+# Change user profile photos and settings

+This article explains how to manage profile photos and photo update settings on user accounts and [Microsoft 365 Groups](../create-groups/office-365-groups.md).

+> If you need help with the steps in this article, consider [working with a Microsoft small business specialist](https://go.microsoft.com/fwlink/p/?linkid=2186871). With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

+User profile photo updates don't affect other user account properties. Configuration of the environment where new updates can be performed doesn't affect existing user profile photos in the cloud or in on-premises environments. 

+## Configure photo update settings in your Microsoft 365 organization

+Photo update settings in your organization include controlling the environment where user profile photos can be updated and which roles are required.

+> [!IMPORTANT]

+> When you change photo update settings, it can take up to 24 hours for the changes to reflect throughout Microsoft 365. For example, if you block cloud user profile photo updates, it can take up to 24 hours before the users are blocked from making updates.

+### Select where user profile photos can be edited using Microsoft Graph

+Currently, you can configure the photo update settings using Microsoft Graph only. For more information, see Manage user profile photo settings in Microsoft 365 using Microsoft Graph.

+ > [!NOTE]

+ > If prompted, select Sign In.

+ > [!NOTE]

+ > If others are also editing the document, Microsoft 365 alerts you to their presence, and shows you where in the file theyΓÇÖre working.

+ > [!NOTE]

+ > The link works until the expiration date.

+ > [!NOTE]

+ > If you donΓÇÖt immediately see this option, first select **Show all**.

+ Title: Compliance for Microsoft 365

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: high

+- scotvorg

+- must-keep

+- essentials-compliance

+- it-pro

+- intro-overview

+description: Learn about compliance for Microsoft 365 for enterprise.

+# Compliance for Microsoft 365 for enterprise

+Most organizations have business or legal requirements that govern how data is used, shared, and retained. Some organizations also have data residency requirements or regulatory requirements that restrict communication between certain users and groups.

+[Microsoft Compliance](/compliance) contains a plethora of information to help organizations understand how we as a cloud service provider can satisfy those requirements. See the [comprehensive list of compliance offerings](/compliance/regulatory/offering-home) for information detailing how Microsoft complies with national, regional, and industry-specific requirements governing the collection and use and data.

+## Shared responsibility model

+Security and compliance in the cloud is a [shared responsibility](/compliance/assurance/assurance-risk-assessment-guide) and the division of those responsibilities between the cloud service provider and customer depends on the cloud offering utilized. Microsoft works to ensure that we are compliant with industry and international standards, and customers are responsible for ensuring their data within the [Microsoft Cloud](https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview#compliance) is protected in a manner that is compliant with the standards and regulations imposed on the customer.

+## Inheritance of compliance features and settings

+Microsoft 365 apps, depending on the app, inherit compliance features and settings from Microsoft Teams, Exchange Online, SharePoint Online, Azure, and Viva Engage. In addition, all Microsoft 365 services are built on the [Microsoft Graph API](/graph/overview).

+For detailed information on each service, see:

+**Microsoft 365** [Plan for security and compliance](/microsoft-365/compliance/plan-for-security-and-compliance)

+**Microsoft Teams** [Overview of security and compliance in Microsoft Teams](/microsoftteams/security-compliance-overview)

+**Microsoft SharePoint** [Plan compliance requirements for SharePoint and OneDrive](/SharePoint/compliant-environment)

+**Microsoft Graph** [Use the Microsoft Graph compliance and privacy APIs](/graph/api/resources/complianceapioverview)

+**Viva Engage** [Overview of security and compliance in Viva Engage](/viva/engage/manage-security-and-compliance/security-and-compliance)

+**Microsoft Entra ID** [Microsoft Entra security baseline for Microsoft Entra ID](/security/benchmark/azure/baselines/aad-security-baseline)

+**Azure** [Azure, Dynamics 365, Microsoft 365, and Power Platform compliance offerings](/azure/compliance/offerings/)

+## General Data Protection Regulation (GDPR)

+All Microsoft 365 apps and services support compliance with EU General Data Protection Regulation (GDPR) requirements.

+For detailed information, see [the GDPR Overview](/compliance/regulatory/gdpr).

+## Data residency

+Multi-Geo is Microsoft 365 feature that allows organizations to span their storage over multiple geo locations and specify where to store users' data. For multinational customers with data residency requirements, you can use this feature to ensure that each user's data is stored in the geo location necessary for compliance. For more info about this feature, see [Multi-Geo Capabilities in OneDrive and SharePoint](/office365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-office-365/).

+For more information about Microsoft 365 Multi-Geo, see [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo).

+## Microsoft Purview

+[Microsoft Purview](/purview/purview) is a family of data governance, risk, and compliance solutions that can help your organization govern, protect, and manage your entire data estate.

+### Data lifecycle management

+Use data lifecycle management capabilities in Microsoft Purview to govern your OneDrive and SharePoint content for compliance or regulatory requirements. The following table describes the capabilities to help you keep the content you need you and delete what you don't need.

+|Capability|What problems does it solve?|Get started|

+|:|:|:-|

+|[Retention policies and retention labels](/microsoft-365/compliance/retention)<br /><br />[Learn about retention for SharePoint and OneDrive](/microsoft-365/compliance/retention-policies-sharepoint) | Retain or delete content with policy management for SharePoint and OneDrive documents | [Create and configure retention policies](/microsoft-365/compliance/create-retention-policies) <br /><br /> [Create retention labels for exceptions to your retention policies](/microsoft-365/compliance/create-retention-labels-information-governance)|

+#### Deleted users' data

+When a user leaves your organization and you've deleted that user's account, what happens to the user's data? When considering data retention compliance, determine what needs to happen with the deleted user's data. For some organizations, retaining deleted user data could be important continuity and preventing critical data loss.

+If a user's Microsoft 365 account is deleted, their OneDrive files are preserved for 30 days. To change this setting, [Set the OneDrive retention for deleted users](/onedrive/set-retention).

+By default, when a user is deleted, the user's manager is automatically given access to the user's OneDrive. To change this, see [OneDrive retention and deletion](/onedrive/retention-and-deletion).

+### Information protection

+Microsoft Purview Information Protection capabilities help you discover, classify, and protect sensitive information in OneDrive and SharePoint. The following table describes these capabilities. Consider if you want to implement any of these capabilities as part of your OneDrive and SharePoint rollout.

+|Capability|What problems does it solve?|Get started|

+|:|:|:--|

+|[Sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](/microsoft-365/compliance/customize-a-built-in-sensitive-information-type)|

+|[Trainable classifiers](/microsoft-365/compliance/classifier-learn-about)| Identifies sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.| [Get started with trainable classifiers](/microsoft-365/compliance/classifier-get-started-with) |

+|[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br /> Sensitivity labels can be used to protect files themselves or individual SharePoint sites and teams.|[Enable sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files) <br /><br /> [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 Groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)|

+|[Data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy)|

+### File sync

+The OneDrive sync app has policies that you can use to help you maintain a compliant environment. Consider configuring these policies before you roll out SharePoint and OneDrive.

+|Policy|Windows GPO|Mac|

+|:--|:-|:--|

+|Allow syncing OneDrive accounts for only specific organizations|[AllowTenantList](/onedrive/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations)|[AllowTenantList](/onedrive/deploy-and-configure-on-macos#allowtenantlist)|

+|Block syncing OneDrive accounts for specific organizations|[BlockTenantList](/onedrive/use-group-policy#block-syncing-onedrive-accounts-for-specific-organizations)|[BlockTenantList](/onedrive/deploy-and-configure-on-macos#blocktenantlist)|

+|Prevent users from syncing libraries and folders shared from other organizations|[BlockExternalSync](/onedrive/use-group-policy#prevent-users-from-syncing-libraries-and-folders-shared-from-other-organizations)|[BlockExternalSync](/onedrive/deploy-and-configure-on-macos#blockexternalsync)|

+|Prevent users from syncing personal OneDrive accounts|[DisablePersonalSync](/onedrive/use-group-policy#prevent-users-from-syncing-personal-onedrive-accounts)|[DisablePersonalSync](/onedrive/deploy-and-configure-on-macos#disablepersonalsync)|

+|Exclude specific kinds of files from being uploaded|[EnableODIgnoreListFromGPO](/onedrive/use-group-policy#exclude-specific-kinds-of-files-from-being-uploaded)|[EnableODIgnore](/onedrive/deploy-and-configure-on-macos#enableodignore)|

+### Information barriers

+Microsoft Purview Information Barriers is a compliance solution that allows you to restrict two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive. Often used in highly regulated industries, information barriers can help to avoid conflicts of interest and safeguard internal information between users and organizational areas.

+When information barrier policies are in place, users who shouldn't communicate or share files with other specific users won't be able to find, select, chat, or call those users. Information barrier policies automatically put checks in place to detect and prevent unauthorized communication and collaboration among defined groups and users.

+If your business requires information barriers, see [Learn about information barriers](/microsoft-365/compliance/information-barriers) and [Use information barriers with SharePoint](/sharepoint/information-barriers) to get started.

+## Related articles

+[Implement compliance in Microsoft 365](/training/paths/implement-data-governance-microsoft-365-intelligence/)

+[Compliance in Microsoft Teams](/microsoftteams/security-compliance-overview#compliance)

+[Compliance in Microsoft Viva](/viva/viva-compliance)

+[Compliance in SharePoint and OneDrive](/sharepoint/compliant-environment)

+[Compliance in Microsoft Cloud for Retail](/industry/retail/compliance-overview)

+[Windows Privacy Compliance Guide](/windows/privacy/windows-10-and-privacy-compliance)

+[Microsoft Purview Compliance Portal](/purview/purview-compliance-portal)

+ Title: Privacy for Microsoft 365

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: high

+- scotvorg

+- must-keep

+- essentials-privacy

+- it-pro

+- intro-overview

+description: Learn about privacy for Microsoft 365 for enterprise.

+# Privacy for Microsoft 365 for enterprise

+When an organization is considering relying on Microsoft 365 for communication and collaboration, privacy is something that needs to be addressed at every level. The topics we discuss in this article should address your privacy concerns when planning your Microsoft 365 implementation, or at any point during Microsoft 365 usage.

+## What personal data does Microsoft 365 collect and for what purposes does Microsoft 365 use this data?

+Microsoft processes the personal data in Microsoft 365 to deliver the services and for the purposes outlined in the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and the [Microsoft Online Services Data Protection Addendum (DPA)](https://aka.ms/dpa). Microsoft 365, as an integrated set of cloud-based services, processes various types of personal data as part of delivering the services.

+To the extent Microsoft 365 processes personal data with Microsoft's legitimate business operations, Microsoft is an independent data controller for such use and is responsible for complying with all applicable laws and controller obligations.

+## Legal Basis of Processing

+Our customers are controllers for the data provided to Microsoft, as set forth in the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and the [Microsoft Online Services Data Protection Addendum (DPA)](https://aka.ms/dpa), and they determine legal basis of processing. Microsoft, in turn, processes the data on the customers' instructions, as a processor.

+## What third parties have access to personal data?

+Microsoft won't disclose personal data except:

+1. as the customer directs (including as required to complete phone calls);

+1. as described in the Online Service Terms (such as the use of authorized subcontractors to provide certain components of services);

+1. as required by law.

+If law enforcement contacts Microsoft with a demand, Microsoft will attempt to redirect the law enforcement agency to request that personal data directly from the customer. If compelled to disclose personal data to law enforcement, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so. For more information about data that we disclose in response to requests from law enforcement and other government agencies, please see our [Law Enforcement Requests Report](https://www.microsoft.com/corporate-responsibility/law-enforcement-requests-report).

+## Where does Microsoft 365 transfer and store personal data?

+Personal data is transferred and stored as set forth in the [Online Service Terms](https://go.microsoft.com/fwlink/p/?linkid=2050263), the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and the [Microsoft Online Services Data Protection Addendum (DPA)](https://aka.ms/dpa).

+We have information on the [Microsoft 365 Data Residency overview and definitions](m365-dr-overview.md) if you need to learn more.

+## How long does Microsoft 365 retain personal data?

+Microsoft 365 retains your data for the minimum amount of time necessary to deliver the service.

+Because this data is required to provide the service, this typically means that we retain personal data until the user stops using Microsoft 365, or until the user deletes personal data. If a user (or an administrator on the user's behalf) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 30 days.

+If a company terminates service with Microsoft, corresponding personal data will all be deleted between 90 and 180 days of service termination.

+In some circumstances, local laws require that Microsoft 365 retains telephone records (for billing purposes) for a specific period of time, in those circumstances Microsoft 365 follows the law for each region.

+Additionally, if a company requests that Microsoft 365 holds a user's data to support a legal obligation, Microsoft will respect the company administrator's request.

+### Right to withdraw consent

+If Microsoft 365 processes any personal data based on consent, you may have the right to withdraw your consent at any time. You should direct your request to withdraw consent to your administrator, where your administrator is the controller of the personal data at issue.

+## Contact Details of Microsoft's Data Protection Officer

+If you have a privacy concern, complaint or question for the Microsoft Chief Privacy Officer and EU Data Protection Officer, contact us by using [our web form](https://go.microsoft.com/fwlink/?LinkId=321116). Our EU Data Protection Officer is located at Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Telephone: +353 1 706 3117. You can also raise a concern or lodge a complaint with a data protection authority or other official with jurisdiction.

+## Related articles

+[Windows Privacy Compliance Guide](/windows/privacy/windows-10-and-privacy-compliance)

+[Understand how privacy works in Microsoft Viva](/viva/viva-privacy)

+[Microsoft Teams privacy](/microsoftteams/teams-privacy)

+[Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls)

+[Online Service Terms](https://go.microsoft.com/fwlink/p/?linkid=2050263)

+[Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all)

+[Microsoft Online Services Data Protection Addendum (DPA)](https://aka.ms/dpa)

+ Title: Security for Microsoft 365

+f1.keywords:

+- NOCSH

+audience: ITPro

+ms.localizationpriority: high

+- scotvorg

+- must-keep

+- essentials-security

+- it-pro

+- intro-overview

+description: Learn about security for Microsoft 365 for enterprise.

+# Security for Microsoft 365 for enterprise

+Microsoft 365 for enterprise follows all the security best practices and procedures such as service-level security through defense-in-depth, customer controls within the services, security hardening, and operational best practices. For full details, see the [Microsoft Trust Center](https://microsoft.com/trustcenter) and [Microsoft Compliance](/compliance).

+## Trustworthy by design

+Microsoft 365 is designed and developed in compliance with the Microsoft Trustworthy Computing Security Development Lifecycle (SDL), which is described at [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx). The first step in creating a more secure unified communications, collaboration, and productivity system was to design threat models and test each feature as it was designed. Multiple security-related improvements were built into the coding process and practices. Build-time tools detect buffer overruns and other potential security threats before the code is checked in to the final product. It's impossible to design against all unknown security threats. No system can guarantee complete security. However, because product development embraced secure design principles from the start, Microsoft 365 incorporates industry standard security technologies as a fundamental part of its architecture.

+## Security Framework for Microsoft 365

+Microsoft 365 endorses security ideas like Zero Trust, and principles of Least Privilege access. This section gives an overview of fundamental elements that form a security framework for Microsoft 365.

+Core elements include:

+- Microsoft Entra ID, which provides a single trusted back-end repository for user accounts. User profile information is stored in Microsoft Entra ID through the actions of Microsoft Graph.

+ - There might be multiple tokens issued which you might see if tracing your network traffic.

+- Transport Layer Security (TLS) encrypts the channel in motion. Authentication takes place using either mutual TLS (MTLS), based on certificates, or using Service-to-Service authentication based on Microsoft Entra ID.

+- Point-to-point audio, video, and application sharing streams are encrypted and integrity checked using Secure Real-Time Transport Protocol (SRTP).

+- You'll see OAuth traffic in your trace, particularly around token exchanges and negotiating permissions while switching between tabs in Teams, for example to move from Posts to Files. For an example of the OAuth flow for tabs, [see this document](/microsoftteams/platform/tabs/how-to/authentication/auth-flow-tab).

+- Microsoft 365 uses industry-standard protocols for user authentication, wherever possible.

+<a name='azure-active-directory'></a>

+### Microsoft Entra ID

+Microsoft Entra ID functions as the directory service for Microsoft 365 and Office 365. It stores all user and application directory information and policy assignments.

+### Encryption in Microsoft 365

+There are multiple layers of encryption at work within Microsoft 365 to protect your organization's content. For an overview of encryption in Microsoft 365, see [Encryption in Microsoft 365](/microsoft-365/compliance/encryption).

+### User and Client Authentication

+A trusted user is one whose credentials have been authenticated by Microsoft Entra ID in Microsoft 365 or Office 365.

+Authentication is the provision of user credentials to a trusted server or service. Microsoft 365 uses the following authentication protocols, depending on the status and location of the user.

+- **Modern Authentication (MA)** is the Microsoft implementation of OAUTH 2.0 for client to server communication. It enables security features such as multifactor authentication and Conditional Access. To use MA, both the online tenant and the clients need to be enabled for MA. The Microsoft 365 clients across PC and mobile, and the web clients, all support MA.

+> [!NOTE]

+> If you want more information on Microsoft Entra authentication and authorization methods, this article's Introduction and 'Authentication basics in Microsoft Entra ID' sections will help.

+Microsoft 365 authentication is accomplished through Microsoft Entra ID and OAuth. The process of authentication can be simplified to:

+- User sign in > token issuance > next request use issued token.

+Requests from clients to cloud services are authenticated and authorized by Microsoft Entra ID with the use of OAuth. Users with valid credentials issued by a federated partner are trusted and pass through the same process as native users. However, further restrictions can be put into place by administrators.

+For media authentication, the ICE and TURN protocols also use the Digest challenge as described in the IETF TURN RFC.

+### Endpoint security

+Microsoft is unifying user-facing Microsoft 365 apps and services to a single and consistent domain: `**cloud.microsoft**`.

+The growth of Microsoft cloud services led to the expansion of the domain space they occupy, resulting in hundreds of domains. This fragmentation is a challenge for end user navigation, administrative simplicity, and the development of cross-app experiences.

+The `*.microsoft*` top-level domain is exclusive to Microsoft. The new domain doesn’t have traditional suffixes such as .com or .net in the end. This is by design. `cloud.microsoft` resides under the `.microsoft` top-level domain, for which Microsoft is a registry operator and the sole registrant. This domain allows for extra security, privacy, and protection against spoofing when you interact with apps within that domain. You can trust that any website or app that ends with `cloud.microsoft` is an official Microsoft product or service.

+For more information, see [Unified cloud.microsoft domain for Microsoft 365 apps](cloud-microsoft-domain.md).

+## Related articles

+[Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work)

+[Microsoft Trust Center](https://microsoft.com/trustcenter)

+[Optimize Microsoft 365 or Office 365 connectivity for remote users using VPN split tunneling](/Office365/Enterprise/office-365-vpn-split-tunnel)

+[Understand how security works in Microsoft Viva](/viva/viva-security)

+[Security guide for Microsoft Teams overview](/microsoftteams/teams-security-guide)

+[Security in Microsoft Teams](/microsoftteams/security-compliance-overview#security)

+[Windows operating system security](/windows/security/operating-system-security/)

+[Dynamics 365 security](/dynamics365/get-started/security)

+[Security in Microsoft Cloud for Retail](/industry/retail/security-overview)

+### Lighthouse RBAC Account Manager role requirement update

+You no longer need to have a Microsoft Entra ID P1 license to manage the Lighthouse RBAC Account Manager role. This change means that security groups assigned to the Lighthouse RBAC Account Manager role no longer need to be a role-assignable group. You can now assign any security group, including existing security groups, to the Lighthouse RBAC Account Manager role.

+[Go to the Lighthouse permissions page now ](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/RBAC.ReactView)

+To learn more, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).

+Autofill columns in Microsoft Syntex automatically extract, summarize, or generate content from files uploaded to a SharePoint document library. By using large language models (LLMs) through generative AI, autofill columns can save metadata automatically, streamlining the process of managing files and their associated information.

+### Support languages

+Currently, autofill columns are available for English language files. Other languages will be added in future releases.

+Autofill columns are available for the following file types: .csv, .doc, .docx, .eml, .heic, .heif, .htm, .html, .jpeg, .jpg, .md, .msg, .pdf, .png, .ppt, .pptx, .rtf, .tif, .tiff, .txt, .xls, and .xlsx.

+Currently, autofill columns are available for the following column data types:

+- Multiple lines of text

+- Number

+- Yes/No

+- Date and time

+- Choice

+- Hyperlink

+Currently, autofill columns are not available for the following column data types:

+- Person or Group

+- Location

+- Image

+- Lookup

+- Managed metadata

+- Currently, autofill columns don't support the following library types: FormServerTemplates, SitePages, Style Library, and SiteAssets.

+- Documents with sensitivity labels aren't analyzed or included in the results.

+- Document changes are captured only if the file is reprocessed, which must be done manually by the user.

+> [!NOTE]

+> AI-generated content might be incorrect. Be sure to check column results.

+## Responsible AI FAQs

+An AI system includes not only the technology, but also the people who use it, the people affected by it, and the environment in which it's deployed. Microsoft's Responsible AI FAQs are intended to help you understand how AI technology works, the choices system owners and users can make that influence system performance and behavior, and the importance of thinking about the whole system, including the technology, the people, and the environment. You can use Responsible AI FAQs to better understand specific AI systems and features that Microsoft develops.

+Responsible AI FAQs are part of a broader effort to put Microsoft's AI principles into practice. To find out more, see [Microsoft AI principles](https://www.microsoft.com/ai/responsible-ai).

+### Responsible AI FAQs for autofill columns

+#### What are autofill columns?

+Autofill columns provide a column setting that allows users to construct large language model (LLM) prompts that will automatically classify the file, extract or generate information from the fileΓÇÖs contents (extract a specific value or string or generate a summary or response based on some criteria), and save the output to the column.

+#### What can autofill columns do?

+Autofill columns allow a saved prompt to be used to process files created or uploaded to a SharePoint library, and the response is saved to a corresponding column. The constructed prompt is grounded to the file and can be used to extract, classify, summarize, and analyze its contents. The saved metadata, like other column data, can be indexed, used to trigger workflow, or even define criteria for setting an information protection label.

+#### What are the intended uses of autofill columns?

+Autofill columns provide metadata automation for users. A user can use it to classify, extract, summarize, or even analyze a file, and then save the response to the column where it can then be indexed and used for search or other downstream workflow processes. Autofill columns can also be a useful complement for other machine language models, where a users could supplement the extracted metadata from a configured model with a summary or other analysis response.

+#### How was autofill columns evaluated? What metrics were used to measure performance?

+- Performance factors such as coherence, fluency, and accuracy relied on the base modelΓÇÖs performance (in this case, GPT-4 Turbo).

+- Evaluated feature specific performances. Testing included:

+ - Created sample libraries, each included typical business documents categorized as contracts, statements of work, benefit change notices, invoices, and resumes.

+ - Created autofill columns covering different column types, including single line text and multiple choices.

+ - Designed prompts such as ΓÇ£What is the category of the document, choose from A, B, C. Reply none if itΓÇÖs none of them.ΓÇ¥ Or "What is the candidate education background" for resumes.

+- Reviewed the results. The results aligned with expectations in most cases. For the results that did not meet the satisfactory threshold, function calling was used to improve the results. Some of the results were compared across different LLM versions.

+- Evaluated risk and safety metrics.

+ - Setup: Used automated programs to send similar requests as the feature does in the real world, combining metadata prompts, system prompts, and user question or document content, run on the same base model (in this case, GPT-4 Turbo) with same configuration.

+ - Assessment: Because the featureΓÇÖs prompt comes from two parts (one is the document content, the other is the question), we prepared several hundred test cases.

+ - Evaluated test cases with standard business documents, and harmful questions. These questions contained self-harm, sexual, violence, or racial information.

+ - Evaluated test cases with harmful content, and questions prompting the model to answer something it shouldnΓÇÖt. For example, ΓÇ£Summarize the content in the document.ΓÇ¥

+ - Evaluation: Followed Microsoft curated risk and safety metrics instructions, which is provided in Microsoft Azure AI Studio, to measure the results using LLM (in this case GPT-4 Turbo) from four aspects: self-harm-related content, hateful and unfair content, violent content, and sexual content.

+ The evaluation rated the inputs and outputs 0-7, scaling from the least harmful to the most severe level.

+#### What are the limitations of autofill columns? How can users minimize the impact of these limitations when using the system?

+- Scope of the prompt is restricted to just the text contents of the file. The response is text-only that can be saved to the associated column. While other actions can be configured based on the saved response, the output itself can't execute a process.

+- Only users with sufficient site library permissions can create or edit autofill column prompts.

+- The service is managed by a tenant setting in the Microsoft 365 admin center. Its availability across the tenant or to specific sites can be set by the administrator.

+#### What operational factors and settings allow for effective and responsible use of autofill columns?

+- If any harmful content is generated that is unacceptable to users, either the tenant admin or Microsoft support can turn off this feature at the site or tenant level.

+- A **Send feedback** link is provided in the user interface. Feedback is monitored, reviewed, and appropriate actions taken as needed, including in some cases updating the product experience.