (BCL) to inbound messages from bulk mailers. The BCL is added to the message in an X-header and is similar to the [spam confidence level (SCL)](spam-confidence-levels.md) that's used to identify messages as spam. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam). Microsoft uses both internal and third party sources to identify bulk mail and determine the appropriate BCL.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. The BCL is added to the message in an X-header and is similar to the [spam confidence level (SCL)](spam-confidence-levels.md) that's used to identify messages as spam. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam). Microsoft uses both internal and third party sources to identify bulk mail and determine the appropriate BCL.
Bulk mailers vary in their sending patterns, content creation, and recipient acquisition practices. Good bulk mailers send desired messages with relevant content to their subscribers. These messages generate few complaints from recipients. Other bulk mailers send unsolicited messages that closely resemble spam and generate many complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray mail.
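Review bot: In the corrected intro paragraph, "third party sources" is a compound modifier and should read "third-party sources"; the line is already being changed for the "complaint" fix, so it can be picked up here.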
security Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365.md
- m365initiative-defender-office365 - seo-marvel-apr2020
-description: Microsoft Defender for Office 365 includes safe attachments, safe links, advanced anti-phishing tools, reporting tools and threat intelligence capabilities.
+description: Microsoft Defender for Office 365 includes Safe Attachments, Safe Links, advanced anti-phishing tools, reporting tools and threat intelligence capabilities.
ms.technology: mdo ms.prod: m365-security
If you're new to Microsoft Defender for Office 365 or learn best by *doing*, you
- anti-phishing - anti-spam - Set up everything with '*safe*' in the name.
- - safe links
- - safe attachments
+ - Safe Links
+ - Safe Attachments
- Defend the workloads (ex. SharePoint Online, OneDrive, and Teams) - Protect with Zero-Hour auto purge
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
You can do this for your users with either the Azure Active Directory Portal, or
You can look up the applications to which any individual user has granted permissions by using the [Azure Active Directory Portal](https://portal.azure.com/).
-1. Sign in to the Azure Portal with administrative rights.
+1. Sign in to the Azure portal with administrative rights.
2. Select the Azure Active Directory blade.
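Review bot: The casing fix to "Azure portal" is applied in step 1 only; the sentence directly above it still links to the "Azure Active Directory Portal" with a capital P. Lower-case that one as well so the two lines agree.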
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
Users will see enriched detonation details for known malicious attachments or hy
- When the Junk email rule is enabled on the mailbox, Exchange Online Protection (EOP) is able to move messages to Junk according to some criteria. The move can be based on spam filtering verdict action *Move message to Junk Email folder*, or on the Blocked Senders list on the mailbox. Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the *Safe Senders* list on the mailbox. - When the junk email rule is *disabled* on the mailbox, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action *Move message to Junk Email folder*, or the safe list collection on the mailbox. -- *Bulk Compliant Level (BCL)*: The Bulk Complaint Level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
+- *Bulk Complaint Level (BCL)*: The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
- *Spam Confidence Level (SCL)*: The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam.
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
Threat protection features are included in *all* Microsoft or Office 365 subscri
|Anti-phishing protection|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)| |Anti-spam protection|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)| |Zero-hour auto purge (for email)|[EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description)|
-|Protection from malicious URLs and files in email and Office documents (safe links and safe attachments)|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
-|Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads|[Defender for Office 365 ](turn-on-mdo-for-spo-odb-and-teams.md)|
+|Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments)|[Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)|
+|Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams workloads|[Defender for Office 365](turn-on-mdo-for-spo-odb-and-teams.md)|
|Advanced anti-phishing protection|[Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)| ### Roles and permissions
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The settings in Safe Links policies that apply to email messages are described i
- **Do not rewrite the following URLs**: Leaves URLs as they are. Keeps a custom list of safe URLs that don't need scanning. The list is unique for each Safe Links policy. For more information about the **Do not rewrite the following URLs** list, see the ["Do not rewrite the following URLs" lists in Safe Links policies](#do-not-rewrite-the-following-urls-lists-in-safe-links-policies) section later in this article.
-For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
+ For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
- **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:
The following settings in Safe Links policies that apply to links in email messa
- **Do not track user clicks** - **Do not allow users to click through to original URL**
-These settings are explained in the previous [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section.
+These settings are explained previously in [Safe Links settings for email messages](#safe-links-settings-for-email-messages).
After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked against a list of known malicious links when the protected user clicks the link (time-of-click protection). URLs are not rewritten. If a link is found to be malicious, users will have the following experiences:
When a user in an active Safe Links policy clicks a blocked link in a supported
You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-security--compliance-center).
-**Notes**:
--- For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).--- Limits:
- - The maximum number of entries is 500.
- - The maximum length of an entry is 128 characters.
- - All of the entries can't exceed 10,000 characters.
--- Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.--- A domain only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.--- You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.--- You can include up to three wildcards (`*`) per URL entry.
+> [!NOTE]
+>
+> - For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+>
+> - Limits:
+> - The maximum number of entries is 500.
+> - The maximum length of an entry is 128 characters.
+> - All of the entries can't exceed 10,000 characters.
+>
+> - Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.
+>
+> - A domain only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.
+>
+> - You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.
+>
+> - You can include up to three wildcards (`*`) per URL entry.
### Entry syntax for the "Block the following URLs" list
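Review bot: In the new NOTE block, "A domain only-URL" has the hyphen in the wrong place and should read "A domain-only URL". The limit "All of the entries can't exceed 10,000 characters" is also ambiguous as carried over; if it refers to the combined length of all entries, say "The combined length of all entries can't exceed 10,000 characters".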
Each Safe Links policy contains a **Do not rewrite the following URLs** list tha
To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-create-safe-links-policies) or [Modify Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-modify-safe-links-policies).
-**Notes**:
--- The following clients don't recognize the **Do not rewrite the following URLs** lists in Safe Links policies. Users included in the polices can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:-
- - Microsoft Teams
- - Office web apps
-
- For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
--- Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning.--- If you already have **Do not rewrite the following URLs** entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like `https://contoso.com/a` and you later decide to include subpaths like `https://contoso.com/a/b`. Instead of adding a new entry, add a wildcard to the existing entry so it becomes `https://contoso.com/a/*`.--- You can include up to three wildcards (`*`) per URL entry. Wildcards explicitly include prefixes or subdomains. For example, the entry `contoso.com` is not the same as `*.contoso.com/*`, because `*.contoso.com/*` allows people to visit subdomains and paths in the specified domain.
+> [!NOTE]
+>
+> - The following clients don't recognize the **Do not rewrite the following URLs** lists in Safe Links policies. Users included in the polices can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:
+>
+> - Microsoft Teams
+> - Office web apps
+>
+> For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+>
+> - Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning.
+>
+> - If you already have **Do not rewrite the following URLs** entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like `https://contoso.com/a` and you later decide to include subpaths like `https://contoso.com/a/b`. Instead of adding a new entry, add a wildcard to the existing entry so it becomes `https://contoso.com/a/*`.
+>
+> - You can include up to three wildcards (`*`) per URL entry. Wildcards explicitly include prefixes or subdomains. For example, the entry `contoso.com` is not the same as `*.contoso.com/*`, because `*.contoso.com/*` allows people to visit subdomains and paths in the specified domain.
### Entry syntax for the "Do not rewrite the following URLs" list
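Review bot: the typo "polices" in the first bullet ("Users included in the polices can be blocked...") is carried over unchanged from the removed text into the new `[!NOTE]` block; it should read "policies". Since this hunk already rewrites that line, fix it here. In the last bullet, the comparison of `contoso.com` with `*.contoso.com/*` would also be clearer if it said what the bare entry `contoso.com` does match, because this list exempts URLs from rewriting and an over-broad wildcard widens that exemption.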
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
The Microsoft 365 security center includes capabilities that protect your enviro
|**Anti-phishing**|Yes|If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. <p> Review [Anti-phishing policies in Office 365](set-up-anti-phishing-policies.md) and see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-atp-anti-phishing-policies.md).| |**Anti-Malware Engine**|Yes| Edit the default policy: <ul><li>Common Attachment Types Filter: Select On</li></ul> <p> You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>| |**Safe Attachments in Microsoft Defender for Office 365**|No|On the main page for Safe Attachments, click **Global settings** and turn on this setting: <ul><li>**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**</li></ul> <p> Create a Safe Attachments policy with these settings: <ul><li> **Block**: Select **Block** as the unknown malware response.</li><li>**Enable redirect**: Check this box and enter an email address, such as an admin or quarantine account.</li><li>**Apply the above selection if malware scanning for attachments times out or error occurs**: Check this box.</li><li>***Applied to**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Set up Safe Attachments policies](set-up-safe-attachments-policies.md)|
-|**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply safe links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links policies](set-up-safe-links-policies.md).|
+|**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply Safe Links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links policies](set-up-safe-links-policies.md).|
|**Anti-Spam (Mail filtering)**|Yes| What to watch for: <ul><li>Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy.</li><li>Spoof intelligence ΓÇö Review senders that are spoofing your domain. Block or allow these senders.</li></ul> <p> More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).| |***Email Authentication***|Yes|Email authentication uses a Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used: <ul><li>Sender Policy Framework (or SPF).</li><ul><li>For setup, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md).</li></ul> <li>DomainKeys Identified Mail (DKIM).</li><ul><li>See [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md).</li><li>After you've configured DKIM, enable it in the security center.</li></ul><li>Domain-based Message Authentication, Reporting, and Conformance (DMARC).</li><ul><li>For DMARC setup [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).</li></ul></ul>| |
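Review bot: in the added Safe Links row, the item "**Apply Safe Links to email messages sent within the organization**: Check this box" still lacks the trailing period that every sibling list item has. The capitalization fix is fine, so add the period in the same edit. The unchanged Safe Attachments row above also has unbalanced bold markup in `***Applied to**`, which is worth correcting while this table is open.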
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
the following settings:
- **Before submission**: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
- As noted, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
+ As noted, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
- > Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
+ > Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
- **After submission**: Click ![Expand icon](../../media/scc-expand-icon.png). In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type. When you're finished, click **Save**. To clear these values, click **Restore** back on the **User submissions** page.
- - **Customize the end-user reporting options**: Click this link. In the
-**Customize end-user reporting options** flyout that appears, enter the
-descriptive text for Junk email reporting options.
- Under **Options to show when messages are reported**, select at least
-one among the following options:
+ - **Customize the end-user reporting options**: Click this link. In the **Customize end-user reporting options** flyout that appears, enter the descriptive text for Junk email reporting options.
+
+ Under **Options to show when messages are reported**, select at least one among the following options:
- **Ask me before sending a report** - **Automatically send reports**
- - **Never send reports** \
- When you're finished, click **Save**.
- - **Send the reported messages to**: Make one of the following selections:
- - **Microsoft (Recommended)**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
- - **Both Microsoft and a custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
- - **Custom mailbox only**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
+ - **Never send reports**
+
+ When you're finished, click **Save**.
+
+ - **Send the reported messages to**: Make one of the following selections:
+
+ - **Microsoft (Recommended)**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
+
+ - **Both Microsoft and a custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
+
+ - **Custom mailbox only**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
- > [!NOTE]
- > U.S. Government organizations (GCC, GCC-H, and DoD) can only configure **Custom mailbox**. The other two options are disabled.
+ > [!NOTE]
+ > U.S. Government organizations (GCC, GCC-H, and DoD) can only configure **Custom mailbox**. The other two options are disabled.
- > [!NOTE]
- > If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
+ > [!NOTE]
+ > If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
When you're finished, click **Confirm**.
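Review bot: the re-indented U.S. Government note says these organizations can only configure **Custom mailbox**, but the option in the list above is labeled **Custom mailbox only**; use the exact option name so the note points to a selectable setting. The two consecutive `[!NOTE]` blocks both concern the custom-mailbox-only choice and could be merged into one. In the **Custom mailbox only** bullet, "Messages will not go to Microsoft unless the admin forwards it themselves" mixes plural and singular; "forwards them" reads correctly.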
one among the following options:
2. **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:
- Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
+ Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
- When you're finished, click **Confirm**.
+ When you're finished, click **Confirm**.
## Message submission format
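Review bot: the re-indented sentence under **Use this custom mailbox to receive user reported submissions** states the mailbox requirement twice, once as "already in Office 365" and once as "in Exchange Online". Collapse it to one sentence, for example "enter the email address of an existing Exchange Online mailbox that can receive email", which matches the wording used for the custom mailbox options earlier in the article. If distribution groups are also not allowed here, say so as the earlier bullets do.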
solutions Deploy Threat Protection Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection-configure.md
Title: Steps to configure threat protection capabilities across Microsoft 365 description: Use this article as a guide for implementing your threat protection solution. Deploy threat protection services and capabilities across Microsoft 365 E5.
-keywords: security, setup, configuration, Microsoft 365 E5, advanced threat protection
+keywords: security solution, setup, configuration, Microsoft 365 E5, advanced threat protection, defender
solutions Deploy Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection.md
Title: Deploy threat protection capabilities across Microsoft 365 description: Get an overview of threat protection services and security capabilities in Microsoft 365 E5. Protect your user accounts, devices, email content, and more with Microsoft 365 E5.
-keywords: threat protection, security, E5, cyberattack, malware, M365, solution
+keywords: advanced threat protection, security, microsoft 365 E5, solution, protect devices, defender
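Review bot: the new keywords line writes the product name as "microsoft 365 E5", while the companion article's keywords use "Microsoft 365 E5"; pick one casing for both files. The change also drops "threat protection", "cyberattack", "malware" and "M365" from the list; confirm that removing those terms is intended, since the title and description of this article still lead with "threat protection".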