Updates from: 05/13/2021 03:12:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin What Is A Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/what-is-a-domain.md
You can use a default domain like *yourcompany.onmicrosoft.<span>com* to log i
## Feeling stuck? Call Microsoft Support - [Get help setting up a domain](../../business-video/get-help-support.md)
-
+
+## Related content
+
+[Buy a domain](buy-a-domain-name.md) (article)
+
+[Add a domain to Microsoft 365](../setup/add-domain.md) (article)
+
+[Pilot Microsoft 365 from my custom domain](../misc/pilot-microsoft-365-from-my-custom-domain.md) (article)
+
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
If you or your users encounter problems loading the add-in while using Office ap
|**Platform**|**Debug information**| |:--|:--|
-|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ( [learn how](https://docs.microsoft.com/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
+|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ( [learn how](/onedrive/find-your-office-365-tenant-id.md)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
|Rich clients (Windows, Mac) <br/> | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) <br/> |+
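Review bot: the new link target in the Office row, `/onedrive/find-your-office-365-tenant-id.md`, points into another docset, and a site-relative cross-docset link should not carry the `.md` extension (that suffix only resolves for relative links inside this repo); use `/onedrive/find-your-office-365-tenant-id` and verify it with the link checker. While this row is being touched, the `**wdCorrelationId**` and `**{BC17079E-505F-3000-C177-26A8E27EB623}**` bold markers sit inside backtick code spans, so they render as literal asterisks in the `<input ...>` sample; drop them or put the emphasis outside the code span.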
+## Related content
+
+[Deploy add-ins in the admin center](../manage/manage-deployment-of-add-ins.md) (article)
+
+[Manage add-ins in the admin center](manage-addins-in-the-admin-center.md) (article)
+
+[Centralized Deployment FAQ](../manage/centralized-deployment-faq.md) (article)
+
+[Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)
+
admin Manage Microsoft Rewards https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-microsoft-rewards.md
Unless the user opts out of this feature, their personal Microsoft account will
For administrators of educational organizations with minor children, a parental Microsoft account is required for the child to participate in Microsoft Rewards. The parental account will not be associated with the studentΓÇÖs organizational account. For more information about Microsoft accounts for children, see [Parental consent and Microsoft child accounts](https://support.microsoft.com/account-billing/c6951746-8ee5-8461-0809-fbd755cd902e). This feature is not available for Government users. Administrators should ensure that their organizationΓÇÖs compliance policies permit the use of personal Microsoft Rewards accounts with work searches.+
+## Related content
+
+[Set up Microsoft Search](/microsoftsearch/setup-microsoft-search.md) (article)
+
+[Top 12 tasks for security teams to support working from home](../../security/top-security-tasks-for-remote-work.md) (article)
+
+[What's new in Microsoft 365](https://support.microsoft.com/en-us/office/what-s-new-in-microsoft-365-95c8d81d-08ba-42c1-914f-bca4603e1426) (article)
++
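Review bot: two link-hygiene issues in the added Related content list. `/microsoftsearch/setup-microsoft-search.md` is a cross-docset link and should not carry `.md` (use `/microsoftsearch/setup-microsoft-search`), and the What's new entry hard-codes a locale in `https://support.microsoft.com/en-us/office/what-s-new-in-microsoft-365-...`; drop the `en-us` segment so localized readers are routed to their own language. The `++` on the closing line also looks like a stray added line whose content is a single `+`; check the end of the file for leftover characters.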
admin Productivity Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/productivity-score.md
Your Productivity Score is based on the combined scores of your people and techn
- Microsoft 365 Apps Health (100 points) - **Total possible = 800 points**
- In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that are not part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
+In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that are not part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
### Products included in Productivity Score
Your organization's score is updated daily and reflects user actions completed i
## Prerequisites
-For people experiences data, you need a Microsoft 365 for business or Office 365 for enterprise subscription. For endpoint analytics data for your tenant, you need to add Microsoft Intune to your subscription. Intune helps you protect your organizationΓÇÖs data by managing devices and apps. Once you have Intune, you can turn on endpoint analytics within the Intune experience. Learn more about [Microsoft Intune](/mem/intune/).
+For people experiences data, you need a Microsoft 365 for business or Office 365 for enterprise subscription. For endpoint analytics data for your tenant, you need to add Microsoft Intune to your subscription. Intune helps protect your organization's data by managing devices and apps. Once you have Intune, you can turn on endpoint analytics within the Intune experience. To learn more about Microsoft Intune, see the [Microsoft Intune documentation](/mem/intune/).
> [!NOTE] > A license to Workplace Analytics is not required to get the Productivity Score features.
The Productivity Score home page shows your organization's total score and score
**Your organization's score** is shown as a percent value and in points. You can see your points in the numerator and the maximum possible points in the denominator.
-**Peer benchmarks** allow you to compare your organization's score with organizations like yours. The peer benchmark for the people experiences categories is calculated as the average of measures within a set of similar organizations. The set of organizations is composed of organizations in your region with a similar number of licensed users, types of licenses, industry, and tenure with Microsoft 365.
+**Peer benchmarks** allow you to compare your organization's score with organizations like yours. The peer benchmark for the people experiences categories is calculated as the average of measures within a set of similar organizations. The set of organizations is composed of organizations in your region with a similar number of licensed users, types of licenses, industry, and tenure with Microsoft 365.
+
+> [!NOTE]
+> Microsoft uses internal data to determine the industry that an organization maps to. Tenants under a parent organization get mapped to the same industry as the parent organization. Organizations cannot view or modify industry mappings.
The endpoint analytics peer benchmark includes targets for device startup performance and recommended software configuration based on aggregated median values across all tenants.
Share your thoughts about Productivity Score and your ideas about how to improve
## Related content
-[Monitor Microsoft 365 activity by using reports](https://docs.microsoft.com/microsoft-365/admin/activity-reports/activity-reports) (article)
-
-[Enable Microsoft 365 usage analytics](https://docs.microsoft.com/microsoft-365/admin/usage-analytics/enable-usage-analytics) (article)
-
-[Overview of the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-video/admin-center-overview) (video)
+[Monitor Microsoft 365 activity by using reports](/microsoft-365/admin/activity-reports/activity-reports) (article)\
+[Enable Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/enable-usage-analytics) (article)\
+[Overview of the Microsoft 365 admin center](/microsoft-365/business-video/admin-center-overview) (video)
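Review bot: the rewritten Related content entries end each line with a trailing backslash (`(article)\`) to force a line break, which differs from the blank-line-separated list that this same update adds to the other articles (What Is A Domain, Install Office, Shared Calendar); use one form, preferably the blank-line list, so the section renders the same across the docset. The conversion from `https://docs.microsoft.com/microsoft-365/...` to site-relative `/microsoft-365/...` is correct and can stay.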
business-video Admin Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/admin-center-overview.md
description: "Learn more about the Microsoft 365 admin center."
- [The admin center in simplified view](#the-admin-center-in-simplified-view) - [The admin center in dashboard view](#the-admin-center-in-dashboard-view)
+The Microsoft 365 admin center has two views: simplified view helps smaller organizations manage their most common tasks. Dashboard view includes more complex settings and tasks. You can switch between them from a button at the top of the admin center.
+ ## The admin center in simplified view > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWD3sq?autoplay=false]
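Review bot: the added overview sentence capitalizes the two view names inconsistently (`simplified view helps smaller organizations ...` versus `Dashboard view includes ...`); use the same casing for both and split the colon-joined sentence so each view gets its own sentence. The added `## The admin center in simplified view` heading also carries a leading space; Markdown tolerates up to three, but trimming it keeps the heading flush with the others in the file.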
business-video Install Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/install-office.md
Microsoft Office apps can be found on your **Start** menu. If you don&#39;t see
4. To install Microsoft Teams, go to the office.com page, and choose **Teams**. 5. Get the Windows app, and then select **Run**. Teams displays a prompt when installation is complete.
-The Office apps you installed now appear in your **Start** menu.
+The Office apps you installed now appear in your **Start** menu.
+
+## Related content
+
+[Migrate your content to Microsoft 365](/sharepointmigration/migrate-to-sharepoint-online.md) (article)
+
+[Install the Microsoft 365 Admin mobile app on your phone](admin-mobile.md) (video)
+
+[Get started with Microsoft Teams in your small business](get-started-teams-small-business.md) (video)
+
+[Easily share files externally](share-files-externally.md) (video)
+
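Review bot: `[Migrate your content to Microsoft 365](/sharepointmigration/migrate-to-sharepoint-online.md)` links to another docset, and a site-relative cross-docset path should not carry the `.md` extension; use `/sharepointmigration/migrate-to-sharepoint-online`. The `-`/`+` pair on `The Office apps you installed now appear in your **Start** menu.` shows no visible difference, so that change is whitespace only and can be dropped from the diff if it was not intended.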
business-video Shared Calendar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/shared-calendar.md
A shared calendar can help you quickly see when people are available for meeting
## Related content [Manage your calendar and contacts in Outlook](https://support.microsoft.com/office/manage-your-calendar-and-contacts-in-outlook-631a182a-21e0-4e41-8fa2-0d83e55da02d) (article)
-[Email collaboration](https://docs.microsoft.com/microsoft-365/admin/email/email-collaboration) (article)
-[Overview of the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-video/admin-center-overview) (article)
+
+[Email collaboration](../admin/email/email-collaboration.md) (article)
+
+[Overview of the Microsoft 365 admin center](admin-center-overview.md) (article)
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
You can use the **MSCommerce** PowerShell module to:
To use the **MSCommerce** PowerShell module, you need: - A Windows 10 device
+- PowerShell 5 or below. Currently, PowerShell 6.x/7.x isn't supported with this module.
- Administrator permission for the device - Global or Billing Admin role for your tenant
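Review bot: `- PowerShell 5 or below. Currently, PowerShell 6.x/7.x isn't supported with this module.` is imprecise. On the Windows 10 device the previous bullet already requires, the runtime that ships is Windows PowerShell 5.1, and "or below" invites readers to look for older versions that are not available there. Suggest `- Windows PowerShell 5.1. PowerShell 6.x and 7.x aren't currently supported with this module.` so the reader knows exactly which host to open before running the MSCommerce cmdlets.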
commerce Change Plans Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/change-plans-manually.md
- AdminSurgePortfolio - commerce_subscriptions search.appverid: MET150- description: "Change subscriptions manually by buying a new subscription and ensuring that both the subscriptions are listed and active."+ Last updated 03/17/2021 # Change plans manually
commerce Important Information E4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/important-information-e4.md
- customer-email - commerce_subscriptions search.appverid: MET150- description: "Important information about upgrading or changing plans for customers with an Office 365 E4 subscription."+ Last updated 08/14/2020
commerce Manage Self Service Signup Subscriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions.md
- Adm_O365 - AdminSurgePortfolio-- commerce_subscriptions
+- commerce_subscriptions
search.appverid: MET150 description: "Learn how to manage free self-service sign-up subscriptions for your organization." Last updated 03/17/2021
commerce Reactivate Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md
- fwlink 874703 - AdminSurgePortfolio - commerce_subscriptions
+search.appverid: MET150
description: "Learn how to reactivate your subscription when it expires, is disabled, or canceled." Last updated 04/07/2021
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
- SaRA - AdminSurgePortfolio - commerce_subscriptions
+search.appverid: MET150
description: "Learn how to renew your Microsoft 365 by turning recurring billing off or on." Last updated 05/04/2021
commerce Upgrade Office 365 E4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-Office-365-E4.md
- customer-email - commerce_subscriptions
+search.appverid: MET150
description: "Learn how to upgrade from an Office 365 E4 subscription." Last updated 08/14/2020
commerce Upgrade From Teams Free https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-from-teams-free.md
- Adm_O365 - commerce_subscriptions
+search.appverid: MET150
description: "Learn how to upgrade from Microsoft Teams Free to a new Microsoft 365 for business subscription." Last updated 07/08/2020
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
- SaRA - AdminSurgePortfolio - commerce_subscriptions
+search.appverid: MET150
description: "Learn how to upgrade to a different plan." Last updated 04/21/2021
commerce Try Or Buy Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md
- AdminSurgePortfolio - commerce_purchase
+search.appverid: MET150
description: "Learn how to get a free trial or buy a subscription for Microsoft 365 for business." Last updated 08/07/2020
commerce Understand Proposal Workflow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/understand-proposal-workflow.md
- AdminSurgePortfolio - commerce_purchase
+search.appverid: MET150
description: "Learn about proposals to help you buy Microsoft products and services." Last updated 03/17/2021
commerce Use A Promo Code https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/use-a-promo-code.md
- AdminSurgePortfolio - okr_SMB - commerce_purchase
+search.appverid: MET150 S
description: "Learn how to apply a promotional code to your Microsoft 365 subscription to reduce price, and how to troubleshoot promo code in case of an error." Last updated 03/17/2021
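Review bot: the added metadata line `search.appverid: MET150 S` has a stray trailing `S`. Every other article in this change set adds `search.appverid: MET150`; this one should match exactly, otherwise the appverid value is not recognized by the build.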
compliance Create Custom Sensitive Information Types With Exact Data Match Based Classification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md
audience: Admin
Last updated
-localization_priority: Priority
+localization_priority: Normal
- M365-security-compliance search.appverid:
These locations are support EDM sensitive information types:
- Microsoft Teams (conversations) - DLP for SharePoint (files) - Microsoft Cloud App Security DLP policies
+- Server-side auto-labeling policies
EDM sensitive information types for following scenarios are currently in development, but not yet available:
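Review bot: the new bullet `- Server-side auto-labeling policies` is appended to a list whose unchanged lead-in reads `These locations are support EDM sensitive information types:`; since this list is being edited anyway, fix the verb in the same commit (`These locations support EDM sensitive information types:`). The `localization_priority` change from `Priority` to `Normal` is a metadata choice and needs no further text change.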
compliance Customer Key Availability Key Roll https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-roll.md
Title: "Roll or rotate a Customer Key or an availability key"
Previously updated : 02/05/2020 audience: ITPro
For example:
2. Run the Add-AzKeyVaultKey cmdlet as shown in the following example: ```powershell
- Add-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -Destination HSM -KeyOps @('wrapKey','unwrapKey') -NotBefore (Get-Date -Date "12/27/2016 12:01 AM")
+ Add-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -Destination HSM -KeyOps @('wrapKey','unwrapKey') -NotBefore (Get-Date -Date "12/27/2016 12:01 AM")
```
- In this example, since a key named **Contoso-O365EX-NA-VaultA1-Key001** exists in the **Contoso-O365EX-NA-VaultA1** vault, the cmdlet creates a new version of the key. This operation preserves the previous key versions in the version history for the key. You need the previous key version to decrypt the data that it still encrypts. Once you complete rolling any key associated with a DEP, run an extra cmdlet to ensure that Customer Key begins using the new key. The following sections describe the cmdlets in more detail.
+ In this example, since a key named **Contoso-CK-EX-NA-VaultA1-Key001** exists in the **Contoso-CK-EX-NA-VaultA1** vault, the cmdlet creates a new version of the key. This operation preserves the previous key versions in the version history for the key. You need the previous key version to decrypt the data that it still encrypts. Once you complete rolling any key associated with a DEP, run an extra cmdlet to ensure that Customer Key begins using the new key. The following sections describe the cmdlets in more detail.
-## Update the Customer Key for Exchange Online and Skype for Business
+## Update the keys for multi-workload DEPs
+
+When you roll either of the Azure Key Vault keys associated with a DEP used with multiple workloads, you must update the DEP to point to the new key. This process does not rotate the availability key.
+
+To instruct Customer Key to use the new key to encrypt multiple workloads, complete these steps:
+
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+2. Run the Set-M365DataAtRestEncryptionPolicy cmdlet.
+
+ ```powershell
+ Set-M365DataAtRestEncryptionPolicy -[Identity] "PolicyName" -Refresh
+ ```
+
+Where *PolicyName* is the name or unique ID of the policy. For example, Contoso_Global.
+
+Example:
+
+```powershell
+Set-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global" -Refresh
+```
+
+## Update the keys for Exchange Online DEPs
When you roll either of the Azure Key Vault keys associated with a DEP used with Exchange Online and Skype for Business, you must update the DEP to point to the new key. This does not rotate the availability key.
To instruct Customer Key to use the new key to encrypt mailboxes, run the Set-Da
Set-DataEncryptionPolicy -Identity <DataEncryptionPolicyID> -Refresh ```
- Within 72 hours, the active mailboxes associated with this DEP become encrypted with the new key.
- 2. To check the value for the DataEncryptionPolicyID property for the mailbox, use the steps in [Determine the DEP assigned to a mailbox](customer-key-manage.md#determine-the-dep-assigned-to-a-mailbox). The value for this property changes once the service applies the updated key.
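Review bot: the syntax line in the new multi-workload section, `Set-M365DataAtRestEncryptionPolicy -[Identity] "PolicyName" -Refresh`, is malformed as PowerShell syntax notation: the brackets belong around the optional parameter name and the value should be a placeholder, i.e. `Set-M365DataAtRestEncryptionPolicy [-Identity] <PolicyName> -Refresh`; as written a reader may paste `-[Identity]` literally and get a parameter-binding error. Also, the heading was renamed to `## Update the keys for Exchange Online DEPs` while the unchanged sentence under it still describes the DEP as "used with Exchange Online and Skype for Business"; align the heading and the sentence so it is clear whether Skype for Business is still covered.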
-## Update the Customer Key for SharePoint Online, OneDrive for Business, and Teams files
+## Update the keys for SharePoint Online, OneDrive for Business, and Teams files
SharePoint Online only allows you to roll one key at a time. If you want to roll both keys in a key vault, wait for the first operation to complete. Microsoft recommends that you stagger your operations to avoid this issue. When you roll either of the Azure Key Vault keys associated with a DEP used with SharePoint Online and OneDrive for Business, you must update the DEP to point to the new key. This does not rotate the availability key.
compliance Customer Key Availability Key Understand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-understand.md
Title: "Learn about the availability key for Customer Key"
Previously updated : 02/05/2020 audience: ITPro
compliance Customer Key Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-manage.md
Title: "Manage Customer Key"
Previously updated : 02/05/2020 audience: ITPro
search.appverid:
- MET150 - M365-security-compliance
-description: "After you set up Customer Key, learn how to manage it by restoring AKV keys, and managing permissions and your data encryption policies."
+description: "After you set up Customer Key, learn how to manage it by restoring AKV keys, and managing permissions and creating and assigning data encryption policies."
# Manage Customer Key
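Review bot: the updated description still promises "restoring AKV keys, and managing permissions", but this commit deletes the `## Restore Azure Key Vault keys` and `## Manage key vault permissions` sections (the `Restore-AzKeyVaultKey`, `Get-AzKeyVault` and `Remove-AzKeyVaultAccessPolicy` guidance) without a pointer to where that content now lives. Either keep those sections, or drop the restore/permissions clause from the description and link to the page that covers them; the access-policy removal step in particular is the one operators need when a key administrator leaves the team.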
-After you've set up Customer Key for Office 365, you can manage your keys as described in this article. Learn more about Customer Key in the related topics.
+After you've set up Customer Key for Office 365, you'll need to create and assign one or more data encryption policies (DEP). Once you've assigned your DEPs, you can manage your keys as described in this article. Learn more about Customer Key in the related topics.
-## Restore Azure Key Vault keys
+## Create a DEP for use with multiple workloads for all tenant users
-Before performing a restore, use the recovery capabilities provided by soft delete. All keys that are used with Customer Key are required to have soft delete enabled. Soft delete acts like a recycle bin and allows recovery for up to 90 days without the need to restore. Restore should only be required in extreme or unusual circumstances, for example if the key or key vault is lost. If you must restore a key for use with Customer Key, in Azure PowerShell, run the Restore-AzureKeyVaultKey cmdlet as follows:
-
-```powershell
-Restore-AzKeyVaultKey -VaultName <vault name> -InputFile <filename>
-```
+Before you begin, ensure that you've completed the tasks required to set up Customer. For information, see [Set up Customer Key](customer-key-set-up.md). To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key).
-For example:
+To create a multi-workload DEP, follow these steps:
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+2. To create a DEP, use the New-M365DataAtRestEncryptionPolicy cmdlet.
+
+ ```powershell
+ New-M365DataAtRestEncryptionPolicy -Name <PolicyName> -AzureKeyIDs <KeyVaultURI1, KeyVaultURI2> [-Description <String>]
+ ```
+
+ Where:
+
+ - *PolicyName* is the name you want to use for the policy. Names can't contain spaces. For example, Contoso_Global.
+
+ - *KeyVaultURI1* is the URI for the first key in the policy. For example, <https://contosoWestUSvault1.vault.azure.net/keys/Key_01>.
+
+ - *KeyVaultURI2* is the URI for the second key in the policy. For example, <https://contosoCentralUSvault1.vault.azure.net/keys/Key_02>. Separate the two URIs by a comma and a space.
+
+ - *Policy Description* is a user-friendly description of the policy that will help you remember what the policy is for. You can include spaces in the description. For example, "Root policy for multiple workloads for all users in the tenant.".
+
+Example:
+ ```powershell
-Restore-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -InputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup
+New-M365DataAtRestEncryptionPolicy -Name "Contoso_Global" -AzureKeyIDs "https://contosoWestUSvault1.vault.azure.net/keys/Key_01","https://contosoCentralUSvault1.vault.azure.net/keys/Key_02" -Description "Policy for multiple workloads for all users in the tenant."
```
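Review bot: `Before you begin, ensure that you've completed the tasks required to set up Customer.` is missing the word "Key". In the same section the syntax line shows `-AzureKeyIDs <KeyVaultURI1, KeyVaultURI2>`, the bullet says to "Separate the two URIs by a comma and a space", and the example passes `"https://contosoWestUSvault1.vault.azure.net/keys/Key_01","https://contosoCentralUSvault1.vault.azure.net/keys/Key_02"` with quotes and no space; these three should agree. The quoted form in the example is the safe one to paste, so update the syntax line and the bullet to match it.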
-If the key vault already contains a key with the same name, the restore operation fails. Restore-AzKeyVaultKey restores all key versions and all metadata for the key including the key name.
-
-## Manage key vault permissions
+### Assign multi-workload policy
-Several cmdlets are available that enable you to view and, if necessary, remove key vault permissions. You might need to remove permissions, for example, when an employee leaves the team. For each of these tasks, you will use Azure PowerShell. For information about Azure Powershell, see [Overview of Azure PowerShell](/powershell/azure/).
-
-To view key vault permissions, run the Get-AzKeyVault cmdlet.
+Assign the DEP by using the Set-M365DataAtRestEncryptionPolicyAssignment cmdlet. Once you assign the policy, Microsoft 365 encrypts the data with the key identified in the DEP.
```powershell
-Get-AzKeyVault -VaultName <vault name>
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy <PolicyName or ID>
```
-For example:
+ Where *PolicyName* is the name of the policy. For example, Contoso_Global.
+
+Example:
```powershell
-Get-AzKeyVault -VaultName Contoso-O365EX-NA-VaultA1
+Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "Contoso_Global"
```
-To remove an administrator's permissions, run the Remove-AzKeyVaultAccessPolicy cmdlet:
+## Create a DEP for use with Exchange Online mailboxes
+
+Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. For information, see [Set up Customer Key](customer-key-set-up.md). You'll complete these steps by remotely connecting to Exchange Online with Windows PowerShell.
+
+A DEP is associated with a set of keys stored in Azure Key Vault. You assign a DEP to a mailbox in Microsoft 365. Microsoft 365 will then use the keys identified in the policy to encrypt the mailbox. To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key).
+
+Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy.
+
+To create a DEP to use with a mailbox, follow these steps:
+
+1. On your local computer, using a work or school account that has global administrator or Exchange Online admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+2. To create a DEP, use the New-DataEncryptionPolicy cmdlet by typing the following command.
+
+ ```powershell
+ New-DataEncryptionPolicy -Name <PolicyName> -Description "Policy Description" -AzureKeyIDs <KeyVaultURI1>, <KeyVaultURI2>
+ ```
+
+ Where:
+
+ - *PolicyName* is the name you want to use for the policy. Names can't contain spaces. For example, USA_mailboxes.
+
+ - *Policy Description* is a user-friendly description of the policy that will help you remember what the policy is for. You can include spaces in the description. For example, "Root key for mailboxes in USA and its territories".
+
+ - *KeyVaultURI1* is the URI for the first key in the policy. For example, <https://contoso_EastUSvault01.vault.azure.net/keys/USA_key_01>.
+
+ - *KeyVaultURI2* is the URI for the second key in the policy. For example, <https://contoso_EastUS2vault01.vault.azure.net/keys/USA_Key_02>. Separate the two URIs by a comma and a space.
+
+ Example:
+
+ ```powershell
+ New-DataEncryptionPolicy -Name USA_mailboxes -Description "Root key for mailboxes in USA and its territories" -AzureKeyIDs https://contoso_EastUSvault02.vault.azure.net/keys/USA_key_01, https://contoso_CentralUSvault02.vault.azure.net/keys/USA_Key_02
+ ```
+
+For detailed syntax and parameter information, see [New-DataEncryptionPolicy](/powershell/module/exchange/new-data-encryptionpolicy).
+
+### Assign a DEP to a mailbox
+
+Assign the DEP to a mailbox by using the Set-Mailbox cmdlet. Once you assign the policy, Microsoft 365 can encrypt the mailbox with the key identified in the DEP.
```powershell
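Review bot: the Exchange DEP example's vault names do not match the placeholders explained just above it (`contoso_EastUSvault01` and `contoso_EastUS2vault01` in the bullets versus `contoso_EastUSvault02` and `contoso_CentralUSvault02` in the command), and none of them is a valid Azure Key Vault name: vault names allow only letters, digits and hyphens because they become part of the `*.vault.azure.net` hostname. Use hyphenated names such as `contoso-eastus-vault01` in both the bullets and the example so readers can copy a form that actually resolves. The multi-workload example on this same page quotes each URI; quoting them here too keeps the two procedures consistent.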
-Remove-AzKeyVaultAccessPolicy -VaultName <vault name> -UserPrincipalName <UPN of user>
+Set-Mailbox -Identity <MailboxIdParameter> -DataEncryptionPolicy <PolicyName>
```
-For example:
+Where *MailboxIdParameter* specifies a user mailbox. For more information about the Set-Mailbox cmdlet, see [Set-Mailbox](/powershell/module/exchange/set-mailbox).
+
+In hybrid environments, you can assign a DEP to the on-premises mailbox data that is synchronized into your Exchange Online tenant. To assign a DEP to this synchronized mailbox data, you'll use the Set-MailUser cmdlet. For more information about mailbox data in the hybrid environment, see [on-premises mailboxes using Outlook for iOS and Android with hybrid Modern Authentication](/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth).
```powershell
-Remove-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -UserPrincipalName alice@contoso.com
+Set-MailUser -Identity <MailUserIdParameter> -DataEncryptionPolicy <PolicyName>
```
-## Manage data encryption policies (DEPs) with Customer Key
+Where *MailUserIdParameter* specifies a mail user (also known as a mail-enabled user). For more information about the Set-MailUser cmdlet, see [Set-MailUser](/powershell/module/exchange/set-mailuser).
-Customer Key handles DEPs differently between the different services. For example, you can create a different number of DEPs for the different services.
+## Create a DEP for use with SharePoint Online, OneDrive for Business, and Teams files
-**Exchange Online and Skype for Business:** You can create up to 50 DEPs. For instructions, see [Create a data encryption policy (DEP) for use with Exchange Online and Skype for Business](customer-key-set-up.md#create-a-data-encryption-policy-dep-for-use-with-exchange-online-and-skype-for-business).
+Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. For information, see [Set up Customer Key](customer-key-set-up.md).
+
+To set up Customer Key for SharePoint Online, OneDrive for Business, and Teams files you complete these steps by remotely connecting to SharePoint Online with Windows PowerShell.
+
+You associate a DEP with a set of keys stored in Azure Key Vault. You apply a DEP to all of your data in one geographic location, also called a geo. If you use the multi-geo feature of Office 365, you can create one DEP per geo with the capability to use different keys per geo. If you aren't using multi-geo, you can create one DEP in your organization for use with SharePoint Online, OneDrive for Business, and Teams files. Microsoft 365 uses the keys identified in the DEP to encrypt your data in that geo. To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key).
+
+Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy.
+
+To create a DEP, you need to remotely connect to SharePoint Online by using Windows PowerShell.
+
+1. On your local computer, using a work or school account that has global administrator permissions in your organization, [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?preserve-view=true&view=sharepoint-ps).
-**SharePoint Online, OneDrive for Business, and Teams files:** A DEP applies to data in one geographic location, also called a _geo_. If you use the multi-geo feature of Office 365, you can create one DEP per geo. If you are not using multi-geo, you can create one DEP. Normally, you create the DEP when you set up Customer Key. For instructions, see [Create a data encryption policy (DEP) for each SharePoint Online and OneDrive for Business geo](customer-key-set-up.md#create-a-data-encryption-policy-dep-for-each-sharepoint-online-and-onedrive-for-business-geo).
+2. In the Microsoft SharePoint Online Management Shell, run the Register-SPODataEncryptionPolicy cmdlet as follows:
-### View the DEPs you've created for Exchange Online and Skype for Business
+ ```powershell
+ Register-SPODataEncryptionPolicy -Identity <adminSiteCollectionURL> -PrimaryKeyVaultName <PrimaryKeyVaultName> -PrimaryKeyName <PrimaryKeyName> -PrimaryKeyVersion <PrimaryKeyVersion> -SecondaryKeyVaultName <SecondaryKeyVaultName> -SecondaryKeyName <SecondaryKeyName> -SecondaryKeyVersion <SecondaryKeyVersion>
+ ```
-To view a list of all the DEPs you've created for Exchange Online and Skype for Business using the Get-DataEncryptionPolicy PowerShell cmdlet, complete these steps.
+ Example:
+
+ ```powershell
+ Register-SPODataEncryptionPolicy -Identity https://contoso.sharepoint.com -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251aΓÇÖ
+ ```
+
+ When you register the DEP, encryption begins on the data in the geo. Encryption can take some time. For more information on using this parameter, see [Register-SPODataEncryptionPolicy](/powershell/module/sharepoint-online/register-spodataencryptionpolicy?preserve-view=true&view=sharepoint-ps).
+
+### View the DEPs you've created for Exchange Online mailboxes
+
+To view a list of all the DEPs you've created for mailboxes, use the Get-DataEncryptionPolicy PowerShell cmdlet.
1. Using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
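Review bot: the worked example under `Example:` closes the SecondaryKeyVersion value with a typographic right single quote (rendered here as ΓÇÖ) rather than the ASCII apostrophe that opens it; write `-SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251a'` so the sample copies cleanly into a shell. The syntax line names the target `-Identity <adminSiteCollectionURL>`, but the example passes `https://contoso.sharepoint.com` and the verification step later in this file uses `<SPOAdminSiteUrl>`; say once which URL Register-SPODataEncryptionPolicy expects and use the same placeholder in both places. Two smaller points: "For more information on using this parameter" refers to a cmdlet, not a parameter, and the requirement to connect to SharePoint Online remotely with Windows PowerShell is stated twice (in the "To set up Customer Key for SharePoint Online..." paragraph and again in "To create a DEP, you need to remotely connect..."); one of them can go.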
To determine the DEP assigned to a mailbox, use the Get-MailboxStatistics cmdlet
## Verify that Customer Key has finished encryption
-Whether you've just rolled a Customer Key, assigned a new DEP, or migrated a mailbox, use the steps in this section to ensure that encryption completes.
+Whether you've rolled a Customer Key, assigned a new DEP, or migrated a mailbox, use the steps in this section to ensure that encryption completes.
-### Verify encryption completes for Exchange Online and Skype for Business
+### Verify encryption completes for Exchange Online mailboxes
-Encrypting a mailbox can take some time. We recommend that you wait 72 hours before you attempt to validate encryption after you change a DEP or the first time you assign a DEP to a mailbox.
+Encrypting a mailbox can take some time. For first time encryption, the mailbox must also completely move from one database to another before the service can encrypt the mailbox.
Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.
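Review bot: the rewritten sentence "Encrypting a mailbox can take some time. For first time encryption, the mailbox must also completely move from one database to another..." drops the only concrete expectation the removed text gave (wait 72 hours before validating) without replacing it, so an admin checking IsEncrypted has no way to tell a slow move from a stuck one. State the expected window here, or point explicitly at the escalation threshold given later in this section, and hyphenate "first-time encryption".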
Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.
Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted ```
-The IsEncrypted property returns a value of **true** if the mailbox is encrypted and a value of **false** if the mailbox is not encrypted.
+The IsEncrypted property returns a value of **true** if the mailbox is encrypted and a value of **false** if the mailbox isn't encrypted. The time to complete mailbox moves depends on the number of mailboxes to which you assign a DEP for the first time, and the size of the mailboxes. If the mailboxes haven't been encrypted after a week from the time you assigned the DEP, contact Microsoft.
-The time to complete mailbox moves depends on the size of the mailbox. If Customer Key hasn't completely encrypted the mailbox after 72 hours from the time you assign a new DEP, contact Microsoft support for help. The New-MoveRequest cmdlet is no longer available for local mailbox moves. Refer to [this announcement](https://techcommunity.microsoft.com/t5/exchange-team-blog/disabling-new-moverequest-for-local-mailbox-moves/bc-p/1332141) for additional information.
+The New-MoveRequest cmdlet is no longer available for local mailbox moves. Refer to [this announcement](https://techcommunity.microsoft.com/t5/exchange-team-blog/disabling-new-moverequest-for-local-mailbox-moves/bc-p/1332141) for additional information.
### Verify encryption completes for SharePoint Online, OneDrive for Business, and Teams files Check on the status of encryption by running the Get-SPODataEncryptionPolicy cmdlet as follows:
-```powershell
-Get-SPODataEncryptionPolicy -Identity <SPOAdminSiteUrl>
+```PowerShell
+ Get-SPODataEncryptionPolicy -Identity <SPOAdminSiteUrl>
``` The output from this cmdlet includes:
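Review bot: the escalation threshold changes from 72 hours in the removed sentence to "after a week from the time you assigned the DEP" in the new IsEncrypted paragraph; if that is intentional, the "Verify encryption completes for Exchange Online mailboxes" paragraph just above should state the same window rather than none, and the overview article's "within the specified time" should point at it. Style: the Get-SPODataEncryptionPolicy fence changes its tag from `powershell` to `PowerShell` and indents the command by one space, unlike every other fence in this file; keep the lowercase tag and no indentation. "contact Microsoft" also lost "support for help" from the original wording; restore at least "support".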
The output from this cmdlet includes:
- **Rolling:** A key roll is in progress. If the key for the geo is rolling, you'll also be shown information on what percentage of sites have completed the key roll operation so that you can monitor progress.
+## Get details about DEPs you use with multiple workloads
+
+To get details about all of the DEPs you've created to use with multiple workloads, complete these steps:
+
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+ - To return the list of all multi-workload DEPs in the organization, run this command.
+
+ ```powershell
+ Get-M365DataAtRestEncryptionPolicy
+ ```
+
+ - To return details about a specific DEP, run this command. This example returns detailed information for the DEP named "Contoso_Global".
+
+ ```powershell
+ Get-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global"
+ ```
+
+## Get multi-workload DEP assignment information
+
+To find out which DEP is currently assigned to your tenant, follow these steps.
+
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+2. Type this command.
+
+ ```powershell
+ Get-M365DataAtRestEncryptionPolicyAssignment
+ ```
+
+## Disable a multi-workload DEP
+
+Before you disable a multi-workload DEP, unassign the DEP from workloads in your tenant. To disable a DEP used with multiple workloads, complete these steps:
+
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+2. Run the Set-M365DataAtRestEncryptionPolicy cmdlet.
+
+ ```powershell
+ Set-M365DataAtRestEncryptionPolicy -[Identity] "PolicyName" -Enabled $false
+ ```
+
+Where *PolicyName* is the name or unique ID of the policy. For example, Contoso_Global.
+
+Example:
+
+```powershell
+Set-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global" -Enabled $false
+```
+
+## Restore Azure Key Vault keys
+
+Before performing a restore, use the recovery capabilities provided by soft delete. All keys that are used with Customer Key are required to have soft delete enabled. Soft delete acts like a recycle bin and allows recovery for up to 90 days without the need to restore. Restore should only be required in extreme or unusual circumstances, for example if the key or key vault is lost. If you must restore a key for use with Customer Key, in Azure PowerShell, run the Restore-AzureKeyVaultKey cmdlet as follows:
+
+```powershell
+Restore-AzKeyVaultKey -VaultName <vault name> -InputFile <filename>
+```
+
+For example:
+
+```powershell
+Restore-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -InputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup
+```
+
+If the key vault already contains a key with the same name, the restore operation fails. Restore-AzKeyVaultKey restores all key versions and all metadata for the key including the key name.
+
+## Manage key vault permissions
+
+Several cmdlets are available that enable you to view and, if necessary, remove key vault permissions. You might need to remove permissions, for example, when an employee leaves the team. For each of these tasks, you will use Azure PowerShell. For information about Azure PowerShell, see [Overview of Azure PowerShell](/powershell/azure/).
+
+To view key vault permissions, run the Get-AzKeyVault cmdlet.
+
+```powershell
+Get-AzKeyVault -VaultName <vault name>
+```
+
+For example:
+
+```powershell
+Get-AzKeyVault -VaultName Contoso-O365EX-NA-VaultA1
+```
+
+To remove an administrator's permissions, run the Remove-AzKeyVaultAccessPolicy cmdlet:
+
+```powershell
+Remove-AzKeyVaultAccessPolicy -VaultName <vault name> -UserPrincipalName <UPN of user>
+```
+
+For example:
+
+```powershell
+Remove-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -UserPrincipalName alice@contoso.com
+```
+ ## Roll back from Customer Key to Microsoft managed Keys
-For Customer Key at the tenant level, you'll need to reach out to Microsoft with a request for ΓÇ£offboardingΓÇ¥ from Customer Key. The request will be handled by the On Call Engineering team.
+If you need to revert to Microsoft-managed keys, you can. When you offboard, your data is re-encrypted using default encryption supported by each individual workload. For example, Exchange Online supports default encryption using Microsoft-managed keys.
+
+> [!IMPORTANT]
+> Offboarding is not the same as a data purge. A data purge permanently crypto-deletes your organization's data from Microsoft 365, offboarding does not. You can't perform a data purge for a multiple workload policy.
-For Customer Key at the application level, you do this by unassigning a DEP from mailboxes using the Set-mailbox PowerShell cmdlet and setting the `DataEncryptionPolicy` to `$NULL`. Running this cmdlet unassigns the currently assigned DEP and reencrypts the mailbox using the DEP associated with default Microsoft managed keys. You can't unassign the DEP used by Microsoft managed keys. If you don't want to use Microsoft managed keys, you can assign another Customer Key DEP to the mailbox.
+If you decide not to use Customer Key for assigning multi-workload DEPs anymore then you'll need to reach out to Microsoft support with a request to ΓÇ£offboardΓÇ¥ from Customer Key. Ask the support team to file a service request against Microsoft 365 Customer Key team. Reach out to m365-ck@service.microsoft.com if you have any questions.
-To unassign the DEP from a mailbox using the Set-Mailbox PowerShell cmdlet, complete these steps.
+If you do not want to encrypt individual mailboxes using mailbox level DEPs anymore, then you can unassign mailbox level DEPs from all your mailboxes.
+
+To unassign mailbox DEPs, use the Set-Mailbox PowerShell cmdlet.
1. Using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
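Review bot: the Disable step puts `Set-M365DataAtRestEncryptionPolicy -[Identity] "PolicyName" -Enabled $false` inside a code fence; the square brackets are syntax-diagram notation for an optional parameter name, not something PowerShell accepts as typed, so the fence should read `Set-M365DataAtRestEncryptionPolicy -Identity "<PolicyName>" -Enabled $false` to match the worked example that follows. Also in this hunk: the prose under "Restore Azure Key Vault keys" tells the reader to run Restore-AzureKeyVaultKey while both fences use Restore-AzKeyVaultKey; use the Az cmdlet name in the prose. The Disable section says to unassign the DEP from workloads first but documents no unassignment cmdlet, and the roll-back section says multi-workload offboarding is handled through a support request; say which of the two "unassign" means so an admin does not disable a policy that is still in use. Minor: "Microsoft-managed keys" and "Microsoft managed keys" are both used in the roll-back text; pick one.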
To unassign the DEP from a mailbox using the Set-Mailbox PowerShell cmdlet, comp
Set-Mailbox -Identity <mailbox> -DataEncryptionPolicy $NULL ```
+Running this cmdlet unassigns the currently assigned DEP and reencrypts the mailbox using the DEP associated with default Microsoft-managed keys. You can't unassign the DEP used by Microsoft managed keys. If you don't want to use Microsoft-managed keys, you can assign another Customer Key DEP to the mailbox.
+ ## Revoke your keys and start the data purge path process
-You control the revocation of all root keys including the availability key. Customer Key provides control of the exit planning aspect of the regulatory requirements for you. If you decide to revoke your keys to purge your data and exit the service, the service deletes the availability key once the data purge process completes. You can't perform a data purge for a tenant-level policy.
+You control the revocation of all root keys including the availability key. Customer Key provides control of the exit planning aspect of the regulatory requirements for you. If you decide to revoke your keys to purge your data and exit the service, the service deletes the availability key once the data purge process completes. This is supported for Customer Key DEPs that are assigned to individual mailboxes.
Microsoft 365 audits and validates the data purge path. For more information, see the SSAE 18 SOC 2 Report available on the [Service Trust Portal](https://servicetrust.microsoft.com/). In addition, Microsoft recommends the following documents:
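Review bot: the replacement sentence "This is supported for Customer Key DEPs that are assigned to individual mailboxes" only implies what the deleted sentence said outright, that a data purge cannot be done for the tenant-level (multi-workload) policy; keep an explicit "not supported for multi-workload DEPs" statement here rather than relying on the reader reaching the paragraph further down. Style: the added "Running this cmdlet unassigns..." paragraph switches between "Microsoft-managed keys" and "Microsoft managed keys" within one paragraph.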
Microsoft 365 audits and validates the data purge path. For more information, se
- [O365 Exit Planning Considerations](https://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=77ea7ebf-ce1b-4a5f-9972-d2d81a951d99&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ_and_White_Papers)
-The data purge path differs slightly between the different services.
+Purging of multi-workload DEP is not supported for Microsoft 365 Customer Key. The multi-workload DEP is used to encrypt data across multiple workloads across all tenant users. Purging such DEP would result into data from across multiple workloads become inaccessible. If you decide to exit Microsoft 365 services altogether then you could pursue the path of tenant deletion per the documented process. See [how to delete a tenant in Azure Active Directoy](/azure/active-directory/enterprise-users/directory-delete-howto).
### Revoke your Customer Keys and the availability key for Exchange Online and Skype for Business
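Review bot: the new paragraph has several grammar slips and a typo: "Purging of multi-workload DEP is not supported" should be "Purging a multi-workload DEP is not supported", "Purging such DEP would result into data from across multiple workloads become inaccessible" should be "Purging such a DEP would make data from multiple workloads inaccessible", and the link text "Azure Active Directoy" should be "Azure Active Directory". The deleted sentence was the lead-in to the "### Revoke your Customer Keys and the availability key for Exchange Online and Skype for Business" subsection that follows; since the new paragraph ends on tenant deletion, add a sentence that returns to the mailbox-DEP revocation path that subsection describes.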
compliance Customer Key Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-overview.md
Title: "Service encryption with Customer Key"
Previously updated : 02/05/2020 audience: ITPro
- m365solution-mip - m365initiative-compliance
-description: "In this article, you will learn about how service encryption works with the customer key in Microsoft 365."
+description: "In this article, you will learn about how service encryption works with Customer Key in Microsoft 365."
# Service encryption with Customer Key
-Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption at the application layer for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files. This added layer of encryption is called service encryption.
+Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.
## How service encryption, BitLocker, and Customer Key work together
-Service encryption ensures that content at rest is encrypted at the service layer. **Your data is always encrypted at rest in the Microsoft 365 service with BitLocker and DKM**. For more information, see the "Security, Privacy, and Compliance Information", and [How Exchange Online secures your email secrets](exchange-online-secures-email-secrets.md). Customer Key provides additional protection against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. Service encryption is not meant to prevent Microsoft personnel from accessing customer data. The primary purpose is to assist customers in meeting regulatory or compliance obligations for controlling root keys. Customers explicitly authorize O365 services to use their encryption keys to provide value added cloud services, such as eDiscovery, anti-malware, anti-spam, search indexing, etc.
+Your data is always encrypted at rest in the Microsoft 365 service with BitLocker and DKM. For more information, see [How Exchange Online secures your email secrets](exchange-online-secures-email-secrets.md). Customer Key provides extra protection against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft data centers. Service encryption is not meant to prevent Microsoft personnel from accessing your data. Instead, Customer Key helps you meet regulatory or compliance obligations for controlling root keys. You explicitly authorize Microsoft 365 services to use your encryption keys to provide value added cloud services, such as eDiscovery, anti-malware, anti-spam, search indexing, and so on.
Customer Key is built on service encryption and lets you provide and control encryption keys. Microsoft 365 then uses these keys to encrypt your data at rest as described in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products.aspx). Customer Key helps you meet compliance obligations because you control the encryption keys that Microsoft 365 uses to encrypt and decrypt data.
-Customer Key enhances the ability of your organization to meet the demands of compliance requirements that specify key arrangements with the cloud service provider. With Customer Key, you provide and control the root encryption keys for your Microsoft 365 data at-rest at the application level. As a result, you exercise control over your organization's keys. If you decide to exit the service, you revoke access to your organization's root keys. For all Microsoft 365 services, revoking access to the keys is the first step on the path towards data deletion. By revoking access to the keys, the data is unreadable to the service.
+Customer Key enhances the ability of your organization to meet the demands of compliance requirements that specify key arrangements with the cloud service provider. With Customer Key, you provide and control the root encryption keys for your Microsoft 365 data at-rest at the application level. As a result, you exercise control over your organization's keys.
-## Customer Key encrypts data at rest in Office 365
+## Customer Key with hybrid deployments
-Using keys you provide, Customer Key at the application level encrypts:
+Customer Key only encrypts data at rest in the cloud. Customer Key does not work to protect your on-premises mailboxes and files. You can encrypt your on-premises data using another method, such as BitLocker.
-- SharePoint Online, OneDrive for Business, and Teams files.-- Files uploaded to OneDrive for Business.-- Exchange Online mailbox content including e-mail body content, calendar entries, and the content within email attachments.-- Text conversations from Skype for Business.
+## About data encryption policies
-We don't currently offer customer control of the encryption keys for Skype Meeting Broadcast and Skype Meeting content uploads. Instead, this content is encrypted along with all other content in Office 365.
+A data encryption policy (DEP) defines the encryption hierarchy. This hierarchy is used by the service to encrypt data using each of the keys you manage and the availability key that's protected by Microsoft. You create DEPs using PowerShell cmdlets, and then assign those DEPs to encrypt application data. There are three types of DEPs supported by Microsoft 365 Customer Key, each policy type uses different cmdlets and provides coverage for a different type of data. The DEPs you can define include:
-### Customer Key with hybrid deployments
+**DEP for multiple Microsoft 365 workloads** These DEPs encrypt data across multiple M365 workloads for all users within the tenant. These workloads include:
-Customer Key only encrypts data at rest in the cloud. Customer Key does not work to protect your on-premises mailboxes and files. You can encrypt your on-premises data using another method, such as BitLocker.
+- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)
+- Teams media messages (images, code snippets, video messages, audio messages, wiki images)
+- Teams call and meeting recordings stored in Teams storage
+- Teams chat notifications
+- Teams chat suggestions by Cortana
+- Teams status messages
+- User and signal information for Exchange Online
+- Exchange Online mailboxes that aren't already encrypted by mailbox DEPs
+- MIP exact data match (EDM) data ΓÇô (data file schemas, rule packages, and the salts used to hash the sensitive data).
+ For MIP exact data match (EDM) and Microsoft Teams, the multi-workload DEP encrypts new data from the time you assign the DEP to the tenant. For Exchange Online, Customer Key encrypts all existing and new data.
+
+Multi-workload DEPs don't encrypt the following types of data. Instead, Microsoft 365 uses other types of encryption to protect this data.
-## About the data encryption policy (DEP)
+- SharePoint and OneDrive for Business data.
+- Microsoft Teams files and some Teams call and meeting recordings saved in OneDrive for Business and SharePoint Online are encrypted using the SharePoint Online DEP.
+- Other Microsoft 365 workloads such as Yammer and Planner that aren't currently supported by Customer Key.
+- Teams Live Events and Q&A in Live Events. For Teams, this scenario is the only one that isn't encrypted by Customer Key using multi-workload DEP.
-A data encryption policy defines the encryption hierarchy to encrypt data using each of the keys you provide as well as the availability key protected by Microsoft. You create DEPs using PowerShell cmdlets, which are different for each service, and assign those DEPs to encrypt application data. For example:
+You can create multiple DEPs per tenant but only assign one DEP at a time. When you assign the DEP, encryption begins automatically but takes some time to complete depending on the size of your tenant.
-**Exchange Online and Skype for Business** You can create up to 50 DEPs per tenant. You associate DEPs to your Customer Keys in Azure Key Vault and then assign DEPs to individual mailboxes. When you assign a DEP to a mailbox:
+**DEPs for Exchange Online mailboxes** Mailbox DEPs provide more precise control over individual mailboxes within Exchange Online. Use mailbox DEPs to encrypt data stored in EXO mailboxes of different types such as UserMailbox, MailUser, Group, PublicFolder, and Shared mailboxes. You can have up to 50 active DEPs per tenant and assign those DEPs to individual mailboxes. You can assign one DEP to multiple mailboxes.
-- the mailbox is marked for a mailbox move. Based on priorities in Microsoft 365 as described here [Move requests in the Microsoft 365 service](/exchange/mailbox-migration/office-365-migration-best-practices#move-requests-in-the-office-365-service).
+By default your mailboxes get encrypted using Microsoft-managed keys. When you assign a Customer Key DEP to a mailbox:
-- The encryption takes place while the mailbox is moved. Allow 72 hours for the mailbox to become encrypted with the new DEP. If the mailboxes aren't encrypted after waiting 72 hours from the time you assigned the DEP, contact Microsoft.
+- If the mailbox is encrypted using a multi-workload DEP, the service rewraps the mailbox using the new mailbox DEP as long as a user or a system operation accesses the mailbox data.
-Later, you can either refresh the DEP or assign a different DEP to the mailbox as described in [Manage Customer Key for Office 365](customer-key-manage.md). Each mailbox must have appropriate licenses in order to assign a DEP. For more information about licensing, see [Before you set up Customer Key](customer-key-set-up.md#before-you-set-up-customer-key).
+- If the mailbox is already encrypted using Microsoft-managed keys, the service rewraps the mailbox using the new mailbox DEP as long as a user or a system operation accesses the mailbox data.
-> [!NOTE]
-> The DEP can be applied to a shared mailbox, public folder mailbox, and Microsoft 365 group mailbox for tenants that meet the licensing requirement for user mailboxes, even though some of these mailbox types cannot be an assigned license (public folder mailbox and Microsoft 365 group mailbox) or need a license for increasing storage (shared mailbox).
+- If the mailbox is not yet encrypted using default encryption, then the service marks the mailbox for a move. The encryption takes place once the move is complete. Mailbox moves are governed based on priorities set for all of Microsoft 365. For more information, see, [Move requests in the Microsoft 365 service](/exchange/mailbox-migration/office-365-migration-best-practices#move-requests-in-the-office-365-service). If the mailboxes aren't encrypted within the specified time, contact Microsoft.
-**SharePoint Online, OneDrive for Business, and Teams files** If you're using the multi-geo feature, you can create up to one DEP per geo for your organization. You can use different Customer Keys for each geo. If you're not using the multi-geo feature, you can only create one DEP per tenant. When you assign the DEP, encryption begins automatically but can take some time to complete. Refer to the details in [Set up Customer Key](customer-key-set-up.md).
+Later, you can either refresh the DEP or assign a different DEP to the mailbox as described in [Manage Customer Key for Office 365](customer-key-manage.md). Each mailbox must have appropriate licenses to be assigned a DEP. For more information about licensing, see [Before you set up Customer Key](customer-key-set-up.md#before-you-set-up-customer-key).
-## Leaving the service
+DEPs can be assigned to a shared mailbox, public folder mailbox, and Microsoft 365 group mailbox for tenants that meet the licensing requirement for user mailboxes. You don't need separate licenses for non-user-specific mailboxes to assign Customer Key DEP.
-Customer Key assists you in meeting compliance obligations by allowing you to revoke your keys when you leave the Microsoft 365 service. When you revoke your keys as part of leaving the service, the availability key is deleted resulting in cryptographic deletion of your data. Cryptographic deletion mitigates the risk of data remanence which is important for meeting both security and compliance obligations. For information about the data purge process and key revocation, see [Revoke your keys and start the data purge path process](customer-key-manage.md#revoke-your-keys-and-start-the-data-purge-path-process).
+For Customer Key DEPs that you assign to individual mailboxes, you can request that Microsoft purge specific DEPs when you leave the service. For information about the data purge process and key revocation, see [Revoke your keys and start the data purge path process](customer-key-manage.md#revoke-your-keys-and-start-the-data-purge-path-process).
+
+When you revoke access to your keys as part of leaving the service, the availability key is deleted, resulting in cryptographic deletion of your data. Cryptographic deletion mitigates the risk of data remanence, which is important for meeting both security and compliance obligations.
+
+**DEP for SharePoint Online and OneDrive for Business** This DEP is used to encrypt content stored in SPO and OneDrive for Business, including Microsoft Teams files stored in SPO. If you're using the multi-geo feature, you can create one DEP per geo for your organization. If you're not using the multi-geo feature, you can only create one DEP per tenant. Refer to the details in [Set up Customer Key](customer-key-set-up.md).
### Encryption ciphers used by Customer Key
-Customer Key uses a variety of encryption ciphers to encrypt keys as shown in the following figures.
+Customer Key uses various encryption ciphers to encrypt keys as shown in the following figures.
+
+The key hierarchy used for DEPs that encrypt data for multiple Microsoft 365 workloads is similar to the hierarchy used for DEPs for individual Exchange Online mailboxes. The only difference is that the Mailbox Key is replaced with the corresponding Microsoft 365 Workload Key.
#### Encryption ciphers used to encrypt keys for Exchange Online and Skype for Business
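Review bot: the rewritten opening drops the sentence that defined the term ("This added layer of encryption is called service encryption"), and the rewrite of the "How service encryption, BitLocker, and Customer Key work together" paragraph drops "Service encryption ensures that content at rest is encrypted at the service layer", yet that heading and the unchanged "Customer Key is built on service encryption" still rely on the term; keep one defining sentence. The mailbox bullet ending "If the mailboxes aren't encrypted within the specified time, contact Microsoft" specifies no time, where the removed bullet said 72 hours and the companion manage article now says a week; give the number or link to it. "You can create multiple DEPs per tenant but only assign one DEP at a time" sits after the multi-workload exclusion list but reads as a general rule, while the mailbox paragraph allows 50 active DEPs assigned across mailboxes; qualify it as multi-workload DEPs. Grammar: "There are three types of DEPs supported by Microsoft 365 Customer Key, each policy type uses different cmdlets" is a comma splice, and "rewraps the mailbox using the new mailbox DEP as long as a user or a system operation accesses the mailbox data" (used in two bullets) presumably means "the next time a user or system operation accesses"; confirm the intended trigger and word both bullets the same way.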
compliance Customer Key Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-set-up.md
Title: "Set up Customer Key at the application level"
+ Title: "Set up Customer Key"
Previously updated : 02/05/2020 audience: ITPro
search.appverid:
- MET150 - M365-security-compliance
-description: "Learn how to set up Customer Key for Microsoft 365 for Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files."
+description: "Learn how to set up Customer Key for Microsoft 365."
-# Set up Customer Key at the application level
+# Set up Customer Key
-With Customer Key, you control your organization's encryption keys and then configure Microsoft 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows customers to add a layer of encryption that belongs to them, with their keys. Data at rest includes data from Exchange Online and Skype for Business that is stored in mailboxes and files that are stored in SharePoint Online and OneDrive for Business.
+With Customer Key, you control your organization's encryption keys and then configure Microsoft 365 to use them to encrypt your data at rest in Microsoft's data centers. In other words, Customer Key allows customers to add a layer of encryption that belongs to them, with their keys.
-You must set up Azure before you can use Customer Key for Office 365. This article describes the steps you need to follow to create and configure the required Azure resources and then provides the steps for setting up Customer Key in Office 365. After you have completed Azure setup, you determine which policy, and therefore, which keys, to assign to mailboxes and files in your organization. Mailboxes and files for which you don't assign a policy will use encryption policies that are controlled and managed by Microsoft. For more information about Customer Key, or for a general overview, see [Service encryption with Customer Key in Office 365](customer-key-overview.md).
+Set up Azure before you can use Customer Key for Office 365. This article describes the steps you need to follow to create and configure the required Azure resources and then provides the steps for setting up Customer Key in Office 365. After you set up Azure, you determine which policy, and therefore, which keys, to assign to encrypt data across various Microsoft 365 workloads in your organization. For more information about Customer Key, or for a general overview, see [Service encryption with Customer Key in Office 365](customer-key-overview.md).
> [!IMPORTANT] > We strongly recommend that you follow the best practices in this article. These are called out as **TIP** and **IMPORTANT**. Customer Key gives you control over root encryption keys whose scope can be as large as your entire organization. This means that mistakes made with these keys can have a broad impact and may result in service interruptions or irrevocable loss of your data. ## Before you set up Customer Key
-Before you get started, ensure that you have the appropriate licensing for your organization. Use a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider. Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren't supported for Customer Key. Starting April 1, 2020, Customer Key in Office 365 is offered in Office 365 E5, M365 E5, M365 E5 Compliance, and M365 E5 Information Protection & Governance SKUs. Office 365 Advanced Compliance SKU is no longer available for procuring new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported.
+Before you get started, ensure that you have the appropriate Azure subscriptions and licensing for your organization. Use paid Azure Subscriptions using either an Enterprise Agreement or a Cloud Service Provider. Credit Card based payments are not accepted. Approve and set up the account needs for invoicing. Subscriptions you got through Free, Trial, Sponsorships, MSDN Subscriptions, and those under Legacy Support are not eligible.
-To understand the concepts and procedures in this article, review the [Azure Key Vault](/azure/key-vault/) documentation. Also, become familiar with the terms used in Azure, for example, [Azure AD tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant).
+Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection & Governance SKUs offer Customer Key. Office 365 Advanced Compliance SKU is no longer available for procuring new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported.
-FastTrack is only used to collect the required tenant and service configuration information used to register for Customer Key. The Customer Key Offers are published via FastTrack so that it is convenient for you and our partners to submit the required information using the same method. FastTrack also makes it easy to archive the data that you provide in the Offer.
+To understand the concepts and procedures in this article, review the [Azure Key Vault](/azure/key-vault/) documentation. Also, become familiar with the terms used in Azure, for example, [Azure AD tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant).
If you need more support beyond the documentation, contact Microsoft Consulting Services (MCS), Premier Field Engineering (PFE), or a Microsoft partner for assistance. To provide feedback on Customer Key, including the documentation, send your ideas, suggestions, and perspectives to customerkeyfeedback@microsoft.com.
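Review bot: "Approve and set up the account needs for invoicing." in the second added paragraph is not a grammatical sentence and leaves unclear who approves what; suggest "Set up the subscription for invoicing and have the account approved." Also "Credit Card based payments" should be "Credit card-based payments", and the eligibility list ("Free, Trial, Sponsorships, MSDN Subscriptions, and those under Legacy Support") mixes singular and plural forms; make them parallel ("Free, Trial, Sponsorship, and MSDN subscriptions, and subscriptions under Legacy Support").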
To set up Customer Key, complete these tasks in the listed order. The rest of th
**In Azure and Microsoft FastTrack:**
-You will complete most of these tasks by remotely connecting to Azure PowerShell. For best results, use version 4.4.0 or later of Azure PowerShell.
+You'll complete most of these tasks by remotely connecting to Azure PowerShell. For best results, use version 4.4.0 or later of Azure PowerShell.
- [Create two new Azure subscriptions](#create-two-new-azure-subscriptions)
+- [Submit a request to activate Customer Key for Office 365](#submit-a-request-to-activate-customer-key-for-office-365)
+
- [Register Azure subscriptions to use a mandatory retention period](#register-azure-subscriptions-to-use-a-mandatory-retention-period) Registration can take from one to five business days. -- [Submit a request to activate Customer Key for Office 365](#submit-a-request-to-activate-customer-key-for-office-365)-
-Once you've created the two new Azure subscriptions, you'll need to submit the appropriate Customer Key offer request by completing a web form that is hosted in the Microsoft FastTrack portal. **The FastTrack team doesn't provide assistance with Customer Key. Office simply uses the FastTrack portal to allow you to submit the form and to help us track the relevant offers for Customer Key**.
- - [Create a premium Azure Key Vault in each subscription](#create-a-premium-azure-key-vault-in-each-subscription) - [Assign permissions to each key vault](#assign-permissions-to-each-key-vault) -- [Enable and then confirm soft delete on your key vaults](#enable-and-then-confirm-soft-delete-on-your-key-vaults)
+- [Make sure soft delete is enabled on your key vaults](#make-sure-soft-delete-is-enabled-on-your-key-vaults)
- [Add a key to each key vault either by creating or importing a key](#add-a-key-to-each-key-vault-either-by-creating-or-importing-a-key)
Once you've created the two new Azure subscriptions, you'll need to submit the a
- [Validate Azure Key Vault configuration settings](#validate-azure-key-vault-configuration-settings) - [Obtain the URI for each Azure Key Vault key](#obtain-the-uri-for-each-azure-key-vault-key)-
-**In Office 365:**
-
-Exchange Online and Skype for Business:
-- [Create a data encryption policy (DEP) for use with Exchange Online and Skype for Business](#create-a-data-encryption-policy-dep-for-use-with-exchange-online-and-skype-for-business)--- [Assign a DEP to a mailbox](#assign-a-dep-to-a-mailbox)--- [Validate mailbox encryption](#validate-mailbox-encryption)-
-SharePoint Online and OneDrive for Business:
-
-- [Create a data encryption policy (DEP) for each SharePoint Online and OneDrive for Business geo](#create-a-data-encryption-policy-dep-for-each-sharepoint-online-and-onedrive-for-business-geo)--- [Validate file encryption for SharePoint Online, OneDrive for Business, and Teams files](#validate-file-encryption)- ## Complete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key
-Complete these tasks in Azure Key Vault. You'll need to complete these steps regardless of whether you intend to set up Customer Key for Exchange Online and Skype for Business or for SharePoint Online, OneDrive for Business, and Teams files, or for all supported services in Office 365.
+Complete these tasks in Azure Key Vault. You'll need to complete these steps for all DEPs you use with Customer Key.
### Create two new Azure subscriptions
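Review bot: Removing the "In Office 365" task lists (create a DEP, assign a DEP to a mailbox, validate mailbox encryption, and the SharePoint geo policy) leaves the task overview ending at the Azure Key Vault steps with no pointer to the per-workload DEP procedures, even though the added text at "Complete these tasks in Azure Key Vault" says the steps apply "for all DEPs you use with Customer Key"; add one sentence or link after the Azure list telling the reader where the Exchange Online, SharePoint Online, and multi-workload DEP steps now live.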
Customer Key requires two Azure subscriptions. As a best practice, Microsoft rec
> [!IMPORTANT] > Customer Key requires two keys for each data encryption policy (DEP). In order to achieve this, you must create two Azure subscriptions. As a best practice, Microsoft recommends that you have separate members of your organization configure one key in each subscription. You should only use these Azure subscriptions to administer encryption keys for Office 365. This protects your organization in case one of your operators accidentally, intentionally, or maliciously deletes or otherwise mismanages the keys for which they are responsible.
->
There is no practical limit to the number of Azure subscriptions that you can create for your organization. Following these best practices will minimize the impact of human error while helping to manage the resources used by Customer Key. ### Submit a request to activate Customer Key for Office 365
-Once you've completed the Azure steps, you'll need to submit an offer request in the [Microsoft FastTrack portal](https://fasttrack.microsoft.com/). Once you've submitted a request through the FastTrack web portal, Microsoft verifies the Azure Key Vault configuration data and contact information you provided. The selections that you make in the offer form about the authorized officers of your organization is critical and necessary for completion of Customer Key registration. The officers of your organization ensure the authenticity of any request to revoke and destroy all keys used with a Customer Key data encryption policy. You'll need to do this step once to activate Customer Key for Exchange Online and Skype for Business coverage and a second time to activate Customer Key for SharePoint Online and OneDrive for Business.
+Once you've created the two new Azure subscriptions, you'll need to submit the appropriate Customer Key offer request in the [Microsoft FastTrack portal](https://fasttrack.microsoft.com/). The selections that you make in the offer form about the authorized designations within your organization are critical and necessary for completion of Customer Key registration. The officers in those selected roles within your organization ensure the authenticity of any request to revoke and destroy all keys used with a Customer Key data encryption policy. You'll need to do this step once for each Customer Key DEP type that you intend to use for your organization.
+
+**The FastTrack team doesn't provide assistance with Customer Key. Office 365 simply uses the FastTrack portal to allow you to submit the form and to help us track the relevant offers for Customer Key. Once you've submitted the FastTrack request, reach out to the corresponding Customer Key onboarding team to start the onboarding process.**
To submit an offer to activate Customer Key, complete these steps: 1. Using a work or school account that has global administrator permissions in your organization, sign in to the [Microsoft FastTrack portal](https://fasttrack.microsoft.com/).
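Review bot: "the authorized designations within your organization" in the rewritten paragraph is vaguer than the original "authorized officers"; name the roles the offer form asks for, and drop the redundant "critical and necessary" in favour of one word. The new bold paragraph tells the reader to "reach out to the corresponding Customer Key onboarding team" but gives no contact; either list the addresses here or point to the "Register Azure subscriptions to use a mandatory retention period" section, where the three mailboxes are given. Also "Office 365 simply uses the FastTrack portal" is informal for the rest of the page; "Office 365 uses the FastTrack portal only to" reads better.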
-2. Once you're logged in, browse to the **Dashboard**.
+2. Once you're logged in, select the appropriate domain.
-3. Choose **Deploy** from the navigation bar **OR** select **View all deployment resources** on the **Deploy** information card, and review the list of current offers.
+3. For the selected domain, choose **Request services** from the top navigation bar, and review the list of available offers.
4. Choose the information card for the offer that applies to you:
- - **Exchange Online and Skype for Business:** Choose the **Request encryption key help for Exchange online** offer.
+ - **Multiple Microsoft 365 workloads:** Choose the **Request encryption key help for Microsoft 365** offer.
- - **SharePoint Online, OneDrive, and Teams files:** Choose the **Request encryption key help for Sharepoint and OneDrive** offer.
+ - **Exchange Online and Skype for Business:** Choose the **Request encryption key help for Exchange** offer.
+
+ - **SharePoint Online, OneDrive, and Teams files:** Choose the **Request encryption key help for SharePoint and OneDrive for Business** offer.
5. Once you've reviewed the offer details, choose **Continue to step 2**.
Before contacting the Microsoft 365 team, you must do the following steps for ea
Register-AzProviderFeature -FeatureName mandatoryRetentionPeriodEnabled -ProviderNamespace Microsoft.Resources ```
-3. Contact Microsoft to complete the process. For the SharePoint and OneDrive for Business team, contact [spock@microsoft.com](mailto:spock@microsoft.com). For Exchange Online and Skype for Business, contact [exock@microsoft.com](mailto:exock@microsoft.com). Include the following information in your email:
+3. Contact Microsoft to complete the process.
+
+ - For enabling Customer Key for assigning DEP to individual Exchange Online mailboxes, contact [exock@microsoft.com](mailto:exock@microsoft.com).
+
+ - For enabling Customer Key for assigning DEPs to encrypt SharePoint Online and OneDrive for Business content (including Teams files) for all tenant users, contact [spock@microsoft.com](mailto:spock@microsoft.com).
+
+ - For enabling Customer Key for assigning DEPs to encrypt content across multiple Microsoft 365 workloads (Exchange Online, Teams, MIP EDM) for all tenant users, contact [m365-ck@service.microsoft.com](mailto:m365-ck@service.microsoft.com).
+
+- Include the following information in your email:
**Subject**: Customer Key for \<*Your tenant's fully qualified domain name*\>
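Review bot: The added line "- Include the following information in your email:" sits at column 0, which takes it out of numbered step 3 and renders it as a separate bullet list preceding the Subject line; indent it as continuation text under step 3 (or make it a plain sentence) so the email template stays attached to the contact step. The third sub-bullet also introduces "MIP EDM" without expansion; spell it out on first use (Microsoft Information Protection exact data match), and consider putting the multi-workload contact first, since it is the offer the page now leads with.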
When you create a key vault, you must choose a SKU: either Standard or Premium.
> [!IMPORTANT] > Use the Premium SKU key vaults and HSM-protected keys for production data, and only use Standard SKU key vaults and keys for testing and validation purposes.
-For each Microsoft 365 service with which you will use Customer Key, create a key vault in each of the two Azure subscriptions that you created. For example, for Exchange Online and Skype for Business only or SharePoint Online and OneDrive for Business only, you'll create only one pair of vaults. To enable Customer Key for both Exchange Online and SharePoint Online, you will create two pairs of key vaults.
+For each Microsoft 365 service with which you will use Customer Key, create a key vault in each of the two Azure subscriptions that you created. For example, to enable Customer Key to use DEPs for Exchange Online, SharePoint Online, and multi-workload scenarios, you'll create three pairs of key vaults.
Use a naming convention for key vaults that reflects the intended use of the DEP with which you will associate the vaults. See the Best Practices section below for naming convention recommendations.
-Create a separate, paired set of vaults for each data encryption policy. For Exchange Online, the scope of a data encryption policy is chosen by you when you assign the policy to mailbox. A mailbox can have only one policy assigned, and you can create up to 50 policies. The scope of a SharePoint Online policy includes all of the data within an organization in a geographic location, or _geo_.
+Create a separate, paired set of vaults for each data encryption policy. For Exchange Online, the scope of a data encryption policy is chosen by you when you assign the policy to mailbox. A mailbox can have only one policy assigned, and you can create up to 50 policies. The scope of a SharePoint Online policy includes all of the data within an organization in a geographic location, or _geo_. The scope for a multi-workload policy includes all of the data across the supported workloads for all users.
The creation of key vaults also requires the creation of Azure resource groups, since key vaults need storage capacity (though small) and Key Vault logging, if enabled, also generates stored data. As a best practice Microsoft recommends using separate administrators to manage each resource group, with the administration that's aligned with the set of administrators that will manage all related Customer Key resources. > [!IMPORTANT]
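Review bot: "you'll create three pairs of key vaults" reads as a fixed requirement; state the rule the example illustrates (one pair of vaults per DEP type you enable, so one, two, or three pairs) so a reader enabling only SharePoint does not create extra vaults. In the touched sentence "when you assign the policy to mailbox", "to a mailbox" is missing its article, and "The scope for a multi-workload policy includes all of the data across the supported workloads for all users" should name the supported workloads the same way the contact list does (Exchange Online, Teams, MIP EDM) so the two passages agree.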
-> To maximize availability, your key vaults should be in regions close to your Microsoft 365 service. For example, if your Exchange Online organization is in North America, place your key vaults in North America. If your Exchange Online organization is in Europe, place your key vaults in Europe.
->
-> Use a common prefix for key vaults, and include an abbreviation of the use and scope of the key vault and keys (e.g., for the Contoso SharePoint service where the vaults will be located in North America, a possible pair of names is Contoso-O365SP-NA-VaultA1 and Contoso-O365SP-NA-VaultA2. Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. As of July 2017 vault names cannot be changed, so a best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.
->
+> To maximize availability, place your key vaults in regions close to your Microsoft 365 service For example, if your Exchange Online organization is in North America, place your key vaults in North America. If your Exchange Online organization is in Europe, place your key vaults in Europe.
+>
+> Use a common prefix for key vaults, and include an abbreviation of the use and scope of the key vault and keys (e.g., for the Contoso SharePoint service where the vaults will be located in North America, a possible pair of names is Contoso-CK-SP-NA-VaultA1 and Contoso-CK-SP-NA-VaultA2. Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. As of July 2017 vault names cannot be changed, so a best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.
+>
> If possible, create your vaults in non-paired regions. Paired Azure regions provide high availability across service failure domains. Therefore, regional pairs can be thought of as each other's backup region. This means that an Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. For this reason, choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. Most geographies only have two regions, so it's not yet possible to select non-paired regions. If possible, choose two non-paired regions for the two vaults used with a data encryption policy. This benefits from a total of four regions of availability. For more information, see [Business continuity and disaster recovery (BCDR): Azure Paired Regions](/azure/best-practices-availability-paired-regions) for a current list of regional pairs. ### Assign permissions to each key vault
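Review bot: In the rewritten IMPORTANT note, "place your key vaults in regions close to your Microsoft 365 service For example" is missing the period before "For example". The naming sentence that follows opens a parenthesis at "(e.g., for the Contoso SharePoint service" and never closes it; close it after "Contoso-CK-SP-NA-VaultA2". "As of July 2017 vault names cannot be changed" is also dated guidance carried over unchanged; either confirm it still holds or drop the date.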
You'll need to define three separate sets of permissions for each key vault, dep
For example: ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -UserPrincipalName alice@contoso.com -PermissionsToKeys create,import,list,get,backup,restore
+ Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-EX-NA-VaultA1 -UserPrincipalName alice@contoso.com -PermissionsToKeys create,import,list,get,backup,restore
``` - **Key vault contributors** that can change permissions on the Azure Key Vault itself. You'll need to change these permissions as employees leave or join your team. In the rare situation that the key vault administrators legitimately need permission to delete or restore a key you'll also need to change the permissions. This set of key vault contributors needs to be granted the **Contributor** role on your key vault. You can assign this role by using Azure Resource Manager. For detailed steps, see [Use Role-Based Access Control to manage access to your Azure subscription resources](/azure/active-directory/role-based-access-control-configure). The administrator who creates a subscription has this access implicitly, and the ability to assign other administrators to the Contributor role. -- If you intend to use Customer Key with Exchange Online and Skype for Business, you need to give permission to Microsoft 365 to use the key vault on behalf of Exchange Online and Skype for Business. Likewise, if you intend to use Customer Key with SharePoint Online and OneDrive for Business, you need to add permission for the Microsoft 365 to use the key vault on behalf of SharePoint Online and OneDrive for Business. To give permission to Microsoft 365, run the **Set-AzKeyVaultAccessPolicy** cmdlet using the following syntax:
+- **Permissions to Microsoft 365 applications** for every key vault that you use for Customer Key, you need to give wrapKey, unwrapKey, and get permissions to the corresponding Microsoft 365 Service Principal.
+
+To give permission to Microsoft 365 Service Principal, run the **Set-AzKeyVaultAccessPolicy** cmdlet using the following syntax:
```powershell Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Office 365 appID>
You'll need to define three separate sets of permissions for each key vault, dep
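Review bot: The new bullet "**Permissions to Microsoft 365 applications** for every key vault that you use for Customer Key, you need to give wrapKey, unwrapKey, and get permissions" has no verb between the bold term and the rest; write it as "**Permissions to Microsoft 365 applications**: for every key vault ... give wrapKey, unwrapKey, and get permissions to the corresponding Microsoft 365 service principal." The paragraph and code block that follow are dedented to column 0, so they fall out of the bullet list that the other two permission sets use; indent them to match. Also "To give permission to Microsoft 365 Service Principal" needs "the" and should not capitalise "service principal", which is not a product name.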
Where:
- - *vault name* is the name of the key vault you created.
-
- - For Exchange Online and Skype for Business, replace *Office 365 appID* with `00000002-0000-0ff1-ce00-000000000000`
-
- - For SharePoint Online, OneDrive for Business, and Teams files, replace *Office 365 appID* with `00000003-0000-0ff1-ce00-000000000000`
+ - *vault name* is the name of the key vault you created.
+ - For Exchange Online and Skype for Business, replace *Office 365 appID* with `00000002-0000-0ff1-ce00-000000000000`
+ - For SharePoint Online, OneDrive for Business, and Teams files, replace *Office 365 appID* with `00000003-0000-0ff1-ce00-000000000000`
+ - For multi-workload policy (Exchange, Teams, MIP EDM) that applies to all tenant users, replace *Office 365 appID* with `c066d759-24ae-40e7-a56f-027002b5d3e4`
Example: Setting permissions for Exchange Online and Skype for Business: ```powershell
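Review bot: The new bullet adds the multi-workload app ID `c066d759-24ae-40e7-a56f-027002b5d3e4`, but the worked examples that follow (and the ones in "Validate Azure Key Vault configuration settings") still show only the Exchange Online (`00000002-0000-0ff1-ce00-000000000000`) and SharePoint Online (`00000003-0000-0ff1-ce00-000000000000`) service principals; add a matching Set-AzKeyVaultAccessPolicy example for the multi-workload service principal in both places so the three DEP types are treated alike. The new bullet should also spell out "MIP EDM" or reuse the expansion from the contact list.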
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000002-0000-0ff1-ce00-000000000000
+ Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-EX-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000002-0000-0ff1-ce00-000000000000
``` Example: Setting permissions for SharePoint Online, OneDrive for Business, and Teams files: ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365SP-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000003-0000-0ff1-ce00-000000000000
+ Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-SP-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000003-0000-0ff1-ce00-000000000000
```
-### Enable and then confirm soft delete on your key vaults
+### Make sure soft delete is enabled on your key vaults
-When you can quickly recover your keys, you are less likely to experience an extended service outage due to accidentally or maliciously deleted keys. You need to enable this configuration, referred to as Soft Delete, before you can use your keys with Customer Key. Enabling Soft Delete allows you to recover keys or vaults within 90 days of deletion without having to restore them from backup.
+When you can quickly recover your keys, you are less likely to experience an extended service outage due to accidentally or maliciously deleted keys. Enable this configuration, referred to as Soft Delete, before you can use your keys with Customer Key. Enabling Soft Delete allows you to recover keys or vaults within 90 days of deletion without having to restore them from backup.
To enable Soft Delete on your key vaults, complete these steps: 1. Sign in to your Azure subscription with Windows PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
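Review bot: Renaming the heading from "Enable and then confirm soft delete on your key vaults" to "Make sure soft delete is enabled on your key vaults" changes its anchor, so any link to `#enable-and-then-confirm-soft-delete-on-your-key-vaults` from other pages in the docs set will break; check inbound links before merging. The rewritten sentence "Enable this configuration, referred to as Soft Delete, before you can use your keys with Customer Key" mixes an imperative with "before you can"; use "You must enable this configuration, referred to as Soft Delete, before you can use" or "Enable this configuration ... before you use". If the rename reflects that soft delete is now on by default for new vaults, say so in the intro, since the steps below still read as if the reader has to turn it on.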
-2. Run the [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet. In this example, *vault name* is the name of the key vault for which you are enabling soft delete:
+2. Run the [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet. In this example, *vault name* is the name of the key vault for which you're enabling soft delete:
```powershell $v = Get-AzKeyVault -VaultName <vault name>
To enable Soft Delete on your key vaults, complete these steps:
### Add a key to each key vault either by creating or importing a key
-There are two ways to add keys to an Azure Key Vault; you can create a key directly in Key Vault, or you can import a key. Creating a key directly in Key Vault is the less complicated method, while importing a key provides total control over how the key is generated. Use the RSA keys. Azure Key Vault doesn't support wrapping and unwrapping with elliptical curve keys.
+There are two ways to add keys to an Azure Key Vault; you can create a key directly in Key Vault, or you can import a key. Creating a key directly in Key Vault is less complicated, but importing a key provides total control over how the key is generated. Use the RSA keys. Azure Key Vault doesn't support wrapping and unwrapping with elliptical curve keys.
To create a key directly in your key vault, run the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet as follows:
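Review bot: In the touched sentence, "Use the RSA keys" should be "Use RSA keys", and "elliptical curve keys" should be "elliptic curve keys", which is the term Azure Key Vault uses; since the line is already being edited, fix both here.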
If you intend to protect the key with an HSM, ensure that you specify **HSM** as
For example, ```powershell
-Add-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -Destination HSM -KeyOps wrapKey,unwrapKey
+Add-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -Destination HSM -KeyOps wrapKey,unwrapKey
``` To import a key directly into your key vault, you need to have a nCipher nShield Hardware Security Module.
Some organizations prefer this approach to establish the provenance of their key
- The toolset used for import includes attestation from nCipher that the Key Exchange Key (KEK) that is used to encrypt the key you generate is not exportable and is generated inside a genuine HSM that was manufactured by nCipher. -- The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. This attestation proves to you that Microsoft is also using genuine nCipher hardware.
+- The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. This attestation proves that Microsoft is also using genuine nCipher hardware.
Check with your security group to determine if the above attestations are required. For detailed steps to create a key on-premises and import it into your key vault, see [How to generate and transfer HSM-protected keys for Azure Key Vault](/azure/key-vault/keys/hsm-protected-keys). Use the Azure instructions to create a key in each key vault.
If the _Recovery Level_ property returns anything other than a value of **Recove
### Back up Azure Key Vault
-Immediately following creation or any change to a key, perform a backup and store copies of the backup, both online and offline. Offline copies should not be connected to any network, such as in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible in the event of a disaster. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and were imported to Azure Key Vault do not qualify as a backup because the metadata necessary for Customer Key to use the key does not exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. Therefore, you must create a backup of Azure Key Vault after you upload or create a key.
+Immediately following creation or any change to a key, perform a backup and store copies of the backup, both online and offline. Don't connect offline copies to any network. Instead store them in an offline location, such as in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible if a disaster occurs. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and imported to Azure Key Vault don't qualify as a backup because the metadata necessary for Customer Key to use the key doesn't exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. Therefore, you must create a backup of Azure Key Vault after you upload or create a key.
To create a backup of an Azure Key Vault key, run the [Backup-AzKeyVaultKey](/powershell/module/az.keyvault/backup-azkeyvaultkey) cmdlet as follows:
The output file resulting from this cmdlet is encrypted and cannot be used outsi
For example: ```powershell
-Backup-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -OutputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup
+Backup-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -OutputFile Contoso-CK-EX-NA-VaultA1-Key001-Backup-20170802.backup
``` ### Validate Azure Key Vault configuration settings
Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,un
For example, for Exchange Online and Skype for Business: ```powershell
-Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1
+Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-EX-NA-VaultA1
-PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000002-0000-0ff1-ce00-000000000000 ``` For example, for SharePoint Online and OneDrive for Business: ```powershell
-Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365SP-NA-VaultA1
+Set-AzKeyVaultAccessPolicy -VaultName Contoso-CK-SP-NA-VaultA1
-PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName 00000003-0000-0ff1-ce00-000000000000 ```
To verify that an expiration date isn't set for your keys, run the [Get-AzKeyVau
Get-AzKeyVaultKey -VaultName <vault name> ```
-Customer Key can't use an expired key. Operations attempted with an expired key will fail, and possibly result in a service outage. We strongly recommend that keys used with Customer Key do not have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 will not pass Microsoft 365 validation.
+Customer Key can't use an expired key. Operations attempted with an expired key will fail, and possibly result in a service outage. We strongly recommend that keys used with Customer Key don't have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 won't pass Microsoft 365 validation.
To change an expiration date that has been set to any value other than 12/31/9999, run the [Update-AzKeyVaultKey](/powershell/module/az.keyvault/update-azkeyvaultkey) cmdlet as follows:
Update-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Expires (Get-Date
### Obtain the URI for each Azure Key Vault key
-Once you've set up your key vaults and added your keys, run the following command to get the URI for the key in each key vault. You'll need to use these URIs when you create and assign each DEP later, so save this information in a safe place. Run this command once for each key vault.
+Once you've set up your key vaults and added your keys, run the following command to get the URI for the key in each key vault. You'll use these URIs when you create and assign each DEP later, so save this information in a safe place. Run this command once for each key vault.
In Azure PowerShell:
In Azure PowerShell:
(Get-AzKeyVaultKey -VaultName <vault name>).Id ```
-## Office 365: Setting up Customer Key for Exchange Online and Skype for Business
-
-Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. See [Complete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key](#complete-tasks-in-azure-key-vault-and-microsoft-fasttrack-for-customer-key) for information.
-
-To set up Customer Key for Exchange Online and Skype for Business, you'll complete these steps by remotely connecting to Exchange Online with Windows PowerShell.
-
-### Create a data encryption policy (DEP) for use with Exchange Online and Skype for Business
-
-A DEP is associated with a set of keys stored in Azure Key Vault. You assign a DEP to a mailbox in Microsoft 365. Microsoft 365 will then use the keys identified in the policy to encrypt the mailbox. To create the DEP, you need the Key Vault URIs you obtained earlier. See [Obtain the URI for each Azure Key Vault key](#obtain-the-uri-for-each-azure-key-vault-key) for instructions.
-
-Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy.
-
-To create the DEP, follow these steps:
-
-1. On your local computer, using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
-
-2. To create a DEP, use the New-DataEncryptionPolicy cmdlet by typing the following command.
-
- ```powershell
- New-DataEncryptionPolicy -Name <PolicyName> -Description "Policy Description" -AzureKeyIDs <KeyVaultURI1>, <KeyVaultURI2>
- ```
-
- Where:
-
- - *PolicyName* is the name you want to use for the policy. Names can't contain spaces. For example, USA_mailboxes.
-
- - *Policy Description* is a user-friendly description of the policy that will help you remember what the policy is for. You can include spaces in the description. For example, "Root key for mailboxes in USA and its territories".
-
- - *KeyVaultURI1* is the URI for the first key in the policy. For example, <https://contoso_EastUSvault01.vault.azure.net/keys/USA_key_01>.
-
- - *KeyVaultURI2* is the URI for the second key in the policy. For example, <https://contoso_EastUS2vault01.vault.azure.net/keys/USA_Key_02>. Separate the two URIs by a comma and a space.
-
- Example:
-
- ```powershell
- New-DataEncryptionPolicy -Name USA_mailboxes -Description "Root key for mailboxes in USA and its territories" -AzureKeyIDs https://contoso_EastUSvault01.vault.azure.net/keys/USA_key_01, https://contoso_EastUS2vault01.vault.azure.net/keys/USA_Key_02
- ```
-
-For detailed syntax and parameter information, see [New-DataEncryptionPolicy](/powershell/module/exchange/new-data-encryptionpolicy).
-
-### Assign a DEP to a mailbox
-
-Assign the DEP to a mailbox by using the Set-Mailbox cmdlet. Once you assign the policy, Microsoft 365 can encrypt the mailbox with the key identified in the DEP.
-
-```powershell
-Set-Mailbox -Identity <MailboxIdParameter> -DataEncryptionPolicy <PolicyName>
-```
-
-Where *MailboxIdParameter* specifies a user mailbox. For more information about the Set-Mailbox cmdlet, see [Set-Mailbox](/powershell/module/exchange/set-mailbox).
-
-In hybrid environments, you can assign a DEP to the on-premises mailbox data that is synchronized into your Exchange Online tenant. To assign a DEP to this synchronized mailbox data, you'll use the Set-MailUser cmdlet. For more information about mailbox data in the hybrid environment, see [on-premises mailboxes using Outlook for iOS and Android with hybrid Modern Authentication](/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth).
-
-```powershell
-Set-MailUser -Identity <MailUserIdParameter> -DataEncryptionPolicy <PolicyName>
-```
-
-Where *MailUserIdParameter* specifies a mail user (also known as a mail-enabled user). For more information about the Set-MailUser cmdlet, see [Set-MailUser](/powershell/module/exchange/set-mailuser).
-
-### Validate mailbox encryption
-
-Encrypting a mailbox can take some time. For first-time policy assignment, the mailbox must also completely move from one database to another before the service can encrypt the mailbox. We recommend that you wait 72 hours before you attempt to validate encryption after you change a DEP or the first time you assign a DEP to a mailbox.
-
-Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.
-
-```powershell
-Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted
-```
-
-The IsEncrypted property returns a value of **true** if the mailbox is encrypted and a value of **false** if the mailbox isn't encrypted. The time to complete mailbox moves depends on the number of mailboxes to which you assign a DEP for the first time, and the size of the mailboxes. If the mailboxes haven't been encrypted after a week from the time you assigned the DEP, contact Microsoft.
-
-## Office 365: Setting up Customer Key for SharePoint Online, OneDrive for Business, and Teams files
-
-Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. See [Complete tasks in Azure Key Vault and Microsoft FastTrack for Customer Key](#complete-tasks-in-azure-key-vault-and-microsoft-fasttrack-for-customer-key) for information.
-
-To set up Customer Key for SharePoint Online, OneDrive for Business, and Teams files you complete these steps by remotely connecting to SharePoint Online with Windows PowerShell.
-
-### Create a data encryption policy (DEP) for each SharePoint Online and OneDrive for Business geo
-
-You associate a DEP with a set of keys stored in Azure Key Vault. You apply a DEP to all of your data in one geographic location, also called a geo. If you use the multi-geo feature of Office 365, you can create one DEP per geo with the capability to use different keys per geo. If you aren't using multi-geo, you can create one DEP in your organization for use with SharePoint Online, OneDrive for Business, and Teams files. Microsoft 365 uses the keys identified in the DEP to encrypt your data in that geo. To create the DEP, you need the Key Vault URIs you obtained earlier. See [Obtain the URI for each Azure Key Vault key](#obtain-the-uri-for-each-azure-key-vault-key) for instructions.
-
-Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy.
-
-To create a DEP, you need to remotely connect to SharePoint Online by using Windows PowerShell.
-
-1. On your local computer, using a work or school account that has global administrator permissions in your organization, [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?preserve-view=true&view=sharepoint-ps).
-
-2. In the Microsoft SharePoint Online Management Shell, run the Register-SPODataEncryptionPolicy cmdlet as follows:
-
- ```powershell
- Register-SPODataEncryptionPolicy -Identity <adminSiteCollectionURL> -PrimaryKeyVaultName <PrimaryKeyVaultName> -PrimaryKeyName <PrimaryKeyName> -PrimaryKeyVersion <PrimaryKeyVersion> -SecondaryKeyVaultName <SecondaryKeyVaultName> -SecondaryKeyName <SecondaryKeyName> -SecondaryKeyVersion <SecondaryKeyVersion>
- ```
-
- Example:
-
- ```powershell
- Register-SPODataEncryptionPolicy -Identity https://contoso.sharepoint.com -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251aΓÇÖ
- ```
-
- When you register the DEP, encryption begins on the data in the geo. Encryption can take some time. For more information on using this parameter, see [Register-SPODataEncryptionPolicy](/powershell/module/sharepoint-online/register-spodataencryptionpolicy?preserve-view=true&view=sharepoint-ps).
-
-### Validate file encryption
+## Next steps
- To validate encryption of SharePoint Online, OneDrive for Business, and Teams files, [connect to SharePoint Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), and then use the Get-SPODataEncryptionPolicy cmdlet to check the status of your tenant. The _State_ property returns a value of **registered** if Customer Key encryption is enabled and all files in all sites have been encrypted. If encryption is still in progress, this cmdlet returns a value of **registering**.
+Once you've completed the steps in this article, you're ready to create and assign DEPs. For instructions, see [Manage Customer Key](customer-key-manage.md).
## Related articles
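Review bot: the new "Next steps" paragraph says the reader is "ready to create and assign DEPs", but the deleted block also carried the validation procedure (the 72-hour wait, `Get-MailboxStatistics -Identity <...> | fl IsEncrypted`, and the `Get-SPODataEncryptionPolicy` State check for registered versus registering) and the hybrid step `Set-MailUser -Identity <MailUserIdParameter> -DataEncryptionPolicy <PolicyName>`; confirm that customer-key-manage.md covers validation and hybrid mail users as well, or widen the sentence to "create, assign and validate DEPs" so the pointer is not narrower than what it replaces. Two defects in the removed text should not be carried over if that procedure is reinstated elsewhere: the "Validate file encryption" step linked "connect to SharePoint Online PowerShell" to /powershell/exchange/connect-to-exchange-online-powershell, and the Register-SPODataEncryptionPolicy example closes the last SecondaryKeyVersion value with the mojibake sequence `ΓÇÖ` instead of a plain quote, so the sample would not run as pasted. Style: the added `## Next steps` heading is immediately followed by its paragraph and then by `## Related articles` with no blank lines in between, which markdownlint (MD022) flags; add a blank line before and after the new paragraph.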
compliance Customer Key Tenant Level https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-tenant-level.md
- Title: "Customer Key for Microsoft 365 at the tenant level (public preview)"-----
-localization_priority: Normal
-- MET150--- M365-security-compliance-- m365solution-mip-- m365initiative-compliance
-description: "Learn how to set up Customer Key for your data within Microsoft 365 at the tenant level."
--
-# Overview of Customer Key for Microsoft 365 at the tenant level (public preview)
-
-Using keys you provide, you can create a data encryption policy (DEP) and assign it to the tenant. The tenant-wide DEP you create encrypts the following data:
--- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)-- Teams media messages (images, code snippets, video messages, audio messages, wiki images)-- Teams call and meeting recordings stored in Teams storage-- Teams chat notifications-- Teams chat suggestions by Cortana-- Teams status messages-- User and signal information for Exchange Online-- Exchange Online mailboxes that aren't already encrypted Customer Key DEPs at the application level-- MIP exact data match (EDM) data ΓÇô (data file schemas, rule packages, and the salts used to hash the sensitive data)-
-For Microsoft Information Protection and Microsoft Teams, Customer Key at the tenant level encrypts new data from the time you assign the DEP to the tenant. Public preview doesn't support encrypting past data. For Exchange Online, Customer Key encrypts all existing and new data.
-
-You can create multiple DEPs per tenant but can only assign one DEP at a time. When you assign the DEP, encryption begins automatically but takes some time to complete depending on the size of your tenant.
-
-## Tenant level policies add broader control to Customer Key for Microsoft 365
-
-If you already have Customer Key set up for Exchange Online and Sharepoint Online, here's how the new tenant-level public preview fits in.
-
-The tenant-level encryption policy you create encrypts all data for the Microsoft Teams and Exchange Online workloads in Microsoft 365. However, for Exchange Online, if you have already assigned Customer Key DEPs to individual mailboxes, the tenant-level policy won't override those DEPs. The tenant-level policy will only encrypt mailboxes that aren't assigned a mailbox level Customer Key DEP already. When you encrypt a user mailbox using a tenant level DEP, all its content gets encrypted. For information about what gets encrypted with a DEP at the application level, see [Service encryption with Customer Key](customer-key-overview.md).
-
-## Data that isn't encrypted with Customer Key at the tenant level
-
-Customer Key doesn't encrypt the following types of data at the tenant level. Instead, Microsoft 365 uses other types of encryption to protect this data.
--- Exchange online mailboxes that you've already encrypted using a Customer Key DEP at the application level. Mailboxes that don't have a Customer Key DEP assigned to them will be encrypted using the tenant level DEP. This arrangement means that you may have some mailboxes encrypted with a tenant level DEP and some mailboxes encrypted with application level DEPs.-- SharePoint and OneDrive for Business use Customer Key at the application level. A single DEP encrypts content in SharePoint for a single geo.-- Microsoft Teams files and some Teams call and meeting recordings saved in OneDrive for Business and SharePoint are encrypted by a SharePoint Online DEP.-
-Any workloads or scenarios that aren't currently supported by Customer Key for Microsoft 365.
--- Other Microsoft 365 workloads such as Yammer, Planner, and so on.-- Teams Live Events and Q&A in Live Events. For Teams, this scenario is the only one that isn't encrypted by Customer Key at the tenant level.-
-## Set up Customer Key at the tenant level (public preview)
-
-These steps are similar but not identical to the steps for setting up Customer Key at the application level. Only use this public preview with test data in test tenants. Don't use this release with production data or in your production environment. If you already have a production deployment of Customer Key, use these steps to set up Customer Key at the tenant level in a test environment. Once you've assigned a tenant level DEP to your tenant, you can start the validation process and contact m365ck@microsoft.com with any questions or concerns. You can also find documented validation steps in the public preview of [Validation Instructions for Data-at-rest Encryption for Microsoft 365](https://aka.ms/CustomerKey/PublicPreviewValidation).
-
-You'll complete most of these tasks by remotely connecting to Azure PowerShell. For best results, use version 4.4.0 or later of Azure PowerShell.
-
-Before you begin:
--- You'll need to use a work or school account that has the compliance admin role to set up Customer Key at the tenant level.-- Ensure that you have the appropriate licensing for your organization. Use a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider. Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren't supported for Customer Key. Starting April 1, 2020, Customer Key in Office 365 is offered in Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection & Governance SKUs. Office 365 Advanced Compliance SKU is no longer available for new licenses. Existing Office 365 Advanced Compliance licenses will continue to be supported. While the service can be enabled with a minimum of one appropriately licensed user under the tenant, you should still make sure all users that benefit from the service have appropriate licenses.-
-### Create two new Azure subscriptions
-
-Customer Key requires two keys for each data encryption policy (DEP). To create two keys, you must create two Azure subscriptions. As a best practice, Microsoft recommends that you have separate members of your organization configure one key in each subscription. Only use these Azure subscriptions to administer encryption keys for Microsoft 365. Following these guidelines helps protect your organization in case one of your operators accidentally, intentionally, or maliciously deletes or otherwise mismanages the keys for which they are responsible.
-
-There is no practical limit to the number of Azure subscriptions that you can create for your organization. Following this best practice helps minimize the impact of human error while helping to manage the resources used by Customer Key.
-
-### Register Azure subscriptions to use a mandatory retention period
-
-The temporary or permanent loss of root encryption keys can be disruptive or even catastrophic to service operation and can result in data loss. For this reason, the resources used with Customer Key require strong protection. All the Azure resources that are used with Customer Key offer protection mechanisms beyond the default configuration. Azure subscriptions can be tagged or registered in a way that will prevent immediate and irrevocable cancellation. This process is referred to as registering for a mandatory retention period. The steps required to register Azure subscriptions for a mandatory retention period require collaboration with the Microsoft. This process can take up to five business days. Previously, this process was sometimes referred to as "Do Not Cancel".
-
-Before contacting the Microsoft 365 team, you must perform the following steps for each Azure subscription that you use with Customer Key. Ensure that you have the [Azure PowerShell Az](/powershell/azure/new-azureps-module-az) module installed before you start.
-
-1. Sign in with Azure PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
-
-2. Run the Register-AzProviderFeature cmdlet to register your subscriptions to use a mandatory retention period. Perform this action for each subscription.
-
- ```powershell
- Set-AzContext -SubscriptionId <SubscriptionId>
- Register-AzProviderFeature -FeatureName mandatoryRetentionPeriodEnabled -ProviderNamespace Microsoft.Resources
- ```
-
-3. Contact Microsoft to have the process finalized at [m365ck@microsoft.com](mailto:m365ck@microsoft.com). Include the following content in your email:
-
- **Subject**: Customer Key for \<*Your tenant's fully-qualified domain name*\>
-
- **Body**:
- Subscription IDs for which you want to have the mandatory retention period finalized.
- The output of Get-AzProviderFeature for each subscription.
-
- The Service Level Agreement (SLA) for completion of this process is five business days once Microsoft has been notified (and verified) that you have registered your subscriptions to use a mandatory retention period.
-
-4. Once you receive notification from Microsoft that registration is complete, verify the status of your registration by running the Get-AzProviderFeature command as follows. If verified, the Get-AzProviderFeature command returns a value of **Registered** for the **Registration State** property. Perform this action for each subscription.
-
- ```powershell
- Set-AzContext -SubscriptionId <SubscriptionId>
- Get-AzProviderFeature -ProviderNamespace Microsoft.Resources -FeatureName mandatoryRetentionPeriodEnabled
- ```
-
-5. To complete the process, run the Register-AzResourceProvider command. Perform this action for each subscription.
-
- ```powershell
- Set-AzContext -SubscriptionId <SubscriptionId>
- Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
- ```
-
-### Create a premium Azure Key Vault in each subscription
-
-The steps to create a key vault are documented in [Getting Started with Azure Key Vault](/azure/key-vault/general/overview), which guides you through installing and launching Azure PowerShell, connecting to your Azure subscription, creating a resource group, and creating a key vault in that resource group.
-
-When you create a key vault, you must choose a SKU: either Standard or Premium. The Standard SKU allows Azure Key Vault keys to be protected with software - there is no Hardware Security Module (HSM) key protection - and the Premium SKU allows the use of HSMs for protection of Key Vault keys. Customer Key accepts key vaults that use either SKU, though Microsoft strongly recommends that you use only the Premium SKU. The cost of operations with keys of either type is the same, so the only difference in cost is the cost per month for each HSM-protected key. See [Key Vault pricing](https://azure.microsoft.com/pricing/details/key-vault/) for details.
-
-> [!IMPORTANT]
-> Use the Premium SKU key vaults and HSM-protected keys for production data, and only use Standard SKU key vaults and keys for testing and validation purposes.
-
-Use a common prefix for key vaults and include an abbreviation of the use and scope of the key vault and keys. For example, for the Contoso service where the vaults will be located in North America, a possible pair of names is Contoso-O365-NA-VaultA1 and Contoso-O365-NA-VaultA2. Vault names are globally unique strings within Azure, so you may need to try variations of your desired names in case the desired names are already claimed by other Azure customers. Once configured, vault names cannot be changed, so the best practice is to have a written plan for setup and use a second person to verify the plan is executed correctly.
-
-If possible, create your vaults in non-paired regions. Paired Azure regions provide high availability across service failure domains. Therefore, regional pairs can be thought of as each other's backup region. An Azure resource that is placed in one region is automatically gaining fault tolerance through the paired region. Choosing regions for two vaults used in a data encryption policy where the regions are paired means that only a total of two regions of availability are in use. Most geographies only have two regions, so it's not yet possible to select non-paired regions. If possible, choose two non-paired regions for the two vaults used with a data encryption policy. This scenario benefits from a total of four regions of availability. For more information, see [Business continuity and disaster recovery (BCDR): Azure Paired Regions](/azure/best-practices-availability-paired-regions) for a current list of regional pairs.
-
-### Assign permissions to each key vault
-
-For each key vault, you'll need to define three separate sets of permissions for Customer Key, depending on your implementation. For example, you'll need to define one set of permissions for each of these:
-
-- **Key vault administrators** that will perform day-to-day management of your key vault for your organization. These tasks include backup, create, get, import, list, and restore.-
- > [!IMPORTANT]
- > The set of permissions assigned to key vault administrators does not include the permission to delete keys. This is intentional and an important practice. Deleting encryption keys is not typically done, since doing so permanently destroys data. As a best practice, do not grant this permission to key vault administrators by default. Instead, reserve this for key vault contributors and only assign it to an administrator on a short term basis once a clear understanding of the consequences is understood.
-
- To assign these permissions to a user in your organization, sign in to your Azure subscription with Azure PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
-
- Run the Set-AzKeyVaultAccessPolicy cmdlet to assign the necessary permissions.
-
- ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName <vault name> -UserPrincipalName <UPN of user> -PermissionsToKeys create,import,list,get,backup,restore
- ```
-
- For example:
-
- ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -UserPrincipalName alice@contoso.com -PermissionsToKeys create,import,list,get,backup,restore
- ```
--- **Key vault contributors** that can change permissions on the Azure Key Vault itself. You'll need to change these permissions as employees leave or join your team, or in the rare situation that the key vault administrators legitimately need permission to delete or restore a key. This set of key vault contributors needs to be granted the Contributor role on your key vault. You can assign this role by using Azure Resource Manager. For detailed steps, see [Use Role-Based Access Control](/azure/active-directory/role-based-access-control-configure) to manage access to your Azure subscription resources. The administrator who creates a subscription has this access by default, and the ability to assign other administrators to the Contributor role.--- **Microsoft 365 data at rest encryption service** that does the work of Customer Key at the tenant level. To give permission to Microsoft 365, run the **Set-AzKeyVaultAccessPolicy** cmdlet using the following syntax:-
- ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Microsoft 365 appID>
- ```
-
- Where:
-
- - *vault name* is the name of the key vault you created.
-
- Example: For the Microsoft 365 Data at Rest Encryption service, replace *Microsoft 365 appID* with `c066d759-24ae-40e7-a56f-027002b5d3e4`
-
- ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName c066d759-24ae-40e7-a56f-027002b5d3e4
- ```
-
-### Enable and then confirm soft delete on your key vaults
-
-When you can quickly recover your keys, you are less likely to experience an extended service outage due to accidentally or maliciously deleted keys. Enable this configuration, referred to as Soft Delete, before you can use your keys with Customer Key. Enabling Soft Delete allows you to recover keys or vaults within 90 days of deletion without having to restore them from backup.
-
-To enable Soft Delete on your key vaults, complete these steps:
-
-1. Sign in to your Azure subscription with Windows PowerShell. For instructions, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
-
-2. Run the [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet. In this example, *vault name* is the name of the key vault for which you are enabling soft delete:
-
- ```powershell
- $v = Get-AzKeyVault -VaultName <vault name>
- $r = Get-AzResource -ResourceId $v.ResourceId
- $r.Properties | Add-Member -MemberType NoteProperty -Name enableSoftDelete -Value 'True'
- Set-AzResource -ResourceId $r.ResourceId -Properties $r.Properties
- ```
-
-3. Confirm soft delete is configured for the key vault by running the **Get-AzKeyVault** cmdlet. If soft delete is configured properly for the key vault, then the _Soft Delete Enabled_ property returns a value of **True**:
-
- ```powershell
- Get-AzKeyVault -VaultName <vault name> | fl
- ```
-
-### Add a key to each key vault either by creating or importing a key
-
-There are two ways to add keys to an Azure Key Vault; you can create a key directly in Key Vault, or you can import a key. Creating a key directly in Key Vault is the less complicated method, while importing a key provides total control over how the key is generated. Use the RSA keys. Azure Key Vault doesn't support wrapping and unwrapping with elliptical curve keys.
-
-To create a key directly in your key vault, run the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet as follows:
-
-```powershell
-Add-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Destination <HSM|Software> -KeyOps wrapKey,unwrapKey
-```
-
-Where:
--- *vault name* is the name of the key vault in which you want to create the key.--- *key name* is the name you want to give the new key.-
- > [!TIP]
- > Name keys using a similar naming convention as described above for key vaults. This way, in tools that show only the key name, the string is self-describing.
-
-If you intend to protect the key with an HSM, ensure that you specify **HSM** as the value of the _Destination_ parameter, otherwise, specify **Software**.
-
-For example,
-
-```powershell
-Add-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -Destination HSM -KeyOps wrapKey,unwrapKey
-```
-
-### Check the recovery level of your keys
-
-Microsoft 365 requires that the Azure Key Vault subscription is set to Do Not Cancel and that the keys used by Customer Key have soft delete enabled. You can confirm these settings by looking at the recovery level on your keys.
-
-To check the recovery level of a key, in Azure PowerShell, run the Get-AzKeyVaultKey cmdlet as follows:
-
-```powershell
-(Get-AzKeyVaultKey -VaultName <vault name> -Name <key name>).Attributes
-```
-
-If the _Recovery Level_ property returns anything other than a value of **Recoverable+ProtectedSubscription**, you will need to review this article and ensure that you have followed all of the steps to put the subscription on the Do Not Cancel list and that you enabled "soft delete" on each of your key vaults. Next, send a screenshot of the output of `(Get-AzKeyVaultKey -VaultName <vault name> -Name <key name>).Attributes` in email to m365ck@microsoft.com.
-
-### Back up Azure Key Vault
-
-Immediately following creation or any change to a key, back up the key and store copies of the backup, both online and offline. Don't connect offline copies to any network. Instead, store them in a physical safe or commercial storage facility. At least one copy of the backup should be stored in a location that will be accessible if a disaster happens. The backup blobs are the sole means of restoring key material should a Key Vault key be permanently destroyed or otherwise rendered inoperable. Keys that are external to Azure Key Vault and were imported to Azure Key Vault don't qualify as a backup because the metadata necessary for Customer Key to use the key doesn't exist with the external key. Only a backup taken from Azure Key Vault can be used for restore operations with Customer Key. So, it's essential that you make a backup of Azure Key Vault once a key is uploaded or created.
-
-To create a backup of an Azure Key Vault key, run the [Backup-AzKeyVaultKey](/powershell/module/az.keyvault/backup-azkeyvaultkey) cmdlet as follows:
-
-```powershell
-Backup-AzKeyVaultKey -VaultName <vault name> -Name <key name>
--OutputFile <filename.backup>
-```
-
-Ensure that your output file uses the suffix `.backup`.
-
-The output file resulting from this cmdlet is encrypted and cannot be used outside of Azure Key Vault. The backup can be restored only to the Azure subscription from which the backup was taken.
-
-For example:
-
-```powershell
-Backup-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -Name Contoso-O365EX-NA-VaultA1-Key001 -OutputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup
-```
-
-### Validate Azure Key Vault configuration settings
-
-Performing validation before using keys in a DEP is optional, but highly recommended. In particular, if you use steps to set up your keys and vaults other than the ones described in this topic, you should validate the health of your Azure Key Vault resources before you configure Customer Key.
-
-To verify that your keys have get, wrapKey, and unwrapKey operations enabled:
-
-Run the [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet as follows:
-
-```powershell
-Get-AzKeyVault -VaultName <vault name>
-```
-
-In the output, look for the Access Policy and for the Microsoft 365 app ID (GUID) as appropriate. All three operations, get, wrapKey, and unwrapKey, must be shown under Permissions to Keys.
-
-If the access policy configuration is incorrect, run the Set-AzKeyVaultAccessPolicy cmdlet as follows:
-
-```powershell
-Set-AzKeyVaultAccessPolicy -VaultName <vault name> -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName <Microsoft 365 appID>
-```
-
-Example: For the Microsoft 365 Data at Rest Encryption service, replace *Microsoft 365 appID* with `c066d759-24ae-40e7-a56f-027002b5d3e4`
-
- ```powershell
- Set-AzKeyVaultAccessPolicy -VaultName Contoso-O365EX-NA-VaultA1 -PermissionsToKeys wrapKey,unwrapKey,get -ServicePrincipalName c066d759-24ae-40e7-a56f-027002b5d3e4
- ```
-
-To verify that an expiration date is not set for your keys, run the [Get-AzKeyVaultKey](/powershell/module/az.keyvault/get-azkeyvault) cmdlet as follows:
-
-```powershell
-Get-AzKeyVaultKey -VaultName <vault name>
-```
-
-An expired key cannot be used by Customer Key and operations attempted with an expired key will fail and possibly result in a service outage. We strongly recommend that keys used with Customer Key do not have an expiration date. An expiration date, once set, cannot be removed, but can be changed to a different date. If a key must be used that has an expiration date set, change the expiration value to 12/31/9999. Keys with an expiration date set to a date other than 12/31/9999 won't pass Microsoft 365 validation.
-
-To change an expiration date that has been set to any value other than 12/31/9999, run the [Update-AzKeyVaultKey](/powershell/module/az.keyvault/update-azkeyvaultkey) cmdlet as follows:
-
-```powershell
-Update-AzKeyVaultKey -VaultName <vault name> -Name <key name> -Expires (Get-Date -Date "12/31/9999")
-```
-
-### Obtain the URI for each Azure Key Vault key
-
-Once you've completed all the steps in Azure to set up your key vaults and added your keys, run the following command to get the URI for the key in each key vault. You will need to use these URIs when you create and assign each DEP later, so save this information in a safe place. Remember to run this command once for each key vault.
-
-In Azure PowerShell:
-
-```powershell
-(Get-AzKeyVaultKey -VaultName <vault name>).Id
-```
-
-## Set up the Customer Key encryption policy for your tenant
-
-You need to be assigned permissions before you can run these cmdlets. Although this article lists all parameters for the cmdlets, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](/powershell/exchange/exchange-server/find-exchange-cmdlet-permissions).
-
-### Create policy
-
-```powershell
- New-M365DataAtRestEncryptionPolicy [-Name] <String> -AzureKeyIDs <MultiValuedProperty> [-Description <String>]
-```
-
-Description: Enable compliance admin to create a new data encryption policy (DEP) using two AKV root keys. Once created, a policy can then be assigned using Set-M365DataAtRestEncryptionPolicyAssignment cmdlet. Upon first assignment of keys or after you rotate keys, it can take up to 24 hours for the new keys to take effect. If the new DEP takes more than 24 hours to take effect, contact Microsoft.
-
-Example:
-
-```powershell
-New-M365DataAtRestEncryptionPolicy -Name "Default_Policy" -AzureKeyIDs "https://contosoWestUSvault01.vault.azure.net/keys/Key_01","https://contosoEastUSvault01.vault.azure.net/keys/Key_02" -Description "Tenant default policy"
-```
-
-Parameters:
-
-| Name | Description | Optional (Y/N) |
-|-|-||
-|Name|Friendly name of the data encryption policy|N|
-|AzureKeyIDs|Specifies two URI values of the Azure Key Vault keys, separated by a comma, to associate with the data encryption policy|N|
-|Description|Description of the data encryption policy|N|
-
-### Assign policy
-
-```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "<Default_PolicyName or Default_PolicyID>"
-```
-
-Description:
-This cmdlet is used for configuring default Data Encryption Policy. This policy will be used to then encrypt data across all support workloads.
-
-Example:
-
-```powershell
-Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "Default_PolicyName"
-```
-
-Parameters:
-
-| Name | Description | Optional (Y/N) |
-|-|-||
--DataEncryptionPolicy|Specifies the data encryption policy that needs to be assigned; specify either the Policy Name or the Policy ID.|N|-
-### Modify or Refresh policy
-
-```powershell
-Set-M365DataAtRestEncryptionPolicy [-Identity] <M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter> -Refresh [-Enabled <Boolean>] [-Name <String>] [-Description <String>]
-```
-
-Description:
-The cmdlet can be used either to modify or refresh an existing policy. It can also be used to enable or disable a policy. Upon first assignment of keys or after you rotate keys, it can take up to 24 hours for the new keys to take effect. If the new DEP takes more than 24 hours to take effect, contact Microsoft.
-
-Examples:
-
-Disable a data encryption policy.
-
-```powershell
-Set-M365DataAtRestEncryptionPolicy -Identity "NAM Policy" -Enabled $false
-```
-
-Refresh a data encryption policy.
-
-```powershell
-Set-M365DataAtRestEncryptionPolicy -Identity "EUR Policy" -Refresh
-```
-
-Parameters:
-
-| Name | Description | Optional (Y/N) |
-|-|-||
-|-Identity|Specifies the data encryption policy that you want to modify.|N|
-|-Refresh|Use the Refresh switch to update the data encryption policy after you rotate any of the associated keys in the Azure Key Vault. You don't need to specify a value with this switch.|Y|
-|-Enabled|The Enabled parameter enables or disables the data encryption policy. Before you disable a policy, you must unassign it from your tenant. Valid values are:</br > $true: The policy is enabled</br > $false: The policy is disabled.|Y|
-|-Name|The Name parameter specifies the unique name for the data encryption policy.|Y|
-|-Description|The Description parameter specifies an optional description for the data encryption policy.|Y|
-
-### Get policy details
-
-```powershell
-Get-M365DataAtRestEncryptionPolicy [-Identity] <M365DataAtRestEncryptionPolicy DataEncryptionPolicyIdParameter>
-```
-
-Description: This cmdlet lists all of M365DataAtRest encryption policies that are created for the tenant or details about a specific policy.
-
-Examples:
-
-This example returns a summary list of M365DatAtRest Encryption policies in the organization.
-
-```powershell
-Get-M365DataAtRestEncryptionPolicy
-```
-
-This example returns detailed information for the data encryption policy named "NAM Policy".
-
-```powershell
-Get-M365DataAtRestEncryptionPolicy -Identity "NAM Policy"
-```
-
-Parameters:
-
-| Name | Description | Optional (Y/N) |
-|-|-||
-|-Identity|Specifies the data encryption policy that you want to list the details for.|Y|
-
-### Get policy assignment info
-
-```powershell
-Get-M365DataAtRestEncryptionPolicyAssignment
-```
-
-Description:
-This cmdlet lists the policy thatΓÇÖs currently assigned to the tenant.
-
-## Offboarding from Customer Key at the tenant level
-
-If you need to revert to Microsoft-managed keys, you can. When you offboard, your data is re-encrypted using default encryption supported by each individual workload. For example, Exchange Online supports default encryption using Microsoft-managed keys.
-
-If you decide to offboard your tenant from Customer Key at the tenant level, email [m365ck@microsoft.com](mailto:m365ck@microsoft.com) with a request to "disable" the service for the tenant.
-
-> [!IMPORTANT]
-> Offboarding is not the same as a data purge. A data purge permanently crypto-deletes your organization's data from Microsoft 365, offboarding does not. You can't perform a data purge for a tenant-level policy. For information about data purge path, see [Revoke your keys and start the data purge path process](customer-key-manage.md#revoke-your-keys-and-start-the-data-purge-path-process).
-
-## About the availability key
-
-For information about the availability key, see [Learn about the availability key](customer-key-availability-key-understand.md).
-
-## Key rotation
-
-For information about rotating or rolling keys that you use with Customer Key, see [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md). When you update the DEP to use the new version of the keys, you'll run the Set-M365DataAtRestEncryptionPolicy cmdlet as described earlier in this article.
-
-## Related articles
--- [Service encryption with Customer Key](customer-key-overview.md)--- [Roll or rotate a Customer Key or an availability key](customer-key-availability-key-roll.md)--- [Learn about the availability key](customer-key-availability-key-understand.md)--- [Service Encryption](office-365-service-encryption.md)
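Review bot: The entire cmdlet reference (Create policy, Assign policy, Modify or Refresh policy, Get policy details, Get policy assignment info) plus the offboarding, availability-key and key-rotation sections are deleted here with no replacement or pointer anywhere in the hunk; if this content moved to another article, add a redirect or a link at the top of this article so that bookmarks and cross-references to sections such as `#set-up-the-customer-key-encryption-policy-for-your-tenant` keep resolving. Also check before merge that the removed `[!IMPORTANT]` warning that offboarding is not a data purge (and that a data purge cannot be performed for a tenant-level policy) survives wherever the offboarding guidance now lives, since that distinction is the one readers most need when reverting to Microsoft-managed keys.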
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
search.appverid: - MOE150 - MET150
-description: "Monitor and manage the disposal of content, whether you use a disposition review or content is automatically deleted according to the settings you configured."
+description: "Monitor and manage the disposal of content for when you use a disposition review or items marked as records are automatically deleted according to the settings you configured."
# Disposition of content >*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*
-Use the **Disposition** tab from **Records Management** in the Microsoft 365 compliance center to manage disposition reviews and view [records](records-management.md#records) that have been automatically deleted at the end of their retention period.
+Use the **Disposition** page from **Records Management** in the Microsoft 365 compliance center to manage disposition reviews and view the metadata of [records](records-management.md#records) that have been automatically deleted at the end of their retention period.
+
+> [!NOTE]
+> Rolling out in preview: **multi-stage disposition review**
+>
+> An administrator can now add up to five consecutive stages of disposition review in a retention label, and reviewers can add others users to their disposition review stage. You can also customize the email notifications and reminders. The following sections have more information about the changes in this preview.
## Prerequisites for viewing content dispositions
To manage disposition reviews and confirm that records have been deleted, you mu
### Permissions for disposition
-To successfully access the **Disposition** tab in the Microsoft 365 compliance center, users must have the **Disposition Management** admin role. From December 2020, this role is now included in the **Records Management** default admin role group.
+To successfully access the **Disposition** tab in the Microsoft 365 compliance center, users must have the **Disposition Management** role. From December 2020, this role is now included in the **Records Management** default role group.
> [!NOTE] > By default, a global admin isn't granted the **Disposition Management** role.
-To grant users just the permissions they need for disposition reviews without granting them permissions to view and configure other features for retention and records management, create a custom role group (for example, named "Disposition Reviewers") and grant this group the Disposition Management role.
-
-Additionally, to view the contents of items during the disposition process, add users to the following two role groups: **Content Explorer Content Viewer** and **Content Explorer List Viewer**. If users don't have the permissions from these role groups, they can still select a disposition review action to complete the disposition review, but must do so without being able to view the item's contents from the compliance center.
+To grant users just the permissions they need for disposition reviews without granting them permissions to view and configure other features for retention and records management, create a custom role group (for example, named "Disposition Reviewers") and grant this group the **Disposition Management** role.
For instructions to configure these permissions, see [Give users access to the Office 365 Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+Additionally:
+
+- To view the contents of items during the disposition process, add users to the **Content Explorer Content Viewer** role group. If users don't have the permissions from this role group, they can still select a disposition review action to complete the disposition review, but must do so without being able to view the item's contents from the mini-preview pane in the compliance center.
+
+- In preview: By default, each person that accesses the **Disposition** page sees only items that they are assigned to review. For a records management administrator to see all items assigned to all users, and all retention labels that are configured for disposition review: Navigate to **Records management settings** > **General** > **Record Manager Security Group** to select and then enable a mail-enabled security group that contains the administrator accounts.
+
+ Microsoft 365 groups and security groups that aren't mail-enabled doesn't support this feature and wouldn't be displayed in the list to select. If you need to create a new mail-enabled security group, use the link to the Microsoft 365 admin center to create the new group.
+
+ > [!IMPORTANT]
+ > You can't disable this permission or replace the group that you enabled from the compliance center. However, you can enable another mail-enabled security group by using the [Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) cmdlet.
+ >
+ > For example: `Enable-ComplianceTagStorage -RecordsManagementSecurityGroupEmail dispositionreviewers@contosoi.com`
+
+- In preview: The **Records management settings** option is visible only to record management administrators.
+ ### Enable auditing Make sure that auditing is enabled at least one day before the first disposition action. For more information, see [Search the audit log in the Office 365 Security &amp; Compliance Center](search-the-audit-log-in-security-and-compliance.md).
Make sure that auditing is enabled at least one day before the first disposition
When content reaches the end of its retention period, there are several reasons why you might want to review that content and confirm whether it can be permanently deleted ("disposed"). For example, instead of deleting the content, you might need to: -- Suspend the deletion of relevant content in the event of litigation or an audit.
+- Suspend the deletion of relevant content for litigation or an audit.
- Assign a different retention period to the content, perhaps because the original retention settings were a temporary or provisional solution.
When content reaches the end of its retention period, there are several reasons
When a disposition review is triggered at the end of the retention period: -- The people you choose receive an email notification that they have content to review. These reviewers can be individual users or mail-enabled security groups. Note that notifications are sent on a weekly basis.
-
-- The reviewers go to the **Disposition** tab in the Microsoft 365 compliance center to review the content and decide whether to permanently delete it, extend its retention period, or apply a different retention label.
+- The reviewers you choose receive an email notification that they have content to review. These reviewers can be individual users or mail-enabled security groups. New in preview:
+ - You can customize the email that they receive, including instructions in different languages. For multi-language support, you must specify the translations yourself and this custom text is displayed to all reviewers irrespective of their locale.
+ - Users receive an initial email notification per label at the end of the item's retention period, with a reminder per label once a week of all disposition reviews that they are assigned. They can click the link in the notification and reminder emails to go to the **Disposition** page in the Microsoft 365 compliance center to review the content and take an action. Alternately, the reviewers can go directly to the **Disposition** page in the compliance center.
+ - Reviewers see only the disposition reviews that are assigned to them, whereas administrators who are added to the selected Record Manager Security Group see all disposition reviews.
+ - Reviewers can add new users to the same disposition review. Currently, this action doesn't automatically grant these added users the [required permissions](#permissions-for-disposition).
+ - For the disposition review process, a mini-review pane for each item shows a preview of the content if they have permissions to see it. If they don't have permissions, they can select the content link and request permissions. This mini-review pane also has tabs for additional information about the content:
+ - **Details** to display indexed properties, where it's located, who created it and when, and who last modified it and when.
+ - **History** that shows the history of any disposition review actions to date, with reviewer comments if available.
-A disposition review can include content in Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft 365 groups. Content awaiting a disposition review in those locations is deleted only after a reviewer chooses to permanently delete the content.
+A disposition review can include content in Exchange mailboxes, SharePoint sites, and OneDrive accounts. Content pending a disposition review in those locations is permanently deleted only after a reviewer for the final stage of disposition chooses to permanently delete the content.
> [!NOTE] > A mailbox must have at least 10 MB data to support disposition reviews.
-You can see an overview of all pending dispositions in the **Overview** tab. For example:
+Administrators can see an overview of all pending dispositions in the **Overview** tab. Reviewers see only their items pending disposition. For example:
![Pending dispositions in Records management overview](../media/dispositions-overview.png)
When you select the **View all pending dispositions**, you're taken to the **Dis
### Workflow for a disposition review
-The following diagram shows the basic workflow for a disposition review when a retention label is published and then manually applied by a user. Alternatively, a retention label configured for a disposition review can be auto-applied to content.
+The following diagram shows the basic workflow for a disposition review when a retention label is published and then manually applied by a user. Alternatively, a retention label configured for a disposition review can be automatically applied to content.
![Chart showing flow of how disposition works](../media/5fb3f33a-cb53-468c-becc-6dda0ec52778.png)
-
-Triggering a disposition review at the end of the retention period is a configuration option that's available only with a retention label. This option is not available for a retention policy. For more information about these two retention solutions, see [Learn about retention policies and retention labels](retention.md).
+
+### How to configure a retention label for disposition review
+
+Triggering a disposition review at the end of the retention period is a configuration option that's available only with a retention label. Disposition review is not available for a retention policy. For more information about these two retention solutions, see [Learn about retention policies and retention labels](retention.md).
From the **Define retention settings** page for a retention label: ![Retention settings for a label](../media/disposition-review-option.png)
-After you select this **Trigger a disposition review** option, you specify the disposition reviewers on the next page of the wizard:
+After you select this **Trigger a disposition review** option, on the next page of the wizard, you specify how many consecutive stages of disposition you want and the disposition reviewers for each stage:
+
+![Specifying disposition reviewers](../media/disposition-reviewers.png)
+
+Select **Add a stage**, and name your stage for identification purposes. Then specify the reviewers for that stage.
+
+For the reviewers, specify a user or a mail-enabled security group. Microsoft 365 groups ([formerly Office 365 groups](https://techcommunity.microsoft.com/t5/microsoft-365-blog/office-365-groups-will-become-microsoft-365-groups/ba-p/1303601)) are currently not supported for this option.
+
+If you need more than one person to review an item at the end of its retention period, select **Add a stage** again and repeat the configuration process for the number of stages that you need, with a maximum of five stages.
+
+Within each individual stage of disposition, any of the users you specify for that stage are authorized to take the next action for the item at the end of its retention period. These users can also add other users to their disposition review stage.
+
+> [!NOTE]
+> Existing retention labels that are configured for disposition review can be upgraded to use multi-staged disposition review by configuring the label. In the label wizard, select **Add a stage**, or edit the existing reviewers or add new reviewers.
+
+During the configuration phase, for each stage specified, you can rename it, reorder it, or remove it by selecting the Stage actions option (**...**):
+
+![Stage actions for disposition reviews](../media/stage-actions-disposition-review.png)
+
+However, you can't reorder or remove a stage after you have created the retention label.
+
+After you have specified your reviewers, remember to grant them the **Disposition Management** role permission. For more information, see the [Permissions for disposition](#permissions-for-disposition) section on this page.
+
+### How to customize email messages for disposition review
+
+Also in preview, you can customize the email messages that are sent to disposition reviewers for the initial notification and then reminders.
+
+From any of the Disposition pages in the compliance center, select **Record management settings**:
+
+![Record management settings](../media/record-management-settings.png)
+
+Then select the **Email templates** tab, and specify whether you want to use just the default email templates, or add your own text to the default template. Your custom text is added to the email instructions after the information about the retention label and before the next steps instructions.
-![Specifying disposition reviewers](../media/disposition-reviewers.png)
+Text for all languages can be added, but formatting and images are currently unsupported. URLs and email addresses can be entered as text and depending on the email client, display as hyperlinks or unformatted text in the customized email.
-For the reviewers, specify a user or mail-enabled security group. Microsoft 365 groups ([formerly Office 365 groups](https://techcommunity.microsoft.com/t5/microsoft-365-blog/office-365-groups-will-become-microsoft-365-groups/ba-p/1303601)) are not supported for this option.
+Example text to append:
+
+```console
+If you need additional information, visit the helpdesk website (https://support.contoso.com) or send them an email (helpdesk@contoso.com).
+```
+
+Select **Save** to save any changes.
### Viewing and disposing of content
-When a reviewer is notified by email that content is ready to review, they go to the **Disposition** tab from **Records Management** in the Microsoft 365 compliance center. The reviewers can see how many items for each retention label are awaiting disposition, and then select a retention label to see all content with that label.
+When a reviewer is notified by email that content is ready to review, they go to the **Disposition** tab from **Records Management** in the Microsoft 365 compliance center. The reviewers can see how many items for each retention label are awaiting disposition with the **Type** displaying **Pending disposition**. They then select a retention label, and **Open in new window** to see all content with that label:
-After you select a retention label, you then see all pending dispositions for that label from the **Pending disposition** tab. Select one or more items where you can then choose an action and enter a justification comment:
+![Open in new window for disposition review](../media/open-in-new-window.png)
-![Disposition options](../media/retention-disposition-options.png)
+From the **Pending dispositions** page, they see all pending dispositions for that label. When one or more items are selected, they can use the mini-preview pane and the **Source**, **Details**, and **History** tab to inspect the content before taking action on it:
-As you can see from the picture, the actions supported are:
-
-- Permanently delete the item-- Extend the retention period-- Apply a different retention label
+![Disposition options](../media/retention-disposition-options.png)
-Providing you have permissions to the location and the content, you can use the link in the **Location** column to view documents in their original location. During a disposition review, the content never moves from its original location, and it's never deleted until the reviewer chooses to do so.
+If you use the horizontal scroll bar, or close the min-review pane, you see more columns that include the expiry date and the name of the disposition review stage.
-The email notifications are sent automatically to reviewers on a weekly basis. This scheduled process means that when content reaches the end of its retention period, it might take up to seven days for reviewers to receive the email notification that content is awaiting disposition.
+As you can see from the example shown, the actions supported are:
-All disposition actions can be audited and the justification text entered by the reviewer is saved and displayed in the **Comment** column on the **Disposed items** page.
-
-### How long until disposed content is permanently deleted
+- **Approve disposal**:
+ - When this action is selected for an interim stage of disposition review (you have configured multiple stages): The item moves to the next disposition stage.
+ - When this action is selected for the final stage of disposition review, or there is only one stage of disposition: The item is marked as eligible for permanent deletion. The exact timing for that deletion depends on the workload. For more information, see [How retention settings work with content in place](retention.md#how-retention-settings-work-with-content-in-place).
+- **Relabel**:
+ - When this action is selected, the item exits the disposition review process for the original label. The item is then subject to the retention settings of the newly selected retention label.
+- **Extend**:
+ - When this action is selected, disposition review is effectively suspended until the end of the extended period and then disposition review is triggered again from the first stage.
+- **Add reviewers**:
+ - When this action is selected, the user is prompted to specify and add other users for review.
+
+ > [!NOTE]
+ > This action doesn't automatically grant the [required permissions](#permissions-for-disposition) to the users who are added. If they don't have these permissions, they won't be able to participate in the disposition review.
-Content awaiting a disposition review is deleted only after a reviewer chooses to permanently delete the content. When the reviewer chooses this option, the content in the SharePoint site or OneDrive account becomes eligible for the standard cleanup process described in [How retention settings work with content in place](retention.md#how-retention-settings-work-with-content-in-place).
+Each action taken is saved and stored although you can't yet search for them in the audit log.
+
+During a disposition review, the content never moves from its original location, and it's not marked for permanent deletion until this action is selected by a reviewer for the final or only disposition stage.
## Disposition of records
For auditing of deleted items that were marked as records or regulatory records,
## Filter and export the views
-When you select a retention label from the **Disposition** page, the **Pending disposition** tab (if applicable) and the **Disposed items** tab let you filter the views to help you more easily find items.
+When you select a retention label from the **Disposition** page, the **Pending disposition** tab (if applicable) and the **Disposed items** tab let you filter the views to help you more easily find items.
For pending dispositions, the time range is based on the expiration date. For disposed items, the time range is based on the deletion date.
-You can export information about the items in either view as a .csv file that you can then sort and manage using Excel:
-
-![Export option for disposition](../media/retention-export-option.png)
+You can export information about the items in either view as a .csv file that you can then sort and manage using Excel.
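Review bot: The new sentence at the end of "Viewing and disposing of content" that each action "is saved and stored although you can't yet search for them in the audit log" conflicts with the unchanged "Enable auditing" step (auditing must be on at least one day before the first disposition action) and with the removed statement that all disposition actions can be audited and the justification text is shown in the **Comment** column on **Disposed items**; state which events do reach the audit log (the deletion of the item, per "Disposition of records") versus reviewer actions, and say whether the justification comment is still captured and where it is displayed, because the new action list no longer mentions a justification prompt at all. In the `[!IMPORTANT]` note under "Permissions for disposition", the text says the Record Manager Security Group permission can't be disabled or the group replaced from the compliance center; add whether removing accounts from the mail-enabled group is the supported way to revoke that all-items visibility, so a reader knows how to reverse it. Smaller fixes in the added text: "add others users" should be "add other users"; "security groups that aren't mail-enabled doesn't support this feature and wouldn't be displayed" should read "don't support this feature and won't be displayed"; the example `dispositionreviewers@contosoi.com` looks like a typo for contoso.com; "close the min-review pane" should be "mini-review pane"; and the pane is called both "mini-preview pane" and "mini-review pane", so pick one name.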
compliance Review Set Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/review-set-search.md
In addition to queries that you can save, you can use review set filters to quic
Filters differ from queries in two significant ways: -- Filters are transient. They don't persist beyond the existing session. In other words, you can't save a filter. Queries are saved to the review set, and access them whenever open the review set.
+- Filters are transient. They don't persist beyond the existing session. In other words, you can't save a filter. Queries are saved to the review set, and access them whenever you open the review set.
- Filters are always additive. Filters are applied in addition to the current review set query. Applying a different query will replace the results returned by the current query.
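Review bot: The fix on the first Filters bullet only inserts "you"; the clause "Queries are saved to the review set, and access them whenever you open the review set" still has no subject for "access". Suggest "Queries are saved to the review set, and you can access them whenever you open the review set."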
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
-|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | Rolling out in Preview: [Beta Channel](https://office.com/insider) | 16.43.1108+ | 4.2111+ | 4.2111+ | Yes |
+|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43.1108+ | 4.2111+ | 4.2111+ | Yes |
| **Footnotes:**
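Review bot: Replacing "Rolling out in Preview: [Beta Channel]" with "2105+" in the Windows column drops the channel qualifier; if the feature has reached Current Channel, the bare build number is fine, but if it still requires Beta Channel or Current Channel (Preview), keep that qualifier or add a footnote, as the table already does with `<sup>*</sup>` for the Mac column.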
enterprise Azure Expressroute https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-expressroute.md
description: Learn how to use Azure ExpressRoute with Office 365 and plan the ne
Learn how Azure ExpressRoute is used with Office 365 and how to plan the network implementation project that will be required if you are deploying Azure ExpressRoute for use with Office 365. Infrastructure and platform services running in Azure will often benefit by addressing network architecture and performance considerations. We recommend ExpressRoute for Azure in these cases. Software as a Service offerings like Office 365 and Dynamics 365 have been built to be accessed securely and reliably via the Internet. You can read about Internet performance and security and when you might consider Azure ExpressRoute for Office 365 in the article [Assessing Office 365 network connectivity](assessing-network-connectivity.md). > [!NOTE]
-> Microsoft Defender for Endpoint is not supported in Azure Express Route.
+> Microsoft Defender for Endpoint does not provide integration with Azure ExpressRoute. While this does not stop customers from defining ExpressRoute rules that enable connectivity from a private network to Microsoft Defender for Endpoint cloud services, it is up to the customer to maintain rules as the service or cloud infrastructure evolves.
> [!NOTE] > We do not recommend ExpressRoute for Microsoft 365 because it does not provide the best connectivity model for the service in most circumstances. As such, Microsoft authorization is required to use this connectivity model for Microsoft 365. We review every customer request and authorize ExpressRoute for Microsoft 365 only in the rare scenarios where it is necessary. Please read the [ExpressRoute for Microsoft 365 guide](https://aka.ms/erguide) for more information and following a comprehensive review of the document with your productivity, network, and security teams, work with your Microsoft account team to submit an exception if needed. Unauthorized subscriptions trying to create route filters for Office 365 will receive an [error message](https://support.microsoft.com/kb/3181709).
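Review bot: The rewritten Defender for Endpoint note now tells customers they are responsible for maintaining ExpressRoute rules as the service or cloud infrastructure evolves, but gives no pointer to what they would be maintaining; link the Defender for Endpoint connectivity documentation (the service URL list) in the same sentence, and say what a customer should expect when rules fall behind, so the maintenance burden the note describes is actionable rather than just a caveat.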
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Title: "Pre-migration activities for the migration from Microsoft Cloud Deutschl
Previously updated : 03/09/2021 Last updated : 05/12/2021 audience: ITPro
If you're using
- **Skype for Business Online**, do [this step](#skype-for-business-online). - **Dynamics 365**, do [this step](#dynamics365). - **Power BI**, do [this step](#power-bi).- - **Active Directory Federation Services** for Azure AD Connect, do [these steps](#active-directory-federation-services-ad-fs). - **Third-party services** or **line-of-business (LOB) apps** that are integrated with Office 365, do [this step](#line-of-business-apps). - A third-party mobile device management (MDM) solution, do [this step](#mobile-device-management).
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Title: "Migration phases actions and impacts for the migration from Microsoft Cl
Previously updated : 03/05/2021 Last updated : 05/12/2021 audience: ITPro
Tenant migrations from Microsoft Cloud Deutschland (MCD) to the region "Germany"
The migration process will complete over many weeks depending on the overall size and complexity of the organization. While the migration is underway, users and administrators are able to continue utilizing the services with notable changes detailed in this documentation. The graphic and table define phases and steps during the migration.
+> [!NOTE]
+> The migration of Azure services is not part of this documentation. For that information, see [Migration guidance for Azure Germany](/azure/germany/germany-migration-main).
+ |Step|Duration|Responsible party|Description| |:--|:--|:--|:--| |Opt-In|Hours|Customer|Opt your organization into the migration.| |Pre-Work|Days|Customer|Complete the work needed to prepare users, workstations, and network for migration.| |Azure Active Directory (Azure AD)|1-2 days|Microsoft|Migrate Azure AD organization to worldwide.|
-|Azure|Weeks|Customer|Create new worldwide Azure subscriptions and transition Azure services.|
+|Azure|Weeks|Customer|Create new worldwide Azure subscriptions and [transition Azure services](/azure/azure-resource-manager/management/move-resource-group-and-subscription).|
|Subscription & License Transition|1-2 days|Microsoft|Purchase worldwide subscriptions, cancel Microsoft Cloud Deutschland subscriptions, and transition user licenses.| |SharePoint and OneDrive|15+ days|Microsoft|Migrate SharePoint and OneDrive for Business content, persisting sharepoint.de URLs.| |Exchange Online|15+ days|Microsoft|Migrate Exchange Online content and transition to worldwide URLs.|
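Review bot: the Azure row's new link on the `+` line (/azure/azure-resource-manager/management/move-resource-group-and-subscription) disagrees with the note added just above the table, which sends readers to /azure/germany/germany-migration-main for the same Azure transition. Consider pointing both places at the Azure Germany migration guidance, or explain in the Description cell why the resource-group move article is the right entry point here, so the table and the note do not give two different starting points.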
Make sure the [Exchange prework](ms-cloud-germany-transition-add-pre-work.md#exc
Set-SendConnector -Identity <SendConnectorName> -TlsDomain "mail.protection.outlook.com" ```
-## Phase 7: Skype for Business Online
-
+## Phase 7: Skype for Business Online - Transition to Microsoft Teams
**Applies to:** All customers using Skype for Business Online Review the [pre-migration steps for Skype for Business Online migration](ms-cloud-germany-transition-add-pre-work.md#skype-for-business-online) and make sure you completed all steps.
In this phase, Skype for Business will be migrated to Microsoft Teams. Existing
- Contacts and meetings will be migrated to Microsoft Teams. - Users won't be able to sign in to Skype for Business between time service transitions to Office 365 services, and not until customer DNS entries are completed. - Contacts and existing meetings will continue to function as Skype for Business meetings.-- The web browser version of Microsoft Teams will not work until phase 9 has been completed.+
+When a vanity domain has been configured for Skype for Business, the DNS entries must be updated. Please refer to [Domains in the Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home#/Domains) and apply the changes in your DNS configuration.
If you have to connect to Skype for Business Online with PowerShell after migration phase 9 has been completed, use the following PowerShell code to connect: ```powershell Import-Module MicrosoftTeams $userCredential = Get-Credential
-Connect-MicrosoftTeams -Credential $userCredential -OverridePowershellUri "https://admin4E.online.lync.com/OcsPowershellOAuth"
+Connect-MicrosoftTeams -Credential $userCredential
```
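Review bot: removing `-OverridePowershellUri "https://admin4E.online.lync.com/OcsPowershellOAuth"` from the `Connect-MicrosoftTeams` call is correct for the worldwide endpoint after phase 9, but the section no longer says how to connect during phases 7 through 9, when the removed override was presumably still needed; either state that the override is required until phase 9 completes or say that PowerShell access is unavailable in that window. Separately, the vanity-domain sentence added above ("the DNS entries must be updated ... apply the changes in your DNS configuration") names no records and no target values; link to the record list the admin center shows, or spell out which Skype for Business records change, otherwise admins cannot verify the change.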
+### Known limitations until finalizing Azure AD migration
+Microsoft Teams is leveraging features of Azure AD. While the migration of Azure AD is not completed, some features of Microsoft Teams are not fully available. After phase 9, when the migration of Azure AD has been finalized, the following features become fully available:
+
+- Apps cannot be managed in the Microsoft Teams admin center.
+- New teams can be created in the Microsoft Teams client only unless the Teams administrator has limited the permissions for users to create new teams. New teams cannot be created in the Microsoft Teams admin center.
+- The web version of Microsoft Teams is not available.
+ ## Phase 8: Dynamics 365 **Applies to:** All customers using Microsoft Dynamics 365
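Review bot: the lead sentence of "Known limitations until finalizing Azure AD migration" says "the following features become fully available", but the three bullets that follow describe what is not available ("Apps cannot be managed", "New teams cannot be created in the Microsoft Teams admin center", "The web version of Microsoft Teams is not available"). Rephrase the lead to match the bullets, e.g. "Until phase 9 completes, the following limitations apply:", and keep the sentence about features becoming available after phase 9 as a separate closing line.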
enterprise Ms Cloud Germany Transition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition.md
Title: "Migration from Microsoft Cloud Deutschland to Office 365 services in the
Previously updated : 12/01/2020 Last updated : 05/12/2021 audience: ITPro
The following services will be migrated as part of the Microsoft-driven approach
- Exchange Online Protection - SharePoint Online - OneDrive for Business- - Skype for Business Online\*\* - Office 365 Groups - Dynamics 365 / Power Platform\*\*\*
Existing Microsoft Cloud Deutschland customers can now begin to migrate their Of
As a result of the migration, core customer data and subscriptions are moved to the new German datacenter regions.
+> [!NOTE]
+> This article includes guidance for the migration of Office 365 services only. If you are running additional Azure workloads in Microsoft Cloud Deutschland, see the [Migration guidance for Azure Germany](/azure/germany/germany-migration-main).
+ ## How to prepare for migration to Office 365 services in the new German datacenter regions The first step is to notify Microsoft so that we have your permission to migrate your subscription and data from Microsoft Cloud Deutschland to Office 365 services in the new German datacenter regions. Please refer to the [opt-in process](./ms-cloud-germany-migration-opt-in.md) for instructions and note that:
Cloud apps:
- [Dynamics 365 migration program information](/dynamics365/get-started/migrate-data-german-region) - [Power BI migration program information](/power-bi/admin/service-admin-migrate-data-germany)-- [Getting started with your Microsoft Teams upgrade](/microsoftteams/upgrade-start-here)
+- [Getting started with your Microsoft Teams upgrade](/microsoftteams/upgrade-start-here)
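Review bot: the removed and added lines for "[Getting started with your Microsoft Teams upgrade](/microsoftteams/upgrade-start-here)" carry identical text, so this hunk appears to be a whitespace or end-of-file newline change only; confirm that is intended, since it shows up as a content change in the history and will draw reviewers' attention for nothing.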
enterprise Office 365 Network Mac Location Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-location-services.md
Title: "Microsoft 365 Network Connectivity Location Services (preview)"
+ Title: "Microsoft 365 Network Connectivity Location Services"
search.appverid:
- Ent_O365 - Strat_O365_Enterprise
-description: "Microsoft 365 Network Connectivity Location Services (preview)"
+description: "Microsoft 365 Network Connectivity Location Services"
-# Microsoft 365 Network Connectivity Location Services (preview)
+# Microsoft 365 Network Connectivity Location Services
-The Microsoft 365 Admin Center now shows **Network Insights and performance recommendations**, which are live performance metrics collected from your Microsoft 365 tenant and available to view only by administrative users in your tenant. Organizational network connectivity is designed per office location through a network egress location to the Internet. Microsoft 365 client connectivity uses that route and then across the Internet to Microsoft service front door servers. Identifying office locations is key to being able to show these network insights.
+The Microsoft 365 Admin Center now shows **Network Insights and performance recommendations**, which are live performance metrics that are collected from your Microsoft 365 tenant. These metrics can be viewed only by administrative users in your tenant. Organizational network connectivity is designed per office location through a network egress location to the Internet. Microsoft 365 client connectivity uses that route and then across the Internet to Microsoft service front door servers. Identifying office locations is key to being able to show these network insights.
## Location in network measurements
-An organization's administrator can opt in for location to be included in the network measurements used by this feature. This enables auto-discovery of the city where each office is located. Location information is not precise and is obfuscated to 300m and categorized by city. At the time when location is captured on a Windows device it will show a **Location In-Use** icon in the tool tray and administrators may want to notify users of this. With this processing, the location is treated as the organization office location and not the location of a person or a device. Network insights can be shown at these discovered office location cities. If greater accuracy of recommendations is desired, an administrator can enter specific office location addresses and the network insights will be aggregated to those instead. Office locations cannot be aggregated more closely than 300 meters.
+An organization's administrator can opt in for location to be included in the network measurements used by this feature. This enables auto-discovery of the city where each office is located. Location information is not precise and is obfuscated to 300m and categorized by city. At the time when location is captured on a Windows device, the device will show a **Location In-Use** icon in the tool tray. Administrators may want to notify users of the appearance of this icon. With this processing, the location is treated as the organization office location and not the location of a person or a device. Network insights can be shown at these discovered office location cities. If you want higher accuracy in the recommendations, you can enter specific office location addresses. The network insights will be aggregated to those locations instead. Office locations cannot be aggregated more closely than 300 meters.
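Review bot: the rewritten paragraph switches voice mid-way, from "An organization's administrator can opt in" to "If you want higher accuracy in the recommendations, you can enter specific office location addresses"; keep the third person ("an administrator can enter specific office location addresses") so it is clear who performs the opt-in and the address entry. The opt-in sentence would also benefit from stating explicitly that location is not collected until an administrator opts in, since that is the privacy guarantee readers will look for.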
## Location in the Microsoft 365 Admin Center
-In the Microsoft 365 Admin Center, Bing map controls are used to show where organization office locations are and to show network perimeter topology for a selected office location. When an administrator adds specific address details for office locations, Bing Maps is also used to suggest addresses to make data entry easier.
+In the Microsoft 365 Admin Center, Bing map controls are used to show where organization office locations are. The controls also show network perimeter topology for a selected office location. When an administrator adds specific address details for office locations, Bing Maps is also used to suggest addresses to make data entry easier.
## Terms of Use
-Any content provided through Bing Maps, including geocodes, can only be used within the product through which the content is provided. Customer's use of the Microsoft 365 Admin Center Location Services feature, powered by Bing Maps, is governed by the _Bing Maps End User Terms of Use_ available at <https://go.microsoft.com/?linkid=9710837> and the _Microsoft Privacy Statement_ available at <https://go.microsoft.com/fwlink/?LinkID=248686.>
+Any content provided through Bing Maps, including geocodes, can only be used within the product through which the content is provided. Customer's use of the Microsoft 365 Admin Center Location Services feature, powered by Bing Maps, is governed by the _Bing Maps End-User Terms of Use_ available at <https://go.microsoft.com/?linkid=9710837> and the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkID=248686).
-This feature, provided through Bing Maps, is also supported by **Here Technologies**. How Bing Maps leverages location services provided by Here Technologies is governed by the _Here Technologies Service Terms_ available at <https://legal.here.com/en-gb/terms>.
+This feature, provided through Bing Maps, is also supported by **TomTom**. More information about TomTom's products and services may be found at [https://www.tomtom.com/legal](https://www.tomtom.com/legal).
## Related topics
This feature, provided through Bing Maps, is also supported by **Here Technologi
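Review bot: the `+` line replaces the Here Technologies statement with TomTom, but an unchanged copy of "This feature, provided through Bing Maps, is also supported by **Here Technologies**" is still visible as context after "## Related topics"; check the file for a second occurrence of that sentence and remove it, otherwise the article will name both providers. While here, the `_Bing Maps End-User Terms of Use_` link is still a bare `<https://go.microsoft.com/?linkid=9710837>` while the Privacy Statement was converted to a markdown link; make the two consistent.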
[Microsoft 365 network assessment (preview)](office-365-network-mac-perf-score.md)
-[Microsoft 365 connectivity test in the M365 Admin Center (preview)](office-365-network-mac-perf-onboarding-tool.md)
+[Microsoft 365 connectivity test in the Microsoft 365 admin center (preview)](office-365-network-mac-perf-onboarding-tool.md)
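Review bot: the added link text "[Microsoft 365 connectivity test in the Microsoft 365 admin center (preview)]" keeps "(preview)" although this same changeset removes "(preview)" from that article's title and H1 (office-365-network-mac-perf-onboarding-tool.md); the preceding "[Microsoft 365 network assessment (preview)]" link has the same problem. Drop "(preview)" from both link texts so the Related topics list matches the retitled articles.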
enterprise Office 365 Network Mac Perf Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-insights.md
Title: "Microsoft 365 Network Insights (preview)"
+ Title: "Microsoft 365 Network Insights"
search.appverid:
- Ent_O365 - Strat_O365_Enterprise
-description: "Microsoft 365 Network Insights (preview)"
+description: "Microsoft 365 Network Insights"
-# Microsoft 365 Network Insights (preview)
+# Microsoft 365 Network Insights
**Network insights** are performance metrics collected from your Microsoft 365 tenant, and available to view only by administrative users in your tenant. Insights are displayed in the Microsoft 365 Admin Center at <https://portal.microsoft.com/adminportal/home#/networkperformance>.
enterprise Office 365 Network Mac Perf Onboarding Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool.md
Title: "Microsoft 365 network connectivity test tool (preview)"
+ Title: "Microsoft 365 network connectivity test tool"
search.appverid:
- Ent_O365 - Strat_O365_Enterprise
-description: "Microsoft 365 network connectivity test tool (preview)"
+description: "Microsoft 365 network connectivity test tool"
-# Microsoft 365 network connectivity test tool (preview)
+# Microsoft 365 network connectivity test tool
The Microsoft 365 network connectivity test tool is located at <https://connectivity.office.com>. It is an adjunct tool to the network assessment and network insights information available in the Microsoft 365 admin center under the **Health | Connectivity** menu. > [!IMPORTANT] > It is important to sign in to your Microsoft 365 tenant as all test reports are shared with your administrator and uploaded to the tenant while you are signed in.
-![Connectivity test tool](../media/m365-mac-perf/m365-mac-perf-test-tool-page.png)
+> [!div class="mx-imgBorder"]
+> ![Connectivity test tool](../media/m365-mac-perf/m365-mac-perf-test-tool-page.png)
>[!NOTE] >The network connectivity test tool supports tenants in WW Commercial and Germany but not GCC Moderate, GCC High, DoD or China.
-The network insights in the Microsoft 365 Admin Center are based on regular in-product measurements for your Microsoft 365 tenant which are aggregated each day. In comparison, the network insights from the Microsoft 365 network connectivity test are run locally and one time in the tool. Testing that can be done in-product is limited and by running tests local to the user more data can be gathered resulting in deeper insights. Consider then that the network insights in the Microsoft 365 Admin Center will show that there is a networking problem for use of Microsoft 365 at a specific office location. The Microsoft 365 connectivity test can help to identify the root cause of that problem leading to a recommended network performance improvement action.
+The network insights in the Microsoft 365 Admin Center are based on regular in-product measurements for your Microsoft 365 tenant, which are aggregated each day. In comparison, the network insights from the Microsoft 365 network connectivity test are run locally and one time in the tool. Testing that can be done in-product is limited and by running tests local to the user more data can be gathered resulting in deeper insights. Consider then that the network insights in the Microsoft 365 Admin Center will show that there is a networking problem for use of Microsoft 365 at a specific office location. The Microsoft 365 connectivity test can help to identify the root cause of that problem leading to a recommended network performance improvement action.
-We recommend that these be used together where networking quality status can be assessed for each office location in the Microsoft 365 Admin Center and more specifics can be found after deployment of testing based on the Microsoft 365 connectivity test.
+We recommend that these insights be used together where networking quality status can be assessed for each office location in the Microsoft 365 Admin Center and more specifics can be found after deployment of testing based on the Microsoft 365 connectivity test.
>[!IMPORTANT] >Network insights, performance recommendations and assessments in the Microsoft 365 Admin Center is currently in preview status, and is only available for Microsoft 365 tenants that have been enrolled in the feature preview program.
We recommend that these be used together where networking quality status can be
### Office location identification
-When you click the run test button we show the running test page and identify the office location. You can type in your location by city, state, and country or you can have it detected from the web browser. If you detect it then we request the latitude and longitude from the web browser and limit the accuracy to 300m by 300m before use. We do this because it is not necessary to identify the location more accurately than the building for network performance.
+When you click the run test button, we show the running test page and identify the office location. You can type in your location by city, state, and country or you can have it detected from the web browser. If you detect it, then we request the latitude and longitude from the web browser and limit the accuracy to 300 meters by 300 meters before use. We do this because it is not necessary to identify the location more accurately than the building for network performance.
### JavaScript tests
-After office location identification we run a TCP latency test in JavaScript and we request data from the service about in-use and recommended Office 365 service front door servers. When these are completed we show them on the map and in the details tab where they can be viewed prior to the next step.
+After office location identification, we run a TCP latency test in JavaScript and we request data from the service about in-use and recommended Office 365 service front door servers. When these tests are completed, we show them on the map and in the details tab where they can be viewed prior to the next step.
### Download the advanced tests client application
-Next we start the download of the advanced tests client application. We rely on the user to launch the client application and they must also have .NET Core installed.
+Next, we start the download of the advanced tests client application. We rely on the user to launch the client application and they must also have .NET Core installed.
-There are two parts to the Microsoft 365 network connectivity test; the web site <https://connectivity.office.com> and a downloadable Windows client application that runs advanced network connectivity tests. Most of the tests require the application to be run. It will populate results back into the web page as it runs.
+There are two parts to the Microsoft 365 network connectivity test: the web site <https://connectivity.office.com> and a downloadable Windows client application that runs advanced network connectivity tests. Most of the tests require the application to be run. It will populate results back into the web page as it runs.
You will be prompted to download the advanced client test application from the web site after the web browser tests have completed. Open and run the file when prompted.
-![Advanced tests client application](../media/m365-mac-perf/m365-mac-perf-open-run-file.png)
+> [!div class="mx-imgBorder"]
+> ![Advanced tests client application](../media/m365-mac-perf/m365-mac-perf-open-run-file.png)
### Start the advanced tests client application
-Once the client application starts the web page will update to show this and test data will start to be received to the web page. It updates each time new data is received and you can review the data as it arrives.
+Once the client application starts, the web page will update to show this result. Test data will start to be received to the web page. The page updates each time new data is received and you can review the data as it arrives.
### Advanced tests completed and test report upload
-Once the tests are completed the web page and the advanced tests client will both indicate this and if the user is signed in the test report will be uploaded to the customers tenant.
+When the tests are completed, the web page and the advanced tests client will both show that. If the user is signed in, the test report will be uploaded to the customer's tenant.
## Sharing your test report
The test report requires sign-in to your Office 365 account. Your administrator
### Sharing your report with your administrator
-All test reports while you are signed in are shared with your administrator.
+If you are signed in when a test report occurs, that reports is shared with your administrator.
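Review bot: the `+` line has a typo, "that reports is shared" should read "that report is shared", and "when a test report occurs" reads oddly; suggest "If you are signed in when a test report is generated, that report is shared with your administrator."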
### Sharing with your Microsoft account team, support or other personnel
-Test reports excluding any personal identification are shared with Microsoft employees. This is enabled by default and can be disabled by your administrator in the **Health | Network Connectivity** page in the Microsoft 365 Admin Center.
+Test reports (excluding any personal identification) are shared with Microsoft employees. This sharing is enabled by default and can be disabled by your administrator in the **Health | Network Connectivity** page in the Microsoft 365 Admin Center.
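Review bot: since this sharing with Microsoft employees is enabled by default, the sentence should say what "excluding any personal identification" actually removes; the "Your location" section later on the page states that the city and the distances to network points are saved in the report, and the egress section says the network egress IP address is identified server side, so readers deciding whether to leave the default on need to know which of those values leave the tenant. A short list of the retained fields, or a link to one, would make the default defensible.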
### Sharing with other users who sign in to the same Office 365 tenant
-You can choose users to share your report with and this is enabled by default. It can also be disabled by your administrator.
+You can choose users to share your report with. Being able to choose is enabled by default, but it can be disabled by your administrator.
-![Sharing a link to your test results with a user](../media/m365-mac-perf/m365-mac-perf-share-to-user.png)
+> [!div class="mx-imgBorder"]
+> ![Sharing a link to your test results with a user](../media/m365-mac-perf/m365-mac-perf-share-to-user.png)
### Sharing with anyone using a ReportID link
-You can share your test report with anyone by providing access to a ReportID link. This generates a URL that you can send to someone so that they can bring up the test report without signing in. This is disabled by default and must be enabled by your administrator.
+You can share your test report with anyone by providing access to a ReportID link. This link generates a URL that you can send to someone so that they can bring up the test report without signing in. This sharing is disabled by default and must be enabled by your administrator.
-![Sharing a link to your test results](../media/m365-mac-perf/m365-mac-perf-share-link.png)
+> [!div class="mx-imgBorder"]
+> ![Sharing a link to your test results](../media/m365-mac-perf/m365-mac-perf-share-link.png)
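Review bot: the ReportID section says the generated URL lets anyone open the report without signing in and that the feature is off by default, but it does not say how access is withdrawn afterwards; the "Reports" section later on the page says signed-in users can delete reports from the list, so state whether deleting the report invalidates previously shared links and whether the links expire on their own. Without that, an administrator who enables this setting cannot describe the exposure window to their users.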
## Network Connectivity Test Results
-The results are shown in the **Summary** and **Details** tabs. The summary tab shows a map of the detected network perimeter and a comparison of the network assessment to other Office 365 customers nearby. It also allows for sharing of the test report. Here's what the summary results view looks like.
+The results are shown in the **Summary** and **Details** tabs. The summary tab shows a map of the detected network perimeter and a comparison of the network assessment to other Office 365 customers nearby. It also allows for sharing of the test report. Here's what the summary results view looks like:
-![Network connectivity test tool summary results](../media/m365-mac-perf/m365-mac-perf-summary-page.png)
+> [!div class="mx-imgBorder"]
+> ![Network connectivity test tool summary results](../media/m365-mac-perf/m365-mac-perf-summary-page.png)
-Here is an example of the details tab output that the tool shows. On the details tab we show a green circle check mark if the result was compared favorably to a threshold. We show a red triangle exclamation point if the result exceeded a threshold indicating a network insight. The following sections describe each of the details tab results rows and explains the thresholds used for network insights.
+Here is an example of the details tab output that the tool shows. On the details tab we show a green circle check mark if the result was compared favorably to a threshold. We show a red triangle exclamation point if the result exceeded a threshold indicating a network insight. The following sections describe each of the details tab results rows and explain the thresholds used for network insights.
-![Network connectivity test tool example test results](../media/m365-mac-perf/m365-mac-perf-all-details.png)
+> [!div class="mx-imgBorder"]
+> ![Network connectivity test tool example test results](../media/m365-mac-perf/m365-mac-perf-all-details.png)
### Your location information
This section shows test results related to your location.
#### Your location
-The user location is detected from the users web browser, or it can be typed in at the users choice. It is used to identify network distances to specific parts of the enterprise network perimeter. Only the city from this location detection and the distance to other network points are saved in the report.
+The user location is detected from the users web browser. It can also be typed in at the user's choice. It is used to identify network distances to specific parts of the enterprise network perimeter. Only the city from this location detection and the distance to other network points are saved in the report.
The user office location is shown on the map view.
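Review bot: the `+` line fixes "users choice" to "user's choice" but leaves "detected from the users web browser" in the same sentence; change it to "the user's web browser" for consistency.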
We identify the network egress IP address on the server side. Location databases
#### Your distance from the network egress location
-We determine the distance from that location to the office location. This is shown as a network insight if the distance is greater than **500 miles** (800 kilometers) since that is likely to increase the TCP latency by more than 25ms and may affect user experience.
+We determine the distance from that location to the office location. This is shown as a network insight if the distance is greater than **500 miles** (800 kilometers) since that is likely to increase the TCP latency by more than 25 ms and may affect user experience.
The network egress location is shown on the map view and connected to the user office location indicating the network backhaul inside of the enterprise WAN.
This detects if you are using a VPN to connect to Office 365. A passing result w
#### VPN Split Tunnel
-Each optimize category route for Exchange Online, SharePoint Online, and Microsoft Teams is tested to see if it is tunneled on the VPN or not. A split out workload avoids the VPN entirely. A tunneled workload is all sent over the VPN. A selective tunneled workload has some routes sent over the VPN and some split out. A passing result will show if all workloads are split out or selective tunneled.
+Each optimized category route for Exchange Online, SharePoint Online, and Microsoft Teams is tested to see if it is tunneled on the VPN or not. A split out workload avoids the VPN entirely. A tunneled workload is all sent over the VPN. A selective tunneled workload has some routes sent over the VPN and some split out. A passing result will show if all workloads are split out or selective tunneled.
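Review bot: changing "Each optimize category route" to "Each optimized category route" is a regression, not a grammar fix: "Optimize" is the name of the endpoint category, and the same page later refers to endpoints "in the optimize or allow category". Revert to "Each Optimize category route" (capitalised, or in bold, if the category names are styled that way elsewhere in the article) so readers can match it to the endpoint list.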
#### Customers in your metropolitan area with better performance
This network insight is generated on the basis that all users in a city have acc
#### Time to make a DNS request on your network
-This shows the DNS server configured on the client machine that ran the tests. It might be a DNS Recursive Resolver server however this is uncommon. It is more likely to be a DNS forwarder server which caches DNS results and forwards any uncached DNS requests to another DNS server.
+This shows the DNS server configured on the client machine that ran the tests. It might be a DNS Recursive Resolver server however this is uncommon. It is more likely to be a DNS forwarder server, which caches DNS results and forwards any uncached DNS requests to another DNS server.
This is provided for information only and does not contribute to any network insight.
This section shows test results related to Microsoft Teams.
#### Media connectivity (audio, video, and application sharing)
-This tests for UDP connectivity to the Microsoft Teams service front door. If this is blocked then Microsoft Teams may still work using TCP, but audio and video will be impaired. Read more about these UDP network measurements which also apply to Microsoft Teams at [Media Quality and Network Connectivity Performance in Skype for Business Online](/skypeforbusiness/optimizing-your-network/media-quality-and-network-connectivity-performance)
+This tests for UDP connectivity to the Microsoft Teams service front door. If this is blocked then Microsoft Teams may still work using TCP, but audio and video will be impaired. Read more about these UDP network measurements, which also apply to Microsoft Teams at [Media Quality and Network Connectivity Performance in Skype for Business Online](/skypeforbusiness/optimizing-your-network/media-quality-and-network-connectivity-performance).
#### Packet loss
Shows the measured UDP jitter, which should be lower than **30ms**.
#### Connectivity
-We test for HTTP connectivity from the user office location to all of the required Microsoft 365 network endpoints. These are published at [https://aka.ms/o365ip](./urls-and-ip-address-ranges.md). A network insight is shown for any required network endpoints which cannot be connected to.
+We test for HTTP connectivity from the user office location to all of the required Microsoft 365 network endpoints. These are published at [https://aka.ms/o365ip](./urls-and-ip-address-ranges.md). A network insight is shown for any required network endpoints, which cannot be connected to.
-Connectivity may be blocked by a proxy server, a firewall, or another network security device on the enterprise network perimeter. Connectivity to TCP port 80 is tested with an HTTP request and connectivity to TCP port 443 is tested with an HTTPS request. If there is no response the FQDN is marked as a failure. If there is an HTTP response code 407 the FQDN is marked as a failure. If there is an HTTP response code 403 then we check the Server attribute of the response and if it appears to be a proxy server we mark this as a failure. You can simulate the tests we perform with the Windows command line tool curl.exe.
+Connectivity may be blocked by a proxy server, a firewall, or another network security device on the enterprise network perimeter. Connectivity to TCP port 80 is tested with an HTTP request and connectivity to TCP port 443 is tested with an HTTPS request. If there is no response the FQDN is marked as a failure. If there is an HTTP response code 407 the FQDN is marked as a failure. If there is an HTTP response code 403 then we check the Server attribute of the response and if it appears to be a proxy server we mark this as a failure. You can simulate the tests we perform with the Windows command-line tool curl.exe.
We test the SSL certificate at each required Microsoft 365 network endpoint that is in the optimize or allow category as defined at [https://aka.ms/o365ip](./urls-and-ip-address-ranges.md). If any tests do not find a Microsoft SSL certificate, then the encrypted network connected must have been intercepted by an intermediary network device. A network insight is shown on any intercepted encrypted network endpoints.
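Review bot: the comma added in "A network insight is shown for any required network endpoints, which cannot be connected to" turns a restrictive clause into a non-restrictive one and now reads as if no required endpoint can be reached; revert to "for any required network endpoints that cannot be connected to". In the following paragraph, the 403 rule ("we check the Server attribute of the response and if it appears to be a proxy server we mark this as a failure") implies that a 403 whose Server header does not look like a proxy is not counted as a failure; say so explicitly, so readers understand that a proxy which does not identify itself in that header can pass this check.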
This section shows the results of an ICMP traceroute to the Exchange Online serv
When you are signed in you can review previous reports that you have run. You can also share them or delete them from the list.
-![Reports](../media/m365-mac-perf/m365-mac-perf-reports-list.png)
+> [!div class="mx-imgBorder"]
+> ![Reports](../media/m365-mac-perf/m365-mac-perf-reports-list.png)
## Network health status
-This shows any significant health issues with Microsoft's global network which might impact Microsoft 365 customers.
+This shows any significant health issues with Microsoft's global network, which might impact Microsoft 365 customers.
-![Network health status](../media/m365-mac-perf/m365-mac-perf-status-page.png)
+> [!div class="mx-imgBorder"]
+> ![Network health status](../media/m365-mac-perf/m365-mac-perf-status-page.png)
## FAQ
Here are answers to some of our frequently asked questions.
### Is this tool released and supported by Microsoft?
-It is currently a preview and we plan to provide updates regularly until we reach general availability release status with support from Microsoft. Please provide feedback to help us improve. We are planning to publish a more detailed Office 365 Network Onboarding guide as part of this tool which is customized for the organization by its test results.
+It is currently a preview and we plan to provide updates regularly until we reach general availability release status with support from Microsoft. Please provide feedback to help us improve. We are planning to publish a more detailed Office 365 Network Onboarding guide as part of this tool, which is customized for the organization by its test results.
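Review bot: the FAQ answer still says "It is currently a preview and we plan to provide updates regularly until we reach general availability", and the IMPORTANT callout earlier on the page says the admin center insights are "currently in preview status", while this same changeset removes "(preview)" from the article title, description and H1. Either the tool has reached general availability and these two passages should be updated, or the title change is premature; the article should not say both.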
### What is required to run the advanced test client?
-The advanced test client requires .NET Core 3.1 Desktop Runtime. If you run the advanced test client without that installed you will be directed to [the .NET Core 3.1 installer page](https://dotnet.microsoft.com/download/dotnet-core/3.1). Be sure to install the Desktop Runtime and not the SDK, or the ASP.NET Core Runtime which are higher up on the page. Administrator permissions on the machine is required to install .NET Core.
+The advanced test client requires .NET Core 3.1 Desktop Runtime. If you run the advanced test client without that installed you will be directed to [the .NET Core 3.1 installer page](https://dotnet.microsoft.com/download/dotnet-core/3.1). Be sure to install the Desktop Runtime and not the SDK, or the ASP.NET Core Runtime, which are higher up on the page. Administrator permissions on the machine are required to install .NET Core.
### What is Microsoft 365 service front door? The Microsoft 365 service front door is an entry point on Microsoft's global network where Office clients and services terminate their network connection. For an optimal network connection to Microsoft 365, it is recommended that your network connection is terminated into the closest Microsoft 365 front door in your city or metro.
-Note: Microsoft 365 service front door has no direct relationship to the **Azure Front Door Service** product available in the Azure marketplace.
+> [!NOTE]
+> Microsoft 365 service front door has no direct relationship to the **Azure Front Door Service** product available in the Azure marketplace.
### What is the best Microsoft 365 service front door?
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
Title: "Network connectivity in the Microsoft 365 Admin Center (preview)"
+ Title: "Network connectivity in the Microsoft 365 Admin Center"
- Ent_O365 - Strat_O365_Enterprise - m365initiative-coredeploy
-description: "Overview of network connectivity in the Microsoft 365 Admin Center (preview)"
+description: "Overview of network connectivity in the Microsoft 365 Admin Center"
-# Network connectivity in the Microsoft 365 Admin Center (preview)
+# Network connectivity in the Microsoft 365 Admin Center
The Microsoft 365 Admin Center now includes aggregated network connectivity metrics collected from your Microsoft 365 tenant and available to view only by administrative users in your tenant.
enterprise Office 365 Network Mac Perf Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-score.md
Title: "Microsoft 365 network assessment (preview)"
+ Title: "Microsoft 365 network assessment"
search.appverid:
- Ent_O365 - Strat_O365_Enterprise
-description: "Microsoft 365 network assessment (preview)"
+description: "Microsoft 365 network assessment"
-# Microsoft 365 network assessment (preview)
+# Microsoft 365 network assessment
-In the Microsoft 365 Admin Center's network connectivity, **network assessments** distill an aggregate of many network performance metrics into a snapshot of your enterprise network perimeter health, represented by a points value from 0 - 100. A network assessment tells you how much the customer responsible network design is impacting Office 365 user experience. Network assessments are scoped to both the entire tenant and for each geographic location from which users connect to your tenant, providing Microsoft 365 administrators with an easy way to instantly grasp a gestalt of the enterprise's network health and quickly drill down into a detailed report for any global office location.
+In the Microsoft 365 Admin Center's network connectivity, **network assessments** distill an aggregate of many network performance metrics into a snapshot of your enterprise network perimeter health. A network assessment tells you how much the customer responsible network design is impacting Office 365 user experience. Network assessments are scoped to both the entire tenant and to each geographic location from which users connect to your tenant. The assessments provide Microsoft 365 administrators with an easy way to instantly get a sense of the enterprise's network health and quickly drill down into a detailed report for any global office location.
-The network assessment points value is an average of TCP latency, download speed and UDP connection quality metrics compiled once a day. Performance metrics for Microsoft-owned networks are excluded from these measurements to ensure that assessment results are unambiguous and specific to the corporate network.
+The network assessment points value is from 0 to 100 and is an average of TCP latency, download speed, and UDP connection quality metrics. These metrics are compiled once a day. Performance metrics for Microsoft-owned networks are excluded from these measurements to ensure that assessment results are unambiguous and specific to the corporate network.
-![Network assessment value](../media/m365-mac-perf/m365-mac-perf-overview-score-top.png)
+> [!div class="mx-imgBorder"]
+> ![Network assessment value](../media/m365-mac-perf/m365-mac-perf-overview-score-top.png)
-A very low network assessment value suggests that Microsoft 365 clients will have significant problems connecting to the tenant or maintaining a responsive user experience, while a high value indicates a properly configured network with few ongoing performance issues. A value of 80% represents a healthy baseline where you should not expect to receive regular user complaints about Microsoft 365 connectivity or responsiveness due to network performance. As iterative network connectivity improvements are made, this value will increase along with user experience.
+A very low network assessment value suggests that Microsoft 365 clients will have significant problems connecting to the tenant or maintaining a responsive user experience. A high value indicates a properly configured network with few ongoing performance issues. A value of 80% represents a healthy baseline, above which you should not expect to receive regular user complaints about Microsoft 365 connectivity or responsiveness due to network performance. As iterative network connectivity improvements are made, this value will increase along with user experience.
| Network assessment | Expected user experience | | :-- | :-- |
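Review bot: the rewritten paragraphs define the assessment as a points value from 0 to 100 but then call the healthy baseline "80%"; use one unit ("a value of 80 points", or say explicitly that the points value is shown as a percentage) so readers do not wonder whether 80% and 80 points differ. Style point in the same hunk: "customer responsible network design" should be hyphenated as "customer-responsible network design", since it is a compound modifier.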
A very low network assessment value suggests that Microsoft 365 clients will hav
Each network assessment, whether scoped to the tenant or to a specific office location, shows a panel with details about the assessment. This panel shows a bar chart of the assessment both as a percentage and as the total points for each component workload including only workloads where measurement data was received. For an office location network assessment, we also show a comparison to the percent of Microsoft 365 customers in each of five quintiles that reported data in the same city as your office location.
-![Example network assessment value](../media/m365-mac-perf/m365-mac-perf-overview-score.png)
+> [!div class="mx-imgBorder"]
+> ![Example network assessment value](../media/m365-mac-perf/m365-mac-perf-overview-score.png)
The **Assessment breakdown** in the panel shows the assessment for each of the component workloads.
-The **Assessment history** shows the past 30 days of the assessment and the benchmark. You can also report on the metrics history for any office location for up to two years using the history tab. The history tab allows you to select your attributes to report on and by choosing a report timeframe you can highlight the impact of a network update project and see the improvement to your network assessment.
+The **Assessment history** shows the past 30 days of the assessment and the benchmark. You can also report on the metrics history for any office location for up to two years using the history tab. The history tab allows you to select your attributes to report on. By choosing a report time frame, you can highlight the impact of a network update project and see the improvement to your network assessment.
## Tenant network assessments and office location network assessments
-A network assessment measures the design of the network perimeter of an office location to Microsoft's network. Improvements to the network perimeter is best done at each office location.
+A network assessment measures the design of the network perimeter of an office location to Microsoft's network. Improvements to the network perimeter are best done at each office location.
-We show a network assessment value for the whole Microsoft 365 tenant on the network performance overview page which is a weighted average of the network assessments for all office locations. There is also a specific network assessment value for each detected office location on that location's summary page.
+We show a network assessment value for the whole Microsoft 365 tenant on the network performance overview page. This value is a weighted average of the network assessments for all office locations. There is also a specific network assessment value for each detected office location on that location's summary page.
## Exchange Online
-For Exchange Online the TCP latency from the client machine to the Exchange service front door is measured. This can be impacted by the distance the network travels over the customers LAN and WAN. It can also be impacted by network intermediary devices or services which delay the connectivity or cause packets to be resent. And it is impacted by how far away the nearest Exchange service front door is. The median (also known as the 50th percentile or P50 measure) is taken for all measurements over the previous three days.
+For Exchange Online, the TCP latency from the client machine to the Exchange service front door is measured. This latency can be impacted by the distance the network travels over the customers LAN and WAN. It can also be impacted by network intermediary devices or services, which delay the connectivity or cause packets to be resent. And it is impacted by how far away the nearest Exchange service front door is. The median (also known as the 50th percentile or P50 measure) is taken for all measurements over the previous three days.
The Exchange Online assessment is made using the following table. Any TCP latency number between the thresholds are assigned points linearly within the band. | TCP Latency | Points | | : | :-- |
-| 10ms or less | 100 |
-| 25ms | 80 |
-| 100ms | 60 |
-| 200ms | 40 |
-| 300ms | 20 |
-| 350ms or more | 0 |
+| 10 ms or less | 100 |
+| 25 ms | 80 |
+| 100 ms | 60 |
+| 200 ms | 40 |
+| 300 ms | 20 |
+| 350 ms or more | 0 |
## SharePoint Online
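Review bot: the alignment row of the TCP latency table, `| : | :-- |` at the end of the line "The Exchange Online assessment is made using the following table", is not a valid column specification and will stop the table from rendering; it should be `| :-- | :-- |` to match the two-column header. Grammar in the same line: "Any TCP latency number between the thresholds are assigned points" should be "is assigned points". In the rewritten Exchange Online paragraph, "the customers LAN and WAN" needs the possessive, "the customer's LAN and WAN".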
-For SharePoint Online the download speed available for a user to access a document from SharePoint or OneDrive is measured. This can be impacted by the bandwidth available on network circuits between the client machine and Microsoft's network. It is also often impacted by network congestion that exists in bottlenecks in complex network devices or in poor coverage Wi-Fi areas. The download speed is measured in megabytes per second which is approximately one tenth of a circuits rated megabits per second. The MegaByte per second unit is helpful because you can directly see what size file can be downloaded in 1 second. The 25th percentile (also known as the P25 measure) is taken for all measurements over the previous three days. This 25th percentile helps reduce the impact of varying congestion over time.
+For SharePoint Online the download speed available for a user to access a document from SharePoint or OneDrive is measured. This can be impacted by the bandwidth available on network circuits between the client machine and Microsoft's network. It is also often impacted by network congestion that exists in bottlenecks in complex network devices or in poor coverage Wi-Fi areas. The download speed is measured in megabytes per second, which is approximately one tenth of a circuits rated megabits per second. The MegaByte per second unit is helpful because you can directly see what size file can be downloaded in 1 second. The 25th percentile (also known as the P25 measure) is taken for all measurements over the previous three days. This 25th percentile helps reduce the impact of varying congestion over time.
The SharePoint Online assessment is made using the following table. Any download speed number between the thresholds are assigned points linearly within the band.
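Review bot: "one tenth of a circuits rated megabits per second" needs the possessive ("a circuit's rated megabits per second"), and "The MegaByte per second unit" should use the ordinary spelling "megabyte per second" to match "megabytes per second" in the preceding sentence. The sentence after the hunk has the same agreement slip as the Exchange Online section: "Any download speed number between the thresholds are assigned" should be "is assigned".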
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
If you are configuring attack surface reduction rules by using Group Policy or P
### Block abuse of exploited vulnerable signed drivers
-This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
+This rule prevents an application from writing a vulnerable, signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
This rule does not block a driver already existing on the system from being loaded.
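Review bot: the comma added in "a vulnerable, signed driver" is inconsistent with "vulnerable signed drivers", used twice later in the same paragraph; keep the unpunctuated form throughout, since "vulnerable" qualifies "signed driver" as a unit. Two further style points: "In-the-wild" should not be hyphenated when it opens the sentence as an adverbial ("In the wild, vulnerable signed drivers..."), and the escaped `\-` hyphens around "_that have sufficient privileges_" render as stray spaced hyphens; parentheses would read more cleanly.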
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
You can use a Microsoft Endpoint Manager (MEM) admin center to configure custom
![MEM rule profile attributes](images/mem02-profile-attributes.png)
-3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type an optional description.
+3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional ).
![MEM basic attributes](images/mem03-1-basics.png)
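Review bot: "(optional )" has a stray space before the closing parenthesis; write "(optional)".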
You can use a Microsoft Endpoint Manager (MEM) admin center to configure custom
- In **Property**, select the property to which you want this rule to apply - In **Value**, enter the applicable value or value range
- ![MEM Applicability rules](images/mem07-5-applicability -rules.png)
+ ![MEM Applicability rules](images/mem07-5-applicability-rules.png)
10. Click **Next**. In step **6 Review + create**, review the settings and information you have selected and entered, and then click **Create**.
You can use a Microsoft Endpoint Manager (MEM) admin center to configure custom
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Warn ```
+ To enable ASR Block abuse of exploited vulnerable signed drivers, use the following cmdlet:
+
+ ```PowerShell
+ "& {&'Add-MpPreference' -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled"}
+ ```
+ To turn off ASR rules, use the following cmdlet: ```PowerShell
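Review bot: the added cmdlet for "Block abuse of exploited vulnerable signed drivers" is not valid PowerShell: `"& {&'Add-MpPreference' ... -AttackSurfaceReductionRules_Actions Enabled"}` opens a double-quoted string that closes before the `}`, so the `&` call operator and the braces never balance and the line fails to parse; wrapping the cmdlet in `& { }` inside a string also serves no purpose. Use the same form as the other cmdlets on this page: `Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled`. The following "To turn off ASR rules" sentence also runs into its opening ```` ```PowerShell ```` fence on the same line; the fence needs its own line.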
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
ms.technology: mde
This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Intune. A successful deployment requires the completion of all of the following steps:
-1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Download the onboarding package](#download-the-onboarding-package)
1. [Client device setup](#client-device-setup) 1. [Approve system extensions](#approve-system-extensions) 1. [Create System Configuration profiles](#create-system-configuration-profiles)
The following table summarizes the steps you would need to take to deploy and ma
| Step | Sample file names | BundleIdentifier | |-|-|-|
-| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Download the onboarding package](#download-the-onboarding-package) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
| [Approve System Extension for Microsoft Defender for Endpoint](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
-| [Approve Kernel Extension for Microsoft Defender for Endpoint](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
-| [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
-| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
-| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you're planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+| [Approve Kernel Extension for Microsoft Defender for Endpoint](#download-the-onboarding-package) | MDATP_KExt.xml | N/A |
+| [Grant full disk access to Microsoft Defender for Endpoint](#full-disk-access) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Network Extension policy](#network-filter) | MDATP_NetExt.xml | N/A |
+| [Configure Microsoft AutoUpdate (MAU)](mac-updates.md#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
+| [Microsoft Defender for Endpoint configuration settings](mac-preferences.md#intune-profile-1)<br/><br/> **Note:** If you're planning to run a third-party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](mac-updates.md) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
+ ## Download the onboarding package
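Review bot: the "Approve Kernel Extension for Microsoft Defender for Endpoint" row still links to the wrong section: the `-` line pointed at `#download-installation-and-onboarding-packages` and the `+` line now points at `#download-the-onboarding-package`, but neither is the kernel extension approval section that the row describes; link to that section's heading instead. The notifications row also loses precision: it previously targeted `#create-system-configuration-profiles-step-10` and now targets the whole `mac-updates.md` page, so a reader lands without a pointer to the notification settings.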
In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/
This profile contains a license information for Microsoft Defender for Endpoint, without it it will report that it is not licensed.
-1. Select **Create Profile** under **Configuration Profiles**
+1. Select **Create Profile** under **Configuration Profiles**.
1. Select **Platform**=**macOS**, **Profile type**=**Templates**. **Template name**=**Custom**. Click **Create**.
- ![Custom Configuration Profile creation](images/mdatp-6-systemconfigurationprofiles-1.png)
+ > [!div class="mx-imgBorder"]
+ > ![Custom Configuration Profile creation](images/mdatp-6-systemconfigurationprofiles-1.png)
-1. Choose a name for the profile, e.g. "MDATP onboarding for macOS". Click **Next**.
+1. Choose a name for the profile, e.g., "MDATP onboarding for macOS". Click **Next**.
- ![Custom Configuration Profile - name](images/mdatp-6-systemconfigurationprofiles-2.png)
+ > [!div class="mx-imgBorder"]
+ > ![Custom Configuration Profile - name](images/mdatp-6-systemconfigurationprofiles-2.png)
-1. Choose a name for the configuration profile name, e.g. "MDATP onboarding for macOS".
+1. Choose a name for the configuration profile name, e.g., "MDATP onboarding for macOS".
1. Select intune/WindowsDefenderATPOnboarding.xml that you extracted from the onboarding package above as configuration profile file.
- ![Import a configuration from a file for Custom Configuration Profile](images/mdatp-6-systemconfigurationprofiles.png)
+ > [!div class="mx-imgBorder"]
+ > ![Import a configuration from a file for Custom Configuration Profile](images/mdatp-6-systemconfigurationprofiles.png)
1. Click **Next**. 1. Assign devices on the **Assignment** tab. Click **Next**.
- ![Custom Configuration Profile - assignment](images/mdatp-6-systemconfigurationprofiles-2.png)
+ > [!div class="mx-imgBorder"]
+ > ![Custom Configuration Profile - assignment](images/mdatp-6-systemconfigurationprofiles-2.png)
1. Review and **Create**. 1. Open **Devices** > **Configuration profiles**, you can see your created profile there.
- ![Custom Configuration Profile - done](images/mdatp-6-systemconfigurationprofiles-3.png)
+ > [!div class="mx-imgBorder"]
+ > ![Custom Configuration Profile - done](images/mdatp-6-systemconfigurationprofiles-3.png)
### Approve System Extensions This profile is needed for macOS 10.15 (Catalina) or newer. It will be ignored on older macOS.
-1. Select **Create Profile** under **Configuration Profiles**
+1. Select **Create Profile** under **Configuration Profiles**.
1. Select **Platform**=**macOS**, **Profile type**=**Templates**. **Template name**=**Extensions**. Click **Create**. 1. In the **Basics** tab, give a name to this new profile. 1. In the **Configuration settings** tab, expand **System Extensions** add the following entries in the **Allowed system extensions** section:
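Review bot: in the onboarding profile steps, step 3 ("Choose a name for the profile, e.g., "MDATP onboarding for macOS". Click **Next**.") and step 5 ("Choose a name for the configuration profile name, e.g., ...") ask for the same thing twice; drop one, and in the surviving step remove the doubled "name". The assignment step reuses `images/mdatp-6-systemconfigurationprofiles-2.png`, the same screenshot as the naming step, which looks like a copy-paste slip. Grammar in the context above the hunk: "This profile contains a license information for Microsoft Defender for Endpoint, without it it will report that it is not licensed" should be "This profile contains license information for Microsoft Defender for Endpoint; without it, the product reports that it is not licensed."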
This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o
> [!CAUTION] > Apple Silicon (M1) devices do not support KEXT. Installation of a configuration profile consisting KEXT policies will fail on these devices.
-1. Select **Create Profile** under **Configuration Profiles**
+1. Select **Create Profile** under **Configuration Profiles**.
1. Select **Platform**=**macOS**, **Profile type**=**Templates**. **Template name**=**Extensions**. Click **Create**. 1. In the **Basics** tab, give a name to this new profile. 1. In the **Configuration settings** tab, expand **Kernel Extensions**.
-1. Set **Team identifier** to **UBF8T346G9** and click Next.
+1. Set **Team identifier** to **UBF8T346G9** and click **Next**.
+ > [!div class="mx-imgBorder"]
> ![Kernel extension settings](images/mac-kernel-extension-intune2.png) 1. In the **Assignments** tab, assign this profile to **All Users & All devices**.
This step enables deploying Microsoft Defender for Endpoint to enrolled machines
1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), open **Apps**.
+ > [!div class="mx-imgBorder"]
> ![Ready to create application](images/mdatp-8-app-before.png)
-1. Select By platform => macOS => Add.
-1. Choose **App type**=**macOS**, click **Select**
+1. Select By platform > macOS > Add.
+1. Choose **App type**=**macOS**, click **Select**.
+ > [!div class="mx-imgBorder"]
> ![Specify application type](images/mdatp-9-app-type.png) 1. Keep default values, click **Next**.
+ > [!div class="mx-imgBorder"]
> ![Application properties](images/mdatp-10-properties.png)
-1. Add assignments, click **Next***.
+1. Add assignments, click **Next**.
+ > [!div class="mx-imgBorder"]
> ![Intune assignments info screenshot](images/mdatp-11-assignments.png) 1. Review and **Create**.
-1. You can visit **Apps** => **By platform** => **macOS** to see it on the list of all applications.
+1. You can visit **Apps** > **By platform** > **macOS** to see it on the list of all applications.
+ > [!div class="mx-imgBorder"]
> ![Applications list](images/mdatp-12-applications.png)
-(You can find detailed information on the [Intune's page for Defender deployment](https://docs.microsoft.com/en-us/mem/intune/apps/apps-advanced-threat-protection-macos))
+(You can find detailed information on the [Intune's page for Defender deployment](/mem/intune/apps/apps-advanced-threat-protection-macos).)
> [!CAUTION] > You have to create all required configuration profiles and push them to all machines, as explained above. ## Client device setup
-You don't need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You don't need any special provisioning for a Mac device beyond a standard [Company Portal installation](/intune-user-help/enroll-your-device-in-intune-macos-cp).
1. Confirm device management.
- ![Confirm device management screenshot](images/mdatp-3-confirmdevicemgmt.png)
+ > [!div class="mx-imgBorder"]
+ > ![Confirm device management screenshot](images/mdatp-3-confirmdevicemgmt.png)
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
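Review bot: the menu path in "Select By platform > macOS > Add." is left unbolded while the later step bolds the same path ("**Apps** > **By platform** > **macOS**"); use the bold form in both so UI labels are styled consistently, as elsewhere in the procedure.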
You don't need any special provisioning for a Mac device beyond a standard [Comp
1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
- ![System Preferences screenshot](images/mdatp-13-systempreferences.png)<br/>
+ > [!div class="mx-imgBorder"]
+ > ![System Preferences screenshot](images/mdatp-13-systempreferences.png)
+ ![System Preferences Profiles screenshot](images/mdatp-14-systempreferencesprofiles.png) 2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:+ ![Profiles screenshot](images/mdatp-15-managementprofileconfig.png) 3. You should also see the Microsoft Defender for Endpoint icon in the top-right corner:
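Review bot: only the first screenshot in this step is wrapped in the `> [!div class="mx-imgBorder"]` block; the second (`mdatp-14-systempreferencesprofiles.png`) and the profiles screenshot in the next step (`mdatp-15-managementprofileconfig.png`) are left bare, which is inconsistent with the rest of this change, whose purpose is to apply that border to every screenshot.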
You don't need any special provisioning for a Mac device beyond a standard [Comp
## Troubleshooting
-Issue: No license found
+Issue: No license found.
-Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
+Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml.
## Logging installation issues
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-migratetomdatp Previously updated : 05/10/2021 Last updated : 05/11/2021
**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).+ 2. [Run a detection test](#run-a-detection-test).+ 3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).+ 4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode). ## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.+ 2. Choose **Settings** > **Device management** > **Onboarding**. + 3. In the **Select operating system to start onboarding process** list, select an operating system. + 4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article). ### Onboarding methods
To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([http
**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)! - [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + - [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
- m365solution-migratetomdatp Previously updated : 05/10/2021 Last updated : 05/11/2021
**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:+ 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)+ 2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).+ 3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).+ 4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). ## Get and deploy updates across your organization's devices
Need help updating your organization's devices? See the following resources:
Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned. 1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-2. Verify that your licenses are properly provisioned. [Check your license state](/microsoft-365/security/defender-endpoint/production-deployment#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](/microsoft-365/security/defender-endpoint/production-deployment#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](/microsoft-365/security/defender-endpoint/production-deployment#network-configuration).
+
+2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. 1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](prepare-deployment.md#role-based-access-control).+ 2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).+ If your organization requires a method other than Intune, choose one of the following options:+ - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)+ - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)+ - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview)+ 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)). ## Configure device proxy and internet connectivity settings
To enable communication between your devices and Microsoft Defender for Endpoint
|Capabilities | Operating System | Resources | |--|--|--|
-|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |- [Windows 10](/windows/release-health/release-information) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR |- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |- [Windows 10](/windows/release-health/release-information) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
+|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
+|EDR |[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS: <br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
|Antivirus |macOS: <br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) | |Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
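Review bot: the `+|EDR |macOS:` row drops 10.13 (High Sierra) from the supported list while adding 11.3.1 (Big Sur) without saying that High Sierra support ended; a reader comparing old and new rows cannot tell whether 10.13 devices still need these proxy settings. Naming the point release `11.3.1` also reads as if only that build is supported, whereas every other entry names a major version (`10.15 (Catalina)`), so `11 (Big Sur)` is the consistent form. Formatting inside the one table is now mixed: the Windows rows switch from `<br/>-` bullets to `<p>`, but the macOS and Linux rows keep `macOS: <br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)`; pick one. In the Linux row, `Oracle Linux 7.2` is the only distribution without a `+`; confirm whether only 7.2 is supported or the suffix was lost.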
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-migratetomdatp Previously updated : 05/10/2021 Last updated : 05/11/2021
||*You are here!* | | **Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:+ 1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).+ 2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).+ 3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).+ 4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).+ 5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).+ 6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). ## Enable Microsoft Defender Antivirus and confirm it's in passive mode
On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. When you get ready to onboard your endpoints to Defender for Endpoint, Microsoft Defender Antivirus does not enter passive or disabled mode automatically. In addition, on Windows Server, you cannot have Microsoft Defender Antivirus in active mode alongside a non-Microsoft antivirus/antimalware solution, such as McAfee, Symantec, or others. To learn more about what happens with Defender for Endpoint and antivirus solutions, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). To help ensure that Microsoft Defender Antivirus is enabled and in passive mode, complete the following tasks described in this article:+ - [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)+ - [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);+ - [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)+ - [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and+ - [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). ### Set DisableAntiSpyware to false on Windows Server
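Review bot: the first sentence after the step list still says "might have been uninstalled or disabled when your McAfee solution was installed", but this is the generic switch-to-Defender setup page (the same paragraph continues "such as McAfee, Symantec, or others"), so the McAfee reference is a leftover from the vendor-specific migration guide; "when your non-Microsoft antivirus solution was installed" is what the page means. The task list that closes the paragraph is punctuated inconsistently ("...on Windows Server);" with a semicolon, "...Windows client devices); and" before the last item, the others bare); make the items uniform.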
Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do | |||
-|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator. <p> 2. Type `sc query windefend`, and then press Enter.<p> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p> 2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p> 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
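Review bot: the Command Prompt row asks the reader to run `sc query windefend` and then "Review the results to confirm that Microsoft Defender Antivirus is running in passive mode", but `sc query` reports only the service control state (`STATE : 4 RUNNING`, `1 STOPPED`, and so on); it has no notion of active versus passive mode, so step 3 of that row cannot be completed from its output. Reword the row to "confirm the service is running" and point to the PowerShell row for the mode, or drop the Command Prompt method. The PowerShell row is the check that actually answers the question: `Get-MpComputerStatus` with `AMRunningMode` reading `Passive Mode` or `SxS Passive Mode`.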
The specific exclusions to configure will depend on which version of Windows you
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
-|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
+|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:+ - Path exclusions exclude specific files and whatever those files access.+ - Process exclusions exclude whatever a process touches, but does not exclude the process itself.+ - If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.+ - List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
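Review bot: the bullet "List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)" at the end of this hunk states a security property without the reason, and the reason is what makes an admin follow it: a name-only process exclusion matches any process whose image has that file name, launched from any directory, so a binary an attacker drops with the same name inherits the exclusion, while a full path limits it to the installed executable. In the second row of the exclusions table, `...\AgentControlPanel.exe` is still followed by `<br/>` although every other entry in that cell was changed to `<p>`, and "**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders." is not a sentence; "The numbered subfolders (`6\45` here) vary by installation." reads cleanly.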
You can choose from several methods to add your exclusions to Microsoft Defender
| Collection type | What to do | |--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
-|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p>Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <p>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
+|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<p>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<p> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
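Review bot: the Organizational units row says OUs "are defined in Azure Active Directory Domain Services" and links only the Azure AD DS how-to, yet the same cell describes assigning administrators and applying group policy, which most organizations switching to Defender for Endpoint do in on-premises Active Directory Domain Services. State that OUs exist in on-premises AD DS as well as Azure AD DS and link the on-premises procedure too; otherwise a reader with a domain-joined fleet is sent to the wrong product. In the Device groups row, step 5 recommends **Full - remediate threats automatically** with no qualification; since the table is organized by collection type, a sentence saying the automation level is chosen per device group (servers and workstations need not share one) would stop readers applying it tenant-wide on day one.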
## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies.+ - See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
> [!TIP] > You can deploy the policies before your organization's devices on onboarded.
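Review bot: the trailing TIP still reads "You can deploy the policies before your organization's devices on onboarded."; it should be "are onboarded". The link change from the absolute `/windows/security/threat-protection/microsoft-defender-antivirus/...` path to the relative `configure-block-at-first-sight-microsoft-defender-antivirus.md` follows the convention the other relative links in this set use (`rbac.md`, `configure-proxy-internet.md`), but it only works if that file now lives in this folder; confirm the page was moved rather than only the link rewritten.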
security Advanced Hunting Appfileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-appfileevents-table.md
- Title: AppFileEvents table in the advanced hunting schema
-description: Learn about file-related events associated with cloud apps and services in the AppFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AppFileEvents, Cloud App Security, MCAS
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
- - NOCSH
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365initiative-m365-defender
---
-# AppFileEvents
---
-**Applies to:**
-- Microsoft 365 Defender-
-The `AppFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.
-
->[!WARNING]
->This table will be retired soon. As of March 7, 2021, the `AppFileEvents` table is no longer logging records. Users hunting through file-related activities in cloud services on and beyond the said date should use the [CloudAppEvents](advanced-hunting-cloudappevents-table.md) table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).
--
-For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
-
-| Column name | Data type | Description |
-|-|--|-|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `ActionType` | string | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details |
-| `Application` | string | Application that performed the recorded action |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `PreviousFileName` | string | Original name of the file that was renamed as a result of the action |
-| `PreviousFolderPath` | string | Original folder containing the file before the recorded action was applied |
-| `Protocol` | string | Network protocol used |
-| `AccountName` | string | User name of the account |
-| `AccountDomain` | string | Domain of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `AccountUpn` | string | User principal name (UPN) of the account |
-| `AccountObjectId` | string | Unique identifier for the account in Azure AD |
-| `AccountDisplayName` | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `DeviceType` | string | Type of device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
-| `Port` | string | TCP port used during communication |
-| `DestinationDeviceName` | string | Name of the device running the server application that processed the recorded action |
-| `DestinationIPAddress` | string | IP address of the device running the server application that processed the recorded action |
-| `DestinationPort` | string | Destination port of related network communications |
-| `Location` | string | City, country, or other geographic location associated with the event |
-| `Isp` | string | Internet service provider (ISP) associated with the endpoint IP address |
-| `ReportId` | long | Unique identifier for the event |
-| `AdditionalFields` | string | Additional information about the entity or event |
-
->[!TIP]
-> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.
--
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)-- [Learn the query language](advanced-hunting-query-language.md)-- [Use shared queries](advanced-hunting-shared-queries.md)-- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)-- [Understand the schema](advanced-hunting-schema-tables.md)-- [Apply query best practices](advanced-hunting-best-practices.md)
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
DeviceLogonEvents
// - Network information (for network logons) // - Timestamp
-AppFileEvents
+CloudAppEvents
| take 100 | sort by Timestamp desc ```
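Review bot: the changed query `CloudAppEvents | take 100 | sort by Timestamp desc` picks an arbitrary 100 rows and then orders only those, so it does not return the 100 most recent events; if the intent is "latest 100", use `CloudAppEvents | top 100 by Timestamp desc` (or `sort` before `take`). This matters more after the rename than before, because `CloudAppEvents` carries far more activity than the file events the old table held, so the arbitrary sample is less likely to contain what the exercise is looking for.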
security Advanced Hunting Migrate From Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-migrate-from-mde.md
The [Microsoft 365 Defender advanced hunting schema](advanced-hunting-schema-tab
||-| | [AlertEvidence](advanced-hunting-alertevidence-table.md) | Files, IP addresses, URLs, users, or devices associated with alerts | | [AlertInfo](advanced-hunting-alertinfo-table.md) | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categories |
-| [AppFileEvents](advanced-hunting-appfileevents-table.md) | File-related activities in cloud apps and services |
| [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) | Information about files attached to emails | | [EmailEvents](advanced-hunting-emailevents-table.md) | Microsoft 365 email events, including email delivery and blocking events | | [EmailPostDeliveryEvents](advanced-hunting-emailpostdeliveryevents-table.md) | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
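Review bot: removing the `AppFileEvents` row leaves this table with no entry for cloud-app file activity: the context goes straight from `AlertInfo` to `EmailAttachmentInfo`, and no `CloudAppEvents` row appears in the hunk. This page is the migration guide for Defender for Endpoint users, who will look here for where file events in cloud apps went; add a row in alphabetical position, for example `| [CloudAppEvents](advanced-hunting-cloudappevents-table.md) | Events involving accounts and objects in Office 365 and other cloud apps and services |` (the description the schema tables page uses).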
New alerts generated by custom detection rules in Microsoft 365 Defender portal
- Query results that triggered the alert - Information on the custom detection rule
-![Image of new alert page](../../media/new-alert-page.png)
+> [!div class="mx-imgBorder"]
+> ![Image of new alert page](../../media/new-alert-page.png)
## Write queries without DeviceAlertEvents
security Advanced Hunting Schema Changes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-changes.md
Naming changes are automatically applied to queries that are saved in the securi
1. In the [EmailAttachmentInfo](advanced-hunting-emailattachmentinfo-table.md) and [EmailEvents](advanced-hunting-emailevents-table.md) tables, the `MalwareFilterVerdict`and `PhishFilterVerdict` columns have been replaced by the `ThreatTypes` column. The `MalwareDetectionMethod` and `PhishDetectionMethod` columns were also replaced by the `DetectionMethods` column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
-| Table name | Original column name | New column name | Reason for change
-|--|--|--|--|
-| `EmailAttachmentInfo` | `MalwareDetectionMethod` <br> `PhishDetectionMethod` | `DetectionMethods` | Include more detection methods |
-| `EmailAttachmentInfo` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
-| `EmailEvents` | `MalwareDetectionMethod` <br> `PhishDetectionMethod` | `DetectionMethods` | Include more detection methods |
-| `EmailEvents` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
+ | Table name | Original column name | New column name | Reason for change
+ |--|--|--|--|
+ | `EmailAttachmentInfo` | `MalwareDetectionMethod` <br> `PhishDetectionMethod` | `DetectionMethods` | Include more detection methods |
+ | `EmailAttachmentInfo` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
+ | `EmailEvents` | `MalwareDetectionMethod` <br> `PhishDetectionMethod` | `DetectionMethods` | Include more detection methods |
+ | `EmailEvents` | `MalwareFilterVerdict` <br>`PhishFilterVerdict` | `ThreatTypes` | Include more threat types |
2. In the `EmailAttachmentInfo` and `EmailEvents` tables, the `ThreatNames` column was added to give more information about the email threat. This column contains values like Spam or Phish.
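Review bot: the two tables are re-indented by one leading space, presumably to nest them under list item `1.`, but one space does not reach the content indent of a `1. ` item (three columns), so a CommonMark-style renderer will close the list before the table rather than attach it; check the rendered page and, if nesting is the goal, indent by three spaces. The header row `| Table name | Original column name | New column name | Reason for change` also lacks the trailing `|` that every other row carries; add it so the column count is unambiguous.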
Naming changes are automatically applied to queries that are saved in the securi
4. In the [DeviceEvents](advanced-hunting-deviceevents-table.md) table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
-| Table name | Original ActionType name | New ActionType name | Reason for change
-|--|--|--|--|
-| `DeviceEvents` | `DlpPocPrintJob` | `FilePrinted` | Customer feedback |
-| `DeviceEvents` | `UsbDriveMount` | `UsbDriveMounted` | Customer feedback |
-| `DeviceEvents` | `UsbDriveUnmount` | `UsbDriveUnmounted` | Customer feedback |
-| `DeviceEvents` | `WriteProcessMemoryApiCall` | `WriteToLsassProcessMemory` | Customer feedback |
+ | Table name | Original ActionType name | New ActionType name | Reason for change
+ |--|--|--|--|
+ | `DeviceEvents` | `DlpPocPrintJob` | `FilePrinted` | Customer feedback |
+ | `DeviceEvents` | `UsbDriveMount` | `UsbDriveMounted` | Customer feedback |
+ | `DeviceEvents` | `UsbDriveUnmount` | `UsbDriveUnmounted` | Customer feedback |
+ | `DeviceEvents` | `WriteProcessMemoryApiCall` | `WriteToLsassProcessMemory` | Customer feedback |
## March 2021 The `DeviceTvmSoftwareInventoryVulnerabilities` table has been deprecated. Replacing it are the `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables.
+## May 2021
+The `AppFileEvents` table has been deprecated. The `CloudAppEvents` table includes information that used to be in the `AppFileEvents` table, along with other activities in cloud services.
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
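Review bot: the `WriteProcessMemoryApiCall` to `WriteToLsassProcessMemory` rename is not cosmetic like the other three rows: the new name narrows the meaning to writes into the LSASS process, so a custom detection or saved query keyed on the old, broader name needs review, and "Customer feedback" as the reason hides that. Say explicitly whether the event's scope changed or only its label, because the page opens by promising that naming changes are applied to saved queries automatically, which readers will take to mean no rework is needed. The new May 2021 entry also omits two facts the deleted `AppFileEvents` page carried, the date the table stopped logging (March 7, 2021) and a link to `[CloudAppEvents](advanced-hunting-cloudappevents-table.md)`; both belong in the deprecation note so an analyst knows how far back old queries still return data and where to go instead.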
security Advanced Hunting Schema Tables https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-tables.md
The following reference lists all the tables in the schema. Each table name link
||-| | **[AlertEvidence](advanced-hunting-alertevidence-table.md)** | Files, IP addresses, URLs, users, or devices associated with alerts | | **[AlertInfo](advanced-hunting-alertinfo-table.md)** | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization |
-| **[AppFileEvents](advanced-hunting-appfileevents-table.md)** | File-related activities in cloud apps and services |
| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | | **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
For **System security**, see this table.
|Type|Properties|Value|Action| |||||
-|Microsoft Defender for Endpoint rules in the Microsoft Endpoint Manager admin center|[Require the device to be at or under the machine-risk score](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level)|Medium|Select|
+|Microsoft Defender for Endpoint rules in the Microsoft Endpoint Manager admin center|[Require the device to be at or under the machine-risk score](/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level)|Medium|Select|
| ## Require compliant PCs (but not compliant phones and tablets)
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
Our data indicates that a user is 30 times more likely to click a malicious link
We also determined that the allowed sender and allowed domain lists in anti-spam policies and Safe Senders in Outlook were too broad and were causing more harm than good.
-To put it another way: as a security service, we're acting on your behalf to prevent your users from being compromised.
+To put it another way: as a security service, we're acting on your behalf to prevent your users from being compromised.
## Exceptions
-The only override that allows high confidence phishing message to bypass filtering is Exchange mail flow rules (also known as transport rules). To use mail flow rules to bypass filtering, see [Use mail flow rules to set the SCL in messages](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md).
+> [!NOTE]
+> In July 2021, secure by default will be extended to Exchange mail flow rules (also known as transport rules). If you use mail flow rules to allow third-party phishing simulations or unfiltered delivery to security operation mailboxes, you eventually need to eliminate these rules and switch to using the [advanced delivery policy](configure-advanced-delivery.md) _when the feature is available to you_.
+
+The only override that allows high confidence phishing message to bypass filtering is mail flow rules. To use mail flow rules to bypass filtering, see [Use mail flow rules to set the SCL in messages](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md).
You should only consider using overrides in the following scenarios:
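Review bot: the new note and the sentence after it now contradict each other. The note says that from July 2021 secure by default is extended to mail flow rules (that is, they stop bypassing high confidence phishing filtering), while the retained sentence still states without qualification that mail flow rules are "the only override that allows high confidence phishing message to bypass filtering". Suggest dating that sentence ("Until July 2021, the only override ...") and fixing the number agreement ("high confidence phishing messages"). The note's direction of moving phishing-simulation and security-operations-mailbox exceptions to the advanced delivery policy is the right one, since a standing transport-rule bypass exempts far more mail than those two cases need.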
solutions End Life Cycle Groups Teams Sites Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer.md
description: "End of lifecycle options for groups, teams, and Yammer."
# End of lifecycle options for groups, teams, and Yammer
-Microsoft 365 Groups and Microsoft Teams work with a variety of connected services. When a group or team is deleted, most of the information in the connected services is also deleted. This article describes options for retaining information by moving it out of the group or team prior to deletion.
+Microsoft 365 Groups and Microsoft Teams work with multiple connected services. When a group or team is deleted, most of the information in the connected services is also deleted. This article describes options for retaining information by moving it out of the group or team before deletion.
-A common practice for groups or teams that are no longer required is to move the files out of the team and store them in another location such as a SharePoint document library acting as a repository or archive. This practice is based on a legacy style of working where information is stored within files and folders, and communications are conducted via email.
+A common practice for groups or teams that are no longer required is to move the files out of the team and archive them in another location such as a SharePoint document library. This practice is based on a legacy style of working where information is stored in files and folders, and communications are conducted via email.
The following table outlines the services associated with groups and teams and key types of content found in each of them:
The following table outlines the services associated with groups and teams and k
|Stream|Videos| |Yammer|Conversations|
-When deleting a group or team, most of the associated resources are also deleted. Some of the exceptions to this include videos in Stream ΓÇô these remain and are still owned by the person who uploaded/recorded them, as do flows in Power Automate. Project and roadmap data in Project on the web remains in the CDS and can be restored separately.
+When deleting a group or team, most of the associated resources are also deleted. Exceptions include:
-Groups and teams remain in a soft-delete state for 30 days and can be restored at any time. However, after the 30 days they, and any associated resources such as services and content, are completely purged from the Microsoft 365 environment. Any content protected by a retention policy remains available through eDiscovery searches.
+- Videos in Stream remain and are owned by the person who uploaded/recorded them
+- Flows in Power Automate remain and are owned by the person who created them.
+- Project and roadmap data in Project on the web remains in the CDS and can be restored separately.
+
+Groups and teams remain in a soft-delete state for 30 days and can be restored at any time. However, after the 30 days they, and any associated resources such as services and content, are purged from the Microsoft 365 environment. Any content protected by a retention policy remains available through eDiscovery searches.
## End of life cycle considerations for group-connected services
There are three key areas that team and group owners and IT administrators need
**Content**
-Does the content need to be retained after the team is no longer functional or in existence? Is it sufficient to rely on retention capabilities of Microsoft 365, or is some of the content in apps and services that do not offer retention? Does the content need to be retained for record management purposes, for archival purposes, or for future use and reference purposes?
+Does the content need to be retained after the team is no longer there? Is it sufficient to rely on retention capabilities of Microsoft 365, or is some of the content in apps and services that don't offer retention? Does the content need to be retained for record management, archival, or future use and reference purposes?
-These questions must be asked before any team is archived or deleted, to avoid any potential data loss.
+To avoid any potential data loss, these questions must be asked before any team is archived or deleted.
**Services**
-On top of the content across various apps and services, do they need to stay in their current working form? For example, does the Power BI report need to continue to be accessible, do the Form results need to be available in the visual summary view, are the lists in SharePoint linked to or embedded anywhere?
+Does content need to stay in its current working form? For example, does the Power BI report need to continue to be accessible? Do the Form results need to be available in the visual summary view? Are the lists in SharePoint linked to or embedded anywhere?
-Similar to the content considerations, these questions must be asked before the underlying group is deleted as simply exporting the content may not be sufficient.
+These questions must be asked before the underlying group is deleted because exporting the content may not be sufficient.
**Guests**
-When guests are invited to a team, the workflow creates their identity in the host organizationΓÇÖs Azure Active Directory before adding them to the team. When a team is deleted, guests are not removed from Azure Active Directory and as such still exist in the Microsoft Teams environment. While guests cannot access groups, sites, teams, or content which has not been shared with them, they can still potentially utilize features within Microsoft Teams such as initiating chats, voice and video calls, and using apps.
+When guests are invited to a team, a guest account is created in the host organizationΓÇÖs Azure Active Directory before adding them to the team. When a team is deleted, guests aren't removed from Azure Active Directory. While guests can't access groups, sites, teams, or content which hasn't been shared with them, they can still potentially use features within Microsoft Teams such as starting chats, voice and video calls, and using apps.
-A team or group owner can invite an external user to become a guest in Azure Active Directory, add them to the team, as well as remove them from the team. A team owner cannot, however, remove the guest from Azure Active Directory ΓÇô this can only be performed by a global admin or user admin.
+A team or group owner can invite someone from outside the organization to become a guest in Azure Active Directory by adding them to a team. A team owner can't, however, remove the guest from Azure Active Directory. Deleting accounts can only be performed by a global admin or user admin.
-Therefore it is important to perform guest reviews, as well as to understand whether guests need to be removed from Azure Active Directory upon team deletion. There may be a valid case for guests to remain in the directory, such as being a member of one or more other teams or using other Microsoft 365 or Azure services.
+It's important to perform guest reviews and to understand whether guests need to be removed from Azure Active Directory upon team deletion. There may be a valid case for guests to remain in the directory, such as being a member of other teams or using other Microsoft 365 or Azure services.
## Teams Teams-specific content is primarily in the form of conversations.
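Review bot: the rewritten owner sentence drops the statement that a team owner can remove a guest from the team. The old text covered both halves of the responsibility split (owners add and remove guests at the team level; only a global admin or user admin removes the guest account from Azure Active Directory), and the following paragraph asks readers to decide whether guests should be removed from the directory after team deletion, so that split matters. Suggest: "A team or group owner can add a guest to the team and remove them from it, but can't delete the guest account from Azure Active Directory; only a global admin or user admin can do that."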
-Conversations in channels cannot be copied or moved using native Microsoft Teams functionality. They can however be exported using the Graph API.
+Conversations in channels can't be copied or moved using native Microsoft Teams functionality. They can however be exported using the Graph API.
Additionally, if a retention policy is applied to Teams, the conversations are retained and available through eDiscovery searches. Using advanced eDiscovery you can [reconstruct a Teams chat conversation](/microsoft-365/compliance/conversation-review-sets). ### Archiving a team
-The benefit of [archiving a team](/microsoftteams/archive-or-delete-a-team) is that it provides full access to the team as it was, so that users can still browse channel conversations and open files even if they are not active. Additionally, teams can be unarchived if there is a need to continue working on them (such as in the case of a project extension).
+The benefit of [archiving a team](/microsoftteams/archive-or-delete-a-team) is that it provides full access to the team as it was. Users can still browse channel conversations and open files even if they aren't active. Additionally, teams can be unarchived if there's a need to continue working on them (for example, if a project is extended).
-When a team is archived by an owner, it is set to read-only for members both for content within the team as well as if selected, the associated SharePoint site. The objective of this action is to ensure that conversations in channels are preserved in their existing state, along with SharePoint-based content such as files and wikis.
+When a team is archived by an owner, it's set to read-only for members both for content within the team and if selected, the associated SharePoint site. The objective of this action is to ensure that conversations in channels are preserved in their existing state, along with SharePoint-based content such as files and wikis.
-In the SharePoint site there are no visible changes, however no changes can be made to any files or lists as the SharePoint-based permissions group for the Microsoft 365 Group is set to Site Visitors level. This includes the OneNote notebook for the team, as this is stored in the Site Assets library within the SharePoint site.
+In the SharePoint site there are no visible changes. However, no changes can be made to any files or lists because the SharePoint permissions for the Microsoft 365 Group are set to **Site visitors**. This includes the OneNote notebook for the team, which is stored in the Site Assets library within the SharePoint site.
When a team is archived, the underlying Microsoft 365 group is still subject to the expiration policy (if set), and as such the owner must continue to renew the team.
-While the teamΓÇÖs channel conversations and SharePoint site contents are set to read-only, the same is not applied to other associated
+While the teamΓÇÖs channel conversations and SharePoint site contents are set to read-only, the same isn't applied to other associated
-- Planner buckets and tasks can still be created, modified, and deleted-- Forms can still receive submissions-- The Outlook mailbox can still receive emails-- Power BI dashboards, reports and data can still be modified-- Projects and roadmaps can still be edited in Project on the web-- Videos can still be uploaded, modified, and deleted in Stream-- Flows in Power Automate can still be created, modified, deleted, and will continue to run (they will fail however, if required to post a message to a channel of the archived team)
+- Planner buckets and tasks can still be created, modified, and deleted.
+- Forms can still receive submissions.
+- The Outlook mailbox can still receive emails.
+- Power BI dashboards, reports and data can still be modified.
+- Projects and roadmaps can still be edited in Project on the web.
+- Videos can still be uploaded, modified, and deleted in Stream.
+- Flows in Power Automate can still be created, modified, deleted, and will continue to run. (They will fail however, if required to post a message to a channel of the archived team.)
## Forms
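Review bot: the "+" line that ends "the same isn't applied to other associated" still has no noun, so the sentence that introduces the bullet list reads as cut off; suggest "isn't applied to other associated services:" ahead of the bullets. In the last bullet, the parenthetical would read more naturally as "(They will fail, however, if they need to post a message to a channel of the archived team.)".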
-While a form can be moved from an individual account to a group, it cannot be moved or copied from one group to another. There are three options available for a form when a team is deleted.
+While a form can be moved from an individual account to a group, it can't be moved or copied from one group to another. There are three options available for a form when a team is deleted.
**Duplicate the form**
-Forms can be [shared as templates](https://support.microsoft.com/office/82ea9d8a-260a-47a0-afdb-497f3d746e3f), allowing other users to copy it to their own account or a group. This does not retain the data from result submissions; only form structure such as questions and settings.
+Forms can be [shared as templates](https://support.microsoft.com/office/82ea9d8a-260a-47a0-afdb-497f3d746e3f), allowing other users to copy it to their own account or a group. This doesn't retain the data from result submissions; only form structure such as questions and settings.
**Export results to a spreadsheet**
-If the data of the form responses needs to be retained, this can be achieved by [exporting the results to an Excel spreadsheet](https://support.office.com/article/02859424-341d-406f-b32a-9a0fbaf357af). This will only export the questions and their responses as data ΓÇô it does not include graphs created by Forms.
-
+If the data of the form responses needs to be retained, this can be achieved by [exporting the results to an Excel spreadsheet](https://support.office.com/article/02859424-341d-406f-b32a-9a0fbaf357af). This will only export the questions and their responses as data ΓÇô it doesn't include graphs created by Forms.
**Delete the Form**
-While deletion of the group will also result in the deletion of any associated forms, group members can [directly delete them](https://support.microsoft.com/office/2207e468-ce1b-4c4a-a256-caf631d87af0) without being an owner of the group ΓÇô however this is a manual step that does not provide any additional benefit.
+While deletion of the group will also result in the deletion of any associated forms, group members can [directly delete them](https://support.microsoft.com/office/2207e468-ce1b-4c4a-a256-caf631d87af0) without being an owner of the group. However, this is a manual step that doesn't provide any additional benefit.
## OneNote
-The OneNote notebook included in a group is stored in the Site Assets library within the associated SharePoint site. While notebook files can sometimes be spread across multiple individual files, they cannot be simply copied and opened independently. Instead, the contents of the OneNote notebook must be moved or exported using OneNote 2016.
+The OneNote notebook included in a group is stored in the Site Assets library within the associated SharePoint site. While notebook files can sometimes be spread across multiple individual files, they can't be copied and opened independently. Instead, the contents of the OneNote notebook must be moved or exported using OneNote 2016.
**Move pages and sections to another notebook**
The OneNote notebook included in a group is stored in the Site Assets library wi
**Export the entire notebook as a package**
-If the entire notebook needs to be retained with its existing structure, it can be [exported as a OneNote package](https://support.office.com/article/a4b60da5-8f33-464e-b1ba-b95ce540f309) file and then imported to a new location. Alternatively, this can be used as a method to retain the contents in a single file instead of the existing multi-file structure.
+If the entire notebook needs to be retained with its existing structure, it can be [exported as a OneNote package](https://support.office.com/article/a4b60da5-8f33-464e-b1ba-b95ce540f309) file and then imported to a new location. Instead, this can be used as a method to retain the contents in a single file instead of the existing multi-file structure.
**Print to PDF**
In scenarios where some of the contents of the notebook need only to be retained
## Mailbox and calendar
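Review bot: "Instead, this can be used as a method to retain the contents in a single file instead of the existing multi-file structure" changes the meaning of the replaced sentence. The old "Alternatively" presented the single-file export as a second use of the same package export; "Instead" now reads as a contradiction of the import step just described, and the sentence uses "instead" twice. Suggest: "This export also serves to keep the contents in a single file rather than the existing multi-file structure."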
-It is not uncommon for the group-associated mailbox to be utilized, even though many conversations may have been conducted within team channels. The mailbox only stores emails that were emailed directly to it and does not include emails that were sent directly to channels.
+It's not uncommon for the group-associated mailbox to be used, even though many conversations may have been conducted within team channels. The mailbox only stores emails that were emailed directly to it and doesn't include emails that were sent directly to channels.
-In some cases, the emails stored within the mailbox may simply be notifications of meetings, Planner task updates, and other app or system generated messages. It is important that the contents of the mailbox be reviewed to determine whether the content should be retained or deleted.
+In some cases, the emails stored within the mailbox may be notifications of meetings, Planner task updates, and other app or system-generated messages. it's important that the contents of the mailbox be reviewed to determine whether the content should be retained or deleted.
-If a retention policy is applied to Exchange, the emails and calendar items are retained and available through eDiscovery searches.
+If a retention policy is applied in Exchange, the emails and calendar items are retained and available through eDiscovery searches.
**Export mail and calendar**
-Team or group members can [export the contents of the mailbox and calendar to an Outlook Data / Personal Storage (PST) file](https://support.office.com/article/14252b52-3075-4e9b-be4e-ff9ef1068f91). This file can then be stored elsewhere, or the contents can be imported into a different mailbox. The former is not recommended as the contents of the PST file are not searchable without opening it in Outlook, and the file itself can become corrupted over time.
+Team or group members can [export the contents of the mailbox and calendar to an Outlook Data / Personal Storage (PST) file](https://support.office.com/article/14252b52-3075-4e9b-be4e-ff9ef1068f91). This file can then be stored elsewhere, or the contents can be imported into a different mailbox. The former isn't recommended as the contents of the PST file aren't searchable without opening it in Outlook, and the file itself can become corrupted over time.
**IT-performed content migration**
Administrators can use third-party tools to migrate email and calendar contents
## Planner
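Review bot: "it's important that the contents of the mailbox be reviewed" starts a sentence in lowercase; capitalize "It's". The rest of the hunk reads well, and the PST caveat (not searchable without opening in Outlook, can corrupt over time) is worth keeping as written.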
-Each group or team can have multiple plans. It is important during the offboarding process to ensure that each plan is addressed as to whether its contents are retained. Like the other products, there are several approaches to offboard content in Planner.
+Each group or team can have multiple plans. It's important during the off-boarding process to ensure that retention requirements are addressed for each plan. Like the other services, there are several approaches to off-board content in Planner.
**Export the plan to a spreadsheet**
-If it is only required to keep a copy of the plan for record-keeping purposes, the simplest approach is to [export the plan to an Excel spreadsheet](https://support.microsoft.com/office/4d850c6e-e548-4aab-83b4-b62b68662d2a). This is a one-way action, as there is no option to import plans from a spreadsheet.
+If it's only required to keep a copy of the plan for record-keeping purposes, the simplest approach is to [export the plan to an Excel spreadsheet](https://support.microsoft.com/office/4d850c6e-e548-4aab-83b4-b62b68662d2a). This is a one-way action - there's no option to import plans from a spreadsheet.
> [!IMPORTANT]
-> Exporting a plan to Excel will take most information within the plan, but will not include comments, links, or files.
+> Exporting a plan to Excel will take most information within the plan, but won't include comments, links, or files.
**Copy and move tasks to another Plan**
-While this seems like a solution, individual tasks can only be [copied or moved between plans](https://support.microsoft.com/office/ad43a5d8-c1ad-42fd-b3da-fe97d72c8a1b) within the same group, which negates the benefit in if the group associated With the plan is being deleted.
+While copying or moving tasks to another plan seems like a solution, individual tasks can only be [copied or moved between plans](https://support.microsoft.com/office/ad43a5d8-c1ad-42fd-b3da-fe97d72c8a1b) within the same group. This won't back up the data if the group associated With the plan is being deleted.
**Copy entire plan**
-It is also possible to [copy the entire plan](https://support.microsoft.com/office/50401e13-a25f-40df-93c6-b608cc28c3d4). However this cannot be to an existing group or even within the same group. Copying the plan will create a new group. Additionally, copying the entire plan will not include comments, assignments, links, attachments, or dates.
+It's also possible to [copy the entire plan](https://support.microsoft.com/office/50401e13-a25f-40df-93c6-b608cc28c3d4). Copying can't be done to an existing group. Copying the plan will create a new group. Additionally, copying the entire plan won't include comments, assignments, links, attachments, or dates.
## Power Automate
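Review bot: two points in this hunk. First, "associated With the plan" keeps the stray capital W from the old text. Second, the rewritten copy-entire-plan paragraph drops "or even within the same group", which was the informative part: the preceding section already says tasks can only be moved between plans in the same group, so readers need to know that copying a whole plan isn't possible within that group either. Suggest: "Copying can't be done to an existing group, or even within the same group; copying the plan always creates a new group." Minor: "one-way action - there's" uses a hyphen as a dash; a period or semicolon would be cleaner.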
-Flows created in Power Automate and associated with a group or team do not belong to the group, and instead are owned by the creator and merely shared with other users and groups. As such they are not affected if a group or team is deleted.
+Flows created in Power Automate and associated with a group or team don't belong to the group. They are owned by the creator and merely shared with other users and groups. As such they aren't affected if a group or team is deleted.
**Change ownership of the flow**
-If the workflow needs to continue operating, any owners can simply add other users or Microsoft 365 groups as owners.
+If the flow needs to continue operating, any owners can add other users or Microsoft 365 groups as owners.
**Export the flow**
-If the workflow does not need to continue operating but it needs to be preserved for potential future use, it can be [exported as a file](https://flow.microsoft.com/blog/import-export-bap-packages/) and imported again later.
+If the flow doesn't need to continue operating but it needs to be preserved for potential future use, it can be [exported as a file](https://flow.microsoft.com/blog/import-export-bap-packages/) and imported again later.
## Power BI
-Power BI data and workspaces can operate independently from groups and teams and like other workloads offer different ways of being offboarded.
+Power BI data and workspaces can operate independently from groups and teams and like other workloads offer different ways of being off-boarded.
**Copy reports to another workspace**
-If the report needs to be preserved in its functional state beyond the life of the group or team, it can be [copied from the existing workspace to another workspace within Power BI](/power-bi/connect-data/service-datasets-copy-reports).
+If you need the report once the group or team is deleted, it can be [copied from the existing workspace to another workspace within Power BI](/power-bi/connect-data/service-datasets-copy-reports).
**Export data from a dashboard or report**
-Alternatively, if the report no longer needs to be active but the data needs to be retained, it can be [exported to Excel](/power-bi/visuals/power-bi-visualization-export-data).
+Instead, if the report no longer needs to be active but the data needs to be retained, it can be [exported to Excel](/power-bi/visuals/power-bi-visualization-export-data).
## Project
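Review bot: "Instead, if the report no longer needs to be active but the data needs to be retained" misuses "Instead": exporting the data is the alternative to copying the report, not a replacement for it. Suggest simply "If the report no longer needs to be active but the data needs to be retained, it can be exported to Excel."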
-Projects and Roadmaps created in Project on the web can be associated with Microsoft 365 groups and offers approaches to offboarding similar to Power BI.
+Projects and Roadmaps created in Project for the web are associated with Microsoft 365 groups and have approaches to off-boarding similar to Power BI.
**Assign the project to another group**
-If the project needs to be preserved in its functional state beyond the life of the group or team, it can be [assigned to a different Microsoft 365 group](/project-for-the-web/access-a-project-after-group-is-deleted#reassign-the-project) using the Dynamics 365 Administration Center.
+If the project needs to be preserved in its functional state beyond the life of the group or team, it can be [assigned to a different Microsoft 365 group](/project-for-the-web/access-a-project-after-group-is-deleted#reassign-the-project). This can be done using the Dynamics 365 Administration Center.
**Export data from the project or roadmap**
-Using the Dynamics 365 Administration Center it is possible to [export user data from the project](/project-for-the-web/export-user-data-from-project-for-the-web) to a spreadsheet, or if using a PowerShell script the data can be exported to Project file (.MPP) and XML file formats.
+Using the Dynamics 365 Administration Center, it's possible to [export user data from the project](/project-for-the-web/export-user-data-from-project-for-the-web) to a spreadsheet. The data can also be exported to Project file (.MPP) and XML file formats by using PowerShell.
## SharePoint
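Review bot: the product name changes to "Project for the web" here, but the rest of this article (the exceptions list under the deletion paragraph and the archived-team list) still says "Project on the web"; pick one name and use it throughout. Also, "are associated" replaces "can be associated", which is a factual change rather than a copy edit: if a project can exist without a Microsoft 365 group, the old wording was the correct one, so please confirm before merging.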
-All files in team channels are stored in the document library in the SharePoint site of the associated group. In some cases, content other than documents may exist in SharePoint, such as lists or pages.
+
+All files in team channels are stored in the SharePoint site of the associated group. In some cases, content other than documents may exist in SharePoint, such as lists or pages.
+ Files are generally stored in three primary locations within a SharePoint site: - Pages - Site Pages library
Files are generally stored in three primary locations within a SharePoint site:
- Files in channels ΓÇô Documents library - Wiki pages ΓÇô Teams Wiki Data library
-If the site has one or more sub-sites nested underneath it, the offboarding process will need to be repeated for each sub-site. If the team contains private channels, there is a separate SharePoint site for each channel.
+If the site has one or more subsites, the off-boarding process will need to be repeated for each subsite. If the team contains private channels, there's a separate SharePoint site for each channel.
-It is important when removing files from a group or team to consider that they may be shared with users who are not members of the group or team (whether internal or external to the organization), and as such it may be worthwhile communicating the impending change to them.
+It's important when removing files from a group or team to consider that they may be shared with users who aren't members of the group or team. You may want to communicate the impending change to them.
**Download files**
-In the case of files stored within SharePoint in one of the libraries mentioned above, these can be [downloaded to a local computer](https://support.office.com/article/5c7397b7-19c7-4893-84fe-d02e8fa5df05).
+Files stored in SharePoint in one of the libraries mentioned above can be [downloaded to a local computer](https://support.office.com/article/5c7397b7-19c7-4893-84fe-d02e8fa5df05).
**Move files**
-Additionally, files can be moved to another location within SharePoint such as a library in a different site.
-Reference: https://support.office.com/article/move-or-copy-files-in-sharepoint-00e2f483-4df3-46be-a861-1f5f0c1a87bc
+Additionally, files can be [moved to another location within SharePoint such as a library in a different site](https://support.office.com/article/00e2f483-4df3-46be-a861-1f5f0c1a87bc).
**Export list**+ Data stored within SharePoint lists can be [exported to an Excel spreadsheet](https://support.office.com/article/bfb2ea48-6118-4fa9-abb6-cced9424e5d9), and imported again to a list in another site. Alternatively, a third-party tool can be used to migrate the list between sites in order to retain function, list views, formatting, and other attributes. **ΓÇ£ExportΓÇ¥ wiki files**
-Wiki contents within team channels are stored in a HTML formatted file in a dedicated library of the associated SharePoint site. They cannot be readily exported and imported to another channel wiki but can be converted to a HTML file and opened as a web page.
+Wiki contents within team channels are stored in an HTML formatted file in a dedicated library of the associated SharePoint site. They can't be readily exported and imported to another channel wiki but can be converted to an HTML file and opened as a web page.
## Microsoft Stream
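Review bot: the added line " Files are generally stored in three primary locations within a SharePoint site: - Pages - Site Pages library" has a leading space, duplicates the sentence on the context line that follows it, and runs the first list item into that sentence; it looks like an accidental paste and should either be removed or split into the sentence plus a separate "- Pages - Site Pages library" bullet. The rewritten sharing sentence also drops "(whether internal or external to the organization)"; since the Guests section stresses that external users keep their directory accounts, keeping "including guests outside the organization" preserves the warning that removing files can cut off external collaborators. Finally, the wiki heading shows mojibake ("ΓÇ£ExportΓÇ¥") where curly quotes were; re-save the file as UTF-8 or use straight quotes.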
-Like Power Automate, videos in Stream associated with a group or team are not actually owned by the group and are not deleted when the group is deleted. Videos in Stream are owned by the person who uploaded or created the video, even if they add users or groups as owners. This is also the case for meetings recorded in a Teams channel; they are owned by the person who initiated the recording.
+Like Power Automate, videos in Stream associated with a group or team aren't actually owned by the group and aren't deleted when the group is deleted. Videos in Stream are owned by the person who uploaded or created the video, even if they add users or groups as owners. Meetings recorded in a Teams channel are owned by the person who started the recording.
**Adding other owners**
-As the video is retained in Stream regardless of group deletion, the original owner can [share the video with other users and groups, even adding them as owners](/stream/portal-edit-video).
+Because the video is retained in Stream when the group is deleted, the original owner can [share the video with other users and groups, even adding them as owners](/stream/portal-edit-video).
**Download the video**
-In scenarios where the video does not need to be retained in Stream or needs to be stored in an alternate location such as a records management system, an owner can be [download it locally](/stream/portal-download-video)
+In scenarios where the video doesn't need to be retained in Stream or needs to be stored in an alternate location such as a records management system, an owner can [download it locally](/stream/portal-download-video).
## Yammer
Unlike conversations in Microsoft Teams, Yammer offers both users and administra
**Move conversations to another group or community**
-Conversations can be moved to another Yammer group by any user, not just owners or administrators. This is possible in both the [classic Yammer](https://support.office.com/article/149c6399-4ac1-4ced-84d7-e0660960a872), as well as the [new Yammer](https://support.office.com/article/d63debf1-1c90-4ec5-b5ae-8a00939a1680) interfaces.
+Conversations can be moved to another Yammer group by any user, not just owners or administrators. This is possible in both the [classic Yammer](https://support.office.com/article/149c6399-4ac1-4ced-84d7-e0660960a872) and the [new Yammer](https://support.office.com/article/d63debf1-1c90-4ec5-b5ae-8a00939a1680) interfaces.
**Export network data**
-Yammer network administrators can perform an [export of network data](/yammer/manage-security-and-compliance/export-yammer-enterprise-data), however doing so will export all conversations for the entire network. The resulting export however lists the Group ID, so it is possible to filter conversations based on this.
+Yammer network administrators [export network data](/yammer/manage-security-and-compliance/export-yammer-enterprise-data). However, doing so will export all conversations for the entire network. The resulting export lists the Group ID. It's possible to filter conversations based on this ID.
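Review bot: "Yammer network administrators [export network data]" lost the verb "can" in the rewrite, so it now states that administrators export the data rather than that they are able to. Suggest "Yammer network administrators can [export network data](...)". The remaining sentences (the export covers the whole network; the Group ID column allows filtering) are clear.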