Updates from: 05/19/2023 01:29:57
Category Microsoft Docs article Related commit history on GitHub Change details
admin Get Help Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-support.md
Save time by starting your service request online. We'll help you find a solutio
> [!IMPORTANT] > You must have bought at least one subscription through Microsoft to access Microsoft support. If you bought all your subscriptions through a partner, contact your partner for support.
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2166757" target="_blank">https://admin.microsoft.com</a>. If you get a message that says you don't have permission to access this page or perform this action, you aren't an admin. For more information, see [Who has admin permissions in my business?](../admin/admin-overview/admin-center-overview.md#who-has-admin-permissions-in-my-business).
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>. If you get a message that says you don't have permission to access this page or perform this action, you aren't an admin. For more information, see [Who has admin permissions in my business?](../admin/admin-overview/admin-center-overview.md#who-has-admin-permissions-in-my-business).
2. On the bottom right side of the page, select **Help & support**. 3. Type a question or keyword into the text box. If you get a drop-down list, select the one closest to your question, or continue typing your question, then press **Enter**. 4. If the results don't help, at the bottom, select **Contact Support**.
commerce Allotment Basics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/allotment-basics.md
- Title: Allotment basics-- NOCSH---------- Tier1-- scotvorg-- M365-subscription-management -- Adm_O365--- commerce_licensing-- empty
-description: "Learn about the new allotments feature."
Previously updated : 05/12/2022--
-# Microsoft 365 license allotment basics
-
-License allotments let you set license limits and delegate management of license assignment to only the products and license limits that you select.
-
-Allotments use group-based licensing to assign licenses to your users. License limits provide added control over how many licenses are assigned to the users in your groups. So even as the number of users in your groups increases, you can ensure that you stay within the license limit that you have set for your allotment.
-
-You can also delegate management of your allotments. Delegated allotment owners gain access to the admin center, but can only see and manage the licenses in the allotments they own. This provides more granular delegation of license management within your organization.
-
-## Prerequisites
-
-You must meet the licensing requirements for [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal#licensing-requirements).
-
-You can use allotments with any product available to users:
--- Microsoft 365 and standalone products-- Enterprise and Mobility products-- Dynamics 365 products-
-The following products can't be used with allotments:
--- Microsoft Store apps-- Perpetual software, or software that is directly assigned to a user if there's no license involved.-- Azure resources-
-You must be a global or license admin to get started with an allotment.
-
-## Getting started
-
-The allotments feature is available in a private preview to only a few customers. If you're interested in joining, fill out this form: [https://aka.ms/allotment-pilot-signup](https://aka.ms/allotment-pilot-signup).
compliance Dlp Configure Endpoint Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoint-settings.md
DLP can copy items that match policies on devices to an [Azure storage account](
> - Windows 10 - [March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview](https://support.microsoft.com/en-us/topic/march-21-2023-kb5023773-os-builds-19042-2788-19044-2788-and-19045-2788-preview-5850ac11-dd43-4550-89ec-9e63353fef23), [March 28, 2023—KB5023774 (OS Build 22000.1761) Preview](https://support.microsoft.com/en-us/topic/march-28-2023-kb5023774-os-build-22000-1761-preview-67b4cfda-120a-422f-98c0-35124ddba839)  >- Windows 11 - [March 28, 2023—KB5023778 (OS Build 22621.1485) Preview](https://support.microsoft.com/en-us/topic/march-28-2023-kb5023778-os-build-22621-1485-preview-d490bb51-492e-410c-871f-50ad01b0f765) >
-> - Microsoft Defender [April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md#april-2023-platform-41823048--engine-11203003)
+> - Microsoft Defender [April-2023 (Platform: 4.18.2304.8 | Engine: 1.1.20300.3)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates#april-2023-platform-41823048--engine-11203003)
**Network share coverage and exclusions** extends endpoint DLP policies and actions to new and edited files on network shares and mapped network drives. If [just in time protection (preview)](endpoint-dlp-learn-about.md#just-in-time-protection-preview) is also enabled, it will also be extended to cover network shares and mapped drives when you enable network share coverage and exclusions. If you want to exclude a specific network path for all monitored devices, add the path value in **Exclude these network share paths**.
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
The available context options change depending on which location you choose. If
##### Conditions Exchange supports - Content contains
+- User's risk level for Adaptice Protection is
+- Content is not labeled
- Content is shared from Microsoft 365 - Content is received from - Sender IP address is-- Has sender overridden the policy tip-- Sender is-- Sender domain is-- Sender address contains words-- Sender address contains patterns
+- Header contains words or phrases
- Sender AD Attribute contains words or phrases
+- Content character set contains words
+- Header matches patterns
- Sender AD Attribute matches patterns
+- Recipient AD Attribute contains words or phrases
+- Recipient AD Attribute matches patterns
+- Recipient is member of
+- Document property is
+- Any email attachment's content could not be scanned
+- Document or attachment is password protected
+- Has sender overridden the policy tip
- Sender is a member of-- Any email attachment's content couldn't be scanned - Any email attachment's content didn't complete scanning-- Attachment is password protected
+- Recipient address contains words
- File extension is-- Recipient is member of - Recipient domain is - Recipient is-- Recipient address contains words
+- Sender is
+- Sender domain is
- Recipient address matches patterns-- Recipient AD Attribute contains words or phrases-- Recipient AD Attribute matches patterns - Document name contains words or phrases - Document name matches patterns-- Document property is-- Document size equals or is greater than-- Document content contains words or phrases-- Document content matches patterns - Subject contains words or phrases - Subject matches patterns-- Subject or Body contains words or phrases
+- Subject or body contains words or phrases
- Subject or body matches patterns-- Content character set contains words-- Header contains words or phrases-- Header matches patterns
+- Sender address contains words
+- Sender address matches patterns
+- Document size equals or is greater than
+- Document content contains words or phrases
+- Document content matches patterns
- Message size equals or is greater than - Message type is - Message importance is
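Review bot: The added Exchange condition `User's risk level for Adaptice Protection is` misspells the feature name; it should read "Adaptive Protection", as the Teams and Devices lists in this same change spell it. The hunk also removes `Has sender overridden the policy tip`, `Sender is` and `Sender domain is` from their old positions and adds them back further down, so please confirm the new order is deliberate and not a side effect of the edit.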
The available context options change depending on which location you choose. If
- Content contains - Content is shared from Microsoft 365-- Document created by-- Document created by member of (currently deprecated for customers not already using this condition) -- Document name contains words or phrases-- Document size equals or is greater than-- Document name matches patterns (currently deprecated for customers not already using this condition) - Document property is - File extension is
+- Document name contains words or phrases
+- Document size equals or is greater than
+- Document created by
+- Document created by member of
##### Conditions OneDrive accounts supports - Content contains - Content is shared from Microsoft 365-- Document created by-- Document created by member of (currently deprecated for customers not already using this condition) -- Document name contains words or phrases-- Document size equals or is greater than-- Document name matches patterns (currently deprecated for customers not already using this condition) - Document property is - File extension is
+- Document name contains words or phrases
+- Document size equals or is greater than
+- Document created by
+- Document created by member of
- Document is shared ##### Conditions Teams chat and channel messages supports - Content contains
+- Users risk level for Adaptive Protection is
- Content is shared from Microsoft 365
+- Recipient domain is
+-Recipient is
- Sender is - Sender domain is-- Recipient domain is-- Recipient is ##### Conditions Devices supports - Content contains-- Document or attachment is password protected (.pdf, Office files, .zip, and Symantec PGP encrypted files are fully supported). This predicate detects only open protected files.-- Content isn't labeled (.pdf and Office files are fully supported). This predicate detects content that doesn't have a sensitivity label applied. To help ensure only supported file types are detected, you should use this condition with the **File extension is** or **File type is** conditions.-- (preview) The user accessed a sensitive website from Microsoft Edge. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.-- File extension is
+- User's risk level for Adaptive Protection is
+- Content is not labeled (.pdf and Office files are fully supported). This predicate detects content that doesn't have a sensitivity label applied. To help ensure only supported file types are detected, you should use this condition with the **File extension is** or **File type is** conditions.
+- Document or attachment is password protected (.pdf, Office files, .zip, and Symantec PGP encrypted files are fully supported). This condition detects only open protected files.
- File type is
+- File extension is
+- The user accessed a sensitive website from Microsoft Edge. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.
+ - See, [Endpoint activities you can monitor and take action on](endpoint-dlp-learn-about.md#endpoint-activities-you-can-monitor-and-take-action-on) ##### Conditions Microsoft Defender for Cloud Apps supports
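Review bot: In the Teams list, `+-Recipient is` has no space after the list marker, so it will not render as a bullet; it should be `- Recipient is`. The line `Users risk level for Adaptive Protection is` in the same list is missing the apostrophe that the Devices list uses (`User's`). In the SharePoint and OneDrive lists, `Document created by member of` comes back without the "(currently deprecated for customers not already using this condition)" qualifier and `Document name matches patterns` is dropped entirely. If the deprecation still applies, keep the qualifier so admins do not build new rules on that condition.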
To learn more about how Purview DLP implements booleans and nested groups see, [
|Document contains words | EXO | Individual word length <= 128; Count <= 600 | Medium| |Document matches patterns| EXO| Regex length <= 128 char; Count <= 300 | Medium| -
-<!--### Exceptions
-
-> [!IMPORTANT]
-> The **Exceptions** UI is only available in Classic rule builder mode. When you toggle the UI to the **New DLP rule builder**, which enabled nested groups and the boolean operators AND, OR, and, NOT, exceptions are displayed as a nested group under conditions and joined to the conditions with a boolean NOT. To learn more on how to use the **New DLP rule builder** to create exceptions see, [Complex rule design](dlp-policy-design.md#complex-rule-design)
-
-In rules, exceptions define conditions that are used to exclude an item from the policy. Logically, exclusive conditions are evaluated after the inclusive conditions and context. They tell the rule &#8212; when you find an item that looks like *this* and is being used like *that* it's a match and the rest of the actions in the policy should be taken on it ***except if***... &#8212;
-
-For example, keeping with the HIPPA policy, we could modify the rule to exclude any item that contains a Belgium drivers license number, like this:
-
-![HIPPA policy with exclusions](../media/dlp-rule-exceptions.png)
-
-The exceptions conditions that are supported by location are identical to all the inclusion conditions with the only difference being the prepending of "Except if" to each supported condition. If a rule contains only exceptions, it will apply to all emails or files that do not meet the exclusion criteria.
-
-Just as all locations support the inclusive condition:
--- Content contains-
-the exception would be:
--- **Except if** content contains-->- ### Actions Any item that makes it through the ***conditions*** <!--and exclusive ***exceptions***--> filter will have any ***actions*** that are defined in the rule applied to it. You'll have to configure the required options to support the action. For example, if you select Exchange with the **Restrict access or encrypt the content in Microsoft 365 locations** action you need to choose from these options:
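Review bot: With the commented-out Exceptions section deleted, the Actions paragraph right after it still carries the inline comment `<!--and exclusive ***exceptions***-->`. Remove that comment in the same change so the source has no hidden reference left to the section that no longer exists.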
The actions that are available in a rule are dependent on the locations that hav
- Add the sender's manager as recipient - Removed O365 Message Encryption and rights protection - Prepend Email Subject-- Modify Email Subject - Add HTML Disclaimer
+- Modify Email Subject
+- Deliver the message to the hosted quarantine
#### SharePoint sites location actions
The actions that are available in a rule are dependent on the locations that hav
#### Devices actions
-<!-
-- Restrict access or encrypt the content in Microsoft 365 locations.-- Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.
+- Restrict access or encrypt the content in Microsoft 365 locations
+- Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices (See, [Scenario 6 Monitor or restrict user activities on sensitive service domains)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.)
- Audit or restrict activities on devices To use `Audit or restrict activities on Windows devices`, you have to configure options in **DLP settings** and in the policy in which you want to use them. See, [Restricted apps and app groups](dlp-configure-endpoint-settings.md#restricted-apps-and-app-groups) for more information.
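Review bot: The re-added Devices action reads `Audit or restricted activities when users access sensitive websites`, which should be "Audit or restrict activities" to match the `Audit or restrict activities on devices` bullet below it. The link text also keeps a stray closing parenthesis inside the brackets (`...sensitive service domains)]`), and wrapping the whole sentence in parentheses now leaves it unbalanced. Drop the `)` from the link text.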
compliance Email Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/email-encryption.md
For more information on how Microsoft 365 secures communication between servers,
|Recommendations and example scenarios|We recommend using OME when you want to send sensitive business information to people outside your organization, whether they're consumers or other businesses. For example: <br/> A bank employee sending credit card statements to customers <br/> A doctor's office sending medical records to a patient <br/> An attorney sending confidential legal information to another attorney|We recommend using IRM when you want to apply usage restrictions as well as encryption. For example: <br/> A manager sending confidential details to her team about a new product applies the "Do Not Forward" option. <br/> An executive needs to share a bid proposal with another company, which includes an attachment from a partner who is using Office 365, and require both the email and the attachment to be protected.|We recommend using S/MIME when either your organization or the recipient's organization requires true peer-to-peer encryption. <br/> S/MIME is most commonly used in the following scenarios: <br/> Government agencies communicating with other government agencies <br/> A business communicating with a government agency| ||
+Don't apply multiple email encryption technologies to the same email message. Some email clients, such as Outlook for Mac, Outlook for iOS, and Outlook for Android, aren't able to open messages with multiple email encryption technologies applied.
+ ## What encryption options are available for my Microsoft 365 subscription? For information about email encryption options for your Microsoft 365 subscription see the [Exchange Online service description](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). Here, you can find information about the following encryption features:
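Review bot: The new warning about not stacking encryption technologies is added as a plain paragraph directly under the comparison table, where it is easy to miss. Since it describes messages that some clients cannot open, consider using a `> [!IMPORTANT]` callout as other articles in this change set do. Stating which combinations are meant (OME, IRM, S/MIME from the table above) would also make it actionable.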
compliance Set Up Azure Rms For Previous Version Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-azure-rms-for-previous-version-message-encryption.md
A TPD is an XML file that contains information about your organization's rights
> [!IMPORTANT] > Previously, you could choose to import TPDs from the Active Directory Rights Management service (AD RMS) into your organization. However, doing so will prevent you from using Microsoft Purview Message Encryption and is not recommended. If your organization is currently configured this way, Microsoft recommends that you create a plan to migrate from your on-premises Active Directory RMS to cloud-based Azure Information Protection. For more information, see [Migrating from AD RMS to Azure Information Protection](/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms). You will not be able to use Microsoft Purview Message Encryption until you have completed the migration to Azure Information Protection.
-**To import TPDs from Azure RMS**:
+**To import TPDs from Azure RMS (Deprecated)**:
1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
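Review bot: The heading now ends in `(Deprecated)`, but step 1 and the procedure under it are unchanged, so a reader cannot tell what to use instead or whether the steps still work. Add a sentence under the heading that names the supported alternative, or extend the existing `[!IMPORTANT]` note above it to cover this procedure.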
enterprise Microsoft 365 Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-monitoring.md
description: "Use Microsoft 365 monitoring for information about incidents or ad
# Learn about Microsoft 365 monitoring
-You can use dashboards in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) to monitor the health of various Microsoft services for your organization's Microsoft 365 subscription. This capability was initially started with Exchange Online and now getting expanded to other Microsoft services like Microsoft Teams, Microsoft 365 Apps and more service in future. Monitoring provides you with information about incidents and advisories that are collected in these categories:
+You can use dashboards in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339) to monitor the health of various Microsoft services for your organization's Microsoft 365 subscription. This capability began with Exchange Online and is now being expanded to other Microsoft services like Microsoft Teams, Microsoft 365 Apps, and more services in the future.
+
+Microsoft 365 Monitoring increases observability and minimizes downtime through providing near real-time user telemetry data with enriched alerts in the Microsoft 365 admin center's Service Health dashboard.
+
+Monitoring provides you with information about incidents and advisories that are collected in these categories:
- **Infrastructure**. Issue is detected in the Microsoft 365 infrastructure that Microsoft owns for providing regular updates and resolving the issue. For example, users can't access Exchange Online because of issues with Exchange or other Microsoft 365 cloud infrastructure.
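Review bot: In the added paragraph, "minimizes downtime through providing near real-time user telemetry data" reads awkwardly; "by providing" is the usual construction. The paragraph also capitalizes "Microsoft 365 Monitoring" while the H1 of this article uses "Microsoft 365 monitoring". Pick one form and use it in both places.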
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
Dependencies: Microsoft Defender Antivirus
### Block all Office applications from creating child processes
-This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. This rule also blocks execution of untrusted files that may have been saved by Office macros that are allowed to run in Office files.
+This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.
Dependencies: Microsoft Defender Antivirus, AMSI
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
+Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule also blocks execution of untrusted files that may have been saved by Office macros that are allowed to run in Office files.
Intune name: `Office apps/macros creating executable content`
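Review bot: The sentence about blocking execution of untrusted files saved by Office macros is moved to the end of the executable-content rule, after "Therefore, this rule defends against a common persistence technique", where it reads as an afterthought. The rule's opening summary still says it works only "by blocking malicious code from being written to disk", so the description now states two behaviours in two places. Move the sentence up next to the summary, or reword the summary to cover both the write block and the execution block, so that admins evaluating the rule in audit mode know which events to expect.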
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
Last updated 05/16/2023
search.appverid: met150
-# Check sevice health at Microsoft Defender for Endpoint
+# Check service health at Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
To download the package (Zip file) and investigate the events that occurred on a
Alternate steps:
-1. Select **Action center** from the response actions section of the device page.
+1. Select **Collect Investigation Package** from the response actions section of the device page.
- :::image type="content" source="images/action-center-package-collection.png" alt-text="The Action center option" lightbox="images/action-center-package-collection.png":::
+ ![Image of collect investigation package](images/collect-investigation-package.png)
+
+2. Add comments and select **Confirm**.
-2. In the Action center fly-out, select **Package collection package available** to download the zip file.
+ ![Image of confirm comment](images/comments-confirm.png)
- :::image type="content" source="images/collect-package.png" alt-text="The download package option" lightbox="images/collect-package.png":::
+3. Select **Action center** from the response actions section of the device page.
+
+ ![Image of action center](images/action-center-selected.png)
+
+4. Click the **Package collection package available** to download the collection package.
+
+ ![Image of download package](images/download-package.png)
For Windows devices, the package contains the following folders:
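Review bot: The four new screenshots use plain `![Image of ...]` syntax in place of the `:::image` blocks they replace, which loses the `lightbox` attribute. Their alt text ("Image of action center") is also less descriptive than the removed alt text ("The Action center option"). Keep the `:::image` form and describe what each screenshot shows. Step 4 says "Click the **Package collection package available**" while steps 1 to 3 use "Select". Use "Select **Package collection package available**" for consistency.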
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 05/18/2023 # Prioritize incidents in Microsoft 365 Defender
The **Most recent incidents and alerts** section shows a graph of the number of
By default, the incident queue in the Microsoft 365 Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
-The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for analysis.
+The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis.
-For additional visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.
+For more visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
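Review bot: "This filtering helps you make an informed decision" now refers back to a sentence about customizable columns (**Choose columns**), not filters, so the new subject is inaccurate. Something like "These columns help you make an informed decision" keeps the intent of avoiding a bare "This" without mislabeling the feature.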
This table lists the filter names that are available.
| Classification | Specify the set of classifications of the related alerts. | | Automated investigation state | Specify the status of automated investigation. | | Associated threat | Specify a named threat. |
-| Actors | Specify a named threat actor. |
-|||
+| Alert policies | Specify an alert policy title. |
+ The default filter is to show all alerts and incidents with a status of **New** and **In progress** and with a severity of **Low**, **Medium**, or **High**.
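Review bot: Removing the `Actors` row from the filter table leaves the "Save custom filters as URLs" section out of step, because its example list further down still includes `Incidents with a specific actor`. Drop or reword that bullet in the same change, and check that the new `Alert policies` filter is reflected there if it is meant to be a bookmarkable view.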
You can quickly remove a filter by selecting the **X** in the name of a filter i
## Save custom filters as URLs
-Once you have configured a useful filter in the incidents queue, you can bookmark the URL of the browser tab or otherwise save it as a link on a Web page, a Word document, or a place of your choice. This will give you single-click access to key views of the incident queue, such as:
+Once you've configured a useful filter in the incidents queue, you can bookmark the URL of the browser tab or otherwise save it as a link on a Web page, a Word document, or a place of your choice. Bookmarking gives you single-click access to key views of the incident queue, such as:
- New incidents - High-severity incidents
Once you have configured a useful filter in the incidents queue, you can bookmar
- Incidents with a specific associated threat - Incidents with a specific actor
-Once you have compiled and stored your list of useful filter views as URLs, you can use it to quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent assignment and analysis.
+Once you have compiled and stored your list of useful filter views as URLs, use it to quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent assignment and analysis.
## Search for incidents
You can name an asset&mdash;such as a user, device, mailbox, or application name
The default list of incidents is for those that occurred in the last six months. You can specify a new time range from the drop-down box next to the calendar icon by selecting:
+ - One day
+ - Three days
+ - One week
- 30 days - 30 days
+ - Six months
- A custom range in which you can specify both dates and times ## Next steps
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
search.appverid: - MOE150 - MET150 Previously updated : 02/16/2021 Last updated : 05/18/2023 # Manage incidents in Microsoft 365 Defender
Incident management is critical to ensuring that incidents are named, assigned,
You can manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example. Here are the ways you can manage your incidents:
Here are the ways you can manage your incidents:
You can manage incidents from the **Manage incident** pane for an incident. Here's an example. You can display this pane from the **Manage incident** link on the: - **Alert story** page. - Properties pane of an incident in the incident queue. - **Summary** page of an incident.
+- Manage incident option located on the upper right side of the Incident page.
In cases where you want to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
security Attack Simulation Training Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md
It's possible that the number of users who actually receive the simulation email
- Guest users. - Users that are no longer active in Azure Active Directory (Azure AD).
-Only valid, non-guest users with valid Exchange Online mailboxes will be included in simulations. If you use distribution groups or mail-enabled security groups to target users, you can use the [Get-DistributionGroupMember](/powershell/module/exchange/get-distributiongroupmember) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to view and validate distribution group members.
+If you use distribution groups or mail-enabled security groups to target users, you can use the [Get-DistributionGroupMember](/powershell/module/exchange/get-distributiongroupmember) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to view and validate distribution group members.
## Issues with Attack simulation training reporting
To turn on audit log search, see [Turn audit log search on or off](../../complia
> [!NOTE] > Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded.
+### Reporting issues with on-premises mailboxes
+
+Attack simulation training supports on-premises mailboxes, but with reduced reporting functionality:
+
+- Data on whether users read, forwarded, or deleted the simulation email isn't available for on-premises mailboxes.
+- The number of users who reported the simulation email isn't available for on-premises mailboxes.
+ ### Simulation reports are not updated immediately Detailed simulation reports aren't updated immediately after you launch a campaign. Don't worry; this behavior is expected.
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
Watch this short video to learn more about Attack simulation training.
- Attack simulation training requires a Microsoft 365 E5 or [Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md) license. For more information about licensing requirements, see [Licensing terms](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms).
+- Attack simulation training supports on-premises mailboxes, but with reduced reporting functionality. For more information, see [Reporting issues with on-premises mailboxes](attack-simulation-training-faq.md#reporting-issues-with-on-premises-mailboxes).
+ - To open the Microsoft 365 Defender portal, go to <https://security.microsoft.com>. Attack simulation training is available at **Email and collaboration** \> **Attack simulation training**. To go directly to Attack simulation training, use <https://security.microsoft.com/attacksimulator>. - For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see [Microsoft Defender for Office 365 service description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
description: Admins can learn how to apply Standard and Strict policy settings a
search.appverid: met150 Previously updated : 5/15/2023 Last updated : 5/18/2023 # Preset security policies in EOP and Microsoft Defender for Office 365
Last updated 5/15/2023
_Preset security policies_ allow you to apply protection features to users based on our recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on our observations in the datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
-Depending on your organization, preset security policies provide the protection features that are available in [Exchange Online Protection (EOP)](eop-about.md) and[Microsoft Defender for Office 365](microsoft-defender-for-office-365-product-overview.md).
+Depending on your organization, preset security policies provide the protection features that are available in [Exchange Online Protection (EOP)](eop-about.md) and [Microsoft Defender for Office 365](microsoft-defender-for-office-365-product-overview.md).
-For details about the elements of preset security policies, see the [Appendix](#appendix) section at the end of this article.
+The following preset security policies are available:
+
+- **Standard** preset security policy
+- **Strict** preset security policy
+- **Built-in protection** preset security policy (default policies for Safe Attachments and Safe Links protection in Defender for Office 365)
+
+For details about these preset security policies, see the [Appendix](#appendix) section at the end of this article.
The rest of this article how to configure preset security policies.
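Review bot: The trailing context sentence "The rest of this article how to configure preset security policies." is missing its verb. Since this hunk already rewrites the paragraph directly above it, fix the sentence in the same change, for example "The rest of this article describes how to configure preset security policies."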
The rest of this article how to configure preset security policies.
The domains you added are listed on the page. To remove a domain, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: next to the entry.
- To remove an existing entry from the list, select :::image type="icon" source="../../media/m365-cc-sc-remove.png" border="false"::: next to the entry.
+ To remove an existing entry from the list, select :::image type="icon" source="../../media/m365-cc-sc-remove-icon.png" border="false"::: next to the entry.
When you're finished on the **Add domains to flag when impersonated by attackers**, select **Next**.
A profile determines the level of protection. The following profiles are availab
- **Strict protection**: A more aggressive profile for selected users (high value targets or priority users). - **Built-in protection** (Microsoft Defender for Office 365 only): Effectively provides default policies for Safe Links and Safe Attachments only.
-To compare the configurations between Standard and Strict, see the individual feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+In general, the **Strict protection** profile tends to quarantine less harmful email (for example, bulk and spam) than the **Strict protection** profile, but many of the settings in both profiles are the same (in particular, for unquestionably harmful email like malware or phishing). For a comparison of the setting differences, see the tables in the next section.
Until you turn on the profiles and assign users to them, the Standard and Strict preset security policies are assigned to no one. In contrast, the Built-in protection preset security policy is assigned to all recipients by default, but you can configure exceptions.
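Review bot: The added sentence compares the **Strict protection** profile with itself ("the **Strict protection** profile tends to quarantine less harmful email ... than the **Strict protection** profile"), so it does not say how the two profiles differ. One of the two names should be **Standard protection**. The table added later in this change shows Standard using `MoveToJmf` and Strict using `Quarantine` for bulk and spam, so the intended reading is that Standard quarantines less than Strict. The phrase "quarantine less harmful email" is also ambiguous (fewer harmful messages versus messages that are less harmful); reword it so that "less harmful" clearly modifies the email, matching the "(for example, bulk and spam)" examples.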
But, you need to configure the individual users (senders) and domains to receive
- Domain impersonation protection for all domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). - [Mailbox intelligence protection (contact history)](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+The differences in meaningful policy settings in the Standard preset security policy and the Strict preset security policy are summarized in the following table:
+
+|&nbsp;|Standard|Strict|
+||::|::|
+|**Anti-malware policy**|No difference|No difference|
+|**Anti-spam policy**|||
+|&nbsp;&nbsp;**Bulk** detection action (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|
+|&nbsp;&nbsp;**Bulk email threshold** (_BulkThreshold_)|7|6|
+|&nbsp;&nbsp;**Spam** detection action (_SpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|
+|**Anti-phishing policy**|||
+|&nbsp;&nbsp;**If the message is detected as spoof by spoof intelligence** (_AuthenticationFailAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|
+|&nbsp;&nbsp;**If mailbox intelligence detects an impersonated user** (_MailboxIntelligenceProtectionAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|
+|&nbsp;&nbsp;**Phishing email threshold** (_PhishThresholdLevel_)|**3 - More aggressive** (`3`)|**4 - Most aggressive** (`4`)|
+|**Safe Attachments policy**|No difference|No difference|
+|**Safe Links policy**|No difference|No difference|
+
+The differences in Safe Attachments and Safe Links policy settings in the Built-in protection preset security policy and in the Standard and Strict preset security policies are summarized in the following table:
+
+|&nbsp;|Built-in protection|Standard and Strict|
+||::|::|::|
+|**Safe Attachments policy**|No difference|No difference|
+|**Safe Links policy**||||
+|&nbsp;&nbsp;**Let users click through to the original URL** (_AllowClickThrough_)|Selected (`$true`)|Not selected (`$false`)|
+|&nbsp;&nbsp;**Do not rewrite URLs, do checks via Safe Links API only** (_DisableURLRewrite_)|Selected (`$true`)|Not selected (`$false`)|
+|&nbsp;&nbsp;**Apply Safe Links to email messages sent within the organization** (_EnableForInternalSenders_)|Not selected (`$false`)|Selected (`$true`)|
+
+For details about these settings, see the feature tables in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
+ ### Order of precedence for preset security policies and other policies When a recipient is defined in multiple policies, the policies are applied in the following order:
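Review bot: In the second added table (Built-in protection versus Standard and Strict), the header row has three columns but the separator row `||::|::|::|` and the `|**Safe Links policy**||||` row each have four. In the first table the separator `||::|::|` and the `|**Anti-spam policy**|||` row match the three-column header. Drop the extra cell from both rows in the second table so the two tables are consistent and the second one renders with the expected column count.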
In other words, the settings of the Strict preset security policy override the s
This order is shown on the pages of the individual security policies in the Defender portal (the policies are applied in the order they're shown on the page).
-For example, an admin configures the Standard preset security policy and a custom anti-spam policy with the same recipient. The anti-spam policy settings from the Standard preset security policy are applied to the user instead of what's configured in the custom policy anti-spam policy or in the default anti-spam policy.
+For example, an admin configures the Standard preset security policy and a custom anti-spam policy with the same recipient. The anti-spam policy settings from the Standard preset security policy are applied to the user instead of what's configured in the custom anti-spam policy or in the default anti-spam policy.
Consider applying the Standard or Strict preset security policies to a subset of users, and apply custom policies to other users in your organization to meet specific needs. To meet this requirement, consider the following methods:
Consider applying the Standard or Strict preset security policies to a subset of
- If you can't avoid multiple policies applying to the same users, use the following strategies: - Configure recipients who should get the settings of the **Standard** preset security policy and custom policies as exceptions in the **Strict** preset security policy. - Configure recipients who should get the settings of custom policies as exceptions in the **Standard** preset security policy.
- - Configure the users who should get the settings of the Built-in protection preset security policy or default policies as exceptions to custom policies.
+ - Configure recipients who should get the settings of the Built-in protection preset security policy or default policies as exceptions to custom policies.
The Built-in protection** doesn't affect recipients in existing Safe Links or Safe Attachments policies. If you already configured **Standard protection**, **Strict protection** or custom Safe Links or Safe Attachments policies, those policies are _always_ applied _before_ **Built-in protection**, so there's no effect on the recipients who are already defined in those existing preset or custom policies.
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
- **Assign users** section: Select one of the following values: - **Just me** - **Entire organization**
- - **Specific users/groups**: Find and select users and groups in the search box. After each selection, the user or group appears in the **Added users** section that appears below the search box. To remove a selection, select :::image type="icon" source="../../media/m365-cc-sc-remove.png" border="false"::: on the entry.
+ - **Specific users/groups**: Find and select users and groups in the search box. After each selection, the user or group appears in the **Added users** section that appears below the search box. To remove a selection, select :::image type="icon" source="../../media/m365-cc-sc-remove-icon.png" border="false"::: on the entry.
- **Email notification** section: **Send email notification to assigned users** and **View email sample** aren't selectable.
syntex Annotations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/annotations.md
Previously updated : 02/15/2023 Last updated : 05/17/2023 audience: admin
description: Learn how to use universal annotations to mark and collaborate on i
Use the annotations feature in Microsoft Syntex to add notes and comments to your content in document librariesΓÇöeither for yourself or for collaborating with others. You can use the annotations feature without modifying the original files, so the original records are preserved.
-Annotation tools currently include pen and highlighter, where can choose the colors you want to use, and an eraser for removing ink strokes and previous annotations. The feature is currently available for .pdf, .tiff, .epub, and .ai file types. More annotation tools and file types will be added in future releases.
+Annotation tools currently include pen and highlighter, where can choose the colors you want to use, and an eraser for removing ink strokes and previous annotations. The feature is currently available for the following files types: .ai, .dwg, .epub, .pdf, .rtf, and .tiff. More annotation tools and file types will be added in future releases.
> [!NOTE] > This feature is available only for users who are licensed for Syntex.
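Review bot: The rewritten line carries over a missing subject from the old text ("where can choose the colors you want to use" should be "where you can choose ...") and introduces a new typo in "for the following files types", which should be "file types". Both are in the single added line, so they can be fixed in this change.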
syntex Prebuilt Model Contract https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-model-contract.md
audience: admin-+ search.appverid:
syntex Set Up Microsoft Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/set-up-microsoft-syntex.md
audience: admin-+ - enabler-strategic
syntex Syntex Pay As You Go Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-pay-as-you-go-services.md
audience: admin-+ - enabler-strategic