Updates from: 05/20/2023 01:28:21
Category Microsoft Docs article Related commit history on GitHub Change details
bookings Bookings Sms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-sms.md
With Microsoft Bookings, you can set up SMS text notifications to be sent to the
The SMS notifications will include the Teams meeting link for virtual booking appointments. > [!NOTE]
-> We'll be providing unlimited SMS notifications through April 3rd, 2023 (previously March 1, 2023) for customers with Bookings licenses. As we get closer to the end of the promotion period, we'll provide additional details on licensing requirements. Contact your account team or support to receive pricing details after the promotion period.
+>Virtual Appointments SMS notifications are now part of [Teams Premium](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams). Contact your administrator if you need a license for Teams Premium.
## Before you begin
compliance Communication Compliance Case Study https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-case-study.md
f1.keywords:
Previously updated : 02/07/2023 Last updated : 05/19/2023 audience: Admin
Contoso IT administrators take the following steps to verify the licensing suppo
### Permissions for communication compliance
-There are [five solution role groups used to configure permissions to manage communication compliance features](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance). To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, Contoso administrators are assigned the *Communication Compliance Admins* role.
+There are five [role groups used to configure permissions](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance) to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft Purview compliance portal and to continue with these configuration steps, Contoso administrators are assigned the *Communication Compliance Admins* role.
Contoso decides to use the *Communication Compliance* role group and assign all the communication compliance administrators, analysts, investigators, and viewers to the group. This role group configuration makes it easier for Contoso to get started quickly and best fits their compliance management requirements.
Contoso IT administrators make sure they review the information in the [Overview
### Setting up a group for in-scope users
-Contoso compliance specialists want to add all users to the communication policy that will detect potentially inappropriate text. They could decide to add each user account to the policy separately, but they've decided it's much easier and saves time to use an **All Users** distribution group for the users for this policy.
+Contoso compliance specialists want to add all users to the communication policy that will detect potentially inappropriate text. They could decide to add each user account to the policy separately, but they've decided it's easier and saves time to use an **All Users** distribution group for the users for this policy.
They need to create a new group to include all Contoso users, so they take the following steps:
With all the prerequisites completed, the IT administrators and the compliance s
## Step 4: Investigate and remediate alerts
-Now that the communication compliance policy to detect potentially inappropriate text is configured, the next step for the Contoso compliance specialists will be to investigate and remediate any alerts generated by the policy. It will take up to an hour for the policy to fully process communications in all the communication source channels and for alerts to show up in the **Alert dashboard**.
+Now that the communication compliance policy to detect potentially inappropriate text is configured, the next step for the Contoso compliance specialists is to investigate and remediate any alerts generated by the policy. It may take up to an hour for the policy to fully process communications in all the communication source channels and for alerts to show up in the **Alert dashboard**.
After alerts are generated, Contoso compliance specialists will continue to follow the [workflow instructions](/microsoft-365/compliance/communication-compliance-investigate-remediate) to investigate and remediate potentially inappropriate text issues.
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
f1.keywords:
Previously updated : 03/20/2023 Last updated : 05/19/2023 audience: Admin f1_keywords:
If you don't have an existing Office 365 Enterprise E5 plan and want to try comm
## Recommended actions
-Recommended actions can help your organization quickly get started with communication compliance. Included on the **Overview** page, recommended actions will help guide you through the steps to configure and deploy policies.
+Recommended actions can help your organization quickly get started with communication compliance. Included on the **Overview** page, recommended actions help guide you through the steps to configure and deploy policies.
The following recommendations are available to help you get started and maximize your communication compliance configuration:
Each action in communication compliance has three attributes:
- **Recommended, required or optional**: Whether the recommended action is highly recommended, required, or optional for communication compliance features to function as expected. - **Estimated time to complete**: Estimated time to complete the recommended action in minutes.
-Select recommendations from the list to get started with configuring communication compliance. Each recommended action guides you through the required activities for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization. Some recommended actions will be automatically marked as complete when configured. If not, you'll need to manually select the action as complete when configured.
+Select recommendations from the list to get started with configuring communication compliance. Each recommended action guides you through the required activities for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization. Some recommended actions are automatically marked as complete when configured. If not, you need to manually select the action as complete when configured.
Also included on the Policies page, recommended actions insights help summarize current sensitive information types and potential regulatory compliance violations in communications in your organization. Insights are supported by [data classification](/microsoft-365/compliance/data-classification-overview) and the application of sensitivity labels, retention labels, and sensitive information type classification. These insights are aggregated and don't include any personally identifiable information (PII) for users in your organization.
Choose from these solution role group options when configuring and managing comm
|Configure policies and settings|Yes|Yes|No|No|No| |Access and investigate alerts|Yes|No|Yes|Yes|No| |View **Conversation** and **Translation** tabs for a specific message|Yes|No|No|Yes|No|
-|Do advanced remediation actions: Escalate for investigation; Remove message in Teams; Download; Run Power Automate flow|Yes|No|No|Yes|No|
+|Take advanced remediation actions: <br><br>- Escalate for investigation <br>- Remove message in Teams <br> - Download items and reports <br>- Run Power Automate flows|Yes|No|No|Yes|No|
|Create message details report |Yes|No|No|Yes|No| |Access reports|Yes|No|No|No|Yes|
-|Manage settings: privacy, notice templates, and so on|Yes|Yes|No|No|No|
+|Manage privacy settings and notice templates|Yes|Yes|No|No|No|
|View and export policy updates|Yes|Yes|No|No|Yes| ### Option 1: Assign all compliance users to the Communication Compliance role group
Choose from these solution role group options when configuring and managing comm
Complete the following steps to add users to this role group: 1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.- 2. Select **Permissions** in the left nav, and select **Roles** under the **Microsoft Purview solutions** list.- 3. Select the *Communication Compliance* role group and then select **Edit**.- 4. Select the **Choose users** tab, then select the checkbox for all users you want to add to the role group.-
-6. Choose **Select**, then **Next**.
-
-7. Select **Save** to add the users to the role group. Select **Done** to complete the steps.
+5. Choose **Select**, then **Next**.
+6. Select **Save** to add the users to the role group. Select **Done** to complete the steps.
### Option 2: Assign users to specific communication compliance role groups Use this option to assign users to specific role groups to segment communication compliance access and responsibilities among different users in your organization. 1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization, and then go to the **Permissions**</a>.- 2. Select the link to view and manage roles in Office 365.- 3. Select one of the communication compliance role groups, then select **Edit role group**.- 4. Select **Choose members** from the left navigation pane, then select **Edit**.- 5. Select **Add** and then select the checkbox for all users you want to add to the role group.- 6. Select **Add**, then select **Done**.- 7. Select **Save** to add the users to the role group.- 8. Select the next communication compliance role group, then repeat steps 4-7 for each required role group.- 9. Select **Close** to complete the steps.
-For more information about role groups and permissions, see [Permissions in the Compliance Center](../security/office-365-security/protect-against-threats.md).
+For more information about role groups and permissions, see [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions).
## Step 2 (required): Enable the audit log
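Review bot: In Option 2, step 1, the unchanged sentence still ends with a stray closing tag, "go to the **Permissions**</a>.", apparently left over from an earlier HTML link. This hunk already repairs the permissions link at the end of the section, so remove the `</a>` (or restore the link it belonged to) in the same change.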
For more information about configuring Yammer in Native Mode, see:
If you choose a policy template to create a policy, you will: - Confirm or update the policy name. Policy names can't be changed once the policy is created.- - Choose the users or groups to apply the policy to, including the users or groups you'd like to exclude. When using the conflict of interest template, you'll select two groups or two users to detect internal communications.- - Choose the reviewers for the policy. Reviewers are individual users and all reviewers must have mailboxes hosted on Exchange Online. Reviewers added here are the reviewers that you can choose from when escalating an alert in the investigation and remediation workflow. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process.- - Choose a limited condition field, usually a sensitive info type or keyword dictionary to apply to the policy. > [!NOTE]
For more information about configuring Yammer in Native Mode, see:
If you choose to use the policy wizard to create a custom policy, you will: - Give the policy a name and description. Policy names can't be changed once the policy is created.- - Choose the users or groups to apply the policy to, including all users in your organization, specific users and groups, or other users and groups you'd like to exclude.- - Choose the reviewers for the policy. Reviewers are individual users and all reviewers must have mailboxes hosted on Exchange Online. Reviewers added here are the reviewers that you can choose from when escalating an alert in the investigation and remediation workflow. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process.
-
- Choose adaptive scopes for the policy. For more information, see [Adaptive policy scopes for compliance solutions](purview-adaptive-scopes.md#advantages-of-using-adaptive-scopes). If you decide to create an adaptive policy, you must create one or more adaptive scopes before you create your policy, and then select them during the create new policy process. For instructions, see [Configuration information for adaptive scopes](purview-adaptive-scopes.md#configure-adaptive-scopes).- - Choose the communication channels to check, including Exchange, Microsoft Teams, or Yammer. You'll also choose to check third-party sources if you've configured a connector in Microsoft 365.- - Choose the communication direction to detect, including inbound, outbound, or internal communications.- - Define the communication compliance policy [conditions](/microsoft-365/compliance/communication-compliance-policies#conditional-settings). You can choose from message address, keyword, file types, and size match conditions.- - Choose if you'd like to include sensitive information types. This step is where you can select default and custom sensitive info types. Pick from existing custom sensitive information types or custom keyword dictionaries in the communication compliance policy wizard. You can create these items before running the wizard if needed. You can also create new sensitive information types from within the communication compliance policy wizard.
-
- Choose if you'd like to enable classifiers. Classifiers can detect potentially inappropriate language and images sent or received in the body of email messages or other types of text. You can choose the following built-in classifiers: *Targeted threat*, *Profanity*, *Targeted harassment*, *Adult images*, *Racy images*, and *Gory images*.- - Enable [optical character recognition (OCR)](/microsoft-365/compliance/communication-compliance-policies#optical-character-recognition-ocr) to identify embedded or attached images in messages for printed or handwritten text that match policy conditions. For custom policies, one or more conditional settings associated with text, keywords, classifiers, or sensitive info types must be configured in the policy to enable the selection of optical character recognition (OCR) documents.
+ - Choose the **Filter email blasts** check box to exclude messages sent from email blast services. Messages that match specific conditions selected here won't generate alerts. This includes bulk email (such as newsletters), spam, phishing, and malware. When this option is selected, you can view a [report](communication-compliance-reports-audits.md#detailed-reports) containing the bulk email senders that are filtered out.
- - Choose the **Filter email blasts** check box to exclude messages sent from email blast services. Messages that match specific conditions selected here won't generate alerts. This includes bulk email, such as newsletters, as well as spam, phishing, and malware. When this option is selected, you can view a [report](communication-compliance-reports-audits.md#detailed-reports) containing the bulk email senders that are filtered out.
-
> [!NOTE]
- > The list of senders is filtered before the content is analyzed so there might be senders that don't match the content conditions. In other words, there might be extra senders in the report.
+ > The list of senders is filtered before the content is analyzed so there might be senders that don't match the content conditions. In other words, there might be extra senders in the report.
- Define the percentage of communications to review.- - Review your policy selections and create the policy. 5. Depending on your selected scope:
+ - If you chose **Adaptive** scopes, on the **Choose adaptive policy scopes** page, select **Add scopes** and select one or more adaptive scopes that have been created. The scopes that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Groups**.
6. Select **Create policy** when using the templates or **Submit** when using the custom policy wizard.
-7. The **Your policy was created** page is displayed with guidelines on when policy will be activated and which communications will be captured.
+7. The **Your policy was created** page is displayed with guidelines on when policy will be activated and which communications are captured.
> [!TIP] > After configuring your policy, [learn about best practices for managing the volume of alerts](communication-compliance-alerts-best-practices.md).
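Review bot: The example in the added step 5 bullet does not follow from the sentence before it: "if you only added a scope type of **User**, you will be able to select **Groups**" names what becomes selectable but not what is excluded, so the dependency on scope types stays unclear. State the rule explicitly (which scope types allow which selections) and use present tense ("you can select") to match the tense edits elsewhere in this change. Step 5 also opens with "Depending on your selected scope:" but only the Adaptive branch is visible here; confirm the other branch is still present.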
If you want to have the option of responding to a policy alert by sending a remi
You can also choose to enable anonymization for displayed usernames when investigating policy matches and taking action on messages. 1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.- 2. In the Microsoft Purview compliance portal, go to **Communication compliance**.- 3. To configure anonymization for usernames, select the **Privacy** tab.- 4. To enable anonymization, select **Show anonymized versions of usernames**.- 5. Select **Save**.- 6. Navigate to the **Notice templates** tab and then select **Create notice template**.- 7. On the **Modify a notice template** page, complete the following fields: - Template name (required)
After you create a communication compliance policy, it's a good idea to test it
Follow these steps to test your communication compliance policy: 1. Open an email client, Microsoft Teams, or Yammer while signed in as a scoped user defined in the policy you want to test.- 2. Send an email, Microsoft Teams chat, or Yammer message that meets the criteria you've defined in the communication compliance policy. This test can be a keyword, attachment size, domain, etc. Make sure you determine if your configured conditional settings in the policy are too restrictive or too lenient. > [!NOTE] > Email messages can take approximately 24 hours to fully process in a policy. Communications in Microsoft Teams, Yammer, and third-party platforms can take approximately 48 hours to fully process in a policy. 3. Sign in to Microsoft 365 as a reviewer designated in the communication compliance policy. Navigate to **Communication compliance** > **Alerts** to view the alerts for your policies.- 4. Remediate the alert using the remediation controls and verify that the alert is properly resolved. ## Next steps
compliance Compliance Manager Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-improvement-actions.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 05/19/2023 audience: Admin
To begin implementation work on an improvement action, you can do the work yours
2. The **Assign to user** flyout pane shows a **Suggested people** list of users. You can select the user from the list, or type the email address of the person you want to assign it to.
-3. Select **Assign**. The assigned user will receive an email explaining that the improvement action has been assigned to them, with a direct link to the improvement action.
+3. Select **Assign**. The assigned user receives an email explaining that the improvement action has been assigned to them, with a direct link to the improvement action.
> [!NOTE] > US Government Community (GCC) High and Department of Defense (DoD) customers won't receive an email when improvement actions are assigned to them.
You can assign multiple improvement actions to one user by following these steps
### Implementation work
-Implementation guidance will vary depending on whether you go to Microsoft Defender for Cloud to perform the work to complete the action. Learn more about [multicloud support](compliance-manager-multicloud.md).
+Implementation guidance varies depending on whether you go to Microsoft Defender for Cloud to perform the work to complete the action. Learn more about [multicloud support](compliance-manager-multicloud.md).
##### Actions for services supported by Defender for Cloud
-Improvement actions that pertain to cloud services such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) are implemented and monitored using Compliance ManagerΓÇÖs integration with Defender for Cloud. The action description on the **Implementation** tab will indicate that implementation occurs through Defender for Cloud, with a link taking you there to perform the work.
+Improvement actions that pertain to cloud services such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) are implemented and monitored using Compliance ManagerΓÇÖs integration with Defender for Cloud. The action description on the **Implementation** tab indicates that implementation occurs through Defender for Cloud, with a link taking you there to perform the work.
These infrastructure cloud actions can be of two types:
These infrastructure cloud actions can be of two types:
The **Implementation** tab shows a list of all related subscriptions, indicating subscription type, the number of virtual resources completed, points achieved, and the assessments in which the action appears. Select a subscription from the list to view more details in a flyout pane.
-To begin implementation, first locate the actionΓÇÖs **Testing source** to determine if the action is automatic or manual. Then review the subscriptions listed for the action. Each subscription will have its own test status.
+To begin implementation, first locate the actionΓÇÖs **Testing source** to determine if the action is automatic or manual. Then review the subscriptions listed for the action. Each subscription has its own test status.
**For manual actions**:
To begin implementation, first locate the actionΓÇÖs **Testing source** to deter
- Then attest to the completion of this work in Compliance Manager and/or Defender for Cloud by completing the implementation and testing status fields. > [!NOTE] > Manual actions donΓÇÖt synchronize status between Compliance Manager and Defender for Cloud. You can update the status in either location, however the statuses won't synch.-- Each subscription will need to have its status updated. Each subscription will contain a single virtual resource, which represents the subscription itself.
+- Each subscription needs to have its status updated. Each subscription contains a single virtual resource, which represents the subscription itself.
**For automatic actions**: - For each subscription listed on the **Implementation** tab, view the **Virtual resources completed** column.-- If a subscription shows that there are virtual resources that are not complete, select the subscription and on the flyout pane, select the **Virtual resources** tab.
+- If a subscription shows that there are virtual resources that aren't complete, select the subscription and on the flyout pane, select the **Virtual resources** tab.
- Inspect the status of each resource to determine which require ones require remediation. - For the resources needing remediation, review the **How to implement guidance** on the actionΓÇÖs **Implementation** tab. Then select the Defender for Cloud link to make the necessary changes in Defender for Cloud.
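Review bot: The last bullet under **For automatic actions** still reads "determine which require ones require remediation"; change it to "determine which ones require remediation" while this list is being edited. In the manual-actions note above it, "the statuses won't synch" should be "won't sync", matching "synchronize" earlier in the same note.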
Automatically tested actions may also show one of the following states in the **
> The test status and testing notes for automatically tested improvement actions can't be edited manually. Compliance Manager updates these fields for you. #### Exporting testing history
-You can export a report that will show you a history of all changes in test status for an improvement action. These reports are especially helpful for monitoring progress on [actions that are automatically tested](#testing-source), since such actions are regularly or frequently updated based on your tenant's data.
+You can export a report that shows you a history of all changes in test status for an improvement action. These reports are especially helpful for monitoring progress on [actions that are automatically tested](#testing-source), since such actions are regularly or frequently updated based on your tenant's data.
-On an improvement action's details page, select the **Testing** tab. Under **Testing history**, select the **Export testing history** button. The report will download as an Excel file.
+On an improvement action's details page, select the **Testing** tab. Under **Testing history**, select the **Export testing history** button. The report downloads as an Excel file.
## Testing source
Compliance Manager provides options for how to test improvement actions. In the
> Testing source canΓÇÖt be changed on actions for services supported by Defender for Cloud. If you donΓÇÖt agree with an automated testing result, you can go to the related assessment in Defender for Cloud to alter the testing logic and scope. #### Manual
-Improvement actions set for manual testing are actions which you manually test and implement. You set the necessary implementation and test status states, and upload any evidence files on the **Documents** tab. For some actions, this is the only available method for testing improvement actions.
+Improvement actions set for manual testing are actions that you manually test and implement. You set the necessary implementation and test status states, and upload any evidence files on the **Documents** tab. For some actions, this is the only available method for testing improvement actions.
#### Automatic Certain improvement actions can be automatically tested by Compliance Manager. [Get details](compliance-manager-setup.md#testing-source-for-automated-testing) on which improvement actions can and can't be tested automatically.
-For those improvement actions that can be automatically tested, you'll see the **Automatic** option for testing source. Compliance Manager will detect signals from other compliance solutions you've set up in your Microsoft 365 environment, as well as any complementary actions that Microsoft Secure Score also monitors. The **Testing logic** field on the **Testing** tab will show what kind of policy or configuration is required in another solution in order for the action to pass and earn points toward your compliance score.
-
-When signals indicate that an improvement action has been successfully implemented, you'll automatically receive the points eligible for that action, which will factor into scores for any related controls and assessments. Learn more about [scoring](compliance-score-calculation.md).
+For those improvement actions that can be automatically tested, you'll see the **Automatic** option for testing source. Compliance Manager detects signals from other compliance solutions and cloud services. The **Testing logic** field on the **Testing** tab shows what kind of policy or configuration is required in another solution or service in order for the action to pass. When signals indicate that an improvement action has been successfully implemented, you automatically receive the eligible points for that action, which factor into scores for any related controls and assessments. Learn more about [scoring](compliance-score-calculation.md).
Automatic testing is on by default for all eligible improvement actions. You can adjust these settings to automatically test only certain improvement actions, or you can turn off automatic testing for all actions. Learn more about how automated testing works and how to adjust your settings at [Set up automated testing](compliance-manager-setup.md#manage-automated-testing-settings).
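Review bot: The rewritten Automatic paragraph drops two statements the old text made: that signals come from solutions "in your Microsoft 365 environment, as well as any complementary actions that Microsoft Secure Score also monitors", and that a passing action will "earn points toward your compliance score". If Secure Score signals still feed automatic testing, keep that sentence. If the removal is intentional, say what "cloud services" covers here or link to the multicloud support page so readers know which signal sources decide a pass.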
When automated testing is turned on, the actionΓÇÖs test date wonΓÇÖt be updated
#### Parent
-When you select **Parent** as the testing source for an improvement action, you'll choose another action to which your action will be linked. Your action in effect becomes the "child" to the action that you designate as the "parent." When you designate a parent for an improvement action, that action inherits the implementation and testing details of the parent action. Anytime the parent action's status changes, the child's status will inherit those changes. The child action will also accept all evidence in its **Documents** tab belonging to the parent action, which could override any data that previously existed in the child action's **Documents**.
+When you select **Parent** as the testing source for an improvement action, you choose another action to which your action will be linked. Your action in effect becomes the "child" to the action that you designate as the "parent." When you designate a parent for an improvement action, that action inherits the implementation and testing details of the parent action. Anytime the parent action's status changes, the child's status inherits those changes. The child action will also accept all evidence in its **Documents** tab belonging to the parent action, which could override any data that previously existed in the child action's **Documents**.
> [!NOTE] > Having a testing source of **Parent** doesn't necessarily mean that the action is automatically tested by Compliance Manager. For example, if the parent action's testing source is **manual**, then the child action will take on the status of parent action, which is a manual test and implementation by your organization.
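Review bot: The Parent paragraph leaves its most consequential statement in a trailing clause: the child action accepts the parent's evidence, "which could override any data that previously existed in the child action's **Documents**". Because this can replace audit evidence, move it into its own callout (a `[!NOTE]` or stronger alert) rather than the end of a long paragraph. The same sentence still says "will also accept" while the rest of the hunk moves to present tense.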
After you complete the work, conduct testing, and upload evidence, the next step
- **If test status is set to ΓÇ£PassedΓÇ¥**: the action is complete and the points achieved shows the maximum points achieved. The points are then counted toward your overall compliance score. -- **If test status is set to ΓÇ£FailedΓÇ¥**: the action doesn't meet the requirements, and the assessor can assign it back to the appropriate user for additional work.
+- **If test status is set to ΓÇ£FailedΓÇ¥**: the action doesn't meet the requirements, and the assessor can assign it back to the appropriate user for more work.
-Users will need a **Compliance Manager Assessor** role in order to edit improvement action testing notes. You may also want to grant users access only to certain assessments. Learn [how to set permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles) and [how to grant role-based assess to assessments](compliance-manager-setup.md#role-based-access-to-assessments).
+Users need a **Compliance Manager Assessor** role in order to edit improvement action testing notes. You may also want to grant users access only to certain assessments. Learn [how to set permissions](compliance-manager-setup.md#set-user-permissions-and-assign-roles) and [how to grant role-based assess to assessments](compliance-manager-setup.md#role-based-access-to-assessments).
## Accepting updates to improvement actions
-When an update is available for an improvement action, youΓÇÖll see a notification next to its name. You can either accept the update or defer it for a later time.
+When an update is available for an improvement action, you see a notification next to its name. You can either accept the update or defer it for a later time.
##### What causes an update
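Review bot: The added line about the **Compliance Manager Assessor** role keeps the typo in its second link text, "how to grant role-based assess to assessments". It should read "role-based access to assessments", which also matches the link's anchor `#role-based-access-to-assessments`.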
Select **Accept update** to accept all the changes to the improvement action. **
> [!NOTE] > When you accept an update to an action, youΓÇÖre also accepting updates to any other versions or instances of this action. Updates will propagate tenant-wide for technical actions, and will propagate group-wide for non-technical actions.
-If you select **Cancel**, the update wonΓÇÖt be applied to the improvement action. However, youΓÇÖll continue to see the **Pending update** notification until you accept the update.
+If you select **Cancel**, the update wonΓÇÖt be applied to the improvement action. However, you continue to see the **Pending update** notification until you accept the update.
- **Why we recommend accepting updates**: Accepting updates helps ensure you have the most updated guidance on using solutions and taking appropriate improvement actions to help you meet the requirements of the certification at hand.
If you select **Cancel**, the update wonΓÇÖt be applied to the improvement actio
##### Accept all updates at once
-If you have multiple updates and want to accept them all at one time, select the **Accept all updates** link at the top of your improvement actions table. A flyout pane will appear which lists the number of actions to be updated. Select the **Accept updates** button to apply all updates.
+If you have multiple updates and want to accept them all at one time, select the **Accept all updates** link at the top of your improvement actions table. A flyout pane appears which lists the number of actions to be updated. Select the **Accept updates** button to apply all updates.
-Note that when you return to your improvement actions page, you may see a message across the top of the page asking you to refresh the page for the updates to be completed.
+When you return to your improvement actions page, you may see a message across the top of the page asking you to refresh the page for the updates to be completed.
## Set up alerts for improvement action changes
compliance Dlp Create Deploy Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-create-deploy-policy.md
f1.keywords:
Previously updated : 01/11/2021 Last updated : 04/19/2023 audience: ITPro f1_keywords:
There are so many configuration options in the policy creation flow that it's no
> [!IMPORTANT] > This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.
-#### Scenario 1 pre-requisites and assumptions
+#### Scenario 1 prerequisites and assumptions
This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:
ii. move fully into production
Scenario recommendation: Restrict users from uploading sensitive data to unsanctioned locations (Web sites, USB devices, printers, etc) AND block users from copying/saving data from Sensitive sites.
-### Scenario 4
-Endpoint
-### Scenario 5
-
-Endpoint + Teams
--> ### Scenario 2 Show policy tip as oversharing popup (preview)
+Oversharing popup is an E5 feature.
> [!IMPORTANT] > This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users. > [!IMPORTANT] > To identify the minimum version of Outlook that supports this feature, use the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Preventing oversharing as DLP policy tip**.
-#### Scenario 2 pre-requisites and assumptions
+#### Scenario 2 prerequisites and assumptions
+In Outlook Win 32 an oversharing popup displays a popup before a message is sent. Select **Show policy tip as a dialog for the user before send** in policy tip when creating a DLP rule for the Exchange location.
This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see: - [Learn about sensitivity labels](sensitivity-labels.md)
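Review bot: The sentence added under "Scenario 2 prerequisites and assumptions" reads "an oversharing popup displays a popup before a message is sent", which is circular; say what the dialog shows instead. The "Select **Show policy tip as a dialog for the user before send**" instruction is a configuration step rather than a prerequisite, so it belongs in the steps section, and the option is spelled "Show policy tip as a dialog for the end user before send" in the mapping table later in this scenario; use one spelling. "Oversharing popup is an E5 feature." is added directly under a heading marked (preview) with no article and no licensing link.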
This procedure uses a hypothetical company domain at Contoso.com.
|"...the user on send with a popup dialogue..."| **Policy tips**: selected </br> - **Show policy tip as a dialog for the end user before send**: selected| |"...and no one can be allowed to override the block...| **Allow overrides from M365 Services**: not selected|
+To configure oversharing popups with default text, the DLP rule must include these conditions:
+
+- Content contains > Sensitivity labels > *choose your sensitivity label(s)*
+
+and a recipient-based condition
+
+- SentTo
+- SentToAMemberOf
+- RecpientDomainIs
+
+ When these conditions are met, the policy tip displays untrusted recipients while the user is writing the mail in Outlook, before it's sent.
+ #### Steps to create policy for scenario 2
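Review bot: `RecpientDomainIs` in the added recipient-condition list is misspelled; it should be `RecipientDomainIs`. The three entries read like PowerShell condition names, while the portal steps and the tip that follow use the UI labels "Recipient domain is", "Recipient is" and "Recipient is a member of"; give both forms or pick one so readers can match them. The bare line "and a recipient-based condition" between the two lists should also say whether any one of the three is sufficient.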
This procedure uses a hypothetical company domain at Contoso.com.
1. Select **Add group** > **AND** > **NOT** > **Add condition**. 1. Select **Recipient domain is** > **contoso.com**. Choose **Add**.+
+> [!TIP]
+> **Recipient is** and **Recipient is a member of** can also be used in the previous step and will trigger an oversharing popup.
-1. Select **Add and action** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file.** > **Block everyone**.
+17. Select **Add and action** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file.** > **Block everyone**.
1. Set **User notifications** to **On**.
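Review bot: The action step is renumbered from `1.` to a hard-coded `17.` while the steps before and after it still use `1.` auto-numbering. The new `> [!TIP]` block is added at column 0, which ends the ordered list, so the hard-coded number looks like a workaround; indent the tip under the preceding step and keep `1.` instead. While this line is open, "Add and action" should be "Add an action", and the path repeats "**Restrict access or encrypt the content in Microsoft 365 locations**" twice.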
This procedure uses a hypothetical company domain at Contoso.com.
1. Choose **Next** > **Keep it off** > **Next** > **Submit**.
+#### PowerShell steps to create policy for scenario 2
+
+DLP policies and rules can also be configured in PowerShell. To configure oversharing popups using PowerShell, first you create a DLP policy (using PowerShell) and add DLP rules for each warn, justify or block popup type.
+
+You'll configure and scope your DLP Policy using [New-DlpCompliancePolicy](/powershell/module/exchange/new-dlpcompliancepolicy). Then, you'll configure each oversharing rule using [New-DlpComplianceRule](/powershell/module/exchange/new-dlpcompliancerule)
+
+To configure a new DLP policy for the oversharing popup scenario use this code snippet:
+
+```powershell
+PS C:\> New-DlpCompliancePolicy -Name <DLP Policy Name> -ExchangeLocation All
+```
+
+This sample DLP policy is scoped to all users in your organization. Scope your DLP Policies using `-ExchangeSenderMemberOf` and `-ExchangeSenderMemberOfException`.
+
+|Parameter| Configuration|
+|||
+|[-ContentContainsSensitiveInformation](/powershell/module/exchange/new-dlpcompliancerule.md#-contentcontainssensitiveinformation)| Configures one or more sensitivity label conditions. This sample includes one. At least one label is mandatory.|
+|[-ExceptIfRecipientDomainIs](/powershell/module/exchange/new-dlpcompliancerule.md#-exceptifrecipientdomainis)| List of trusted domains.|
+|[-NotifyAllowOverride](/powershell/module/exchange/new-dlpcompliancerule.md#-notifyallowoverride)| "WithJustification" enables justification radio buttons, "WithoutJustification" disables them.|
+|[-NotifyOverrideRequirements](/powershell/module/exchange/new-dlpcompliancerule.md#-notifyoverriderequirements) "WithAcknowledgement" enables the new acknowledgment option. This is optional.|
+|
+
+To configure a new DLP rule to generate a *warn* popup using trusted domains run this PowerShell code.
+
+```powershell
+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator="Or";name="Default";labels=@(@{name=<Label GUID>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")
+```
+
+To configure a new DLP rule to generate a *justify* popup using trusted domains run this PowerShell code.
+
+```powershell
+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com") -NotifyAllowOverride "WithJustification"
+```
+
+To configure a new DLP rule to generate a *block* popup using trusted domains run this PowerShell code.
+```powershell
+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")
+```
## Deployment A successful policy deployment isn't just about getting the policy into your environment to enforce controls on user actions. A haphazard, rushed deployment can negatively impact business process and annoy your users. Those consequences will slow acceptance of DLP technology in your organization and the safer behaviors it promotes. Ultimately making your sensitive items less safe in the long run.
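Review bot: In the parameter table, the `-NotifyOverrideRequirements` row has no `|` between the parameter link and its description, and a stray `|` line follows it, so the last row will not render as two columns. The four parameter links point at `/powershell/module/exchange/new-dlpcompliancerule.md#...`, whereas the cmdlet links two paragraphs earlier use the same path without `.md`; drop the extension so they resolve the same way. The table needs a sentence saying these are `New-DlpComplianceRule` parameters, since it directly follows the `New-DlpCompliancePolicy` scoping paragraph, and none of the three samples uses `-NotifyOverrideRequirements`. In the code blocks, remove the `PS C:\>` prompt and quote the placeholders, for example `name="<Label GUID>"`, so that a pasted command with substituted values is valid.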
Actions are what a policy does in response to user activities on sensitive items
> The **Allow** action is only available for policies that are scoped to the **Devices** location. - **Audit only**: The user activity is allowed to occur, so no business processes are impacted. You'll get audit data and you can add notifications and alerts to raise awareness and train your users to know that what they're doing is a risky behavior. If your organization intends to enforce more restrictive actions later on, you can tell your users that too.-- **Block with override**: The user activity is blocked by default. You can audit the event, raise alerts and notifications. This will impact the business process, but your users will be given the option to override the block and provide a reason for the override. Because you get direct feedback from your users, this action can help you identify false positive matches, which you can use to further tune the policy.
+- **Block with override**: The user activity is blocked by default. You can audit the event, raise alerts and notifications. This impacts the business process, but your users are given the option to override the block and provide a reason for the override. Because you get direct feedback from your users, this action can help you identify false positive matches, which you can use to further tune the policy.
> [!NOTE] > For Exchange online and SharePoint Online, overrides are configured in the user notification section.
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
for where they are used/expected behavior-->
<!--You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.-->
-When a user attempts an action on a sensitive item in a context that meets the conditions of a rule, you can let them know about it through user notification emails and in- context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.
+When a user attempts an activity on a sensitive item in a context that meets the conditions of a rule, you can let them know about it through user notification emails and in-context policy tip popups. These notifications are useful because they increase awareness and help educate people about your organization's DLP policies.
For example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with a guest.
produces this text in the customized notification:
*pasting from the clipboard File Name: Contoso doc 1 via WINWORD.EXE isn't allowed by your organization. Select the 'Allow' button if you want to bypass the policy Contoso highly confidential*
+You can localize your custom policy tips by using the [Set-DlpComplianceRule -NotifyPolicyTipCustomTextTranslations cmdlet](/powershell/module/exchange/new-dlpcompliancerule#-notifypolicytipcustomtexttranslations).
+ > [!NOTE] > User notifications and policy tips are not available for the On-premises location >
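Review bot: The added link text names `Set-DlpComplianceRule`, but the target is `/powershell/module/exchange/new-dlpcompliancerule#-notifypolicytipcustomtexttranslations`; point the link at the cmdlet the text names, or name both cmdlets. `-NotifyPolicyTipCustomTextTranslations` is a parameter, so the word "cmdlet" belongs after the cmdlet name rather than after the parameter.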
To learn more about user notification and policy tip configuration and use, incl
- [Send email notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies).
-<!--The email can notify the person who sent, shared, or last modified the content and, for site content, the primary site collection administrator and document owner. In addition, you can add or remove whomever you choose from the email notification.
-
-In addition to sending an email notification, a user notification displays a policy tip:
--- In Outlook and Outlook on the web.--- For the document on a SharePoint Online or OneDrive for Business site.--- In Excel, PowerPoint, and Word, when the document is stored on a site included in a DLP policy.-
-The email notification and policy tip explain why content conflicts with a DLP policy. If you choose, the email notification and policy tip can allow users to override a rule by reporting a false positive or providing a business justification. This can help you educate users about your DLP policies and enforce them without preventing people from doing their work. Information about overrides and false positives is also logged for reporting (see below about the DLP reports) and included in the incident reports (next section), so that the compliance officer can regularly review this information.
-
-Here's what a policy tip looks like in a OneDrive for Business account.
-
-![Policy tip for a document in a OneDrive account](../media/f9834d35-94f0-4511-8555-0fe69855ce6d.png)
-
- To learn more about user notifications and policy tips in DLP policies, see [Use notifications and policy tips](use-notifications-and-policy-tips.md).
-
-> [!NOTE]
-> The default behavior of a DLP policy, when there is no alert configured, is not to alert or trigger. This applies only to default information types. For custom information types, the system will alert even if there is no action defined in the policy.
>- #### Blocking and notifications in SharePoint Online and OneDrive for Business This table shows the DLP blocking and notification behavior for policies that are scoped to SharePoint Online and OneDrive for Business.
This table shows the DLP blocking and notification behavior for policies that ar
|- **Content is shared from Microsoft 365** </br>- **with people outside my organization** | - **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files** is selected </br>- **Block everyone** is selected | - **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected </br>- **Notify the user who sent, shared, or last modified the content** is selected | - **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |Notifications are sent when a file is shared with an external user and an external user access that file. | |- **Content is shared from Microsoft 365** |- **Restrict access or encrypt the content in Microsoft 365 locations** is selected </br>- **Block only people who were given access to the content through the "Anyone with the link" option** is selected. | - **User notifications** set to **On** </br>- **Notify users in Office 365 service with a policy tip** is selected. </br>- **Notify the user who sent, shared, or last modified the content** is selected |- **Send an alert to admins when a rule match occurs** set to **On** </br>- **Send alert every time an activity matches the rule** is selected </br>- **Use email incident reports to notify you when a policy match occurs** set to **On** |Notifications are sent as soon as a file is uploaded |
+#### Learn more URL
+
+Users may want to learn why their activity is being blocked. You can configure a site or a page that explains more about your policies. When you select **Provide a compliance URL for the end user to learn more about your organization's policies (available for Exchange workload only)**, and the user receives a policy tip notification in Outlook Win 32, the *Learn more* link will point to the site URL that you provide.
+This URL has priority over the global compliance URL configured with [Set-PolicyConfig -ComplainceURL](/powershell/module/exchange/set-policyconfig?view=exchange-ps&preserve-view=true ).
+
+> [!IMPORTANT]
+> You must configure the site or page that *Learn more* points to from scratch. Microsoft Purview doesn't provide this funcationality out of the box.
++ ### User overrides The intent of **User overrides** is to give users a way to bypass, with justification, DLP policy blocking actions on sensitive items in Exchange, SharePoint, OneDrive, or Teams so that they can continue their work. User overrides are enabled only when **Notify users in Office 365 services with a policy tip** is enabled, so user overrides go hand-in-hand with Notifications and Policy tips.
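Review bot: `-ComplainceURL` in the `Set-PolicyConfig` link text is misspelled ("Complaince"), so a reader who copies it will not match the documented parameter; correct it against the cmdlet reference. The same hunk has "funcationality" in the IMPORTANT note and a stray space before the closing parenthesis of the link URL (`preserve-view=true )`). The sentence "This URL has priority over the global compliance URL" is added without a blank line after the previous paragraph, so confirm it renders where intended.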
To learn more about user overrides, see:
- [View the justification submitted by a user for an override](view-the-dlp-reports.md#view-the-justification-submitted-by-a-user-for-an-override)
+#### Business justification X-Header
+
+When a user overrides a block with override action on an email, the override option and the text that they provide are stored in the [Audit log](/microsoft-365/compliance/audit-solutions-overview.md) and in the email X-header. To view the business justification overrides, open the [DLP false positives and overrides report](/microsoft-365/compliance/view-the-dlp-reports#view-the-justification-submitted-by-a-user-for-an-override) or you can [search the audit log in the compliance portal](audit-log-search.md) for `ExceptionInfo` value for the details. Here's an example of the audit log values:
+```xml
+{
+ "FalsePositive"; false,
+ "Justification"; My manager approved sharing of this content",
+ "Reason"; "Override",
+ "Rules": [
+ "<message guid>"
+ ]
+}
+```
+If you have a automated process that makes use of the business justification values, the process can access that information progamatically in the email X-header data.
+ ### Incident reports <!--DLP interacts with other M365 information protection services, like IR. Link this to a process outline for triaging/managing/resolving DLP incidents
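Review bot: The audit log sample is fenced as `xml` but is JSON, and it is not valid JSON: `"FalsePositive"; false,` and the two lines after it use `;` where `:` is needed, and the `Justification` value is missing its opening quote. Fix the sample and tag the fence `json`. The section is titled "Business justification X-Header" and tells automated processes to read the X-header, yet it never names the header or shows its format, so readers cannot act on it. Also correct "a automated" and "progamatically", confirm whether `Rules` really holds a `<message guid>`, and drop the `.md` extension from the site-absolute audit-log link.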
compliance Dlp Policy Tips Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-tips-reference.md
# Data Loss Prevention policy tips reference
-DLP policy tips in Outlook Web Access are supported for all the conditions, and actions that are applicable on Exchange workload in a DLP policy except the following:
+## DLP policy tips in Outlook Web Access
-**Conditions:**
+Policy tips in Outlook Web Access (OWA) are supported for these conditions and actions:
-- Recipient is a member of-- Header contains words or phrases-- Header matches patterns-- Message type is-- Content character set contains words-- Has sender overridden the policy tip-- Message size equals or is greater than-- Sender AD attribute contains words or phrases-- Sender AD attribute matches patterns-- Sender IP ranges-- Recipient AD attribute contains words or phrases-- Recipient AD attribute matches patterns
+### Conditions that support policy tips in Outlook Web Access
+
+- Content contains (SIT)
+- Content is shared from M365
+- Sender is a member of
+- Recipient Domain Is
+- Recipient is
+- Subject Contains Words or phrases
+- Sender is
+- Sender domain is
+- File extension is
+- Subject matches patterns
+- Subject or Body contains words or phrases
+- Doc or Attachment is password protected
- Document name contains words or phrases
+- Sender address contains words
+- Document size equals or is greater than
+- Subject or Body matches patterns
+- Recipient address contains words
+- Sender address matches patterns
- Document name matches patterns-- Document content contains words or phrases-- Document content matches patterns-- Any email attachment's content didn't complete scanning-- Any email attachment's content could not be scanned
+- Recipient address matches patterns
+- Message importance is
+- Any email attachment's content could not be scanned (DocIsUnsupported)
+- Document property is
-**Actions:**
+### Actions that support policty tips in Outlook Web Access
-- Forward the message for approval to senderΓÇÖs manager-- Forward the message for approval to specific approvers
+- Restrict access or encrypt the content in Microsoft 365 locations
+- Set headers
+- Remove header
- Redirect the message to specific users-- Add recipients to the To Box-- Add recipients to the Cc Box-- Add recipients to the Bcc Box-- Add the senderΓÇÖs manager as recipient-- Add HTML disclaimer-- Prepend email subject-- Remove O365 Message Encryption and rights protection
+- Forward the message for approval to sender's manager
+- Forward the message for approval to specific approvers
+- Add recipient to the To box
+- Add recipient to the Cc box
+- Add recipient to the Bcc box
+- Add the sender's manager as recipient
+- Removed O365 Message Encryption and rights protection
+- Prepend Email Subject
+- Add HTML Disclaimer
+- Modify Email Subject
+- Deliver the message to the hosted quarantine
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+<!--### Sensitive information types that support policy tips in Outlook Web Access-->
+ ## Outlook 2013 and later supports showing policy tips for only some conditions Currently, Outlook 2013 and later supports showing policy tips for policies that contain these conditions:
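Review bot: This change turns the lists from "supported except the following" into "supported for these", but many entries appear on both sides. The removed exception list of actions ("Forward the message for approval to sender's manager", "Add recipients to the To Box", "Add HTML disclaimer", "Prepend email subject" and others) reappears almost item for item under "Actions that support policy tips", and "Document name contains words or phrases", "Document name matches patterns" and "Any email attachment's content could not be scanned" now sit under the "Conditions that support" heading. Either the old list or the new one misstates Outlook Web Access behavior; confirm each carried-over item against the product before merging. Smaller points: "policty" in the actions heading, and "Removed O365 Message Encryption" should read "Remove".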
compliance Ediscovery Assign Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-assign-permissions.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 05/19/2023 audience: Admin
The primary eDiscovery-related role group in compliance portal is called **eDisc
## Before you assign permissions - You have to be a member of the *Organization Management* role group or be assigned the *Role Management* role to assign eDiscovery permissions in the compliance portal.- - You can use the [Add-RoleGroupMember](/powershell/module/exchange/Add-RoleGroupMember) cmdlet in Security & Compliance PowerShell to add a mail-enabled security group as a member of the *eDiscovery Managers* subgroup in the *eDiscovery Manager* role group. However, you can't add a mail-enabled security group to the *eDiscovery Administrators* subgroup. For details, see [More information](#more-information). ## Assign eDiscovery permissions 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a> and sign in using an account that can assign permissions.
-2. In the left pane, select **Permissions**.
-3. On the **Permissions & Roles** page, under **Microsoft Purview solutions**, select **Roles**.
-
- To go directly to this page, use <https://compliance.microsoft.com/compliancecenterpermissions>.
-
+2. In the left pane, select **Roles & scopes** > **Permissions**.
+3. On the **Permissions** page, under **Microsoft Purview solutions**, select **Roles**.
4. On the **Role groups for Microsoft Purview solutions** page, select **eDiscovery Manager**. 5. On the **eDiscovery Manager** flyout pane, do one of the following based on the eDiscovery permissions that you want to assign.
-
- **To make a user an eDiscovery
- - Next to **eDiscovery Manager**, select **Edit**.
- - On the **Choose eDiscovery Manager** wizard page, select ![Add Icon.](../media/ITPro-EAC-AddIcon.gif) **Add**.
- - Select the user (or users) you want to add as an eDiscovery manager, and then select **Add**.
- - When you're finished adding users, select **Done**.
- - On the **Editing Choose eDiscovery Manager** wizard page, select **Save** to save the changes to the eDiscovery Manager membership.
-
- **To make a user an eDiscovery Administrator:**
- - Next to **eDiscovery Administrator**, select **Edit**.
- - On the **Choose eDiscovery Administrator** page, select ![Add Icon.](../media/ITPro-EAC-AddIcon.gif) **Add**.
- - Select the user (or users) you want to add as an **eDiscovery Administrator**, and then **Add**.
- - When you're finished adding users, select **Done**.
- - On the **Editing Choose eDiscovery Administrator** wizard page, select **Save** to save the changes to the eDiscovery Administrator membership.
+
+ - Select **Edit**.
+ - On the **Manage eDiscovery Manager** page, select **Choose users**.
+ - Search and select the user (or users) you want to add as an *eDiscovery Manager*, and then select **Select**.
+ - Select **Next**.
+ - To assign a user (or users) to the *eDiscovery Administrator* role group, select **Choose users**.
+ - Search and select the user (or users) you want to add as an *eDiscovery Administrator*, and then select **Select**.
+ - Select **Next**.
+ - On the **Review the role group and finish** page, review the role group changes. Select **Save** to save the changes to the eDiscovery role groups.
> [!NOTE] > You can also use the **Add-eDiscoveryCaseAdmin** cmdlet to make a user an eDiscovery Administrator. However, the user must be assigned the *Case Management* role before you can use this cmdlet to make them an eDiscovery Administrator. For more information, see [Add-eDiscoveryCaseAdmin](/powershell/module/exchange/add-ediscoverycaseadmin).
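Review bot: Step 5 still says "do one of the following based on the eDiscovery permissions that you want to assign", but the replacement bullets are a single linear wizard flow (Edit, Choose users, Next, Choose users, Next, Save) rather than two alternatives; reword the lead-in or number the sub-steps. The new bullets call *eDiscovery Administrator* a "role group" and end with "eDiscovery role groups", while "Before you assign permissions" describes it as a subgroup of the *eDiscovery Manager* role group; keep one term. The change also drops the direct link to the permissions page without a replacement.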
For more information about holds, see:
### Manage review set tags
-This role lets users create, edit, and delete review set tags for cases they can access. Users will need to at least have the *Review* role and this role to [manage tags](/microsoft-365/compliance/tagging-documents#creating-and-applying-tags) during reviews.
+This role lets users create, edit, and delete review set tags for cases they can access. Users need to at least have the *Review* role and this role to [manage tags](/microsoft-365/compliance/tagging-documents#creating-and-applying-tags) during reviews.
### Preview
You can add role groups as members of eDiscovery (Standard) and eDiscovery (Prem
- [Get started with eDiscovery (Standard)](ediscovery-standard-get-started.md#step-5-optional-add-members-to-a-ediscovery-standard-case) - [Add or remove members from an eDiscovery (Premium) case](ediscovery-add-or-remove-members-from-a-case.md)
-With this requirement in mind, it's important to know that if a role is added or removed from a role group, then that role group will be automatically removed as a member of any case the role group is a member of. The reason for this is to protect your organization from inadvertently providing additional permissions to members of a case. Similarly, if a role group is deleted, it will be removed from all cases it was a member of.
+With this requirement in mind, it's important to know that if a role is added or removed from a role group, then that role group will be automatically removed as a member of any case the role group is a member of. The reason for this is to protect your organization from inadvertently providing additional permissions to members of a case. Similarly, if a role group is deleted, it is removed from all cases it was a member of.
Before you add or remove roles to a role group that may be a member of an eDiscovery case, you can run the following commands in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to get a list of cases the role group is a member of. After you update the role group, you add the role group back as a member of those cases.
compliance Ediscovery Premium Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-premium-get-started.md
f1.keywords:
Previously updated : 04/11/2023 Last updated : 05/19/2023 audience: Admin
Licensing for eDiscovery (Premium) requires the appropriate organization subscri
To access eDiscovery (Premium) or added as a member of an eDiscovery (Premium) case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal. Members of this role group can create and manage eDiscovery (Premium) cases. They can add and remove members, place custodians and content locations on hold, manage legal hold notifications, create and edit searches associated in a case, add search results to a review set, analyze data in a review set, and export and download from an eDiscovery (Premium) case.
-Complete the following steps to add users to the eDiscovery Manager role group:
-
-1. Go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">compliance portal</a>and sign in using the credentials for an admin account in your Microsoft 365 organization.
-2. On the **Permissions** page, select the **eDiscovery Manager** role group.
-3. On the eDiscovery Manager flyout page, select **Edit** next to the **eDiscovery Manager** section.
-4. On the **Choose eDiscovery Manager** page in the edit role group wizard, select **Choose eDiscovery Manager**.
-5. Select **Add** then select the checkbox for all users you want to add to the role group.
-6. Select **Add** to add the selected users, and then select **Done**.
-7. Select **Save** to add the users to the role group, and then select **Close** to complete the step.
-
-### More information about the eDiscovery Manager role group
-
-There are two subgroups in the eDiscovery Manager role group. The difference between these subgroups is based on scope.
--- **eDiscovery Manager**: Can view and manage the eDiscovery (Premium) cases they create or are a member of. If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the eDiscovery (Premium) page in the compliance center. In general, most people in your organization can be added to the eDiscovery Manager subgroup.--- **eDiscovery Administrator**: Can perform all case management tasks that an eDiscovery Manager can do. Additionally, an eDiscovery Administrator can:-
- - View all cases that are listed on the eDiscovery (Premium) page.
- - Manage any case in the organization after they add themselves as a member of the case.
- - Access and export case data for any case in the organization.
-
- Because of the broad scope of access, an organization should have only a few admins who are members of the eDiscovery Administrators subgroup.
-
-For more information about eDiscovery permissions and a description of each role that's assigned to the eDiscovery Manager role group, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+For step-by-step guidance to configure permissions for eDiscovery, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
## Step 3: Configure global settings for eDiscovery (Premium)
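Review bot: The removed "More information about the eDiscovery Manager role group" section was the only place on this page stating that eDiscovery Administrators can access and export case data for any case in the organization, and that only a few admins should be members of that subgroup. Before replacing it with the single link to ediscovery-assign-permissions.md, confirm that article states the same scope difference and the recommendation to keep the eDiscovery Administrators subgroup small. If it doesn't, keep a one-sentence summary here next to the link.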
For more information about setting up and using the attorney-client privilege de
## Step 4: Verify that required eDiscovery apps are enabled
-eDiscovery (Premium) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps are not enabled, you won't be able to access eDiscovery (Premium) view, filter, and search features.
+eDiscovery (Premium) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps aren't enabled, you won't be able to access eDiscovery (Premium) view, filter, and search features.
|**App**|**App ID**| |:|:|
compliance Ediscovery Standard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-standard-get-started.md
f1.keywords:
Previously updated : 04/11/2023 Last updated : 05/19/2023 audience: Admin
Licensing for eDiscovery (Standard) requires the appropriate organization subscr
## Step 2: Verify that required eDiscovery apps are enabled
-eDiscovery (Standard) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps are not enabled, you won't be able to access eDiscovery (Standard) view, filter, and search features.
+eDiscovery (Standard) requires the following Enterprise apps to be enabled in your Microsoft 365 or Office 365 organization. If these apps aren't enabled, you won't be able to access eDiscovery (Standard) view, filter, and search features.
|**App**|**App ID**| |:|:|
For more information about how to view and enable apps, see:
To access eDiscovery (Standard) or be added as a member of a eDiscovery (Standard) case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the compliance portal. Members of this role group can create and manage eDiscovery (Standard) cases. They can add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from a eDiscovery (Standard) case.
-Complete the following steps to add users to the eDiscovery Manager role group:
-
-1. Go to the compliance portal and sign in using the credentials for an admin account in your Microsoft 365 or Office 365 organization.
-2. On the <a href="https://go.microsoft.com/fwlink/p/?linkid=2173597" target="_blank">**Permissions**</a> page, select the **eDiscovery Manager** role group.
-3. On the eDiscovery Manager flyout page, select **Edit** next to the **eDiscovery Manager** section.
-4. On the **Choose eDiscovery Manager** page in the edit role group wizard, select **Choose Discovery Manager**.
-5. Select **Add** then select the checkbox for all users you want to add to the role group.
-6. Select **Add** to add the selected users, and then select **Done**.
-7. Select **Save** to add the users to the role group, and then select **Close** to complete the step.
-
-### More information about the eDiscovery Manager role group
-
-There are two subgroups in the eDiscovery Manager role group. The difference between these subgroups is based on scope.
--- **eDiscovery Manager**: Can view and manage the eDiscovery (Standard) cases they create or are a member of. If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the eDiscovery (Standard) page in the compliance center. In general, most people in your organization can be added to the eDiscovery Manager subgroup.--- **eDiscovery Administrator**: Can perform all case management tasks that an eDiscovery Manager can do. Additionally, an eDiscovery Administrator can:-
- - View all cases that are listed on the eDiscovery (Standard) page.
- - Manage any case in the organization after they add themselves as a member of the case.
- - Access and export case data for any case in the organization.
- - Remove members from an eDiscovery case. Only an eDiscovery Administrator can remove members from a case. Users who are members of the eDiscovery Manager subgroup can't remove members from a case, even if the user created the case.
-
- Because of the broad scope of access, an organization should have only a few admins who are members of the eDiscovery Administrators subgroup.
-
-For more information about eDiscovery permissions and a description of each role that's assigned to the eDiscovery Manager role group, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
+For step-by-step guidance to configure permissions for eDiscovery, see [Assign eDiscovery permissions](ediscovery-assign-permissions.md).
## Step 4: Create a eDiscovery (Standard) case
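Review bot: Among the removed bullets, "Only an eDiscovery Administrator can remove members from a case" is a restriction admins will run into, while the paragraph that remains above still says members of the eDiscovery Manager role group "can add and remove members". Check that ediscovery-assign-permissions.md documents the restriction, and consider qualifying the remaining sentence so the page doesn't overstate what the eDiscovery Manager subgroup can do.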
If you create a case in Step 3 and you're the only person who will use the case,
3. On the **Access & permissions** flyout page, under **Members**, select **Add** to add members to the case.
- You can also choose to add role groups as members of a case. Under **Role groups**, select **Add**. You can only assign the role groups that you are a member of to a case. That's because role groups control who can assign members to an eDiscovery case.
+ You can also choose to add role groups as members of a case. Under **Role groups**, select **Add**. You can only assign the role groups that you're a member of to a case. That's because role groups control who can assign members to an eDiscovery case.
4. In the list of people or role groups that can be added as members of the case, select to the left of the name of the people (or role groups) that you want to add. If you have a large list of people or role groups who can be added as members, use the **Search** box to search for a specific person or role group in the list.
compliance Microsoft 365 Compliance Center Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-permissions.md
The following Microsoft Purview compliance solutions support administrative unit
|**Solution**|**Configuration support**| |:--|:-|
-| [Data lifecycle management](data-lifecycle-management.md) | [Role groups, retention policies and retention label policies](get-started-with-data-lifecycle-management.md#support-for-administrative-units), and [adaptive scopes](purview-adaptive-scopes.md) |
-| [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) | Role groups and [DLP policies](/microsoft-365/compliance/dlp-create-deploy-policy) |
+| [Data lifecycle management](data-lifecycle-management.md) | [Role groups, retention policies, and retention label policies](get-started-with-data-lifecycle-management.md#support-for-administrative-units) |
+| [Data Loss Prevention (DLP)](/microsoft-365/compliance/dlp-learn-about-dlp) | Role groups and [DLP policies](/microsoft-365/compliance/dlp-create-deploy-policy) |
+| [Communication compliance](/microsoft-365/compliance/communication-compliance.md)|Adaptive scopes|
| [Records management](records-management.md) | [Role groups, retention policies, retention label policies](get-started-with-records-management.md#support-for-administrative-units), and [adaptive scopes](purview-adaptive-scopes.md)| | [Sensitivity labeling](/microsoft-365/compliance/sensitivity-labels) | [Role groups, sensitivity label policies, and auto-labeling policies](/microsoft-365/compliance/get-started-with-sensitivity-labels#support-for-administrative-units) |
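Review bot: The new Communication compliance row links to /microsoft-365/compliance/communication-compliance.md, a site-relative path with a .md extension. The other site-relative links in this table (for example /microsoft-365/compliance/dlp-learn-about-dlp) have no extension, and the .md form appears only on file-relative links such as records-management.md, so pick one form to make sure the link resolves. The same row leaves "Adaptive scopes" unlinked while the Records management row links it to purview-adaptive-scopes.md. The Data lifecycle management row also drops its adaptive scopes entry; confirm that removal is intended.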
frontline Virtual Appointments App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-app.md
You can configure options such as whether attendees can [join from a a desktop o
![Information icon](media/info.png) **This feature is now part of [Teams Premium](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams).**
-> [!NOTE]
-> We'll be providing unlimited SMS notifications through April 3, 2023 (previously March 1, 2023) for customers with Bookings licenses. As we get closer to the end of the promotion period, we'll provide more details on licensing requirements. Contact your account team or support to receive pricing details after the promotion period.
- Attendees need a valid United States, Canada, or United Kingdom phone number before they can receive SMS notifications. To send SMS notifications to attendees by default, turn on **Send them text messages**. Attendees will receive confirmation and reminder text messages that include the Teams meeting link and scheduled appointment details. They can opt out of receiving the messages by replying STOP, or resume receiving them by replying START.
security Before You Begin Defender Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md
This document outlines the key infrastructure requirements you must meet and imp
## Check if your environment meets licensing and access prerequisites
-Microsoft Defender Experts for Hunting is a separate service from your existing Defender products. Before enrolling in this service, make sure that you have the necessary license and access.
+Microsoft Defender Experts for Hunting is a separate service from your existing Defender products. Before enrolling in this service, make sure that you have the necessary license and access.
### Eligibility and licensing
-Defender Experts for Hunting customers will be assigned two Experts on Demand credits on the first of each month, which may be used to submit questions. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest.
+Defender Experts for Hunting customers are assigned two Ask Defender Experts (Experts on Demand) credits on the first of each month, which you can use to submit questions. You can still submit inquiries beyond your initial number of allocated credits. Unused credits expire 90 days from date of assignment or at the end of the subscription term, whichever is shortest.
For more information about Microsoft's commercial licensing terms, visit [this page](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
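Review bot: The added sentence "You can still submit inquiries beyond your initial number of allocated credits" leaves it unclear what the two monthly credits actually limit, since the next sentence still describes unused credits expiring. State what happens when a question is submitted without a credit, or link to where that is defined. The line also switches from "customers are assigned" to "you can use" mid-sentence, and "whichever is shortest" compares two dates, so "whichever is shorter" is the correct form.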
security Air About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md
During and after each automated investigation, your security operations team can
AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings: -- [Audit logging](../../compliance/turn-audit-log-search-on-or-off.md) (should be turned on)
+- [Verify audit logging is turned on](../../compliance/audit-log-enable-disable.md)
- [Anti-malware protection](protect-against-threats.md#part-1anti-malware-protection-in-eop) - [Anti-phishing protection](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365) - [Anti-spam protection](protect-against-threats.md#part-3anti-spam-protection-in-eop)
Microsoft 365 provides many built-in alert policies that help identify Exchange
|Email messages containing malicious URL removed after delivery|**Informational**|This alert is generated when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).| |Email messages containing phish URLs are removed after delivery|**Informational**|This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [ZAP](zero-hour-auto-purge.md).| |Suspicious email sending patterns are detected|**Medium**|This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. <p> Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](responding-to-a-compromised-email-account.md).|
-|A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted Users portal in Microsoft 365](removing-user-from-restricted-users-portal-after-spam.md).|
+|A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md).|
|Admin triggered manual investigation of email|**Informational**|This alert is generated when an admin triggers the manual investigation of an email from Threat Explorer. This alert notifies your organization that the investigation was started.| |Admin triggered user compromise investigation|**Medium**|This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.|
security Attack Simulation Training Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md
If you use distribution groups or mail-enabled security groups to target users,
### Attack simulation training reports do not contain any activity details
-Attack simulation training comes with rich, actionable insights that keep you informed of the threat readiness progress of your employees. If Attack simulation training reports aren't populated with data, verify that audit log search is turned on in your organization (it's on by default).
+Attack simulation training comes with rich, actionable insights that keep you informed of the threat readiness progress of your employees. If Attack simulation training reports aren't populated with data, verify that audit logging is turned on in your organization (it's on by default).
-Audit log search is required by Attack simulation training so events can be captured, recorded, and read back. Turning off audit log search has the following consequences for Attack simulation training:
+Audit logging is required by Attack simulation training so events can be captured, recorded, and read back. Turning off audit logging has the following consequences for Attack simulation training:
- Reporting data isn't available across all reports. The reports will appear empty. - Training assignments are blocked, because data isn't available.
-To turn on audit log search, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+To verify that audit logging is on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
> [!NOTE] > Empty activity details can also be caused by no E5 licenses being assigned to users. Verify at least one E5 license is assigned to an active user to ensure that reporting events are captured and recorded.
security Connectors Remove Blocked https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md
Title: Remove blocked connectors from the Restricted entities portal in Microsoft 365
+ Title: Remove blocked connectors from the Restricted entities page in Microsoft 365
f1.keywords: - NOCSH
- m365-security - tier2
-description: Learn how to remove blocked connectors in Microsoft 365 Defender.
+description: Admins can learn how to remove connectors from the Restricted entities page in the Microsoft 365 Defender portal. Connectors are added to the Restricted entities page after signs of compromise.
search.appverid: met150 Previously updated : 12/01/2022 Last updated : 5/19/2023
-# Remove blocked connectors from the Restricted entities portal
+# Remove blocked connectors from the Restricted entities page
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
Last updated 12/01/2022
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-If an inbound connector is detected as potentially compromised, it is restricted from sending any relaying email. The connector is then added to the **Restricted entities** page in the Microsoft 365 Defender portal. When the connector is used to send email, the message is returned in a non-delivery report (also known as an NDR or bounced message) with the error code 550;5.7.711 and the following text:
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, several things happen if an [inbound connector](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow) is detected as potentially compromised:
-> Your message couldn't be delivered. The most common reason for this is that your organization's email connector is suspected of sending spam or phish and it's no
-> longer allowed to send email. Contact your email admin for assistance.
-> Remote Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'
+- The connector is prevented from sending or relaying email.
+- The connector is added to the **Restricted entities** page in the Microsoft 365 Defender portal.
-Admins can remove connectors from the Restricted entities page in Microsoft 365 Defender or in Exchange Online PowerShell.
+ A _restricted entity_ is a **user account** or a **connector** that's blocked from sending email due to indications of compromise, which typically includes exceeding message receiving and sending limits.
-## Learn more on restricted entities
+- If the connector is used to send email, the message is returned in a non-delivery report (also known as an NDR or bounced message) with the error code `550;5.7.711` and the following text:
-A restricted entity is an entity that has been blocked from sending email because either it has been potentially compromised, or it has exceeded a sending limit.
+> Your message couldn't be delivered. The most common reason for this is that your organization's email connector is suspected of sending spam or phish and it's no longer allowed to send email. Contact your email admin for assistance. Remote Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'
-There are two types of restricted entities:
+For more information about compromised connectors and how to regain control of them, see [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
-- **Restricted users**: For more information about why a user can be restricted and how to handle restricted users, see [Remove blocked users from the Restricted entities portal](removing-user-from-restricted-users-portal-after-spam.md).
+The procedures in this article explain how admins can remove connectors from the **Restricted entities** page in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
-- **Restricted connectors**: Learn about why a connector can be restricted and how to handle restricted connectors (this article).
+For more information about compromised _user accounts_ and how to remove them from the **Restricted entities** page, see [Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md).
## What do you need to know before you begin?
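Review bot: The quoted NDR text (the `+>` line) is not indented under the third bullet that introduces it, unlike the continuation paragraph "A _restricted entity_ is ..." under the second bullet, so it will likely render as a top-level blockquote that ends the list. Indent it to the bullet's level. In the restricted entity definition, "indications of compromise, which typically includes" should be "which typically include". Also, "exceeding message receiving and sending limits" is broader than the removed wording "exceeded a sending limit"; confirm that a receiving limit applies here.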
There are two types of restricted entities:
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):
- - _Remove connectors from the Restricted entities portal_: Membership in the **Organization Management** or **Security Administrator** role groups.
- - _Read-only access to the Restricted entities portal_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
+ - _Remove connectors from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups.
+ - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -- Before you remove the connector from the Restricted entities portal, be sure to follow the required steps to regain control of the connector. For more information, see [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
+- Before you follow the procedures in this article to remove a connector from the **Restricted entities** page, be sure to follow the required steps to regain control of the connector as described in [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
-## Use the Microsoft 365 Defender portal to remove a connector from the Restricted entities list
+## Remove a connector from the Restricted entities page in the Microsoft 365 Defender portal
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted entities**. To go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted entities**. Or, to go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
-2. On the **Restricted entities** page, find and select the connector that you want to unblock by clicking on the connector.
+2. On the **Restricted entities** page, identify the connector to unblock. The **Entity** value is **Connector**.
-3. Click the **Unblock** action that appears.
+ Select a column header to sort by that column.
-4. In the **Unblock entity** flyout that appears, read the details about the restricted connector. You should go through the recommendations to ensure you're taking the proper actions in case the connector is compromised.
+ To change the list of entities from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-5. When you're finished, click **Unblock**.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific connectors.
+
+3. Select the connector to unblock by selecting the check box for the entity, and then selecting the **Unblock** action that appears on the page.
+
+4. In the **Unblock entity** flyout that opens, read the details about the restricted connector. You should go through the recommendations to ensure you're taking the proper actions in case the connector is compromised.
+
+ When you're finished in the **Unblock entity** flyout, select **Unblock**.
> [!NOTE] > It might take up to 1 hour for all restrictions to be removed from the connector. ## Verify the alert settings for restricted connectors
-The default alert policy named **Suspicious connector activity** will automatically notify admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
+The default alert policy named **Suspicious connector activity** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
> [!IMPORTANT]
-> For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpoliciesv2>.
+
+2. On the **Alert policy** page, find the alert named **Suspicious connector activity**. You can sort the alerts by name, or use the ::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find the alert.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**.
+ Select the **Suspicious connector activity** alert by clicking anywhere in the row other than the check box next to the name.
-2. On the **Alert policy** page, find and select the alert named **Suspicious connector activity**. You can sort the policies by name, or use the **Search box** to find the policy.
+3. In the **Suspicious connector activity** flyout that opens, verify or configure the following settings:
+ - **Status**: Verify the alert is turned on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+ - Expand the **Set your recipients section** and verify the **Recipients** and **Daily notification limit** values.
-3. In the **Suspicious connector activity** flyout that appears, verify or configure the following settings:
- - **Status**: Verify the alert is turned on ![Toggle on.](../../media/scc-toggle-on.png).
- - **Email recipients**: Click **Edit** and verify or configure the following settings in the **Edit recipients** flyout that appears:
- - **Send email notifications**: Verify this is selected (**On**).
- - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global admin** members). To add more recipients, click on a blank area of the box. A list of recipients will appear, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by clicking ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to their name.
- - **Daily notification limit**: The limit is no more than 3 notifications per connector per day.
+ To change the values, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit recipient settings** in the section or select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit policy** at the top of the flyout.
- When you're finished, click **Save**.
+ - On the **Decide if you want to notify people when this alert is triggered** page of the wizard that opens, verify or change the following settings:
+ - Verify **Opt-in for email notifications** is selected.
+ - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global Administrator** members). To add more recipients, click in the empty area of the box. A list of recipients appears, and you can start typing a name to filter and select a recipient. Remove an existing recipient from the box by selecting :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to their name.
+ - **Daily notification limit**: The default value is **No limit**.
-4. Back on the **Suspicious connector activity** flyout, click **Close**.
+ When you're finished on the **Decide if you want to notify people when this alert is triggered** page, select **Next**.
-## Use Exchange Online PowerShell to view and remove connectors from the Restricted entities list
+ - On the **Review your settings** page, select **Submit**, and then select **Done**.
+
+4. Back in the **Suspicious connector activity** flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: at the top of the flyout.
+
+## Use Exchange Online PowerShell to view and remove connectors from the Restricted entities page
To view the list of connectors that are restricted from sending email, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
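Review bot: In step 2 of the alert settings procedure, the Search icon tag opens with two colons (`::image type="icon" ...`) instead of three, so it will render as literal text; every other icon tag in this change uses `:::image`. In the [!IMPORTANT] note, "audit logging must to be turned on" carries over the old typo and should read "must be turned on". In step 3, the bold span in "Expand the **Set your recipients section**" includes the word "section", which is probably not part of the UI label. The Daily notification limit text changes from "no more than 3 notifications per connector per day" to a default of **No limit**; confirm this matches the current default of the policy.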
To view details about a specific blocked connector, replace \<ConnectorID\> with
Get-BlockedConnector -ConnectorId <ConnectorID> | Format-List ```
-To remove a connector from the Restricted entities list, replace \<ConnectorID\> with the GUID value, and then run the following command:
+For detailed syntax and parameter information, see [Get-BlockedConnector](/powershell/module/exchange/get-blockedconnector).
+
+To remove a connector from the Restricted entities list, replace \<ConnectorID\> with the GUID value of the connector, and then run the following command:
```powershell Remove-BlockedConnector -ConnectorId <ConnectorID> ```
+For detailed syntax and parameter information, see [Remove-BlockedConnector](/powershell/module/exchange/remove-blockedconnector).
+ ## More information - [Respond to a compromised connector](connectors-detect-respond-to-compromise.md)
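Review bot: The rewritten sentence before the Remove-BlockedConnector command still says "Restricted entities list", while the section heading and the rest of this change rename it to "Restricted entities page". Use "page" here as well so the PowerShell section matches the new heading.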
security Detect And Remediate Illicit Consent Grants https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md
The script produces one file named Permissions.csv. Follow these steps to look f
After you have finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft 365 Defender portal](../../compliance/search-the-audit-log-in-security-and-compliance.md). > [!IMPORTANT]
-> [Mailbox auditing](../../compliance/enable-mailbox-auditing.md) and [Activity auditing for admins and users](../../compliance/turn-audit-log-search-on-or-off.md) must have been enabled prior to the attack for you to get this information.
+> [Mailbox auditing](../../compliance/audit-mailboxes.md) and [Activity auditing for admins and users](../../compliance/audit-log-enable-disable.md) must have been enabled prior to the attack for you to get this information.
## How to stop and remediate an illicit consent grant attack
security Email Authentication Anti Spoofing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-anti-spoofing.md
The following examples show how SPF works in different situations. In these exam
SPF works best when the path from sender to receiver is direct, for example:
-![Diagram showing how SPF authenticates email when it is sent directly from server to server.](../../media/835c20a7-ed4c-49c4-91fe-b8ebb3e452a1.jpg)
When woodgrovebank.com receives the message, if IP address #1 is in the SPF TXT record for contoso.com, the message passes the SPF check and is authenticated.
When woodgrovebank.com receives the message, if IP address #1 is in the SPF TXT
Suppose a phisher finds a way to spoof contoso.com:
-![Diagram showing how SPF authenticates email when it is sent from a spoofed server.](../../media/235dac3d-cdc5-466e-86e0-37b5979de198.jpg)
Since IP address #12 isn't in contoso.com's SPF TXT record, the message fails the SPF check and the receiver may choose to mark it as spam.
Since IP address #12 isn't in contoso.com's SPF TXT record, the message fails th
One drawback of SPF is that it doesn't work when an email has been forwarded. For example, suppose the user at woodgrovebank.com has set up a forwarding rule to send all email to an outlook.com account:
-![Diagram showing how SPF cannot authenticate email when the message is forwarded.](../../media/6e92acd6-463e-4a1b-8327-fb1cf861f356.jpg)
The message originally passes the SPF check at woodgrovebank.com but it fails the SPF check at outlook.com because IP #25 isn't in contoso.com's SPF TXT record. Outlook.com might then mark the message as spam. To work around this problem, use SPF with other email authentication methods such as DKIM and DMARC.
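Review bot: With the forwarding diagram removed, the remaining paragraph still refers to "IP #25", a label the visible text never introduces; the same applies to "IP address #1" and "IP address #12" in the two hunks above once their diagrams are deleted. If the images are being dropped on purpose, reword the three paragraphs so each names the sending server directly instead of a numbered IP address. Otherwise, replace the images with updated ones rather than deleting them.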
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
Make sure that the following requirements are met:
- Your organization has [Microsoft Defender for Office 365](defender-for-office-365.md) and [licenses are assigned to users](../../admin/manage/assign-licenses-to-users.md). -- [Audit logging](../../compliance/turn-audit-log-search-on-or-off.md) is turned on for your organization.
+- [Audit logging](../../compliance/audit-log-enable-disable.md) is turned on for your organization (it's on by default).
- Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See [Protect against threats in Office 365](protect-against-threats.md).
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft 365 Defender portal or
- The alert policy named **User restricted from sending email** notifies admins (via email and on the **Incidents & alerts** \> **View alerts** page). - Any recipients specified in the **Notify specific people if a sender is blocked due to sending outbound spam** setting in the policy are also notified. - The user is unable to send any more messages until the following day, based on UTC time. There's no way for the admin to override this block.
- - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the Microsoft 365 Defender portal, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
+ - **Restrict the user from sending mail**: Email notifications are sent, the user is added to **Restricted users** <https://security.microsoft.com/restrictedusers> in the Microsoft 365 Defender portal, and the user can't send email until they're removed from **Restricted users** by an admin. After an admin removes the user from the list, the user won't be restricted again for that day. For instructions, see [Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md).
- **No action, alert only**: Email notifications are sent. - **Forwarding rules** section: The setting in this section controls automatic email forwarding by **Exchange Online mailboxes** to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](outbound-spam-policies-external-email-forwarding.md).
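Review bot: In the updated **Restrict the user from sending mail** bullet, only the link text changed to "Restricted entities page"; the sentence still says the user is added to and removed from **Restricted users** and still links to <https://security.microsoft.com/restrictedusers>. The renamed article in this same update uses **Restricted entities** and <https://security.microsoft.com/restrictedentities>, so update the page name and URL in this bullet as well, or confirm that the old name and URL are intentionally kept.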
For detailed syntax and parameter information, see [Remove-HostedOutboundSpamFil
## For more information
-[Remove blocked users from the Restricted Users portal](removing-user-from-restricted-users-portal-after-spam.md)
+[Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md)
[High-risk delivery pool for outbound messages](outbound-spam-high-risk-delivery-pool-about.md)
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
To learn more, see [Permissions in the Microsoft 365 Defender portal](mdo-portal
### Turn on audit logging for reporting and investigation -- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, [email security reports](reports-email-security.md), and [Explorer](threat-explorer-about.md), audit logging must be *On*. To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
## Part 1 - Anti-malware protection in EOP
For more information about the recommended settings for Safe Attachments, see .[
- **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**: Turn on this setting (![Toggle on.](../../media/scc-toggle-on.png)). > [!IMPORTANT]
- > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization**. This action is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md)!
+ > **Before you turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, verify that audit logging is turned in your organization** (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
- **Turn on Safe Documents for Office clients**: Turn on this setting (![Toggle on.](../../medi). - **Allow people to click through Protected View even if Safe Documents identified the file as malicious**: Verify this setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)).
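Review bot: The added IMPORTANT line reads "verify that audit logging is turned in your organization", which is missing "on" after "turned"; the wording was carried over from the removed line and is worth fixing while the sentence is being edited. The rewrite also drops the statement that this action is typically done by someone who has the Audit Logs role assigned in Exchange Online. If that requirement still applies, keep it or confirm the linked article covers it.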
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
Title: Remove blocked users from the Restricted users portal
+ Title: Remove blocked users from the Restricted entities page
f1.keywords: - NOCSH
ms.assetid: 712cfcc1-31e8-4e51-8561-b64258a8f1e5
- m365-security - tier2
-description: Admins can learn how to remove users from the Restricted users page in the Microsoft 365 Defender portal. Users are added to the Restricted users portal for sending outbound spam, typically as a result of account compromise.
+description: Admins can learn how to remove user accounts from the Restricted entities page in the Microsoft 365 Defender portal. Users are added to the Restricted entities page for sending outbound spam, typically as a result of account compromise.
- seo-marvel-apr2020 Previously updated : 1/31/2023 Last updated : 5/19/2023
-# Remove blocked users from the Restricted users portal in Microsoft 365
+# Remove blocked users from the Restricted entities page
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
Last updated 1/31/2023
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-If a user exceeds one of the outbound sending limits as specified in [the service limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or in [outbound spam policies](outbound-spam-policies-configure.md), the user is restricted from sending email, but they can still receive email.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, several things happen if a user exceeds the [outbound sending limits of the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or the [limits in outbound spam policies](outbound-spam-policies-configure.md):
-The user is added to the **Restricted users** page in the Microsoft 365 Defender portal. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
+- The user is restricted from sending email, but they can still receive email.
+- The user is added to the **Restricted entities** page in the Microsoft 365 Defender portal.
+
+ A _restricted entity_ is a **user account** or a **connector** that's blocked from sending email due to indications of compromise, which typically includes exceeding message receiving and sending limits.
+
+- If the user tries to send email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the error code [5.1.8](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-1-8-in-exchange-online) and the following text:
> "Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that > your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for > assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender."
-Admins can remove users from the **Restricted users** page in the Microsoft 365 Defender or in Exchange Online PowerShell.
-
-## Learn more on Restricted entities
-
-A restricted entity is an entity that has been blocked from sending email because either it has been potentially compromised, or it has exceeded a sending limit.
+For more information about compromised user accounts and how to regain control of them, see [Responding to a compromised email account](responding-to-a-compromised-email-account.md).
-There are two types of restricted entities:
+The procedures in this article explain how admins can remove user accounts from the **Restricted entities** page in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
-- **Restricted user**: Learn about why a user can be restricted and how to handle restricted users (this article).--- **Restricted connector**: For more information about why a connector can be restricted and how to handle restricted connectors, see [Remove blocked connectors from the Restricted entities portal](connectors-remove-blocked.md).
+For more information about compromised _connectors_ and how to remove them from the **Restricted entities** page, see [Remove blocked connectors from the Restricted entities page](connectors-remove-blocked.md).
## What do you need to know before you begin?
There are two types of restricted entities:
- You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft 365 Defender role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac): **configuration/security (manage)** or **configuration/security (read)**. Currently, this option requires membership in the Microsoft 365 Defender Preview program. - [Exchange Online RBAC](/exchange/permissions-exo/permissions-exo):
- - _Add, modify, and delete policies_: Membership in the **Organization Management** or **Security Administrator** role groups.
- - _Read-only access to policies_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
+ - _Remove user accounts from the Restricted entities page_: Membership in the **Organization Management** or **Security Administrator** role groups.
+ - _Read-only access to the Restricted entities page_: Membership in the **Global Reader**, **Security Reader**, or **View-Only Organization Management** role groups.
- [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. -- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you remove the user from the Restricted users portal, be sure to follow the required steps to regain control of their account. For more information, see [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
+- A sender exceeding the outbound email limits is an indicator of a compromised account. Before you follow the procedures in this article to remove a user from the **Restricted entities** page, be sure to follow the required steps to regain control of the account as described in [Responding to a compromised email account in Office 365](responding-to-a-compromised-email-account.md).
+
+## Remove a user from the Restricted entities page in the Microsoft 365 Defender portal
+
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted entities**. Or, to go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
-## Use the Microsoft 365 Defender portal to remove a user from the Restricted users list
+2. On the **Restricted entities** page, identify the user account to unblock. The **Entity** value is **Mailbox**.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Review** \> **Restricted users**. To go directly to the **Restricted users** page, use <https://security.microsoft.com/restrictedusers>.
+ Select a column header to sort by that column.
-2. On the **Restricted users** page, find and select the user that you want to unblock by clicking on the user.
+ To change the list of entities from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-3. Click the **Unblock** action that appears.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific connectors.
-4. In the **Unblock user** flyout that appears, read the details about the restricted account. You should go through the recommendations to ensure you're taking the proper actions in case the account is compromised.
+3. Select the user to unblock by selecting the check box for the entity, and then selecting the **Unblock** action that appears on the page.
- When you're finished, click **Next**.
+4. In the **Unblock user** flyout that opens, read the details about the restricted account on the **Overview** page. Verify that you've gone through the suggestions in the **Recommendations** section to confirm that the account isn't compromised or to regain control of the account.
-5. The next screen has recommendations to help prevent future compromise. Enabling multi-factor authentication (MFA) and resetting the password are a good defense.
+ When you're finished on the **Overview** page, select **Next**.
- When you're finished, click **Submit**.
+5. On the **Unblock user page**, consider the recommendations and use the links in the **Multi-factor authentication** and **Change password** sections to **Enable MFA** and **Reset the user's password** if you haven't done these steps already. Enabling MFA and resetting the password are a good defense against future account compromise.
-6. Click **Yes** to confirm the change.
+ When you're finished on the **Unblock user page**, select **Submit**.
+
+6. Select **Yes** in the warning dialog that opens.
> [!NOTE] > Under most circumstances, all restrictions should be removed from the user within one hour. Transient technical issues might cause a longer wait time, but the total wait should be no longer than 24 hours. ## Verify the alert settings for restricted users
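Review bot: The added search step says "find specific connectors", but this procedure unblocks user accounts (step 2 states the **Entity** value is **Mailbox**), so the sentence looks copied from the connectors article; change it to "find specific users". Two smaller points in the same procedure: the first added step ("In the Microsoft 365 Defender portal at ...") has no "1." while the next added line starts at "2.", and "**Unblock user page**" in step 5 puts "page" inside the bold, unlike "**Overview** page" in step 4.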
-The default alert policy named **User restricted from sending email** will automatically notify admins when users are blocked from sending outbound mail. You can verify these settings and add additional users to notify. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
+The default alert policy named **User restricted from sending email** automatically notifies admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
> [!IMPORTANT]
-> For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+> For alerts to work, audit logging must to be turned on (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. Or, to go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpoliciesv2>.
+
+2. On the **Alert policy** page, find the alert named **User restricted from sending email**. You can sort the alerts by name, or use the ::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find the alert.
+
+ Select the **User restricted from sending email** alert by clicking anywhere in the row other than the check box next to the name.
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**. To go directly to the **Alert policy** page, use <https://security.microsoft.com/alertpolicies>.
+3. In the **User restricted from sending email** flyout that opens, verify or configure the following settings:
+ - **Status**: Verify the alert is turned on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+ - Expand the **Set your recipients section** and verify the **Recipients** and **Daily notification limit** values.
-2. On the **Alert policy** page, find and select the alert named **User restricted from sending email**. You can sort the policies by name, or use the **Search** box to find the policy.
+ To change the values, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit recipient settings** in the section or select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit policy** at the top of the flyout.
-3. In the **User restricted from sending email** flyout that appears, verify or configure the following settings:
- - **Status**: Verify the alert is turned on ![Toggle on.](../../media/scc-toggle-on.png).
- - **Email recipients**: Click **Edit** and verify or configure the following settings in the **Edit recipients** flyout that appears:
- - **Send email notifications**: Verify this is selected (**On**).
- - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global admin** members). To add more recipients, click in a blank area of the box. A list of recipients will appear, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by clicking ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to their name.
- - **Daily notification limit**: The default value is **No limit** but you can select a limit for the maximum number of notifications per day.
+ - On the **Decide if you want to notify people when this alert is triggered** page of the wizard that opens, verify or change the following settings:
+ - Verify **Opt-in for email notifications** is selected.
+ - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global Administrator** members). To add more recipients, click in the empty area of the box. A list of recipients appears, and you can start typing a name to filter and select a recipient. Remove an existing recipient from the box by selecting :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to their name.
+ - **Daily notification limit**: The default value is **No limit**.
- When you're finished, click **Save**.
+ When you're finished on the **Decide if you want to notify people when this alert is triggered** page, select **Next**.
-4. Back on the **User restricted from sending email** flyout, click **Close**.
+ - On the **Review your settings** page, select **Submit**, and then select **Done**.
-## Use Exchange Online PowerShell to view and remove users from the Restricted users list
+4. Back in the ***User restricted from sending email** flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: at the top of the flyout.
-To view this list of users that are restricted from sending email, run the following command:
+## Use Exchange Online PowerShell to view and remove users from the Restricted entities page
+
+To view this list of users that are restricted from sending email, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
```powershell Get-BlockedSenderAddress
Get-BlockedSenderAddress
To view details about a specific user, replace \<emailaddress\> with their email address and run the following command: ```powershell
-Get-BlockedSenderAddress -SenderAddress <emailaddress>
+Get-BlockedSenderAddress -SenderAddress <emailaddress> | Format-List
``` For detailed syntax and parameter information, see [Get-BlockedSenderAddress](/powershell/module/exchange/get-blockedsenderaddress).
Remove-BlockedSenderAddress -SenderAddress <emailaddress>
``` For detailed syntax and parameter information, see [Remove-BlockedSenderAddress](/powershell/module/exchange/remove-blockedsenderaddress).+
+## More information
+
+- [Responding to a compromised email account](responding-to-a-compromised-email-account.md)
+- [Remove blocked connectors from the Restricted entities page](connectors-remove-blocked.md)
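Review bot: In the "Verify the alert settings for restricted users" section, the rewritten sentence says the **User restricted from sending email** policy notifies admins "when connectors are blocked from relaying email"; the policy name and the removed line both describe users blocked from sending mail, so this reads as text pasted from the connectors article and should say users. The added lines in that section also have three markup or grammar slips: "::image type="icon"" in step 2 is missing a leading colon, "***User restricted from sending email**" in step 4 opens with three asterisks and closes with two, and "audit logging must to be turned on" should read "must be turned on".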
security Responding To A Compromised Email Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md
Last updated 1/31/2023
-# Responding to a Compromised Email Account
+# Responding to a compromised email account
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
Last updated 1/31/2023
**Summary** Learn how to recognize and respond to a compromised email account in Microsoft 365.
-## What is a Compromised Email Account in Microsoft 365?
- Access to Microsoft 365 mailboxes, data and other services, is controlled by using credentials, for example a user name and password or PIN. When someone other than the intended user steals those credentials, the stolen credentials are considered to be compromised. With them the attacker can sign in as the original user and perform illicit actions.
-Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending emails as the original user to recipients both inside and outside of the organization. When the attacker emails data to external recipients, this is called data exfiltration.
+Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending email as the original user to recipients both inside and outside of the organization. When the attacker email data to external recipients, this is called data exfiltration.
-## Symptoms of a Compromised Microsoft Email Account
+## Symptoms of a compromised Microsoft email account
Users might notice and report unusual activity in their Microsoft 365 mailboxes. Here are some common symptoms: -- Suspicious activity, such as missing or deleted emails.-- Other users might receive emails from the compromised account without the corresponding email existing in the **Sent Items** folder of the sender.-- The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the **Notes**, **Junk Email**, or **RSS Subscriptions** folders.
+- Suspicious activity, such as missing or deleted email.
+- Other users might receive email from the compromised account without the corresponding email existing in the **Sent Items** folder of the sender.
+- The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward email to unknown addresses or move them to the **Notes**, **Junk Email**, or **RSS Subscriptions** folders.
- The user's display name might be changed in the Global Address List. - The user's mailbox is blocked from sending email. - The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as "I'm stuck in London, send money."
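Review bot: The replacement of "emails" with "email" also changed a verb: the added line reads "When the attacker email data to external recipients", which should remain "emails data". In the added inbox rules bullet, "forward email to unknown addresses or move them to" now has "them" referring to the singular "email"; use "move it" or "move messages" so the pronoun agrees.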
Even after you've regained access to your account, the attacker may have added b
You must do all the following steps to regain access to your account the sooner the better to make sure that the hijacker doesn't resume control your account. These steps help you remove any back-door entries that the hijacker may have added to your account. After you do these steps, we recommend that you run a virus scan to make sure that your computer isn't compromised.
-### Step 1 Reset the user's password
+### Step 1: Reset the user's password
Follow the procedures in [Reset a business password for someone](../../admin/add-users/reset-passwords.md#reset-my-admin-password).
Follow the procedures in [Reset a business password for someone](../../admin/add
> > - We highly recommended that you enable Multi-Factor Authentication (MFA) in order to prevent compromise, especially for accounts with administrative privileges. To learn more about MFA, go to [Set up multi-factor authentication](../../admin/security-and-compliance/set-up-multi-factor-authentication.md).
-### Step 2 Remove suspicious email forwarding addresses
+### Step 2: Remove suspicious email forwarding addresses
1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, go to **Users** \> **Active users**. To go directly to the **Active users** page, use <https://admin.microsoft.com/Adminportal/Home#/users>.
Follow the procedures in [Reset a business password for someone](../../admin/add
4. If the value in the **Email forwarding** section is **Applied**, click **Manage email forwarding**. In the **Manage email forwarding** flyout that appears, clear **Forward all email sent to this mailbox**, and then click **Save changes**.
-### Step 3 Disable any suspicious inbox rules
+### Step 3: Disable any suspicious inbox rules
1. Sign in to the user's mailbox using Outlook on the web.
Follow the procedures in [Reset a business password for someone](../../admin/add
4. Disable or delete suspicious rules.
-### Step 4 Unblock the user from sending mail
+### Step 4: Unblock the user from sending mail
If the suspected compromised mailbox was used illicitly to send spam email, it's likely that the mailbox has been blocked from sending mail.
-To unblock a mailbox from sending mail, follow the procedures in [Removing a user from the Restricted Users portal after sending spam email](removing-user-from-restricted-users-portal-after-spam.md).
+To unblock a mailbox from sending mail, follow the procedures in [Remove blocked users from the Restricted entities page](removing-user-from-restricted-users-portal-after-spam.md).
### Step 5 Optional: Block the user account from signing-in
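Review bot: Steps 1 through 4 gain a colon after the step number, but the Step 5 heading is left as "### Step 5 Optional: Block the user account from signing-in", so the headings are no longer parallel. Update it in the same change, for example to "### Step 5 (Optional): Block the user account from signing-in", so all five step headings follow one pattern.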
security Safe Attachments For Spo Odfb Teams Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive
- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [SharePoint Administrator](/azure/active-directory/roles/permissions-reference#sharepoint-administrator) roles in Azure AD. -- Verify that audit logging is enabled for your organization. For more information, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+- Verify that audit logging is enabled for your organization (it's on by default). For instructions, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
- Allow up to 30 minutes for the settings to take effect.
You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive
3. In the **Global settings** flyout that opens, go to the **Protect files in SharePoint, OneDrive, and Microsoft Teams** section.
- Move the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** toggle to the right ![Toggle on.](../../media/scc-toggle-on.png) to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
+ Move the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** toggle to the right :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
When you're finished in the **Global settings** flyout, select **Save**.
security Siem Integration With Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md
The following table summarizes the values of **AuditLogRecordType** that are rel
> [!IMPORTANT] > You must have either the global administrator or Security Administrator role assigned in the Microsoft 365 Defender portal to set up SIEM integration with Microsoft Defender for Office 365. For more information, see [Permissions in the Microsoft 365 Defender portal](mdo-portal-permissions.md). >
-> Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+> Audit logging must be turned on for your Microsoft 365 environment (it's on by default). To verify that audit logging is turned on or to turn it on, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
## See also
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
A SIEM server can receive data from a wide variety of Microsoft 365 services and
### Audit logging must be turned on
-Make sure that audit logging is turned on before you configure SIEM server integration.
+Make sure that audit logging is turned on before you configure SIEM server integration:
-- For SharePoint Online, OneDrive for Business, and Azure Active Directory, see [Turn auditing on or off](../../compliance/turn-audit-log-search-on-or-off.md).-- For Exchange Online, see [Manage mailbox auditing](../../compliance/enable-mailbox-auditing.md).
+- For SharePoint Online, OneDrive for Business, and Azure Active Directory, see [Turn auditing on or off](../../compliance/audit-log-enable-disable.md).
+- For Exchange Online, see [Manage mailbox auditing](../../compliance/audit-mailboxes.md).
## Integration steps if your SIEM is Microsoft Sentinel
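Review bot: The new lead-in ending in a colon, "before you configure SIEM server integration:", is followed by two bullets that point to two different auditing articles (one for SharePoint Online, OneDrive for Business, and Azure Active Directory, one for Exchange Online), but nothing says whether both must be checked or only the one for the workload being forwarded. State that each setting applies to its own workload and should be checked for every data source the SIEM server will receive. The other two articles touched in this batch add "(it's on by default)" to the same prerequisite; add it here too or drop it there so the three pages agree.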
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
After a few moments, the block entry will appear on the **URL** tab on the **Ten
For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.
- - **Allow entry note**: EEnter optional information about why you're allowing and submitting this email message.
+ - **Allow entry note**: Enter optional information about why you're allowing and submitting this email message.
For spoofed senders, any value you enter here is not shown in the allow entry on the **Spoofed senders** tab on the **Tenant Allow/Block List**.
syntex Difference Between Document Understanding And Form Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/difference-between-document-understanding-and-form-processing-model.md
Use the following table to see differences in custom models to help identify the
| Integrate with managed metadata | Yes, by training entity extractor referencing a configured managed metadata field. | No | No | | Compliance feature integration with Microsoft Purview Information Protection | Set published retention labels.<br>Set published sensitivity labels. | Set retention labels is coming. <br>Set sensitivity labels is coming. | Set published retention labels. <br>Set sensitivity labels is coming. | | Supported regions| Available in all regions. | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). |
-| Transactional cost | Not applicable | Uses AI Builder credits.<br>3,500 credits are included for each Syntex license per month.<br>1 million credits will allow processing of 2,000 file pages. | Uses AI Builder credits.<br>3,500 credits are included for each Syntex license per month.<br>1 million credits will allow processing of 2,000 file pages. |
+| Transactional cost | Not applicable | Uses AI Builder credits.<br>3,500 credits are included for each Syntex license per month.<br>1 million credits will allow processing of 10,000 file pages. | Uses AI Builder credits.<br>3,500 credits are included for each Syntex license per month.<br>1 million credits will allow processing of 10,000 file pages. |
| Capacity | No capacity restrictions. | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Uses the default Power Platform environment (custom environments with Dataverse database supported). | | Supported languages| Models work on all Latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. | Current language support is for English. | Language support for [more than 100 languages](/ai-builder/form-processing-model-requirements#languages-supported). |
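Review bot: The figure in the "Transactional cost" row, "1 million credits will allow processing of 10,000 file pages", is hard-coded in two cells with no link to where the rate is defined, so any later change has to be found and corrected in both places again. Link the cell to the AI Builder licensing source, the way the "Supported regions" row links to Power Platform availability, and consider stating the rate once rather than repeating the sentence in both columns.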
syntex Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/set-up-content-understanding.md
As an admin, you can also make changes to your selected settings anytime after s
### Custom Power Platform environments
-If you plan to use a custom Power Platform environment, you must install the *AI Builder for Project Cortex* app in this environment. See [Manage Dynamics 365 apps](/power-platform/admin/manage-apps#install-an-app-in-the-environment-view) for details and look for the *AI Builder for Project Cortex* app in the list of Dynamics 365 apps.
+If you plan to use a custom Power Platform environment, you must install the *AI Builder for Project Cortex* app in this environment. See [Manage Dynamics 365 apps](/power-platform/admin/manage-apps#install-an-app-in-the-environment-view) for details and look for the *AI Builder for Project Cortex* app in the list of Dynamics 365 apps. The environment must not be of the Sandbox type.
You also need to [allocate AI Builder credits](/power-platform/admin/capacity-add-on) to the custom environment before you can create document processing models.
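Review bot: The appended sentence "The environment must not be of the Sandbox type." sits at the end of the paragraph, after the instruction to follow the "Manage Dynamics 365 apps" link, where a reader who has already started the install will miss it. State the restriction next to "If you plan to use a custom Power Platform environment" and phrase it directly, for example "Custom environments of the Sandbox type aren't supported." If the failure mode is known (the app can't be installed, or models can't be created), say so.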