Updates from: 05/18/2023 01:33:14
Category Microsoft Docs article Related commit history on GitHub Change details
admin Office Addins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/office-addins.md
+
+ Title: "Deploy and manage Office Add-ins"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/11/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier2
+- scotvorg
+- Adm_TOC
+
+search.appverid: MET150
+
+description: "An overview of how to deploy and manage Office Add-ins."
++
+# Deploy and manage Office Add-ins
+
+## What are Office add-ins?
+
+Microsoft has partnered with leading companies to build programs that help you get things done right from your Microsoft applications. These programs are called Office Add-ins and help you personalize your inbox, documents and streamline the way you access information on the web (see [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)).
+
+An Office add-in can be used on Word, Excel, PowerPoint, and Outlook. These add-ins are supported in three desktop platforms Windows, Mac, and Online Office apps. It's also supported on iOS and Android (Outlook Mobile Add-ins only).
+
+## Before you begin
+
+Management and deployment via Integrated Apps require that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3). The users also need to be signed into Office using their organizational ID and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in or federated to Azure Active Directory.
+
+### Office Requirements
+
+For Word, Excel, and PowerPoint add-ins, your users must be using one of the following versions:
+- On a Windows device, Version 1704 or later of Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3).
+- On a Mac, Version 15.34 or later.
+
+For Outlook, your users must be using one of the following versions:
+- Version 1701 or later of Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3).
+- Version 1808 or later of Office Professional Plus 2019 or Office Standard 2019.
+- Version 16.0.4494.1000 or later of Office Professional Plus 2016 (MSI) or Office Standard 2016 (MSI).
+- Version 15.0.4937.1000 or later of Office Professional Plus 2013 (MSI) or Office Standard 2013 (MSI).
+- Version 16.0.9318.1000 or later of Office 2016 for Mac.
+- Version 2.75.0 or later of Outlook mobile for iOS.
+- Version 2.2.145 or later of Outlook mobile for Android.
+
+> [!NOTE]
+> MSI versions of Outlook show admin-installed or deployed add-ins in the appropriate Outlook ribbon, not the *My add-ins"* section.
+
+### Exchange Online Requirements
+
+Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying /pre-installing add-ins and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth authentication.
+
+Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the *Test-OAuthConnectivity* PowerShell cmdlet.
+
+Deployment doesn't support the following scenarios:
+- Add-ins that target Word, Excel, or PowerPoint in Office 2013
+- An on-premises directory service
+- Add-in Deployment to an Exchange On-prem Mailbox
+- Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins.
+- Deployments of Microsoft 365 that don't include Exchange Online such as Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.
+
+## Controls for managing Office add-ins
+
+As an admin, you can manage Office add-ins in your organization as follows:
+1. Deploy an Office Add-in for users in your organization.
+2. Manage how users can install and use Office add-ins.
+3. Upload custom Office add-ins for your organization.
+
+### Prepare to deploy and manage Office Add-ins via Integrated Apps
+
+Office Add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in). Add-ins provide the following benefits:
+
+- When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.
+- Add-ins no longer appear for users if the admin turns off or deletes the add-in. Also if the user is removed from Azure Active Directory or from a group that the add-in is assigned to. Learn how to perform these actions in the following section.
+
+Add-ins are supported in three desktop platforms: Windows, Mac, and Online Office apps. It's also supported in iOS and Android (Outlook Mobile Add-ins Only).
+
+It can take up to 24 hours for an add-in to show up for client for all users.
+
+Currently, Exchange admins, Global admins, and Azure Application admins can deploy add-ins from Integrated apps.
+
+## Deploy your Office add-ins
+
+Deploying an add-in means you're pre-installing the add-in for a specific set of users in your organization. All management actions taken on a deployed add-in are fully controlled by the admin. You can find, test, and fully deploy apps published by Microsoft and other leading partners. By purchasing and licensing the apps from the admin center, you can add Microsoft and Microsoft partner apps to your list from a single location.
+
+1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
+2. In the Deployed Apps list, select **Get apps** to get a view of the apps.
+3. On the **Microsoft 365 Apps published apps** page, select the app you want to deploy by choosing **Get it now**. Accept the permissions and select **Continue**.
+4. Select **Deploy** at the top of the page next to the message that refers to waiting to be deployed. If the app selected is linked to a SaaS offer by an ISV, all the other apps that are part of this linked offer appear on the Configuration page. If you choose to deploy all of the apps, select **Next**. Otherwise, select **Edit**, and choose which apps you want to deploy. Some apps require you to add users before you can select **Deploy**.
+5. Select **Add users**, choose **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups**, or **Just me**. Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization.
+6. Select **Next** to get to the **Accept permission request** page. The app capabilities and permissions of each of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
+7. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**. In the Microsoft 365 admin center, you can see the status of each deployed app and the date you deployed the app.
+
+It can take up to 24 hours for an add-in to show up for client for all users.
+
+### Considerations when deploying an add-in to users and groups
+
+Admins can deploy an add-in to everyone or to specific users and groups. Each option has implications:
+
+- **Everyone**: This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
+- **Users**: If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.
+- **Groups**: If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no other action is required from the admin.
+- **Just me**: If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.
+
+The right option for your organization depends on your configuration. However, we recommend making assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and controlling the membership of those groups rather than assigning individual users each time. In some situations, you might want to restrict access to a small set of users by making assignments to specific users by assigning users manually.
+
+### Recommended approach for deploying Office Add-ins
+
+To roll out add-ins by using a phased approach, we recommend the following actions:
+
+1. Roll out the add-in to a small set of business stakeholders and members of the IT department. If the deployment is successful, move to step 2.
+2. Roll out the add-in to more individuals within the business. Again, evaluate the results and, if successful, continue with full deployment.
+3. Perform a full rollout to all users.
+
+Depending on the size of the target audience, you can add or remove roll-out steps.
+
+### Scenarios where Exchange admin can't deploy an add-in
+
+There are two cases in which an Exchange Admin aren't able to deploy an add-in:
+
+- If an add-in needs permission to MS Graph APIs and needs consent from a global admin.
+- If an add-in is linked to two or more add-ins and webapps, and at least one of these add-ins is deployed by another admin (Exchange or global) and the user assignment isn't uniform. We only allow deployment of add-ins when the user assignment is the same for all the already deployed apps.
+
+### Edit users for deployed add-ins
+
+Post deployment, admins can also edit the deployed to add-ins.
+
+1. In the admin center, select **Settings**, then select **Integrated apps**.
+2. On the **Integrated apps** page, it displays a list of apps that are either single add-ins or add-ins that have been linked with other apps.
+3. Select an app and then scroll down to select **Edit Users** or select the **User** tab in the overview pane.
+4. Select the user group you want to deploy the add-in to.
+5. Review the app information, and then select **Update**.
+
+> [!NOTE]
+> Only the admin who deployed the add-in or a global admin can manage that add-in.
+
+### Update deployed add-ins
+
+Post deployment, admins can also approve updates for the deployed add-ins.
+
+1. In the admin center, select **Settings** then select **Integrated apps**.
+2. On the **Integrated apps** page, it displays a list of apps that are either single add-ins or add-ins that have been linked with other apps.
+3. Select an app with **Status** of **More apps available** to open the **Manage** pane. The status of **More apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
+4. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select **Deploy**.
+5. Select **Users**, select **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups** or **Just me**. You can also select **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
+6. Select **Update** and then select **Done**. You can now select **Deploy** on the **Overview** tab.
+7. Review the app information, and then select **Deploy**.
+8. Select **Done** on the **Deployment completed** page, and review the details of the test or full deployment on the **Overview** tab.
+9. If the app has a status of **Update pending**, you can click on the app to open the **Manage** pane and update the app.
+10. To just update users, select the **Users** tab and make the appropriate change. Select **Update** after making your changes.
+
+### Delete a deployed add-in
+
+You can also delete an add-in that was deployed.
+
+1. In the admin center, select **Settings**, then select **Integrated apps**.
+2. Select any row to display the management pane.
+3. Select the **Configuration** tab.
+4. Select the add-in that you want to delete and then select **Remove**.
+
+> [!NOTE]
+> If the add-in has been deployed by another admin, then the Remove button will be disabled. Only the admin who has deployed the app or a global admin can delete the add-in.
+
+## Manage how users can install and use Office add-ins
+
+Managing how users can install and use Office add-ins means that you decide who can or can't install and use add-ins in your organization. Unlike deploying an add-in that preinstalls for selected users, managing an add-in allows you to decide which users can self-install Office add-ins from the stores on the Microsoft applications.
+
+**Word, Outlook, and PowerPoint**
+
+1. To manage usersΓÇÖ ability to self-install and use Office add-ins from the Word, Excel and PowerPoint stores, visit the Microsoft 365 Admin Center.
+2. Choose **Settings** and the select **Org Settings**.
+3. Scroll down and select **User owned apps and services**.
+4. Make changes to the checkbox **Let users access the Office Store**.
+ - Activating the checkbox turns on access to all Word, Excel and PowerPoint add-ins for all users in your organization.
+ - Deactivating the checkbox turns off access to all Word, Excel and PowerPoint add-ins for all users in your organization.
+
+> [!NOTE]
+> This setting does not impact any deployed Office add-ins on Word, Excel, and PowerPoint. You can continue to deploy Office add-ins to users in your organization, even if the above setting is turned off.
+
+**Outlook**
+
+1. To manage usersΓÇÖ ability to self-install and use Office add-ins from Outlook store, log in to the classic Exchange admin center as a global administrator.
+2. Go to **Permissions** and then select **User Roles**.
+3. Select an existing role assignment policy or create a new policy.
+4. Type a name for the policy if you're creating a new policy.
+5. Select the following roles: **My Custom Apps**, **My MarketPlaceApps**, and **My ReadWriteMailbox Apps**.
+6. Select **Save**.
+ - Once the policy is created, you can assign it to users in your organization.
+ - You can also create multiple policies and assign it to different users within your organization.
+7. Activating the checkboxes above turns on access to Outlook add-ins for the users assigned to the policy.
+8. Deactivating the checkboxes turns off access to Outlook add-ins for users assigned to the policy.
+
+> [!NOTE]
+> This setting does not impact any deployed Office add-ins on Outlook. You can continue to deploy Office add-ins on Outlook to users in your organization, even if the above setting is turned off.
+
+Microsoft is now partnering with leading developers to create unified apps that work across Outlook, Word, Excel, PowerPoint, Teams and the Microsoft 365 App (formerly known as Office.com). Any settings made for Office Add-ins will continue to be honored as long as they stay as add-ins. When Office add-ins upgrade to work across different Microsoft applications, you can learn to manage them from here. For more information, see [Controls for managing Teams apps that work on Outlook and Microsoft 365](/manage/teams-apps-work-on-outlook-and-m365#controls-for-managing-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).
++
+## Upload Custom Office Add-ins in your organization
+
+You can also upload custom line of business add-ins and deploy it to users in your organization:
+
+1. In the admin center, in the left nav, choose **Settings** and then **Integrated apps**.
+2. Select **Upload custom apps**. Custom line of business add-ins for Word, PowerPoint, Excel, and Outlook are supported.
+3. Upload the manifest file from your device or add a URL link. Some apps require you to add users before you can select **Deploy**.
+4. Select **Add users**, choose **Is this a test Deployment**, and choose either **Entire organization**, **Specific users/groups**, or **Just me.** Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you want to wait to deploy the app to the entire organization.
+5. Select **Next** to view the **Accept permission request** page. The app capabilities and permissions of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
+6. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the Overview tab by choosing **View this deployment**.
+
+> [!NOTE]
+> The uploaded manifest size can't exceed 512 KB.
+
+## More about Office Add-ins security
+
+Office Add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application that contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:
+
+- Display data.
+- Read a user's document to provide contextual services.
+- Read and write data to and from a user's document to provide value to that user.
+
+For more information about the types and capabilities of Office Add-ins, see [Office Add-ins platform overview](/office/dev/add-ins/overview/office-add-ins), especially the section *Anatomy of an Office Add-in*.
+
+To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. Most of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see [Requesting permissions for API use in content and task pane add-ins](/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
+
+When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in don't change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.
+
+Updates for add-ins happen as follows:
+
+- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.
+- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.
+
+> [!NOTE]
+> For Word, Excel, and PowerPoint use a [SharePoint App Catalog](/sharepoint/dev/sp-add-ins/publish-sharepoint-add-ins) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
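Review bot: The bold subheading `**Word, Outlook, and PowerPoint**` under "Manage how users can install and use Office add-ins" names the wrong apps. The steps beneath it cover the Word, Excel and PowerPoint stores, and Outlook has its own `**Outlook**` subheading directly after, so it should read `**Word, Excel, and PowerPoint**`. The group type is also inconsistent: the deploy and upload steps say "a distributed group" while the update steps say "a distribution group"; use "distribution group" throughout. Smaller fixes in the same file: the stray quote in `*My add-ins"*`, "an Exchange Admin aren't able" (isn't), "edit the deployed to add-ins" (words missing), "Choose **Settings** and the select" (then), and the mis-encoded apostrophe in "usersΓÇÖ ability" in both self-install procedures. In "More about Office Add-ins security", the text says permissions are fixed in the manifest but the web application "can change at any time"; consider stating explicitly whether such a change involves any admin step, since that is what an admin vetting an add-in needs to know.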
admin Saas Linked Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/saas-linked-apps.md
+
+ Title: "SaaS linked apps"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/12/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier2
+- scotvorg
+- Adm_TOC
+
+search.appverid: MET150
+
+description: "Gives an oveview of software as a service (SaaS) linked apps."
++
+# SaaS linked apps
+
+The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of apps and bundled apps - also called **SaaS linked apps** - from a single location. We have asked our ISV partners to link their SaaS offer with related free apps. such as Teams apps, Office add-ins, and SharePoint Framework solutions. For more information on how partners create these apps, see [How to plan a SaaS offer for the commercial marketplace](https://go.microsoft.com/fwlink/?linkid=2158277).
+
+We help our admins discover these linked apps with the SaaS offer and manage them all at once from Integrated apps. The UX on the Integrated Apps portal allows the admin to apply the same gesture across all the apps at once.
+
+An admin can choose not to deploy an app that is linked to a SaaS offer. On returning to Integrated apps, admins will find the status of **More apps available** in the Deployed Apps list view. This status is to inform the admins that there are more integrations from the ISVs that havenΓÇÖt been deployed yet.
+
+There are the scenarios when SaaS linked apps can't be managed from Integrated Apps.
+
+## Unsupported scenarios
+
+You are not able to deploy a single store add-in from the Integrated apps portal for the following scenarios:
+
+- The same add-in is linked to more than one SaaS offer.
+- The SaaS offer is linked to add-ins, but it doesn't integrate with Microsoft Graph and no Azure AD App ID is provided.
+- The SaaS offer is linked to add-ins, but Azure AD App ID provided for Microsoft Graph integration is shared across multiple SaaS offers.
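Review bot: The first paragraph has a broken sentence at "related free apps. such as Teams apps, Office add-ins, and SharePoint Framework solutions"; the period after "apps" should be a comma. In the same paragraph, "custom business line of apps" should read "custom line-of-business apps". The front-matter description misspells "oveview", "There are the scenarios when SaaS linked apps can't be managed" reads better as "There are scenarios in which ...", and "havenΓÇÖt" carries a mis-encoded apostrophe. In the last bullet, "but Azure AD App ID provided" is missing an article ("but the Azure AD App ID provided").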
admin Teams Apps Work On Outlook And M365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365.md
+
+ Title: "Teams apps that work on Outlook and Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/11/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier2
+- scotvorg
+- Adm_TOC
+
+search.appverid: MET150
+
+description: "How to manage Teams apps that work in Outlook and Microsoft 365 through controls in the Integrated Apps portal."
++
+# Teams apps that work on Outlook and Microsoft 365
+
+## What are Teams apps that work on Outlook and the Microsoft 365 App?
+
+A Teams app that works on Outlook and the Microsoft 365 App is an upgraded Teams App with a manifest version greater than or equal to v1.13. This app can work across Outlook, and the Microsoft 365 App (formerly known as Office.com) in addition to working on Teams. Such apps use the value of Teams app capabilities and allow developers to extend these capabilities to Outlook and the Microsoft 365 App. Going forward, app developers don't need to build different apps for different platforms. They can submit a single app package that works across Teams, Outlook, and the Microsoft 365 App. These apps may be subject to different terms than other Office add-ins or pure Teams Apps. Read your license agreement for more details.
+
+Previously, for an app to work in Teams, Outlook, and the Microsoft 365 App, admins needed to manage each app independently across the Teams admin center, Exchange admin center, and Microsoft 365 admin center. Now that these apps can be extended to Outlook and the Microsoft 365 App, admins can manage the app once from Integrated Apps on the Microsoft 365 Admin center, and enable a single, connected experience for end-users across both Outlook, and the Microsoft 365 App.
+
+> [!NOTE]
+> Any changes made on Integrated Apps on the Microsoft 365 admin center will only impact these apps on Outlook and the Microsoft 365 app at this time. To manage how these apps show up on Teams, please continue to use Teams admin center.
+
+The following sections tell you more about the management tools available for these Teams Apps that work on Outlook and the Microsoft 365 App.
+
+## Before you begin
+
+The following controls on Integrated Apps in the Microsoft 365 Admin Center are only available to Global Admins and Azure Application Admins. Check your credentials before you proceed.
+
+## Controls for managing Teams apps that work on Outlook and the Microsoft 365 App
+
+As an admin, you can manage Teams apps that work on Outlook and the Microsoft 365 App in your organization as follows:
+
+1. Deploy/Pre-install an app for users in your organization on Outlook and the Microsoft 365 App.
+2. Manage how users can install and use these apps on Outlook and the Microsoft 365 App.
+3. Upload custom apps for your organization.
+
+## Deploy a Teams app that works on Outlook and the Microsoft 365 App via the Integrated Apps portal
+
+As an admin, you can now deploy these apps on Outlook, and Microsoft 365 (formerly known as Office.com) to a specific set of users, the entire organization, or just to yourself from Integrated Apps on Microsoft 365 admin center. Deploying an app means that it is preinstalled for the selected users on the applicable hosts of the app.
+
+1. Sign into Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings** and then select **Integrated Apps**.
+3. Select **Get apps** in the **Deployed Apps** list. This action opens up AppSource in embedded form from where you can select the app that you want to deploy.
+4. Next, you see the deployment screen where general information about the app is given and the applicable products on which the app is deployed.
+5. Click **Next** to select the set of users to whom you want to deploy the app. Read more about [user groups and assignments](/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps#user-and-group-assignments).
+6. Next, accept permissions if there are any. Then select **Next**.
+7. Review and finish the deployment of the app. This app is now preinstalled for all selected users in the applicable hosts.
+
+> [!NOTE]
+> Any changes made to these apps from Integrated Apps on the Microsoft 365 admin center will only impact these apps on Outlook and the Microsoft 365 app at this time. To manage how these apps show up on Teams, please continue to use Teams admin center.
+
+As an admin, you can also take management actions on these apps such as removing the deployment or editing user access.
+
+### To remove the deployment of this app
+
+1. Select **Remove app** in the overview tab of an app from the **Deployed Apps** list.
+2. Consent to the removal terms.
+3. Select **Remove**, then select **Done**.
+
+### To edit the user assignment of an app
+
+1. Select **Edit users** in the overview tab of an app from the **Deployed Apps** list.
+2. Change the user assignment to deploy this app for a new set of users.
+3. Select **Update**, then select **Done**.
+
+## Manage how users can install Teams apps on Outlook and the Microsoft 365 App
+
+As an admin, you can manage availability or how users can install such apps in your organization. You have complete control over who can or can't install and use apps in your organization. Unlike deploying an app that you pre-install for selected users, managing availability of an app allows you to decide which users can self-install these apps from the stores on the Microsoft applications.
+
+The following sections tell you more about the tools available for managing availability of these apps on Outlook and the Microsoft 365 App.
+
+### How to see the available and blocked apps in your organization
+
+1. Sign into Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings**, then select **Integrated Apps**.
+3. Select the **Available Apps** or **Blocked Apps** list. Here you can view the status of all apps in the public catalog, as well as any custom line-of-business apps uploaded from Teams admin center or Microsoft 365 admin center.
+4. Select an app to view more details about the app, applicable host products, and availability status within your organization.
+
+### How to block an app
+
+You can block an app for all users in your organization to restrict them from downloading and using the app on the Microsoft 365 app and Outlook.
+
+1. Sign into Microsoft 365 admin center as a Global Administrator.
+2. Select **Settings**, and then select **Integrated Apps**.
+3. Select the **Available Apps** list.
+4. Select an app from the **Available Apps** list to open the overview pane.
+5. Select **Block app**.
+6. Consent to blocking the app by selecting **Yes, I'm sure I want to block this app**.
+7. Select **Block**. You can now see this app in the **Blocked Apps** list.
+
+When you choose to block an app, it is blocked for all users in your organization. Blocking an app overrides any previous admin deployment or user installation in Microsoft 365 and Outlook so that the app can no longer be used by anyone in your organization.
+
+> [!NOTE]
+> Currently, the app will only be blocked in the Microsoft 365 app and Outlook. Teams will continue to honor the current setting for Teams Apps made in the Teams admin center and for Outlook add-ins made in the Exchange admin center. For more details, read [What happens to your existing settings for Teams and Outlook](#what-happens-to-your-settings-on-teams-and-outlook).
+
+### How to unblock an app
+
+You can unblock an app so that it can start showing up in the Microsoft 365 app and Outlook.
+
+1. Sign in to Microsoft 365 admin center as a Global Administrator.
+2. Select **Settings**, and then select **Integrated Apps**.
+3. Select the **Blocked Apps** list.
+4. Select an app from the **Blocked Apps** list to launch the overview pane.
+5. Select **Unblock app**.
+6. Read the availability and deployment status that the app will revert to after unblocking. These statuses are the last saved ones of the app before it was blocked.
+7. Select **Unblock**. You can now see this app in the **Available Apps** list and/or the **Deployed Apps** list.
+
+When you choose to unblock an app, the app reverts to the last saved state of availability and deployment. If the app doesn' have any availability status set, the app reverts to the default tenant setting. Learn more about these controls in the following section.
+
+### How to manage the availability of an app in your organization
+
+As an admin, you can control which apps can be installed and used by which users in your organization. By changing the availability, you're deciding how end users in your organization can install these apps from the store and use them on Outlook and the Microsoft 365 App. Admins can edit the availability of all 1P and 3P store apps and LOB apps uploaded by them.
+
+1. Sign into the Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings**, then select **Integrated Apps**.
+3. Select the **Available Apps** list.
+4. Next, select the app you want to edit. This launches the appΓÇÖs overview pane.
+5. Scroll down and select **Edit Users** or select the **Users** tab in the overview pane. Read more about user groups and assignments above.
+6. Select the availability status of the app you want to set:
+ - **No users in the organization can install** means that no one in the organization can install this app on their own from the store and use it in the client.
+ - **All users in the organization can install** means that everyone in the organization can install this app on their own from the store and use it in the client.
+ - **Specific users/group in the organization can install** means that only the users selected by you will be able to install the app on their own from the store and use it in the client. Unselected users are not able to do so.
+7. Select **Save**.
+
+> [!NOTE]
+> The availability setting of an app doesn't impact any admin deployed apps. The availability setting only allows you to control which end users can install and use these apps on their own. Any previous admin deployments made will still be honored.
+
+> [!NOTE]
+> Availability setting of an app will override the state set in default tenant setting. Learn more about default state settings in the following section.
+
+### Customize default settings for Teams apps that work on Outlook and the Microsoft 365 app
+
+As an admin, you can control the default state of any new and incoming app in your organization. The default setting for any organization is set to **All users in the organization can install**. You can change this default setting on Integrated Apps in the Microsoft 365 admin center.
+
+1. Sign into the Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings**, then select **Integrated Apps**.
+3. Select the **Available Apps** list.
+4. Next, select the Settings icon to open the **Customize default settings** pane.
+5. Select the dropdown menu to change the default settings to **All users in the organization can install apps on their own** or **Only admins can install apps for users in the organization**.
+ - When you select **Only admins can install apps for users in the organization**, the availability status for apps changes to **No users in the organization can install**.
+
+The default tenant state applies to the following apps:
+
+- All new and incoming Teams apps with capabilities extended to Outlook and the Microsoft 365 App.
+- All apps published in the past that weren't blocked by the admin.
+ - If an app was previously blocked for Outlook and the Microsoft 365 App, it will continue to remain blocked even after the default state for the tenant is changed. When admins unblock the app, it reverts to the default state set for the tenant on Outlook and the Microsoft 365 App.
+- All apps published in the past that were deployed by the admin.
+ - The default tenant state also applies to admin-deployed apps. If an app was previously deployed by the admin to a set of users for Outlook and the Microsoft 365 App, it will continue to remain deployed to the selected set of users, even after the default state for the tenant is changed.
+
+The default tenant state won't apply to the following apps:
+
+- Custom/LOB apps uploaded by the admin.
+ - When a custom/LOB app is uploaded by the admin via the Microsoft 365 admin center, all users in the organization have access to install the app by default. For more information, see the section about [how to upload a custom/LOB app](#upload-custom-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).
+ - Admins can continue to deploy the custom/LOB app to a selected set of users.
+ - Admins can also edit which users have access to install and use the custom/LOB app. For more information, see the section about [how to upload a custom/LOB app](#upload-custom-teams-apps-that-work-on-outlook-and-the-microsoft-365-app).
+- Apps that have any user selections made by the admin.
+ - The changes made by the admin as part of **How to manage the availability of an app in your organization** are honored over the default state in the tenant. Once an admin specifies users for an app, this setting supersedes the tenant-wide default setting for that app.
+
+## What happens to your settings on Teams and Outlook
+
+Any existing settings made on the Teams admin center will continue to be honored on the Teams client.
+
+As an example, the Foo Teams app recently upgraded to a Teams app that also works on Outlook and the Microsoft 365 App (formerly known as Office.com).
+
+| |Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client|
+|||||
+|**If you had previously blocked the Foo Teams App on the Teams admin center**|Users in your organization can't download and use Foo on Teams.|Users in your organization can download and use Foo in the Microsoft 365 app. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo in Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
+|**If you had previously allowed the Foo Teams App on the Teams admin center**|Users in your organization can download and use the Foo in Teams.|Users in your organization can download and use Foo in the Microsoft 365 app. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo in Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
+
+Now that _Foo_ is a Teams App that also works on Outlook and the Microsoft 365 app, you can make changes to its availability from the Microsoft 365 admin center.
+
+| |Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client|
+|||||
+|**If you block Foo App in the Microsoft 365 admin center**|No impact. Users in your organization continue to experience Teams behavior for Foo based on the admin settings in Teams admin center.|Users in your organization can't download the Foo on the Microsoft 365 app, and can't use any previously installed (by user/admin) Foo app.|Users in your organization can't download the Foo App on Outlook, and can't use any previously installed (by user/admin) Foo enhanced teams app.|
+|**If you unblock Foo in the Microsoft 365 admin center.**|No impact. Users in your organization continue to experience Teams behavior for Foo based on the admin settings in Teams admin center.|Users in your organization can download and use Foo on the Microsoft 365 app. Users can use any previously installed (by user/admin) Foo app.|Users in your organization can download and use Foo in Outlook. Users can use any previously installed (by user/admin) Foo app.|
+
+## Upload custom Teams apps that work on Outlook and the Microsoft 365 App
+
+You can also upload custom line of business apps and deploy/pre-install them for users in your organization:
+
+1. In the Microsoft 365 admin center, in the left nav, choose **Settings** and then **Integrated apps**.
+2. Select **Upload custom apps**.
+3. Upload the manifest file from your device or add a URL link. Some apps require you to add users before you can select **Deploy**.
+4. Select **Add users**, choose **Is this a test Deployment**, and select either **Entire organization**, **Specific users/groups**, or **Just me**. Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose Test deployment if you want to wait to deploy the app to the entire organization. Read more about [user groups and assignments](/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps#user-and-group-assignments).
+5. Select **Next** to view the **Accept permission request** page. The app capabilities and permissions of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
+6. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**.
+
+Whenever a custom line of business app is uploaded, it is made available to all users in the organization for installation and use by default. You can edit the availability of this custom line of business app from the Available apps list. For more information, see the section about [how to manage availability of an app in your organization](#how-to-manage-the-availability-of-an-app-in-your-organization).
+
+> [!NOTE]
+> When uploading and deploying a custom app, it will only be preinstalled for selected users/groups on Outlook and the Microsoft 365 App. To manage how it is accessed by users on Teams, please visit Teams admin center.
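Review bot: The upload procedure under "Upload custom Teams apps that work on Outlook and the Microsoft 365 App" never says which role to sign in as, and its step 5 states "Only a global administrator can give consent", while the two availability procedures earlier in this file accept "a Global Administrator or Azure Application Admin". Add a sign-in step to the upload procedure and say what an Azure Application Admin should do when the app requests consent, so the role requirements read consistently across the file. In the "Custom/LOB apps uploaded by the admin" bullets, the sub-bullet about editing which users have access links to #upload-custom-teams-apps-that-work-on-outlook-and-the-microsoft-365-app a second time; it should point to #how-to-manage-the-availability-of-an-app-in-your-organization. Smaller fixes: "doesn' have" in the unblock paragraph, the mis-encoded apostrophe in "appΓÇÖs overview pane" in step 4, "distributed group" where "distribution group" is presumably meant, and the separator row of both tables, which reads "|||||" here and needs dashes in each cell to render as a table.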
admin Teams Apps Work Only On Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/teams-apps-work-only-on-teams.md
+
+ Title: "Teams apps that only work on Teams"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/11/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier2
+- scotvorg
+- Adm_TOC
+
+search.appverid: MET150
+
+description: "How to block and unblock apps Teams apps that only work on Teams through controls in the Integrated Apps portal."
++
+# Teams apps that only work on Teams
+
+In addition to the controls available to you in the Integrated Apps portal, admins can also block or unblock Teams apps that only work on Teams. Such apps have a manifest version less than 1.13. These apps can be identified by the availability status **Some or all users in the organization can install** in the **Available Apps** list. At this time, only blocking and unblocking of such an app is supported via the Integrated Apps portal.
+
+## Before you begin
+
+- These apps only show up on the Available Apps list based on your settings in Teams admin center. Verify if your settings in the Teams admin center are for 3P apps.
+ - If access to 3P apps on Teams admin center is turned on, admins can start seeing these apps on the **Integrated apps portal** in **Available apps** and **Blocked apps** lists based on their setting in Teams admin center.
+ - If access to 3P apps on Teams admin center is turned off, no such apps are visible on the Integrated apps portal.
+- These apps always have the availability status of **Some or all users in the organization can install**. These apps always have only Teams as the host product. To know more about which users can access this app on Teams, visit the Teams admin center.
+
+## How to block a Teams app on Teams
+
+1. Sign into Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings**, and then select **Integrated Apps**.
+3. Select the **Available Apps** list.
+4. Select an app with the status **Some or all users in the organization can install** from the **Available Apps** list to open the overview pane. These apps will always have only Teams listed as host product.
+5. Select **Block app**.
+6. Consent to blocking the app by selecting **Yes, I'm sure I want to block this app**.
+7. Select **Block**. You can now see this app in the **Blocked Apps** list.
+When the admin blocks such an app, it's blocked for all users in the organization on the Teams client.
+
+## How to unblock a Teams app on Teams?
+
+1. Sign into Microsoft 365 admin center as a Global Administrator or Azure Application Admin.
+2. Select **Settings**, and then select **Integrated Apps**.
+3. Select the **Blocked Apps** list.
+4. Select an app from the **Blocked Apps** list to open the overview pane.
+5. Select **Unblock app**.
+6. Read the availability and deployment status that the app will revert to after unblocking. These statutes are the last saved ones of the app before it was blocked.
+7. Select **Unblock**. You can now see this app in the **Available Apps** list and/or the **Deployed Apps** list based on the last saved setting.
+
+When the admin unblocks such an app, it's reverted to the last saved setting as set by the admin in Teams admin center. Visit Teams admin center to know the latest status of the app on Teams.
+
+> [!NOTE]
+> Teams apps with availability status as **Some or all users in the organization can install** can only be blocked on unblocked on Integrated Apps for the Teams client. For any other management actions on these apps or to view how these apps show up on Teams to users in your organization, please visit the Teams admin center.
+
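Review bot: Two wording errors change the meaning of the unblock instructions: step 6 of "How to unblock a Teams app on Teams?" says "These statutes are the last saved ones" where "statuses" is meant, and the closing note says apps "can only be blocked on unblocked on Integrated Apps" where "blocked or unblocked" is meant. In "Before you begin", "Verify if your settings in the Teams admin center are for 3P apps" does not say which setting to check or what value it should have; the two sub-bullets suggest the intent is "verify that access to 3P apps is turned on". The sentence "When the admin blocks such an app, it's blocked for all users..." follows step 7 with no blank line, so it will render as part of that list item; add a blank line as the unblock section does. Also drop the question mark from the unblock heading to match the block heading, and remove the duplicated word in the description ("block and unblock apps Teams apps").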
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
Title: "Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal"
+ Title: "Get started with Integrated apps"
f1.keywords: - NOCSH--++ Last updated 02/25/2020 audience: Admin
search.appverid: MET150
-description: "Find, test, and deploy Microsoft and Microsoft partner apps for users and groups in your organization from the Integrated apps portal in the Microsoft 365 admin center."
+description: "An overview of the Integrated apps portal in the Microsoft 365 admin center."
-# Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal
+# Get started with Integrated apps
-The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of apps and Microsoft 365 partner apps from a single location. The location can be accessed in the Microsoft Admin center settings, in Integrated apps. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
+## What is Integrated Apps
-For additional information about purchasing and licensing Microsoft 365 apps from partners for your organization, see [Manage and deploy Microsoft 365 Apps from the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/manage-and-deploy-microsoft-365-apps-from-the-microsoft-365/ba-p/1194324).
+Integrated Apps gives you the flexibility to deploy and manage single store apps, bundled apps, and a custom business line of apps from a single location. These apps can be built by Microsoft or by our 3P Microsoft 365 partners. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
-For more info on how partners create these apps, see [How to plan a SaaS offer for the commercial marketplace](https://go.microsoft.com/fwlink/?linkid=2158277)
+The Integrated apps portal displays a list of apps that can be accessed by users in your organization. The following apps can be managed via Integrated Apps:
-The Integrated apps portal is available to world-wide customers only and can be accessed by global admins, global readers, and Exchange admins. This feature is not available in sovereign and government clouds.
+- Office Add-ins
+- Teams apps that work on Outlook and the Microsoft 365 app (formerly known as Office.com).
+- Teams Apps that only work on Teams.
+- SPFx apps
+- Web apps: For web apps, you can see two kinds of apps.
+ - SaaS apps that are available in appsource.microsoft.com and can be deployed by admins giving consent on behalf of the organization.
+ - SAML gallery apps that are linked with Office add-ins.
-The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from partners which are deployed your organization. Only web apps, SPFx apps, Office Add-ins, Teams apps, and Enhanced Teams apps are listed. For web apps, you can see two kinds of apps.
+## How to access Integrated Apps
-- SaaS apps that are available in appsource.microsoft.com, and can be deployed by admins giving consent on behalf of the organization.-- SAML gallery apps that are linked with Office add-ins.
+Integrated Apps can be accessed via the Microsoft 365 Admin Center. Select **Settings**, and then choose **Integrated apps**.
-## Manage apps in the Integrated apps portal
+![Integrated Apps home](../../media/new-int-apps.png)
-You can manage testing and deployment of purchased and licensed Microsoft 365 Apps from partners.
+## Who can access Integrated Apps
-1. In the admin center, select **Settings**, and then select **Integrated apps**.
+The Integrated apps portal is available to world-wide customers only and can be accessed by Global Admins, Global Readers, Exchange admins, and Azure Application Admins (made available in May 2023). This feature is not available in sovereign and government clouds.
-2. Choose an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
+To learn more about these roles, see [Azure AD built-in roles - Microsoft Entra|Microsoft Learn](/azure/active-directory/roles/permissions-reference#all-roles).
-3. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
+## User and group assignments
-4. Select **Users**, choose **Is this a test deployment**, and then choose **Entire organization**, **Specific users/groups** or **Just me**. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
-
-5. Select **Update** and then **Done**. You can now select Deploy on the Overview tab.
-
-6. Review the app information, and then select **Deploy**.
-
-7. Select **Done** on the Deployment completed page and review the details of the test or full deployment on the **Overview** tab.
-
-8. If the app has a status of **Update pending**, you can click on the app to open the Manage pane and update the app.
-
-> [!NOTE]
-> _Is this a test deployment_ is an administrative tag to determine if the app is still in testing phase. It has no technical impact.
-
-## Manage Enhanced Teams Apps in the Integrated Apps portal
-
-### What is an Enhanced Teams App?
-
-An Enhanced Teams App is an upgraded version of a Teams App with a manifest version greater than or equal to v1.13. This app can work across Teams, Outlook, and the Microsoft 365 App (formerly known as Office.com). Going forward, app developers won't need to build different apps for different platforms. They can submit a single app package that will work across Teams, Outlook, and the Microsoft 365 App. Enhanced Teams Apps may be subject to different terms than other Office add-ins or Teams Apps. Read your license agreement for more details.
-
-Previously, for an app to work in Teams, Outlook, and the Microsoft 365 App, admins needed to manage each app independently across the Teams admin center, Exchange admin center, and Microsoft 365 admin center. With the Enhanced Teams Apps, admins can manage the app once, and enable a single, connected experience for end-users across Teams, Outlook, and the Microsoft 365 App from the Integrated Apps page on the Microsoft 365 Admin center.
-
-The management of Enhanced Teams Apps is currently only available to global admins. The following sections will tell you more about the management tools available for Enhanced Teams Apps.
-
-### Block or Unblock Enhanced Teams Apps in the Integrated Apps portal
-
-As a global admin, you can manage Enhanced Teams Apps on Microsoft 365 (formerly known as Office.com) and Outlook via Integrated Apps on the Microsoft 365 admin center.
-
-This feature is currently available to global admins only and only targets Microsoft 365 and Outlook. By default, all Enhanced Teams Apps will be allowed to all users in your organization on Microsoft 365 and Outlook.
-
-For now, any changes made to an Enhanced Teams App will only appear in Microsoft 365 and Outlook. Teams is not supported at this time.
-
-You can control how users install these apps from the store on Integrated Apps in the Microsoft 365 admin center through the Available Apps and Blocked Apps.
-
-#### How to see Available and Blocked Apps in your organization
-
-1. Sign in to Microsoft 365 admin center as a Global Administrator.
-2. Select **Settings**, then select **Integrated Apps**.
-3. Select the **Available Apps** or **Blocked Apps** list. Here you can view the status of all Enhanced Teams Apps in the public catalog and any custom line-of-business apps uploaded from Teams admin center or Microsoft 365 admin center.
-
- :::image type="content" alt-text="Available apps list." source="../../media/apps-status.png" lightbox="../../media/apps-status.png":::
-
- :::image type="content" alt-text="Blocked apps list." source="../../media/blocked-apps.png" lightbox="../../media/blocked-apps.png":::
-
-4. Select an Enhanced Teams App to view more details about the app, applicable host products, and availability status within your organization.
-
-Custom line-of-business Enhanced Teams Apps uploaded from Teams admin center or Microsoft 365 admin center can be viewed on Integrated Apps. These apps will appear in the store for Teams, Microsoft 365, and Outlook based on the policies set for the app, similar to public apps submitted via the Partner Center.
--- You can manage these apps from the Teams admin center or the Microsoft 365 admin center. Any policy set from the Teams admin center will reflect on the Teams client.-- Any policy set from the Microsoft 365 admin center will reflect in Microsoft 365 and Outlook.-
-Since all Enhanced Teams Apps are allowed by default to all users on Microsoft 365 and Outlook, all apps will show the status **All users in the organization can install**. This means that the app is available for all users in your organization to install and use on Microsoft 365 and Outlook.
-
-#### How to block an app
-
-You can block an app for all users in your organization to restrict them from downloading and using the app in Microsoft 365 and Outlook.
-
-1. Sign in to Microsoft 365 admin center as a Global Administrator.
-2. Select **Settings**, and then select **Integrated Apps**.
-3. Select the **Available Apps** list.
-4. Select an app from the **Available Apps** list to open the overview pane.
-5. Select **Block app**.
-6. Consent to blocking the app by selecting **Yes, I'm sure I want to block this app**.
-7. Select **Block**. You can now see this app in the **Blocked Apps** list.
-
-When you choose to block an app, it will be blocked for all users in your organization. Blocking an app overrides any previous admin deployment or user installation in Microsoft 365 and Outlook so that the app can no longer be used.
--
-> [!NOTE]
-> Currently, the Enhanced Teams App will only be blocked in Microsoft 365 and Outlook. Teams will continue to honor the current setting for Teams Apps made in the Teams admin center and for Outlook add-ins made in the Exchange admin center.
-
-#### How to unblock an app
-
-You can unblock an Enhanced Teams App so that it can start showing up in Microsoft 365 and Outlook.
-
-1. Sign in to Microsoft 365 admin center as a Global Administrator.
-2. Select **Settings**, and then select **Integrated Apps**.
-3. Select the **Blocked Apps** list.
-4. Select an app from the **Blocked Apps** list to launch the overview pane.
-5. Select **Unblock app**.
-6. Read the availability and deployment status that the app will revert to after unblocking. These are the last saved statuses of the app before it was blocked.
-7. Select **Unblock**. You can now see this app in the **Available Apps** list and/or the **Deployed Apps** list.
-
- :::image type="content" alt-text="How to unblock an app." source="../../media/to-unblock-app.png" lightbox="../../media/to-unblock-app.png":::
-
-### What happens to your existing settings for Teams and Outlook?
-
-Any existing settings made from the Teams admin center will continue to be honored on the Teams client.
-
-As an example, the _Foo_ Teams app recently upgraded to an Enhanced Teams app and is now available for Teams, Outlook, and Microsoft 365 (formerly known as Office.com).
-
-| |Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client|
-|||||
-|**If you had previously blocked the Foo Teams App on Teams admin center**|Users in your organization cannot download and use Foo on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
-|**If you had previously allowed the Foo Teams App on Teams admin center**|Users in your organization can download and use the Foo Enhanced Teams App on Teams.|Users in your organization can download and use Foo Enhanced Teams App in Microsoft 365. This can be controlled by admins on the Microsoft 365 admin center.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. This can be controlled by admins on the Microsoft 365 admin center.|
-
-Now that _Foo_ is an Enhanced Teams App, you can make changes to its availability from the Microsoft 365 admin center.
-
-| |Impact on Teams client|Impact on Microsoft 365|Impact on Outlook client|
-|||||
-|**If you block Foo Enhanced Teams App on Microsoft 365 admin center**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams admin center.|Users in your organization cannot download the Foo Enhanced Teams App in Microsoft 365, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|Users in your organization cannot download the Foo Enhanced Teams App on Outlook, and cannot use any previously installed (by user/admin) Foo enhanced teams app.|
-|**If you unblock Foo Enhanced Teams App on Microsoft 365 admin center.**|No impact. Users in your organization will continue to experience Teams behavior for Foo Enhanced Teams App based on the admin settings in Teams admin center.|Users in your organization can download and use Foo Enhanced Teams App on Microsoft 365. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|Users in your organization can download and use Foo Enhanced Teams App on Outlook. Users can use any previously installed (by user/admin) Foo Enhanced Teams App.|
-
-### Managing Office add-ins and Teams Apps
-
-You can continue to manage access to Office add-ins and Teams apps via the following settings:
--- Org Settings for access to Word, Excel, and PowerPoint Add-ins-- Exchange admin center for Outlook Add-ins-- Teams admin center for Teams Apps-
-You can continue to [deploy Office Add-ins via Integrated Apps](test-and-deploy-microsoft-365-apps.md#deploy-an-office-add-in-using-the-admin-center) and [Teams Apps via Teams admin center](/microsoftteams/manage-apps).
-
-#### How to deploy an Enhanced Teams app
-
-As a global admin, you can now deploy an Enhanced Teams App on Teams, Outlook, and Microsoft 365 (formerly known as Office.com) to a specific set of users, the entire organization, or just to yourself from Integrated Apps on Microsoft 365 admin center. Deploying an Enhanced Teams Apps means that it will be pre-installed for the selected users on the applicable hosts of the app.
-
-1. Sign in to Microsoft 365 admin center as a Global Administrator.
-2. Select **Settings** and then select **Integrated Apps**.
-3. Select **Get apps** in the **Deployed Apps** list. This opens up AppSource in embedded form from where you can select the Enhanced Teams App that you want to deploy.
-4. Next, you will see the deployment screen where general information about the app is given and the applicable products on which the app will be deployed.
-5. Click **Next** to select the set of users to whom you want to deploy the app.
-6. Next, accept permissions if there are any. Then select **Next**.
-7. Review and finish the deployment of the app. This app will now be pre-installed for all selected users in the applicable hosts.
-
-> [!NOTE]
-> The Enhanced Teams App will be deployed to all the applicable hosts to the assigned users, but will only show up in Microsoft 365 and Outlook at this time. Once support for other hosts is built, the Enhanced Teams App will start to show up in those clients based on the last saved setting of the app.
-
-#### Edit user access or remove an Enhanced Teams App via the Integrated Apps portal
-
-As a global admin, you can also take management actions on the Enhanced Teams Apps such as removing the deployment or editing user access to an Enhanced Teams App. Any changes made to an Enhanced Teams App will only apply to Microsoft 365 and Outlook at this time. Once additional hubs are supported, the changes will be reflected based on the last saved settings of the app.
-
-To remove the deployment of an Enhanced Teams app:
-
-1. Select **Remove app** in the overview tab of an Enhanced Teams App from the **Deployed Apps** list.
-2. Consent to the removal terms.
-3. Select **Remove**, then select **Done**.
-
-To edit the user assignment of an Enhanced Teams app:
-
-1. Select **Edit users** in the overview tab of an Enhanced Teams App from the **Deployed Apps** list.
-2. Change the user assignment to deploy this app for a new set of users.
-3. Select **Update**, then select **Done**.
-
-## Find published apps for testing and full deployment
-
-You can find, test, and fully deploy published apps that don't already appear in the list on the Integrated apps page. By purchasing and licensing the apps from the admin center, you can add Microsoft and Microsoft partner apps to your list from a single location.
-
-1. In the admin center, in the left nav, choose **Settings**, and then choose <a href="https://admin.microsoft.com/adminportal/home?#/Settings/IntegratedApps" target="_blank">**Integrated apps**</a>.
-
-2. Select **Get apps** to get a view of the apps.
-
-3. On the **Microsoft 365 Apps** published apps page, select the app you want to deploy by choosing **Get it now**. The apps displayed primarily are Word, PowerPoint, Excel, Outlook add-ins, Teams app and SharePoint apps (built on SharePoint Framework technology). Accept the permissions and select **Continue**.
-
-4. Select **Deploy** at the top of the page next to the message that refers to waiting to be deployed.
-
- If the app selected is linked to a SaaS offer by an ISV, all the other apps that are part of this linked offer will appear on the Configuration page. If you choose to deploy of all of the apps, select **Next**. Otherwise, select **Edit**, and choose which apps you want deployed. Some apps require you to add users before you can select **Deploy**.
-
-5. Select **Add users**, choose **Is this a test deployment**, and then choose **Entire organization** or **Specific users/groups** or **Just me**.
-
- Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization.
-
-6. Select **Next** to get to the **Accept permission request** page. The app capabilities and permissions of each of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
-
-7. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**. In the Microsoft 365 admin center, you can see the status of each deployed app and the date you deployed the app.
-
-> [!NOTE]
-> If an app was previously deployed from somewhere other than the Integrated Apps portal, the **Deployment Type** is **Custom.**
-
-## Unsupported scenarios
-
-You won't be able to deploy a single store app or Microsoft 365 Apps by partner from Integrated apps portal for the following scenarios.
--- The same add-in is linked to more than one SaaS offer.-- The SaaS offer is linked to add-ins, but it does not integrate with Microsoft Graph and no AAD App ID is provided.-- The SaaS offer is linked to add-ins, but AAD App ID provided for Microsoft Graph integration is shared across multiple SaaS offers.-
-## Upload custom line-of-business apps for testing and full deployment
-
-1. In the admin center, in the left nav, choose **Settings** and then **Integrated apps**.
-
-2. Select **Upload custom apps**. Only a custom line of apps for Word, PowerPoint, Excel, and Outlook is supported.
-
-3. Upload the manifest file from your device or add a URL link. Some apps require you to add users before you can select Deploy.
-
-4. Select **Add users**, choose **Is this a test Deployment**, and choose **Entire organization** or **Specific users/groups** or **Just me**.
-
- Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you want to wait to deploy the app to the entire organization.
-
-5. Select **Next** to get to the **Accept permission request** page. The app capabilities and permissions of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
-
-6. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**.
-
-## Prepare to deploy add-ins in Integrated apps
-
-Office Add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in).
-
-Add-ins provides the following benefits:
--- When the relevant Microsoft 365 app starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Microsoft 365 app.--- Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.-
-Add-ins are supported in three desktop platforms Windows, Mac and Microsoft 365 for the web. It is also supported in iOS and Android (Outlook Mobile Add-ins Only).
-
-It can take up to 24 hours for an add-in to show up for client for all users.
-
-Today both Exchange Admins and Global Admins can deploy add-ins from Integrated apps.
-
-### Before you begin
-
-Deployment of add-ins requires that the users are using Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3). The users also need to be signed into Microsoft 365 using their organizational ID) and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory.
-
-Deployment doesn't support the following:
--- Add-ins that target Word, Excel, or PowerPoint in Office 2013-- An on-premises directory service-- Add-in Deployment to an Exchange On-prem Mailbox-- Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins.-- Deployments of Microsoft 365 that do not include Exchange Online such as Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.-
-### Microsoft 365 Requirements
-
-For Word, Excel, and PowerPoint add-ins, your users must be using one of the following:
--- On a Windows device, Version 1704 or later of Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3).-- On a Mac, Version 15.34 or later.-
-For Outlook, your users must be using one of the following:
--- Version 1701 or later of Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium), Office 365 Enterprise licenses (E1/E3/E5/F3), or Microsoft 365 Enterprise licenses (E3/E5/F3).-- Version 1808 or later of Office Professional Plus 2019 or Office Standard 2019.-- Version 16.0.4494.1000 or later of Office Professional Plus 2016 (MSI) or Office Standard 2016 (MSI).-
- > [!NOTE]
- > MSI versions of Outlook show admin-installed add-ins in the appropriate Outlook ribbon, not the "My add-ins" section.
--- Version 15.0.4937.1000 or later of Office Professional Plus 2013 (MSI) or Office Standard 2013 (MSI).-- Version 16.0.9318.1000 or later of Office 2016 for Mac.-- Version 2.75.0 or later of Outlook mobile for iOS.-- Version 2.2.145 or later of Outlook mobile for Android.-
-### Exchange Online requirements
-
-Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying add-ins and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth authentication.
-
-Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
-
-### User and group assignments
-
-The deployment of add-in is currently supported to the majority of groups supported by Azure Active Directory, including Microsoft 365 groups, distribution lists, and security groups. Deployment supports users in top-level groups or groups without parent groups, but not users in nested groups or groups that have parent groups.
+We currently support most groups supported by Azure Active Directory, including Microsoft 365 groups, distribution lists, and security groups. We support users in top-level groups or groups without parent groups, but not users in nested groups or groups that have parent groups. To know more, read the documentation on [Assign users and groups to application](/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal).
> [!NOTE] > Non-mail enabled security groups are not currently supported.
-In the following example, Sandra, Sheila, and the Sales Department group are assigned to an add-in. Because the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an add-in.
+In the following example, Sandra, Sheila, and the Sales Department group are assigned to an app or add-in. Because the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an app or add-in.
![Diagram of sales department.](../../media/683094bb-1160-4cce-810d-26ef7264c592.png)
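Review bot: The added sentence "We currently support most groups supported by Azure Active Directory, including ... security groups" lists security groups without qualification, while the unchanged note directly below it says non-mail-enabled security groups are not supported. Suggest writing "mail-enabled security groups" in that list, so an admin who scopes a deployment by group does not assume a plain security group will receive the app. The rewrite from "Deployment supports users in top-level groups" to "We support users in top-level groups" also drops the subject that tied the nested-group limitation to deployment; consider keeping "Deployment supports" so the sentence still says what is affected.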
You can do the opposite query by resolving the group to see if it's a member of
Note that you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, see [Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
-## Recommended approach for deploying Office Add-ins
-
-To roll out add-ins by using a phased approach, we recommend the following:
-
-1. Roll out the add-in to a small set of business stakeholders and members of the IT department. You can turn on the flag **Is this a test deployment**. If the deployment is successful, move to step 2.
-
-2. Roll out the add-in to more individuals within the business. Again, evaluate the results and, if successful, continue with full deployment.
-
-3. Perform a full rollout to all users. Turn off the flag from **Is this a Test deployment**.
-
-Depending on the size of the target audience, you can add or remove roll-out steps.
-
-## Deploy an Office Add-in using the admin center
-
-1. In the admin center, select **Settings**, then select **Integrated apps**.
-
-2. Select **Get apps** at the top of the page. AppSource will load in an embedded format. Either search for an add-in or find it through clicking on Product on the left nav. If the add-in has been linked by the ISV to a SaaS app or other apps and add-ins and if the SaaS app is a paid app then you will be shown a dialog box to either buy the license or Deploy. Irrespective of whether you have bought the license or not you can go ahead with the deployment. Select **Deploy**.
-
-3. You will see the **Configuration** page where all the apps are listed. If you don't have permissions or the right access to deploy the app, the respective information will be highlighted. You can select the apps you want to deploy. By selecting **Next**, you will view the **Users** page. If the add-in hasn't been linked by the ISV, you will be routed to the Users page.
-
-4. Select **Everyone**, **Specific users/groups**, or **Just me** to specify whom the add-in is deployed to. Use the Search box to find specific users or groups. If you are testing the add-in, select **Is this a test deployment**.
-
-5. Select **Next**. All the app capabilities and permissions are displayed in a single pane along with certification info if the app has Microsoft 365 certification. Selecting the certification logo lets the user see more details about the certification.
-
-6. Review, and then select **Finish deployment**.
+## What controls are available on the Integrated Apps portal?
-7. A green "tick" icon appears when the add-in is deployed. Follow the on-page instructions to test the add-in.
+As an admin, the following app/add-in types can be managed from the Integrated apps portal on the Microsoft 365 admin center.
-> [!NOTE]
-> Users might need to relaunch Microsoft 365 to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
-
-It's good practice to inform users and groups that the deployed add-in is available. Consider sending an email that describes when and how to use the add-in. Include or link to help content or FAQs that might help users if they have problems with the add-in.
-
-## Considerations when assigning an add-in to users and groups
-
-Global admins and Exchange admins can assign an add-in to everyone or to specific users and groups. Each option has implications:
--- **Everyone**: This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.--- **Users**: If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.--- **Groups**: If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin.--- **Just me**: If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.-
-The right option for your organization depends on your configuration. However, we recommend making assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and controlling the membership of those groups rather than assigning individual users each time. In some situations, you might want to restrict access to a small set of users by making assignments to specific users by assigning users manually.
-
-### More about Office Add-ins security
-
-Office Add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:
--- Display data.-- Read a user's document to provide contextual services.-- Read and write data to and from a user's document to provide value to that user.-
-For more information about the types and capabilities of Office Add-ins, see [Office Add-ins platform overview](/office/dev/add-ins/overview/office-add-ins), especially the section "Anatomy of an Office Add-in."
-
-To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, see [Requesting permissions for API use in content and task pane add-ins](/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
-
-When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.
-
-Updates for add-ins happen as follows:
--- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.--- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Microsoft 365 apps start, the add-in will update. The web application can change at any time.-
-> [!NOTE]
-> For Word, Excel, and PowerPoint use a [SharePoint App Catalog](/sharepoint/dev/sp-add-ins/publish-sharepoint-add-ins) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
+|Type|Supported Host Products (any or all)|What can admins control on Integrated Apps portal?|Which admins can access the controls on Integrated Apps portal?|Other admin centers & related actions|
+||||||
+|Add-in|Outlook<br/><br/><br/> Word, Excel, PowerPoint|[Deploy/Edit deployed users/Remove deployment](/microsoft-365/admin/manage/office-addins#deploy-your-office-add-ins)|Exchange Admin<br/><br/> Global Admin<br/><br/> Azure Application Admin| Exchange Admin Center for default role assignment policy.<br/><br/> Microsoft 365 Admin Center > Org Settings for Office Store setting|
+|SPFx App|SharePoint|[Deploy/Remove deployment](/microsoft-365/admin/manage/office-addins#deploy-your-office-add-ins)|Global Admin|SharePoint Admin Center|
+|Web App|N/A|[Deploy/Edit deployed users](/microsoft-365/admin/manage/office-addins#deploy-your-office-add-ins) |Global Admin<br/><br/>Azure Application Admin|Azure Active Directory portal|
+|Teams app (manifest version less than 1.13)|Teams|[Block & Unblock](/microsoft-365/admin/manage/teams-apps-work-only-on-teams)|Global Admin|Go to Teams admin center for default tenant setting, deployment and managing availability|
+|Teams app (manifest version equal to or greater than 1.13)|Outlook<br/><br/> Microsoft 365 App<br/><br/> Teams| [Deploy/Edit deployed users/Remove deployment](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365#deploy-a-teams-app-that-works-on-outlook-and-the-microsoft-365-app-via-the-integrated-apps-portal)<br/><br/> [Block & Unblock](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365#manage-how-users-can-install-teams-apps-on-outlook-and-the-microsoft-365-app) <br/><br/> [Manage availability>Edit users](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365#how-to-manage-the-availability-of-an-app-in-your-organization)<br/><br/> [Default setting for tenant](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365#customize-default-settings-for-teams-apps-that-work-on-outlook-and-the-microsoft-365-app)|Global Admin<br/><br/>Azure Application Admin|Go to Teams admin center to manage how this app shows up in Teams for users in your organization.|
-## Add-in states
+## Other admin centers
-An add-in can be in either the **On** or **Off** state.
-
-|State|How the state occurs|Impact|
-||||
-|**Active**|Admin uploaded the add-in and assigned it to users or groups.|Users and groups assigned to the add-in see it in the relevant clients.|
-|**Turned off**|Admin turned off the add-in.|Users and groups assigned to the add-in no longer have access to it. <br/> If the add-in state is changed to Active, the users and groups will have access to it again.|
-|**Deleted**|Admin deleted the add-in.|Users and groups assigned the add-in no longer have access to it.|
-
-Consider deleting an add-in if no one is using it anymore. For example, turning off an add-in might make sense if an add-in is used only during specific times of the year.
-
-## Manage an Office Add-in using the admin center
-
-Post deployment, admins can also manage user access to add-ins.
-
-1. In the admin center, select **Settings**, then select **Integrated apps**.
-2. On the Integrated apps page, it will display a list of apps will be either single add-ins or add-ins that have been linked with other apps.
-3. Select an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
-4. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
-5. Select **Users**, select **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups** or **Just me**. You can also select **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
-6. Select **Update** and then select **Done**. You can now select **Deploy** on the **Overview** tab.
-7. Review the app information, and then select **Deploy**.
-8. Select **Done** on the **Deployment completed** page, and review the details of the test or full deployment on the **Overview** tab.
-9. If the app has a status of **Update pending**, you can click on the app to open the **Manage** pane and update the app.
-10. To just update users, select the **Users** tab and make the appropriate change. Select **Update** after making your changes.
-
-> [!NOTE]
-> Only the admin who deployed the add-in or a global admin can manage that add-in.
-
-## Delete an add-in
-
-You can also delete an add-in that was deployed.
-
-1. In the admin center, select **Settings**, then select **Integrated apps** .
-2. Select any row to display the management pane.
-3. Select the **Configuration** tab.
-4. Select the add-in that you want to delete and then select **Remove**.
-
-> [!NOTE]
-> If the add-in has been deployed by another admin, then the Remove button will be disabled. Only the admin who has deployed the app or a global admin can delete the add-in.
-
-## Scenarios where Exchange admin cannot deploy an add-in
+You can continue to manage access to Office add-ins and Teams apps via the following settings:
-There are two cases in which an Exchange Admin won't be able to deploy an add-in:
+- Org Settings for access to Word, Excel, and PowerPoint Add-ins
+- Exchange admin center for Outlook Add-ins
+- Teams admin center for Teams Apps
-- If an add-in needs permission to MS Graph APIs and needs consent from a global admin.-- If an add-in is linked to two or more add-ins and webapps, and at least one of these add-ins is deployed by another admin (exchange/global) and the user assignment is not uniform. We only allow deployment of add-ins when the user assignment is the same for all the already deployed apps.
+You can continue to deploy [Office Add-ins via Integrated Apps](/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md#deploy-an-office-add-in-using-the-admin-center) and [Teams Apps via Teams admin center](/microsoftteams/manage-apps).
## Frequently asked questions ### Which administrator role do I need to access Integrated apps?
-Only global admins and Exchange admins can access Integrated Apps. Integrated apps won't show up in the left nav for other administrators.
+Only Global Admins, Azure Application Admins and Exchange admins can access Integrated Apps.
-### Why do I see Add-in in the left nav under Setting but not Integrated apps?
+- Global admins can edit all controls for all apps and add-ins in Integrated Apps
+- Azure Application admins can edit controls for Teams apps that work on Outlook and the Microsoft 365 app and Office/Outlook add-ins
+- Exchange Admins can edit any controls for Outlook add-ins.
-There could be a few reasons:
+Integrated apps won't show up in the left nav for other administrators.
-- The logged in administrator is an Exchange administrator.-- The customer is in sovereign cloud and Integrated apps experience is available to sovereign cloud customers yet.-
-### What apps can I deploy from Integrated apps?
+### Why do I see Add-in in the left nav under Setting but not Integrated apps?
-Integrated apps allow deployment of Web Apps, Teams app, Excel, PowerPoint, Word, Outlook add-ins, and SPFx apps. For add-ins, Integrated apps support deployment to Exchange online mailboxes and not on-premises Exchange mailboxes.
+Integrated apps allow deployment of Web Apps, Excel, PowerPoint, Word, Outlook add-ins, SPFx apps and Teams apps that work on Outlook and the Microsoft 365 App. For add-ins, Integrated apps support deployment to Exchange online mailboxes and not on-premises Exchange mailboxes.
### Can administrators delete or remove apps? Only the admin who deployed the app or add-in or a global admin can delete or remove it. -- Select an app from the list view. On the **Configuration** tab, select which apps to remove.
+Select an app from the list view. On the Configuration tab, select which apps to remove.
### Is Integrated apps available in sovereign cloud?
-No. Integrated apps aren't available to sovereign cloud customers.
+No. Integrated apps aren't available to sovereign cloud customers at this time.
### Is Integrated apps available in government clouds?
-No. Integrated apps aren't available to government cloud customers.
+No. Integrated apps aren't available to government cloud customers at this time.
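Review bot: In the FAQ, the re-added heading "### Why do I see Add-in in the left nav under Setting but not Integrated apps?" is now followed by the paragraph "Integrated apps allow deployment of Web Apps, Excel, PowerPoint, ...", which answered the removed heading "### What apps can I deploy from Integrated apps?", so the question and its answer no longer match. Restore the "What apps can I deploy" heading above that paragraph, or give the "Why do I see Add-in" question its own answer. The role scopes in this change also disagree: the new table lists Azure Application Admin for Web Apps and lists Exchange Admin against the combined Outlook and Word, Excel, PowerPoint add-in row, while the FAQ bullets limit Azure Application admins to Teams apps and Office/Outlook add-ins and Exchange Admins to Outlook add-ins. Align the two so a reader can tell which role can deploy what. Last, the link `/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md#deploy-an-office-add-in-using-the-admin-center` keeps a `.md` extension that the other site-relative links added in this change do not use.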
admin Parity Between Azure Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/parity-between-azure-information-protection.md
Following is a list of gaps between AIP for Office 365 operated by 21Vianet and
- Download label and label policies: `*.protection.partner.outlook.cn` - Azure Rights Management service: `*.aadrm.cn`
+- Document Tracking and Revocation *by users* is currently not available.
+ ## Configure AIP for customers in China To configure AIP for customers in China:
compliance Communication Compliance Case Study https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-case-study.md
Contoso IT administrators take the following steps to verify the licensing suppo
### Permissions for communication compliance
-There are five role groups used to configure permissions to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, Contoso administrators are assigned the *Communication Compliance Admins* role.
+There are [five solution role groups used to configure permissions to manage communication compliance features](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance). To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, Contoso administrators are assigned the *Communication Compliance Admins* role.
-Contoso decides to use the *Communication Compliance* role group assign all the communication compliance administrators, analysts, investigators, and viewers to the group. This role group configuration makes it easier for Contoso to get started quickly and best fits their compliance management requirements.
-
-|**Role**|**Role permissions**|
-|:--|:--|
-| **Communication Compliance** | Use this role group to manage communication compliance for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and viewers, you can configure communication compliance permissions in a single group. This role group contains all the communication compliance permission roles. This role group configuration is the easiest way to quickly get started with communication compliance and is a good fit for organizations that don't need separate permissions defined for separate groups of users. |
-| **Communication Compliance Admins** | Use this role group to initially configure communication compliance and later to segregate communication compliance administrators into a defined group. Users assigned to this role group can create, read, update, and delete communication compliance policies, global settings, and role group assignments. Users assigned to this role group can't view message alerts. |
-| **Communication Compliance Analysts** | Use this group to assign permissions to users that will act as communication compliance analysts. Users assigned to this role group can view policies where they're assigned as Reviewers, view message metadata (not message content), escalate to additional reviewers, or send notifications to users. Analysts can't resolve pending alerts. |
-| **Communication Compliance Investigators** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to additional reviewers, escalate to an eDiscovery (Premium) case, send notifications to users, and resolve the alert. |
-| **Communication Compliance Viewers** | Use this group to assign permissions to users that will manage communication reports. Users assigned to this role group can access all reporting widgets on the communication compliance home page and can view all communication compliance reports. |
+Contoso decides to use the *Communication Compliance* role group and assign all the communication compliance administrators, analysts, investigators, and viewers to the group. This role group configuration makes it easier for Contoso to get started quickly and best fits their compliance management requirements.
1. Contoso IT administrators sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com/permissions) permissions page using credentials for a global administrator account and select the link to view and manage roles in Microsoft 365. 2. In the Microsoft Purview compliance portal, they go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">**Permissions**</a> and select the link to view and manage roles in Office 365.
-3. The administrators select the *Communication Compliance* role group, then select **Edit role group**.
-4. The administrators select **Choose members** from the left navigation pane, then select **Edit**.
-5. They select **Add** and then select the checkbox for all Contoso users that will manage communication compliance, investigate, and review alerts.
-6. The administrators select **Add**, then select **Done**.
-7. They select **Save** to add Contoso users to the role group. They select **Close** to complete the steps.
+3. The administrators select the *Communication Compliance* role group, and then select **Edit role group**.
+4. The administrators select **Choose members** from the left navigation pane, and then select **Edit**.
+5. They select **Add**, and then select the checkbox for all Contoso users who will manage communication compliance, and who will investigate and review alerts.
+6. The administrators select **Add**, and then select **Done**.
+7. They select **Save** to add Contoso users to the role group, and then select **Close** to complete the steps.
## Step 2: Accessing communication compliance
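Review bot: With the role table removed, the paragraph "Contoso decides to use the *Communication Compliance* role group and assign all the communication compliance administrators, analysts, investigators, and viewers to the group" no longer says what that group grants. The removed row stated that "This role group contains all the communication compliance permission roles"; keep one sentence to that effect next to the Contoso decision, so the reader sees that every member gets the full permission set without having to follow the new link to find out.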
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
Depending on how you want to manage communication compliance policies and alerts
Choose from these solution role group options when configuring and managing communication compliance:
-| Role | Role permissions |
-|:--|:--|
-| **Communication Compliance** | Use this role group to manage communication compliance for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and viewers, you can configure communication compliance permissions in a single group. This role group contains all the communication compliance permission roles. This configuration is the easiest way to quickly get started with communication compliance and is a good fit for organizations that don't need separate permissions defined for separate groups of users. Users that create policies as a communication compliance administrator must have their mailbox hosted on Exchange Online.|
-| **Communication Compliance Admins** | Use this role group to initially configure communication compliance and later to segregate communication compliance administrators into a defined group. Users assigned to this role group can create, read, update, and delete communication compliance policies, global settings, and role group assignments. Users assigned to this role group can't view message alerts. Users that create policies as a communication compliance administrator must have their mailbox hosted on Exchange Online.|
-| **Communication Compliance Analysts** | Use this group to assign permissions to users that will act as communication compliance analysts. Users assigned to this role group can view policies where they're assigned as Reviewers, view message metadata and content, and escalate to additional reviewers. Analysts can resolve pending alerts. |
-| **Communication Compliance Investigators** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to additional reviewers, escalate to an eDiscovery (Premium) case, send notifications to users, and resolve the alert. |
-| **Communication Compliance Viewers** | Use this group to assign permissions to users that will manage communication reports. Users assigned to this role group can access all reporting widgets on the communication compliance home page and can view all communication compliance reports. |
+|Actions|Communication Compliance|Communication Compliance Admins|Communication Compliance Analysts|Communication Compliance Investigators|Communication Compliance Viewers|
+||-|-|-|-|-|
+|Configure policies and settings|Yes|Yes|No|No|No|
+|Access and investigate alerts|Yes|No|Yes|Yes|No|
+|View **Conversation** and **Translation** tabs for a specific message|Yes|No|No|Yes|No|
+|Do advanced remediation actions: Escalate for investigation; Remove message in Teams; Download; Run Power Automate flow|Yes|No|No|Yes|No|
+|Create message details report |Yes|No|No|Yes|No|
+|Access reports|Yes|No|No|No|Yes|
+|Manage settings: privacy, notice templates, and so on|Yes|Yes|No|No|No|
+|View and export policy updates|Yes|Yes|No|No|Yes|
### Option 1: Assign all compliance users to the Communication Compliance role group
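Review bot: The new action matrix (rows "Configure policies and settings" through "View and export policy updates") drops two statements from the removed role descriptions that have no row to carry them: "Users that create policies as a communication compliance administrator must have their mailbox hosted on Exchange Online", and that the Admins group can change "role group assignments". Suggest a note under the table for the mailbox requirement and a row for managing role group assignments. The removed Analysts row also said analysts can "view message metadata and content" and "resolve pending alerts", but the matrix only offers "Access and investigate alerts"; explicit rows for viewing message content and for resolving alerts would make clear what separates Analysts from Investigators.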
compliance Communication Compliance Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-plan.md
Select dedicated stakeholders to investigate and review the alerts and cases on
### Configure permissions
-There are six role groups used to configure initial permissions to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, you must be assigned to one of the following roles or role groups:
--- Azure Active Directory [*Global Administrator*](/azure/active-directory/roles/permissions-reference#global-administrator) role-- Azure Active Directory [*Compliance Administrator*](/azure/active-directory/roles/permissions-reference#compliance-administrator) role-- Microsoft Purview compliance portal [*Organization Management*](/microsoft-365/security/office-365-security/scc-permissions) role group-- Microsoft Purview compliance portal [*Compliance Administrator*](/microsoft-365/security/office-365-security/scc-permissions) role group-- *Communication Compliance* role group-- *Communication Compliance Admins* role group-
-Members of the following roles have the same solution permissions included with the *Communication Compliance Admins* role group:
--- Azure Active Directory *Global Administrator*-- Azure Active Directory *Compliance Administrator*-- Microsoft Purview compliance portal *Organization Management*-- Microsoft Purview compliance portal *Compliance Administrator*-
-> [!IMPORTANT]
-> Make sure you always have at least one user in the *Communication Compliance* or *Communication Compliance Admins* role groups (depending on the option you choose) so that your communication compliance configuration doesn't get in to a 'zero administrator' scenario if specific users leave your organization.
-
-Depending on how you wish to manage communication compliance policies and alerts, you'll need to assign users to specific role groups to manage different sets of communication compliance features. You have the option to assign users with different compliance responsibilities to specific role groups to manage different areas of communication compliance features. Or you may decide to assign all user accounts for designated administrators, analysts, investigators, and viewers to the *Communication Compliance* role group. Use a single role group or multiple role groups to best fit your compliance management requirements.
-
-Choose from these solution role group options when configuring and managing communication compliance:
-
-|**Role**|**Role permissions**|
-|:--|:--|
-| **Communication Compliance** | Use this role group to manage communication compliance for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and viewers, you can configure communication compliance permissions in a single group. This role group contains all the communication compliance permission roles. This configuration is the easiest way to quickly get started with communication compliance and is a good fit for organizations that don't need separate permissions defined for separate groups of users. Users that create policies as a communication compliance administrator must have their mailbox hosted on Exchange Online. |
-| **Communication Compliance Admins** | Use this role group to initially configure communication compliance and later to segregate communication compliance administrators into a defined group. Users assigned to this role group can create, read, update, and delete communication compliance policies, global settings, and role group assignments. Users assigned to this role group can't view message alerts. Users that create policies as a communication compliance administrator must have their mailbox hosted on Exchange Online. |
-| **Communication Compliance Analysts** | Use this group to assign permissions to users that will act as communication compliance analysts. Users assigned to this role group can view policies where they're assigned as Reviewers, view message metadata and content, and escalate to additional reviewers. Analysts can resolve pending alerts. |
-| **Communication Compliance Investigators** | Use this group to assign permissions to users that will act as communication compliance investigators. Users assigned to this role group can view message metadata and content, escalate to additional reviewers, escalate to an eDiscovery (Premium) case, send notifications to users, and resolve the alert. |
-| **Communication Compliance Viewers** | Use this group to assign permissions to users that will manage communication reports. Users assigned to this role group can access all reporting widgets on the communication compliance home page and can view all communication compliance reports. |
+There are six role groups used to configure initial permissions to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, you must be assigned to one those groups. For more information, see [Enable permissions for communication compliance](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).
### Scoped users
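Review bot: The replacement paragraph under "Configure permissions" drops the `[!IMPORTANT]` callout about keeping at least one user in the *Communication Compliance* or *Communication Compliance Admins* role group to avoid a 'zero administrator' scenario. Please confirm the linked "Enable permissions for communication compliance" section still carries that warning, or keep a one-line version here, since this planning page is where role assignment is decided. The new sentence also reads "you must be assigned to one those groups": it is missing "of", and "those groups" no longer has a list to refer to now that the six role groups are not named on this page.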
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
For step-by-step instructions to turn on auditing, see [Turn audit log search on
Analytics within Insider Risk Management enables you to conduct an evaluation of potential insider risks that may lead to a data security incident in your organization without configuring any insider risk policies. Analytics check results may take up to 48 hours before insights are available as reports for review. These assessment results are aggregated and anonymized, and offer organization-wide insights, like the percentage of users performing potential sensitive data exfiltration activities.
-To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider risk management analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help you understand your insider risk posture and help you take action by setting up appropriate policies to identify risky users.
+To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings-analytics.md) and check out the [Insider risk management analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help you understand your insider risk posture and help you take action by setting up appropriate policies to identify risky users.
> [!NOTE] > To enable insider risk analytics, you must be a member of the Insider Risk Management or Insider Risk Management Admin.
compliance Compliance Manager Assessments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-assessments.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 05/16/2023 audience: Admin
description: "Build assessments in Microsoft Purview Compliance Manager that hel
**In this article:** Learn how to customize Compliance Manager for your organization by creating and managing **assessments**. This article walks you through how to create assessments, how to organize them into **groups**, working with **controls**, accepting **updates**, and exporting assessment **reports**.
+**New**: With integrated connectors, you can now can build assessments for services other than Microsoft to help you manage compliance across your digital estate. See [Set up connectors](#set-up-connectors) below for details.
+ [!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Introduction to assessments
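Review bot: The added **New** paragraph reads "you can now can build assessments", with "can" repeated. It also points to "Set up connectors below"; the anchor link is enough, and dropping "below" keeps the sentence correct if the section is moved.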
To get you started, Microsoft provides a **default** assessment for the **Micros
This assessment is used to calculate your initial compliance score the first time you come to Compliance Manager, before you configure any other assessments. Compliance Manager collects initial signals from your Microsoft 365 solutions. You'll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take. Compliance Manager becomes more helpful as you build and manage your own assessments to meet your organization's particular needs.
-## Understand groups before creating assessments
+## Initial steps before creating assessments
+
+Listed below are details about steps and information that will help you prepare for creating an assessment:
+
+- Plan a [grouping strategy](#groups-for-assessments) for your assesssments.
+- Understand [regulatory templates](compliance-manager-templates.md), which contain the controls and action recommendations for assessments.
+- Set up [connectors](#set-up-connectors) if you're assessing non-Microsoft services.
+
+## Groups for assessments
When you create an assessment, you must assign it to a group. Groups are containers that allow you to organize assessments in a way that is logical to you, such as by year or regulation, or based on your organization's divisions or geographies. This is why we recommend planning a grouping strategy before you create assessments. Below are examples of two groups and their underlying assessments:
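Review bot: Renaming the heading from "Understand groups before creating assessments" to "Groups for assessments" changes its anchor, so any link to `#understand-groups-before-creating-assessments` from other articles will stop resolving. The in-file reference is updated later in this change, but please check for inbound links from other pages before merging. The first new bullet also has a typo: "assesssments".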
Different assessments within a group or groups may share improvement actions. Im
- Deleting an assessment breaks the relationship between that assessment and the group. - Groups can't be deleted.
+## Set up connectors
+
+Compliance Manager has an integrated set of connectors to build assessments that cover non-Microsoft services like Salesforce and Zoom. Visit [Working with connectors](compliance-manager-connectors.md) to learn more and start the setup process.
+ ## Create assessments > [!NOTE] > Only users who hold a Global Administrator, Compliance Manager Administration, or Compliance Manager Assessor role can create and modify assessments. Learn more about [roles and permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles).
-Before you begin, be sure you know which group you'll assign it to, or be prepared to create a new group for this assessment. Read details about [groups and assessments](#understand-groups-before-creating-assessments). To create an assessment, you'll use a guided process to select a regulation and designate services.
+Before you begin, be sure you know which group you'll assign it to, or be prepared to create a new group for this assessment. Read details about [groups and assessments](#groups-for-assessments). To create an assessment, you'll use a guided process to select a regulation and designate services.
#### Create an assessment using a guided process
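Review bot: The new "Set up connectors" section does not mention the role needed to set up a connector, while the note directly under "Create assessments" lists only Global Administrator, Compliance Manager Administration, and Compliance Manager Assessor. The connectors article added in this same update requires a Data Connector Admin or Global Admin role, so an assessor who can create assessments may not be able to complete this step. Suggest adding one sentence here naming that role requirement.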
Before you begin, be sure you know which group you'll assign it to, or be prepar
1. **Review and finish:** Review all your selections and make any necessary edits. When you're satisfied with the settings, select **Create assessment**.
-The next screen confirms the assessment was created. When you select **Done**, you are taken to your new assessment's details page.
-
-If you see an **Assessment failed** screen after selecting **Create assessment**, select **Try again** to re-create your assessment.
+The next screen confirms the assessment was created. When you select **Done**, you are taken to your new assessment's details page. If you see an **Assessment failed** screen after selecting **Create assessment**, select **Try again** to re-create your assessment.
#### Edit an assessment
compliance Compliance Manager Connectors Salesforce https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors-salesforce.md
+
+ Title: "Salesforce connector setup for Microsoft Purview Compliance Manager"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/16/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- purview-compliance
+- m365solution-compliancemanager
+- m365initiative-compliance
+- tier1
+search.appverid:
+- MOE150
+- MET150
+description: "Configure settings in your Salesforce accounts in order to activate connectors for Microsoft Purview Compliance Manager."
++
+# Salesforce setup for Compliance Manager connector
+
+Follow the instructions on this page to enable the connection between your Salesforce account and the Compliance Manager connector for Salesforce.
+
+This process involves obtaining a token for a given Salesforce account. Therefore, if you activate multiple connectors for multiple Salesforce accounts, you'll need to repeat this process for each account in order to get the token
+
+## Setup steps
+
+1. Sign in to your Salesforce account with your credentials.
+
+1. Go to your account **Settings** and select **Reset My Security Token**. This can be done by any user.
+
+1. Select **Reset Security** to get a new security token sent to your email.
+ > [!IMPORTANT]
+ > If the security token for your account is used anywhere else, resetting the token may cause issues in those locations.
+
+1. Activate connector in Compliance Manager. When you activate a Salesforce connector in Compliance Manager, you'll provide your **Username**, **Password**, and **Security token**. Once you validate the connection during the connector activation process, you're all set up and ready to begin using the connector. Get details at [Working with connectors in Compliance Manager](compliance-manager-connectors.md).
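Review bot: The setup steps never say which Salesforce account should be used or what permissions it needs; step 2 only says "This can be done by any user", and step 4 then asks for that account's **Username**, **Password**, and **Security token**. Because these are standing credentials handed to the connector, please state the minimum permissions the connector needs and recommend a dedicated integration account rather than a personal or administrator login. It would also help to say what happens to the connector when the password or token is later changed, and to point to the "Editing a connector" section for updating them. Two smaller points: step 3 says "Select **Reset Security**" while step 2 names the option **Reset My Security Token**, so please confirm the button label; and the second intro paragraph ends at "in order to get the token" without a period.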
compliance Compliance Manager Connectors Zoom https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors-zoom.md
+
+ Title: "Zoom connector setup for Microsoft Purview Compliance Manager"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/16/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- purview-compliance
+- m365solution-compliancemanager
+- m365initiative-compliance
+- tier1
+search.appverid:
+- MOE150
+- MET150
+description: "Configure settings in your Zoom accounts in order to activate connectors for Microsoft Purview Compliance Manager."
++
+# Zoom setup for Compliance Manager connector
+
+Follow the instructions on this page to enable the connection between your Zoom account and the Compliance Manager connector for Zoom.
+
+## Overview
+
+Zoom must authenticate each HTTP request made to the Zoom API. Zoom supports different authentication methods. Compliance Manager connectors use the **Server-to-Server OAuth app**, which enables you to securely integrate with Zoom APIs and get your account owner access token without user interaction. This is different from the OAuth app type, which requires user authentication. This app type is added and managed across an account by account admins. This app type also enables you to utilize event subscriptions using Webhooks.
+
+## Setup steps
+
+#### 1. Enable permissions
+
+The user who handles the connector activation process for Zoom needs view and edit permissions so that they can set up a Server-to-Server OAuth app in Zoom. The administrator must enable the Server-to-Server OAuth app role by going to **User Management** > **Roles** > **Role Settings** > **Advanced features** and selecting the **View** and **Edit** checkboxes for **Server-to-Server OAuth** app. See Zoom's [Using role management](https://support.zoom.com/hc/articles/115001078646) for details.
+
+#### 2. Create a Server-to-Server OAuth app
+
+Follow the steps below to create a Server-to-Server OAuth app to use with account credentials.
+
+1. Sign in to your Zoom account and go to the Zoom App Marketplace: https://marketplace.zoom.com/develop/create.
+1. From the **Develop** drop-down menu, select **Build application**.
+1. Find the **Server-to-Server OAuth** app type card, then select **Create**.
+1. Enter a name for your app, then select **Create**.
+1. On the **App credentials** page: View and copy your Account ID, Client ID and Client secret.
+ > [!TIP]
+ > You'll enter these credendials when activating the Zoom connector in Compliance Manager. The client secret expires one hour after you generate it, so you may want to activate the Zoom connector in Compliance Manager soon after creating the Server-to-Server OAuth app.
+1. On the **Information** page: Add information about your app, such as a short description and developer contact information (name and email address is required for activation).
+1. On the **Feature** page: Set the toggle to your preferred setting for event subscriptions. If enabled, choose the event subscriptions you'd like to use.
+1. On the **Scopes** page: If you have the role permission to add scopes, add any scopes that youΓÇÖd like to enable. Choose **Add Scopes** to search for and add scopes. Select the required scopes listed below, which are required for Microsoft APIs:
+ - user:read:admin
+ - account:read:admin
+1. On the **Activation** page: Select **Activate your app**. Your app should be activated. If you see errors preventing activation, address them and retry the activation. You won't be able to generate an access token to make API calls unless your app is activated.
+
+If your app is deactivated, existing tokens will no longer work. You can also choose to deactivate your app in this section.
+
+#### 3. Activate connector in Compliance Manager
+
+When you activate a Zoom connector in Compliance Manager, you'll provide your Account ID, Client ID, and Client secret. Once you validate the connection during the connector activation process, you're all set up and ready to begin using the connector. Get details at [Working with connectors in Compliance Manager](compliance-manager-connectors.md).
+
+You can always retrieve your app credentials by following these steps:
+
+1. From the Zoom App Marketplace, select **Manage** in the upper right corner.
+1. Select the app you created in step 2 above.
+1. On the **App credentials** page, select **Copy** next to the credentials you need to copy.
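Review bot: The `[!TIP]` in step 5 says "The client secret expires one hour after you generate it", but section 3 says "You can always retrieve your app credentials" from the **App credentials** page. Both cannot hold as written. Please confirm with the Zoom documentation whether the one-hour lifetime applies to the access token rather than the client secret, and correct the tip. On the **Scopes** step, "add any scopes that you'd like to enable" invites over-granting to an app that acts with account-level access without user interaction; suggest telling readers to add only the two required scopes (`user:read:admin`, `account:read:admin`). The same applies to the **Feature** step, which could say whether the connector needs event subscriptions at all. The tip also has a typo, "credendials", and the **Scopes** step contains a mis-encoded apostrophe ("youΓÇÖd").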
compliance Compliance Manager Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors.md
+
+ Title: "Connectors for Microsoft Purview Compliance Manager"
+f1.keywords:
+- NOCSH
+++ Last updated : 05/16/2023
+audience: Admin
++
+ms.localizationpriority: medium
+
+- purview-compliance
+- m365solution-compliancemanager
+- m365initiative-compliance
+- tier1
+search.appverid:
+- MOE150
+- MET150
+description: "Set up connectors to build assessments for non-Microsoft services in Microsoft Purview Compliance Manager."
++
+# Working with connectors in Compliance Manager
+
+Compliance Manager offers a comprehensive set of connectors designed to help you gain a clear understanding of your compliance obligations across the services used in your organization. The connectors provide a seamless link to non-Microsoft services so that you can include them in your assessments and take advantage of automatic monitoring and testing of controls. Connecting your services to Compliance Manager requires a few simple setup steps. Once your connector is activated, you can select it as an in-scope service when creating an assessment.
+
+## Available connectors
+The connectors available for Compliance Manager are listed below, with more available in the coming months.
+
+- Salesforce
+- Zoom
+
+> [!IMPORTANT]
+> Compliance Manager connectors are unique to the Compliance Manager solution and are set up within Compliance Manager. The data connectors that are accessed from the left navigation of the Microsoft Purview compliance portal aren't compatible with Compliance Manager. We recommend interacting with connectors by always selecting **Data connectors** in the upper right corner of Compliance Manager to ensure that any connectors you activate are the ones built specifically for use with Compliance Manager.
+
+## Required roles for setting up connectors
+
+Users must have a Data Connector Admin role or Global Admin role in order to set up Compliance Manager connectors.
+
+## Connector setup steps
+
+1. [Configure settings in your service so that it can integrate with the connector.](#step-1-configure-service-settings-to-enable-the-connector)
+1. [Activate the connector in Compliance Manager.](#step-2-activate-the-connector-in-compliance-manager)
+1. [Select the connector when building an assessment.](#step-3-add-a-connector-to-assessments)
+
+## Step 1. Configure service settings to enable the connector
+
+For each service, you'll need to do some configurations and get basic information about your accounts. This information is used to create the connection between the service and the Compliance Manager connector so that the connector can retrieve the necessary signals. Visit the pages below and follow the setup instructions before you activate its connector in Compliance
+
+- [Salesforce setup](compliance-manager-connectors-salesforce.md)
+- [Zoom setup](compliance-manager-connectors-zoom.md)
+
+## Step 2. Activate the connector in Compliance Manager
+
+The next step is to "activate a connector" in Compliance Manager by connecting to your desired service. After you activate a connector, you can select it as a service to be monitored when creating an assessment. The connector allows Compliance Manager to receive signals from your designated non-Microsoft service and evaluate configurations in order to determine whether controls are passing or failing.
+
+If you have more than one account for your product, such as accounts for production, for development and testing, for backup disaster recovery, etc., you'll need to activate a connector for each separate account. We refer to each account within a service as a **service instance**.
+
+Follow the steps below to activate a connector:
+
+1. In Compliance Manager, select **Data connectors** in the upper right corner of your screen. You're taken to the Compliance Manager page within the **Data connectors** area of the Microsoft Purview compliance portal.
+
+1. The page displays a list of available connectors to choose from. Select the checkbox next to the name for the product whose connector you want to activate, then select **Activate connector**.
+
+1. You see an information page with details about the connector. Select **Add connector**, which takes you into the connector setup wizard.
+
+1. Review the Microsoft Terms of Service, then select **Accept**.
+
+1. On the **Connector name** page, enter a unique name. You might want a name that helps identify which account the connector is for; for example, "Salesforce Prod" for your Salesforce production account. Then select **Next**.
+
+1. On the **Authentication** page, enter the credentials for the account that you want to link to the connector. The specific fields depend on the service you're connecting to, but are usually a variation of email or account ID, password, and token. See the setup instructions for each service to learn how to get this information. When done entering authentication information, select **Validate connection**. It takes a few seconds to validate the connection.
+
+1. If the connection to your account is validated, you see a **Validation succeeded** message. If validation fails, enter your credentials again until the connection is validated. Select **Next**.
+
+1. On the **Review and finish** page, review the connector details for accuracy. Select **Back** if you need to make changes. Select **Finish** to complete the process.
+
+You'll arrive back at the Compliance Manager data connectors page. Go to **My activated connectors** tab to view your connector, along with any other connectors created by your organization. If you don't see the newly created connector, refresh your browser.
+
+## Step 3. Add a connector to assessments
+
+Now you're ready to build an assessment with a connector so that it tracks progress related to the desired service.
+
+1. From the **Assessments** page in Compliance Manager, select **Add assessment**.
+
+1. From here, begin following the general [assessment creations instructions](compliance-manager-assessments.md#create-an-assessment-using-a-guided-process).
+ > [!TIP]
+ > When selecting a regulation for the assessment, the **Supported services** column on the **Select regulation** flyout pane shows which services are supported by the regulation template. If the service related to your connector isn't listed, the connector won't show up as an option in step 3, below.
+
+1. When you arrive at the **Select services** page and choose **Select services**, you should see the name of the product related to your activated connector; for example, Salesforce. Check the box next to the service name, select **Add**, then select **Next**.
+
+1. At the **Service instances** page, you choose one or more connectors you've activated for the service. On the row listing your service, select **Manage service instances**.
+
+1. A flyout pane lists all the service instances for your connector. Each instance represents a connector activated by your organization. All service instances are checked by default. If you want the assessment to cover all instances, which means the assessment uses all connectors you activated for that service, leave them all checked and select **Cancel**. Or, uncheck any instances that you don't want to cover in the assessment and select **Update**.
+
+1. Back at the **Service instances** page, select **Next**.
+
+1. On the **Review and finish** page, confirm all your selections are correct, then select **Create assessment**.
+
+The next screen confirms the assessment was created. When you select **Done**, you're taken to your new assessment's details page.
+
+## Viewing service data in an assessment
+
+The assessment details page shows a detailed view of the assessment's rate of progress. When you add a connector as a service for the assessment, you see the connector name as one of the services listed on the assessment's **Progress** tab. You can view more details about service progress by selecting **View service details**.
+
+## Automated monitoring for connectors
+
+Every 24 hours, connector signals are refreshed and any updated status is reflected in your assessment. This means that Compliance Manager provides daily automated refreshed status of configurations in the products for which you've activated connectors.
+
+All improvement actions that are monitored through connectors are automatically monitored and tested so that Compliance Manager can determine whether controls are passing or failing. Improvement action test status is reflected in your assessments so that you can take the necessary actions in your non-Microsoft products to satisfy a control requirement.
+
+## Editing a connector
+
+If you need to edit a connector's name or account credentials, select the connector from your **My activated connectors** page and select the **Edit** command at the top of your connectors list.
+
+## Deleting a connector
+
+To delete a connector, you need to first locate your connector in the Purview **Data connectors** area. Connectors can't be deleted when you access them through the **Data connectors** link in the upper right corner of Compliance Manager. Follow the instructions below to delete a connector:
+
+1. In the Microsoft Purview compliance portal, select **Data connectors** in the left nav.
+1. Select the **My Connectors** tab.
+1. Locate the connector that you want to delete on the list and select the checkbox next to its name. Select the **Delete** command at the top of the list.
+1. In the delete confirmation dialog box, select **Delete**.
+
+Your connector is deleted and removed from the list of your connectors.
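Review bot: "Deleting a connector" ends at "Your connector is deleted and removed from the list" and does not say what happens to the credentials that were entered on the **Authentication** page, nor does it tell the admin to revoke them on the service side. Suggest adding a closing step to reset the Salesforce security token or deactivate the Zoom Server-to-Server OAuth app once the connector is no longer needed, and stating whether the stored credentials are purged. Other points in this file: the Step 1 paragraph is cut off at "before you activate its connector in Compliance"; Step 2 says "If validation fails, enter your credentials again until the connection is validated" without suggesting the admin first check the token or secret against the setup page; the tip in Step 3 refers to "step 3, below" although it sits under step 2 of an auto-numbered list; and step 5 of Step 3 tells the reader to keep all instances checked and select **Cancel**, which reads as if it discards the selection.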
compliance Compliance Manager Glossary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-glossary.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 05/16/2023 audience: Admin
This glossary provides a brief description of important terms and concepts in th
| **License** | In the context of Compliance Manager regulations: A single Compliance Manager license allows you to create an unlimited number of assessments for multiple versions of a regulation. | | **Regulation**| A rule or requirement imposed by a governing authority, such as a government agency, to achieve a specific purpose. Also commonly understood as a standard or framework. Compliance Manager supports several industry regulations, providing over 360 regulatory templates for building assessments. | | **Service**| A data source, such as Microsoft Azure or Amazon Web Services (AWS); or more broadly, the digital entity thatΓÇÖs being assessed and that benefits from the actions taken. For an assessment, you designate the service that it should evaluate. Completing an improvement action in the assessment will benefit the service. |
+| **Service instance**| For Compliance Manager connectors, each service instance represents an account with a non-Microsoft service provider. For example, an organization may have multple accounts in Salesforce, such as one for development and testing, one for prodcution, etc. Connectors are set up for each service instance using one email address and password. So an organization may have several connectors for one service, which enables the organization to monitor assessment progress across all instances of a service. |
| **Solution**| A feature or capability used to complete an improvement action. For example, a Microsoft product, such as Microsoft Data Loss Prevention, or a setting in a service like Azure or AWS. |
-| **Subscription**| A type of account to create, assess, and manage a service such as Azure, Google Cloud Platform, or Amazon Web Services. Examples: an Azure account for development and testing purposes, an Azure account for production, etc. |
+| **Subscription**| A type of account to create, assess, and manage a service coverd by Microsoft Defender for Cloud, such as Azure, Google Cloud Platform, or Amazon Web Services. Examples: an Azure account for development and testing purposes, an Azure account for production, etc. |
| **Virtual resources**| A cloud computing-based resource that is managed virtually, such as VMs and virtual storage disks. |
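Review bot: The new **Service instance** entry says "Connectors are set up for each service instance using one email address and password", which does not match the setup pages added in this same update: Salesforce asks for Username, Password, and Security token, and Zoom asks for Account ID, Client ID, and Client secret. Suggest wording it as "using the credentials for that account" so the glossary does not imply that a password is always the credential. The entry also has the typos "multple" and "prodcution", and the revised **Subscription** entry has "coverd".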
compliance Compliance Manager Multicloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-multicloud.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 05/16/2023 audience: Admin
The services listed below can be assessed by Compliance
In addition, Compliance Manager provides a [universal version of regulatory templates](compliance-manager-templates.md#regulations-overview) that allows you to track compliance with any unsupported service through manual implementation and testing.
-WeΓÇÖll soon roll out a selection of data connectors built specifically for Compliance Manager that can support other non-Microsoft services such as Salesforce and Zoom.
+> [!TIP]
+> Compliance Manager has a dedicated selection of connectors to support other non-Microsoft services such as Salesforce and Zoom. Visit [Working with connectors in Compliance Manager](compliance-manager-connectors.md).
## Service subscriptions
compliance Compliance Manager Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 05/16/2023 audience: Admin
description: "Find out whatΓÇÖs new in Compliance Manger and whatΓÇÖs to come. R
Compliance Manager now integrates with Microsoft Defender for Cloud so you can assess your compliance posture across Microsoft 365, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) with resource-level testing and cloud-specific guidance. This new integration provides customers with a single interface in Compliance Manager to help make it easier to manage compliance across the organizationΓÇÖs digital estate. Learn more about [multicloud support in Compliance Manager](compliance-manager-multicloud.md).
+Compliance Manager also features an integrated set of connectors that can help you understand your compliance obligations across the many services you use in your organization. Connectors for Salesforce and Zoom are now available, with more coming soon. Learn more about [working with connectors in Compliance Manager](compliance-manager-connectors.md).
+ ## January 2023 In preview: Compliance Manager has new improvement actions that correspond to actions taken in Microsoft Priva to bolster your organization's compliance with data privacy regulations. Learn more about [Priva](/privacy/priv#testing-source-for-automated-testing) in Compliance Manager.
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
Also, you need to be aware of the following constraints of the platform:
## Policy templates
-DLP policy templates are pre-sorted into four categories:
+DLP policy templates are presorted into four categories:
- Ones that can detect and protect types of **Financial** information. - Ones that can detect and protect types of **Medical and health** information.
DLP supports associating policies with administrative units. See [Administrative
A DLP policy can find and protect items that contain sensitive information across multiple locations.
-|Location |Supports Administrative Units |Include/Exclude scope |Data state |Additional pre-requisites |
+|Location |Supports Administrative Units |Include/Exclude scope |Data state |Additional prerequisites |
|||||| |Exchange email online|Yes |distribution group | data-in-motion| No | |SharePoint online sites|No |sites | data-at-rest </br> data-in-use | No|
A DLP policy can find and protect items that contain sensitive information acros
|On-premises repositories (file shares and SharePoint)|No |repository | data-at-rest | - [Learn about the data loss prevention on-premises repositories](dlp-on-premises-scanner-learn.md) </br> - [Get started with the data loss prevention on-premises repositories](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-repositories) | |Power BI |No| workspaces | data-in-use | No|
-If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the emails sent by members of that group. Similarly excluding a distribution group will exclude all the emails sent by the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.
+#### Exchange location scoping
+
+If you choose to include specific distribution groups in Exchange, the DLP policy is scoped only to the emails sent by members of that group. Similarly excluding a distribution group excludes all the emails sent by the members of that distribution group from policy evaluation.
++
+|Sender is |Recipient is |Resultant behavior |
+||||
+|In scope |N/A |Policy is applied |
+|Out of scope |In scope |Policy isn't applied |
+
+##### Exchange location scope calculation
+
+Here's an example of how Exchange location scope is calculated
+
+Say you have four users in your org, *U1*, *U2*, *U3*, *U4* and, two distribution groups *DG1*, and *DG2* that you'll use for defining Exchange location inclusion and exclusion scopes. Group membership is set up like this:
++
+|Distribution Group |Membership |
+|||
+|DG1 |U1, U2 |
+|DG2 |U2, U3 |
+
+U4 isn't a member of any group.
++
+|Include setting |Exclude setting |Policy applies to |Policy doesn't apply to |Explanation of behavior|
+||||||
+|All |None |All senders in the Exchange org (U1, U2, U3, U4) |N/A |When neither are defined, all senders are included|
+|DG1 |None |Member senders of DG1 (U1, U2) |All senders who aren't members of DG1 (U3, U4) |When one setting is defined and the other isn't the defined setting is used|
+|All |DG2 |All senders in the Exchange org who aren't members of DG2 (U1, U4) |All senders who are members of DG2 (U2, U3) |When one setting is defined and the other isn't the defined setting is used |
+|DG1 |DG2 |U1 |U2, U3, U4 |Exclude overrides include|
+
+
+You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.
+
+#### SharePoint and OneDrive location scoping
If you choose to include or exclude specific SharePoint sites or OneDrive accounts, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations.
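Review bot: The new Sender/Recipient table under "Exchange location scoping" lists only two combinations (sender in scope, and sender out of scope with recipient in scope), so it never shows the case where both are out of scope. The paragraph above it says scoping follows the sender, so either add the missing row or say in one sentence that recipient membership doesn't change the result, if that is the intent. Smaller points in the same hunk: "Here's an example of how Exchange location scope is calculated" needs a closing colon, "*U4* and, two distribution groups *DG1*, and *DG2*" has misplaced commas, and both "When one setting is defined and the other isn't the defined setting is used" cells need a comma after "isn't".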
depending on the [location(s)](#location-support-for-how-content-can-be-defined)
The rule will only look for the presence of any **sensitivity labels** and **retention labels** you pick.
-SITs have a pre-defined [**confidence level**](https://www.microsoft.com/videoplayer/embed/RE4Hx60) which you can alter if needed. For more information, see [More on confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels).
+SITs have a predefined [**confidence level**](https://www.microsoft.com/videoplayer/embed/RE4Hx60) which you can alter if needed. For more information, see [More on confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels).
> [!IMPORTANT] > SITs have two different ways of defining the max unique instance count parameters. To learn more, see [Instance count supported values for SIT](sit-limits.md#instance-count-supported-values-for-sit).
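Review bot: On the changed SITs line, the link labelled "confidence level" goes to a video player embed URL (`https://www.microsoft.com/videoplayer/embed/RE4Hx60`), which a reader clicking a term would not expect. Since the next sentence already links to "More on confidence levels" for the definition, consider labelling the first link as a video or moving it to its own sentence while this line is being edited.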
and
- all actions for the non-Exchange location
-actions will be available.
+actions are available.
If you select two or more non-Exchange locations for the policy to be applied to, the
Whether an action takes effect or not depends on how you configure the mode of t
|Restrict access or encrypt content in Microsoft 365| EXO/SPO/ODB | | |Set headers | EXO | | |Remove header | EXO | |
-|Redirect the message to specific users | EXO| Total of 100 across all DLP rules. Cannot be DL/SG|
+|Redirect the message to specific users | EXO| Total of 100 across all DLP rules. Can't be DL/SG|
|Forward the message for approval to sender's manager | EXO | Manager should be defined in AD| |Forward the message for approval to specific approvers |EXO | Groups aren't supported|
-|Add recipient to the **To** box | EXO | Recipient count <= 10; Cannot be DL/SG|
-|Add recipient to the **Cc** box | EXO | Recipient count <= 10; Cannot be DL/SG|
-|Add recipient to the **Bcc** box | EXO | Recipient count <= 10; Cannot be DL/SG|
+|Add recipient to the **To** box | EXO | Recipient count <= 10; Can't be DL/SG|
+|Add recipient to the **Cc** box | EXO | Recipient count <= 10; Can't be DL/SG|
+|Add recipient to the **Bcc** box | EXO | Recipient count <= 10; Can't be DL/SG|
|Add the sender's manager as recipient | EXO | Manager attribute should be defined in AD| |Apply HTML disclaimer| EXO| | |Prepend subject| EXO| |
Alerts can be sent every time an activity matches a rule, which can be noisy or
![send an alert every time a rule matches or aggregate over time into fewer reports](../media/dlp-incident-reports-aggregation.png)
-DLP scans email differently than it does SharePoint Online or OneDrive for Business items. In SharePoint Online and OneDrive for Business, DLP scans existing items as well as new ones and generates an incident report whenever a match is found. In Exchange Online, DLP only scans new email messages and generates a report if there is a policy match. DLP ***does not*** scan or match previously existing email items that are stored in a mailbox or archive.
+DLP scans email differently than it does SharePoint Online or OneDrive for Business items. In SharePoint Online and OneDrive for Business, DLP scans existing items as well as new ones and generates an incident report whenever a match is found. In Exchange Online, DLP only scans new email messages and generates a report if there's a policy match. DLP ***does not*** scan or match previously existing email items that are stored in a mailbox or archive.
#### Evidence collection for file activities on devices (preview)
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
The **User activity report** for the selected user contains the **User activity*
## Alert dashboard
-Insider risk management alerts are automatically generated by risk indicators that are defined in insider risk management policies. These alerts give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take actions for discovered potential risks. By default, policies generate a certain amount of low, medium, and high severity alerts, but you can [increase or decrease the alert volume](insider-risk-management-settings.md#alert-volume) to suit your needs. Additionally, you can configure the [alert threshold for policy indicators](insider-risk-management-settings.md#indicator-level-settings) when creating a new policy with the policy creation tool.
+Insider risk management alerts are automatically generated by risk indicators that are defined in insider risk management policies. These alerts give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take actions for discovered potential risks. By default, policies generate a certain amount of low, medium, and high severity alerts, but you can [increase or decrease the alert volume](insider-risk-management-settings-intelligent-detections.md#alert-volume) to suit your needs. Additionally, you can configure the [alert threshold for policy indicators](insider-risk-management-settings-policy-indicators.md#indicator-level-settings) when creating a new policy with the policy creation tool.
Check out the [Insider Risk Management Alerts Triage Experience video](https://www.youtube.com/watch?v=KgmpxBLJLPI) for an overview of how alerts provide details, context, and related content for risky activity and how to make your investigation process more effective.
This section contains general information about the user and alert. This informa
- **User alert history**: Displays a list of alerts for the user for the last 30 days. Includes a link to view the complete alert history for the user. > [!NOTE]
-> When a user is detected as a potential high impact user, this information is highlighted in the alert header in the **User details** page. The user details also include a summary with the reasons the user has been detected as such. To learn more about setting policy indicators for potential high impact users, see [Insider risk management settings](insider-risk-management-settings.md#policy-indicators).
+> When a user is detected as a potential high impact user, this information is highlighted in the alert header in the **User details** page. The user details also include a summary with the reasons the user has been detected as such. To learn more about setting policy indicators for potential high impact users, see [Insider risk management settings](insider-risk-management-settings-policy-indicators.md).
Alerts generated from policies scoped to only activities that include [priority content](/microsoft-365/compliance/insider-risk-management-policies#prioritize-content-in-policies) include the *Only activity with priority content was scored for this alert* notification in this section.
Reviewing, investigating, and acting on potentially risky insider alerts are imp
If you're receiving too many valid alerts or have too many stale low-risk alerts, consider taking the following actions: -- **Enable analytics**: Enabling analytics can help you quickly identify potential risk areas for your users and help determine the type and scope of insider risk management policies that you might want to configure. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics). You can also get real-time insights from analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. For more information on real-time analytics for threshold settings, see [Indicator level settings](insider-risk-management-settings.md#indicator-level-settings).
+- **Enable analytics**: Enabling analytics can help you quickly identify potential risk areas for your users and help determine the type and scope of insider risk management policies that you might want to configure. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings-analytics.md). You can also get real-time insights from analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. For more information on real-time analytics for threshold settings, see [Indicator level settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
- **Adjust your insider risk policies**: Selecting and configuring the correct insider risk policy is the most basic method to address the type and volume of alerts. Starting with the appropriate [policy template](insider-risk-management-policy-templates.md#policy-templates) helps focus the types of risk activities and alerts you'll see. Other factors that may impact alert volume are the size of the in-scope user and groups and the content and [channels that are prioritized](insider-risk-management-policies.md#prioritize-content-in-policies). Consider adjusting policies to refine these areas to what is most important for your organization.-- **Modify your insider risk settings**: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you'll receive. These include settings for [policy indicators](insider-risk-management-settings.md#policy-indicators), [indicator thresholds](insider-risk-management-settings.md#indicator-level-settings), and [policy timeframes](insider-risk-management-settings.md#policy-timeframes). Consider configuring [intelligent detections](insider-risk-management-settings.md#intelligent-detections) options to exclude specific file types and sensitive info types, trainable classifiers, define minimum thresholds before activity alerts are reported by your policies, and change the alert volume configuration to a lower setting.
+- **Modify your insider risk settings**: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you'll receive. These include settings for [policy indicators](insider-risk-management-settings-policy-indicators.md), [indicator thresholds](insider-risk-management-settings-policy-indicators.md#indicator-level-settings), and [policy timeframes](insider-risk-management-settings-policy-timeframes.md). Consider configuring [intelligent detections](insider-risk-management-settings-intelligent-detections.md) options to exclude specific file types and sensitive info types, trainable classifiers, define minimum thresholds before activity alerts are reported by your policies, and change the alert volume configuration to a lower setting.
- **Enable inline alert customization (preview)**: Enabling [inline alert customization](/microsoft-365/compliance/insider-risk-management-settings#inline-alert-customization-preview) allows analysts and investigators to quickly edit policies when reviewing alerts. They can update thresholds for activity detection with Microsoft recommendations, configure custom thresholds, or choose to ignore the type of activity that created the alert. If this is not enabled, then only users assigned to the *Insider Risk Management* role group can use inline alert customization. - **Bulk deletion of alerts where applicable**: It may help save triage time for your analysts and investigators to immediately [dismiss multiple alerts](insider-risk-management-activities.md#dismiss-multiple-alerts-preview) at once. You can select up to 400 alerts to dismiss at one time.
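Review bot: The "Enable inline alert customization (preview)" bullet in the trailing context still links to `/microsoft-365/compliance/insider-risk-management-settings#inline-alert-customization-preview`, while every other settings link in this hunk was repointed to a per-topic article. Check that the anchor still resolves on the settings page, and if that section moved too, update this link in the same change so the list doesn't mix old and new targets.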
Modern workplace users often have a wide variety of responsibilities and demands
- **Focus analyst and investigator efforts on the highest risk alerts first**. Depending on your policies, you may be capturing user activities and generating alerts with varying degrees of potential impact to your risk mitigation efforts. [Filter alerts](insider-risk-management-activities.md#filter-alerts-on-the-alert-dashboard) by severity and prioritize *High severity* alerts. - **Assign users as analysts and investigators**. Having the right user assigned to the proper roles is an important part of the insider risk alert review process. Make sure you've assigned the appropriate users to the *Insider Risk Management Analysts* and *Insider Risk Management Investigators* role groups. -- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings.md#policy-indicators), [file activity detection](insider-risk-management-settings.md#file-activity-detection), [domains](insider-risk-management-settings.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings) for your policies.
+- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings-policy-indicators.md), [file activity detection](insider-risk-management-settings-intelligent-detections.md#file-activity-detection), [domains](insider-risk-management-settings-intelligent-detections.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings) for your policies.
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
To run, manage, or create Power Automate flows for an insider risk management ca
2. Choose the Power Automate flow to run, then select **Run flow**. 3. After the flow has completed, select **Done**.
-To learn more about Power Automate flows for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings.md#power-automate-flows-preview).
+To learn more about Power Automate flows for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings-power-automate.md).
### View or create a Microsoft Teams team for the case
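Review bot: On the added Power Automate line, the link text still reads "Getting started with insider risk management settings" but the target is now `insider-risk-management-settings-power-automate.md`, so the label no longer describes where the link goes. Rename the link text to match the Power Automate article it opens.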
For cases opened before enabling Microsoft Team integration, risk investigators
When a case is resolved, the associated Microsoft Team will be automatically archive (hidden and turned to read-only).
-To learn more about Microsoft Teams for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings.md#microsoft-teams-preview).
+To learn more about Microsoft Teams for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings-teams.md).
### Resolve the case
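Review bot: The added Teams line has the same label/target mismatch: "Getting started with insider risk management settings" now opens `insider-risk-management-settings-teams.md`, so the link text should name the Teams article. While touching this paragraph, the context lines above it say "Microsoft Team integration" and "the associated Microsoft Team will be automatically archive"; these should read "Microsoft Teams integration" and "automatically archived".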
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
For step-by-step instructions to turn on auditing, see [Turn audit log search on
If you enable insider risk management analytics, you can: - **Scan for potential insider risks before creating policies.** You can conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you might want to configure. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available
-as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
-- **Receive real-time guidance for indicator threshold settings.** Manually tuning policies to reduce "noise" can be a very time-consuming experience that requires you to do a lot of trial and error to determine the desired configuration for your policies. If analytics is turned on, and you decide to customize your indicator threshold settings, you can get real-time insights if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. Real-time analytics (preview) is based on the last 10 days of audit data in your tenant and global exclusions are taken into account. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings.md#indicator-level-settings).
+as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics](insider-risk-management-settings-analytics.md) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
+- **Receive real-time guidance for indicator threshold settings.** Manually tuning policies to reduce "noise" can be a very time-consuming experience that requires you to do a lot of trial and error to determine the desired configuration for your policies. If analytics is turned on, and you decide to customize your indicator threshold settings, you can get real-time insights if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. Real-time analytics (preview) is based on the last 10 days of audit data in your tenant and global exclusions are taken into account. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
> [!NOTE] > To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group.
A priority user group is required when using the following policy templates:
- Security policy violations by priority users - Data leaks by priority users
-See the [Getting started with insider risk management settings](insider-risk-management-settings.md#priority-user-groups) article for step-by-step configuration guidance.
+See the [Getting started with insider risk management settings](insider-risk-management-settings-priority-user-groups.md) article for step-by-step configuration guidance.
### Configure Physical badging connector (optional)
OCR settings do not apply to forensic evidence clips in insider risk management.
## Step 5 (required): Configure insider risk settings
-[Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you choose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, intelligent detections, and more.
-
-Before configuring a policy, define the following insider risk settings:
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** from the top-right corner of any page.
-2. On the **Privacy** page, select a privacy setting for displaying usernames for policy alerts.
-3. On the **Policy indicators** page, select the alert indicators you want to apply to all insider risk policies.
-
- > [!IMPORTANT]
- > In order to receive alerts for potentially risky activities as defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.
-
-4. On the **Policy timeframes** page, select the [policy timeframes](insider-risk-management-settings.md#policy-timeframes) to go into effect for a user when they trigger a match for an insider risk policy.
-5. On the **Intelligent detections** page, configure the following settings for insider risk policies:
- - [File activity detection](insider-risk-management-settings.md#file-activity-detection)
- - [Alert volume](insider-risk-management-settings.md#alert-volume)
- - [Microsoft Defender for Endpoint alert statuses](insider-risk-management-settings.md#microsoft-defender-for-endpoint-alert-statuses)
- - [Domains](insider-risk-management-settings.md#domains)
- - [Sensitive info type exclusion](insider-risk-management-settings.md#sensitive-info-type-exclusions-preview)
- - [Trainable classifiers exclusion](insider-risk-management-settings.md#trainable-classifier-exclusion-preview)
- - [File path exclusions](insider-risk-management-settings.md#file-path-exclusions)
- - [Site exclusions](insider-risk-management-settings.md#site-exclusions)
- - [Keyword exclusion](insider-risk-management-settings.md#keyword-exclusion)
-
-6. On the **Export alerts** page, enable export of insider risk alert information using the Office 365 Management APIs if needed.
-7. On the **Priority user groups** page, create a priority user group and add users if not created in **Step 3**.
-8. On the **Power Automate flows** page, configure a flow from insider risk flow templates or create a new flow. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#power-automate-flows-preview) article for step-by-step guidance.
-9. On the **Priority assets page**, configure priority assets to use data from your physical control and access platform imported by the Physical badging connector. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#priority-physical-assets-preview) article for step-by-step guidance.
-10. On the **Microsoft Teams** page, enable Microsoft Teams integration with insider risk management to automatically create a team for case or user collaboration. See the [Getting started with insider risk management settings](insider-risk-management-settings.md#microsoft-teams-preview) article for step-by-step guidance.
-11. Select **Save** to enable these settings for your insider risk policies.
+[Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you choose when creating a policy. Settings are configured using the **Settings** button located at the top of insider risk management pages. These settings control privacy, indicators, intelligent detections, and more. [Learn more about settings to consider before you creating a policy](insider-risk-management-settings.md).
## Step 6 (required): Create an insider risk management policy
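Review bot: The replacement paragraph for Step 5 ends with "Learn more about settings to consider before you creating a policy", which is ungrammatical ("before you create a policy") and links to `insider-risk-management-settings.md`, the same target as the opening "Insider risk settings" link in that paragraph. More importantly, the removed steps carried the IMPORTANT callout stating that one or more indicators must be selected in settings, otherwise they aren't selectable in policies. This step is still marked "required", so keep a one-line statement of that prerequisite here rather than leaving it only in the linked article.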
Insider risk management policies include assigned users and define which types o
7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy. Guest user accounts aren't supported. > [!NOTE]
- > To take advantage of real-time analytics (preview) for indicator threshold settings, you must scope your policy to **Include all users and groups**. Real-time analytics enables you to see estimates of the number of users that could potentially match a given set of policy conditions in real time. This helps you efficiently adjust the selection of indicators and thresholds of activity occurrence so you donΓÇÖt have too few or too many policy alerts. Scoping your policy to **Include all users and groups** also provides better overall protection across your tenant. For more information on real-time analytics for indicator threshold settings, [see Indicator level settings](insider-risk-management-settings.md#indicator-level-settings).
+ > To take advantage of real-time analytics (preview) for indicator threshold settings, you must scope your policy to **Include all users and groups**. Real-time analytics enables you to see estimates of the number of users that could potentially match a given set of policy conditions in real time. This helps you efficiently adjust the selection of indicators and thresholds of activity occurrence so you donΓÇÖt have too few or too many policy alerts. Scoping your policy to **Include all users and groups** also provides better overall protection across your tenant. For more information on real-time analytics for indicator threshold settings, [see Indicator level settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
8. Select **Next** to continue. 9. On the **Content to prioritize** page, you can assign (if needed) the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:
Insider risk management policies include assigned users and define which types o
17. Select **Next** to continue. 18. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts. You can use the recommended thresholds, custom thresholds, or thresholds based on anomalous activities (for certain indicators) above the daily norm for users. 19. Select **Next** to continue.
-20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#policy-indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
+20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings-policy-indicators.md) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
> [!IMPORTANT] > If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
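Review bot: Step 20 only updates the link target and keeps the UI path "**Insider risk settings** > **Indicators** page", but the callout directly below it gives the path as "**Insider risk management** > **Settings** > **Policy indicators**", and the Step 5 rewrite in this same commit renames the control to the "**Settings** button". Use one path in both places so the step and its callout send the reader to the same page.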
Insider risk management policies include assigned users and define which types o
22. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected **Specify custom thresholds**, choose the appropriate level to generate the desired level of activity alerts for each policy indicator. > [!NOTE]
- > If analytics is turned on, and if you've scoped the policy to include all users, you can take advantage of real-time analytics to tune your threshold settings. [Learn more about real-time analytics for indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings)
+ > If analytics is turned on, and if you've scoped the policy to include all users, you can take advantage of real-time analytics to tune your threshold settings. [Learn more about real-time analytics for indicator threshold settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings)
23. Select **Next** to continue. 24. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
The **Policy dashboard** allows you to quickly see the policies in your organiza
Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics scan results for [data leaks](insider-risk-management-policy-templates.md#data-leaks) or [data theft](insider-risk-management-policy-templates.md#data-theft-by-departing-users) by departing users policies, you even have the option to configure a quick policy based on these results.
-To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics).
+To learn more about insider risk analytics and policy recommendations, see [Insider risk management settings: Analytics](insider-risk-management-settings-analytics.md).
## Quick policies from recommended actions (preview)
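Review bot: The link text on the added line, "Insider risk management settings: Analytics", still describes a section of the old settings article, but the target is now a standalone article titled "Enable analytics in insider risk management". Consider using the article title as the link text so the reference matches the page the reader lands on.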
Complete the following steps to manage an existing policy:
7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering security and compliance related events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy. Guest user accounts aren't supported. > [!NOTE]
- > To take advantage of real-time analytics (preview) for indicator threshold settings, you must scope your policy to **Include all users and groups**. Real-time analytics enables you to see the number of users that could potentially match a given set of policy conditions in real time. This helps you efficiently adjust the selection of indicators and thresholds of activity occurrence so you donΓÇÖt have too few or too many policy alerts. Scoping your policy to **Include all users and groups** also provides better overall protection across your tenant. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings.md#indicator-level-settings).
+ > To take advantage of real-time analytics (preview) for indicator threshold settings, you must scope your policy to **Include all users and groups**. Real-time analytics enables you to see the number of users that could potentially match a given set of policy conditions in real time. This helps you efficiently adjust the selection of indicators and thresholds of activity occurrence so you donΓÇÖt have too few or too many policy alerts. Scoping your policy to **Include all users and groups** also provides better overall protection across your tenant. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
8. Select **Next** to continue. 9. On the **Content to prioritize** page, you can assign (if needed) the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:
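Review bot: The added NOTE line carries over the mis-encoded apostrophe in "donΓÇÖt" from the removed line; replace it with a plain apostrophe while this sentence is being touched. The closing link also keeps "see" inside the link text ("[see Indicator level settings]"); moving "see" outside the brackets reads better.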
Complete the following steps to manage an existing policy:
17. Select **Next** to continue. 18. If you've selected **Use custom thresholds for the triggering events**, for each triggering event indicator that you selected in Step 13, choose the appropriate level to generate the desired level of activity alerts. 19. Select **Next** to continue.
-20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings.md#policy-indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
+20. On the **Policy indicators** page, you'll see the [indicators](insider-risk-management-settings-policy-indicators.md) that you've defined as available on the **Insider risk settings** > **Indicators** page. Select the indicators you want to apply to the policy.
> [!IMPORTANT] > If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
Complete the following steps to manage an existing policy:
22. On the **Decide whether to use default or custom indicator thresholds** page, choose custom or default thresholds for the policy indicators that you've selected. Choose either the **Use default thresholds for all indicators** or **Specify custom thresholds** for the selected policy indicators. If you've selected Specify custom thresholds, choose the appropriate level to generate the desired level of activity alerts for each policy indicator. > [!NOTE]
- > If analytics is turned on, and if you've scoped the policy to include all users, you can take advantage of real-time analytics to tune your threshold settings. [Learn more about real-time analytics for indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings)
+ > If analytics is turned on, and if you've scoped the policy to include all users, you can take advantage of real-time analytics to tune your threshold settings. [Learn more about real-time analytics for indicator threshold settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings)
23. Select **Next** to continue. 24. On the **Review** page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select **Edit** to change any of the policy values or select **Submit** to create and activate the policy.
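Review bot: The NOTE under step 22 says "scoped the policy to include all users", whereas the NOTE under step 7 of the same procedure names the option **Include all users and groups** and marks real-time analytics as "(preview)". Use the option name and the preview label consistently here, and end the "Learn more" sentence with a period.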
compliance Insider Risk Management Policy Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policy-templates.md
See the [Create and Deploy data loss prevention policies](dlp-create-deploy-poli
### Data leaks by priority users (preview)
-Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. With an assigned data loss prevention (DLP) policy as a triggering event option, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings.md#priority-user-groups) configured in the insider risk management settings area.
+Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. With an assigned data loss prevention (DLP) policy as a triggering event option, this template starts scoring real-time detections of suspicious activity and result in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in [priority user groups](insider-risk-management-settings-priority-user-groups.md) configured in the insider risk management settings area.
As with the **Data leaks template**, you can choose a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines for DLP policies when creating a policy with the DLP option when using this template. You can also choose to assign selected indicators as triggering events for a policy. This flexibility and customization help scope the policy to only the activities covered by the indicators. Additionally, you'll need to assign priority user groups created in **Insider risk management** > **Settings** > **Priority user groups** to the policy.
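Review bot: On the added line, "this template starts scoring real-time detections of suspicious activity and result in an increased likelihood" has a subject-verb mismatch carried over from the removed line; it should read "results in". The line is already being edited for the link, so fix it in the same change.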
When using this policy template, you'll need several prerequisites. For more inf
Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft HR connector](import-hr-data.md) or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.
-You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defenfder Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
+You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).
### Security policy violations by priority users (preview)
compliance Insider Risk Management Settings Admin Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-admin-notifications.md
+
+ Title: Enable admin notifications in insider risk management
+description: Learn about enabling admin notifications for Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Enable admin notifications in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+When you turn on the **Admin notifications** setting in Microsoft Purview Insider Risk Management, email notifications are automatically sent to selected role groups. You can send email notifications for the following scenarios:
+
+- Send a notification email when the first alert is generated for a new policy. Policies are checked every 24 hours for first-time alerts and notifications aren't sent on subsequent alerts for the policy.
+- Send a daily email when new high-severity alerts are generated. Policies are checked every 24 hours for high severity alerts.
+- Send a weekly email summarizing policies that have unresolved warnings.
++
+If you've enabled insider risk management analytics for your organization, members of the *Insider Risk Management Admins* role group automatically receive an email notification for initial analytics insights for data leaks, theft, and exfiltration activities.
+
+To disable admin and analytics notifications:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Settings** button.
+2. Select **Admin notifications**.
+3. Clear the check boxes for the following options, as applicable:
+
+ - **Send a notification email when the first alert is generated for a new policy**
+ - **Send an email when an analytics scan detects an insight for the first time**
+ - **Send an email when analytics is turned off for your organization**
+
+4. Select **Save**.
+
+ ![Insider risk management priority admin notifications.](../media/insider-risk-settings-admin-notifications.png)
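Review bot: The three scenarios in the introduction (first alert for a new policy, daily high-severity email, weekly summary of unresolved warnings) don't match the three check boxes listed in step 3 of the disable procedure, which names the first-alert option plus two analytics emails. Either list every check box in both places or state which ones the procedure covers, so an admin can tell how to stop the daily and weekly emails. The title says "Enable" but the only procedure is "To disable admin and analytics notifications"; the screenshot alt text also says "priority admin notifications", and `highpri` appears twice in the metadata list.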
compliance Insider Risk Management Settings Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-alerts.md
+
+ Title: Export insider risk management alert information
+description: Learn how to export Microsoft Purview Insider Risk Management information to (SIEM) and security orchestration automated response (SOAR) solutions by using the Office 365 Management Activity API schema.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Export insider risk management alert information
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Microsoft Purview Insider Risk Management alert information is exportable to security information and event management (SIEM) and security orchestration automated response (SOAR) solutions by using the [Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema). You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information. Alert information is exported and available every 60 minutes via the Office 365 Management Activity APIs.
++
+If your organization uses Microsoft Sentinel, you can also use the out-of-the-box insider risk management data connector to import insider risk alert information to Sentinel. For more information, see [Insider Risk Management (IRM) (preview)](/azure/sentinel/data-connectors-reference#microsoft-365-insider-risk-management-irm-preview) in the Microsoft Sentinel article.
+
+> [!IMPORTANT]
+> To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.
+
+To use the APIs to review insider risk alert information:
+
+1. In the insider risk management solutions, select the **Settings** button, and then select **Export alerts**. By default, this setting is disabled for your Microsoft 365 organization.
+2. Turn the setting to **On**.
+3. Filter the common Office 365 audit activities by *SecurityComplianceAlerts*.
+4. Filter *SecurityComplianceAlerts* by the *InsiderRiskManagement* category.
+
+ ![Insider risk management export alert settings.](../media/insider-risk-settings-export.png)
+
+Alert information contains information from the Security and Compliance Alerts schema and the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema) common schema.
+
+The following fields and values are exported for insider risk management alerts for the Security and Compliance Alerts schema:
+
+| **Alert parameter** | **Description** |
+|:|:-|
+| AlertType | Type of the alert is *Custom*. |
+| AlertId | The GUID of the alert. Insider risk management alerts are mutable. As alert status changes, a new log with the same AlertID is generated. This AlertID can be used to correlate updates for an alert. |
+| Category | The category of the alert is *InsiderRiskManagement*. This category can be used to distinguish from these alerts from other security and compliance alerts. |
+| Comments | Default comments for the alert. Values are *New Alert* (logged when an alert is created) and *Alert Updated* (logged when there's an update to an alert). Use the AlertID to correlate updates for an alert. |
+| Data | The data for the alert, includes the unique user ID, user principal name, and date and time (UTC) when user was triggered into a policy. |
+| Name | Policy name for insider risk management policy that generated the alert. |
+| PolicyId | The GUID of the insider risk management policy that triggered the alert. |
+| Severity | The severity of the alert. Values are *High*, *Medium*, or *Low*. |
+| Source | The source of the alert. The value is *Office 365 Security & Compliance*. |
+| Status | The status of the alert. Values are *Active* (*Needs Review* in insider risk), *Investigating* (*Confirmed* in insider risk), *Resolved* (*Resolved* in insider risk), *Dismissed* (*Dismissed* in insider risk). |
+| Version | The version of the Security and Compliance Alerts schema. |
+
+The following fields and values are exported for insider risk management alerts for the [Office 365 Management Activity API common schema](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema).
+
+- UserId
+- Id
+- RecordType
+- CreationTime
+- Operation
+- OrganizationId
+- UserType
+- UserKey
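Review bot: The table spells the field "AlertId" in the parameter column but "AlertID" in the AlertId and Comments descriptions; anyone building SIEM correlation on this key needs the exact casing, so use one spelling throughout. In the Category row, "distinguish from these alerts from other" has a stray "from", the table separator row `|:|:-|` looks malformed, and the front-matter description reads "to (SIEM)" without the expanded term that the body text gives. The IMPORTANT note says usernames aren't anonymized in API exports; consider repeating that next to step 2, where the setting is turned on.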
compliance Insider Risk Management Settings Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-analytics.md
+
+ Title: Enable analytics in insider risk management
+description: Learn about turning on the Analytics setting for Microsoft Purview Insider Risk Management to conduct an evaluation of potential insider risks and to get real-time analytics for indicator thresholds.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Enable analytics in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Enabling Microsoft Purview Insider Risk Management analytics offers two important benefits. When analytics is enabled, you can:
+
+- Conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies.
+- Receive real-time guidance on configuring indicator threshold settings.
++
+## Conduct an evaluation of insider risks in your organization
+
+Microsoft Purview Insider Risk Management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you might want to configure. Analytics scans offer the following advantages for your organization:
+
+- **Easy to configure**: To get started with analytics scans, select **Run scan** when prompted by the analytics recommendation or go to **Insider risk settings** > **Analytics** and enable analytics.
+- **Privacy by design**: Scanned results and insights are returned as aggregated and anonymized user activity. Individual usernames aren't identifiable by reviewers. Since insider risk management doesn't classify any identity in the organization for analytics, the solution accounts for all the UPNs/identities that might be involved in data leaving the organization boundary. This might involve user accounts, system accounts, guest accounts, and so on.
+- **Understand potential risks through consolidated insights**: Scan results can help you quickly identify potential risk areas for your users and which policy would be best to help mitigate these risks.
+
+Check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks.
+
+## Areas scanned
+
+Analytics scans for risk management activity from several sources to help identify insights into potential areas of risk. Depending on your current configuration, analytics looks for qualifying risk activities in the following areas:
+
+- **Microsoft 365 audit logs**: Included in all scans, this is the primary source for identifying most of the potentially risky activities.
+- **Exchange Online**: Included in all scans, Exchange Online activity helps identify activities where data in attachments are emailed to external contacts or services.
+- **Azure Active Directory**: Included in all scans, Azure AD history helps identify risky activities associated with users with deleted user accounts.
+- **Microsoft 365 HR data connector**: If configured, [HR connector](import-hr-data.md) events help identify risky activities associated with users that have resignation or upcoming termination dates.
+
+Analytics insights from scans are based on the same risk management activity signals used by insider risk management policies and report results based on both single and sequence user activities. However, the risk scoring for analytics is based on up to 10 days of activity while insider risk policies use daily activity for insights. When you first enable and run analytics in your organization, you'll see the scan results for one day. If you leave analytics enabled, you'll see the results of each daily scan added to the insight reports for a maximum range of the previous 10 days of activity.
+
+## Receive real-time guidance on configuring indicator threshold settings
+
+Manually tuning policies to reduce "noise" can be a very time-consuming experience that requires you to do a lot of trial and error to determine the desired configuration for your policies. If analytics is turned on, and you decide to customize your indicator threshold settings, you can get real-time insights from analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. Real-time analytics (preview) is based on the last 10 days of activity data in your tenant and global exclusions are taken into account. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
+
+## Enable analytics and start a scan of potential insider risks in your organization
+
+To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or *Microsoft 365 Global admin* role group.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**.
+2. On the **Overview** tab, scroll down to the **Insider risk analytics** card, and then under **Scan for insider risks in your organization**, select **Run scan**. This turns on analytics scanning for your organization. Analytics scan results can take up to 48 hours before insights are available as reports for review.
+
+ > [!TIP]
+ > You can also turn on scanning in your organization through the **Settings** button at the top of any insider risk management page. After selecting the button, select **Analytics**, and then turn the setting on.
+ >
+ >![Insider risk management analytics settings](../media/insider-risk-settings-analytics-enable.png)
+
+## View analytics insights after the first analytics scan
+
+After the first analytics scan is complete for your organization, members of the *Insider Risk Management Admins* role group will automatically receive an email notification and can view the initial insights and recommendations for potentially risky activities by your users. Daily scans continue unless you turn off analytics for your organization. Email notifications to admins are provided for each of the three in-scope categories for analytics (data leaks, theft, and exfiltration) after the first instance of potentially risky activity in your organization. Email notifications aren't sent to admins for follow-up risk management activity detection resulting from the daily scans.
+
+> [!NOTE]
+> If the **Analytics** setting is disabled and then re-enabled, automatic email notifications are reset and email notifications are sent to members of the *Insider Risk Management Admins* role group for new scanning insights.
+
+To view potential risks for your organization, go to the **Overview** tab, and then on the **Insider risk analytics** card, select **View results**.
+
+![Insider risk management analytics report ready card](../media/insider-risk-analytics-ready-card.png)
+
+> [!NOTE]
+> If the scan for your organization isn't complete, you'll see a message that the scan is still active.
+
+For completed analyses, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users (all types of Azure AD accounts, including user, guest, system, and so on) with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:
+
+- **Data leaks insights**: For all users that may include accidental oversharing of information outside your organization or data leaks by users with malicious intent.
+- **Data theft insights**: For departing users or users with deleted Azure AD accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.
+- **Top exfiltration insights**: For all users that may include sharing data outside of your organization.
+
+![Insider risk management analytics overview report.](../media/insider-risk-analytics-overview.png)
+
+To display more information for an insight, select **View details** to display the details pane for the insight. The details pane includes the complete insight results, an insider risk policy recommendation, and the **Create policy** button to quickly help you create the recommended policy. Selecting **Create policy** takes you to the policy wizard and automatically selects the recommended policy template related to the insight. For example, if the analytics insight is for *Data Theft* activity, the *Data Theft* policy template will be pre-selected in the policy wizard for you.
+
+![Insider risk management analytics details report.](../media/insider-risk-analytics-details.png)
+
+## Turn off analytics
+
+To turn off insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group.
+
+After you disable analytics:
+
+- Analytics insight reports will remain static and will not be updated for new risks.
+- You won't be able to [see real-time analytics when you customize indicator threshold settings for your policies](insider-risk-management-settings-policy-indicators.md#indicator-level-settings).
+
+To turn off analytics:
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**.
+2. Select the **Settings** button, and then select **Analytics**.
+3. On the **Analytics** page, turn the setting to off.
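Review bot: The role requirement is formatted two ways: the enable section lists "*Microsoft 365 Global admin*" as the role group, while the "Turn off analytics" section lists "Microsoft 365 *Global admin*". Pick one form so it's clear what the role group is called, since this is the access requirement for turning scanning on and off. The real-time guidance paragraph also contains the mis-encoded "donΓÇÖt", and the insight bullets ("For all users that may include accidental oversharing ...") read as if the users, not the insights, include the activity.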
compliance Insider Risk Management Settings Inline Alert Customization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-inline-alert-customization.md
+
+ Title: Configure inline alert customization in insider risk management
+description: Learn about the inline alert customization setting for Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Configure inline alert customization in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Inline alert customization in Microsoft Purview Insider Risk Management allows you to quickly tune an insider risk management policy directly from the **Alert dashboard** while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.
++
+You can enable inline alert customization to allow users assigned to the *Insider Risk Management Analysts* and *Insider Risk Management Investigators* role groups to edit policy thresholds and to disable specific indicators. If inline alert customization isn't enabled, only users assigned to the *Insider Risk Management Admins* or *Insider Risk Management* role groups can edit these policy conditions. Inline alert customization is supported for alerts regardless of the current alert status, allowing analysts and investigators to update policies for *Dismissed* and *Resolved* alerts if needed.
+
+When enabled, analysts and investigators can select **Reduce alerts for this activity** for an alert on the **Alert dashboard** and can view details about the risk management activity and indicators associated with the alert. Additionally, the current policy thresholds are displayed for the number of events used to create low, medium, and high severity alerts. If **Reduce alerts for this activity** is selected and a previous policy edit has been made that changes the threshold or has removed the associated indicator, you'll see a notification message detailing previous changes to the policy.
+
+Analysts and investigators can choose from the following options on the **Reduce alerts for this activity** pane to quickly edit the policy that created the alert:
+
+- **Reduce alerts using Microsoft's recommended thresholds**: This automatically increases the thresholds in the policy for you. You can review the new recommended threshold settings before changing the policy.
+- **Reduce alerts by choosing your own thresholds**: You can manually increase the thresholds for this type of activity for the current and future alerts. You can review the current threshold settings and configure the new threshold settings before changing the policy.
+- **Stop getting alerts for this activity**: This removes this indicator from the policy and the risk management activity will no longer be detected by the policy. This applies to all indicators, regardless of whether the indicator is threshold-based.
+
+After choosing an option, analysts and investigators can choose two options to update the policy:
+
+- **Save and dismiss alert**: Saves the changes to the policy and updates the alert status to *Resolved*.
+- **Save only**: Saves the changes to the policy, but the alert status remains the same.
+
+## Enable inline alert customization
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**.
+2. Select the **Settings** button, and then select **Inline alert customization**.
+3. Turn the setting on.
+4. Select **Save**.
+
+ ![Insider risk management priority inline alerts.](../media/insider-risk-settings-inline-alerts.png)
+
+ > [!NOTE]
+ > After turning on the **Inline alert customization** setting, it takes approximately one hour before inline alert customization is available in new and existing policy alerts.
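Review bot: The **Save and dismiss alert** bullet says the alert status is updated to *Resolved*, but the paragraph on supported statuses earlier in this article lists *Dismissed* and *Resolved* as two distinct statuses, so the option name and the resulting status disagree. Confirm which status is actually set and make the label and the description match. Turning this setting on lets the *Insider Risk Management Analysts* and *Insider Risk Management Investigators* role groups raise thresholds or remove an indicator from a policy ("Stop getting alerts for this activity"), so the "Enable inline alert customization" section should say whether these inline policy edits are written to the audit log and where an admin can review them. The only trace the text describes is the notification shown the next time **Reduce alerts for this activity** is selected. Minor: "can choose two options to update the policy" should read "can choose one of two options".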
compliance Insider Risk Management Settings Intelligent Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-intelligent-detections.md
+
+ Title: Configure intelligent detections in insider risk management
+description: Learn about the Intelligent detections setting in Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Configure intelligent detections in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+You can use the **Intelligent detections** setting in Microsoft Purview Insider Risk Management to set up global exclusions. For example, you might want to exclude certain file types or domains from being scored for risk. Use can also use the **Intelligent detections** setting to adjust alert volume or import Microsoft Defender for Endpoint alerts.
++
+## Ignore email signature attachments (preview)
+
+One of the main sources of 'noise' in insider risk management policies is images in email signatures, which are often detected as attachments in emails. This can lead to false positives of users sending potentially confidential files via email. If the *Sending email with attachments to recipients outside the organization* indicator is selected, the attachment is scored like any other email attachment sent outside the organization, even if the only thing in the attachment is the email signature. You can exclude email signature attachments from being scored in this situation by turning on the **Ignore email signature attachments** setting.
+
+Turning on this setting significantly eliminates noise from email signature attachments, but won't completely eliminate all noise. This is because only the email signature attachment of *the email sender* (the person who initiates the email or replies to the email) is excluded from scoring. A signature attachment for anyone on the To, CC, or BCC line will still be scored. Also, if someone changes their email signature, the new signature has to be profiled, which can cause alert noise for a short period of time.
+
+> [!NOTE]
+> The **Ignore email signature attachments** setting is off by default.
+
+## File activity detection
+
+To exclude specific file types from all insider risk management policy matching, enter file type extensions separated by commas. For example, to exclude certain types of music files from policy matches, enter *aac,mp3,wav,wma* in the **File type exclusions** field. Files with these extensions will be ignored by all insider risk management policies.
+
+## Alert volume
+
+Potentially risky activities detected by insider risk policies are assigned a specific risk score, which in turn determines the alert severity (low, medium, high). By default, insider risk management generates a certain amount of low, medium, and high severity alerts, but you can increase or decrease the volume to suit your needs.
+
+To adjust the volume of alerts for all insider risk management policies, choose one of the following settings:
+
+- **Fewer alerts**: You'll see all high-severity alerts, fewer medium-severity alerts, and no low-severity alerts. You could miss some true positives if you choose this setting level.
+- **Default volume**: You'll see all high-severity alerts and a balanced amount of medium-severity and low-severity alerts.
+- **More alerts**: You'll see all medium-severity and high-severity alerts and most low-severity alerts. This setting level might result in more false positives.
+
+## Microsoft Defender for Endpoint alert statuses
+
+> [!IMPORTANT]
+> You must configure Microsoft Defender for Endpoint in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
+
+[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
+
+Depending on the types of signals you're interested in, you can choose to import alerts to insider risk management based on the Defender for Endpoint alert triage status. You can define one or more of the following alert triage statuses in the global settings to import:
+
+- Unknown
+- New
+- In progress
+- Resolved
+
+Alerts from Defender for Endpoint are imported daily. Depending on the triage status you choose, you may see multiple user activities for the same alert as the triage status changes in Defender for Endpoint.
+
+For example, if you select *New*, *In progress*, and *Resolved* for this setting, when a Microsoft Defender for Endpoint alert is generated and the status is *New*, an initial alert activity is imported for the user in insider risk management. When the Defender for Endpoint triage status changes to *In progress*, a second activity for this alert is imported. When the final Defender for Endpoint triage status of *Resolved* is set, a third activity for this alert is imported. This functionality allows investigators to follow the progression of the Defender for Endpoint alerts and choose the level of visibility that their investigation requires.
+
+## Domains
+
+Domain settings help you define risk levels for risk management activities for specific domains. These activities include sharing files, sending email messages, downloading content, or uploading content. By specifying domains in these settings, you can increase or decrease the risk scoring for risk management activity that takes place with these domains.
+
+Use Add domain to define a domain for each of the domain settings. Additionally, you can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry '*.wingtiptoys.com' to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the **Include Multi-Level Subdomains** check box.
+
+For each of the following domain settings, you can enter up to 500 domains:
+
+- **Unallowed domains:** When you specify an unallowed domain, risk management activity that takes place with that domains will have a *higher* risk score. For example, you might want to specify activities that involve sharing content with someone (such as sending email to someone with a gmail.com address) or activities that involve users downloading content to a device from an unallowed domain.
+- **Allowed domains:** Risk management activity related to a domain specified in **Allowed domains** will be ignored by your policies and won't generate alerts. These activities include:
+
+ - Email sent to external domains
+ - Files, folders, and sites shared with external domains
+ - Files uploaded to external domains (using Microsoft Edge browser)
+
+ When you specify an allowed domain, risk management activity with that domain is treated similarly to how internal organization activity is treated. For example, a domain added in **Allowed domains** might include an activity that involves sharing content with someone outside your organization (such as sending email to someone with a gmail.com address).
+
+- **Third party domains:** If your organization uses third-party domains for business purposes (such as cloud storage), include them here so you can receive alerts for potentially risky activity related to the device indicator *Use a browser to download content from a third-party site*.
+
+## File path exclusions
+
+When you specify file paths to exclude, user activities that map to specific indicators and that occur in those file path locations won't generate policy alerts. Examples include copying or moving files to a system folder or network share path. You can enter up to 500 file paths for exclusion.
+
+To add file paths to exclude:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **File path exclusion** section, select **Add file paths to exclude**.
+3. In the **Add a file path** pane, enter an exact network share or device path to exclude from risk scoring. You can also use * and *([0-9]) to denote specific and wildcard folders and subfolders to be excluded. For more information, see the following examples.
+
+ |Example|Description|
+ |--|-|
+ |**\\\\ms.temp\LocalFolder\ or C:\temp**|Excludes files directly under the folder and all subfolders for every file path starting with the entered prefix.|
+ |**\public\local\\**|Excludes files from every file path containing the entered value.<p><p>Matches with 'C:\Users\Public\local\\', 'C:\Users\User1\Public\local\', and '\\\\ms.temp\Public\local'.|
+ |**C:\Users\\\*\Desktop**|Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Desktop'.|
+ |**C:\Users\\\*(2)\Desktop**|Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Shared\Desktop'.|
+
+4. Select **Add file paths**.
+
+> [!NOTE]
+> To delete a file path exclusion, select the file path exclusion, and then select **Delete**.
+
+### Default file path exclusions
+
+By default, several file paths are automatically excluded from generating policy alerts. Activities in these file paths are typically benign and could potentially increase the volume of non-actionable alerts. If needed, you can cancel the selection for these default file path exclusions to enable risk scoring for activities in these locations.
+
+The default file path exclusions are:
+
+- \Users\\\*\AppData
+- \Users\\\*\AppData\Local
+- \Users\\\*\AppData\Local\Roaming
+- \Users\\\*\AppData\Local\Local\Temp
+
+The wildcards in these paths denote that all folder levels between the \Users and \AppData are included in the exclusion. For example, activities in *C:\Users\Test1\AppData\Local* and *C:\Users\Test2\AppData\Local*, *C:\Users\Test3\AppData\Local* (and so on) would all be included and not scored for risk as part of the *\Users\\\*\AppData\Local* exclusion selection.
+
+## Sensitive info type exclusions (preview)
+
+Excluded [Sensitive info types](sensitive-information-type-learn-about.md) map to indicators and triggers involving file-related activities for Endpoint, SharePoint, Teams, OneDrive, and Exchange. These excluded types are treated as non-sensitive info types. If a file contains any sensitive info type identified in this section, the file will be risk scored but not shown as activities involving content related to sensitive info types. For a complete list of sensitive info types, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
+
+You can select the sensitive info types to be excluded from the list of all available (out-of-box and custom) types available in the tenant. You can choose up to 500 sensitive info types to be excluded.
+
+> [!NOTE]
+> The exclusion list of sensitive info types takes precedence over the [priority content](insider-risk-management-policies.md#prioritize-content-in-policies) list.
+
+To exclude sensitive info types:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Sensitive info types** section, select **Add sensitive info types to exclude**.
+3. In the **Add or edit sensitive info type** pane, select the types that you want to exclude.
+4. Select **Add**.
+
+> [!NOTE]
+> To delete a sensitive info type exclusion, select the exclusion, and then select **Delete**.
+
+## Trainable classifier exclusion (preview)
+
+Excluded [Trainable classifiers](classifier-get-started-with.md) map to indicators and triggers involving file-related activities for SharePoint, Teams, OneDrive, and Exchange. If any file contains any trainable classifier identified in this section, the file will be risk scored but not shown as activity involving content related to trainable classifiers. For a complete list of pre-trained classifiers, see [Trainable classifiers definitions](classifier-tc-definitions.md#trainable-classifiers-definitions).
+
+You can select the trainable classifiers to be excluded from the list of all available (out-of-box and custom) types available in the tenant. Insider risk management excludes some trainable classifiers by default, including Threat, Profanity, Targeted harassment, Offensive language, and Discrimination. You can choose up to 500 trainable classifiers to be excluded.
+
+> [!NOTE]
+> Optionally, you can choose trainable classifiers to be included in the [priority content](insider-risk-management-policies.md#prioritize-content-in-policies) list.
+
+To exclude trainable classifiers:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Trainable classifiers** section, select **Add trainable classifiers to exclude**.
+3. In the **Add or edit trainable classifiers** pane, select the classifiers that you want to exclude.
+4. Select **Add**.
+
+> [!NOTE]
+> To delete a trainable classifiers exclusion, select the exclusion, and then select **Delete**.
+
+## Site exclusions
+
+Configure site URL exclusions to prevent potential risky activities that occur in SharePoint (and SharePoint sites associated with Teams channel sites) from generating policy alerts. You might want to consider excluding sites and channels that contain non-sensitive files and data that can be shared with stakeholders or the public. You can enter up to 500 site URL paths to exclude.
+
+To add site URL paths to exclude:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.
+3. In the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.
+4. Select **Add**.
+
+To edit site URL paths to exclude:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.
+3. In the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.
+4. Select **Edit**.
+
+> [!NOTE]
+> To delete a Site URL exclusion, select the site URL exclusion, and then select **Delete**.
+
+## Keyword exclusion
+
+Configure exclusions for keywords that appear in file names, file paths, or email message subject lines. This allows flexibility for organizations that need to reduce potential alert frequency due to flagging of benign terms specified for your organization. Such activities related to files or email subjects containing the keyword will be ignored by your insider risk management policies and won't generate alerts. You can enter up to 500 keywords to exclude.
+
+Use the **Exclude only if it does not contain** field to define specific groupings of terms to ignore for exclusion. For example, if you want to exclude the keyword 'training', but not exclude 'compliance training', enter 'compliance' (or 'compliance training') in the **Exclude only if it does not contain** field and 'training' in the **But does contain** field.
+
+If you just want to exclude specific standalone terms, enter the terms in the **But does contain field** only.
+
+To add standalone keywords to exclude:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Keyword exclusion** section, enter the standalone keywords in the **But does contain** field.
+3. Select **Save** to configure the keyword exclusions.
+
+To delete a standalone keyword to exclude:
+
+1. In the compliance portal, go to **Insider risk management** > **Settings** > **Intelligent detections**.
+2. In the **Keyword exclusion** section, select the *X* for the specific standalone keyword in the **But does contain** field. Repeat as needed to remove multiple keywords.
+3. Select **Save**.
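Review bot: In "Default file path exclusions", the last two entries, rendered as `\Users\*\AppData\Local\Roaming` and `\Users\*\AppData\Local\Local\Temp`, do not match the standard Windows profile layout, where the folders are `AppData\Roaming` and `AppData\Local\Temp`. Please verify the list against the product and correct it, because an admin deciding which defaults to clear needs the real paths. The wildcard semantics are also stated inconsistently: the examples table in "File path exclusions" shows `*` matching one folder level and `*(2)` matching one or two, while the paragraph after the default list says the wildcard covers "all folder levels between the \Users and \AppData". State the rule once and explain what the number in `*([0-9])` means.

In "Domains", the **Unallowed domains** and **Allowed domains** bullets both use gmail.com as the example. Since activity with an allowed domain "will be ignored by your policies and won't generate alerts", the allowed example should be a partner or business domain rather than a consumer mail domain. Smaller fixes: "Use can also use" in the introduction, "that domains" in **Unallowed domains**, the stray `<p><p>` in the second table row, the bold span "**But does contain field**" in "Keyword exclusion", and the escaped anchor `advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center` in the Defender for Endpoint note, where the backslash before `#` will break the link.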
compliance Insider Risk Management Settings Policy Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-policy-indicators.md
+
+ Title: Configure policy indicators in insider risk management
+description: Configure policy indicators in Microsoft Purview Insider Risk Management to define the type of risk activities that you want to detect and investigate.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Configure policy indicators in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Insider risk policy templates in Microsoft Purview Insider Risk Management define the type of risk activities that you want to detect and investigate. Each policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default; **you must select one or more indicators to configure an insider risk management policy**.
+
+Signals are collected and alerts are triggered by policies when users perform activities related to indicators.
++
+## Types of events and indicators
+
+Insider risk management uses different types of events and indicators to collect signals and create alerts:
+
+- **Triggering events**: Events that determine if a user is active in an insider risk management policy. If a user is added to an insider risk management policy that doesn't have a triggering event, the user isn't evaluated by the policy as a potential risk. For example, User A is added to a policy created from the *Data theft by departing users* policy template and the policy and Microsoft 365 HR connector are properly configured. Until User A has a termination date reported by the HR connector, User A isn't evaluated by this insider risk management policy for potential risk. Another example of a triggering event is if a user has a *High* severity DLP policy alert when using *Data leaks* policies.
+- **Global settings indicators**: Indicators enabled in global settings for insider risk management define both the indicators available for configuration in policies and the types of events signals collected by insider risk management. For example, if a user copies data to personal cloud storage services or portable storage devices and these indicators are selected only in global settings, the user's potentially risky activity will be available for review in the Activity explorer. However, if this user isn't defined in an insider risk management policy, the user isn't evaluated by the policy as a potential risk and therefore won't be assigned a risk score or generate an alert.
+- **Policy indicators**: Indicators included in insider risk management policies are used to determine a risk score for an in-scope user. Policy indicators are enabled from indicators defined in global settings and are only activated after a triggering event occurs for a user. Examples of policy indicators include:
+
+ - A user copies data to personal cloud storage services or portable storage devices.
+ - A user account is removed from Azure Active Directory.
+ - A user shares internal files and folders with unauthorized external parties.
+
+Certain policy indicators and sequences may also be used for customizing triggering events for specific policy templates. When configured in the policy wizard for the *General data leaks* or *Data leaks by priority users* templates, these indicators or sequences allow more flexibility and customization for your policies and when users are in-scope for a policy. Also, you can define risk management activity thresholds for these triggering indicators for more fine-grained control in a policy.
+
+## Policy indicator categories
+
+Policy indicators are segmented into the following areas. You can choose the indicators to activate and customize indicator event limits for each indicator level when creating an insider risk policy:
+
+### Office indicators
+
+These include policy indicators for SharePoint sites, Microsoft Teams, and email messaging.
+
+### Device indicators
+
+These include policy indicators for activity such as sharing files over the network or with devices. Indicators include activities involving all file types, excluding executable (.exe) and dynamic link library (.dll) file activity. If you select *Device indicators*, activity is processed for devices with Windows 10 Build 1809 or higher and macOS (three latest released versions) devices. For both Windows and macOS devices, you must first [onboard devices to the compliance portal](#step-2-onboard-devices). Device indicators also include browser signal detection to help your organization detect and act on exfiltration signals for non-executable files viewed, copied, shared, or printed in Microsoft Edge and Google Chrome. For more information on configuring Windows devices for integration with insider risk, see [Enable device indicators and onboard Windows devices](#enable-device-indicators-and-onboard-windows-devices) in this article. For more information on configuring macOS devices for integration with insider risk, see [Enable device indicators and onboard macOS devices](#enable-device-indicators-and-onboard-macos-devices) in this article. For more information about browser signal detection, see [Learn about and configure insider risk management browser signal detection](insider-risk-management-browser-support.md).
+
+### Microsoft Defender for Endpoint indicators (preview)
+
+These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
+
+### Health record access indicators
+
+These include policy indicators for patient medical record access. For example, attempted access to patient medical records in your electronic medical records (EMR) system logs can be shared with insider risk management healthcare policies. To receive these types of alerts in insider risk management, you must have a healthcare-specific data connector and the [HR data connector](import-hr-data.md) configured.
+
+### Physical access indicators
+
+These include policy indicators for physical access to sensitive assets. For example, attempted access to a restricted area in your physical badging system logs can be shared with insider risk management policies. To receive these types of alerts in insider risk management, you must have priority physical assets enabled in insider risk management and the [Physical badging data connector](import-physical-badging-data.md) configured. To learn more about configuring physical access, see the [Priority physical access section](insider-risk-management-settings-priority-physical-assets.md) in this article.
+
+### Microsoft Defender for Cloud Apps indicators
+
+These include policy indicators from shared alerts from Defender for Cloud Apps. Automatically enabled anomaly detection in Defender for Cloud Apps immediately starts detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. To include these activities in insider risk management policy alerts, select one or more indicators in this section. To learn more about Defender for Cloud Apps analytics and anomaly detection, see [Get behavioral analytics and anomaly detection](/cloud-app-security/anomaly-detection-policy).
+
+### Risky browsing indicators (preview)
+
+These include policy indicators for user browsing activity related to websites that are considered malicious or risky and pose potential insider risk that may lead to a security or compliance incident. Risky browsing activity refers to users who visit potentially risky websites, such as those associated with malware, pornography, violence, and other unallowed activities. To include these risk management activities in policy alerts, select one or more indicators in this section. To learn about configuring browser exfiltration signals, see [Insider risk management browser signal detection](insider-risk-management-browser-support.md).
+
+### Cumulative exfiltration detection (preview)
+
+Detects when a user's exfiltration activities across all exfiltration channels over the last 30 days exceeds organization or peer group norms. For example, if a user is in a sales role and communicates regularly with customers and partners outside of the organization, their external email activity will likely be much higher than the organization's average. However, the user's activity may not be unusual compared to the user's teammates, or others with similar job titles. A risk score is assigned if the user's cumulative exfiltration activity is unusual and exceeds organization or peer group norms.
+
+ > [!NOTE]
+ > Peer groups are defined based on organization hierarchy, access to shared SharePoint resources, and job titles in Azure AD. If you enable cumulative exfiltration detection, your organization is agreeing to share Azure AD data with the compliance portal, including organization hierarchy and job titles. If your organization does not use Azure AD to maintain this information, then detection may be less accurate.
+
+### Risk score boosters
+
+These include raising the risk score for activity for the following reasons:
+ - *Activity that is above the user's usual activity for that day*: Scores are boosted if the detected activity deviates from the user's typical behavior.
+ - *User had a previous case resolved as a policy violation*: Scores are boosted if the user had a previous case in insider risk management that was resolved as a policy violation.
+ - *User is a member of a priority user group*: Scores are boosted if the user is a member of a priority user group.
+ - *User is detected as a potential high impact user*: When this is enabled, users are automatically flagged as potential high-impact users based on the following criteria:
+ - The user interacts with more sensitive content compared to others in the organization.
+ - The user's level in the organization's Azure AD hierarchy.
+ - The total number of users reporting to the user based on the Azure AD hierarchy.
+ - The user is a member of an Azure AD built-in role with elevated permissions.
+
+ > [!NOTE]
+ > When you enable the potential high impact user risk score booster, you're agreeing to share Azure AD data with the compliance portal. If your organization doesn't use sensitivity labels or has not configured organization hierarchy in Azure AD, this detection may be less accurate. If a user is detected as both a member of a priority user group and also a potential high-impact user, their risk score will only be boosted once.
+
+In some cases, you may want to limit the insider risk policy indicators that are applied to insider risk policies in your organization. You can turn off the policy indicators for specific areas by disabling them from all insider risk policies in global settings. Triggering events can only be modified for policies created from the *Data leaks* or *Data leaks by priority users* templates. Policies created from all other templates don't have customizable triggering indicators or events.
+
+## Define the insider risk policy indicators that are enabled in all insider risk policies
+
+1. Select the **Settings** button, and then select **Policy indicators**.
+2. Select one or more policy indicators.
+ The indicators selected on the **Policy indicators** settings page can't be individually configured when creating or editing an insider risk policy in the policy wizard.
+
+ > [!NOTE]
+ > It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab in the details pane.
+
+## Enable device indicators and onboard Windows devices
+
+To enable the detection of risk activities on Windows devices and include policy indicators for these activities, your Windows devices must meet the following requirements and you must complete the following onboarding steps.
+
+### Step 1: Prepare your endpoints
+
+Make sure that the Windows 10 devices that you plan on reporting in insider risk management meet these requirements.
+
+1. The device must be running Windows 10 x64 build 1809 or later and the [Windows 10 update (OS Build 17763.1075)](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) from February 20, 2020 must be installed.
+2. The user account used to log into the Windows 10 device must be an active Azure AD account. The Windows 10 device may be [Azure AD](/azure/active-directory/devices/concept-azure-ad-join), Azure AD hybrid, joined, or registered.
+3. Install the Microsoft Edge browser on the endpoint device to detect actions for the cloud upload activity. See [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).
+
+### Step 2: Onboard devices
+
+You must enable device checking and onboard your endpoints before you can detect insider risk management activities on a device. Both actions are done in the Microsoft Purview compliance portal.
+
+When you want to enable devices that haven't been onboarded yet, you need to download the appropriate script and deploy it as outlined below.
+
+If you already have devices onboarded into [Microsoft Defender for Endpoint](/windows/security/threat-protection/), they'll already appear in the managed devices list. [Follow Step 3: If you have devices onboarded into Microsoft Defender for Endpoint](#if-devices-are-already-onboarded-to-microsoft-defender-for-endpoint).
+
+In this deployment scenario, you'll enable devices that haven't been onboarded yet, and you just want to detect insider risk activities on Windows devices.
+
+1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
+2. Open the compliance portal settings page, and then select **Onboard devices**.
+
+ > [!NOTE]
+ > While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
+
+3. Select **Device management** to open the **Devices** list. The list will be empty until you onboard devices.
+4. Select **Onboarding** to begin the onboarding process.
+5. Select the way you want to deploy to these devices from the **Deployment method** list, and then select **download package**.
+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
+ - Onboard Windows machines using Group Policy
+ - Onboard Windows machines using Microsoft Endpoint Configuration Manager
+ - Onboard Windows machines using Mobile Device Management tools
+ - Onboard Windows machines using a local script
+ - Onboard non-persistent virtual desktop infrastructure (VDI) machines
+
+When you're done and the endpoint device is onboarded, it should be visible in the devices list and the endpoint device will start reporting audit activity logs to insider risk management.
+
+> [!NOTE]
+> This experience is under license enforcement. Without the required license, data will not be visible or accessible.
+
+### If devices are already onboarded to Microsoft Defender for Endpoint
+
+If Microsoft Defender for Endpoint is already deployed and endpoint devices are reporting in, the endpoint devices will appear in the managed devices list. You can continue to onboard new devices into insider risk management to expand coverage by going to [Step 2: Onboarding devices](#step-2-onboard-devices).
+
+1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
+2. Open the compliance portal settings page, and then select **Enable device monitoring**.
+3. Select **Device management** to open the **Devices** list. You should see the list of devices that are already reporting into Microsoft Defender for Endpoint.
+4. Select **Onboarding** if you need to onboard more devices.
+5. Select the way you want to deploy to these devices from the **Deployment method** list, and then select **Download package**.
+6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
+ - Onboard Windows machines using Group Policy
+ - Onboard Windows machines using Microsoft Endpoint Configuration Manager
+ - Onboard Windows machines using Mobile Device Management tools
+ - Onboard Windows machines using a local script
+ - Onboard non-persistent virtual desktop infrastructure (VDI) machines
+
+When you're done and endpoint devices are onboarded, they should be visible under the **Devices** tab and the endpoint devices will start reporting audit activity logs to insider risk management.
+
+> [!NOTE]
+> This experience is under license enforcement. Without the required license, data will not be visible or accessible.
+
+## Enable device indicators and onboard macOS devices
+
+macOS devices (Catalina 10.15 or later) can be onboarded into Microsoft 365 to support insider risk management policies using either Intune or JAMF Pro. For more information and configuration guidance, see [Onboard macOS devices into Microsoft 365 overview (preview)](device-onboarding-macos-overview.md).
+
+## Indicator level settings
+
+When creating a policy using the policy wizard, you can configure how the daily number of risk events should influence the risk score for insider risk alerts. These indicator settings help you control how the number of occurrences of risk events in your organization affect the risk score (and the associated alert severity) for these events. If you prefer, you can choose to keep the default event threshold levels recommended by Microsoft for all enabled indicators.
+
+For example, you decide to enable SharePoint indicators in the insider risk policy settings and to set custom thresholds for SharePoint events when configuring indicators for a new insider risk *Data leaks* policy. In the insider risk policy wizard, you would configure three different daily event levels for each SharePoint indicator to influence the risk score for alerts associated with these events.
+
+![Insider risk management custom indicator settings](../media/insider-risk-custom-indicators.png)
+
+For the first daily event level, you set the threshold to:
+
+- *10 or more events per day* for a lower impact to the risk score for the events
+- *20 or more events per day* for a medium impact to the risk score for the events
+- *30 or more events per day* for a higher impact to the risk score for the events
+
+These settings effectively mean:
+
+- If there are 1-9 SharePoint events that take place after the triggering event, risk scores are minimally impacted and would tend not to generate an alert.
+- If there are 10-19 SharePoint events that take place after a triggering event, the risk score is inherently lower and alert severity levels would tend to be at a low level.
+- If there are 20-29 SharePoint events that take place after a triggering event, the risk score is inherently higher and alert severity levels would tend to be at a medium level.
+- If there are 30 or more SharePoint events that take place after a triggering event, the risk score is inherently higher and alert severity levels would tend to be at a high level.
+
+Another option for policy thresholds is to assign the policy triggering event to risk management activity that is above the typical daily number of users. Instead of being defined by specific threshold settings, each threshold is dynamically customized for anomalous activities detected for in-scope policy users. If threshold activity for anomalous activities is supported for an individual indicator, you can select **Activity is above user's usual activity for the day** in the policy wizard for that indicator. If this option isn't listed, anomalous activity triggering isn't available for the indicator. If the **Activity is above user's usual activity for the day** option is listed for an indicator, but is not selectable, you need to enable this option in **Insider risk settings** > **Policy indicators**.
+
+### Use real-time analytics (preview) to manage alert volume
+
+You can use real-time analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that enables you to quickly select the appropriate thresholds for each policy indicator. This guided experience can help you efficiently adjust selection of indicators and thresholds of activity occurrence so you don't have too few or too many policy alerts. When analytics is turned on, you can choose the **Customize thresholds** option in the policy wizard to see:
+
+- **A**. A gauge that shows the approximate number of scoped users whose activities from the past 10 days exceeded the lowest daily thresholds for at least one of the selected indicators in the policy. This gauge can help you estimate the number of alerts that might be generated if all users included in the policy were being assigned risk scores.
+- **B**. A list of the top five indicators sorted by the number of users exceeding the lowest daily thresholds. If your policies are generating a lot of alerts, these are the indicators you might want to focus on to reduce "noise."
+- **C**. An insight for each indicator, displayed below the thresholds. The insight shows the approximate number of users whose activities from the past 10 days exceeded the currently specified low thresholds for this indicator. For example, if the low threshold setting for *Downloading content from SharePoint* is set to 100, the insight shows the number of users in the policy who performed more than 100 download activities on an average in the past 10 days. If you adjust the threshold setting to 200, the insight will update in real time to show you the number of users whose activity exceeded levels that exceeded the new thresholds. This helps you quickly configure the appropriate thresholds for each indicator and achieve the highest level of alert effectiveness before activating your policies.
+
+ ![Insider risk management real-time analytics](../media/insider-risk-management-real-time-analytics.png)
+
+Real-time analytics (preview) is based on the last 10 days of activity data in your tenant and [global exclusions (intelligent detections) are taken into account](insider-risk-management-settings-intelligent-detections.md).
+
+#### Prerequisites for using real-time analytics
+
+To use real-time analytics (preview), you must:
+
+1. [Enable insider risk analytics insights](insider-risk-management-configure.md#step-3-optional-enable-and-view-insider-risk-analytics-insights).
+2. Choose the **Include all users and groups** option when you [create the policy](insider-risk-management-configure.md#step-6-required-create-an-insider-risk-management-policy).
+
+ > [!NOTE]
+ > If you've chosen to receive alerts only for activities that include priority content for this policy, real-time analytics insights (preview) will not be displayed since they're not supported for these policies.
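Review bot: In "Step 1: Prepare your endpoints", item 2, the list of supported device join states is garbled: "may be [Azure AD](...), Azure AD hybrid, joined, or registered" reads as four items and links only the first. This is an onboarding prerequisite, so name each supported state in full (presumably Azure AD joined, hybrid Azure AD joined, or Azure AD registered). Two cross-references no longer match their targets: the link text "Follow Step 3: If you have devices onboarded into Microsoft Defender for Endpoint" points at a heading with no step number, and "Step 2: Onboarding devices" points at "Step 2: Onboard devices". The same control is also named three ways ("enable device checking" in the Step 2 intro, **Onboard devices** in the first procedure, **Enable device monitoring** in the second); use the label the portal actually shows in all three places.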
compliance Insider Risk Management Settings Policy Timeframes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-policy-timeframes.md
+
+ Title: Set policy timeframes in insider risk management
+description: Learn about the Policy timeframes settings in Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Set policy timeframes in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Policy timeframes in Microsoft Purview Insider Risk Management allow you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates. Depending on the policy template you choose, the following policy timeframes are available:
+
+- **Activation window**: Available for all policy templates, *Activation window* is the defined number of days that the window activates **after** a triggering event. The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set *Activation window* to 30 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates *Activation window* and the policy is active for that user for 30 days after the triggering event occurred.
+- **Past activity detection**: Available for all policy templates, *Past activity detection* is the defined number of days that the window activates **before** a triggering event. For activities in the audit log, the window activates for 0 to 90 days before a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set *Past activity detection* to 90 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates *Past activity detection* and the policy gathers historic activities for that user for 90 days prior to the triggering event.
+
+ > [!NOTE]
+ > For email activities, the past activity detection period is 10 days.
++
+## Set policy timeframes
+
+1. Select the **Settings** button, and then select **Policy timeframes**.
+2. Move the slider for **Activation window** and **Past activity detection** to the number of days that you want.
+
+ ![Insider risk management timeframe settings.](../media/insider-risk-settings-timeframes.png)
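Review bot: Both bullet definitions are circular: "*Activation window* is the defined number of days that the window activates **after** a triggering event" never says what happens during the window, and the reader learns it only from the example ("the policy is active for that user for 30 days"). Define each setting by its effect, for example the number of days the policy stays active for a user after a triggering event, and the number of days of earlier activity the policy collects. The *Past activity detection* example promises 90 days of historic activity while the note under it limits email activities to 10 days, so mention the email limit in the example or move the note above it. In the metadata block, "- highpri" is listed twice.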
compliance Insider Risk Management Settings Power Automate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-power-automate.md
+
+ Title: Automate insider risk management actions with Microsoft Power Automate flows (preview)
+description: Learn how to automate Microsoft Purview Insider Risk Management actions with Microsoft Power Automate flows (preview).
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Automate insider risk management actions with Microsoft Power Automate flows (preview)
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+[Microsoft Power Automate](/power-automate/getting-started) is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for Microsoft Purview Insider Risk Management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.
++
+Customers with Microsoft 365 subscriptions that include insider risk management don't need additional Power Automate licenses to use the recommended insider risk management Power Automate templates. These templates can be customized to support your organization and cover core insider risk management scenarios. If you choose to use premium Power Automate features in these templates, create a custom template using the Microsoft Purview connector, or use Power Automate templates for other compliance areas in Microsoft 365, you may need more Power Automate licenses.
+
+The following Power Automate templates are provided to customers to support process automation for insider risk management users and cases:
+
+- **Notify users when they're added to an insider risk policy**: This template is for organizations that have internal policies, privacy, or regulatory requirements that users must be notified when they're subject to insider risk management policies. When this flow is configured and selected for a user in the **Users** page, users and their managers are sent an email message when the user is added to an insider risk management policy. This template also supports updating a SharePoint list hosted on a SharePoint site to help track notification message details like date/time and the message recipient. If you have chosen to anonymize users through the **Privacy** setting, flows created from this template won't function as intended so that user privacy is maintained.
+
+ Power Automate flows using this template are available on the **Users dashboard**.
+- **Request information from HR or business about a user in an insider risk case**: When acting on a case, insider risk analysts and investigators may need to consult with HR or other stakeholders to understand the context of the case activities. When this flow is configured and selected for a case, analysts and investigators send an email message to HR and business stakeholders configured for this flow. Each recipient is sent a message with pre-configured or customizable response options. When recipients select a response option, the response is recorded as a case note and includes recipient and date/time information. If you have chosen to anonymize users through the **Privacy** setting, flows created from this template won't function as intended so that user privacy is maintained.
+
+ Power Automate flows using this template are available on the **Cases dashboard**.
+- **Notify manager when a user has an insider risk alert**: Some organizations may need to have immediate management notification when a user has an insider risk management alert. When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all case alerts:
+
+ - Applicable policy for the alert
+ - Date/time of the alert
+ - Severity level of the alert
+
+ The flow automatically updates the case notes that the message was sent and that the flow was activated. If you've chosen to anonymize users through the **Privacy** setting, flows created from this template won't function as intended so that user privacy is maintained.
+
+ Power Automate flows using this template are available on the **Cases dashboard**.
+- **Create record for insider risk case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track insider risk management cases. When in a case, insider risk analysts and investigators can create a record for the case in ServiceNow. You can customize this template to populate selected fields in ServiceNow based on your organization's requirements. For more information on available ServiceNow fields, see the [ServiceNow Connector reference](/connectors/service-now/) article.
+
+ Power Automate flows using this template are available on the **Cases dashboard**.
+
+## Create a Power Automate flow from an insider risk management template
+
+To create a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To create a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
+
+1. Do one of the following:
+ - In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Power Automate flows (preview)**.
+ - In the **Cases dashboard** or the **Users dashboards**, select **Automate** > **Manage Power Automate flows**.
+2. On the **Power Automate flows** page, select a recommended template from the **Insider risk management templates you may like** section.
+3. The flow lists the embedded connections needed for the flow and notes if the connection statuses are available. If needed, update any connections that aren't displayed as available. Select **Continue**.
+4. By default, the recommended flows are pre-configured with the recommended insider risk management and Microsoft 365 service data fields required to complete the assigned task for the flow. If needed, customize the flow components by using the **Show advanced options** control and configuring the available properties for the flow component.
+5. If needed, add any other steps to the flow by selecting the **New step** button. In most cases, this shouldn't be needed for the recommended default templates.
+6. Select **Save draft** to save the flow for further configuration or select **Save** to complete the configuration for the flow.
+7. Select **Close** to return to the **Power Automate flow** page. The new template is listed as a flow on the **My flows** tabs and is automatically available from the **Automate** dropdown control when working with insider risk management cases for the user creating the flow.
+
+> [!IMPORTANT]
+> If other users in your organization need access to the flow, the flow must be shared.
+
+## Create a custom Power Automate flow for insider risk management
+
+Some processes and workflows for your organization may be outside of the recommended insider risk management flow templates, in which case you may need to create custom Power Automate flows for insider risk management areas. Power Automate flows are flexible and support extensive customization, but have required steps to integrate with insider risk management features.
+
+To create a custom Power Automate template for insider risk management:
+
+1. **Check your Power Automate flow license**: To create customized Power Automate flows that use insider risk management triggers, you'll need a Power Automate license. The recommended insider risk management flow templates don't require extra licensing and are included as part of your insider risk management license.
+2. **Create an automated flow**: Create a flow that performs one or more tasks after it's triggered by an insider risk management event. For details on how to create an automated flow, see [Create a flow in Power Automate](/power-automate/get-started-logic-flow).
+3. **Select the Microsoft Purview connector**: Search for and select the Microsoft Purview connector. This connector enables insider risk management triggers and actions. For more information on connectors, see the [Connector reference overview](/connectors/connector-reference/) article.
+4. **Choose insider risk management triggers for your flow**: Insider risk management has two triggers available for custom Power Automate flows:
+ - **For a selected insider risk management case**: Flows with this trigger can be selected from the insider risk management **Cases dashboard**.
+ - **For a selected insider risk management user**: Flows with this trigger can be selected from the insider risk management **Users dashboard**.
+5. **Choose insider risk management actions for your flow:** You can choose from several actions for insider risk management to include in your custom flow:
+ - Get insider risk management alert
+ - Get insider risk management case
+ - Get insider risk management user
+ - Get insider risk management alerts for a case
+ - Add insider risk management case note
+
+## Share a Power Automate flow
+
+By default, Power Automate flows created by a user are only available to that user. For other insider risk management users to have access and use a flow, the flow must be shared by the flow creator. To share a flow, use the settings controls in the insider risk management solution or the **Manage Power Automate flows** option from the **Automate** control when working directly in the **Cases dashboard** or **Users dashboard**. Once you've shared a flow, everyone who it's shared with can access the flow in the **Automate** control dropdown in the **Cases dashboard** and **Users dashboard**.
+
+To share a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To share a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
+
+To share a Power Automate flow:
+
+1. Do one of the following:
+ - In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Power Automate flows (preview)**.
+ - In the **Cases dashboard** or **Users dashboard**, select **Automate** > **Manage Power Automate flows**.
+2. On the **Power Automate flows** page, select the **My flows** or **Team flows** tab.
+3. Select the flow to share, and then select **Share** from the flow options menu.
+4. On the flow sharing page, enter the name of the user or group you want to add as an owner for the flow.
+5. In the **Connection Used** dialog box, select **OK** to acknowledge that the added user or group will have full access to the flow.
+
+## Edit a Power Automate flow
+
+To edit a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To edit a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
+
+1. Do one of the following:
+ - In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Power Automate flows (preview)**.
+ - In the **Cases dashboard** or **Users dashboard**, select **Automate** > **Manage Power Automate flows**.
+2. On the **Power Automate flows** page, select a flow to edit, and then select **Edit** from the flow control menu.
+3. Select **ellipsis** > **Settings** to change a flow component setting or **ellipsis** > **Delete** to delete a flow component.
+4. Select **Save** and then **Close** to complete editing the flow.
+
+## Delete a Power Automate flow
+
+> [!NOTE]
+> When a flow is deleted, it's removed as an option for all users.
+
+To delete a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To delete a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
+
+1. Do one of the following:
+ - In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Power Automate flows (preview)**.
+ - In the **Cases dashboard** or **Users dashboard**, select **Automate** > **Manage Power Automate flows**.
+2. On the **Power Automate flows** page, select a flow to delete, and then select **Delete** from the flow control menu.
+3. In the deletion confirmation dialog box, select **Delete**.
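Review bot: In "Share a Power Automate flow", steps 4 and 5 show that sharing adds the user or group "as an owner" with "full access to the flow", but the section's opening paragraph and the earlier IMPORTANT callout describe sharing only as giving others access to use the flow. These flows retrieve user, alert, and case information, so state up front that sharing grants ownership, so that admins decide who receives it before they reach the **Connection Used** dialog. Separately, the sentence "flows created from this template won't function as intended so that user privacy is maintained" appears in three template descriptions without saying what happens when anonymization is on (for example, whether the flow fails or sends a message without user details); describe the actual behaviour. Minor: "**Users dashboards**" and "**My flows** tabs" should be singular, "**Power Automate flow** page" should match "**Power Automate flows** page" used elsewhere, and "- highpri" is listed twice in the metadata block.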
compliance Insider Risk Management Settings Priority Physical Assets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-priority-physical-assets.md
+
+ Title: Identify priority physical assets for insider risk management policies
+description: Learn about the Priority physical assets (preview) settings for Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Identify priority physical assets for insider risk management policies
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Identifying access to priority physical assets and correlating access activity to user events is an important component of your Microsoft Purview Insider Risk Management compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access these unauthorized sensitive or secure areas, and requests for access to high-level areas without legitimate needs.
++
+With priority physical assets enabled and the [Physical badging data connector](import-physical-badging-data.md) configured, insider risk management integrates signals from your physical control and access systems with other user risk activities. By examining patterns of behavior across physical access systems and correlating these activities with other insider risk events, insider risk management can help compliance investigators and analysts make more informed response decisions for alerts.
+
+Access to priority physical assets is scored and identified in insights differently from access to non-priority assets. For example, your organization has a badging system for users that governs and approves physical access to normal working and sensitive project areas. You have several users working on a sensitive project and these users will return to other areas of your organization when the project is completed. As the sensitive project nears completion, you want to make sure that the project work remains confidential and that access to the project areas is tightly controlled.
+
+You choose to enable the Physical badging data connector in Microsoft 365 to import access information from your physical badging system and specify priority physical assets in insider risk management. By importing information from your badging system and correlating physical access information with other risk activities identified in insider risk management, you notice that one of the users on the project is accessing the project offices after normal working hours and is also exporting large amounts of data to a personal cloud storage service from their normal work area. This physical access activity associated with the online activity may point to possible data theft and compliance investigators and analysts can take appropriate actions as dictated by the circumstances for this user.
+
+![Insider risk management priority physical assets.](../media/insider-risk-settings-priority-assets.png)
+
+## Configure priority physical assets
+
+To configure priority physical assets, you configure the Physical badging connector and use setting controls in the insider risk management solution. To configure priority physical assets, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.
+
+1. Follow the configuration steps for insider risk management in the [Getting started with insider risk management](insider-risk-management-configure.md) article. In Step 3, make sure to configure the Physical badging connector.
+
+ > [!IMPORTANT]
+ > For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for physical access activities for users in your organization.
+
+2. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Priority physical assets (preview)**.
+3. On the **Priority physical assets (preview)** page, you can either manually add the physical asset IDs imported by the Physical badging connector or import a CSV file of all physical assets IDs imported by the Physical badging connector:
+ 1. To manually add physical assets IDs, choose **Add priority physical assets**, enter a physical asset ID, and then select **Add**. Enter other physical asset IDs, and then select **Add priority physical assets** to save all the assets entered.
+ 2. To add a list of physical asset IDs from a CSV file, choose **Import priority physical assets**. In the file explorer dialog box, select the CSV file you want to import, and then select **Open**. The physical asset IDs from the CSV files are added to the list.
+4. In settings, select **Policy indicators**.
+5. On the **Policy indicators** page, go to the **Physical access indicators** section, and then select the **Physical access after termination or failed access to sensitive asset** check box.
+6. Select **Save**.
+
+## Delete a priority physical asset
+
+You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group to delete a priority physical asset.
+
+> [!IMPORTANT]
+> Deleting a priority physical asset removes it from examination by any active policy to which it was previously included. Alerts generated by activities associated with the priority physical asset aren't deleted.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Priority physical assets (preview)**.
+2. On the **Priority physical assets (preview)** page, select the asset you want to delete.
+3. Select **Delete**.
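Review bot: the role group name is inconsistent between sections: "Configure priority physical assets" requires *Insider Risk Management Admin*, while "Delete a priority physical asset" requires *Insider Risk Management Admins*. Use one form so readers assigning roles can match it exactly. The IMPORTANT note under step 1 also needs tightening: "will only process events for physical access activities for users in your organization" does not say plainly what is lost without the Microsoft 365 HR connector, and step 5 enables **Physical access after termination or failed access to sensitive asset**, so say explicitly whether the after-termination part of that indicator depends on the HR connector. Smaller points: `- highpri` is listed twice in the metadata, and "to which it was previously included" should read "in which it was previously included".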
compliance Insider Risk Management Settings Priority User Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-priority-user-groups.md
+
+ Title: Prioritize user groups for insider risk management policies
+description: Learn about the Priority user groups settings for Microsoft Purview Insider Risk Management.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Prioritize user groups for insider risk management policies
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization. Priority user groups in Microsoft Purview Insider Risk Management help define the users in your organization that need closer inspection and more sensitive risk scoring. Coupled with the *Security policy violations by priority users* and *Data leaks by priority users* policy templates, users added to a priority user group have an increased likelihood of insider risk alerts and alerts with higher severity levels.
+
+![Insider risk management priority user group settings](../media/insider-risk-settings-priority-users.png)
++
+Instead of being open to review by all analysts and investigators, priority user groups may also need to restrict review activities to specific users or insider risk role groups. You can choose to assign individual users and role groups to review users, alerts, cases, and reports for each priority user group. Priority user groups can have review permissions assigned to the built-in *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups, one or more of these role groups, or to a custom selection of users.
+
+For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create the *Confidential Project Users* priority user group for users in your organization that work on this project. Also, this priority user group shouldn't have users, alerts, cases, and reports associated with the group visible to all the default insider risk management admins, analysts, and investigators. In settings, you create the *Confidential Project Users* priority user group and assign two users as reviewers that can view data related to the groups. Use the policy wizard and the *Data leaks by priority users* policy template to create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users are more likely to generate alerts and have alerts with higher severity levels.
+
+## Create a priority user group
+
+You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group to create a priority user group.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Settings** button.
+2. Select **Priority user groups**.
+3. On the **Priority user groups** page, select **Create priority user group** to start the group creation wizard.
+4. On the **Name and describe the priority user group** page, complete the following fields:
+ - **Name (required)**: Enter a friendly name for the priority user group. You can't change the name of the priority user group after you complete the wizard.
+ - **Description (optional)**: Enter a description for the priority user group.
+5. Select **Next** to continue.
+6. On the **Choose members** page, select **Choose members** to search and select which mail-enabled user accounts are included in the group or select the **Select all** check box to add all users in your organization to the group. Select **Add** to continue.
+7. Select **Next** to continue.
+8. On the **Choose who can view this group** page, you must define who can review users, alerts, cases, and reports for the priority user group. At least one user or insider risk management role group must be assigned. Select **Choose users and role groups**, and then select the users or insider risk management role groups you want to assign to the priority user group. Select **Add** to assign the selected users or role groups to the group.
+9. Select **Next** to continue.
+10. On the **Review** page, review the settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to create and activate the priority user group.
+11. On the confirmation page, select **Done**.
+
+## Update a priority user group
+
+You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group to update a priority user group.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Settings** button.
+2. Select **Priority user groups**.
+3. Select the priority user group you want to edit, and then select **Edit group**.
+4. On the **Name and describe** page, update the **Description** field if needed. You can't update the name of the priority user group. Select **Next** to continue.
+5. On the **Choose members** page, add new members to the group using the **Choose members** control. To remove a user from the group, select the 'X' next to the user you want to remove. Select **Next** to continue.
+6. On the **Choose who can view this group** page, add or remove users or role groups that can review users, alerts, cases, and reports for the priority user group.
+7. Select **Next** to continue.
+8. On the **Review** page, review the update settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to update the priority user group.
+9. On the confirmation page, select **Done**.
+
+## Delete a priority user group
+
+> [!IMPORTANT]
+> Deleting a priority user group will remove it from any active policy to which it is assigned. If you delete a priority user group that is assigned to an active policy, the policy will not contain any in-scope users and will effectively be idle and will not create alerts.
+
+You must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group to delete a priority user group.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Settings** button.
+2. Select **Priority user groups**.
+3. Select the priority user group you want to edit, and then select **Delete**.
+4. In the **Delete** dialog box, select **Yes**.
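Review bot: in "Delete a priority user group", step 3 says "Select the priority user group you want to edit, and then select **Delete**"; "edit" looks carried over from the update procedure and should be "delete". The same section names the role group *Insider Risk Management Admin*, while the create and update sections use *Insider Risk Management Admins*. Because the IMPORTANT note says a policy left with no in-scope users goes idle and stops creating alerts, consider adding a step before the deletion to check which active policies the group is assigned to; as written the procedure goes straight to a **Yes** confirmation. `- highpri` is also duplicated in the metadata.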
compliance Insider Risk Management Settings Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-privacy.md
+
+ Title: Manage username privacy in insider risk management
+description: Learn about using the Privacy setting in Microsoft Purview Insider Risk Management to manage visibility of usernames.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Manage username privacy in insider risk management
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Protecting the privacy of users that have policy matches in Microsoft Purview Insider Risk Management is important and can help promote objectivity in data investigation and analysis reviews for insider risk alerts. For users with an insider risk policy match, you can choose one of the following settings:
+
+- **Show anonymized versions of usernames**: Names of users are anonymized to prevent admins, data investigators, and reviewers from seeing who is associated with policy alerts. For example, a user 'Grace Taylor' would appear with a randomized pseudonym such as 'AnonIS8-988' in all areas of the insider risk management experience. Choosing this setting anonymizes all users with current and past policy matches and applies to all policies. User profile information in the insider risk alert and case details won't be available when this option is chosen. However, usernames are displayed when adding new users to existing policies or when assigning users to new policies. If you choose to turn off this setting, usernames will be displayed for all users that have current or past policy matches.
+
+ > [!IMPORTANT]
+ > To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.
+
+- **Do not show anonymized versions of usernames**: Usernames are displayed for all current and past policy matches for alerts and cases. User profile information (the name, title, alias, and organization or department) is displayed for the user for all insider risk management alerts and cases.
++
+## Change the Privacy setting
+
+1. In insider risk management, select the **Settings** button.
+2. Select **Privacy**.
+3. Select the option you want, to show anonymized names or not.
+
+ ![Insider risk management privacy settings.](../media/insider-risk-settings-privacy.png)
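Review bot: the terminology is inconsistent: the banner note says users are "pseudonymized by default", but the setting description uses "anonymized" throughout while giving the example of a "randomized pseudonym such as 'AnonIS8-988'", and the nested IMPORTANT note says usernames are shown again in exporting API and eDiscovery exports. Since the identity stays recoverable, "pseudonymized" is the accurate term; use it in the descriptive text and keep "anonymized" only where it quotes the UI label. Separately, "Change the Privacy setting" has no role-group prerequisite, no portal link, and no save step, unlike the sibling procedures on this page. Turning the setting off displays usernames for all current and past policy matches, so the section should state who is allowed to change it.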
compliance Insider Risk Management Settings Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings-teams.md
+
+ Title: Enable Microsoft Teams for collaborating on insider risk management cases
+description: Learn about enabling Microsoft Teams for collaborating on Microsoft Purview Insider Risk Management cases.
+keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance
+ms.localizationpriority: medium
++
+f1.keywords:
+- NOCSH
+++ Last updated : 05/03/2023
+audience: itpro
+
+- highpri
+- tier1
+- purview-compliance
+- m365solution-insiderrisk
+- m365initiative-compliance
+- highpri
+++
+# Enable Microsoft Teams for collaborating on insider risk management cases
+
+> [!IMPORTANT]
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+
+Compliance analysts and investigators can use Microsoft Teams to collaborate on Microsoft Purview Insider Risk Management cases. They can communicate with other stakeholders on Teams to:
+
+- Coordinate and review response activities for cases in private Teams channels
+- Securely share and store files and evidence related to individual cases
+- Track and review response activities by analysts and investigators
++
+After Teams is enabled for insider risk management, a dedicated team is created every time an alert is confirmed and a case is created. By default, the team automatically includes all members of the *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups (up to 100 initial users). Additional organization contributors can be added to the team after it's created and as appropriate.
+
+For existing cases created before enabling Teams, analysts and investigators can choose to create a new team when working on a case, if needed. Once you resolve the associated case in insider risk management, the team is automatically archived (moved to hidden and read-only).
+
+Learn more: [Overview of teams and channels in Microsoft Teams](/MicrosoftTeams/teams-channels-overview).
+
+## Enable Teams support
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, and then select the **Settings** button.
+2. Select **Microsoft Teams (preview)**.
+3. Turn the setting on.
+4. Select **Save**.
+
+ ![Insider risk management Microsoft Teams.](../media/insider-risk-settings-teams.png)
+
+## Create a team for existing cases
+
+If you enable Teams support for insider risk management after you have existing cases, you'll need to manually create a team for each case, as needed. Users need permission to create Microsoft 365 Groups in your organization to create a team from a case. For more information about managing permissions for Microsoft 365 Groups, see [Manage who can create Microsoft 365 Groups](../solutions/manage-creation-of-groups.md).
+
+> [!NOTE]
+> After enabling Teams support in insider risk management settings, when a new case is created, a new team will automatically be created.
+
+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** > **Cases**, and then select an existing case.
+2. On the case action menu, select **Create Microsoft Team**.
+3. In the **Team name** field, enter a name for the new Microsoft Teams team.
+4. Select **Create Microsoft team**, and then select **Close**.
+
+Depending on the number of users assigned to insider risk management role groups, it may take 15 minutes for all investigators and analysts to be added to the team.
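Review bot: "Enable Teams support" does not say which role group can turn the setting on, and the paragraph before it says each new team automatically includes all members of the *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups (up to 100 initial users). Since files and evidence for the case are shared and stored in that team, the page should say whether that default membership can be narrowed for cases where review is meant to be limited to specific people. Smaller points: the action is written **Create Microsoft Team** in step 2 and **Create Microsoft team** in step 4, and "it may take 15 minutes" reads as a fixed delay; if it is an upper bound, say "up to 15 minutes".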
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
Title: Get started with insider risk management settings
-description: Learn about insider risk management settings in Microsoft Purview
+ Title: Learn about insider risk management settings
+description: Learn about insider risk management settings in Microsoft Purview.
keywords: Microsoft 365, Microsoft Purview, insider risk, risk management, compliance ms.localizationpriority: medium
f1.keywords:
Previously updated : 05/09/2023 Last updated : 03/13/2023 audience: itpro - highpri
-# Get started with insider risk management settings
+# Learn about insider risk management settings
> [!IMPORTANT]
-> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
+> Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
-Insider risk management settings apply to all insider risk management policies, regardless of the template you choose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management pages. These settings control policy components for the following areas:
--- [Privacy](#privacy)-- [Indicators](#policy-indicators)-- [Policy timeframes](#policy-timeframes)-- [Intelligent detections](#intelligent-detections)-- [Export alerts](#export-alerts)-- [Priority user groups](#priority-user-groups)-- [Priority physical assets (preview)](#priority-physical-assets-preview)-- [Power Automate flows (preview)](#power-automate-flows-preview)-- [Microsoft Teams (preview)](#microsoft-teams-preview)-- [Analytics](#analytics)-- [Admin notifications](#admin-notifications)-- [Inline alert customization](#inline-alert-customization)-
-Before you get started and create insider risk management policies, it's important to understand these settings and choose setting levels best for the compliance needs for your organization.
--
-## Privacy
-
-Protecting the privacy of users that have policy matches is important and can help promote objectivity in data investigation and analysis reviews for insider risk alerts. For users with an insider risk policy match, you can choose one of the following settings:
--- **Show anonymized versions of usernames**: Names of users are anonymized to prevent admins, data investigators, and reviewers from seeing who is associated with policy alerts. For example, a user 'Grace Taylor' would appear with a randomized pseudonym such as 'AnonIS8-988' in all areas of the insider risk management experience. Choosing this setting anonymizes all users with current and past policy matches and applies to all policies. User profile information in the insider risk alert and case details won't be available when this option is chosen. However, usernames are displayed when adding new users to existing policies or when assigning users to new policies. If you choose to turn off this setting, usernames are displayed for all users that have current or past policy matches.-
- > [!IMPORTANT]
- > To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to .csv files from alerts or cases, anonymization *is* preserved.
--- **Do not show anonymized versions of usernames**: Usernames are displayed for all current and past policy matches for alerts and cases. User profile information (the name, title, alias, and organization or department) is displayed for the user for all insider risk management alerts and cases.-
-![Insider risk management privacy settings.](../media/insider-risk-settings-privacy.png)
-
-## Policy indicators
-
-Insider risk policy templates define the type of risk activities that you want to detect and investigate. Each policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default, and you must select one or more indicators to configure an insider risk management policy.
-
-Signals are collected and alerts are triggered by policies when users perform activities related to indicators. Insider risk management uses different types of events and indicators to collect signals and create alerts:
--- **Triggering events**: Events that determine if a user is active in an insider risk management policy. If a user is added to an insider risk management policy doesn't have a triggering event, the user isn't evaluated by the policy as a potential risk. For example, User A is added to a policy created from the *Data theft by departing users* policy template and the policy and Microsoft 365 HR connector are properly configured. Until User A has a termination date reported by the HR connector, User A isn't evaluated by this insider risk management policy for potential risk. Another example of a triggering event is if a user has a *High* severity DLP policy alert when using *Data leaks* policies.-- **Global settings indicators**: Indicators enabled in global settings for insider risk management define both the indicators available for configuration in policies and the types of events signals collected by insider risk management. For example, if a user copies data to personal cloud storage services or portable storage devices and these indicators are selected only in global settings, the user's potentially risky activity is available for review in the Activity explorer. However, if this user wasn't defined in an insider risk management policy, the user isn't evaluated by the policy as a potential risk and therefore won't be assigned a risk score or generate an alert.-- **Policy indicators**: Indicators included in insider risk management policies are used to determine a risk score for an in-scope user. Policy indicators are enabled from indicators defined in global settings and are only activated after a triggering event occurs for a user. Some examples of policy indicators are when a user copies data to personal cloud storage services or portable storage devices, if a user account is removed from Azure Active Directory, or if a user shares internal files and folders with unauthorized external parties.-
-Certain policy indicators and sequences may also be used for customizing triggering events for specific policy templates. When configured in the policy wizard for the *General data leaks* or *Data leaks by priority users* templates, these indicators or sequences allow you more flexibility and customization for your policies and when users are in-scope for a policy. Also, you can define risk management activity thresholds for these triggering indicators for more fine-grained control in a policy.
-
-Policy indicators are segmented into the following areas. You can choose the indicators to activate and customize indicator event limits for each indicator level when creating an insider risk policy:
--- **Office indicators**: These include policy indicators for SharePoint sites, Microsoft Teams, and email messaging.-- **Device indicators**: These include policy indicators for activity such as sharing files over the network or with devices. Indicators include activities involving all file types, excluding executable (.exe) and dynamic link library (.dll) file activity. If you select *Device indicators*, activity is processed for devices with Windows 10 Build 1809 or higher and macOS (three latest released versions) devices. For both Windows and macOS devices, you must first onboard devices to the compliance portal. Device indicators also include browser signal detection to help your organization detect and act on exfiltration signals for non-executable files viewed, copied, shared, or printed in Microsoft Edge and Google Chrome. For more information on configuring Windows devices for integration with insider risk, see the following [Enable device indicators and onboard Windows devices](insider-risk-management-settings.md#OnboardDevices) section in this article. For more information on configuring macOS devices for integration with insider risk, see the following Enable device indicators and onboard macOS devices section in this article. For more information about browser signal detection, see [Learn about and configure insider risk management browser signal detection](insider-risk-management-browser-support.md).-- **Microsoft Defender for Endpoint indicators (preview)**: These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. 
For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).-- **Health record access indicators**: These include policy indicators for patient medical record access. For example, attempted access to patient medical records in your electronic medical records (EMR) system logs can be shared with insider risk management healthcare policies. To receive these types of alerts in insider risk management, you must have a healthcare-specific data connector and the HR data connector configured.-- **Physical access indicators**: These include policy indicators for physical access to sensitive assets. For example, attempted access to a restricted area in your physical badging system logs can be shared with insider risk management policies. To receive these types of alerts in insider risk management, you must have priority physical assets enabled in insider risk management and the [Physical badging data connector](import-physical-badging-data.md) configured. To learn more about configuring physical access, see the [Priority physical access section](#priority-physical-assets-preview) in this article.-- **Microsoft Defender for Cloud Apps indicators**: These include policy indicators from shared alerts from Defender for Cloud Apps. Automatically enabled anomaly detection in Defender for Cloud Apps immediately starts detecting and collating results, targeting numerous behavioral anomalies across your users and the machines and devices connected to your network. To include these activities in insider risk management policy alerts, select one or more indicators in this section. 
To learn more about Defender for Cloud Apps analytics and anomaly detection, see [Get behavioral analytics and anomaly detection](/cloud-app-security/anomaly-detection-policy).-- **Risky browsing indicators (preview)**: These include policy indicators for user browsing activity related to websites that are considered malicious or risky and pose potential insider risk that may lead to a security or compliance incident. Risky browsing activity refers to users who visit potentially risky websites, such as those associated with malware, pornography, violence, and other unallowed activities. To include these risk management activities in policy alerts, select one or more indicators in this section. To learn about configuring browser exfiltration signals, see [Insider risk management browser signal detection](insider-risk-management-browser-support.md).-- **Cumulative exfiltration detection (preview)**: Detects when a user's exfiltration activities across all exfiltration channels over the last 30 days exceeds organization or peer group norms. For example, if a user is in a sales role and communicates regularly with customers and partners outside of the organization, their external email activity will likely be higher than the organization's average. However, the user's activity may not be unusual compared to the user's teammates, or others with similar job titles. A risk score is assigned if the user's cumulative exfiltration activity is unusual and exceeds organization or peer group norms.
- > [!NOTE]
- > Peer groups are defined based on organization hierarchy, access to shared SharePoint resources, and job titles in Azure AD. If you enable cumulative exfiltration detection, your organization is agreeing to sharing Azure AD data with the compliance portal, including organization hierarchy and job titles. If your organization does not use Azure AD to maintain this information, then detection may be less accurate.
-- **Risk score boosters**: These include raising the risk score for activity for the following reasons:
- - *Activity that is above the user's usual activity for that day*: Scores are boosted if the detected activity deviates from the user's typical behavior.
- - *User had a previous case resolved as a policy violation*: Scores are boosted in the user has a previous case in Insider risk management that was resolved as a policy violation.
- - *User is a member of a priority user group*: Scores are boosted if the user is a member of a priority user group.
- - *User is detected as a potential high impact user*: When this is enabled, users are automatically flagged as potential high impact users based on the following criteria:
- - User interacts with more sensitive content compared to others in the organization
- - The user's level in organization's Azure AD hierarchy
- - The total number of users reporting to the user based on Azure AD hierarchy
- - The user is a member of an Azure AD built-in role with elevated permissions
- > [!NOTE]
- > When you enable the potential high impact user risk score booster, you're agreeing to share Azure AD data with the compliance portal. If your organization doesn't use sensitivity labels or has not configured organization hierarchy in Azure AD, then this detection may be less accurate. If a user is detected as both a member of a priority user group and also a potential high impact user, their risk score will only be boosted once.
-
-In some cases, you may want to limit the insider risk policy indicators that are applied to insider risk policies in your organization. You can turn off the policy indicators for specific areas by disabling them from all insider risk policies in global settings. Triggering events can only be modified for policies created from the *Data leaks* or *Data leaks by priority users* templates. Policies created from all other templates don't have customizable triggering indicators or events.
-
-To define the insider risk policy indicators that are enabled in all insider risk policies, navigate to **Insider risk settings** > **Indicators** and select one or more policy indicators. The indicators selected on the **Indicators** settings page can't be individually configured when creating or editing an insider risk policy in the policy wizard.
-
-> [!NOTE]
-> It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
-
-### Enable device indicators and onboard Windows devices
-<a name="OnboardDevices"> </a>
-
-To enable the detection of risk activities on Windows devices and include policy indicators for these activities, your Windows devices must meet the following requirements and you must complete the following onboarding steps.
-
-#### Step 1: Prepare your endpoints
-
-Make sure that the Windows 10 devices that you plan on reporting in insider risk management meet these requirements.
-
-1. Must be running Windows 10 x64 build 1809 or later and must have installed the [Windows 10 update (OS Build 17763.1075)](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) from February 20, 2020.
-2. The user account used to log into the Windows 10 device must be an active Azure AD account. The Windows 10 device may be [Azure AD](/azure/active-directory/devices/concept-azure-ad-join), Azure AD hybrid, joined, or registered.
-3. Install the Microsoft Edge browser on the endpoint device to detect actions for the cloud upload activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).
-
-#### Step 2: Onboarding devices
-<a name="OnboardStep2"> </a>
-
-You must enable device checking and onboard your endpoints before you can detect insider risk management activities on a device. Both actions are taken in the Microsoft Purview compliance portal.
-
-When you want to enable devices that haven't been onboarded yet, you need to download the appropriate script and deploy it as outlined below.
-
-If you already have devices onboarded into [Microsoft Defender for Endpoint](/windows/security/threat-protection/), they'll already appear in the managed devices list. Follow [Step 3: If you have devices onboarded into Microsoft Defender for Endpoint](insider-risk-management-settings.md#OnboardStep3) in the next section.
-
-In this deployment scenario, you'll enable devices that haven't been onboarded yet, and you just want to detect insider risk activities on Windows devices.
-
-1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
-2. Open the compliance portal settings page and choose **Onboard devices**.
-
- > [!NOTE]
- > While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
-
-3. Choose **Device management** to open the **Devices** list. The list is empty until you onboard devices.
-4. Choose **Onboarding** to begin the onboarding process.
-5. Choose the way you want to deploy to these more devices from the **Deployment method** list and then **download package**.
-6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
- - Onboard Windows machines using Group Policy
- - Onboard Windows machines using Microsoft Endpoint Configuration Manager
- - Onboard Windows machines using Mobile Device Management tools
- - Onboard Windows machines using a local script
- - Onboard non-persistent virtual desktop infrastructure (VDI) machines.
-
-Once done and endpoint is onboarded, it should be visible in the devices list and the endpoint will start reporting audit activity logs to insider risk management.
-
-> [!NOTE]
-> This experience is under license enforcement. Without the required license, data will not be visible or accessible.
-
-#### Step 3: If you have devices onboarded into Microsoft Defender for Endpoint
-<a name="OnboardStep3"> </a>
-
-If Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in, all these endpoints appear in the managed devices list. You can continue to onboard new devices into insider risk management to expand coverage by using the [Step 2: Onboarding devices](insider-risk-management-settings.md#OnboardStep2) section.
-
-1. Open the [Microsoft Purview compliance portal](https://compliance.microsoft.com).
-2. Open the compliance portal settings page and choose **Enable device monitoring**.
-3. Choose **Device management** to open the **Devices** list. You should see the list of devices that are already reporting into Microsoft Defender for Endpoint.
-4. Choose **Onboarding** if you need to onboard more devices.
-5. Choose the way you want to deploy to these more devices from the **Deployment method** list and then **Download package**.
-6. Follow the appropriate procedures in [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:
- - Onboard Windows machines using Group Policy
- - Onboard Windows machines using Microsoft Endpoint Configuration Manager
- - Onboard Windows machines using Mobile Device Management tools
- - Onboard Windows machines using a local script
- - Onboard non-persistent virtual desktop infrastructure (VDI) machines.
-
-Once done and endpoint is onboarded, it should be visible under the **Devices** table and the endpoint will start reporting audit activity logs to insider risk management.
-
-> [!NOTE]
-> This experience is under license enforcement. Without the required license, data will not be visible or accessible.
-
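Review bot: The `<a name="OnboardDevices">`, `<a name="OnboardStep2">` and `<a name="OnboardStep3">` anchors are deleted along with these sections, but the removed text itself links to them as `insider-risk-management-settings.md#OnboardDevices`, `#OnboardStep2` and `#OnboardStep3`, so any other article using the same targets will land on a missing fragment. Confirm that the destination of this content keeps the same anchor names, or that inbound links are updated in the same change. If the steps are being moved rather than dropped, Step 2 and Step 3 repeat the same six-step list with small differences (**Onboard devices** versus **Enable device monitoring** in step 2, "download package" versus "Download package" in step 5), which is worth consolidating at the new location.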
-### Enable device indicators and onboard macOS devices
-
-macOS devices (Catalina 10.15 or later) can be onboarded into Microsoft 365 to support insider risk management policies using either Intune or JAMF Pro. For more information and configuration guidance, see [Onboard macOS devices into Microsoft 365 overview (preview)](device-onboarding-macos-overview.md).
-
-### Indicator level settings
-
-When creating a policy using the policy wizard, you can configure how the daily number of risk events should influence the risk score for insider risk alerts. These indicator settings help you control how the number of occurrences of risk events in your organization should affect the risk score, and so the associated alert severity, for these events. If you prefer, you can also choose to keep the default event threshold levels recommended by Microsoft for all enabled indicators.
-
-For example, you decide to enable SharePoint indicators in the insider risk policy settings and to **set custom thresholds** for SharePoint events when configuring indicators for a new insider risk *Data leaks* policy. While in the insider risk policy wizard, you configure three different daily event levels for each SharePoint indicator to influence the risk score for alerts associated with these events.
-
-![Insider risk management custom indicator settings](../media/insider-risk-custom-indicators.png)
-
-For the first daily event level, you set the threshold at *10 or more events per day* for a lower impact to the risk score for the events, *20 or more events per day* for a medium impact to the risk score for the events, and *30 or more events per day* a higher impact to the risk score for the events. These settings effectively mean:
--- If there are 1-9 SharePoint events that take place after triggering event, risk scores are minimally impacted and would tend not to generate an alert.-- If there are 10-19 SharePoint events that take place after a triggering event, the risk score is inherently lower and alert severity levels would tend to be at a low level.-- If there are 20-29 SharePoint events that take place after a triggering, the risk score is inherently higher and alert severity levels would tend to be at a medium level.-- If there are 30 or more SharePoint events that take place after a triggering, the risk score is inherently higher and alert severity levels would tend to be at a high level.-
-Another option for policy thresholds is to assign the policy triggering event to risk management activity that is above the typical daily number of users. Instead of being defined by specific threshold settings, each threshold is dynamically customized for anomalous activities detected for in-scope policy users. If threshold activity for anomalous activities is supported for an individual indicator, you can select **Activity is above user's usual activity for the day** in the policy wizard for that indicator. If this option isn't listed, anomalous activity triggering isn't available for the indicator. If the **Activity is above user's usual activity for the day** option is listed for an indicator, but not selectable, you need to enable this option in **Insider risk settings** > **Policy indicators**.
-
-#### Use real-time analytics (preview) to manage alert volume
-
-You can use real-time analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that enables you to quickly select the appropriate thresholds for each policy indicator. This guided experience can help you efficiently adjust selection of indicators and thresholds of activity occurrence so you don't have too few or too many policy alerts. When analytics is turned on, you can choose the **Customize thresholds** option in the policy wizard to see:
--- **A**. A gauge that shows the approximate number of scoped users whose activities from the past 10 days exceeded the lowest daily thresholds for at least one of the selected indicators in the policy. This gauge can help you estimate the number of alerts that might be generated if all users included in the policy were being assigned risk scores.-- **B**. A list of the top five indicators sorted by the number of users exceeding the lowest daily thresholds. If your policies are generating a lot of alerts, these are the indicators you might want to focus on to reduce "noise."-- **C**. An insight for each indicator, displayed below the thresholds. The insight shows the approximate number of users whose activities from the past 10 days exceeded the currently specified low thresholds for this indicator. For example, if the low threshold setting for *Downloading content from SharePoint* is set to 100, the insight shows the number of users in the policy who performed more than 100 download activities on an average in the past 10 days. If you adjust the threshold setting to 200, the insight will update in real time to show you the number of users whose activity exceeded levels that exceeded the new thresholds. This helps you quickly configure the appropriate thresholds for each indicator and achieve the highest level of alert effectiveness before activating your policies. -
- ![Insider risk management real-time analytics](../media/insider-risk-management-real-time-analytics.png)
-
-Real-time analytics (preview) is based on the last 10 days of activity data in your tenant and [global exclusions (intelligent detections) are taken into account](#intelligent-detections).
-
-##### Prerequisites for using real-time analytics
-
-To use real-time analytics (preview), you must:
-
-1. [Enable insider risk analytics insights](insider-risk-management-configure.md#step-3-optional-enable-and-view-insider-risk-analytics-insights).
-2. Choose the **Include all users and groups** option when you [create the policy](insider-risk-management-configure.md#step-6-required-create-an-insider-risk-management-policy).
-
- > [!NOTE]
- > If you've chosen to receive alerts only for activities that include priority content for this policy, real-time analytics insights (preview) will not be displayed since they're not supported for these policies.
-
-## Policy timeframes
-
-Policy timeframes allow you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates. Depending on the policy template you choose, the following policy timeframes are available:
--- **Activation window**: Available for all policy templates, the *Activation window* is the defined number of days that the window activates **after** a triggering event. The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Activation window* to 30 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Activation window* and the policy is active for that user for 30 days after the triggering event occurred.-- **Past activity detection**: Available for all policy templates, the *Past activity detection* is the defined number of days that the window activates **before** a triggering event. For activities in the audit log, the window activates for 0 to 90 days before a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the *Past activity detection* to 90 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates the *Past activity detection* and the policy gathers historic activities for that user for 90 days prior to the triggering event. -
- > [!NOTE]
- > For email activities, the past activity detection period is 10 days.
-
-![Insider risk management timeframe settings.](../media/insider-risk-settings-timeframes.png)
-
-## Intelligent detections
-
-Intelligent detection settings help refine how the detections of risky activities are processed for alerts. In certain circumstances, you may need to define file types to ignore, or you want to enforce a detection level for daily events to boost risk scores for users. Use these settings to control file type exclusions, boosting risk score for potentially risky activity, and file volume limits.
-
-### Ignore email signature attachments (preview)
-
-One of the main sources of 'noise' in insider risk management policies is images in email signatures, which are often detected as attachments in emails. This can lead to false positives of users sending potentially confidential files via email. If the *Sending email with attachments to recipients outside the organization* indicator is selected, the attachment is scored like any other email attachment sent outside the organization, even if the only thing in the attachment is the email signature. You can exclude email signature attachments from being scored in this situation by turning on the **Ignore email signature attachments** setting.
-
-Turning on this setting significantly eliminates noise from email signature attachments, but won't completely eliminate all noise. This is because only the email signature attachment of *the email sender* (the person who initiates the email or replies to the email) is excluded from scoring. A signature attachment for anyone on the To, CC, or BCC line will still be scored. Also, if someone changes their email signature, the new signature has to be profiled, which can cause alert noise for a short period of time.
-
-> [!NOTE]
-> The **Ignore email signature attachments** setting is off by default.
-
-### File activity detection
-
-To exclude specific file types from all insider risk management policy matching, enter file type extensions separated by commas. For example, to exclude certain types of music files from policy matches, enter *aac,mp3,wav,wma* in the **File type exclusions** field. Files with these extensions will be ignored by all insider risk management policies.
-
-### Alert volume
-
-Potentially risky activities detected by insider risk policies are assigned a specific risk score, which in turn determines the alert severity (low, medium, high). By default, we'll generate a certain amount of low, medium, and high severity alerts, but you can increase or decrease the volume to suit your needs. To adjust the volume of alerts for all insider risk management policies, choose one of the following settings:
--- **Fewer alerts**: You'll see all high severity alerts, fewer medium severity alerts, and no low severity ones. This setting level means you might miss some true positives.-- **Default volume**: You'll see all high severity alerts and a balanced amount of medium and low severity alerts.-- **More alerts**: You'll see all medium and high severity alerts and most low severity alerts. This setting level might result in more false positives.-
-### Microsoft Defender for Endpoint alert statuses
-
-[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
-
-Depending on the types of signals you're interested in, you can choose to import alerts to insider risk management based on the Defender for Endpoint alert triage status. You can define one or more of the following alert triage statuses in the global settings to import:
--- Unknown-- New-- In progress-- Resolved-
-Alerts from Defender for Endpoint are imported daily. Depending on the triage status you choose, you may see multiple user activities for the same alert as the triage status changes in Defender for Endpoint.
-
-For example, if you select *New*, *In progress*, and *Resolved* for this setting, when a Microsoft Defender for Endpoint alert is generated and the status is *New*, an initial alert activity is imported for the user in insider risk. When the Defender for Endpoint triage status changes to *In progress*, a second activity for this alert is imported for the user in insider risk. When the final Defender for Endpoint triage status of *Resolved* is set, a third activity for this alert is imported for the user in insider risk. This functionality allows investigators to follow the progression of the Defender for Endpoint alerts and choose the level of visibility that their investigation requires.
-
-> [!IMPORTANT]
-> You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
-
-### Domains
-
-Domain settings help you define risk levels for risk management activities to specific domains. These activities include sharing files, sending email messages, downloading, or uploading content. By specifying domains in these settings, you can increase or decrease the risk scoring for risk management activity that takes place with these domains.
-
-Use Add domain to define a domain for each of the domain settings. Additionally, you can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, you use the wildcard entry '*.wingtiptoys.com' to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the **Include Multi-Level Subdomains** checkbox.
-
-For each of the following domain settings, you can enter up to 500 domains:
--- **Unallowed domains:** By specifying unallowed domains, risk management activity that takes place with these domains have *higher* risk scores. Some examples are activities involving sharing content with someone (such as sending email to someone with a gmail.com address) and when users download content to a device from one of these unallowed domains.-- **Allowed domains:** Certain risk management activity related to allowed domains will be ignored by your policies and won't generate alerts. These activities include:-
- - Email sent to external domains
- - Files, folders, sites shared with external domains
- - Files uploaded to external domains (using Microsoft Edge browser)
-
- By specifying allowed domains in settings, the risk management activity with these domains is treated similarly to how internal organization activity is treated. For example, domains added here map to activities may involve sharing content with someone outside your organization (such as sending email to someone with a gmail.com address).
--- **Third party domains:** If your organization uses third-party domains for business purposes (such as cloud storage), include them here so you can receive alerts for potentially risky activity related to the device indicator *Use a browser to download content from a third-party site*.-
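Review bot: In the **Allowed domains** item, the closing example reuses the unallowed-domain wording ("such as sending email to someone with a gmail.com address"), which reads as if a consumer mail domain were a reasonable allow-list entry, even though activity with allowed domains (email, sharing, Edge uploads) is ignored and generates no alerts. If this section is being relocated, replace that example with a partner or subsidiary domain and repair the sentence "domains added here map to activities may involve sharing content". The text should also state, next to the `*.wingtiptoys.com` wildcard and the **Include Multi-Level Subdomains** checkbox, that both widen the same suppression when used under **Allowed domains**.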
-### File path exclusions
-
-By defining file paths to exclude, user activities that map to specific indicators and that occur in these file path locations won't generate policy alerts. Some examples are copying or moving files to a system folder or network share path. You can enter up to 500 file paths for exclusion.
-
-To add file paths to exclude, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **File path exclusion** section, select **Add file paths to exclude**.
-3. On the **Add a file path** pane, enter an exact network share or device path to exclude from risk scoring. You can also use * and *([0-9]) to denote specific and wildcard folders and subfolders to be excluded. For more information, see the following examples:
- - **\\\\ms.temp\LocalFolder\ or C:\temp**: Excludes files directly under the folder and all subfolders for every file path starting with the entered prefix.
- - **\public\local\\**: Excludes files from every file path containing entered value. Matches with 'C:\Users\Public\local\\', 'C:\Users\User1\Public\local\', and '\\\\ms.temp\Public\local'.
- - **C:\Users\\\*\Desktop**: C:\Users\\\*\Desktop: Wildcards are supported. Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Desktop'.
- - **C:\Users\\\*(2)\Desktop**: Wildcards with numbers are supported. Matches with 'C:\Users\user1\user1\Desktop' and 'C:\Users\user2\Shared\Desktop'.
-
-4. Select **Add file paths** to exclude to configure the file path exclusions or **Close** to discard the changes.
-
-To delete a file path exclusion, select the file path exclusion and select **Delete**.
-
-### Default file path exclusions
-
-By default, several file paths are automatically excluded from generating policy alerts. Activities in these file paths are typically benign and could potentially increase the volume of non-actionable alerts. If needed, you can cancel the selection for these default file path exclusions to enable risk scoring for activities in these locations.
-
-The default file path exclusions are:
--- \Users\\\*\AppData-- \Users\\\*\AppData\Local-- \Users\\\*\AppData\Local\Roaming-- \Users\\\*\AppData\Local\Local\Temp-
-The wildcards in these paths denote that all folder levels between the \Users and \AppData are included in the exclusion. For example, activities in *C:\Users\Test1\AppData\Local* and *C:\Users\Test2\AppData\Local*, *C:\Users\Test3\AppData\Local* (and so on) would all be included and not scored for risk as part of the *\Users\\\*\AppData\Local* exclusion selection.
-
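Review bot: Two of the default exclusions in the removed list, `\Users\*\AppData\Local\Roaming` and `\Users\*\AppData\Local\Local\Temp`, do not match the usual Windows profile layout (`AppData\Roaming` and `AppData\Local\Temp`) and should be checked against what the product actually excludes before this text is republished. The explanation that the wildcard covers "all folder levels between the \Users and \AppData" also conflicts with the file path exclusion examples earlier in the same change, where `*` matches a single folder and `*(2)` matches two levels. The relocated text should say which behavior applies, since an over-broad reading hides more activity from risk scoring than an administrator intends.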
-### Sensitive info type exclusions (preview)
-
-[Sensitive info types](sensitive-information-type-learn-about.md) excluded in settings map to indicators and triggers involving file-related activities for Endpoint, SharePoint, Teams, OneDrive, and Exchange. These excluded types are treated as non-sensitive info types. For those files that contain any sensitive info types identified here, they'll be risk scored but not shown as activities involving content related to sensitive info types. For a complete list, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
-
-You can select the sensitive info types to be excluded from the list of all available (out-of-box and custom) types available in the tenant. You can choose up to 500 sensitive info types to be excluded.
-
-> [!NOTE]
-> The exclusion list of sensitive info types takes precedence over the [priority content](insider-risk-management-policies.md#prioritize-content-in-policies) list.
-
-To exclude sensitive info types, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Sensitive info types** section, select **Add sensitive info types to exclude**.
-3. On the **Add or edit sensitive info type** pane, select the types that you want to exclude.
-4. Select **Add** accept the changes or **Cancel** to discard the changes.
-
-To delete a sensitive info type exclusion, select the exclusion and **Delete**.
-
-### Trainable classifier exclusion (preview)
-
-[Trainable classifiers](classifier-get-started-with.md) excluded in settings map to indicators and triggers involving file-related activities for SharePoint, Teams, OneDrive, and Exchange. For those files that contain any trainable classifiers identified here, they'll be risk scored but not shown as activities involving content related to trainable classifiers. To learn more, see [Trainable classifiers definitions](classifier-tc-definitions.md#trainable-classifiers-definitions) for a complete list of all pre-trained classifiers.
-
-You can select the trainable classifiers to be excluded from the list of all available (out-of-box and custom) types available in the tenant. Insider risk management excludes some trainable classifiers by default, including Threat, Profanity, Targeted harassment, Offensive language, and Discrimination. You can choose up to 500 trainable classifiers to be excluded.
-
-> [!NOTE]
-> Optionally, you can choose trainable classifiers to be included in the [priority content](insider-risk-management-policies.md#prioritize-content-in-policies) list.
-
-To exclude trainable classifiers, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Trainable classifiers** section, select **Add trainable classifiers to exclude**.
-3. On the **Add or edit trainable classifiers** pane, select the classifiers that you want to exclude.
-4. Select **Add** accept the changes or **Cancel** to discard the changes.
-
-To delete a trainable classifiers exclusion, select the exclusion and **Delete**.
-
-### Site exclusions
-
-Configure site URL exclusions to prevent potential risky activities that occur in SharePoint (and SharePoint sites associated with Team channel sites) from generating policy alerts. You might want to consider excluding sites and channels that contain non-sensitive files and data that can be shared with stakeholders or the public. You can enter up to 500 site URL paths to exclude.
-
-To add site URL paths to exclude, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.
-3. On the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.
-4. Select **Add** to configure the site URL exclusions or **Cancel** to discard the changes.
-
-To edit site URL paths to exclude, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.
-3. On the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.
-4. Select **Edit** to configure the site URL exclusions or **Cancel** to discard the changes.
-
-To delete a Site URL exclusion, select the site URL exclusion and select **Delete**.
-
-### Keyword exclusion
-
-Configure exclusions for keywords that appear in file names, file paths, or email message subject lines. This allows flexibility for organizations that need to reduce potential alert frequency due to flagging of benign terms specified for your organization. Such activities related to files or email subjects containing the keyword will be ignored by your insider risk management policies and won't generate alerts. You can enter up to 500 keywords to exclude.
-
-Use the **Exclude only if it does not contain** field to define specific groupings of terms to ignore for exclusion, For example, if you want to exclude the keyword 'training,' but not exclude 'compliance training,' you would enter 'compliance' (or 'compliance training') in the **Exclude only if it does not contain** field and 'training' in the **But does contain** field.
-
-If you just want to exclude specific standalone terms, enter the terms in the **But does contain field** only.
-
-To add standalone keywords to exclude, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Keyword exclusion** section, enter the standalone keywords in the **But does contain** field.
-3. Select **Save** to configure the keyword exclusions.
-
-To delete a standalone keyword to exclude, complete the following steps:
-
-1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.
-2. In the **Keyword exclusion** section, select the *X* for the specific standalone keyword in the **But does contain** field. Repeat as needed to remove multiple keywords.
-3. Select **Save** to delete the keyword exclusions.
-
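Review bot: In the Keyword exclusion text, the **Exclude only if it does not contain** field is described but never given a procedure: both step lists cover only standalone keywords in the **But does contain** field, so the 'training' / 'compliance training' case has no documented add or delete path. Because matching file names, file paths and subject lines "won't generate alerts", wherever this text is kept it should include steps for the qualified form. Wording to fix at the same time: "Select **Add** accept the changes" is missing "to", "to ignore for exclusion, For example" is a comma splice, and "**But does contain field**" has "field" inside the bold.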
-## Export alerts
-
-Insider risk management alert information is exportable to security information and event management (SIEM) and security orchestration automated response (SOAR) solutions by using the [Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema). You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information. Alert information is exported and available every 60 minutes via the Office 365 Management Activity APIs.
-
-If your organization uses Microsoft Sentinel, you can also use the out-of-the-box insider risk management data connector to import insider risk alert information to Sentinel. For more information, see [Insider Risk Management (IRM) (preview)](/azure/sentinel/data-connectors-reference#microsoft-365-insider-risk-management-irm-preview) in the Microsoft Sentinel article.
-
-> [!IMPORTANT]
-> To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to .csv files from alerts or cases, anonymization *is* preserved.
-
-To use the APIs to review insider risk alert information:
-
-1. Enable Office 365 Management Activity API support in **Insider risk management** > **Settings** > **Export alerts**. By default, this setting is disabled for your Microsoft 365 organization.
-2. Filter the common Office 365 audit activities by *SecurityComplianceAlerts*.
-3. Filter *SecurityComplianceAlerts* by the *InsiderRiskManagement* category.
-
-![Insider risk management export alert settings.](../media/insider-risk-settings-export.png)
-
-Alert information contains information from the Security and Compliance Alerts schema and the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-schema#security-and-compliance-alerts-schema) common schema.
-
-The following fields and values are exported for insider risk management alerts for the Security and Compliance Alerts schema:
-
-| **Alert parameter** | **Description** |
-|:|:-|
-| AlertType | Type of the alert is *Custom*. |
-| AlertId | The GUID of the alert. Insider risk management alerts are mutable. As alert status changes, a new log with the same AlertID is generated. This AlertID can be used to correlate updates for an alert. |
-| Category | The category of the alert is *InsiderRiskManagement*. This category can be used to distinguish from these alerts from other security and compliance alerts. |
-| Comments | Default comments for the alert. Values are *New Alert* (logged when an alert is created) and *Alert Updated* (logged when there's an update to an alert). Use the AlertID to correlate updates for an alert. |
-| Data | The data for the alert, includes the unique user ID, user principal name, and date and time (UTC) when user was triggered into a policy. |
-| Name | Policy name for insider risk management policy that generated the alert. |
-| PolicyId | The GUID of the insider risk management policy that triggered the alert. |
-| Severity | The severity of the alert. Values are *High*, *Medium*, or *Low*. |
-| Source | The source of the alert. The value is *Office 365 Security & Compliance*. |
-| Status | The status of the alert. Values are *Active* (*Needs Review* in insider risk), *Investigating* (*Confirmed* in insider risk), *Resolved* (*Resolved* in insider risk), *Dismissed* (*Dismissed* in insider risk). |
-| Version | The version of the Security and Compliance Alerts schema. |
-
-The following fields and values are exported for insider risk management alerts for the [Office 365 Management Activity API common schema](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema).
--- UserId-- ID-- RecordType-- CreationTime-- Operation-- OrganizationId-- UserType-- UserKey-
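Review bot: In the Security and Compliance Alerts table the parameter is listed as AlertId, but the descriptions for AlertId and Comments refer to it as AlertID; anyone writing SIEM correlation rules from this table needs a single spelling, so make the descriptions match the parameter name. The table separator row `|:|:-|` is malformed, and the common schema fields (UserId, ID, RecordType, CreationTime, Operation, OrganizationId, UserType, UserKey) are run together on one line with the next heading directly after; restore them as a bulleted list followed by a blank line. If this section is being relocated, keep the note that anonymization of usernames isn't preserved for alerts exported through the API next to the step that enables the export, since that is the point where an admin decides to turn it on.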
-## Priority user groups
-
-Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization. Priority user groups in insider risk management help define the users in your organization that need closer inspection and more sensitive risk scoring. Coupled with the *Security policy violations by priority users* and *Data leaks by priority users* policy templates, users added to a priority user group have an increased likelihood of insider risk alerts and alerts with higher severity levels.
-
-![Insider risk management priority user group settings](../media/insider-risk-settings-priority-users.png)
-
-Instead of being open to review by all analysts and investigators, priority users groups may also need to restrict review activities to specific users or insider risk role groups. You can choose to assign individual users and role groups to review users, alerts, cases, and reports for each priority user group. Priority user groups can have review permissions assigned to the built-in *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups, one or more of these role groups, or to a custom selection of users.
-
-For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create *Confidential Project* *Users* priority user group for users in your organization that work on this project. Also, this priority user group shouldn't have users, alerts, cases, and reports associated with group visible to all the default insider risk management admins, analysts, and investigators. In **Settings**, you create the *Confidential Project Users* priority users group and assign two users as reviewer that can view data related to the groups. Use the policy wizard and the *Data leaks by priority users* policy template to create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users are more likely to generate an alert and have alerts with higher severity levels.
-
-### Create a priority user group
-
-To create a new priority user group, use the setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.)
-
-Complete the following steps to create a priority user group:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** page.
-3. On the **Priority user groups** page, select **Create priority user group** to start the group creation wizard.
-4. On the **Name and describe** page, complete the following fields:
- - **Name (required)**: Enter a friendly name for the priority user group. You can't change the name of the priority user group after you complete the wizard.
- - **Description (optional)**: Enter a description for the priority user group.
-5. Select **Next** to continue.
-6. On the **Choose members** page, select **Choose members** to search and select which mail-enabled user accounts are included in the group or select the **Select all** checkbox to add all users in your organization to the group. Select **Add** to continue or **Cancel** to close without adding any users to the group.
-7. Select **Next** to continue.
-8. On the **Choose who can view this group** page, you must define who can review users, alerts, cases, and reports for the priority user group. At least one user or insider risk management role group must be assigned. Select **Choose users and role groups** and select the users or insider risk management role groups you want to assign to the priority user group. Select **Add** to assign the selected users or role groups to the group.
-9. Select Next to continue.
-10. On the **Review** page, review the settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to create and activate the priority user group.
-11. On the confirmation page, select **Done** to exit the wizard.
-
-### Update a priority user group
-
-To update an existing priority user group, use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.)
-
-Complete the following steps to edit a priority user group:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** page.
-3. Select the priority user group you want to edit and select **Edit group**.
-4. On the **Name and describe** page, update the Description field if needed. You can't update the name of the priority user group. Select **Next** to continue.
-5. On the **Choose members** page, add new members to the group using the **Choose members** control. To remove a user from the group, select the 'X' next to the user you wish to remove. Select **Next** to continue.
-6. On the **Choose who can view this group** page, add or remove users or role groups that can review users, alerts, cases, and reports for the priority user group.
-7. Select **Next** to continue.
-8. On the **Review** page, review the update settings you've chosen for the priority user group. Select the **Edit** links to change any of the group values or select **Submit** to update the priority user group.
-9. On the confirmation page, select **Done** to exit the wizard.
-
-### Delete a priority user group
-
-To delete an existing priority user group, use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. (You must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group).
-
-> [!IMPORTANT]
-> Deleting a priority user group will remove it from any active policy to which it is assigned. If you delete a priority user group that is assigned to an active policy, the policy will not contain any in-scope users and will effectively be idle and will not create alerts.
-
-Complete the following steps to delete a priority user group:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings**.
-2. Select the **Priority user groups** page.
-3. Select the priority user group you want to edit and select **Delete** from the dashboard menu.
-4. On the **Delete** dialog, select **Yes** to delete the priority user group or select **Cancel** to return to the dashboard.
-
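Review bot: The role group required to manage priority user groups is named inconsistently across these sections: Create and Update say *Insider Risk Management Admins*, while Delete says *Insider Risk Management Admin*. Use one name throughout so admins assign the right role group. In the Delete steps, step 3 reads "Select the priority user group you want to edit and select **Delete**", which should say "delete"; in the Create steps, step 9 "Select Next to continue." is missing the bold on **Next** that every other step uses; and the example paragraph splits the group name as *Confidential Project* *Users* and says "assign two users as reviewer".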
-## Priority physical assets (preview)
-
-Identifying access to priority physical assets and correlating access activity to user events is an important component of your compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access these unauthorized sensitive or secure areas, and requests for access to high-level areas without legitimate needs.
-
-With priority physical assets enabled and the [Physical badging data connector](import-physical-badging-data.md) configured, insider risk management integrates signals from your physical control and access systems with other user risk activities. By examining patterns of behavior across physical access systems and correlating these activities with other insider risk events, insider risk management can help compliance investigators and analysts make more informed response decisions for alerts. Access to priority physical assets is scored and identified in insights differently from access to non-priority assets.
-
-For example, your organization has a badging system for users that governs and approves physical access to normal working and sensitive project areas. You have several users working on a sensitive project and these users will return to other areas of your organization when the project is completed. As the sensitive project nears completion, you want to make sure that the project work remains confidential and that access to the project areas is tightly controlled.
-
-You choose to enable the Physical badging data connector in Microsoft 365 to import access information from your physical badging system and specify priority physical assets in insider risk management. By importing information from your badging system and correlating physical access information with other risk activities identified in insider risk management, you notice that one of the users on the project is accessing the project offices after normal working hours and is also exporting large amounts of data to a personal cloud storage service from their normal work area. This physical access activity associated with the online activity may point to possible data theft and compliance investigators and analysts can take appropriate actions as dictated by the circumstances for this user.
-
-![Insider risk management priority physical assets.](../media/insider-risk-settings-priority-assets.png)
-
-### Configure priority physical assets
-
-To configure priority physical assets, you'll configure the Physical badging connector and use setting controls in the **Insider risk management** solution in the Microsoft Purview compliance portal. To configure priority physical assets, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.
-
-Complete the following steps to configure priority physical assets:
-
-1. Follow the configuration steps for insider risk management in the [Getting started with insider risk management](insider-risk-management-configure.md) article. In Step 3, make sure you configure the Physical badging connector.
-
- > [!IMPORTANT]
- > For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for physical access activities for users in your organization.
-
-2. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Priority physical assets**.
-3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to detect asset events imported by the Physical badging connector or import a .csv file of all physical assets IDs imported by the Physical badging connector:
- a) To manually add physical assets IDs, choose **Add priority physical assets**, enter a physical asset ID, then select **Add**. Enter other physical asset IDs and then select **Add priority physical assets** to save all the assets entered.
- b) To add a list of physical asset IDs from a .csv file, choose **Import priority physical assets**. From the file explorer dialog, select the .csv file you wish to import, then select **Open**. The physical asset IDs from the .csv files are added to the list.
-4. Navigate to the **Policy indicators** page in **Settings**.
-5. On the **Policy indicators** page, navigate to the **Physical access indicators** section and select the checkbox for **Physical access after termination or failed access to sensitive asset**.
-6. Select **Save** to configure and exit.
-
-### Delete a priority physical asset
-
-To delete an existing priority physical asset, you'll use setting controls in the Insider risk management solution in the Microsoft Purview compliance portal. You must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group.
-
-> [!IMPORTANT]
-> Deleting a priority physical asset removes it from examination by any active policy to which it was previously included. Alerts generated by activities associated with the priority physical asset aren't deleted.
-
-Complete the following steps to delete a priority physical asset:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Priority physical assets**.
-2. On the **Priority physical assets** page, select the asset you want to delete.
-3. Select **Delete** on the action menu to delete the asset.
-
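Review bot: Step 5 of "Configure priority physical assets" enables the indicator **Physical access after termination or failed access to sensitive asset**, but the Microsoft 365 HR connector that supplies the departing and terminated user data is only mentioned in a note nested under step 1. Make the HR connector an explicit step or prerequisite, and reword the note's last sentence ("will only process events for physical access activities for users in your organization") to say plainly what is not detected without it. The role group is again named both *Insider Risk Management Admin* (Configure) and *Insider Risk Management Admins* (Delete), and "attempting to access these unauthorized sensitive or secure areas" in the introduction needs rewording.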
-## Power Automate flows (preview)
-
-[Microsoft Power Automate](/power-automate/getting-started) is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for insider risk management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.
-
-Customers with Microsoft 365 subscriptions that include insider risk management don't need additional Power Automate licenses to use the recommended insider risk management Power Automate templates. These templates can be customized to support your organization and cover core insider risk management scenarios. If you choose to use premium Power Automate features in these templates, create a custom template using the Microsoft Purview connector, or use Power Automate templates for other compliance areas in Microsoft 365, you may need more Power Automate licenses.
-
-The following Power Automate templates are provided to customers to support process automation for insider risk management users and cases:
--- **Notify users when they're added to an insider risk policy**: This template is for organizations that have internal policies, privacy, or regulatory requirements that users must be notified when they're subject to insider risk management policies. When this flow is configured and selected for a user in the **Users** page, users and their managers are sent an email message when the user is added to an insider risk management policy. This template also supports updating a SharePoint list hosted on a SharePoint site to help track notification message details like date/time and the message recipient. If you've chosen to anonymize users in **Privacy settings**, flows created from this template won't function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Users dashboard**.-- **Request information from HR or business about a user in an insider risk case**: When acting on a case, insider risk analysts and investigators may need to consult with HR or other stakeholders to understand the context of the case activities. When this flow is configured and selected for a case, analysts and investigators send an email message to HR and business stakeholders configured for this flow. Each recipient is sent a message with pre-configured or customizable response options. When recipients select a response option, the response is recorded as a case note and includes recipient and date/time information. If you've chosen to anonymize users in **Privacy settings**, flows created from this template won't function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Cases dashboard**.-- **Notify manager when a user has an insider risk alert**: Some organizations may need to have immediate management notification when a user has an insider risk management alert. 
When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all case alerts:
- - Applicable policy for the alert
- - Date/Time of the alert
- - Severity level of the alert
-
- The flow automatically updates the case notes that the message was sent and that the flow was activated. If you've chosen to anonymize users in **Privacy settings**, flows created from this template won't function as intended so that user privacy is maintained. Power Automate flows using this template are available on the **Cases dashboard**.
-- **Create record for insider risk case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track insider risk management cases. When in a case, insider risk analysts and investigators can create a record for the case in ServiceNow. You can customize this template to populate selected fields in ServiceNow based on your organization's requirements. Power Automate flows using this template are available on the **Cases dashboard**. For more information on available ServiceNow fields, see the [ServiceNow Connector reference](/connectors/service-now/) article.-
-### Create a Power Automate flow from insider risk management template
-
-To create a Power Automate flow from a recommended insider risk management template, you'll use the settings controls in the **Insider risk management** solution in the Microsoft Purview compliance portal or the **Manage Power Automate flows** option from the **Automate** control when working directly in the **Cases** or **Users dashboards**.
-
-To create a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To create a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
-
-Complete the following steps to create a Power Automate flow from a recommended insider risk management template:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
-2. On the **Power Automate flows** page, select a recommended template from the **Insider risk management templates you may like** section on the page.
-3. The flow lists the embedded connections needed for the flow and will note if the connection statuses are available. If needed, update any connections that aren't displayed as available. Select **Continue**.
-4. By default, the recommended flows are pre-configured with the recommended insider risk management and Microsoft 365 service data fields required to complete the assigned task for the flow. If needed, customize the flow components by using the **Show advanced options** control and configuring the available properties for the flow component.
-5. If needed, add any other steps to the flow by selecting the **New step** button. In most cases, this shouldn't be needed for the recommended default templates.
-6. Select **Save draft** to save the flow for further configuration or select **Save** to complete the configuration for the flow.
-7. Select **Close** to return to the **Power Automate flow** page. The new template is listed as a flow on the **My flows** tabs and is automatically available from the **Automate** dropdown control when working with insider risk management cases for the user creating the flow.
-
-> [!IMPORTANT]
-> If other users in your organization need access to the flow, the flow must be shared.
-
-### Create a custom Power Automate flow for insider risk management
-
-Some processes and workflows for your organization may be outside of the recommended insider risk management flow templates and you may have the need to create custom Power Automate flows for insider risk management areas. Power Automate flows are flexible and support extensive customization, but there are steps that need to be taken to integrate with insider risk management features.
-
-Complete the following steps to create a custom Power Automate template for insider risk management:
-
-1. **Check your Power Automate flow license**: To create customized Power Automate flows that use insider risk management triggers, you'll need a Power Automate license. The recommended insider risk management flow templates don't require extra licensing and are included as part of your insider risk management license.
-2. **Create an automated flow**: Create a flow that performs one or more tasks after it's triggered by an insider risk management event. For details on how to create an automated flow, see [Create a flow in Power Automate](/power-automate/get-started-logic-flow).
-3. **Select the Microsoft Purview connector**: Search for and select the Microsoft Purview connector. This connector enables insider risk management triggers and actions. For more information on connectors, see the [Connector reference overview](/connectors/connector-reference/) article.
-4. **Choose insider risk management triggers for your flow**: Insider risk management has two triggers available for custom Power Automate flows:
- - **For a selected insider risk management case**: Flows with this trigger can be selected from the insider risk management Cases dashboard page.
- - **For a selected insider risk management user**: Flows with this trigger can be selected from the insider risk management Users dashboard page.
-5. Choose insider risk management actions for your flow: You can choose from several actions for insider risk management to include in your custom flow:
- - Get insider risk management alert
- - Get insider risk management case
- - Get insider risk management user
- - Get insider risk management alerts for a case
- - Add insider risk management case note
-
-### Share a Power Automate flow
-
-By default, Power Automate flows created by a user are only available to that user. For other insider risk management users to have access and use a flow, the flow must be shared by the flow creator. To share a flow, you'll use the settings controls in the **Insider risk management solution** in the Microsoft Purview compliance portal or the **Manage Power Automate flows** option from the Automate control when working directly in the **Cases** or **Users dashboard** pages. Once you've shared a flow, everyone who it has been shared with can access the flow in the **Automate** control dropdown in the **Case** and **User dashboards**.
-
-To share a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To share a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
-
-Complete the following steps to share a Power Automate flow:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
-2. On the **Power Automate flows** page, select the **My flows** or **Team flows** tab.
-3. Select the flow to share, then select **Share** from the flow options menu.
-4. On the flow sharing page, enter the name of the user or group you want to add as an owner for the flow.
-5. On the **Connection Used** dialog, select **OK** to acknowledge that the added user or group will have full access to the flow.
-
-### Edit a Power Automate flow
-
-To edit a flow, you'll use the settings controls in the **Insider risk management** solution in the Microsoft Purview compliance portal or the **Manage Power Automate flows** option from the **Automate** control when working directly in the **Cases** or **Users dashboards**.
-
-To edit a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To edit a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
-
-Complete the following steps to edit a Power Automate flow:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
-2. On the **Power Automate flows** page, select a flow to edit and select **Edit** from the flow control menu.
-3. Select the **ellipsis** > **Settings** to change a flow component setting or **ellipsis** > **Delete** to delete a flow component.
-4. Select **Save** and then **Close** to complete editing the flow.
-
-### Delete a Power Automate flow
-
-To delete a flow, you'll use the settings controls in the **Insider risk management** solution in the Microsoft Purview compliance portal or the **Manage Power Automate flows** option from the **Automate** control when working directly in the **Cases** or **Users dashboards**. When a flow is deleted, it's removed as an option for all users.
-
-To delete a Power Automate flow in the settings area, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admins* role group. To delete a Power Automate flow with the **Manage Power Automate flows** option, you must be a member of at least one insider risk management role group.
-
-Complete the following steps to delete a Power Automate flow:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
-2. On the **Power Automate flows** page, select a flow to delete and select **Delete** from the flow control menu.
-3. On the deletion confirmation dialog, select **Delete** to remove the flow or select **Cancel** to exit the deletion action.
-
-## Microsoft Teams (preview)
-
-Compliance analysts and investigators can easily use Microsoft Teams for collaboration on insider risk management cases. They can coordinate and communicate with other stakeholders in Microsoft Teams to:
--- Coordinate and review response activities for cases in private Teams channels-- Securely share and store files and evidence related to individual cases-- Track and review response activities by analysts and investigators-
-After Microsoft Teams is enabled for insider risk management, a dedicated Microsoft Teams team is created every time an alert is confirmed and a case is created. By default, the team automatically includes all members of the *Insider Risk Management*, *Insider Risk Management Analysts*, and *Insider Risk Management Investigators* role groups (up to 100 initial users). Additional organization contributors may be added to the team after it's created and as appropriate. For existing cases created before enabling Microsoft Teams, analysts and investigators can choose to create a new Microsoft Teams team when working in a case if needed. Once you resolve the associated case in insider risk management, the team is automatically archived (moved to hidden and read-only).
-
-For more information on how to use teams and channels in Microsoft Teams, see [Overview of teams and channels in Microsoft Teams](/MicrosoftTeams/teams-channels-overview).
-
-Enabling Microsoft Teams support for cases is quick and easy to configure. To enable Microsoft Teams for insider risk management, complete the following steps:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** > **Insider risk settings**.
-2. Select the **Microsoft Teams** page.
-3. Enable Microsoft Teams integration for insider risk management.
-4. Select **Save** to configure and exit.
-
-![Insider risk management Microsoft Teams.](../media/insider-risk-settings-teams.png)
-
-### Create a Microsoft Teams team for existing cases
-
-If you enable Microsoft Teams support for insider risk management after you have existing cases, you'll need to manually create a team for each case as needed. After enabling Microsoft Teams support in insider risk management settings, new cases will automatically create a new Microsoft Teams team.
-
-Users need permission to create Microsoft 365 groups in your organization to create a Microsoft Teams team from a case. For more information about managing permissions for Microsoft 365 Groups, see [Manage who can create Microsoft 365 Groups](../solutions/manage-creation-of-groups.md).
-
-To create a team for a case, you'll use the Create Microsoft Team control when working directly in an existing case. Complete the following steps to create a new team:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** > **Cases** and select an existing case.
-2. On the case action menu, select **Create Microsoft Team**.
-3. In the **Team name** field, enter a name for the new Microsoft Teams team.
-4. Select **Create Microsoft team** and then select **Close**.
-
-Depending on the number of users assigned to insider risk management role groups, it may take 15 minutes for all investigators and analysts to be added to the Microsoft Teams team for a case.
-
-## Analytics
-
-Enabling insider risk analytics offers two important benefits. When analytics is enabled, you can:
--- Conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies.-- Receive real-time guidance on configuring indicator threshold settings.-
-### Conduct an evaluation of insider risks in your organization
-
-Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you might want to configure. Analytics scans offer the following advantages for your organization:
--- Easy to configure: To get started with analytics scans, you can select Run scan when prompted by the analytics recommendation or go to **Insider risk settings** > **Analytics** and enable analytics.-- Privacy by design: Scanned results and insights are returned as aggregated and anonymized user activity; individual usernames aren't identifiable by reviewers. Since insider risk management doesn't classify any identity in the organization for analytics, the solution accounts for all the UPNs/identities that might be involved in data leaving the organization boundary. This might involve user accounts, system accounts, guest accounts, and so on.-- Understand potential risks through consolidated insights: Scan results can help you quickly identify potential risk areas for your users and which policy would be best to help mitigate these risks.-
-Check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.
-
-Analytics scans for risk management activity from several sources to help identify insights into potential areas of risk. Depending on your current configuration, analytics looks for qualifying risk activities in the following areas:
--- **Microsoft 365 audit logs**: Included in all scans, this is the primary source for identifying most of the potentially risky activities.-- **Exchange Online**: Included in all scans, Exchange Online activity helps identify activities where data in attachments are emailed to external contacts or services.-- **Azure Active Directory**: Included in all scans, Azure AD history helps identify risky activities associated with users with deleted user accounts.-- **Microsoft 365 HR data connector**: If configured, HR connector events help identify risky activities associated with users that have resignation or upcoming termination dates.-
-Analytics insights from scans are based on the same risk management activity signals used by insider risk management policies and report results based on both single and sequence user activities. However, the risk scoring for analytics is based on up to 10 days of activity while insider risk policies use daily activity for insights. When you first enable and run analytics in your organization, you'll see the scan results for one day. If you leave analytics enabled, you'll see the results of each daily scan added to the insight reports for a maximum range of the previous 10 days of activity.
-
-### Receive real-time guidance on configuring indicator threshold settings
-
-Manually tuning policies to reduce "noise" can be a very time-consuming experience that requires you to do a lot of trial and error to determine the desired configuration for your policies. If analytics is turned on, and you decide to customize your indicator threshold settings, you can get real-time insights from analytics if you want to take advantage of a guided (data-driven) threshold configuration experience that will help you configure the appropriate thresholds when you create a new policy or tune an existing one. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you donΓÇÖt receive too few or too many policy alerts. Real-time analytics (preview) is based on the last 10 days of activity data in your tenant and global exclusions are taken into account. For more information on real-time analytics for threshold settings, [see Indicator level settings](insider-risk-management-settings.md#indicator-level-settings).
-
-### Enable analytics and start a scan of potential insider risks in your organization
-
-To enable insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or *Microsoft 365 Global admin* role group.
-Complete the following steps to enable insider risk analytics:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**.
-2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics** and enabling **Scan your tenant's user activity to identify potential insider risks**.
-3. On the **Analytics details** pane, select **Run scan** to start the scan for your organization. Analytics scan results may take up to 48 hours before insights are available as reports for review.
-
-![Insider risk management analytics settings](../media/insider-risk-settings-analytics-enable.png)
-
-### Viewing analytics insights after the first analytics scan
-
-After the first analytics scan is complete for your organization, members of the *Insider Risk Management Admins* role group will automatically receive an email notification and can view the initial insights and recommendations for potentially risky activities by your users. Daily scans continue unless you turn off analytics for your organization. Email notifications to admins are provided for each of the three in-scope categories for analytics (data leaks, theft, and exfiltration) after the first instance of potentially risky activity in your organization. Email notifications aren't sent to admins for follow-up risk management activity detection resulting from the daily scans. If analytics in **Insider risk management** > **Settings** > **Analytics** are disabled and then re-enabled in your organization, automatic email notifications are reset and emails are sent to members of the *Insider Risk Management Admins* role group for new scanning insights.
-
-To view potential risks for your organization, go to the **Overview** tab and select **View results** on the **Insider risk analytics** card. If the scan for your organization isn't complete, you'll see a message that the scan is still active.
-
-![Insider risk management analytics report ready card](../media/insider-risk-analytics-ready-card.png)
-
-For completed analyses, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users (all types of Azure AD accounts, including user, guest, system, and so on) with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:
--- **Data leaks insights**: For all users that may include accidental oversharing of information outside your organization or data leaks by users with malicious intent.-- **Data theft insights**: For departing users or users with deleted Azure AD accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.-- **Top exfiltration insights**: For all users that may include sharing data outside of your organization.-
-![Insider risk management analytics overview report.](../media/insider-risk-analytics-overview.png)
-
-To display more information for an insight, select **View details** to display the details pane for the insight. The details pane includes the complete insight results, an insider risk policy recommendation, and the **Create policy** button to quickly help you create the recommended policy. Selecting Create policy takes you to the policy wizard and automatically selects the recommended policy template related to the insight. For example, if the analytics insight is for *Data leak* activity, the *Data leaks* policy template will be pre-selected in the policy wizard for you.
-
-![Insider risk management analytics details report.](../media/insider-risk-analytics-details.png)
-
-### Turn off analytics
-
-To turn off insider risk analytics, you must be a member of the *Insider Risk Management*, *Insider Risk Management Admins*, or Microsoft 365 *Global admin* role group. After you disable analytics:
--- Analytics insight reports will remain static and will not be updated for new risks. -- You won't be able to [see real-time analytics when you customize indicator threshold settings for your policies](#indicator-level-settings).-
-Complete the following steps to turn off insider risk analytics:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**.
-2. Select **Insider risk settings** > **Analytics**.
-3. On the **Analytics** page, turn off **Scan your tenant's user activity to identify potential insider risks**.
-
-## Admin notifications
-
-Admin notifications automatically send an email notification to selectable insider risk management role groups. You can enable notifications and assign which role groups will receive the notifications for the following scenarios:
--- Send a notification email when the first alert is generated for a new policy. Policies are checked every 24 hours for first-time alerts and notifications aren't sent on subsequent alerts for the policy.-- Send a daily email when new high severity alerts are generated. Policies are checked every 24 hours for high severity alerts.-- Send a weekly email summarizing policies that have unresolved warnings-
-If you've enabled insider risk management analytics for your organization, members of the *Insider Risk Management Admins* role group automatically receive an email notification for initial analytics insights for data leaks, theft, and exfiltration activities.
-
-If you prefer to disable admin and analytics notifications, complete the following steps:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** > **Insider risk settings**.
-2. Select the **Admin notifications** page.
-3. Clear the check box for the following options as applicable:
- - **Send a notification email when the first alert is generated for a new policy**
- - **Send an email notification when a new insight is available in Analytics**
- - **Send an email notification when Analytics is turned off**
-
-4. Select **Save** to configure and exit.
-
-![Insider risk management priority admin notifications.](../media/insider-risk-settings-admin-notifications.png)
-
-## Inline alert customization
-
-Inline alert customization allows you to quickly tune an insider risk management policy directly from the **Alert dashboard** while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.
-
-You can enable inline alert customization to allow users assigned to the *Insider Risk Management Analysts* and *Insider Risk Management Investigators* role groups to edit policy thresholds and to disable specific indicators. If inline alert customization isn't enabled, only users assigned to the *Insider Risk Management Admins* or *Insider Risk Management* role groups can edit these policy conditions. Inline alert customization is supported for alerts regardless of the current alert status, allowing analysts and investigators to update policies for *Dismissed* and *Resolved* alerts if needed.
-
-Complete the following steps to enable inline alert customization:
-
-1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** > **Insider risk settings**.
-2. Select the **Inline alert customization** page.
-3. Enable inline alert customization for insider risk management.
-4. Select **Save** to configure and exit.
+Before getting started with insider risk management policies, it's important to understand and choose the insider risk management settings that best meet the compliance needs for your organization. Insider risk management settings apply to all insider risk management policies, regardless of the template you choose when creating a policy.
> [!NOTE]
-> Enabling inline alert customization will take approximately one hour before being available in new and existing policy alerts.
+> Use the **Settings** button at the top of any insider risk management page to make settings changes.
+
+The following table describes each insider risk management setting and provides a link to learn more about the setting.
+
+|Setting|Description|
+|-||
+|[Privacy](insider-risk-management-settings-privacy.md)|Choose whether to display usernames or anonymized versions of usernames for all current and past policy matches for alerts and cases.|
+|[Policy indicators](insider-risk-management-settings-policy-indicators.md)|Each insider risk management policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default; **you must select one or more indicators to configure an insider risk management policy**. Indicator level settings help you control how the number of occurrences of risk events in your organization affect the risk score.|
+|[Policy timeframes](insider-risk-management-settings-policy-timeframes.md)|The **Policy timeframes** setting allows you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates.|
+|[Intelligent detections](insider-risk-management-settings-intelligent-detections.md)|Use the **Intelligent detections** setting to globally exclude certain file types, domains, file paths, sensitive info types, trainable classifiers, sites, or keywords from being scored for risk. You can also use the **Intelligent detections** setting to control alert volume and to import and filter Microsoft Defender for Endpoint alerts. |
+|[Export alerts](insider-risk-management-settings-alerts.md)|Insider risk management alert information is exportable to security information and event management (SIEM) and security orchestration automated response (SOAR) solutions by using the Office 365 Management Activity API schema. You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information. |
+|[Priority user groups](insider-risk-management-settings-priority-user-groups.md)|Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization. Use the **Priority user groups** setting to define the users in your organization that need closer inspection and more sensitive risk scoring. |
+|[Priority physical assets (preview)](insider-risk-management-settings-priority-physical-assets.md)|Identifying access to priority physical assets and correlating access activity to user events is an important component of your compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access these unauthorized sensitive or secure areas, and requests for access to high-level areas without legitimate needs.|
+|[Power Automate flows (preview)](insider-risk-management-settings-power-automate.md)|Microsoft Power Automate is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for insider risk management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.|
+|[Microsoft Teams (preview)](insider-risk-management-settings-teams.md)|You can enable Microsoft Teams support so that compliance analysts and investigators can use Teams to collaborate on insider risk management cases. Use Teams to:<br> - Coordinate and review response activities for cases in private Teams channels<br>- Securely share and store files and evidence related to individual cases<br>- Track and review response activities by analysts and investigators|
+|[Analytics](insider-risk-management-settings-analytics.md)|Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. |
+|[Admin notifications](insider-risk-management-settings-admin-notifications.md)|Use the **Admin notifications** setting to automatically send an email notification to selectable insider risk management role groups. You can:<br>- Send a notification email when the first alert is generated for a new policy<br>- Send a daily email when new high-severity alerts are generated<br>- Send a weekly email summarizing policies that have unresolved warnings|
+|[Inline alert customization](insider-risk-management-settings-inline-alert-customization.md)|Inline alert customization allows you to quickly tune an insider risk management policy directly from the **Alerts dashboard** while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.|
-When enabled, analysts and investigators can select **Reduce alerts for this activity** for an alert on the **Alert dashboard** and can view details about the risk management activity and indicators associated with the alert. Additionally, the current policy thresholds are displayed for the number of events used to create low, medium, and high severity alerts. If **Reduce alerts for this activity** is selected and a previous policy edit has been made that changes the threshold or has removed the associated indicator, you'll see a notification message detailing previous changes to the policy.
-
-Analysts and investigators can choose from the following options on the **Reduce alerts for this activity** pane to quickly edit the policy that created the alert:
-- **Reduce alerts using Microsoft's recommended thresholds**: We'll automatically increase the thresholds in the policy for you. You'll be able to review the new recommended threshold settings before changing the policy.-- **Reduce alerts by choosing your own thresholds**: You can manually increase the thresholds for this type of activity for the current and future alerts. You'll be able to review the current threshold settings and configure the new threshold settings before changing the policy.-- **Stop getting alerts for this activity**: This removes this indicator from the policy and this risk management activity will no longer be detected by the policy. This applies to all indicators, regardless of if the indicator is threshold-based.
-After choosing an option, analysts and investigators can choose two options to update the policy:
-- **Save and dismiss alert**: Saves the changes to the policy and updates the alert status to *Resolved*.-- **Save only**: Saves the changes to the policy, but the alert status remains the same.
-![Insider risk management priority inline alerts.](../media/insider-risk-settings-inline-alerts.png)
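Review bot: The new **Inline alert customization** row in the settings table omits the access-control effect that the removed section spelled out: enabling the setting lets members of *Insider Risk Management Analysts* and *Insider Risk Management Investigators* edit policy thresholds and disable specific indicators, which otherwise only *Insider Risk Management Admins* or *Insider Risk Management* members can do. Suggest adding one sentence to that row saying the setting widens who can change policy conditions, so an admin reading only this overview sees it as a permission change and not just a tuning shortcut. Separately, the table separator row reads `|-||`; a two-column table needs `|---|---|`, otherwise the table may not render.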
compliance Insider Risk Management Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-users.md
The **Users dashboard** is an important tool in the insider risk management workflow and helps investigators and analysts have a more complete understanding of risk activities. This dashboard offers views and management features to meet administrative needs between the creating insider risk management policies and managing insider risk management cases.
-After users are added to insider risk management policies, background processes are automatically evaluating user activities for [triggering indicators](insider-risk-management-settings.md#policy-indicators). After triggering indicators are present, user activities are assigned risk scores. Some of these activities may result in an insider risk alert, but some activities may not meet a minimum risk score level and an insider risk alert won't be created. The **Users dashboard** allows you to view users with these types of indicators and risk scores, as well users that have active insider risk alerts.
+After users are added to insider risk management policies, background processes are automatically evaluating user activities for [triggering indicators](insider-risk-management-settings-policy-indicators.md). After triggering indicators are present, user activities are assigned risk scores. Some of these activities may result in an insider risk alert, but some activities may not meet a minimum risk score level and an insider risk alert won't be created. The **Users dashboard** allows you to view users with these types of indicators and risk scores, as well users that have active insider risk alerts.
Learn more about how the Users dashboard displays users in the following scenarios:
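Review bot: The added paragraph carries over the typo "as well users that have active insider risk alerts". Since the line is already being edited for the link target, change it to "as well as users that have active insider risk alerts".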
To run, manage, and create Power Automate flows for insider risk management user
2. Choose the Power Automate flow to run, then select **Run flow**. 3. After the flow has completed, select **Done**.
-To learn more about Power Automate flows for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings.md#power-automate-flows-preview).
+To learn more about Power Automate flows for insider risk management, see [Getting started with insider risk management settings](insider-risk-management-settings-power-automate.md).
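Review bot: In the added line the link text still reads "Getting started with insider risk management settings" while the target is now `insider-risk-management-settings-power-automate.md`. Suggest changing the link text to name the Power Automate flows article, so readers are not told they are going to the settings overview.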
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
Insider risk management is centered around the following principles:
Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing insider risk policies.
-To learn more about insider risk analytics, see [Insider risk management settings: Analytics](insider-risk-management-settings.md#analytics).
+To learn more about insider risk analytics, see [Insider risk management settings: Analytics](insider-risk-management-settings-analytics.md).
## Get started with recommended actions (preview)
After cases are investigated, reviewers can quickly act to resolve the case or c
In more serious situations, you may need to share the insider risk management case information with other reviewers or services in your organization. Insider risk management is tightly integrated with other Microsoft Purview solutions to help you with end-to-end risk resolution. - **eDiscovery (Premium)**: Escalating a case for investigation allows you to transfer data and management of the case to Microsoft Purview eDiscovery (Premium). eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It allows legal teams to manage the entire legal hold notification workflow. To learn more about eDiscovery (Premium) cases, see [Overview of Microsoft Purview eDiscovery (Premium)](ediscovery-overview.md).-- **Office 365 Management APIs integration (preview)**: Insider risk management supports exporting alert information to security information and event management (SIEM) services via the Office 365 Management APIs. Having access to alert information in the platform the best fits your organization's risk processes gives you more flexibility in how to act on risk activities. To learn more about exporting alert information with Office 365 Management APIs, see [Export alerts](insider-risk-management-settings.md#export-alerts).
+- **Office 365 Management APIs integration (preview)**: Insider risk management supports exporting alert information to security information and event management (SIEM) services via the Office 365 Management APIs. Having access to alert information in the platform the best fits your organization's risk processes gives you more flexibility in how to act on risk activities. To learn more about exporting alert information with Office 365 Management APIs, see [Export alerts](insider-risk-management-settings-alerts.md).
## Scenarios
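Review bot: The added **Office 365 Management APIs integration (preview)** bullet keeps the phrase "in the platform the best fits your organization's risk processes". Change "the best fits" to "that best fits" while the line is being edited for the link. The new target `insider-risk-management-settings-alerts.md` matches the **Export alerts** row in the new settings table, so the retargeting itself looks right.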
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Insider risk management -- **In preview**: [Fine-tune policy indicator thresholds with real-time analytics](insider-risk-management-settings.md#indicator-level-settings) to reduce alert noise.-- **In preview**: New [Ignore email signature attachments setting](insider-risk-management-settings.md#intelligent-detections) reduces alert noise.
+- **In preview**: [Fine-tune policy indicator thresholds with real-time analytics](insider-risk-management-settings-policy-indicators.md) to reduce alert noise.
+- **In preview**: New [Ignore email signature attachments setting](insider-risk-management-settings-intelligent-detections.md) reduces alert noise.
- Updates for [forensic evidence billing](insider-risk-management-forensic-evidence-manage.md#capacity-and-billing). - Updates for forensic evidence policy enforcement SLA: [Get started with insider risk management forensic evidence](insider-risk-management-forensic-evidence-configure.md#next-steps).
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- [Purchase/analyze capacity for captured clips and/or sign up for 20 GB of trial capacity](insider-risk-management-forensic-evidence-manage.md#capacity-and-billing). - **New article**: Added article that [summarizes the privacy principles for insider risk management](insider-risk-solution-privacy.md). - Clarification about [adding "webhook.ingestion.office.com" to the allowlist when setting up a connector to import HR data](import-hr-data.md#before-you-begin).-- Clarification about the [past activity detection period for email activities (contrasted to audit activities)](insider-risk-management-settings.md#policy-timeframes).
+- Clarification about the [past activity detection period for email activities (contrasted to audit activities)](insider-risk-management-settings-policy-timeframes.md).
- Clarification on the [retention time for user activities reports](insider-risk-management-activities.md#retention-and-item-limits). ### Microsoft Priva
security Mdb Create Edit Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md
ms.localizationpriority: medium Previously updated : 07/19/2022 Last updated : 05/17/2023 f1.keywords: NOCSH - SMB
Currently, in Defender for Business, you can create a new device group while you
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. In the navigation pane, choose **Device configuration**.
+2. In the navigation pane, choose **Configuration management** and select **Device configuration**.
3. Take one of the following actions:
Choose one or more of the following tasks:
- [Create a new policy](mdb-create-new-policy.md) - [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md) - [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)-- [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
+- [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
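Review bot: the removed and added "Review remediation actions in the Action center" lines at the end of this hunk are textually identical, so the change is whitespace or end-of-file only. If that was not intended (for example an editor adding or stripping the final newline), drop it from the commit so the history for this file shows only the step 2 navigation change.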
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
keywords: Controlled folder access, windows 10, windows 11, windows defender, ra
description: Learn how to protect your important files by enabling Controlled folder access
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium audience: ITPro
- m365-security - tier3 search.appverid: met150 Previously updated : 12/18/2020 Last updated : 05/17/2023 # Enable controlled folder access
For more information about disabling local list merging, see [Prevent or allow u
4. Name the policy and add a description. Select **Next**.
-5. Scroll down to the bottom, select the **Enable Folder Protection** drop-down, and choose **Enable**.
+5. Scroll down to the bottom, select the **Enable Controlled Folder Access** drop-down, and choose **Enable**.
-6. Select **List of additional folders that need to be protected** and add the folders that need to be protected.
+6. Select **Controlled Folder Access Protected Folders** and add the folders that need to be protected.
-7. Select **List of apps that have access to protected folders** and add the apps that have access to protected folders.
+7. Select **Controlled Folder Access Allowed Applications** and add the apps that have access to protected folders.
8. Select **Exclude files and paths from attack surface reduction rules** and add the files and paths that need to be excluded from attack surface reduction rules.
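Review bot: steps 5 to 7 now use the "Controlled Folder Access ..." setting names, but step 8 keeps the label "Exclude files and paths from attack surface reduction rules"; check that label against the same policy page so the procedure does not mix old and new names. In step 7, "add the apps that have access to protected folders" reads as a description of existing state; "add the apps that should be allowed to access protected folders" makes it clear that each entry is an exception to the protection.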
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Last updated 03/24/2021
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
+> [!NOTE]
+> Example endpoints may include laptops, phones, tablets, PCs, access points, routers, and firewalls.
+ > [!TIP] > Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2. >
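Review bot: the new note lists access points, routers, and firewalls alongside laptops and PCs without saying whether those devices can be onboarded or are only examples of the term "endpoint"; link to the supported-platform list in minimum-requirements.md or qualify the sentence so readers do not assume coverage for network devices. "Example endpoints may include" is also doubly hedged; "Examples of endpoints include" is enough.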
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
Access to Defender for Endpoint is done through a browser, supporting the follow
- Windows Server 2019 and later - Windows Server 2019 core edition - Windows Server 2022-- Windows Virtual Desktop
+- Azure Virtual Desktop
- Windows 365 Devices on your network must be running one of these editions.
security Advanced Hunting Custom Functions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-custom-functions.md
+
+ Title: Custom functions in the advanced hunting schema
+description: Learn about writing your own custom functions for hunting
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, functions
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
+ Last updated : 05/16/2023++
+# Use custom functions
+++
+**Applies to:**
+- Microsoft 365 Defender
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+## Types of functions
+A function is a type of query in advanced hunting that can be used in other queries as if it's a command. You can create your own custom functions so you can reuse any query logic when you hunt in your environment.
+
+There are three different types of functions in advanced hunting:
+
+![Function types](../../media/advanced-hunting-custom-fxns/function-types.png)
+
+- **Built-in functions** ΓÇô Prebuilt functions included with Microsoft 365 Defender advanced hunting. These are available in all advanced hunting instances and can't be modified.
+- **Shared functions** ΓÇô Custom functions created by users, which are available for all users in a specific tenant and can be modified and controlled by users.
+- **My functions** ΓÇô Custom functions created by a user, which can be viewed and modified only by the user who created it.
+
+## Write your own custom function
+
+To create a function from the current query in the editor, select **Save** and then **Save as function**.
+
+![Save as function](../../media/advanced-hunting-custom-fxns/save-as-function.png)
+
+Next, provide the following information:
+
+- **Name** - Name of the function. Can contain only numbers, English letters, and underscores. To avoid accidentally using Kusto keywords, begin or end function names with an underscore or begin with a capital letter.
+- **Location** - The folder in which you would like to save the function, either shared or private
+Description A description that can help other users understand the purpose of the function and how it works
+- **Parameters** - Add a parameter for each variable in the function that requires a value when it's used.
+Add parameters to a function so that you can provide the arguments or values for certain variables when calling the function. This allows the same function to be used in different queries, each allowing for different values for the parameters. Parameters are defined by the following properties:
+ - **Type** - Data type for the value
+ - **Name** - The name that must be used in the query to replace the parameter value
+ - **Default value** - Value to be used for the parameter if a value isn't provided
+
+ Parameters are listed in the order they were created, with parameters that have no default value listed above those that have a default value.
+
+![Save as function dialog box](../../media/advanced-hunting-custom-fxns/save-as-function-dialog-box.png)
+
+## Use a custom function
+Use a function in a query by typing its name along with values for any parameter just as you would type in a command. The output of the function can either be returned as results or piped to another command.
+
+Add a function to the current query by double-clicking on its name or selecting the three dots to the right of the function and selecting **Open in query editor**.
+
+If a query requires arguments, provide them using the following syntax: *function_name(parameter 1, parameter 2, …)*
+
+![Open in query editor](../../media/advanced-hunting-custom-fxns/open-in-query-editor.png)
+
+> [!NOTE]
+> Functions canΓÇÖt be used inside another function.
+
+## Work with function codes
+You can view the code of a function either to gain insight into how it works or to modify its code. Select the three dots to the right of the function and select **Load function code** to open a new tab with the function code.
+
+![Load function code](../../media/advanced-hunting-custom-fxns/load-function-code.png)
+
+## Edit a custom function
+
+Edit the properties of a function by selecting the three dots to the right of the function and selecting **Edit function**. Make any modifications that you want to the properties and parameters of the function then select **Save**.
+
+![Edit function code](../../media/advanced-hunting-custom-fxns/edit-function.png)
+
+If the function code is already loaded to the editor, you can also select **Save** to apply any changes to the code or properties of the function.
+
+> [!NOTE]
+> Once a function is in use in a saved query or a detection rule, you canΓÇÖt edit the function to expand its scope. For example, if you saved a function that queries identity tables, and this function is used in a detection rule, you canΓÇÖt edit the function to include a device table after the fact. To do that, you can save a new function. Product scoping can be narrowed for the same function but not extended.
+++++
+## See also
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Get more query examples](advanced-hunting-shared-queries.md)
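Review bot: the "Description" field in the "Write your own custom function" list lost its list marker and bold formatting ("+Description A description that can help other users ..."), so it will render as a continuation of the Location bullet; make it "- **Description** - A description ..." like its siblings, and move the "Add parameters to a function ..." paragraph so it does not sit between the Parameters bullet and its Type/Name/Default value sub-bullets. Other points in the same file: the three function-type bullets and both notes contain mis-encoded characters ("ΓÇô", "canΓÇÖt") that should be plain hyphens and apostrophes; "If a query requires arguments" should be "If a function requires arguments"; the heading "Work with function codes" should be "Work with function code"; and the front matter adds ms.sitesec and ms.pagetype, which the enable-controlled-folders.md change in this same batch removes. Since shared functions "can be modified and controlled by users" across the tenant and a function can be used in a detection rule, state which role is needed to edit a shared function.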
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+## May 2023
+
+- (Preview) [Custom functions](advanced-hunting-custom-functions.md) are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.
+ ## April 2023 - (GA) The [unified Assets tab in the Incidents page](investigate-incidents.md) is now generally available.
This change introduces a new navigation menu within the Microsoft 365 Defender p
- (Preview) Near real-time custom detection is now available for public preview in advanced hunting custom detections. There is a new [Continuous (NRT)](custom-detection-rules.md) frequency, which checks data from events as they are collected and processed in near real-time. - (Preview) [Behaviors in Microsoft Defender for Cloud Apps](/defender-cloud-apps/behaviors) is now available for public preview. Preview customers can now also hunt for behaviors in advanced hunting using the [BehaviorEntities](advanced-hunting-behaviorentities-table.md) and [BehaviorInfo](advanced-hunting-behaviorinfo-table.md) tables. + ## February 2023 - (GA) The [query resources report in advanced hunting](advanced-hunting-limits.md#view-query-resources-report-to-find-inefficient-queries) is now generally available.
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
In Attack simulation training, multiple types of social engineering techniques a
The URLs that are used by Attack simulation training are described in the following list:
+- <https://www.attemplate.com>
- <https://www.bankmenia.com> - <https://www.bankmenia.de>
+- <https://www.bankmenia.es>
- <https://www.bankmenia.fr> - <https://www.bankmenia.it> - <https://www.bankmenia.org> - <https://www.banknown.de>
+- <https://www.banknown.es>
- <https://www.banknown.fr> - <https://www.banknown.it> - <https://www.banknown.org> - <https://www.browsersch.com> - <https://www.browsersch.de>
+- <https://www.browsersch.es>
- <https://www.browsersch.fr> - <https://www.browsersch.it> - <https://www.browsersch.org>
+- <https://www.docdeliveryapp.com>
+- <https://www.docdeliveryapp.net>
+- <https://www.docstoreinternal.com>
+- <https://www.docstoreinternal.net>
- <https://www.doctorican.de>
+- <https://www.doctorican.es>
- <https://www.doctorican.fr> - <https://www.doctorican.it> - <https://www.doctorican.org> - <https://www.doctrical.com> - <https://www.doctrical.de>
+- <https://www.doctrical.es>
- <https://www.doctrical.fr> - <https://www.doctrical.it> - <https://www.doctrical.org>
+- <https://www.doctricant.com>
- <https://www.doctrings.com> - <https://www.doctrings.de>
+- <https://www.doctrings.es>
- <https://www.doctrings.fr> - <https://www.doctrings.it> - <https://www.doctrings.org> - <https://www.exportants.com> - <https://www.exportants.de>
+- <https://www.exportants.es>
- <https://www.exportants.fr> - <https://www.exportants.it> - <https://www.exportants.org> - <https://www.financerta.com> - <https://www.financerta.de>
+- <https://www.financerta.es>
- <https://www.financerta.fr> - <https://www.financerta.it> - <https://www.financerta.org> - <https://www.financerts.com> - <https://www.financerts.de>
+- <https://www.financerts.es>
- <https://www.financerts.fr> - <https://www.financerts.it> - <https://www.financerts.org>
+- <https://www.hardwarecheck.net>
+- <https://www.hrsupportint.com>
+- <https://www.mcsharepoint.com>
+- <https://www.mesharepoint.com>
+- <https://www.officence.com>
+- <https://www.officenced.com>
+- <https://www.officences.com>
+- <https://www.officentry.com>
+- <https://www.officested.com>
- <https://www.passwordle.de> - <https://www.passwordle.fr> - <https://www.passwordle.it> - <https://www.passwordle.org>
+- <https://www.payrolltooling.com>
+- <https://www.payrolltooling.net>
- <https://www.prizeably.com> - <https://www.prizeably.de>
+- <https://www.prizeably.es>
- <https://www.prizeably.fr> - <https://www.prizeably.it> - <https://www.prizeably.org>
+- <https://www.prizegiveaway.net>
+- <https://www.prizegives.com>
+- <https://www.prizemons.com>
+- <https://www.prizesforall.com>
+- <https://www.prizewel.com>
+- <https://www.prizewings.com>
- <https://www.resetts.de>
+- <https://www.resetts.es>
- <https://www.resetts.fr> - <https://www.resetts.it> - <https://www.resetts.org>
+- <https://www.salarytoolint.com>
+- <https://www.salarytoolint.net>
- <https://www.securembly.com> - <https://www.securembly.de>
+- <https://www.securembly.es>
- <https://www.securembly.fr> - <https://www.securembly.it> - <https://www.securembly.org> - <https://www.securetta.de>
+- <https://www.securetta.es>
- <https://www.securetta.fr> - <https://www.securetta.it>
+- <https://www.shareholds.com>
+- <https://www.sharepointen.com>
+- <https://www.sharepointin.com>
+- <https://www.sharepointle.com>
+- <https://www.sharesbyte.com>
+- <https://www.sharession.com>
+- <https://www.sharestion.com>
- <https://www.supportin.de>
+- <https://www.supportin.es>
- <https://www.supportin.fr> - <https://www.supportin.it> - <https://www.supportres.de>
+- <https://www.supportres.es>
- <https://www.supportres.fr> - <https://www.supportres.it> - <https://www.supportres.org>
The URLs that are used by Attack simulation training are described in the follow
- <https://www.techidal.fr> - <https://www.techidal.it> - <https://www.techniel.de>
+- <https://www.techniel.es>
- <https://www.techniel.fr> - <https://www.techniel.it>-- <https://www.bankmenia.es>-- <https://www.banknown.es>-- <https://www.browsersch.es>-- <https://www.doctorican.es>-- <https://www.doctrical.es>-- <https://www.doctrings.es>-- <https://www.exportants.es>-- <https://www.financerta.es>-- <https://www.financerts.es>-- <https://www.prizeably.es>-- <https://www.resetts.es>-- <https://www.securembly.es>-- <https://www.securetta.es>-- <https://www.supportin.es>-- <https://www.supportres.es>-- <https://www.techniel.es>-- <https://www.mcsharepoint.com>-- <https://www.mesharepoint.com>-- <https://www.officence.com>-- <https://www.officenced.com>-- <https://www.officences.com>-- <https://www.officentry.com>-- <https://www.officested.com>-- <https://www.prizegives.com>-- <https://www.prizemons.com>-- <https://www.prizewel.com>-- <https://www.prizewings.com>-- <https://www.shareholds.com>-- <https://www.sharepointen.com>-- <https://www.sharepointin.com>-- <https://www.sharepointle.com>-- <https://www.sharesbyte.com>-- <https://www.sharession.com>-- <https://www.sharestion.com> - <https://www.templateau.com> - <https://www.templatent.com> - <https://www.templatern.com> - <https://www.windocyte.com>-- <https://www.attemplate.com>-- <https://www.doctricant.com>-- <https://www.salarytoolint.com>-- <https://www.prizesforall.com>-- <https://www.payrolltooling.com>-- <https://www.hrsupportint.com>-- <https://www.docstoreinternal.com>-- <https://www.docdeliveryapp.com>-- <https://www.docstoreinternal.net>-- <https://www.hardwarecheck.net>-- <https://www.payrolltooling.net>-- <https://www.prizegiveaway.net>-- <https://www.salarytoolint.net>-- <https://www.docdeliveryapp.net> > [!NOTE]
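Review bot: the commit message or PR description should state that no simulation URL is added or removed, because a reorder of this size is hard to audit from the diff. Pairing the lines by hand, each of the 48 entries deleted from the tail of the list (16 .es, 18 .com, then 14 mixed .com and .net) reappears as an added line in its alphabetical position, so the set looks unchanged; a sorted comparison of the old and new lists would confirm that without manual counting.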
security Email Authentication Dmarc Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dmarc-reports.md
+
+ Title: Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
+ Last updated : 05/17/2023
+ms.localizationpriority: high
+search.appverid:
+ - MET150
+ms.assetid: 4a05898c-b8e4-4eab-bd70-ee912e349737
+
+ - m365-security
+ - tier1
+description: Read your DMARC Reports. If you set the rua tag while configuring, DMARC Reports are sent daily to the email addresses specified, which help admins and SecOps fight spoofing and phishing emails. Domain-based Message Authentication, Reporting, and Conformance (DMARC) validate messages sent from your organization, and generate reporting that highlights DMARC effectiveness.
++++
+# Use DMARC Reports to validate email in Microsoft Office 365
+
+> [!NOTE]
+> If you haven't set up DMARC, the directions are [here](email-authentication-dmarc-configure.md). For an overview of email authentication including SPF, DKIM and DMARC in Microsoft Office 365, see this [topic](email-authentication-about.md).
+
+Domain-based Message Authentication, Reporting, and Conformance (**DMARC**) helps protect against spoofing and phishing, and prevents benign messages from being marked as spam.
+
+**DMARC Reporting** makes you aware of DMARC email authentication decisions at recipient mail server.
+
+## Office 365 DMARC reporting
+
+In Office 365, the DMARC reports are sent to all sender domain owners that have a valid rua address defined in their DMARC record (independent of your platform or configuration).
+
+The only exception is where the MX record for the recipient domain doesn't directly point to Office 365. In that case no DMARC Report is sent to the sender domain owner rua address.
+
+**Example:**
+
+**Mailbox A** > recipient *domain contoso.com*
+
+**Mailbox A MX record** > points to Office 365 at *contoso-com.mail.protection.outlook.com*
+
+**Mailbox A report result** > automatically sent an aggregated DMARC report to all email sender domain owners with a valid rua address in their DMARC record.
+
+But if the contoso.com domain's MX record points to a *different email security solution* that sits in front of Office 365, then *no DMARC aggregate reports are sent to any sender domain's rua address* (configured in their DMARC record). This is because information about the sending infrastructure is likely affected by the complex mail flow routing.
+
+## What DMARC Reports do for you
+
+It's recommended that admins set up and regularly review DMARC Reporting in their domain.
+
+Admins should regularly read and monitor the daily DMARC reports sent in email. The reports outline what messages from the domain pass one of email authentication methods **Sender Policy Framework (SPF)**, or **DomainKeys Identified Mail (DKIM)**, and the verdict of **DMARC** authentication.
+
+**DMARC Reports outline:**
+
+- The servers or services sending email from your domain.
+- The servers or services that pass or fail DMARC authentication.
+ - Note that email must also pass one of SPF or DKIM to pass DMARC.
+- The actions that DMARC takes on a server that gets unauthenticated mail from your domain. The options are:
+ - None
+ - Quarantine
+ - Reject
+
+DMARC reports let you know who is sending mail on your domain, and can alert you to potential spammers. Another advantage is that once most messages pass DMARC, admins can change enforcement by creating a stricter DMARC policy. This makes the environment increasingly unfriendly to spoofing and phishing.
+
+Reviewing DMARC reports can verify that messages are sent by authorized servers, and determine whether they pass authentication checks. Over time, this will allow admins to fine tune their response, choosing from amongst reject, quarantine, or no response (none).
+
+## Reading your DMARC Reports
+
+When DMARC is turned on, reports are sent daily to the email address or addresses specified in your DMARC record (reports using the rua tag in the DMARC record contain the email information).
+
+Every server that gets mail from your domain also sends back an XML DMARC report, including whether messages coming out of your domain pass or fail DMARC. You'll also see:
+
+- Any results for SPF, DKIM, and DMARC email authentication.
+- How many messages came from each IP address that day.
+
+## Interpreting your DMARC data
+
+> [!IMPORTANT]
+> The numbers of DMARC emails varies in the same way the amount of email your domain sends does. For example, there may be lulls during holidays, and peaks during an organization's events. This can add up to a lot of reporting, so it's best to dedicate a group and mailbox to the practice of getting and analyzing these reports.
+
+DMARC Reports can be difficult to read and interpret. Using a third-party service that specializes in DMARC, from receiving and storing this data, to analyzing and even aggregating reports, may be the answer.
+
+Ultimately the value of your DMARC investment, how effectively it's working, and whether or not it's meeting goals comes down to analyzing the data. If your DMARC Reports are handled by a 3rd party have a discussion about your key DMARC objectives.
+
+## More information
+
+[**SPF**](email-authentication-spf-configure.md) SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is).
+
+[**DKIM**](email-authentication-dkim-configure.md) email authentication's goal is to prove the contents of the mail haven't been tampered with.
+
+[**DMARC**](email-authentication-dmarc-configure.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address.
+
+[**Use trusted ARC Senders for legitimate mailflows**](use-arc-exceptions-to-mark-trusted-arc-senders.md)
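Review bot: "Every server that gets mail from your domain also sends back an XML DMARC report" in "Reading your DMARC Reports" overstates what receivers do and contradicts this article's own exception, where Office 365 sends no aggregate report when the recipient domain's MX record does not point directly to it; say that receivers which support DMARC reporting may send one. The sub-bullet "email must also pass one of SPF or DKIM to pass DMARC" should mention alignment with the From domain, which the closing DMARC description already implies. Smaller fixes: "at recipient mail server" needs an article, "pass one of email authentication methods" needs "the", "The numbers of DMARC emails varies" has a number disagreement, "handled by a 3rd party have a discussion" needs a comma, and the metadata Title ("protect against spoofing and phishing") does not match the H1 ("validate email").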
security Mdo Portal Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md
- seo-marvel-apr2020 Previously updated : 1/31/2023 Last updated : 5/17/2023 # Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal
A **role** grants the permissions to do a set of tasks.
A **role group** is a set of roles that lets people do their jobs in the Microsoft 365 Defender portal.
-Defender for Office 365 permissions in the Microsoft 365 Defender portal includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.
+Defender for Office 365 permissions in the Microsoft 365 Defender portal includes default role groups for the most common tasks and functions that you need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.
:::image type="content" source="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png" alt-text="The relationship of a role group to its roles and members" lightbox="../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png":::
The following types of roles and role groups are available in on the **Permissio
### Azure AD roles in the Microsoft 365 Defender portal
-When you open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Email & collaboration roles** \> **Permissions & roles** \> **Azure AD roles** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you'll see the Azure AD roles that are described in this section.
+When you open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Permissions** \> **Azure AD** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you see the Azure AD roles that are described in this section.
When you select a role, a details flyout that contains the description of the role and the user assignments appears. But to manage those assignments, you need to click **Manage members in Azure AD** in the details flyout.
For more information, see [View and assign administrator roles in Azure Active D
### Email & collaboration roles in the Microsoft 365 Defender portal
-In the Microsoft 365 Defender portal at <https://security.microsoft.com> \> **Email & collaboration roles** \> **Permissions & roles** page \> **Email & collaboration roles** \> **Roles** (or directly at <https://security.microsoft.com/emailandcollabpermissions>) you'll see the same role groups that are available in the Microsoft Purview compliance portal at <https://compliance.microsoft.com> \> **Permissions** page \> **Microsoft Purview solutions** \> **Roles** (or directly at <https://compliance.microsoft.com/compliancecenterpermissions>).
+The same role groups and roles are available in the Microsoft 365 Defender portal and in the Microsoft Purview compliance portal:
+
+- [Defender portal](https://security.microsoft.com): **Permissions** \> **Email & collaboration roles** \> **Roles** or directly at <https://security.microsoft.com/emailandcollabpermissions>
+- [Purview compliance portal](https://compliance.microsoft.com): **Roles & Scopes** \> **Permissions** \> **Microsoft Purview solutions** \> **Roles** or directly at <https://compliance.microsoft.com/compliancecenterpermissions>
For complete information about these role groups, see [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](scc-permissions.md) #### Modify Email & collaboration role membership in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles**. To go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Permissions** \> **Email & collaboration roles** \> **Roles**. Or, to go directly to the **Permissions** page, use <https://security.microsoft.com/emailandcollabpermissions>.
2. On the **Permissions** page, select the role group that you want to modify from the list. You can click on the **Name** column header to sort the list by name, or you can click **Search** ![Search icon.](../../media/m365-cc-sc-search-icon.png) to find the role group.