Updates from: 05/11/2022 01:14:47
Category Microsoft Docs article Related commit history on GitHub Change details
admin Choose Device Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/choose-device-security.md
Or use the subscriptions that include some, or all of the previous standalone pl
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
admin Validate Settings On Android Or Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/validate-settings-on-android-or-ios.md
In the **Edit policy** pane, choose **Edit** next to **Protection against lost o
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
admin Validate Settings On Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/validate-settings-on-windows-10-pcs.md
After you [set up device policies](../../business-premium/m365bp-protection-sett
[Microsoft 365 for business documentation and resources](/admin) [Set device configurations for Windows 10 PCs](../../business-premium/m365bp-protection-settings-for-windows-10-devices.md)
-[Top 10 ways to secure Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md)
admin Review Threats Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/review-threats-take-action.md
If you have a file that you think was missed or wrongly classified as malware, y
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md)
[Overview of Microsoft Defender for Business](../../security/defender-business/mdb-overview.md) (Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022)
admin Plan Your Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/plan-your-setup.md
For larger organizations or if you're starting from Skype for Business, on-premi
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)
admin Set Up Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-windows-devices.md
On the **Sync status** page, choose **Sync** to get the latest mobile device man
To set up your mobile devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md),
-To increase protection, see [Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md).
+To increase protection, see [Best practices for securing Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md).
business-premium Create And Edit Autopilot Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/create-and-edit-autopilot-profiles.md
Once you've assigned a profile to a device, you can update it, even if you've al
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium Create Communications Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/create-communications-site.md
Learn all [about Communications sites](https://support.office.com/article/What-i
If you don't see the **+ Create** site link, self-service site creation might not be available in Microsoft 365. To create a team site, contact the person administering Microsoft 365 in your organization. If you're a Microsoft 365 admin, see [Manage site creation in SharePoint Online](/sharepoint/manage-site-creation) to enable self-service site creation for your organization or [Manage sites in the new SharePoint admin center](/sharepoint/manage-sites-in-new-admin-center) to create a site from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.
+## Next mission
+ Congratulations &mdash; you've completed the mission! Now, immediately turn your focus toward [protecting the managed devices](m365bp-protect-devices.md) for the entire org!
business-premium Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/index.md
In these first missions, sign in and set up your initial walls of defense, start
## Cybersecurity playbook
-The guidance in these missions helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
+The guidance in these missions is based upon the zero trust methodology and helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
Click the infographic to see a larger version, or [Download a copy of the Cybersecurity playbook poster](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf)!
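Review bot: "zero trust methodology" in the added sentence is introduced with no link or definition, so a reader of this index page has nothing to check the claim against. Link the term to the article that explains it, or add a short clause saying what it means for these missions. The same sentence is added unchanged under each "Cybersecurity playbook" heading, so the fix applies to every copy.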
We've included a set of missions here with some objectives that need to be compl
## Cybersecurity playbook
-The guidance in these missions helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
+The guidance in these missions is based upon the zero trust methodology and helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
Click the infographic to see a larger version, or [Download a copy of the Cybersecurity playbook poster](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf)!
A safe device is one that is monitored by the organization. In this last critica
## Cybersecurity playbook
-The guidance in these missions helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
+The guidance in these missions is based upon the zero trust methodology and helps your business achieve the goals described in the Harvard Kennedy School [Cybersecurity Campaign Playbook](https://go.microsoft.com/fwlink/p/?linkid=2015598). A summary is available for you to download.
Click the infographic to see a larger version, or [Download a copy of the Cybersecurity playbook poster](https://download.microsoft.com/download/9/c/1/9c167271-8209-492e-acc2-38a39d1834c2/m365bp-cybersecurity-playbook.pdf)!
business-premium M365bp Add Autopilot Devices And Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-add-autopilot-devices-and-profile.md
Title: "Use this step-by-step guide to add Autopilot devices and profile"
+ Title: "Use this step-by-step guide to add AutoPilot devices and profile"
f1.keywords: - NOCSH
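Review bot: the Title line changes the spelling from "Autopilot" to "AutoPilot", which no longer matches the spelling the previous title used. Keep "Autopilot" unless the rest of the article is being changed to match, and if the only other difference on this line is the leading space, drop the edit.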
business-premium M365bp App Protection Settings For Android And Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-app-protection-settings-for-android-and-ios.md
The following settings are available to manage how users access Office work file
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Autopilot Profile Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-autopilot-profile-settings.md
You can use AutoPilot profiles to control how Windows is installed on user devic
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Create And Edit Autopilot Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-create-and-edit-autopilot-devices.md
Devices must meet these requirements:
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Device Groups Mdb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-device-groups-mdb.md
You can create a new device group while you are in the process of creating or ed
10. On the **Review your policy** step, review all the settings, make any needed edits, and then choose **Create policy** or **Update policy**.
+## Next steps
+ Now that you've completed your primary missions, set up your [response teams](m365bp-security-incident-management.md) and [maintain your environment](m365bp-maintain-environment.md).
business-premium M365bp Device States https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-device-states.md
Devices in the **Device actions** list (Admin home \> **Device actions**) can ha
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Glossary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-glossary.md
description: "Glossary of terms for Microsoft 365 Business Premium"
|data exfiltration |Data files that are stolen and sent outside the network through email or other means. | |Defender |Microsoft's antivirus software, Microsoft Defender Antivirus. Go here for more information about [Microsoft Defender](https://support.microsoft.com/topic/.getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693).| |Device Group |A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them. In Microsoft 365 Business Premium (and Defender for Business), Device groups are stored in Azure Active Directory. |
+|device management |Device management is when the organization is actively protecting resources and data on all laptops, PCs, tablets and mobile devices in the organization.|
|encryption |Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. | |exploit |A piece of code that uses software vulnerabilities to gain access to your device and perform other tasks, such as installing malware. | |firewall |A Firewall is a security system to protect an internal network from unauthorized servers and networks based on predefined rules. It acts as a barrier and only allows the secured network to send or receive data. |
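Review bot: the new "device management" row defines the term with "is when" and describes only protection, while the neighbouring rows (encryption, exploit, firewall) define their term as a thing or a process. Reword it in that form, for example "The practice of actively protecting resources and data on all laptops, PCs, tablets and mobile devices in the organization."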
business-premium M365bp Increase Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-increase-protection.md
You can prevent people in your organization from sharing their calendars. You ca
If your users are allowed to share their calendars, see [these instructions](https://support.office.com/article/7ecef8ae-139c-40d9-bae2-a23977ee58d5) for how to share from Outlook on the web.
-Okay, now it's time to start your mission to [**set up BYOD devices**](m365bp-devices-overview.md).
+## Next steps
+
+Okay, now let's start the mission to [**set up BYOD devices**](m365bp-devices-overview.md).
business-premium M365bp Manage Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-manage-windows-devices.md
description: "Learn how to enable Microsoft 365 to protect local Active-Director
# Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium
-> [!NOTE]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
- If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication.+ To set up this protection, you can implement **Hybrid Azure AD joined devices**. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.
+> [!NOTE]
+> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
+ ## Watch: Configure Hybrid Azure Active Directory join This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.
At this point you should be able to see the policy **Enable automatic MDM enroll
## Related content -- [Synchronize domain users to Microsoft 365](../admin/setup/manage-domain-users.md)(article)\
+- [Synchronize domain users to Microsoft 365](../admin/setup/manage-domain-users.md)
+
+- [Create a group in the admin center](../admin/create-groups/create-groups.md)
+
+- [Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains)
+
+- [Set up self-service passwords](../admin/add-users/let-users-reset-passwords.md)
+
+- [Set up self-service group management](/azure/active-directory/enterprise-users/groups-self-service-management)
-- [Create a group in the admin center](../admin/create-groups/create-groups.md) (article)\
+- [Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
-- [Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains) (article)
+## Next objective:
-- [Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Prepare for Office client deployment](m365bp-prepare-for-office-client-deployment.md)
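Review bot: the added heading "## Next objective:" ends with a colon, while the same heading added in the other articles of this update is "## Next objective" with no colon. Drop the colon so the headings and their anchors are consistent. The blank "+" lines added between every item in the Related content list can also go, since the items form one list.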
business-premium M365bp Map Protection Features To Intune Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-map-protection-features-to-intune-settings.md
To find the Intune setting, sign in with your Microsoft 365 Business Premium adm
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Multifactor Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-multifactor-authentication.md
See more at [Set up multi-factor authentication in Microsoft 365](https://suppor
## Use the Outlook app on your devices
-After an admin has required the front-line users to use MFA then the authenticator app serves as a second form of authentication. We recommend you have them install and use the Outlook app to access their Microsoft 365 email. See [Set up mobile devices](../business/set-up-mobile-devices.md) for how to install Office apps, including Outlook, on a phone.
+After an admin has required the front-line users to use MFA then the authenticator app serves as a second form of authentication. We recommend you have them install and use the Outlook app to access their Microsoft 365 email. See [Set up mobile devices](../admin/setup/set-up-mobile-devices.md) for how to install Office apps, including Outlook, on a phone.
## Next objective Follow the guidance to [Install Office apps](m365bp-install-office-apps.md).
+
business-premium M365bp Onboard Devices Mdb https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-onboard-devices-mdb.md
If you want to offboard a device, use one of the following procedures:
## Next objective
-Take time to [review and edit poicies](m365bp-view-edit-create-mdb-policies.md).
-
+[Set up protection for your Windows devices](m365bp-protection-settings-for-windows-10-devices.md).
business-premium M365bp Prepare For Office Client Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-prepare-for-office-client-deployment.md
ms.assetid: ed34fff3-2881-4ed4-9906-1ba6bb8dd804
description: "Learn how to automatically install the 32-bit Office apps on Windows 10 computers and keep them updated."
-# Prepare for Office client deployment by Microsoft 365 Business Premium
+# Prepare to automatically install Office apps to client computers
-> [!NOTE]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
-
-## Prepare to automatically install Office apps to client computers
-
-You can use Microsoft 365 Business Premium to automatically install the 32-bit Office apps on Windows 10 computers and keep them current with updates.
+Use Microsoft 365 Business Premium to automatically install the 32-bit Office apps on Windows 10 computers and keep them current with updates.
-Automatic installation works best if the end user's computer is on Windows 10 Business and:
+Automatic installation works best if the computer:
+
+- is on Windows 10 Business.
-- Doesn't have existing Office desktop apps (Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access, and OneDrive).
-
- or
-
-- Has an existing version of Click-to-Run Office installed.
-
+- doesn't have existing Office desktop apps (Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access, and OneDrive) OR has an existing version of Click-to-Run Office installed.
+ To determine if you have the Click-to-Run version of Office, in any Office app go to **File** \> **Account** ( **Office Account** in Outlook). If you see **Office Updates** as shown in the following figure, then the installation was done by using Click-to-Run. ![Screenshot of Office updates in Office app Account.](./../media/e3439380-fa43-4ed6-ae5d-64851c297df5.png)
- **Who benefits from having this feature**
+## Requirements for using this feature
-The end user whose PC:
+Works with:
-- **Has** a Windows 10 Business user license, an active Microsoft 365 for business license, Windows 10 Creators Update, and is joined to Azure Active Directory.
-
-- **Doesn't have** 64-bit Office apps (example: Word, Excel, PowerPoint). If 64-bit Office apps are required, then this feature isn't a good fit because there's no support for triggering a 64-bit 2016 Click-to-Run version of Office from the Microsoft 365 for business admin console.
-
-- **Doesn't have** any 2016 Windows Installer (MSI) standalone apps (for example, Visio or Project). Microsoft 365 for business upgrades Office to the Click-to-Run version of Office 2016 and that doesn't work with Office 2016 MSI standalone apps.
-
-The following table shows what action the end users/admins may need to take, depending on their beginning state, to have a successful 32-bit Click-to-Run version of Office deployment from the Microsoft 365 for business admin console.<br/>
+- A user who has a Windows 10 Business user license, an active Microsoft 365 for business license, Windows 10 Creators Update, and is joined to Azure Active Directory.
+
+Doesn't work with:
+
+- 64-bit Office apps (example: Word, Excel, PowerPoint). If 64-bit Office apps are required, then this feature isn't a good fit because there's no support for triggering a 64-bit 2016 Click-to-Run version of Office from the Microsoft 365 for business admin console.
+
+- Any 2016 Windows Installer (MSI) standalone apps (for example, Visio or Project). Microsoft 365 for business upgrades Office to the Click-to-Run version of Office 2016, and that doesn't work with Office 2016 MSI standalone applications.
+
+The following table shows what action the end users or admins may need to take, depending on their beginning state, to have a successful 32-bit Click-to-Run version of Office deployment from the Microsoft 365 for business admin console.<br/>
|Starting Office install status|Action to take before Microsoft 365 for business Office install|End state|
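Review bot: under "Works with:", the rewritten bullet now says "A user who has ... Windows 10 Creators Update, and is joined to Azure Active Directory", which attaches the OS version and the Azure AD join to the user. The removed text was about "The end user whose PC" has these. Keep the subject as the PC, or split the bullet into user requirements (licenses) and device requirements (Creators Update, Azure AD join). In the list above it, the new items start in lower case and fold the removed "or" alternative into one bullet with "OR", which is harder to scan than the two bullets it replaces.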
The following table shows what action the end users/admins may need to take, dep
|Any existing Click-to-Run 64-bit version of Office |Uninstall the 64-bit Office apps, if it's OK to replace them with 32-bit Office apps |If Office 64-bit apps are removed, the Click-to-Run 32-bit version of Office 2016 is installed | |An existing MSI install of Office 2016 with or without standalone apps |Uninstall MSI Office 2016. |Click-to-Run 32-bit version of Office 2016 is installed. No change to standalone apps | |Existing MSI install of Office 2013 (or earlier) and/or standalone Office apps |None |Click-to-Run 32-bit version of Office 2016 with the pre-existing MSI Office install (and standalone apps) exist side-by-side |
-
+ **(\*) Note:** Does not upgrade to Click-to-Run 32-bit version of Office 2016 due to a known bug. A fix is in progress. +
+## Next objective
+
+[Review and edit device policies](m365bp-view-edit-create-mdb-policies.md)
business-premium M365bp Protect Admin Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-admin-accounts.md
To create additional admin accounts:
![Choose Users and then Active users in the left nav.](../media/Activeusers.png)
- 2. On the **Active users** page, select **Add a user** at the top of the page, and on the **New user** panel, enter the name and other information.
+ 1. On the **Active users** page, select **Add a user** at the top of the page.
- 3. Expand the **Roles** section, and choose **Global administrator** to give this user global admin access. You can also choose **Customized administrator** and choose any of the roles that are displayed.
+ 1. In the **Add a user** panel, enter basic information such as name and username information.
- Enter an alternate email in the **Alternative email address** text box. You can use this address to recover your password information if you get locked out. For Global admins, a billing statement will also be sent to this address.
+ 1. Enter and set up **Product licenses** information.
- ![Choose the administrator role.](../media/adminroles.png)
+ 1. In **Optional settings**, define the role of the user, including adding Admin center access if appropriate.
- 4. In the **Product licenses** section, move the selector for **Microsoft 365 Business** to **Off** and the **Create user without product license** to **On**.
+ :::image type="content" source="media/m365bp-global-admin.png" alt-text="Define new user roles.":::
- ![Choose the product license.](../media/productlicense.png)
+ 1. Finish and review your settings and select **Finish adding** to confirm the details.
## Create an emergency admin account
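Review bot: the rewritten steps drop three pieces of guidance that the removed steps carried for admin accounts: choosing **Global administrator** (or a customized admin role), entering an alternate email address for recovery after a lockout, and creating the user without a product license. The new step 3 only says "Enter and set up **Product licenses** information" and step 4 only says to define the role "if appropriate". If the new Add a user panel still supports these choices, say which options to pick for an admin account. Also check the added image path "media/m365bp-global-admin.png": the other images in this section are referenced from "../media/".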
You should also create a backup account that isn't set up with multi-factor auth
## Create a user account for yourself
-Use your user account to participate in collaboration with your organization, including checking mail. This means your admin credentials might be similar to *Alice.Chavez<span></span>@Contoso.org* and your regular user account might be similar to *Alice<span></span>@Contoso.com*.
+Use your user account to participate in collaboration with your organization, including checking mail. This means your admin credentials might be similar to *Alice.Chavez<span></span>@Contoso.org*, for example, and your regular user account might be similar to *Alice<span></span>@Contoso.com*.
To create a new user account: 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">Microsoft 365 admin center</a> and then choose **Users** \> **Active users** in the left nav.
-2. On the **Active users** page, select **Add a user** at the top of the page, and on the **New user** panel, enter the name and other information.
+1. On the **Active users** page, select **Add a user** at the top of the page, and on the **Add a user** panel, enter the name and other information.
-3. Expand the **Roles** section, and choose **User (no administrative access)**.
+1. In the **Product Licenses** section, select the check box for **Microsoft 365 Business Premium (no administrative access)**.
-4. In the **Product licenses** section, move the selector for **Microsoft 365 Business** to **On**.
+1. In the **Optional settings** section, leave the default radio button selected for **User (no admin center access)**.
+
+1. Finish and review your settings and select **Finish adding** to confirm the details.
## Additional recommendations
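Review bot: in the added Product Licenses step, the check box is named "**Microsoft 365 Business Premium (no administrative access)**". The qualifier "(no administrative access)" belonged to the role option in the removed Roles step and looks carried over into the license name by mistake. Confirm the label against the panel. The role step that follows uses "User (no admin center access)", so only one of the two should carry that wording. The heading case also differs between "Product Licenses" here and "Product licenses" in the admin-account steps earlier in the file.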
business-premium M365bp Protect Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-devices.md
description: "An overview for how to set up and secure managed devices from secu
# Set up and secure managed devices
-Welcome to your final critical mission. Here, you will onboard and implement protection for all the managed devices in your organization. Onboard with Defender to ensure malware and antivirus is always up-to-date, and set policies that help lock down your systems. Rest assured, you've done what you can to be protected once these objectives have been achieved!
+Welcome to your final critical mission. Here, you will onboard and implement protection for all the managed devices in your organization. You'll want to onboard with Defender to ensure malware and antivirus is always up-to-date, and set policies that help lock down your systems. Then, make sure all the Windows devices are protected and set up for Office deployment. Rest assured, you've done what you can to be protected once these objectives have been achieved!
Your mission objectives:
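Review bot: the rewritten paragraph keeps the phrase "ensure malware and antivirus is always up-to-date", which says that malware is kept up to date. Since this sentence is being edited anyway, change it to something like "ensure antimalware and antivirus protection is always up to date". The closing sentence "Rest assured, you've done what you can to be protected once these objectives have been achieved!" would also read more clearly with the condition first.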
business-premium M365bp Protect Pcs Macs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-pcs-macs.md
You can also reduce the risk of malware by using software only from reliable sou
**Turn on firewall protection**<p> Use firewall settings to protect your Mac from unwanted contact initiated by other computers when you're connected to the Internet or a network. Without this protection, your Mac might be more vulnerable to unauthorized access. See [about the application firewall](https://support.apple.com/HT201642) for instructions.
+## Next mission
+ Okay, mission complete! Now, let's work on [securing the email system](m365bp-protect-email-overview.md) against phishing and other attacks.
business-premium M365bp Protection Settings For Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protection-settings-for-windows-10-devices.md
Title: "Edit or set application protection settings for Windows 10 devices"
+ Title: "Edit or set application protection settings for Windows devices"
search.appverid:
- MET150 - MOE150 ms.assetid: 02e74022-44af-414b-9d74-0ebf5c2197f0
-description: "Learn how to create or edit app management policies and protect work files on your users' personal Windows 10 devices."
+description: "Learn how to create or edit app management policies and protect work files on your users' personal Windows devices."
-# Set or edit application protection settings for Windows 10 devices
+# Set or edit application protection settings for Windows devices
-This article applies to Microsoft 365 Business Premium.
+This article describes how to set up application protection policies for your company's Windows devices.
-> [!NOTE]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
-
-## Edit an app management policy for Windows 10
+## Edit an app management policy for Windows devices
1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
This article applies to Microsoft 365 Business Premium.
4. Choose **Edit** next to a setting you want to change and then **Save**.
-## Create an app management policy for Windows 10
+## Create an app management policy for Windows devices
-If your users have personal Windows 10 devices on which they perform work tasks, you can protect your data on those devices as well.
+If your users have personal Windows devices on which they perform work tasks, you can protect your data on those devices.
1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
If your users have personal Windows 10 devices on which they perform work tasks,
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+
+## Next objective
+
+[Secure Windows devices](m365bp-secure-windows-devices.md)
business-premium M365bp Protection Settings For Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protection-settings-for-windows-10-pcs.md
For more information, see [How do protection features in Microsoft 365 Premium m
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Remove Company Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-remove-company-data.md
You can use Microsoft 365 for business to remove company data that your users ha
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Reset Devices To Factory Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-reset-devices-to-factory-settings.md
A factory reset reverts a device to the original settings it had when the device
## See also
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Secure Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-secure-windows-devices.md
description: "Learn about configuring the settings of the default device policy
# Secure Windows devices
-This article applies to Microsoft 365 Business Premium.
-
-The settings that you configure here are part of the default device policy for Windows 10 or 11. All users who connect a Windows device, including mobile devices and PCs, by signing in with their work account will automatically receive these settings. We recommend that you accept the default policy during setup and add policies later that target specific groups of users.
+The objective here is to configure settings that are part of the default device policy for Windows 10 or 11. All users who connect a Windows device, including mobile devices and PCs, by signing in with their work account will automatically receive these settings. We recommend that you accept the default policy during setup and add policies later that target specific groups of users.
## Settings to secure Windows 10 devices
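Review bot: The reworded introduction says the default device policy covers "Windows 10 or 11", but the heading that directly follows it is still "## Settings to secure Windows 10 devices". The app management article in this change set renames "Windows 10" to "Windows devices" in its headings; update this heading the same way so the scope of the settings is unambiguous for Windows 11 devices.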
By default all settings are **On**. The following settings are available: <br/><
|Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> | |Help protect files and folders on PCs from unauthorized access with BitLocker <br/> |BitLocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [BitLocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). <br/> | |Turn off device screen when idle for this amount of time <br/> |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. <br/> |+
+## Next objective
+
+[Manage Windows devices](m365bp-manage-windows-devices.md)
business-premium M365bp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-setup.md
Microsoft 365 Business Premium includes a guided process for basic setup. The gu
- [Adding users and assigning licenses](../admin/add-users/add-users.md) - [Updating your DNS records](../admin/setup/setup-business-basic.md#connect-your-domain)
-The following video shows the guided setup process for Microsoft 365 Business Basic, which works the same way in Microsoft 365 Business Premium.<br/><br/>
+The following video shows the guided setup process for Microsoft 365 Business Standard, which works the same way in Microsoft 365 Business Premium.<br/><br/>
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vk3W]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]
> [!TIP] > After you have added users, give them a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md). The guide walks them through signing in, getting Office apps, and saving, copying, and sharing files.
If you'd prefer to have a Microsoft partner help you get and set up Microsoft 36
4. Review the list of results. Select a provider to learn more about their expertise and the services they provide.
-Also see [Find your partner or reseller](../admin/manage/find-your-partner-or-reseller.md).
+## See also
+- [Find your partner or reseller](../admin/manage/find-your-partner-or-reseller.md)
+
+- [Set up self-service passwords](../admin/add-users/let-users-reset-passwords.md)
+
+- [Set up self-service group management](/azure/active-directory/enterprise-users/groups-self-service-management)
## Next objectives After you have finished your initial setup process, your next objectives are to set up your security and compliance capabilities:
business-premium M365bp View Edit Create Mdb Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-view-edit-create-mdb-policies.md
audience: Admin Previously updated : 03/14/2022 Last updated : 05/10/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: high
- M365-security-compliance
-# View and edit your device protection policies
+# View and edit device protection policies
-In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies. To help simplify your setup and configuration experience, you have preconfigured policies that help protect your organization's devices as soon as they are onboarded. Use the default policies, edit existing policies, or create your own policies.
+In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies in Microsoft Defender's security center or the Admin center. To help simplify setup and configuration, there are pre-configured policies that help protect your organization's devices as soon as they are onboarded. You can use the default policies, edit existing policies, or create your own policies.
**This guidance describes how to**: - Get an overview of your default policies-- View your existing policies-- Edit an existing policy-- Create a new policy
+- Work with device policies in Defender security center, Admin center, and InTune.
-## Default device protection policies
+## About the default device protection policies
Microsoft 365 Business Premium includes two main types of policies to protect your organization's devices: -- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured
+- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured.
-- **Firewall policies**, which determine what network traffic is permitted to flow to and from your organization's devices
+- **Firewall policies**, which determine what network traffic is permitted to flow to and from your organization's devices.
-These policies are part of Microsoft Defender for Business, which is included in your Microsoft 365 Business Premium subscription.
+These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium subscription. Information is provided for working with policies in the Microsoft Defender security center as well as how to work with policies in the Admin center and InTune.
-## View your existing device protection policies
+## Working with device polices in the Microsoft Defender security center
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+The following details apply to working with your policies in the security center.
-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+### View existing device protection policies
- :::image type="content" source="../medib-deviceconfiguration.png" alt-text="The Device Configuration page.":::
+To view your existing device protection policies in the security center:
-3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
-4. To view more details about a policy, select its name. A side pane will open that provides more information about that policy, such as which devices are protected by that policy.
+1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
- :::image type="content" source="../medib-deviceconfig-selectedpolicy.png" alt-text="Screenshot of a policy selected in the Device Configuration page..":::
+ :::image type="content" source="../medib-deviceconfiguration.png" alt-text="The Device configuration page.":::
-## Edit an existing device protection policy
+1. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+1. To view more details about a policy, select its name. A side pane will open that provides more information about that policy, such as which devices are protected by that policy.
-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+ :::image type="content" source="../medib-deviceconfig-selectedpolicy.png" alt-text="Screenshot of a policy selected in the Device configuration page..":::
-3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
+### Edit an existing device protection policy
-4. To edit a policy, select its name, and then choose **Edit**.
+To edit a device policy:
-5. On the **General information** tab, review the information. If necessary, you can edit the description. Then choose **Next**.
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
-6. On the **Device groups** tab, determine which device groups should receive this policy.
+1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+
+1. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under the **Next-generation protection** and **Firewall** categories.
+
+1. To edit a policy, select its name, and then choose **Edit**.
+
+1. On the **General information** tab, review the information. If necessary, you can edit the description. Then choose **Next**.
+
+1. On the **Device groups** tab, determine which device groups should receive this policy.
- To keep the selected device group as it is, choose **Next**. - To remove a device group from the policy, select **Remove**.
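Review bot: The new heading "## Working with device polices in the Microsoft Defender security center" misspells "policies"; fix it before the heading is published and other articles start linking to it. In the same hunk, the rewritten alt text "Screenshot of a policy selected in the Device configuration page.." still ends with a doubled period, and the portal is called "Microsoft Defender's security center" in the introduction but "the Microsoft 365 Defender portal" in step 1 of each procedure; use one name throughout.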
These policies are part of Microsoft Defender for Business, which is included in
After you have specified which device groups should receive the policy, choose **Next**.
-7. On the **Configuration settings** tab, review the settings. If necessary, you can edit the settings for your policy. To get help with this task, see the following articles:
+1. On the **Configuration settings** tab, review the settings. If necessary, you can edit the settings for your policy. To get help with this task, see the following articles:
- [Understand next-generation configuration settings](../security/defender-business/mdb-next-gen-configuration-settings.md) - [Firewall settings](../security/defender-business/mdb-firewall.md) After you have specified your next-generation protection settings, choose **Next**.
-8. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
+1. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
- Make any needed changes by selecting **Edit**. - When youΓÇÖre ready to proceed, choose **Update policy**.
-## Create a new device protection policy
+### Create a new device protection policy
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+To create a new device protection policy:
-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
-3. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.
+1. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).
-4. Under **Next-generation protection** or **Firewall**, select **+ Add**.
+1. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.
-5. On the **General information** tab, take the following steps:
+1. Under **Next-generation protection** or **Firewall**, select **+ Add**.
+
+1. On the **General information** tab, take the following steps:
1. Specify a name and description. This information will help you and your team identify the policy later on. 2. Review the policy order, and edit it if necessary. (For more information, see [Policy order](../security/defender-business/mdb-policy-order.md).)
- 3. Choose **Next**.
+ 3. Choose **Next**.
-7. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:
+1. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:
- Initially, you might only have your default device group, which includes the devices people in your organization are using to access organization data and email. You can keep and use your default device group.
- - Create a new device group to apply a policy with specific settings that are different from the default policy.
- - When you set up your device group, you specify certain criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.
+ - Create a new device group to apply a policy with specific settings that are different from the default policy.
+ - When you set up your device group, you specify certain criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.
- All device groups, including the default and custom device groups that you define, are stored in Azure Active Directory (Azure AD). To learn more about device groups, see [Device groups in Microsoft Defender for Business](../security/defender-business/mdb-create-edit-device-groups.md).
-8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).
+1. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-gen-configuration-settings.md).
-9. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
+1. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.
- Make any needed changes by selecting **Edit**. - When youΓÇÖre ready to proceed, choose **Create policy**.
-## Next objective
+## Using device policies in the Admin center
+
+The following information describes viewing and managing policies in the Microsoft Business Premium Admin center.
+
+### Working with device policies
+
+To work with policies in the Admin center:
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+
+1. On the left nav, choose **Devices** \> **Policies**.
+
+ On this page, you can create, edit, change target group, or delete a policy.
+
+ ![Screenshot of the Policies page.](../media/devicepolicies.png)
+
+### View and manage devices
+
+To view and manage policies:
+
+1. On the left nav, choose **Devices** \> **Manage**.
+
+ On this page, you can select one or more devices and remove company data. For Windows 10 devices for which you have set device protections settings, you can also choose to reset the device to factory settings.
+
+ ![Manage devices page.](../media/devicesmanage.png)
+
+## Working with device policies in InTune
+
+Use the following information to create and manage device policies in InTune, done through Endpoint security in the Microsoft Endpoint Manager admin center.
+
+### Create, duplicate and edit policies
+
+To create a policy in InTune
+
+1. Sign in to the Microsoft Endpoint Manager admin center.
+
+1. Select **Endpoint security** and the type of policy you want to configure, and then select **Create Policy**.
+
+1. Choose from the following policy types:
+
+ - Antivirus
+ - Disk encryption
+ - Firewall
+ - Endpoint detection and response
+ - Attack surface reduction
+ - Account protection
+ - Enter the following properties:
+
+1. Platform: Choose the platform for which you're creating the policy. The available options depend on the policy type you select.
+
+1. Profile: Choose from the available profiles for the platform you selected. For information about the profiles, see the dedicated section in this article for your chosen policy type.
+
+1. Select **Create**.
-Set up and manage [device groups](m365bp-device-groups-mdb.md).
+1. On the Basics page, enter a name and description for the profile, then choose **Next**.
+
+1. On the Configuration settings page, expand each group of settings, and configure the settings you want to manage with this profile.
+
+1. When you're done configuring settings, select **Next**.
+
+1. On the Scope tags page, choose **Select scope tags** to open the **Select tags** pane to assign scope tags to the profile.
+
+1. Select **Next** to continue.
+
+1. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.
+
+1. Select **Next**.
+
+1. On the Review + create page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
+
+To duplicate a policy in InTune:
+
+1. Sign in to the Microsoft Endpoint Manager admin center.
+
+1. Select the policy that you want to copy. Next, select **Duplicate** or select the ellipsis **(…)** to the right of the policy and select **Duplicate**.
+1. Provide a New name for the policy, and then select **Save**.
+
+To edit a policy:
+
+1. Select the new policy, and then select **Properties**.
+
+1. Select **Settings** to expand a list of the configuration settings in the policy. You canΓÇÖt modify the settings from this view, but you can review how they're configured.
+
+1. To modify the policy, select **Edit** for each category where you want to make a change:
+
+ - Basics
+ - Assignments
+ - Scope tags
+ - Configuration settings
+
+1. After youΓÇÖve made changes, select **Save** to save your edits. Edits to one category must be saved before you can introduce edits to any additional categories.
+
+## Manage conflicts
+
+Many of the device settings that you can manage with Endpoint security policies are also available through other policy types in Intune. These other policy types include device configuration policies and security baselines. Because settings can be managed through several different policy types or by multiple instances of the same policy type, be prepared to identify and resolve policy conflicts for devices that don't adhere to the configurations you expect.
+
+Security baselines can set a non-default value for a setting to comply with the recommended configuration that baseline addresses.
+
+Other policy types, including the endpoint security policies, set a value of Not configured by default. These other policy types require you to explicitly configure settings in the policy.
+
+Regardless of the policy method, managing the same setting on the same device through multiple policy types, or through multiple instances of the same policy type can result in conflicts that should be avoided.
+
+## See also
+
+[Manage endpoint security in Microsoft InTune](/mem/intune/protect/endpoint-security)
+
+[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+
+## Next objective
+[Set up and manage device groups](m365bp-device-groups-mdb.md).
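Review bot: In the new "To create a policy in InTune" procedure, "Enter the following properties:" is added as the last bullet of the policy-type list, and "Platform:" and "Profile:" follow as their own numbered steps, so the list reads as a seventh policy type followed by two steps that are really properties. Make "Enter the following properties" a numbered step with Platform and Profile as its sub-bullets. Other points in this hunk: "To view and manage policies:" introduces a step that manages devices, under "### View and manage devices"; "see Assign user and device profiles" has no link, and "see the dedicated section in this article for your chosen policy type" refers to a section that does not appear in the added text; "To edit a policy:" opens with "Select the new policy" without saying how to reach the policy list; and the product is written "InTune" in the headings and steps but "Intune" under "## Manage conflicts".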
business-premium M365bp View Policies And Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-view-policies-and-devices.md
- Title: "View policies and devices"-- NOCSH-------- M365-subscription-management-- M365-identity-device-management-- Adm_TOC--- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- BCS160-- MET150
-description: "View device policies and actions by signing in to Microsoft 365 for business."
--
-# View and manage policies and devices
-
-This article applies to Microsoft 365 Business Premium.
-
-> [!NOTE]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
-
-## View and edit device policies
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-2. On the left nav, choose **Devices** \> **Policies**.
-
- On this page, you can create, edit, change target group, or delete a policy.
-
- ![Screenshot of the Policies page.](../media/devicepolicies.png)
-
-## View and manage devices
-
-1. On the left nav, choose **Devices** \> **Manage**.
-
- On this page, you can select one or more devices and remove company data. For Windows 10 devices that you have set device protections settings for, you can also choose to reset the device to factory settings.
-
- ![Manage devices page.](../media/devicesmanage.png)
-
-## See also
-
-[Top 10 ways to secure Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium Send Encrypted Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/send-encrypted-email.md
For more information, see [Define mail flow rules to encrypt email messages](../
You can also apply branding to customize the look and the text in the email messages. For more information, see [Add your organization's brand to your encrypted messages](../compliance/email-encryption.md).
-If you've gotten this far, you've successfully completed another mission, so congratulations! There's no time to rest on our successes, so let's get right to setting up a safe and secure environment in which the team can [collaborate safely](m365bp-collaborate-share-securely.md).
+## Next mission
+If you've gotten this far, you've successfully completed another mission, so congratulations! There's no time to rest on our successes, so let's get right to setting up a safe and secure environment in which the team can [collaborate safely](m365bp-collaborate-share-securely.md).
compliance Archive 17A 4 Blackberry Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-blackberry-data.md
After you create a BlackBerry DataParser connector, you can view the connector s
2. Click the **Connectors** tab and then select the BlackBerry DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud.
## Known issues
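Review bot: The rewritten step 3 in the BlackBerry article stops at "This log contains information about the data that's been imported to the Microsoft cloud.", while the same step in the Bloomberg, Cisco Jabber, FactSet, Fuze and other DataParser connector articles in this change set also adds "For more information, see [View admin logs for data connectors](data-connector-admin-logs.md)." Add that sentence here as well so an admin checking the BlackBerry connector log gets the same pointer to the log documentation.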
compliance Archive 17A 4 Bloomberg Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-bloomberg-data.md
After you create a Bloomberg DataParser connector, you can view the connector st
2. Click the **Connectors** tab and then select the Bloomberg DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Cisco Jabber Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-cisco-jabber-data.md
After you create a Cisco Jabber DataParser connector, you can view the connector
2. Click the **Connectors** tab and then select the Cisco Jabber DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Factset Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-factset-data.md
After you create a FactSet DataParser connector, you can view the connector stat
2. Click the **Connectors** tab and then select the FactSet DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Fuze Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fuze-data.md
After you create a Fuze DataParser connector, you can view the connector status
2. Click the **Connectors** tab and then select the Fuze DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-fxconnect-data.md
After you create a FX Connect DataParser connector, you can view the connector s
2. Click the **Connectors** tab and then select the FX Connect DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Ice Im Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-ice-im-data.md
After you create an ICE DataParser connector, you can view the connector status
2. Click the **Connectors** tab and then select the ICE DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Investedge Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-investedge-data.md
After you create a InvestEdge DataParser connector, you can view the connector s
2. Click the **Connectors** tab and then select the InvestEdge DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
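Review bot: the leading context line of this hunk reads "After you create a InvestEdge DataParser connector"; it should be "an InvestEdge". Step 3 of this article is being edited anyway, so fix the article in the same change.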
compliance Archive 17A 4 Liveperson Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-liveperson-data.md
After you create a LivePerson Conversational Cloud DataParser connector, you can
2. Click the **Connectors** tab and then select the LivePerson Conversational Cloud DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Quip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-quip-data.md
After you create a Quip DataParser connector, you can view the connector status
2. Click the **Connectors** tab and then select the Quip DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Refinitiv Messenger Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-refinitiv-messenger-data.md
After you create a Refinitiv Eikon Messenger DataParser connector, you can view
2. Click the **Connectors** tab and then select the Refinitiv Eikon Messenger DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-servicenow-data.md
After you create a ServiceNow DataParser connector, you can view the connector s
2. Click the **Connectors** tab and then select the ServiceNow DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Skype For Business Server Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-skype-for-business-server-data.md
After you create a Skype for Business Server DataParser connector, you can view
2. Click the **Connectors** tab and then select the Skype for Business Server DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-slack-data.md
After you create a Slack DataParser connector, you can view the connector status
2. Click the **Connectors** tab and then select the Slack DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Sql Database Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-sql-database-data.md
After you create a SQL DataParser connector, you can view the connector status i
2. Click the **Connectors** tab and then select the SQL DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-symphony-data.md
After you create a Symphony DataParser connector, you can view the connector sta
2. Click the **Connectors** tab and then select the Symphony DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Webex Teams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-webex-teams-data.md
After you create a Cisco Webex DataParser connector, you can view the connector
2. Click the **Connectors** tab and then select the Cisco Webex DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive 17A 4 Zoom Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-zoom-data.md
After you create a Zoom DataParser connector, you can view the connector status
2. Click the **Connectors** tab and then select the Zoom DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Celltrust Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-celltrust-data.md
After you create the CellTrust connector, you can view the connector status in t
2. Click the **Connectors** tab and then select the **CellTrust** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Ciscojabberonmssql Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonmssql-data.md
After you create the Cisco Jabber on MS SQL connector, you can view the connecto
2. Click the **Connectors** tab and then select the **Cisco Jabber on MS SQL** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Ciscojabberonoracle Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonoracle-data.md
After you create the Cisco Jabber on Oracle connector, you can view the connecto
2. Click the **Connectors** tab and then select the **Cisco Jabber on Oracle** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Ciscojabberonpostgresql Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonpostgresql-data.md
After you create the Cisco Jabber on PostgreSQL connector, you can view the conn
2. Click the **Connectors** tab and then select the **Cisco Jabber on PostgreSQL** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Eml Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-eml-data.md
After you create the EML connector, you can view the connector status in the com
2. Click the **Connectors** tab and then select the **EML** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Fxconnect Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-fxconnect-data.md
After you create the FX Connect connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **FX Connect** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Jive Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-jive-data.md
After you create the Jive connector, you can view the connector status in the co
2. Click the **Connectors** tab and then select the **Jive** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Mssqldatabaseimporter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-mssqldatabaseimporter-data.md
After you create the MS SQL Database Importer connector, you can view the connec
2. Click the **Connectors** tab and then select the **MS SQL Database** **Importer** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
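Review bot: step 2 in this hunk's context writes the connector name as two adjacent bold spans, `**MS SQL Database** **Importer**`, while the intro line calls it "MS SQL Database Importer". Merge it into a single `**MS SQL Database Importer**` span so the UI label reads as one name, since this procedure is already being touched.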
compliance Archive Pivot Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-pivot-data.md
After you create the Pivot connector, you can view the connector status in the c
2. Click the **Connectors** tab and then select the **Pivot** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Redtailspeak Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-redtailspeak-data.md
After you create the Redtail Speak connector, you can view the connector status
2. Select the **Connectors** tab and then select the **Redtail Speak** connector to display the flyout page. This page displays properties and information about the connector.
-3. Under **Connector status with source**, select the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, select the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
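Review bot: step 3 here keeps "select the **Download log** link", while the same step in the other connector articles in this change still says "click the **Download log** link". The new sentence is otherwise identical across the set, so pick one verb and apply it to all of them in this pass rather than leaving the wording split.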
compliance Archive Reutersdealing Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-reutersdealing-data.md
After you create the Reuters Dealing connector, you can view the connector statu
2. Click the **Connectors** tab and then select the **Reuters Dealing** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Reuterseikon Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-reuterseikon-data.md
After you create the Reuters Eikon connector, you can view the connector status
2. Click the **Connectors** tab and then select the **Reuters Eikon** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Reutersfx Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-reutersfx-data.md
After you create the Reuters FX connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **Reuters FX** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Ringcentral Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ringcentral-data.md
After you create the RingCentral connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **RingCentral** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Servicenow Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-servicenow-data.md
After you create the ServiceNow connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **ServiceNow** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Skypeforbusiness Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-skypeforbusiness-data.md
After you create the Skype for Business connector, you can view the connector st
2. Click the **Connectors** tab and then select the **Skype for Business** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Slack Data Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-slack-data-microsoft.md
After you create the Slack eDiscovery connector, you can view the connector stat
2. Click the **Connectors** tab and then select the **Slack eDiscovery** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Slack Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-slack-data.md
After you create the Slack eDiscovery connector, you can view the connector stat
2. Click the **Connectors** tab and then select the **Slack eDiscovery** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
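Review bot: the intro line and step 2 of this file name the "Slack eDiscovery" connector, the same name used in `archive-slack-data-microsoft.md` in the preceding hunk, and both receive the same step 3 edit. If one article supersedes the other, redirect the older one instead of maintaining parallel copies. If both are intentional, the two step 2 lines should at least agree; one says "flyout page, which contains" and the other "flyout page. This page contains".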
compliance Archive Symphony Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-symphony-data.md
After you create the Symphony connector, you can view the connector status in th
2. Click the **Connectors** tab and then select the **Symphony** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Text Delimited Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-text-delimited-data.md
After you create the Text- Delimited connector, you can view the connector statu
2. Click the **Connectors** tab and then select the **Text- Delimited** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
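Review bot: the connector name appears as "Text- Delimited" with a space after the hyphen, both in the intro context line and in the bold label in step 2. That looks like a stray space; check the label shown on the **Connectors** tab and correct both occurrences in this change if the UI shows "Text-Delimited".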
compliance Archive Veritas Twitter Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-veritas-twitter-data.md
After you create the Twitter connector, you can view the connector status in the
2. Click the **Connectors** tab and then select the **Twitter** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Webexteams Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-webexteams-data.md
After you create the Webex Teams connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **Webex Teams** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Webpagecapture Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-webpagecapture-data.md
After you create the Webpage Capture connector, you can view the connector statu
2. Click the **Connectors** tab and then select the **Webpage Capture** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Workplacefromfacebook Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-workplacefromfacebook-data.md
After you create the Workplace from Facebook connector, you can view the connect
2. Click the **Connectors** tab and then select the **Workplace from Facebook** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Xip Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-xip-data.md
After you create the XIP connector, you can view the connector status in the com
2. Click the **Connectors** tab and then select the **XIP** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Xslt Xml Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-xslt-xml-data.md
After you create the XSLT/XML connector, you can view the connector status in th
2. Click the **Connectors** tab and then select the **XSLT/XML** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Yieldbroker Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-yieldbroker-data.md
After you create the Yieldbroker connector, you can view the connector status in
2. Click the **Connectors** tab and then select the **Yieldbroker** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Youtube Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-youtube-data.md
After you create the YouTube connector, you can view the connector status in the
2. Click the **Connectors** tab and then select the **YouTube** connector to display the flyout page, which contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Archive Zoommeetings Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-zoommeetings-data.md
After you create the Zoom Meetings connector, you can view the connector status
2. Click the **Connectors** tab and then select the **Zoom Meetings** connector to display the flyout page. This page contains the properties and information about the connector.
-3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that has been imported to the Microsoft cloud.
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains information about the data that's been imported to the Microsoft cloud. For more information, see [View admin logs for data connectors](data-connector-admin-logs.md).
## Known issues
compliance Close Reopen Delete Core Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/close-reopen-delete-core-ediscovery-cases.md
When the legal case or investigation supported by a eDiscovery (Standard) case i
To close a case:
-1. In the compliance portal, click **eDiscovery** > **Core** to display the list of eDiscovery (Standard) cases in your organization.
+1. In the compliance portal, click **eDiscovery** > **eDiscovery (Standard)** to display the list of eDiscovery (Standard) cases in your organization.
2. Click the name of the case that you want to close.
To delete an eDiscovery hold:
To delete a case:
-1. In the compliance portal, click **eDiscovery** > **Core** to display the list of eDiscovery (Standard) cases in your organization.
+1. In the compliance portal, click **eDiscovery** > **eDiscovery (Standard)** to display the list of eDiscovery (Standard) cases in your organization.
2. Click the name of the case that you want to delete.
compliance Communication Compliance Channels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-channels.md
Use the following group management configurations to supervise individual user c
## Exchange email
-Mailboxes hosted on Exchange Online as part of your Microsoft 365 or Office 365 subscription are all eligible for message scanning. Exchange email messages and attachments matching communication compliance policy conditions may take up to 24 hours to process. Supported attachment types for communication compliance are the same as the [file types supported for Exchange mail flow rule content inspections](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection).
+Mailboxes hosted on Exchange Online as part of your Microsoft 365 or Office 365 subscription are all eligible for message scanning. Exchange email messages and attachments matching communication compliance policy conditions may approximately 24 hours to process. Supported attachment types for communication compliance are the same as the [file types supported for Exchange mail flow rule content inspections](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection).
## Yammer
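Review bot: The added sentence under **Exchange email** lost its verb: "may approximately 24 hours to process" should read "may take approximately 24 hours to process". The companion change in communication-compliance-configure.md keeps "take", so this looks like an editing slip rather than an intended wording.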
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
Follow these steps to test your communication compliance policy:
2. Send an email, Microsoft Teams chat, or Yammer message that meets the criteria you've defined in the communication compliance policy. This test can be a keyword, attachment size, domain, etc. Make sure you determine if your configured conditional settings in the policy are too restrictive or too lenient. > [!NOTE]
- > Email messages can take up to 24 hours to fully process in a policy. Communications in Microsoft Teams, Yammer, and third-party platforms can take up to 48 hours to fully process in a policy.
+ > Email messages can take approximately 24 hours to fully process in a policy. Communications in Microsoft Teams, Yammer, and third-party platforms can take approximately 48 hours to fully process in a policy.
3. Sign in to Microsoft 365 as a reviewer designated in the communication compliance policy. Navigate to **Communication compliance** > **Alerts** to view the alerts for your policies.
compliance Create A Report On Holds In Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-report-on-holds-in-ediscovery-cases.md
f1.keywords:
Previously updated : 9/11/2017 Last updated : 05/10/2022 audience: Admin
description: Learn how to generate a report that contains information about all
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-The script in this article lets eDiscovery administrators and eDiscovery managers generate a report that contains information about all holds that are associated with Core and eDiscovery (Premium) cases in the Microsoft Purview compliance portal. The report contains information such as the name of the case a hold is associated with, the content locations that are placed on hold, and whether the hold is query-based. If there are cases that don't have any holds, the script will create an additional report with a list of cases without holds.
+The script in this article lets eDiscovery administrators and eDiscovery managers generate a report that contains information about all holds that are associated with eDiscovery (Standard) and eDiscovery (Premium) cases in the Microsoft Purview compliance portal. The report contains information such as the name of the case a hold is associated with, the content locations that are placed on hold, and whether the hold is query-based. If there are cases that don't have any holds, the script will create an additional report with a list of cases without holds.
See the [More information](#more-information) section for a detailed description of the information included in the report.
The case holds report that's created when you run the script in this article con
- The name of the hold and the name of the eDiscovery case that the hold is associated with. -- Whether the hold is associated with a Core or eDiscovery (Premium) case.
+- Whether the hold is associated with a eDiscovery (Standard) or eDiscovery (Premium) case.
- Whether or not the eDiscovery case is active or closed.
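Review bot: In the added bullet, "associated with a eDiscovery (Standard) or eDiscovery (Premium) case" needs "an" instead of "a" now that "Core" has been replaced by a word starting with a vowel. The rename in the introductory paragraph reads correctly; only this bullet needs the article changed.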
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
The global admin for your organization has full permissions to create and manage
If you don't immediately see this option, first select **Show all**.
-2. On the **Labels** page, select **+ Create a label** to start the New sensitivity label configuration:
+2. On the **Labels** page, select **+ Create a label** to start the new sensitivity label configuration:
![Create a sensitivity label.](../media/create-sensitivity-label-full.png) > [!NOTE] > By default, tenants don't have any labels and you must create them. The labels in the example picture show default labels that were [migrated from Azure Information Protection](/azure/information-protection/configure-policy-migrate-labels).
-3. On the **Define the scope for this label** page, the options selected determine the label's scope for the settings that you can configure and where they will be visible when they are published:
+3. On the **Define the scope for this label** page, the options selected determine the label's scope for the settings that you can configure and where they will be visible when they're published:
![Scopes for sensitivity labels.](../media/sensitivity-labels-scopes.png)
The global admin for your organization has full permissions to create and manage
5. Repeat these steps to create more labels. However, if you want to create a sublabel, first select the parent label and select **...** for **More actions**, and then select **Add sub label**.
-6. When you have created all the labels you need, review their order and if necessary, move them up or down. To change the order of a label, select **...** for **More actions**, and then select **Move up** or **Move down**. For more information, see [Label priority (order matters)](sensitivity-labels.md#label-priority-order-matters) from the overview information.
+6. When you've created all the labels you need, review their order and if necessary, move them up or down. To change the order of a label, select **...** for **More actions**, and then select **Move up** or **Move down**. For more information, see [Label priority (order matters)](sensitivity-labels.md#label-priority-order-matters) from the overview information.
To edit an existing label, select it, and then select the **Edit label** button:
Set-Label -Identity $Label -LocaleSettings (ConvertTo-Json $DisplayNameLocaleSet
7. If you create more than one label policy that might result in a conflict for a user, review the policy order and if necessary, move them up or down. To change the order of a label policy, select **...** for **More actions**, and then select **Move up** or **Move down**. For more information, see [Label policy priority (order matters)](sensitivity-labels.md#label-policy-priority-order-matters) from the overview information.
-Completing the **Create policy** configuration automatically publishes the label policy. To make changes to a published policy, simply edit it. There is no specific publish or republish action for you to select.
+Completing the **Create policy** configuration automatically publishes the label policy. To make changes to a published policy, simply edit it. There's no specific publish or republish action for you to select.
To edit an existing label policy, select it, and then select the **Edit Policy** button:
You can also use [Remove-Label](/powershell/module/exchange/remove-label) and [R
In a production environment, it's unlikely that you will need to remove sensitivity labels from a label policy, or delete sensitivity labels. It's more likely that you might need to do one or either of these actions during an initial testing phase. Make sure you understand what happens when you do either of these actions.
-Removing a label from a label policy is less risky than deleting it, and you can always add it back to a label policy later if needed:
+Removing a label from a label policy is less risky than deleting it, and can always be added back later if needed. You won't be able to delete a label if it's still in a label policy.
-- When you remove a label from a label policy so that the label is no longer published to the originally specified users, the next time the label policy is refreshed, users no longer see that label to select in their Office app. However, if the label has been applied to documents or emails, the label isn't removed from that content. Any encryption that was applied by the label remains and the underlying protection template remains published. --- For labels that are removed but have previously been applied to content, users who are using built-in labeling for Word, Excel, and PowerPoint, still see the applied label name on the status bar. Similarly, labels that are removed that were applied to SharePoint sites still display the label name in the **Sensitivity** column.
+When you remove a label from a label policy so that the label is no longer published to the originally specified users, the next time the label policy is refreshed, users no longer see that label to select in their Office apps. If that label is already applied, the label isn't removed from the content or container. For example, users who are using built-in labeling in desktop apps for Word, Excel, and PowerPoint, still see the applied label name on the status bar. An applied container label continues to protect the Teams or SharePoint site.
In comparison, when you delete a label: - If the label applied encryption, the underlying protection template is archived so that previously protected content can still be opened. Because of this archived protection template, you won't be able to create a new label with the same name. Although it's possible to delete a protection template by using [PowerShell](/powershell/module/aipservice/remove-aipservicetemplate), don't do this unless you're sure you don't need to open content that was encrypted with the archived template. -- For desktop apps: The label information in the metadata remains, but because a label ID to name mapping is no longer possible, users don't see the applied label name displayed (for example, on the status bar) so users will assume the content isn't labeled. If the label applied encryption, the encryption remains and when the content is opened, users still see the name and description of the now archived protection template.
+- For documents stored in SharePoint or OneDrive and you've [enabled sensitivity labels for Office files](sensitivity-labels-sharepoint-onedrive-files.md): When you open the document in Office for the web, you won't see the label applied in the app, and the label name no longer displays in the **Sensitivity** column in SharePoint. If the deleted label applied encryption and the services can process the encrypted contents, the encryption is removed. Egress actions from these services result in the same outcome. For example, download, copy to, move to, and open with an Office desktop or mobile app. Although the label information remains in the file's metadata, apps can no longer map the label ID to a display name, so users will assume a file isn't labeled.
+
+- For documents stored outside SharePoint and OneDrive or you haven't enabled sensitivity labels for Office files, and for emails: When you open the content, the label information in the metadata remains, but without the label ID to name mapping, users don't see the applied label name displayed (for example, on the status bar for desktop apps). If the deleted label applied encryption, the encryption remains and users still see the name and description of the now archived protection template.
-- For Office on the web: Users don't see the label name on the status bar or in the **Sensitivity** column. The label information in the metadata remains only if the label didn't apply encryption. If the label applied encryption, and you've enabled [sensitivity labels for SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md), the label information in the metadata is removed and the encryption is removed.
+- For containers, such as sites in SharePoint and Teams: The label is removed and any settings that were configured with that label are no longer enforced. This action typically takes between 48-72 hours for SharePoint sites, and can be quicker for Teams and Microsoft 365 Groups.
-When you remove a sensitivity label from a label policy, or delete a sensitivity label, these changes can take up to 24 hours to replicate to all users and services.
+As with all label changes, removing a sensitivity label from a label policy or deleting a sensitivity label takes time to replicate to all users and services.
## Next steps
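Review bot: The rewritten opening sentence, "Removing a label from a label policy is less risky than deleting it, and can always be added back later if needed", makes "Removing a label" the subject of "can always be added back"; reword it so the label is what gets added back, for example "and you can always add the label back later if needed". Separately, the last added line replaces "can take up to 24 hours to replicate" with "takes time to replicate", which leaves admins with no bound to plan around; if the 24-hour figure is no longer accurate, give the expected window or link to the timing guidance. The new SharePoint and OneDrive bullet also says that deleting a label removes encryption from stored documents, a data-protection consequence that deserves a callout rather than a sentence in the middle of the bullet.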
compliance Data Connector Admin Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-connector-admin-logs.md
+
+ Title: "Use the admin log for data connectors to view status about importing data"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: medium
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+
+- seo-marvel-apr2020
+description: "Learn how to access and view admin logs for data connectors to get status information for the data imported by the connector."
++
+# View admin logs for data connectors
+
+After you create a data connector to import non-Microsoft data to Microsoft Purview, you can monitor the daily import status of the connector by downloading the admin logs for the data connector.
+
+> [!IMPORTANT]
+> Audit logging must be enabled for your organization to view admin log. It is enabled by default for Microsoft 365 and Office 365 organizations, but we strongly recommend that you verify auditing status of your organization. For instructions to check auditing status, please click here. For instructions to turn on auditing manually, please click here. Once auditing is turned on, it could take up to 48 hours to log import events. We strongly recommend enabling auditing before a connector is configured. Once a connector is configured, it could take up to 72 hours to generate logs that contains import status summary.
+
+## Before you view admin logs
+
+- Auditing must be enabled for your organization to generate and view admin log for your organization. Auditing is enabled by default in Microsoft Purview. However, we recommend that you verify auditing status of your organization. For instructions, see [Verify the auditing status for your organization](turn-audit-log-search-on-or-off.md#verify-the-auditing-status-for-your-organization). If you need to enable auditing for your organization, see [Turn on auditing](turn-audit-log-search-on-or-off.md#turn-on-auditing).
+
+- After auditing is turned on, it could take up to 48 hours to generate admin logs for data connectors. We recommend that you enable auditing before you create data connectors.
+
+- After a data connector is created, it can take up to 72 hours to generate admin logs that contain import status summary.
+
+- Admin logs are available for the previous seven days.
+
+## Download admin logs for data connectors
+
+1. Go to <https://compliance.microsoft.com/> and then click **Data connectors**.
+
+2. Click the **My connectors** tab and then select a data connector to display the fly out page, which contains information and properties about the data connector.
+
+3. Under **Admin logs**, click the **Download log** link to open an admin log.
+
+ ![Admins logs displayed on the data connector flyout page.](..\media\Data-connector-admin-logs1.png)
+
+4. View the following import status information in the admin log:
+
+ - **Import completion time**: timestamp (in UTC) when connector completes import from data source and all the below events are computed/updated against the import.
+ - **Items available from source**: count of items that were downloaded by Connector from data source.
+ - **Items available for import**: count of items that were available for import by Connector after fanout. Fanout represents the act of writing a message to all associated participants (sender, receiver etc.).
+ - **Items imported successfully**: count of items that were imported successfully by Connector into user mailboxes after fanout.
+ - **Items partially imported**: count of items that were imported successfully by Connector into user mailboxes after fanout but had attachments dropped.
+ - **Items skipped**: count of items that were skipped from being imported into user mailboxes after fanout due to it being duplicate items.
+ - **Items failed**: count of items that failed to be imported into user mailboxes after fanout due to it errors (like user mapping, item size exceeded etc.). Event is logged once per user for user mapping failures.
+
+ > [!NOTE]
+ > Items available for import should be a sum of items imported successfully, partially imported, skipped and failed.
+
+ - Summary of Failed item details:
+ - **Item id** ΓÇô unique identifier of the item
+ - **Source User ID** ΓÇô user id at source application
+ - **M365 User ID** ΓÇô User Principal Name in M365
+ - **Failure Reason** ΓÇô indicates the reason why the connector could not import the item
+
+ If there are no items ingested on a particular day, then the message below will be present in the log file:
+
+ No items ingested on date in *mm/dd/yyyy*.
+
+> [!NOTE]
+> If no items are imported on a particular day, the admin log contains the following message: `No items ingested on mm/dd/yyyy.`
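Review bot: The `[!IMPORTANT]` block near the top of the new article contains "please click here" twice with no link target, and it repeats the prerequisites that the **Before you view admin logs** section already gives with working links to turn-audit-log-search-on-or-off.md. Drop the block or replace the placeholders with those links. The "no items ingested" message is also stated twice at the end with different wording ("No items ingested on date in *mm/dd/yyyy*." and `No items ingested on mm/dd/yyyy.`); keep the one that matches the actual log text. Smaller points: the image path uses backslashes (`..\media\Data-connector-admin-logs1.png`) where the other image links in these articles use forward slashes, "due to it errors" in **Items failed** has a stray word, and the `Last updated` metadata line is empty.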
compliance Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption.md
To learn more, see the following resources:
[Plan for Microsoft 365 security and information protection capabilities](plan-for-security-and-compliance.md)
-[Top 10 ways to secure Microsoft 365 for business plans](/office365/admin/security-and-compliance/secure-your-business-data)
+[Best practices for securing Microsoft 365 for business plans](/office365/admin/security-and-compliance/secure-your-business-data)
[Microsoft Stream Video level encryption and playback flow](/stream/network-overview#video-level-encryption-and-playback-flow)
compliance Export Content In Core Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-content-in-core-ediscovery.md
After a search associated with a Microsoft Purview eDiscovery (Standard) case is
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> and sign in using the credentials for user account that has been assigned the appropriate eDiscovery permissions.
-2. In the left navigation pane of the compliance portal, select **Show all**, and then select **eDiscovery** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2174007" target="_blank">**Core**</a>.
+2. In the left navigation pane of the compliance portal, select **Show all**, and then select **eDiscovery** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2174007" target="_blank">**eDiscovery (Standard)**</a>.
3. On the **eDiscovery (Standard)** page, click the name of the case that you want to create the hold in.
compliance File Plan Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/file-plan-manager.md
ms.localizationpriority: high + search.appverid: - MOE150 - MET150 ms.assetid: af398293-c69d-465e-a249-d74561552d30 description: File plan provides advanced management capabilities for retention labels.- # Use file plan to create and manage retention labels
To access file plan, you must have one of the following admin roles:
- View-only Retention Manager
-In the Microsoft Purview compliance portal, go to **Solutions** > **Records management** > **File plan**:
-
-![File plan page](../media/compliance-file-plan.png).
+In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Solutions** > **Records management** > **File plan**.
If **Records management** doesn't display in the navigation pane, first scroll down, and select **Show all**.
All columns except the label **Name** can be displayed or hidden by selecting th
- No - Yes
+- **Relabel to** ΓÇöcurrently rolling outΓÇöidentifies if the label is configured to apply another label at the end of the retention period. Valid values:
+ - Blank or the selected label name
+ - **Retention duration** identifies the retention period. Valid values: - Days - Months
However, it can take up to two days for content explorer to show the items that
From your file plan, you can export the details of all retention labels into a .csv file to help you facilitate periodic compliance reviews with data governance stakeholders in your organization.
-To export all retention labels: On the **File plan** page, click **Export**:
-
-![Option to export file plan.](../media/compliance-file-plan-export-labels.png)
+To export all retention labels: On the **File plan** page, click **Export**.
A *.csv file that contains all existing retention labels opens. For example:
Use the following information to help you fill out the downloaded template to im
Label settings not currently supported for import: -- Multi-stage disposition review: Although you can configure the settings for a single disposition review stage when you import retention labels with a template, you can't specify additional review stages. Instead, configure these in the compliance center after the import succeeds.
+- Multi-stage disposition review: Although you can configure the settings for a single disposition review stage when you import retention labels with a template, you can't specify additional review stages. Instead, configure these in the compliance portal after the import succeeds.
+
+- Unlock this record by default (currently rolling out in preview): This setting isn't available in the template to import, and you can't select this setting in the compliance portal after the import succeeds.
-- Unlock this record by default (currently rolling out in preview): This setting isn't available in the template to import, and you can't select this setting in the compliance center after the import succeeds.
+- Replacement label (currently rolling out in preview): This setting isn't available in the template to import, but you can select this setting in the compliance portal after the import succeeds.
## Next steps
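Review bot: The added column description calls the feature **Relabel to** and marks it "currently rolling out", while the added import bullet calls what appears to be the same setting "Replacement label (currently rolling out in preview)". If these are the same feature, use one name and one rollout status in both places; if they differ, say how the column relates to the setting. The two screenshot removals also leave "To export all retention labels: On the **File plan** page, click **Export**." as the only guidance for locating the control, which is fine as long as the button label matches the current portal.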
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
The following table lists email message properties that can be searched by using
|Property|Property description|Examples|Search results returned by the examples| ||||| |AttachmentNames|The names of files attached to an email message.|`attachmentnames:annualreport.ppt` <p> `attachmentnames:annual*` <br/> `attachmentnames:.pptx`|Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard character ( * ) returns messages with the word "annual" in the file name of an attachment. The third example returns all attachments with the pptx file extension.|
-|Bcc|The Bcc field of an email message.<sup>1</sup>|`bcc:pilarp@contoso.com` <p> `bcc:pilarp` <p> `bcc:"Pilar Pinilla"`|All examples return messages with Pilar Pinilla included in the Bcc field.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Bcc|The Bcc field of an email message.<sup>1</sup>|`bcc:pilarp@contoso.com` <p> `bcc:pilarp` <p> `bcc:"Pilar Pinilla"`|All examples return messages with Pilar Pinilla included in the Bcc field.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Category|The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). The possible values are: <ul><li>blue<li>green<li>orange<li>purple<li>red<li>yellow</li></ul>|`category:"Red Category"`|Messages that have been assigned the red category in the source mailboxes.|
-|Cc|The Cc field of an email message.<sup>1</sup>|`cc:pilarp@contoso.com` <p> `cc:"Pilar Pinilla"`|In both examples, messages with Pilar Pinilla specified in the Cc field.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Cc|The Cc field of an email message.<sup>1</sup>|`cc:pilarp@contoso.com` <p> `cc:"Pilar Pinilla"`|In both examples, messages with Pilar Pinilla specified in the Cc field.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Folderid|The folder ID (GUID) of a specific mailbox folder. If you use this property, be sure to search the mailbox that the specified folder is located in. Only the specified folder will be searched. Any subfolders in the folder won't be searched. To search subfolders, you need to use the Folderid property for the subfolder you want to search. <p> For more information about searching for the Folderid property and using a script to obtain the folder IDs for a specific mailbox, see [Use Content search for targeted collections](use-content-search-for-targeted-collections.md).|`folderid:4D6DD7F943C29041A65787E30F02AD1F00000000013A0000` <p> `folderid:2370FB455F82FC44BE31397F47B632A70000000001160000 AND participants:garthf@contoso.com`|The first example returns all items in the specified mailbox folder. The second example returns all items in the specified mailbox folder that were sent or received by garthf@contoso.com.|
-|From|The sender of an email message.<sup>1</sup>|`from:pilarp@contoso.com` <p> `from:contoso.com`|Messages sent by the specified user or sent from a specified domain.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|From|The sender of an email message.<sup>1</sup>|`from:pilarp@contoso.com` <p> `from:contoso.com`|Messages sent by the specified user or sent from a specified domain.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|HasAttachment|Indicates whether a message has an attachment. Use the values **true** or **false**.|`from:pilar@contoso.com AND hasattachment:true`|Messages sent by the specified user that have attachments.| |Importance|The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as **high** or **low**.|`importance:high` <p> `importance:medium` <p> `importance:low`|Messages that are marked as high importance, medium importance, or low importance.| |IsRead|Indicates whether messages have been read. Use the values **true** or **false**.|`isread:true` <p> `isread:false`|The first example returns messages with the IsRead property set to **True**. The second example returns messages with the IsRead property set to **False**.| |ItemClass|Use this property to search specific third-party data types that your organization imported to Office 365. Use the following syntax for this property: `itemclass:ipm.externaldata.<third-party data type>*`|`itemclass:ipm.externaldata.Facebook* AND subject:contoso` <p> `itemclass:ipm.externaldata.Twitter* AND from:"Ann Beebe" AND "Northwind Traders"`|The first example returns Facebook items that contain the word "contoso" in the Subject property. The second example returns Twitter items that were posted by Ann Beebe and that contain the keyword phrase "Northwind Traders". <p> For a complete list of values to use for third-party data types for the ItemClass property, see [Use Content search to search third-party data that was imported to Office 365](use-content-search-to-search-third-party-data-that-was-imported.md).| |Kind|The type of email message to search for. 
Possible values: <p> contacts <p> docs <p> email <p> externaldata <p> faxes <p> im <p> journals <p> meetings <p> microsoftteams (returns items from chats, meetings, and calls in Microsoft Teams) <p> notes <p> posts <p> rssfeeds <p> tasks <p> voicemail|`kind:email` <p> `kind:email OR kind:im OR kind:voicemail` <p> `kind:externaldata`|The first example returns email messages that meet the search criteria. The second example returns email messages, instant messaging conversations (including Skype for Business conversations and chats in Microsoft Teams), and voice messages that meet the search criteria. The third example returns items that were imported to mailboxes in Microsoft 365 from third-party data sources, such as Twitter, Facebook, and Cisco Jabber, that meet the search criteria. For more information, see [Archiving third-party data in Office 365](https://www.microsoft.com/?ref=go).|
-|Participants|All the people fields in an email message. These fields are From, To, Cc, and Bcc.<sup>1</sup>|`participants:garthf@contoso.com` <p> `participants:contoso.com`|Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Participants|All the people fields in an email message. These fields are From, To, Cc, and Bcc.<sup>1</sup>|`participants:garthf@contoso.com` <p> `participants:contoso.com`|Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Received|The date that an email message was received by a recipient.|`received:2021-04-15` <p> `received>=2021-01-01 AND received<=2021-03-31`|Messages that were received on April 15, 2021. The second example returns all messages received between January 1, 2021 and March 31, 2021.|
-|Recipients|All recipient fields in an email message. These fields are To, Cc, and Bcc.<sup>1</sup>|`recipients:garthf@contoso.com` <p> `recipients:contoso.com`|Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Recipients|All recipient fields in an email message. These fields are To, Cc, and Bcc.<sup>1</sup>|`recipients:garthf@contoso.com` <p> `recipients:contoso.com`|Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Sent|The date that an email message was sent by the sender.|`sent:2021-07-01` <p> `sent>=2021-06-01 AND sent<=2021-07-01`|Messages that were sent on the specified date or sent within the specified date range.| |Size|The size of an item, in bytes.|`size>26214400` <p> `size:1..1048567`|Messages larger than 25 MB. The second example returns messages from 1 through 1,048,567 bytes (1 MB) in size.| |Subject|The text in the subject line of an email message. <p> **Note:** When you use the Subject property in a query, the search returns all messages in which the subject line contains the text you're searching for. In other words, the query doesn't return only those messages that have an exact match. For example, if you search for `subject:"Quarterly Financials"`, your results will include messages with the subject "Quarterly Financials 2018".|`subject:"Quarterly Financials"` <p> `subject:northwind`|Messages that contain the phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word northwind in the subject line.|
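Review bot: The Size row in the unchanged context of this table gives `size:1..1048567` and describes it as "1,048,567 bytes (1 MB)", but 1 MB is 1,048,576 bytes, the same unit the row's first example assumes when it treats `size>26214400` as 25 MB. This looks like transposed digits in both the query and the description. Since the change already touches this table, suggest correcting both to 1048576 so that a copied query covers the full first megabyte.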
Create a condition using common properties when searching mailboxes and sites in
|Condition|Description| ||| |Date|For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified.|
-|Sender/Author|For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the **OR** operator.<br>([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Sender/Author|For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the **OR** operator.<br>([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Size (in bytes)|For both email and documents, the size of the item (in bytes).| |Subject/Title|For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the **OR** operator. <p> **Note**: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations will be added to the condition value, and the search query will return an error.| |Retention label|For both email and documents, retention labels that can be automatically or manually applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. You can type part of the retention label name and use a wildcard or type the complete label name. For more information about retention labels, see [Learn about retention policies and retention labels](retention.md).|
Create a condition using mail properties when searching mailboxes or public fold
|Condition|Description| ||| |Message kind|The message type to search. This is the same property as the Kind email property. Possible values: <ul><li>contacts</li><li>docs</li><li>email</li><li>externaldata</li><li>fax</li><li>im</li><li>journals</li><li>meetings</li><li>microsoftteams</li><li>notes</li><li>posts</li><li>rssfeeds</li><li>tasks</li><li>voicemail</li></ul>|
-|Participants|All the people fields in an email message. These fields are From, To, Cc, and Bcc. ([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Participants|All the people fields in an email message. These fields are From, To, Cc, and Bcc. ([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Type|The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the **CTRL** key and then click two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list will be logically connected by the **OR** operator in the corresponding search query. <p> For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the **Message class** list, see [Item Types and Message Classes](/office/vba/outlook/Concepts/Forms/item-types-and-message-classes).| |Received|The date that an email message was received by a recipient. This is the same property as the Received email property.|
-|Recipients|All recipient fields in an email message. These fields are To, Cc, and Bcc. ([See Recipient Expansion](https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide#recipient-expansionSee))|
+|Recipients|All recipient fields in an email message. These fields are To, Cc, and Bcc. ([See Recipient Expansion](keyword-queries-and-search-conditions.md#recipient-expansion))|
|Sender|The sender of an email message.| |Sent|The date that an email message was sent by the sender. This is the same property as the Sent email property.| |Subject|The text in the subject line of an email message. <p> **Note**: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations will be added to the condition value, and the search query will return an error.|
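Review bot: The Sender row of this mail-conditions table has no Recipient Expansion reference, although the From property row and the Sender/Author condition row both receive the corrected link in this change. If recipient expansion also applies to the Sender condition, add the same `keyword-queries-and-search-conditions.md#recipient-expansion` link here. If it does not, a short statement to that effect would keep readers from assuming the three behave alike.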
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
At the end of the retention period, you choose whether you want the content to b
![Retention settings page.](../media/b05f84e5-fc71-4717-8f7b-d06a29dc4f29.png)
+As explained in the next section, retention labels have another option; to apply another retention label with its own retention period.
+ Before you configure retention, first familiarize yourself with capacity and storage limits for the respective workloads: - For SharePoint and OneDrive, retained items are stored in the site's Preservation Hold library, which is included in the site's storage quota. For more information, see [Manage site storage limits](/sharepoint/manage-site-collection-storage-limits) from the SharePoint documentation.
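Review bot: The added sentence "retention labels have another option; to apply another retention label with its own retention period" uses a semicolon where a colon is needed, since what follows is not an independent clause. Suggest "retention labels have another option: to apply another retention label with its own retention period."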
Before you configure retention, first familiarize yourself with capacity and sto
In extreme cases where a high volume of email is deleted in a short time period, either by users or automatically from policy settings, you might also need to configure Exchange to more frequently move items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in their archive mailbox. For step-by-step instructions, see [Increase the Recoverable Items quota for mailboxes on hold](increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+#### Relabeling at the end of the retention period
+
+> [!NOTE]
+> This option is currently rolling out in preview and is subject to change.
+
+When you configure a retention label to automatically apply a different retention label at the end of the retention period, the item is then subject to the retention settings of the newly selected retention label. This option lets you automatically change the retention settings for the item.
+
+You can change the replacement label after you've created and saved the primary retention label. For items that already have the primary retention label applied and within the configured retention period, the change of replacement label will synchronize to these items. As with other label changes, allow up to 7 days for this synchronization period.
+
+For the replacement label, you'll typically choose a label that has a longer retention period than the primary retention label. However, that isn't necessarily the case because of the label setting when to start the retention period. For example, the primary retention label is configured to start the retention period when the item is created, and the replacement label starts the retention period when labeled, or when an event occurs.
+
+If there's also a change in whether the label [marks the item as a record or a regularly record](declare-records.md), the replacement retention label can also change the [restrictions for what action are allowed or blocked](records-management.md#records) for that item.
+
+##### Relabeling example configuration
+
+You create and configure a retention label for an industry-compliance requirement to retain content for three years after it's created, and mark the item as a record. When this label is applied, users won't be able to delete the item from their app, because that's one of the restrictions of a record.
+
+At the end of the three years, you want to automatically retain the content for two more years because of internal compliance policies, but there's no need to mark it as a record with the restrictions that this configuration applies.
+
+To complete the configuration, you select the label setting to change the label at the end of the retention period, and choose a label that retains content for five years after the content was created, and doesn't mark the item as a record.
+
+With these concatenated settings, users will be able to delete the item from their app after three years but it remains accessible for eDiscovery searches for five years.
+
+##### Considerations for the relabeling option
+
+- You can't relabel a regulatory record but the replacement label can be configured to mark the content as a regulatory record.
+
+- You won't be able to delete a retention label that's selected as a replacement label.
+
+- You can choose a replacement label that's configured to apply another replacement label. There's no limit to the number of replacement labels an item can have.
+
+- If the replacement label marks the item as a record or regulatory record but can't be applied because the file is currently checked out, the relabel process is retried when the file is checked back in again, or checkout is discarded.
+
+- As a known issue for this preview, a replacement label is visible to users in Outlook only when that label is included in a published label policy for the same location, or it's configured for delete-only.
+
+##### Configuration paths for relabeling
+
+The option to relabel at the end of the retention period has two configuration paths when you create a retention label:
+
+- If you need to initially retain content with the primary label (most typical): On the **Define label settings** page, select **Retain items indefinitely or for a specific period** and specify the retention period. Then on the **Choose what happens after the retention period** page, select **Change the label** > **Choose a label**.
+
+- If you don't need to initially retain content with the primary label: On the **Define label settings** page, select **Enforce actions after a specific period**, specify the retention period, and then select **Change the label** > **Choose a label**.
+
+In both cases, the replacement label must already be created but doesn't need to be included in an existing label policy.
+
+![Change the label option after the retention period.](../media/change-label-option.png)
+
+Alternatively, disposition reviewers can manually select a replacement label as part of the [disposition review process](disposition.md#disposition-reviews) if the label setting **Start a disposition review** is selected on this **Choose what happens after the retention period** page.
+ ### Deleting content that's older than a specific age Retention settings can retain and then delete items, or delete old items without retaining them.
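Review bot: In the paragraph before "Relabeling example configuration", the link text "marks the item as a record or a regularly record" should read "regulatory record", and "restrictions for what action are allowed or blocked" should read "what actions are allowed or blocked". The first typo matters because the term is linked to declare-records.md and is the exact term the considerations list relies on ("You can't relabel a regulatory record"). Also consider rewording "because of the label setting when to start the retention period" to "because of the label setting that determines when the retention period starts", and replacing "concatenated settings" in the example with "combined settings".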
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Unlike retention policies, retention settings from retention labels travel with
- Use [trainable classifiers](classifier-learn-about.md) to identify content to label. -- Apply a default label for SharePoint documents.
+- Apply a default label for SharePoint items or Exchange messages.
-- Support [disposition review](./disposition.md) to review the content before it's permanently deleted.
+- Supported actions at the end retention period:
+ - [Disposition review](./disposition.md) to review the content before it's permanently deleted.
+ - Automatically apply another retention label
- Mark the content as a [record](records-management.md#records) as part of the label settings, and always have [proof of disposition](disposition.md#disposition-of-records) when content is deleted at the end of its retention period.
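Review bot: The new parent bullet "Supported actions at the end retention period:" is missing words and should read "at the end of the retention period". It is also a noun phrase in a list whose other items start with a verb (Use, Apply, Mark), so something like "Support actions at the end of the retention period:" would keep the list parallel. The second sub-bullet, "Automatically apply another retention label", lacks the closing period its sibling has.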
For standard retention labels (they don't mark items as a [record or regulatory
- When content already has a retention label applied, the existing label won't be automatically removed or replaced by another retention label with one possible exception: The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
- For more information about the label behavior when it's applied by using a default label:
-
- - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
- - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
+- When content already has a retention label applied, the existing label won't be automatically removed or replaced by another retention label with two possible exceptions:
+
+ - The existing label is configured to automatically apply a different retention label at the end of the retention period.
+ - The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.
+
+ For more information about the label behavior when it's applied by using a default label:
+ - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)
+ - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)
- If there are multiple auto-apply label policies that could apply a retention label, and content meets the conditions of multiple policies, the retention label for the oldest auto-apply label policy (by date created) is applied.
-When retention labels mark items as a record or a regulatory record, these labels are never automatically changed. Only admins for the container can manually change or remove retention labels that mark items as a record, but not regulatory records. For more information, see [Compare restrictions for what actions are allowed or blocked](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked).
+When retention labels mark items as a record or a regulatory record, these labels are never automatically changed during their configured retention period. Only admins for the container can manually change or remove retention labels that mark items as a record, but not regulatory records. For more information, see [Compare restrictions for what actions are allowed or blocked](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked).
#### Monitoring retention labels
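Review bot: The qualifier added to "these labels are never automatically changed during their configured retention period" applies to both records and regulatory records, so it now implies that a regulatory record's label can be changed automatically once the period ends. The relabeling considerations added to retention-settings.md in this same update say "You can't relabel a regulatory record". Suggest splitting the sentence so the end-of-period relabel exception is stated for records only and regulatory records are called out as never relabeled.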
Use the following table to help you identify whether to use a retention policy o
|Retention settings that can retain and then delete, retain-only, or delete-only |Yes |Yes | |Workloads supported: <br />- Exchange <br />- SharePoint <br />- OneDrive <br />- Microsoft 365 groups <br />- Skype for Business <br />- Teams<br />- Yammer|<br /> Yes <br /> Yes <br /> Yes <br /> Yes <br /> Yes <br /> Yes <br /> Yes | <br /> Yes, except public folders <br /> Yes <br /> Yes <br /> Yes <br /> No <br /> No <br /> No | |Retention applied automatically | Yes | Yes |
+|Automatically apply different retention settings at the end of the retention period | No | Yes |
|Retention applied based on conditions <br /> - sensitive info types, KQL queries and keywords, trainable classifiers, cloud attachments| No | Yes | |Retention applied manually | No | Yes | |End-user interaction | No | Yes |
compliance Search And Delete Teams Chat Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-and-delete-Teams-chat-messages.md
ms.assetid: 3526fd06-b45f-445b-aed4-5ebd37b3762a
description: "Use eDiscovery (Premium) and the Microsoft Graph Explorer to search for and purge chat messages in Microsoft Teams, and respond to data spillage incidents in Teams."
-# Search and purge chat messages in Teams (preview)
+# Search and purge chat messages in Teams (Preview)
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
Now you're ready to actually purge chat messages from Teams. You'll use the Micr
For information about using Graph Explorer, see [Use Graph Explorer to try Microsoft Graph APIs](/graph/graph-explorer/graph-explorer-overview).
+> [!IMPORTANT]
+> APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
+ > [!IMPORTANT] > To perform these three tasks in Graph Explorer, you may have to consent to the eDiscovery.Read.All and eDiscovery.ReadWrite.All permissions. For more information, see the "Consent to permissions" section in [Working with Graph Explorer](/graph/graph-explorer/graph-explorer-features#consent-to-permissions).
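Review bot: The added /beta alert sits directly above an existing [!IMPORTANT] alert about consenting to eDiscovery.Read.All and eDiscovery.ReadWrite.All, so the purge procedure now opens with two stacked alerts of the same severity. Suggest merging them or downgrading one to [!NOTE] so the permissions requirement stays prominent. The new text also tells readers to "use the Version selector" without saying where that selector is found; add a link or name the page it appears on.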
compliance Search For Content In Core Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-content-in-core-ediscovery.md
description: "Search for content that may be relevant to a eDiscovery (Standard)
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-After a Microsoft Purview eDiscovery (Standard) case is created and people of interest in the case are placed on hold, you can create and run one or more searches for content relevant to the case. Searches associated with a eDiscovery (Standard) case aren't listed on the **Content search** page in the Microsoft Purview compliance portal. These searches are listed on the **Searches** page of the Core eDiscover case the searches are associated with. This also means that searches associated with a case can only be accessed by case members.
+After a Microsoft Purview eDiscovery (Standard) case is created and people of interest in the case are placed on hold, you can create and run one or more searches for content relevant to the case. Searches associated with a eDiscovery (Standard) case aren't listed on the **Content search** page in the Microsoft Purview compliance portal. These searches are listed on the **Searches** page of the eDiscovery (Standard) case the searches are associated with. This also means that searches associated with a case can only be accessed by case members.
To create a eDiscovery (Standard) search:
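Review bot: The rewritten paragraph fixes the "Core eDiscover case" wording but still reads "Searches associated with a eDiscovery (Standard) case", and the unchanged lines around it repeat "a eDiscovery (Standard)" in the description and in "To create a eDiscovery (Standard) search:". These should all be "an eDiscovery (Standard)". Since the sentence is already being edited, fix the article in the same change.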
compliance Search For Ediscovery Activities In The Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-ediscovery-activities-in-the-audit-log.md
f1.keywords:
Previously updated : Last updated : 05/10/2022 audience: Admin
Content Search and eDiscovery-related activities (for Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium)) that are performed in Microsoft Purview compliance portal or by running the corresponding PowerShell cmdlets are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and eDiscovery (Standard) tasks in the compliance portal: -- Creating and managing Core and eDiscovery (Premium) cases
+- Creating and managing eDiscovery (Standard) and eDiscovery (Premium) cases
- Creating, starting, and editing Content searches
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Why a unified audit log? Because you can search the audit log for activities per
| Azure Information Protection|AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat | | Communication compliance|ComplianceSuperVisionExchange| | Content explorer|LabelContentExplorer|
+| Data connectors|ComplianceConnector|
| Data loss prevention (DLP)|ComplianceDLPSharePoint, ComplianceDLPExchange, DLPEndpoint| | Dynamics 365|CRM| | eDiscovery|Discovery, AeD|
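Review bot: The new "Data connectors|ComplianceConnector" row adds a record type to this table, but none of the visible hunks in this change add data connector operations to the Audited activities section that the sentence following the table sends readers to. Confirm that the section already lists the operations logged under ComplianceConnector, or add them, so that someone filtering the audit log on this record type can tell which activities to expect.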
Why a unified audit log? Because you can search the audit log for activities per
| Threat Intelligence|ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent| | Workplace Analytics|WorkplaceAnalytics| | Yammer|Yammer|
-|||
For more information about the operations that are audited in each of the services listed in the previous table, see the [Audited activities](#audited-activities) section in this article.
The following table describes the file and page activities in SharePoint Online
|(none)|PageViewedExtended|This is related to the "Viewed page" (PageViewed) activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period (up to 3 hours). <br/><br/> The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed. This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial (and more important) PageViewed event.| |View signaled by client|ClientViewSignaled|A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page. <br/><br/>**NOTE**: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. The system waits five minutes before it logs the same event when the same user's client signals that the page has been viewed again by the user.| |(none)|PagePrefetched|A user's client (such as website or mobile app) has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. <br/><br/> When the page content is rendered by the client (as per the user's request) a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.|
-||||
#### Frequently asked questions about FileAccessed and FilePreviewed events
The following table describes the folder activities in SharePoint Online and One
|Moved folder|FolderMoved|User moves a folder to a different location on a site.| |Renamed folder|FolderRenamed|User renames a folder on a site.| |Restored folder|FolderRestored|User restores a deleted folder from the recycle bin on a site.|
-||||
### SharePoint list activities
The following table describes activities related to when users interact with lis
|Updated site column|SiteColumnUpdated|A user updated a SharePoint site column by modifying one or more properties.| |Updated site content type|SiteContentTypeUpdated|A user updated a site content type by modifying one or more properties.| |Viewed list item|ListItemViewed|A user viewed a SharePoint list item. Once a user views a list item, the ListItemViewed event is not logged again for the same user for same list item for the next five minutes.|
-||||
### Sharing and access request activities
The following table describes the user sharing and access request activities in
|User added to secure link|AddedToSecureLink|A user was added to the list of entities who can use a secure sharing link.| |User removed from secure link|RemovedFromSecureLink|A user was removed from the list of entities who can use a secure sharing link.| |Withdrew sharing invitation|SharingInvitationRevoked|User withdrew a sharing invitation to a resource.|
-||||
### Synchronization activities
The following table lists file synchronization activities in SharePoint Online a
|Downloaded file changes to computer|FileSyncDownloadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).| |Uploaded files to document library|FileSyncUploadedFull|User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).| |Uploaded file changes to document library|FileSyncUploadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).|
-||||
### Site permissions activities
The following table lists events related to assigning permissions in SharePoint
|Requested site admin permissions|SiteAdminChangeRequest|User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.| |Restored sharing inheritance|SharingInheritanceReset|A change was made so that an item inherits sharing permissions from its parent.| |Updated group|GroupUpdated|Site administrator or owner changes the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.|
-||||
### Site administration activities
The following table lists events that result from site administration tasks in S
|Set storage quota for geo location|GeoQuotaAllocated|A SharePoint or global administrator configured the storage quota for a geo location in a multi-geo environment.| |Unjoined site from hub site|HubSiteUnjoined|A site owner disassociates their site from a hub site.| |Unregistered hub site|HubSiteUnregistered|A SharePoint or global administrator unregisters a site as a hub site. When a hub site is unregistered, it no longer functions as a hub site.|
-||||
### Exchange mailbox activities
The following table lists the activities that can be logged by mailbox audit log
|Updated message|Update|A message or its properties was changed.| |User signed in to mailbox|MailboxLogin|The user signed in to their mailbox.| |Label message as a record||A user applied a retention label to an email message and that label is configured to mark the item as a record. |
-||||
#### System accounts in Exchange mailbox audit records
The following table lists user administration activities that are logged when an
|Set property that forces user to change password|Set force change user password.|Administrator set the property that forces a user to change their password the next time the user signs in to Microsoft 365.| |Set license properties|Set license properties.|Administrator modifies the properties of a licensed assigned to a user.| |Updated user|Update user.|Administrator changes one or more properties of a user account. For a list of the user properties that can be updated, see the "Update user attributes" section in [Azure Active Directory Audit Report Events](/azure/active-directory/reports-monitoring/concept-audit-logs).|
-||||
### Azure AD group administration activities
The following table lists group administration activities that are logged when a
|Deleted group|Delete group.|A group was deleted.| |Removed member from group|Remove member from group.|A member was removed from a group.| |Updated group|Update group.|A property of a group was changed.|
-||||
### Application administration activities
The following table lists application admin activities that are logged when an a
|Removed a service principal from the directory|Remove service principal.|An application was deleted/unregistered from Azure AD. An application is represented by a service principal in the directory.| |Removed credentials from a service principal|Remove service principal credentials.|Credentials were removed from a service principal in Azure AD. A service principle represents an application in the directory.| |Set delegation entry|Set delegation entry.|An authentication permission was updated for an application in Azure AD.|
-||||
### Role administration activities
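Review bot: In the "Removed credentials from a service principal" row, the description says "A service principle represents an application in the directory", while the row above and both operation names spell it "service principal". Since this table is being touched anyway, correct the spelling so a text search on the term finds both rows.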
The following table lists Azure AD role administration activities that are logge
|Add member to Role|Add member to role.|Added a user to an admin role in Microsoft 365.| |Removed a user from a directory role|Remove member from role.|Removed a user to from an admin role in Microsoft 365.| |Set company contact information|Set company contact information.|Updated the company-level contact preferences for your organization. This includes email addresses for subscription-related email sent by Microsoft 365, and technical notifications about services.|
-||||
### Directory administration activities
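Review bot: The description for the `Remove member from role.` operation reads "Removed a user to from an admin role in Microsoft 365"; drop the stray "to" in the same pass as the table cleanup. The friendly names of the two role rows also differ in style ("Add member to Role" versus "Removed a user from a directory role") and could be aligned.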
The following table lists Azure AD directory and domain-related activities that
|Updated domain|Update domain.|Updated the settings of a domain in your organization.| |Verified domain|Verify domain.|Verified that your organization is the owner of a domain.| |Verified email verified domain|Verify email verified domain.|Used email verification to verify that your organization is the owner of a domain.|
-||||
### eDiscovery activities
Workplace Analytics provides insight into how groups collaborate across your org
|User logged in<sup>*</sup>| UserLoggedIn |A user signed in to their Microsoft 365 user account.| |User logged off<sup>*</sup>| UserLoggedOff |A user signed out of their Microsoft 365 user account. |Viewed Explore|ViewedExplore|Analyst viewed visualizations in one or more Explore page tabs.|
-||||
> [!NOTE] > <sup>*</sup>These are Azure Active Directory sign in and sign off activities. These activities are logged even if you don't have Workplace Analytics turned on in your organization. For more information about user sign in activities, see [Sign-in logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-sign-ins).
The following table lists the user and admin activities in Yammer that are logge
|Updated message<sup>*</sup>|MessageUpdated|User updates a message.| |Viewed file|FileVisited|User views a file.| |Viewed message<sup>*</sup>|MessageViewed|User views a message.|
-||||
### Microsoft Power Automate activities
The following table lists the activities in content explorer that are logged in
|Friendly name|Operation|Description| |:--|:--|:--| |Accessed item|LabelContentExplorerAccessedItem|An admin (or a user who's a member of the Content Explorer Content Viewer role group) uses content explorer to view an email message or SharePoint/OneDrive document.|
-||||
### Quarantine activities
The following table lists the quarantine activities that you can search for in t
|Previewed quarantine message|QuarantinePreview|A user previewed an email message that was deemed to be harmful.| |Released quarantine message|QuarantineRelease|A user released an email message from quarantine that was deemed to be harmful.| |Viewed quarantine message's header|QuarantineViewHeader|A user viewed the header an email message that was deemed to be harmful.|
-||||
### Microsoft Forms activities
If a Forms activity is performed by a coauthor or an anonymous responder, it wil
|Renamed a collection|CollectionRenamed|Form owner changed the name of a collection.| |Moved a form into collection|MovedFormIntoCollection|Form owner moved a form into a collection.| |Moved a form out of collection|MovedFormOutofCollection|Form owner moved a form out of a collection.|
-||||
#### Forms activities performed by coauthors and anonymous responders
The following table describes the auditing activities and information in the aud
|Response activities|External|UPN<br>|Responder's org<br>|Responder| |Response activities|External|`urn:forms:external#a0b1c2d3@forms.office.com`<br>(The second part of the User ID is a hash, which will differ for different users)|Form owner's org|Responder| |Response activities|Anonymous|`urn:forms:anonymous#a0b1c2d3@forms.office.com`<br>(The second part of the User ID is a hash, which will differ for different users)|Form owner's org|Responder|
-||||
### Sensitivity label activities
The following table lists events that result from using [sensitivity labels](sen
|Changed sensitivity label applied to file|FileSensitivityLabelChanged<br /><br>SensitivityLabelUpdated|A different sensitivity label was applied to a document. <br /><br>The operations for this activity are different depending on how the label was changed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelChanged) <br /> - Microsoft 365 apps (SensitivityLabelUpdated)| |Changed sensitivity label on a site|SensitivityLabelChanged|A different sensitivity label was applied to a SharePoint or Teams site.| |Removed sensitivity label from file|FileSensitivityLabelRemoved|A sensitivity label was removed from a document by using Microsoft 365 apps, Office on the web, an auto-labeling policy, or the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet.|
-||||
### Retention policy and retention label activities
The following table describes the configuration activities for [retention polici
| Updated settings for a retention policy | SetRetentionComplianceRule | Administrator changed the retention settings for an existing retention policy. Retention settings include how long items are retained, and what happens to items when the retention period expires (such as deleting items, retaining items, or retaining and then deleting them). This activity also corresponds to running the [Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) cmdlet. | | Updated retention label |SetComplianceTag | Administrator updated an existing retention label.| | Updated retention policy |SetRetentionCompliancePolicy |Administrator updated an existing a retention policy. Updates that trigger this event include adding or excluding content locations that the retention policy is applied to.|
-||||
### Briefing email activities
The following table lists the activities in Briefing email that are logged in th
|:-|:--|:--| |Updated organization privacy settings|UpdatedOrganizationBriefingSettings|Admin updates the organization privacy settings for Briefing email. | |Updated user privacy settings|UpdatedUserBriefingSettings|Admin updates the user privacy settings for Briefing email.
-||||
### MyAnalytics activities
The following table lists the activities in MyAnalytics that are logged in the M
|:--|:--|:--| |Updated organization MyAnalytics settings|UpdatedOrganizationMyAnalyticsSettings|Admin updates organization-level settings for MyAnalytics. | |Updated user MyAnalytics settings|UpdatedUserMyAnalyticsSettings|Admin updates user settings for MyAnalytics.|
-||||
### Information barriers activities
The following table lists the activities in information barriers that are logged
| Added segments to a site | SegmentsAdded | A SharePoint, global administrator, or site owner added one or more information barriers segments to a site. | | Changed segments of a site | SegmentsChanged | A SharePoint or global administrator changed one or more information barriers segments for a site. | | Removed segments from a site | SegmentsRemoved | A SharePoint or global administrator removed one or more information barriers segments from a site. |
-||||
### Disposition review activities
The following table lists the activities a disposition reviewer took when an ite
|Extended retention period|ExtendRetention|A disposition reviewer extended the retention period of the item.| |Relabeled item|RelabelItem|A disposition reviewer relabeled the retention label.| |Added reviewers|AddReviewer|A disposition reviewer added one or more other users to the current disposition review stage.|
-||||
### Communication compliance activities
The following table lists communication compliance activities that are logged in
|Policy update|SupervisionPolicyCreated, SupervisionPolicyUpdated, SupervisionPolicyDeleted|A communication compliance administrator has performed a policy update.| |Policy match|SupervisionRuleMatch|A user has sent a message that matches a policy's condition.| |Tag applied to message(s)|SupervisoryReviewTag|Tags are applied to messages or messages are resolved.|
-||||
### Report activities
The following table lists the activities for usage reports that are logged in th
|**Friendly name**|**Operation**|**Description**| |:--|:--|:--| |Updated usage report privacy settings|UpdateUsageReportsPrivacySetting|Admin updated privacy settings for usage reports. |
-||||
### Exchange admin audit log
compliance View Keyword Statistics For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-keyword-statistics-for-content-search.md
f1.keywords:
Previously updated : Last updated : 05/10/2022 audience: Admin
To display statistics for a Content search or a search associated with a eDiscov
OR
- - Click **eDiscovery** > **Core**, select a case, and then select a search on the **Searches** tab to display the flyout page.
+ - Click **eDiscovery** > **eDiscovery (Standard)**, select a case, and then select a search on the **Searches** tab to display the flyout page.
2. On the flyout page of the selected search, click the **Search statistics** tab.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
###### [Configure and validate exclusions](mac-exclusions.md) ###### [Set preferences](mac-preferences.md) ###### [Detect and block Potentially Unwanted Applications](mac-pua.md)
+###### [Protect macOS security settings using tamper protection](tamperprotection-macos.md)
###### [Device control]() ####### [Device control overview](mac-device-control-overview.md) ####### [JAMF examples](mac-device-control-jamf.md)
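Review bot: The new TOC entry is labelled "Protect macOS security settings using tamper protection", but the article added in this same update uses "Protect macOS security settings with tamper protection" for both its front-matter title and its H1. Use one wording so the navigation label matches the page.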
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Previously updated : 02/04/2022
In addition to server role-defined automatic exclusions, you can add or remove c
## A few points to keep in mind
-Keep the following important points in mind:
- - Custom exclusions take precedence over automatic exclusions.-- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full, quick, or on-demand scan.
+- Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning.
+- Automatic exclusions are not honored during a [full, quick, or on-demand scan](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
- Custom and duplicate exclusions do not conflict with automatic exclusions. - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Appropriate exclusions must be set for software that isn't included with the operating system.
- Windows Server 2012 R2 does not have Microsoft Defender Antivirus as an installable feature. When you onboard those servers to Defender for Endpoint, you will install Windows Defender Antivirus, and default exclusions for operating system files are applied. However, exclusions for server roles (as specified below) don't apply automatically, and you should configure these exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md). This article provides an overview of exclusions for Microsoft Defender Antivirus on Windows Server 2016 or later.
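Review bot: In the list under "A few points to keep in mind", the statement "Custom exclusions take precedence over automatic exclusions" appears only on the removed side, and none of the three added bullets restates it. If the precedence rule still holds, keep it as its own bullet, because it determines which exclusion applies when both are set. The added bullet "Appropriate exclusions must be set for software that isn't included with the operating system" would also read better in the active voice, naming who sets them.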
Because Microsoft Defender Antivirus is built into Windows Server 2016 and later
This article includes the following sections:
-<br/><br/>
- |Section|Description| ||| |[Automatic exclusions on Windows Server 2016 or later](#automatic-exclusions-on-windows-server-2016-or-later)|Describes the two main types of automatic exclusions and includes a detailed list of automatic exclusions|
The following sections contain the exclusions that are delivered with automatic
This section lists the default exclusions for all roles in Windows Server 2016, Windows Server 2019, and Windows Server 2022.
-> [!NOTE]
-> The default locations could be different than what's listed in this article.
+> [!IMPORTANT]
+> - Default locations could be different than the locations that are described in this article.
+> - To set exclusions for software that isn't included as a Windows feature or server role, refer to the software manufacturer's documentation.
##### Windows "temp.edb" files
This section lists the default exclusions for all roles in Windows Server 2016,
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
-<br><br/>
- |Exclusion type|Specifics| ||| |File types|`*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs`|
security Corelight Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md
To enable the Corelight integration, you'll need to take the following steps:
### Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender > [!NOTE]
-> The integration will be public in Corelight Sensor software v24 and later.
-
-To preview in v23 or v22.1 you must execute `corelight-client configuration update --enable.adfiot 1` to enable the configuration section in the GUI.
-
-In addition to this, the GUI validation requires that a broker is configured in the configuration section on all v23 releases. The broker you provide is required but won't actually be used. Enter `127.0.0.1:1234` in the _kafka broker_ field to ensure successful validation before following the steps below to enable sending data to Microsoft 365 Defender.
-
-> [!NOTE]
+> The integration is available in Corelight Sensor software v24 and later.
+>
> You will need internet connectivity for your sensor to reach both the Defender and Corelight cloud services for the solution to work.
-#### Enabling in the Corelight Sensor GUI
-
-1. In the Corelight Sensor GUI configuration section, select **Sensor** \> **Export**.
-2. From the list, go to **EXPORT TO KAFKA** and select the switch to turn it on.
+#### Enable the integration in the Corelight web interface
- :::image type="content" source="images/exporttokafka.png" alt-text="The kafka export" lightbox="images/exporttokafka.png":::
+1. In the Corelight web interface, navigate to **Sensor** \> **Export**.
-3. Next, turn on **EXPORT TO AZURE DEFENDER FOR IOT** and enter your tenant ID, noted in Step 1, in the TENANT ID field.
-
- :::image type="content" source="images/exporttodiot.png" alt-text="The iot export" lightbox="images/exporttodiot.png":::
-
-4. Select **Apply Changes**.
-
- :::image type="content" source="images/corelightapply.png" alt-text="The Apply changes icon" lightbox="images/corelightapply.png":::
-
-> [!NOTE]
-> Configuration options in Kafka (excluding Log Exclusion and Filters) should not be changed. Any changes made will be ignored.
+ :::image type="content" source="images/exporttodefender.png" alt-text="The kafka export" lightbox="images/exporttodefender.png":::
-#### Enabling in the corelight-client
+2. Enable **Export To Microsoft Defender**.
+3. Enter your Microsoft 356 Defender Tenant ID.
+4. Optionally, you can:
+ - set the **Zeek Logs to Exclude**. The minimal set of logs you must include are: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.
+ - choose to create a **Microsoft Defender Log Filter**.
+5. Select **Apply Changes**.
-You can turn on **EXPORT TO KAFKA** and **EXPORT TO AZURE DEFENDER FOR IOT** using the following command in the corelight-client:
+#### Enable the integration in the corelight-client
-`corelight-client configuration update --bro.export.kafka.defender.enable true --bro.export.kafka.defender.tenant\_id <your tenant>`.
+1. Enable **Export To Microsoft Defender** using the following command in the corelight-client:
-> [!IMPORTANT]
-> If you're already using Kafka export, contact Corelight Support for an alternate configuration.
+ ``` command
+ corelight-client configuration update \
+ --bro.export.defender.enable True
+ ```
-To configure only sending the minimal set of logs:
+2. Set your tenant ID
-1. In the Corelight Sensor GUI, go to the Kafka section
-2. Go to **Zeek logs to exclude**
-3. Select **All**
-4. Then select **x** beside the following logs to ensure they continue to flow to Microsoft:
- `dns conn files http ssl ssh x509 snmp smtp ftp sip dhcp notice`
-5. Select **Apply Changes**
+3. Optionally, you can use the following command to exclude certain logs or to create a Microsoft Defender log filter. The minimal set of logs you must include are: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.
-The list of logs that flow to Microsoft may expand over time.
+ ``` command
+ corelight-client configuration update \
+ --bro.export.defender.exclude=<logs_to_exclude> \
+ --bro.export.defender.filter=<logs_to_filter>
+ ```
## See also -- [Device discovery FAQ](device-discovery-faq.md)
+- [Device discovery FAQ](device-discovery-faq.md)
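Review bot: Step 2 of "Enable the integration in the corelight-client" ("Set your tenant ID") gives no command, although the removed text set the tenant with `--bro.export.kafka.defender.tenant\_id <your tenant>`. Add the command with the new option name so the CLI path can be completed without the web interface. In the web-interface steps, "Microsoft 356 Defender Tenant ID" should read "Microsoft 365", and the alt-text for `exporttodefender.png` still says "The kafka export" after the Kafka export steps were removed.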
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20220506.6</summary>
+
+&ensp;Package version: **20220506.6**<br/>
+&ensp;Platform version: **4.18.2203.5**<br/>
+&ensp;Engine version: **1.1.19200.5**<br/>
+&ensp;Signature version: **1.363.1436.0**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+<br/>
+</details><details>
<summary>20220321.1</summary> &ensp;Package version: **20220321.1**<br/>
security Tamperprotection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md
+
+ Title: Protect macOS security settings with tamper protection
+description: Use tamper protection to prevent malicious apps from changing important macOS security settings.
+keywords: macos, tamper protection, security settings, malware
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+
+ms.technology: mde
++
+# Protect macOS security settings with tamper protection
++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-rbac-abovefoldlink)
+
+Tamper protection in macOS helps prevent unwanted changes to security settings from being made by unauthorized users. Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS. This capability also helps important security files, processes, and configuration settings from being tampered.
+++
+You can set tamper protection in the following modes: 
+
+
+ Topic | Description
+:|:
+Disabled  | Tamper protection is completely off (this is the default mode after installation) 
+Audit  | Tampering operations are logged, but not blocked 
+Block  | Tamper protection is on, tampering operations are blocked 
+
+When tamper protection is set to audit or block mode, you can expect the following outcomes:
+
+**Audit mode** 
+- Actions to uninstall Defender for Endpoint agent is logged (audited)  
+- Editing/modification of Defender for Endpoint files are logged (audited) 
+- Creation of new files under Defender for Endpoint location is logged (audited) 
+- Deletion of Defender for Endpoint files is logged (audited) 
+- Renaming of Defender for Endpoint files is logged (audited) 
+- Commands to stop the agent fail 
+
+**Block mode**
+- Actions to uninstall Defender for Endpoint agent is blocked  
+- Editing/modification of Defender for Endpoint files are blocked 
+- Creation of new files under Defender for Endpoint location is blocked 
+- Deletion of Defender for Endpoint files is blocked 
+- Renaming of Defender for Endpoint files is blocked 
+- Commands to stop the agent fail 
+
+Here is an example of a system message in response to a blocked action: 
+
+![Image of operation blocked](images/operation-blocked.png)
+
+You can configure the tamper protection mode by providing the mode name as enforcement-level.
++
+>[!NOTE]
+>- The mode change will apply immediately. You donΓÇÖt need to change the feature flag nor restart Microsoft Defender for Endpoint.
+>- If you used JAMF during the initial configuration, then you'll need to update the configuration using JAMF as well.
+
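Review bot: The **Audit mode** list ends with "Commands to stop the agent fail", the same bullet as under **Block mode**, which conflicts with the table's definition of Audit as "Tampering operations are logged, but not blocked". State which behaviour audit mode actually has, since admins will rely on this list to judge what audit mode does and does not prevent. The opening paragraph's last sentence is also missing a verb ("helps important security files, processes, and configuration settings from being tampered"), and the list items mix "is logged" and "are logged" for plural subjects.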
+## Before you begin
+- Supported macOS versions: Monterey (12), Big Sur (11), Catalina (10.15+) 
+- Minimum required version for Defender for Endpoint: 101.49.25 
++
+**Highly recommended settings:** 
+
+1. System Integrity Protection (SIP) enabled
+1. Use a Mobile device management (MDM) tool to configure Microsoft Defender for Endpoint
+
+ 
+
+## Configure tamper protection on macOS devices
++
+There are several ways you can configure tamper protection: 
+
+- [Manual configuration](#manual-configuration)
+- [JAMF](#jamf) 
+- [Intune](#intune)
+
+ 
+
+### Before you begin
+
+Verify that "tamper_protection" is set to "disabled".  
+
+![Image of command line with tamper protection in disable mode](images/verify-tp.png)
++
+### Manual configuration
+
+1. Use the following command: 
+
+ ``` 
+ sudo mdatp config tamper-protection enforcement-level --value block
+ ```
++
+ ![Image of manual configuration command](images/manual-config-cmd.png)
++
+ >[!NOTE]
+ > If you use manual configuration to enable tamper protection, you can also disable tamper protection manually at any time. For example, you can revoke Full Disk Access from Defender in System Preferences manually. You must use MDM instead of manual configuration to prevent a local admin from doing that.
+
+2. Verify the result. 
+
+ ![Image of result of manual configuration command](images/result-manual-config.png)
++
+Notice that the "tamper_protection" is now set to "block". 
+
+### JAMF
+
+Configure tamper protection mode in Microsoft Defender for Endpoint [configuration profile](mac-jamfpro-policies.md), by adding the following settings:
+++
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+ <dict>
+ <key>tamperProtection</key>
+ <dict>
+ <key>enforcementLevel</key>
+ <string>block</string>
+ </dict>
+ </dict>
+</plist>
+```
+ 
+
+>[!NOTE]
+>If you already have a configuration profile for Microsoft Defender for Endpoint then you need to *add* settings to it. You don’t need to create a second configuration profile. 
+
+ 
+
+### Intune
+
+Follow the documented Intune profile example to configure tamper protection through Intune. For more information, see [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md). 
+
+Add the following configuration in your Intune profile:
+
+>[!NOTE]
+>For Intune configuration, you can create a new profile configuration file to add the Tamper protection configuration, or you can add these parameters to the existing one.
+
+                 
+```xml
+?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+ <dict>
+ <key>PayloadUUID</key>
+ <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+ <key>PayloadType</key>
+ <string>Configuration</string>
+ <key>PayloadOrganization</key>
+ <string>Microsoft</string>
+ <key>PayloadIdentifier</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadDisplayName</key>
+ <string>Microsoft Defender for Endpoint settings</string>
+ <key>PayloadDescription</key>
+ <string>Microsoft Defender for Endpoint configuration settings</string>
+ <key>PayloadVersion</key>
+ <integer>1</integer>
+ <key>PayloadEnabled</key>
+ <true/>
+ <key>PayloadRemovalDisallowed</key>
+ <true/>
+ <key>PayloadScope</key>
+ <string>System</string>
+ <key>PayloadContent</key>
+ <array>
+ <dict>
+ <key>PayloadUUID</key>
+ <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+ <key>PayloadType</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadOrganization</key>
+ <string>Microsoft</string>
+ <key>PayloadIdentifier</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadDisplayName</key>
+ <string>Microsoft Defender for Endpoint configuration settings</string>
+ <key>PayloadDescription</key>
+ <string/>
+ <key>PayloadVersion</key>
+ <integer>1</integer>
+ <key>PayloadEnabled</key>
+ <true/>
+ <key>tamperProtection</key>
+ <dict>
+ <key>enforcementLevel</key>
+ <string>block</string>
+ </dict>
+ </dict>
+ </array>
+ </dict>
+</plist>
+```
++
+Check the tamper protection status by running the following command:
+ 
+
+`mdatp health --field tamper_protection`
+
+ 
+The result will show "block" if tamper protection is on: 
+
+![Image of tamper protection in block mode](images/tp-block-mode.png)
+++
+You can also run full `mdatp health` and look for the "tamper_protection" in the output: 
+
+![Image of tamper protection when in block mode](images/health-tp-audit.png)
++++
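Review bot: The Intune plist sample opens with `?xml version="1.0" encoding="utf-8"?>`, without the leading `<`, so the profile is not well-formed XML if pasted as shown. The JAMF sample and the later "disabled" Intune sample both have it. Separately, "### Before you begin" under "Configure tamper protection on macOS devices" repeats the text of the earlier "## Before you begin" heading, giving two headings the same anchor, and the alt-text for `health-tp-audit.png` says "block mode" although the file name says audit.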
+## Verify tamper protection preventive capabilities  
+You can verify that tamper protection is on through various ways.
+ 
+
+### Verify block mode
+
+Tampering alert is raised in the Microsoft 365 Defender portal
+
+![Image of tampering alert raised in the Microsoft 365 Defender portal](images/tampering-sensor-portal.png)
+
+ 
+ 
+### Verify block mode and audit modes 
+
+- Using Advanced hunting, you'll see tampering alerts appear  
+- Tampering events can be found in the local device logs: `sudo grep -F '\[{tamperProtection}\]' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log`
+
+![Image of tamper protection log](images/tamper-protection-log.png)
++
+ 
+### DIY scenarios 
+
+- With tamper protection set to "block", attempt different methods to uninstall Defender for Endpoint. For example, drag the app tile into trash or uninstall tamper protection using the command line. 
+- Try to stop the Defender for Endpoint process (kill). 
+- Try to delete, rename, modify, move Defender for Endpoint files (similar to what a malicious user would do), for example: 
+
+ - /Applications/Microsoft Defender ATP.app/ 
+ - /Library/LaunchDaemons/com.microsoft.fresno.plist 
+ - /Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist 
+ - /Library/LaunchAgents/com.microsoft.wdav.tray.plist 
+ - /Library/Managed Preferences/com.microsoft.wdav.ext.plist 
+ - /Library/Managed Preferences/mdatp_managed.json 
+ - /Library/Managed Preferences/com.microsoft.wdav.atp.plist 
+ - /Library/Managed Preferences/com.microsoft.wdav.atp.offboarding.plist 
+ - /usr/local/bin/mdatp 
+
+ 
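Review bot: The local-log command under "Verify block mode and audit modes" runs `grep -F` with the pattern `'\[{tamperProtection}\]'`. With `-F` the pattern is a fixed string, so the backslashes are matched literally and the command only finds lines that themselves contain backslashes. The same escaping appears in the troubleshooting sample output, which suggests Markdown escapes leaked into the code. Drop the backslashes and keep `-F`. In "DIY scenarios", "uninstall tamper protection using the command line" presumably means uninstalling Defender for Endpoint, and the text should say so.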
+## Turning off tamper protection 
+
+You can turn off tamper protection using any of the following methods.  
+
+### Manual configuration
+
+Use the following command:
+
+`sudo mdatp config tamper-protection enforcement-level ΓÇô ΓÇôvalue disabled`
+
+ 
+
+## JAMF
+Change the `enforcementLevel` value to "disabled" in your configuration profile, and push it to the machine:
++
+```console
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+ <dict>
+ <key>tamperProtection</key>
+ <dict>
+ <key>enforcementLevel</key>
+ <string>disabled</string>
+ </dict>
+ </dict>
+</plist>
+
+```
++
+### Intune
+Add the following configuration in your Intune profile:
+
+```
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1">
+ <dict>
+ <key>PayloadUUID</key>
+ <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
+ <key>PayloadType</key>
+ <string>Configuration</string>
+ <key>PayloadOrganization</key>
+ <string>Microsoft</string>
+ <key>PayloadIdentifier</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadDisplayName</key>
+ <string>Microsoft Defender for Endpoint settings</string>
+ <key>PayloadDescription</key>
+ <string>Microsoft Defender for Endpoint configuration settings</string>
+ <key>PayloadVersion</key>
+ <integer>1</integer>
+ <key>PayloadEnabled</key>
+ <true/>
+ <key>PayloadRemovalDisallowed</key>
+ <true/>
+ <key>PayloadScope</key>
+ <string>System</string>
+ <key>PayloadContent</key>
+ <array>
+ <dict>
+ <key>PayloadUUID</key>
+ <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
+ <key>PayloadType</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadOrganization</key>
+ <string>Microsoft</string>
+ <key>PayloadIdentifier</key>
+ <string>com.microsoft.wdav</string>
+ <key>PayloadDisplayName</key>
+ <string>Microsoft Defender for Endpoint configuration settings</string>
+ <key>PayloadDescription</key>
+ <string/>
+ <key>PayloadVersion</key>
+ <integer>1</integer>
+ <key>PayloadEnabled</key>
+ <true/>
+ <key>tamperProtection</key>
+ <dict>
+ <key>enforcementLevel</key>
+ <string>disabled</string>
+ </dict>
+ </dict>
+ </array>
+ </dict>
+</plist>
+```
+
+## Troubleshooting configuration issues
++
+### Issue: Tamper protection is reported as disabled 
+
+If running the command `mdatp health` reports that the tamper protection is disabled, even if you enabled it and more than an hour has passed since the onboarding, then you can check if you have the right configuration by running the following command: 
+
+ 
+```console
+$ sudo grep -F '\[{tamperProtection}\]: Feature state:' /Library/Logs/Microsoftmdatpmicrosoft_defender_core.log \| tail -n 1 
+
+\[85246\]\[2021-12-08 15:45:34.184781 UTC\]\[info\]: \[{tamperProtection}\]: Feature state: enabledmode: "block" 
+```
+ 
+
+The mode must be "block" (or "audit"). If it is not, then you haven’t set the tamper protection mode either through `mdatp config` command or through Intune. 
+
+ 
+
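Review bot: The two commands in this new article will not run as written. Under "Manual configuration", the flag appears as `ΓÇô ΓÇôvalue` (non-ASCII dashes with a space between them) rather than the ASCII `--value`, so a copy-paste of the `sudo mdatp config tamper-protection enforcement-level` line fails. Under "Troubleshooting configuration issues", the `grep -F` line carries Markdown escapes inside a code fence (`\[`, `\]`, `\|`): `-F` treats the backslashes as literal characters, so nothing matches, and the escaped pipe is passed to grep as an argument instead of piping into `tail`. The log path `/Library/Logs/Microsoftmdatpmicrosoft_defender_core.log` also looks like it has lost its directory separators, and the sample output fuses `enabled` with `mode:`. Smaller points: `## JAMF` should be `###` to sit beside `### Manual configuration` and `### Intune`; the JAMF plist is fenced as `console` and the Intune one is untagged, where `xml` fits both; the Intune profile uses `<plist version="1">` while the JAMF one uses `version="1.0"`; and the DIY bullet "uninstall tamper protection using the command line" presumably means uninstalling Defender for Endpoint. Because this section documents how to switch the protection off, it should also state what privilege each method requires and whether the change is recorded in the tamper protection log shown above.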
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
The following table lists errors and directions on what to try/check in order to
|Error Code|Enrollment Status|Administrator Actions| ||||
-|`5-9`,`11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](security-config-management.md). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesn't help, please contact support.|
+|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](security-config-management.md). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesn't help, please contact support.|
+| `8`, `44` | Microsoft Endpoint Manager Configuration issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Microsoft Endpoint Manager has not been configured through the Admin Center to allow Microsoft Defender for Endpoint Security Configuration. Make sure the [Microsoft Endpoint Manager tenant is configured and the feature is turned on](/mem/intune/protect/mde-security-integration#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management).|
|`13-14`,`20`,`24`,`25`|Connectivity issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow which could be due to a connectivity issue. Verify that the [Azure Active Directory and Microsoft Endpoint Manager endpoints](security-config-management.md#connectivity-requirements) are opened in your firewall.| |`10`,`42`|General Hybrid join failure|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use [Troubleshoot hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) for troubleshooting OS-level hybrid join failures.| |`15`|Tenant mismatch|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow because your Microsoft Defender for Endpoint tenant ID doesn't match your Azure Active Directory tenant ID. Make sure that the Azure Active Directory tenant ID from your Defender for Endpoint tenant matches the tenant ID in the SCP entry of your domain. For more details, [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md).| |`16`,`17`|Hybrid error - Service Connection Point|The device was successfully onboarded to Microsoft Defender for Endpoint. However, Service Connection Point (SCP) record is not configured correctly and the device couldn't be joined to Azure AD. This could be due to the SCP being configured to join Enterprise DRS. Make sure the SCP record points to AAD and SCP is configured following best practices. 
For more information, see [Configure a service connection point](/azure/active-directory/devices/hybrid-azuread-join-manual#configure-a-service-connection-point).| |`18`|Certificate error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a device certificate error. The device certificate belongs to a different tenant. Verify that best practices are followed when creating [trusted certificate profiles](/mem/intune/protect/certificates-trusted-root#create-trusted-certificate-profiles).|
-|`36`|LDAP API error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify the network topology and ensure the LDAP API is available to complete hybrid join requests.|
-|`37`|On-premise sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Try again later. If that doesn't help, see [Troubleshoot object synchronization with Azure AD Connect sync](/azure/active-directory/hybrid/tshoot-connect-objectsync).|
+|`36` , `37`| AAD Connect misconfiguration |The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a misconfiguration in AAD Connect. To identify what is preventing the device from registering to AAD, consider running the [Device Registration Troubleshooter Tool](/samples/azure-samples/dsregtool/dsregtool). For Windows Server 2012 R2, run the [dedicated troubleshooting instructions](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-legacy). |
|`38`,`41`|DNS error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow due to a DNS error. Check the internet connection and/or DNS settings on the device. The invalid DNS settings might be on the workstation's side. Active Directory requires you to use domain DNS to work properly (and not the router's address). For more information, see [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](troubleshoot-security-config-mgt.md).| |`40`|Clock sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.|
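Review bot: Merging codes `36` and `37` into a single "AAD Connect misconfiguration" row drops the per-code guidance the removed rows carried: `36` told the admin to verify the network topology and LDAP API availability, and `37` linked to the Azure AD Connect object synchronization troubleshooting article. If those causes can still produce these codes, keep that guidance in the new row's action text; if not, say so in the commit description. Style: `36` , `37` has a stray space before the comma, and "run the dedicated troubleshooting instructions" reads better as "follow the dedicated troubleshooting instructions".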
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on other operating syste
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) - [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
+## May 2022
+- [Tamper protection for macOS (preview)](tamperprotection-macos.md)<br>Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS.
++ ## April 2022 - [Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016)](configure-server-endpoints.md)<br/> The new unified solution package is now generally available and makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements. - Integration with Tunnel. Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app.This feature was earlier available only on Android. [Learn more](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/what-s-new-in-microsoft-endpoint-manager-2204-april-edition/ba-p/3297995)
security Defenderexpertsforhuntingprev https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defenderexpertsforhuntingprev.md
Microsoft Defender Experts for Hunting (Defender Experts for Hunting) is a manag
[Watch this short video](https://youtu.be/4t1JgE0X0jc) to learn more about how Microsoft Defender Experts for Hunting can help you track the latest advanced threats in your environment.
-Defender Experts for Hunting provides targeted attack notifications directly through the Microsoft 365 Defender portal. These notifications will help you protect your organization's endpoints, email, cloud apps and identities. You will also receive access to Experts on Demand, that lets you click a button in the Microsoft 365 Defender portal to get expert advice about threats your organization is facing. You can consult experts and seek help with the threats your organization faces. In this preview, you can try the service for free and enjoy the following capabilities:
+Defender Experts for Hunting provides targeted attack notifications directly through the Microsoft 365 Defender portal. These notifications will help you protect your organization's endpoints, email, cloud apps, and identities. You will also receive access to Experts on Demand that lets you click a button in the Microsoft 365 Defender portal to get expert advice about threats your organization is facing. You can consult experts and seek help with the threats your organization faces. In this preview, you can try the service for free and enjoy the following capabilities:
-- **Threat hunting and analysis** ΓÇô Defender Experts for Hunting look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks. -- **Targeted attack notification** ΓÇô Notifications show up as incidents in Microsoft 365 Defender, helping to improve your security operations' incident response with specific information about the scope, method of entry, and remediation instructions. -- **Experts on Demand** ΓÇô Consult a threat expert about a specific incident, nation-state actor, or attack vector. -- **Hunter-trained AI** ΓÇô Our Defender Experts for Hunting share their learning back into the automated tools they use to improve threat discovery and prioritization. -- **Reports** ΓÇô An interactive report summarizing what we hunted, what we found, and what we recommended
+- **Threat hunting and analysis** ΓÇô Defender Experts for Hunting look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks.
+- **Targeted attack notification** ΓÇô Notifications show up as incidents in Microsoft 365 Defender, helping to improve your security operations' incident response with specific information about the scope, method of entry, and remediation instructions.
+- **Experts on Demand** ΓÇô Consult a threat expert about a specific incident, nation-state actor, or attack vector.
+- **Hunter-trained AI** ΓÇô Our Defender Experts for Hunting share their learning back into the automated tools they use to improve threat discovery and prioritization.
+- **Reports** ΓÇô An interactive report summarizing what we hunted, what we found, and what we recommended.
## Apply for Microsoft Defender Experts for Hunting service preview >[!IMPORTANT]
->Before you apply, make sure to discuss the eligibility requirements for Defender Experts for Hunting with your Microsoft Technical Service provider and account team. The preview is filling up fast and availability is very limited. If we can't get you in, we'll reach out to you soon as Microsoft Defender Experts for Hunting service is ready for generally availability.
+>Before you apply, make sure to discuss the eligibility requirements for Defender Experts for Hunting with your Microsoft Technical Service provider and account team. The preview is filling up fast and availability is very limited. If we can't get you in, we'll reach out to you soon as Microsoft Defender Experts for Hunting service is ready for general availability.
If you havenΓÇÖt done so yet, you can apply for Defender Experts for Hunting: 1. Click [**Apply**](https://aka.ms/expandedMTEprev). Only the global administrators can register and complete the application process. If youΓÇÖre not a global administrator, contact your global administrator to fill out the application form.
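Review bot: The corrected sentence in the IMPORTANT note still reads "we'll reach out to you soon as Microsoft Defender Experts for Hunting service is ready", which is missing a word. Suggest "we'll reach out to you as soon as the Microsoft Defender Experts for Hunting service is ready for general availability".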
-2. Enter your **company email ID**.
+2. Enter your **company email ID**.
3. Select **Submit**. You will get a confirmation message that your application has been received. 4. Upon approval, you will receive an email to register.
You need to follow these steps to join the preview:
3. Go to **Settings > Microsoft Defender Experts**. 4. Read the **Microsoft Defender Experts for Hunting preview terms and conditions**. If you have any questions or concerns, contact the Microsoft Defender Experts Team at defenderexpertshelp@microsoft.com. 5. Click **Accept**, to accept the terms and conditions.
-6. Get your free preview in [Microsoft 365 admin center](https://www.microsoft.com/en-us/microsoft-365/business/office-365-administration).
-You can only place the order after you've accepted the terms and conditions. Select **Get license** to initiate provisioning in the admin center. This will take you to the checkout page to verify the order details. The service might become commercially available less than 6 months after you begin your free preview. Microsoft reserves the right to end your preview at that time.
+6. Get your free preview in [Microsoft 365 admin center](https://www.microsoft.com/microsoft-365/business/office-365-administration).
+You can only place the order after you've accepted the terms and conditions. Select **Get license** to initiate provisioning in the admin center. This will take you to the checkout page to verify the order details. The service might become commercially available less than six months after you begin your free preview. Microsoft reserves the right to end your preview at that time.
7. In the **Checkout** page, select **Place order**. ## Start using your Microsoft Defender Experts for Hunting service preview
-Around six hours after you place your order and get confirmation, you will receive a welcome email that says your Microsoft Defender Experts preview is set up and ready to use. Our experts will immediately start hunting for advanced threats inside your environment.
+Around six hours after you place your order and get confirmation, you'll receive a welcome email that says your Microsoft Defender Experts preview is set up and ready to use. Our experts will immediately start hunting for advanced threats inside your environment.
## Receive targeted attack notification
See the screenshot of a sample below:
## Collaborate with experts on demand
-You can consult with Defender Experts for Hunting directly inside the Microsoft 365 security portal, for a swift and accurate threat response. Experts can provide insight to better understand the complex threats your organization may face. Consult an expert to:
+You can consult with Defender Experts for Hunting directly inside the Microsoft 365 security portal for a swift and accurate threat response. Experts can provide insight to better understand the complex threats your organization may face. Consult an expert to:
- Gather additional information on alerts and incidents, including root causes and scope - Gain clarity into suspicious devices, alerts, or incidents and get next steps if faced with an advanced attacker
security How Office 365 Validates The From Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-office-365-validates-the-from-address.md
You can't override the From address requirements for outbound email that you sen
## Other ways to prevent and protect against cybercrimes in Microsoft 365
-For more information on how you can strengthen your organization against phishing, spam, data breaches, and other threats, see [Top 10 ways to secure Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md).
+For more information on how you can strengthen your organization against phishing, spam, data breaches, and other threats, see [Best practices for securing Microsoft 365 for business plans](../../admin/security-and-compliance/secure-your-business-data.md).
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|**Test mode** (_TestModeAction_)|**None**|**None**|**None**|This setting is part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.| |**Actions**||||Wherever you select **Quarantine message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br/><br/> When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy for **High confidence phishing**; DefaultFullAccessPolicy for everything else). <br/><br/> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).| |**Spam** detection action <br/><br/> _SpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
-|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Quarantine message** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
-|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Quarantine message** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
+|**High confidence spam** detection action <br/><br/> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`||
+|**Phishing** detection action <br/><br/> _PhishSpamAction_|**Move message to Junk Email folder**<sup>\*</sup> <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|
|**High confidence phishing** detection action <br/><br/> _HighConfidencePhishAction_|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|**Quarantine message** <br/><br/> `Quarantine`|| |**Bulk** detection action <br/><br/> _BulkSpamAction_|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Move message to Junk Email folder** <br/><br/> `MoveToJmf`|**Quarantine message** <br/><br/> `Quarantine`||
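Review bot: The Default column for **High confidence spam** and **Phishing** now both read "Move message to Junk Email folder", but only the Phishing row explains that policies created in the Microsoft 365 Defender portal default to **Quarantine message**; the High confidence spam row's comment cell stays empty. Confirm whether portal-created policies also differ for _HighConfidenceSpamAction_ and add the same footnote if they do, since an admin reading this table to audit a tenant will otherwise assume the two rows behave differently. The table also now carries two unrelated `*` footnotes (this one and the one on _QuarantineRetentionPeriod_); each is explained in its own row, but distinct markers would avoid confusion.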
-|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days<sup>\*</sup>|30 days|30 days|<sup>\*</sup> The default value is 15 days in the default anti-spam policy, and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal. <br/><br/> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).|
+|**Retain spam in quarantine for this many days** <br/><br/> _QuarantineRetentionPeriod_|15 days<sup>\*</sup>|30 days|30 days|<sup>\*</sup> The default value is 15 days in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal. <br/><br/> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).|
|**Enable spam safety tips** <br/><br/> _InlineSafetyTipsEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |Enable zero-hour auto purge (ZAP) for phishing messages <br/><br/> _PhishZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|| |Enable ZAP for spam messages <br/><br/> _SpamZapEnabled_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
To create and configure anti-malware policies, see [Configure anti-malware polic
For more information about these settings, see [Spoof settings](set-up-anti-phishing-policies.md#spoof-settings). To configure these settings, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+The spoof settings are inter-related, but the **Show first contact safety tip** setting has no dependency on spoof settings.
+ |Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Phishing threshold & protection**|||||
For more information about these settings, see [Impersonation settings in anti-p
These are the same settings that are available in [anti-spam policy settings in EOP](#eop-anti-spam-policy-settings).
-The spoof settings are inter-related, but the **Show first contact safety tip** setting has no dependency on spoof settings.
-
-|Security feature name|Default|Standard|Strict|Comment|
-||::|::|::||
-|**Phishing threshold & protection**|||||
-|**Enable spoof intelligence** <br/><br/> _EnableSpoofIntelligence_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`||
-|**Actions**|||||
-|**If message is detected as spoof** <br/><br/> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br/><br/> `MoveToJmf`|**Quarantine the message** <br/><br/> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <br/><br/> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to quarantined messages. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for spoof quarantined messages (DefaultFullAccessPolicy). <br/><br/> Admins can create and select a custom quarantine policy that defines what recipients are allowed to do to these messages in quarantine. For more information, see [Quarantine policies](quarantine-policies.md).|
-|**Show first contact safety tip** <br/><br/> _EnableFirstContactSafetyTips_|Not selected <br/><br/> `$false`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|
-|**Show (?) for unauthenticated senders for spoof** <br/><br/> _EnableUnauthenticatedSender_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
-|**Show "via" tag** <br/><br/> _EnableViaTag_|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Selected <br/><br/> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br/><br/> For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).|
- ### Safe Attachments settings Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see [Safe Attachments in Defender for Office 365](safe-attachments.md).
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoo
- Wildcards (*) are allowed in the following scenarios:
- - A left wildcard must be followed by a period to specify a subdomain.
+ - A left wildcard must be followed by a period to specify a subdomain. (only applicable for blocks)
For example, `*.contoso.com` is allowed; `*contoso.com` is not allowed.
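Review bot: The restriction is appended as a fragment after the full stop, "(only applicable for blocks)", which is easy to miss for a rule that changes what an allow entry may contain. Fold it into the sentence, for example "In block entries, a left wildcard must be followed by a period to specify a subdomain; left wildcards are not supported in allow entries", and qualify the unchanged example line that follows, which still says `*.contoso.com` "is allowed" without saying for which list.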
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoo
For example `~contoso.com` includes `contoso.com` and `*.contoso.com`. -- URL entries that contain protocols (for example, `http://`, `https://`, or `ftp://`) will fail, because URL entries apply to all protocols.- - A username or password isn't supported or required. - Quotes (' or ") are invalid characters.
Valid URL entries and their results are described in the following sections.
- **Allow match**: contoso.com - **Allow not matched**:- - abc-contoso.com - contoso.com/a - payroll.contoso.com
Valid URL entries and their results are described in the following sections.
- www.contoso.com/q=a@contoso.com - **Block match**:- - contoso.com - contoso.com/a - payroll.contoso.com
Valid URL entries and their results are described in the following sections.
#### Scenario: Left wildcard (subdomain)
-**Entry**: `*.contoso.com`
+> [!NOTE]
+> This scenario applies only to blocks.
-- **Allow match** and **Block match**:
+**Entry**: `*.contoso.com`
+- **Block match**:
- www.contoso.com - xyz.abc.contoso.com -- **Allow not matched** and **Block not matched**:-
+- **Block not matched**:
- 123contoso.com - contoso.com - test.com/contoso.com
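Review bot: With this scenario limited to blocks, the page no longer says what to use when an admin wants to allow every subdomain of a domain, or what happens to an allow entry submitted as `*.contoso.com`. The left tilde scenario further down still lists www.contoso.com and xyz.abc.contoso.com under "Allow match" for `~contoso.com`, so a pointer to it from the new note would help. The pointer should mention that the tilde form also matches contoso.com itself, which `*.contoso.com` does not. The same applies to the `*.contoso.com/*` scenario changed below.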
Valid URL entries and their results are described in the following sections.
**Entry**: `contoso.com/a/*` - **Allow match** and **Block match**:- - contoso.com/a/b - contoso.com/a/b/c - contoso.com/a/?q=joe@t.com - **Allow not matched** and **Block not matched**:- - contoso.com - contoso.com/a - www.contoso.com
Valid URL entries and their results are described in the following sections.
**Entry**: `~contoso.com` - **Allow match** and **Block match**:- - contoso.com - www.contoso.com - xyz.abc.contoso.com - **Allow not matched** and **Block not matched**:- - 123contoso.com - contoso.com/abc - www.contoso.com/abc
Valid URL entries and their results are described in the following sections.
**Entry**: `contoso.com/*` - **Allow match** and **Block match**:- - contoso.com/?q=whatever@fabrikam.com - contoso.com/a - contoso.com/a/b/c
Valid URL entries and their results are described in the following sections.
#### Scenario: Left wildcard subdomain and right wildcard suffix
-**Entry**: `*.contoso.com/*`
+> [!NOTE]
+> This scenario applies only to blocks.
-- **Allow match** and **Block match**:
+**Entry**: `*.contoso.com/*`
+- **Block match**:
- abc.contoso.com/ab - abc.xyz.contoso.com/a/b/c - www.contoso.com/a - www.contoso.com/b/a/c - xyz.contoso.com/ba -- **Allow not matched** and **Block not matched**: contoso.com/b
+- **Block not matched**: contoso.com/b
#### Scenario: Left and right tilde
security Top Security Tasks For Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md
If you are like [Microsoft](https://www.microsoft.com/microsoft-365/blog/2020/03
If you are a small or medium-size organization using one of Microsoft's business plans, see these resources instead: -- [Top 10 ways to secure Office 365 and Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
+- [Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
- [Microsoft 365 for Campaigns](../business-premium/index.md) (includes a recommended security configuration for Microsoft 365 Business) For customers using our enterprise plans, Microsoft recommends you complete the tasks listed in the following table that apply to your service plan. If, instead of purchasing a Microsoft 365 enterprise plan, you are combining subscriptions, note the following:
solutions Collaborate Teams Direct Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md
When you enable shared channels in Teams with another organization:
> [!NOTE] > Shared channels is in preview and requires that you have configured [Microsoft Teams Public Preview](/MicrosoftTeams/public-preview-doc-updates). If you plan to share channels with other organizations, they must also have configured Teams public preview.
+## Video demonstration
+
+This video shows the configuration steps described in this document.
+<br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4WRMx?autoplay=false]
+ ## Enable shared channels in Teams Shared channels is enabled by default in Teams. Follow this procedure to confirm the settings.