Updates from: 05/27/2021 03:25:43
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Guest Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-guest-users.md
Title: "Guest users in the Microsoft 365 admin center" f1.keywords: - NOCSH--++ audience: Admin
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn how to create a team with guests in the Microsoft 365 admin center and how to join a team as a guest."
+description: "Learn how the Guest users list is populated in the Microsoft 365 admin center."
# Guest users in Microsoft 365 admin center
Once a user shows up in the **Guest users** list, you can remove their access th
To view guest users, in the Microsoft 365 admin center, in the left nav, expand **Users**, and then choose **Guest users**.
-## Watch: Create a team with guests
+## Before you begin
-To see how to add a guest to Teams, see the following video: <br><br>
+You must be a global administrator to perform this task.
+
+## Watch: Add guests to Teams
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp] ## Watch: Join a team as a guest
-To join a team as a guest, see the following video:<br><br>
- > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4tyys]
-## Add guests in Azure Active Directory
+## Steps: Add guests in Azure Active Directory
-To add guests in the Azure Active Directory, see [add guest users](/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal).
+To add guests in the Azure Active Directory, see [add guest users](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal).
After you add a user you can also assign them to a group, or give them access to an app in your organization. Once you have added a user in the Azure AD portal, that user will also be listed on the **Guest users** page in the Microsoft 365 admin center. After a user is added to the **Guest users** list, they can be [added to Groups](../create-groups/manage-guest-access-in-groups.md#add-guests-to-a-microsoft-365-group-from-the-admin-center) in the Microsoft 365 admin center.
-See [add guests in bulk](/azure/active-directory/b2b/tutorial-bulk-invite) to invite multiple guests to collaborate with your organization.
+See [add guests in bulk](https://docs.microsoft.com/azure/active-directory/b2b/tutorial-bulk-invite) to invite multiple guests to collaborate with your organization.
-## Remove a guest
+## Next steps: Remove a guest
+
+Once you're done collaborating with a guest user, you can remove them and they'll no longer have access to your organization.
1. In the Microsoft 365 admin center, expand **Users** and then choose **Guest users**.
-1. On the **Guest users** page, choose the user you want to remove and then choose **Delete a user**.
+1. On the **Guest users** page, choose the user you want to remove and then choose **Delete a user**.
-To remove users in the Azure AD portal, see [remove a guest user and resources](/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#clean-up-resources).
+To remove users in the Azure AD portal, see [remove a guest user and resources](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#clean-up-resources).
## Related content
-[Manage guest access in Microsoft 365 groups](../create-groups/manage-guest-access-in-groups.md) (article)\
-[Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team](../../solutions/per-group-guest-access.md) (article)
+[guest users in microsoft 365 admin center](about-guest-users.md)
+
+[prevent guests from being added to a specific microsoft 365 group or microsoft teams team](../../solutions/per-group-guest-access.md)
admin Assign Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/assign-admin-roles.md
If you found this video helpful, check out the [complete training series for sma
## Assign admin roles - You can assign users to a role in 2 different ways: - You can go to the user's details and **Manage roles** to assign a role to the user.
You can assign users to a role in 2 different ways:
### Assign a user to an admin role from Active users
-1. In the admin center, go to **Users** > [Active users](https://go.microsoft.com/fwlink/p/?linkid=834822) page.
-
-2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, under **Roles**, select **Manage roles**.
-3. Select the admin role that you want to assign to the user. If you don't see the role you're looking for, select **Show all** at the bottom of the list.
+1. In the admin center, go to **Users** > [Active users](https://go.microsoft.com/fwlink/p/?linkid=834822) page.
::: moniker-end
You can assign users to a role in 2 different ways:
1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, next to **Roles**, select **Edit**.
-
- If you don't see the **Edit** option, then you don't have a permission to edit and can't assign admin roles to other people. Ask a global admin in your business to assign roles for you. In a small business, the business owner (the person who purchased your subscription) is a global admin. In a large business, key people in the IT department are global admins.
-
-3. Select **Customized administrator** to see a list of roles we've customized for you. For a description of each role, see [About admin roles.](about-admin-roles.md)
- ::: moniker-end ::: moniker range="o365-21vianet" 1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, next to **Roles**, select **Edit**.
-
- If you don't see the **Edit** option, then you don't have a permission to edit and can't assign admin roles to other people. Ask a global admin in your business to assign roles for you. In a small business, the business owner (the person who purchased your subscription) is a global admin. In a large business, key people in the IT department are global admins.
-3. Select **Customized administrator** to see a list of roles we've customized for you. For a description of each role, see [About admin roles.](about-admin-roles.md)
+2. On the **Active users** page, select the user whose admin role you want to change. In the flyout pane, under **Roles**, select **Manage roles**.
+3. Select the admin role that you want to assign to the user. If you don't see the role you're looking for, select **Show all** at the bottom of the list.
## Assign admin roles to multiple users
If you know PowerShell, see [Assign roles to user accounts with PowerShell](../.
Use the following instructions to assign roles to tens of users. - ## Check admin roles in your organization You might not have the correct permissions to assign admin roles to other users. Check to make sure you have the correct permissions or ask another admin to assign roles for you.
You can check admin role permissions in 2 different ways:
- You can go to the user's details and look under **Roles** on the **Account** page. - Or you can go to **Roles** and select the admin role, and select assigned admins to see which users are assigned. - ## Related content [About Microsoft 365 admin roles](about-admin-roles.md) (article)\
admin Change A User Name And Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/change-a-user-name-and-email-address.md
You must be a [global admin](about-admin-roles.md) to do these steps.
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-
-2. Select the user's name, and then on the **Account** tab select **Manage username**.
-
-3. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list.
-
-4. Select **Save changes**.
-
::: moniker-end ::: moniker range="o365-germany" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Select the user. In the flyout pane, next to **Username / Email**, select **Edit**.
-
-3. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, you can choose the domain for the new email alias by using the drop-down list.
-
-4. Select **Save**.
- ::: moniker-end ::: moniker range="o365-21vianet" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the user. In the flyout pane, next to **Username / Email**, select **Edit**.
-
-3. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, you can choose the domain for the new email alias by using the drop-down list.
-4. Select **Save**.
+1. Select the user's name, and then on the **Account** tab select **Manage username**.
+
+1. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list.
+1. Select **Save changes**.
> [!IMPORTANT] > If you get an error message, see [Resolve error messages](#resolve-error-messages).
You must be a [global admin](about-admin-roles.md) to do these steps.
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-
-2. Select the user's name, and then on the **Account** tab select **Manage email aliases**.
-3. Select **Set as Primary** for the email address that you want to set as the primary email address for that person.
-
- > [!IMPORTANT]
- > You won't see this option to Set as Primary if you purchased Microsoft 365 from GoDaddy or another Partner service that provides a management console. Instead, sign in to the GoDaddy / partner's management console to set the primary alias.
- >
- > Also, you'll only see this option if you're a global admin. If you don't see the option, you don't have permissions to change a user's name and primary email address.
-
-4. You'll see a big yellow warning that you're about to change the person's sign-in information. Select **Save**, then **Close**.
-
-5. Give the person the following information:
-
- - This change could take a while.
-
- - Their new username. They'll need it to sign in to Microsoft 365.
-
- - If they are using Skype for Business Online, they must reschedule any Skype for Business Online meetings that they organized, and tell their external contacts to update their contact information.
-
- - If they are using OneDrive, the URL to this location has changed. If they have OneNote notebooks in their OneDrive, they might need to close and reopen them in OneNote. If they have shared files from their OneDrive, the links to the files might not work and the user can reshare.
-
- - If their password changed too, they are prompted to enter the new password on their mobile device, or it won't sync.
-
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the user. In the flyout pane, next to **Username / Email**, select **Edit**.
-
-3. Select **Set as Primary** for the email address that you want to set as the primary email address for that person.
-
- > [!IMPORTANT]
- > You won't see this option to Set as Primary if you purchased Microsoft 365 from GoDaddy or another Partner service that provides a management console. Instead, sign in to the GoDaddy / partner's management console to set the primary alias.
- >
- > Also, you'll only see this option if you're a global admin. If you don't see the option, you don't have permissions to change a user's name and primary email address.
-
-4. You'll see a big yellow warning that you're about to change the person's sign-in information. Select **Save**, then **Close**.
-
-5. Tell the person the following information:
-
- - This change may take a while to take effect.
-
- - What their new username is. They'll need it to sign in to Microsoft 365.
-
- - If they are using Skype for Business Online, tell them they will need to reschedule any Skype for Business Online meetings that they organized, and that they will need to tell their external contacts to update the old contact information.
-
- - If they are using OneDrive, tell them that the URL to this location has been changed. If they have OneNote notebooks in their OneDrive, then they may need to close and reopen them in OneNote. If they have shared files from their OneDrive, then the links to the files may not work and the user can reshare.
-
- - If their password changed too, tell them that they will be prompted to enter the new password on their mobile device, or it won't sync.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the user. In the flyout pane, next to **Username / Email**, select **Edit**.
+
+2. Select the user's name, and then on the **Account** tab select **Manage email aliases**.
3. Select **Set as Primary** for the email address that you want to set as the primary email address for that person.
You must be a [global admin](about-admin-roles.md) to do these steps.
4. You'll see a big yellow warning that you're about to change the person's sign-in information. Select **Save**, then **Close**.
-5. Tell the person the following information:
+5. Give the person the following information:
- - This change may take a while to take effect.
+ - This change could take a while.
- - What their new username is. They'll need it to sign in to Microsoft 365.
+ - Their new username. They'll need it to sign in to Microsoft 365.
- - If they are using Skype for Business Online, tell them they will need to reschedule any Skype for Business Online meetings that they organized, and that they will need to tell their external contacts to update the old contact information.
+ - If they are using Skype for Business Online, they must reschedule any Skype for Business Online meetings that they organized, and tell their external contacts to update their contact information.
- - If they are using OneDrive, tell them that the URL to this location has been changed. If they have OneNote notebooks in their OneDrive, then they may need to close and reopen them in OneNote. If they have shared files from their OneDrive, then the links to the files may not work and the user can reshare.
+ - If they are using OneDrive, the URL to this location has changed. If they have OneNote notebooks in their OneDrive, they might need to close and reopen them in OneNote. If they have shared files from their OneDrive, the links to the files might not work and the user can reshare.
- - If their password changed too, tell them that they will be prompted to enter the new password on their mobile device, or it won't sync.
-
+ - If their password changed too, they are prompted to enter the new password on their mobile device, or it won't sync.
## Change a user's display name
You must be a [global admin](about-admin-roles.md) to do these steps.
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the user's name, and then on the **Account** tab select **Manage contact information**.
-
-3. In the **Display name** box, type a new name for the person, and then select **Save**.
-
- If you get the error message "**We're sorry, the user couldn't be edited. Review the user information and try again**, see [Resolve error messages](#resolve-error-messages).
-
-It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the person will have to sign in to Outlook, Skype for Business and SharePoint with their updated username.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the user. In the flyout pane, next to **Contact information**, select **Edit**.
-
-3. In the **Display name** box, type a new name for the person, and then select **Save**.
-
- If you get the error message "**We're sorry, the user couldn't be edited. Review the user information and try again**, see [Resolve error messages](#resolve-error-messages).
-
-It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the person will have to sign in to Outlook, Skype for Business and SharePoint with their updated username, so be sure to tell them about this change.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end
It might take up to 24 hours for this change to take effect across all services.
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the user. In the flyout pane, next to **Contact information**, select **Edit**.
+
+2. Select the user's name, and then on the **Account** tab select **Manage contact information**.
3. In the **Display name** box, type a new name for the person, and then select **Save**. If you get the error message "**We're sorry, the user couldn't be edited. Review the user information and try again**, see [Resolve error messages](#resolve-error-messages).
-It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the person will have to sign in to Outlook, Skype for Business and SharePoint with their updated username, so be sure to tell them about this change.
--
+It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the person will have to sign in to Outlook, Skype for Business and SharePoint with their updated username.
+
## Resolve error messages ### "A parameter cannot be found that matches parameter name 'EmailAddresses"
admin Create Edit Or Delete A Custom User View https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/create-edit-or-delete-a-custom-user-view.md
You can also filter by additional user profile details used in your organization
::: moniker range="o365-worldwide" 1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a>.
-
-2. On the **Active users** page, select **Filters** and select **New filter**.
-3. On the **Custom filter** page, enter the name for your filter, choose the conditions for your custom filter, and then select **Add**. Your custom view is now included in the drop-down list of filters.
-
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a>.
-
-2. On the **Active users** page, select **Views** and select **Add custom view**.
-
-3. On the **Custom view** page, enter the name for your filter, choose the conditions for your custom filter, and then select **Add**. Your custom view is now included in the drop-down list of filters.
+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a>.
::: moniker-end - ::: moniker range="o365-21vianet"
-1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a>.
-
-2. On the **Active users** page, select **Views** and select **Add custom view**.
-
-3. On the **Custom view** page, enter the name for your filter, choose the conditions for your custom filter, and then select **Add**. Your custom view is now included in the drop-down list of filters.
+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a>.
::: moniker-end
+2. On the **Active users** page, select **Filters** and select **New filter**.
+
+3. On the **Custom filter** page, enter the name for your filter, choose the conditions for your custom filter, and then select **Add**. Your custom view is now included in the drop-down list of filters.
## Edit or delete a custom user view ::: moniker range="o365-worldwide" 1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a>.
-
-2. On the **Active users** page, select **Filter**, select the filter you want to change, and then select **Edit filter**.
-
- > [!TIP]
- > You can edit only custom views.
-
-3. On the **Custom filter** page, edit the information as needed, and then select **Save**. Or, to delete the filter, at the bottom of the page select **Delete**.
-
+ ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a>.
-
-2. On the **Active users** page, select **Views**, select the filter you want to change, and then select **Edit this view**.
-
- > [!TIP]
- > You can edit only custom views.
-
-3. On the **Custom view** page, edit the information as needed, and then select **Save**. Or, to delete the filter, at the bottom of the page select **Delete custom view**.
+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a>.
::: moniker-end
You can also filter by additional user profile details used in your organization
1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a>.
-2. On the **Active users** page, select **Views**, select the filter you want to change, and then select **Edit this view**.
+
+2. On the **Active users** page, select **Filter**, select the filter you want to change, and then select **Edit filter**.
> [!TIP] > You can edit only custom views.
-3. On the **Custom view** page, edit the information as needed, and then select **Save**. Or, to delete the filter, at the bottom of the page select **Delete custom view**.
+3. On the **Custom filter** page, edit the information as needed, and then select **Save**. Or, to delete the filter, at the bottom of the page select **Delete**.
+## Related content
+
+[Overview of the Microsoft 365 admin center](../../business-video/admin-center-overview.md) (video)\
+[About admin roles](../add-users/about-admin-roles.md) (video)\
+[Customize the Microsoft 365 theme for your organization](../setup/customize-your-organization-theme.md) (article)
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
Since the guided experience walks through the steps to delete a user, here's how
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the names of the users that you want to delete, select the three dots (more actions), and then choose **Delete user**.
-
- Although you deleted the user's account, **you're still paying for the license**. See the next procedure to stop paying for the license. Or, you can assign the license to another user. It won't be assigned to someone automatically.
- ::: moniker-end ::: moniker range="o365-germany" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. Select the names of the users that you want to delete, and in the **Bulk actions** pane, choose **Delete users**.
-
- Although you deleted the user's account, **you're still paying for the license**. See the next procedure to stop paying for the license. Or, you can assign the license to another user. It won't be assigned to someone automatically.
- ::: moniker-end ::: moniker range="o365-21vianet" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. Select the names of the users that you want to delete, and in the **Bulk actions** pane, choose **Delete users**.
+
+2. Select the names of the users that you want to delete, select the three dots (more actions), and then choose **Delete user**.
Although you deleted the user's account, **you're still paying for the license**. See the next procedure to stop paying for the license. Or, you can assign the license to another user. It won't be assigned to someone automatically. - ### Stop paying for the license Reducing the number of licenses is a separate step that can only be performed by the global admin or billing admin. ::: moniker range="o365-worldwide"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. If you don't see this option, you aren't a global admin or billing admin, and can't do this step.
-
-2. On the **Products** tab, select the subscription that you want to remove licenses for.
-
-3. On the subscription details page, select **Remove licenses**.
-
-4. In the **Remove licenses** pane, under **New quantity**, in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to remove five of them, enter 95.
-
-5. Select **Save**.
-
-Later when you go through the steps to add another person to your business, you'll be prompted to buy a license at the same time, with just one step!
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page. If you don't see this option, you aren't a global admin or billing admin, and can't do this step.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
-2. Select the subscription (if you have more than one) and then select **Add/Remove licenses** to delete the license so you don't pay for it until you hire another person.
- Later when you go through the steps to add another person to your business, you'll be prompted to buy a license at the same time, with just one step!
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end
+2. On the **Products** tab, select the subscription that you want to remove licenses for.
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page. If you don't see this option, you aren't a global admin or billing admin, and can't do this step.
+3. On the subscription details page, select **Remove licenses**.
-2. Select the subscription (if you have more than one) and then select **Add/Remove licenses** to delete the license so you don't pay for it until you hire another person.
+4. In the **Remove licenses** pane, under **New quantity**, in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to remove five of them, enter 95.
- Later when you go through the steps to add another person to your business, you'll be prompted to buy a license at the same time, with just one step!
+5. Select **Save**.
+Later when you go through the steps to add another person to your business, you'll be prompted to buy a license at the same time, with just one step!
## Delete many users at the same time
admin Admin Mobile App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/admin-mobile-app.md
If you're an admin and you're responsible for more than one Microsoft 365 organi
> [!IMPORTANT] > If you're having issues using the Admin mobile app on iOS or Android, email us at [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to let us know.+
+## Before you begin
+
+You must be an administrator in a Microsoft 365 organization to use the admin mobile app.
## Download the admin mobile app
From the left navigation menu, go to **Settings** > **Notifications**. You can m
### What do I do if my question isn't answered? Email [feedback365@microsoft.com](mailto:feedback365@microsoft.com) to report an issue with the app. Or you can give feedback at the bottom of this article.+
+## Next steps
+
+Once you've downloaded the admin mobile, you can add users to get you started.
-## Related content
+## Related content
-[Microsoft 365 for business training videos](../../business-video/index.yml) (link page)
+[Microsoft 365 for business training videos](../../business-video/index.yml)
admin Sign Up For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/sign-up-for-office-365.md
Last updated 03/17/2021
# How to sign up - Admin Help - Sign up for Microsoft 365 for business so that your team can begin using the latest versions of Word, Excel, PowerPoint, and other Office programs.
-
--
-Sign up for Microsoft 365 for business so your team can begin using the latest versions of Word, Excel, PowerPoint, and other Office programs.
-
::: moniker range="o365-21vianet"
-Office 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet. Microsoft does not operate the service itself. 21Vianet operates, provides, and manages delivery of the service. 21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local Microsoft datacenters to provide you the ability to use Microsoft services while keeping your data within China. 21Vianet also provides your subscription and billing services, as well as support.
+If you're in China, Office 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet. Microsoft does not operate the service itself. 21Vianet operates, provides, and manages delivery of the service. 21Vianet is the largest carrier-neutral Internet data center services provider in China, providing hosting, managed network services, and cloud computing infrastructure services. By licensing Microsoft technologies, 21Vianet operates local Microsoft datacenters to provide you the ability to use Microsoft services while keeping your data within China. 21Vianet also provides your subscription and billing services, as well as support.
> [!NOTE] > These services are subject to Chinese laws.
Ready to sign up? [Select a Plan](https://products.office.com/zh-cn/business/com
Before you buy, put some thought into the plan you sign up for. This will help prevent growing pains later.
-Watch a short video about choosing a Microsoft 365 for business plan.<br><br>
+## Watch: Choose a Microsoft 365 subscription
> [!VIDEO https://www.microsoft.com/videoplayer/embed/906be77d-ded6-48fb-a25f-da110f787282]
If you start with a free trial, you can [buy it later](../../commerce/try-or-buy
You don't need to cancel your trial. If you don't buy the trial subscription, it automatically expires at the end of the trial period, and all the information is permanently deleted.
-Watch a short video that shows the sign up process.<br><br>
+## Watch: Set up Microsoft 365 Business Premium
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]
admin Create A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/create-a-shared-mailbox.md
But what if an admin simply resets the password of the shared mailbox user accou
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. In the list of user accounts, find the account for the shared mailbox (for example, change the filter to **Unlicensed users**).
-
-3. Select the user to open their properties pane, and then select the **Block this user** icon ![Screen shot of the Block this user icon](../../media/block-user-icon.png).
-
- **Note**: If the account is already blocked, **Sign in blocked** will appear at the top and the icon will read **Unblock this user**.
-
-4. In the **Block this user?** pane, select **Block the user from signing in**, and then select **Save changes**.
- ::: moniker-end ::: moniker range="o365-germany" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-2. In the list of user accounts, find the account for the shared mailbox (for example, change the view to **Unlicensed users**) and then select the account.
-
-3. In the properties flyout, select **Block sign-in**.
-
- **Note:** If the account was already blocked, the button would say **Unblock sign-in**.
-
-4. In the **Edit sign-in status** flyout, verify that Block the user from signing in is selected, select **Save** and then **Close**.
- ::: moniker-end ::: moniker range="o365-21vianet" 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-2. In the list of user accounts, find the account for the shared mailbox (for example, change the view to **Unlicensed users**) and then select the account.
+1. In the list of user accounts, find the account for the shared mailbox (for example, change the filter to **Unlicensed users**).
-3. In the properties flyout, select **Block sign-in**.
+1. Select the user to open their properties pane, and then select the **Block this user** icon ![Screen shot of the Block this user icon](../../media/block-user-icon.png).
- **Note:** If the account was already blocked, the button would say **Unblock sign-in**.
+ **Note**: If the account is already blocked, **Sign in blocked** will appear at the top and the icon will read **Unblock this user**.
-4. In the **Edit sign-in status** flyout, verify that Block the user from signing in is selected, select **Save** and then **Close**.
+1. In the **Block this user?** pane, select **Block the user from signing in**, and then select **Save changes**.
For instructions on how to block sign-in for accounts using Azure AD PowerShell (including many accounts at the same time), see [Block user accounts with Office 365 PowerShell](../../enterprise/block-user-accounts-with-microsoft-365-powershell.md).
To learn more about shared mailboxes in Outlook, see:
- <a href="https://support.microsoft.com/office/b0963400-2a51-4c64-afc7-b816d737d164" target="_blank">Add rules to a shared mailbox</a> - ## Use a shared mailbox on a mobile device (phone or tablet) You can access a shared mailbox on a mobile device in two ways:
admin Change Nameservers At Any Domain Registrar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/change-nameservers-at-any-domain-registrar.md
Follow these instructions to add and set up your domain in Microsoft 365 so your
- You want Microsoft 365 to manage your DNS records for you. (If you prefer, you can [manage your own DNS records](../setup/add-domain.md).) ## Add a TXT or MX record for verification
-<a name="BKMK_verify"> </a>
> [!NOTE] > You will create only one or the other of these records. TXT is the preferred record type, but some DNS hosting providers don't support it, in which case you can create an MX record instead.
When Microsoft 365 finds the correct TXT record, your domain is verified.
3. On the **Setup** page, select **Start setup**.
-
4. On the **Verify domain** page, select **Verify**.
-
-
> [!NOTE] > Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see [Troubleshoot issues after changing your domain name or DNS records](../get-help-with-domains/find-and-fix-issues.md). ## Change your domain's nameserver (NS) records
-<a name="BKMK_nameservers"> </a>
When you get to the last step of the domains setup wizard in Microsoft 365, you have one task remaining. To set up your domain with Microsoft 365 services, like email, you change your domain's nameserver (or NS) records at your domain registrar to point to the Microsoft 365 primary and secondary nameservers. Then, because Microsoft 365 hosts your DNS, the required DNS records for your services are set up automatically for you. You can update the nameserver records yourself by following the steps your domain registrar may provide in the help content at their website. If you're not familiar with DNS, contact support at the domain registrar.
admin Remove A Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/remove-a-domain.md
Are you removing your domain because you want to add it to a different Microsoft
1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.
-2. Select **Users** > **Active users**.
-
-3. Select the boxes next to the names of all the users you want to move.
-
-4. At the top of the page, and then choose **Change domains**.
-
-5. In the **Change domains** pane, select a different domain.
-
-You'll need to do this for yourself, too, if you're on the domain that you want to remove. When you edit the domain for your account, you'll have to log out and log back in using the new domain you chose to continue.
- ::: moniker-end ::: moniker range="o365-germany" 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>.
-2. Select **Users** > **Active users**.
-
-3. Select the boxes next to the names of all the users you want to move.
-
-4. At the top of the page, choose **More** > **Edit domains**.
-
-5. In the **Edit domains** pane, select a different domain.
-
-You'll need to do this for yourself, too, if you're on the domain that you want to remove. When you edit the domain for your account, you'll have to log out and log back in using the new domain you chose to continue.
- ::: moniker-end ::: moniker range="o365-21vianet" 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>. + 2. Select **Users** > **Active users**. 3. Select the boxes next to the names of all the users you want to move.
-4. At the top of the page, choose **More** > **Edit domains**.
+4. At the top of the page, and then choose **Change domains**.
-5. In the **Edit domains** pane, select a different domain.
-
-You'll need to do this for yourself, too, if you're on the domain that you want to remove. When you edit the domain for your account, you'll have to log out and log back in using the new domain you chose to continue.
+5. In the **Change domains** pane, select a different domain.
+You'll need to do this for yourself, too, if you're on the domain that you want to remove. When you edit the domain for your account, you'll have to log out and log back in using the new domain you chose to continue.
#### Move yourself ::: moniker range="o365-worldwide"
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>.
-
-2. Go to **Users** \> **Active Users**, and select your account from the list.
-
-3. On the **Account** tab, select **Manage username**, and then choose a different domain.
-
-4. At the top, select your account name, then select **Sign Out**.
-
-5. Sign in with the new domain and your same password.
-
-You can also use PowerShell to move users to another domain. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0).
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.
::: moniker-end ::: moniker range="o365-germany"
-1. Go to **Users** \> **Active Users**, and select your name in the list.
-
-2. In the **Username / Email** section, select **Edit**, and then choose a different domain.
-
-3. Select **Set as primary** > **Save** > **Close**.
-
-4. At the top, select your account name, then select **Sign Out**.
-
-5. Sign in with the new domain and your same password.
-
-You can also use PowerShell to move users to another domain. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0).
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>.
::: moniker-end ::: moniker range="o365-21vianet"
-1. Go to **Users** \> **Active Users**, and select your name in the list.
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>.
-2. In the **Username / Email** section, select **Edit**, and then choose a different domain.
-3. Select **Set as primary** > **Save** > **Close**.
+2. Go to **Users** \> **Active Users**, and select your account from the list.
+
+3. On the **Account** tab, select **Manage username**, and then choose a different domain.
4. At the top, select your account name, then select **Sign Out**. 5. Sign in with the new domain and your same password.
-You can also use PowerShell to move users to another domain. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0).
-
+You can also use PowerShell to move users to another domain. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0&preserve-view=true) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0&preserve-view=true).
### Step 2: Move groups to another domain ::: moniker range="o365-worldwide" 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a> page.
-
-2. Select the group name, and then on the **General** tab under **Email address, Primary**, select **Edit**.
-
-3. Use the drop-down list to choose another domain.
-
-4. Select **Save**, then **Close**. Repeat this process for any groups or distribution lists associated with the domain that you want to remove.
::: moniker-end- ::: moniker range="o365-germany" 1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Groups** page.
-2. Select the group name, and then select **Edit** next to **Name**.
-
-3. Use the drop-down list to choose another domain.
-
-4. Select **Save**, then **Close**. Repeat this process for any groups or distribution lists associated with the domain that you want to remove.
- ::: moniker-end ::: moniker range="o365-21vianet" 1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Groups** page.
-2. Select the group name, and then select **Edit** next to **Name**.
+
+2. Select the group name, and then on the **General** tab under **Email address, Primary**, select **Edit**.
3. Use the drop-down list to choose another domain. 4. Select **Save**, then **Close**. Repeat this process for any groups or distribution lists associated with the domain that you want to remove. - ### Step 3: Remove the old domain ::: moniker range="o365-worldwide"
You can also use PowerShell to move users to another domain. See [Set-MsolUserPr
It can take as little as 5 minutes for Microsoft 365 to remove a domain if it's not referenced in a lot of places such as security groups, distribution lists, users, and Microsoft 365 groups. If there are many references that use the domain it can take several hours (a day) for the domain to be removed.
-If you have hundreds or thousands of users, use PowerShell to query for all users and then move them to another domain. Otherwise, it's possible for a handful of users to be missed in the UI, and then when you go to remove the domain, you won't be able to and you won't know why. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0).
+If you have hundreds or thousands of users, use PowerShell to query for all users and then move them to another domain. Otherwise, it's possible for a handful of users to be missed in the UI, and then when you go to remove the domain, you won't be able to and you won't know why. See [Set-MsolUserPrincipalName](/powershell/module/msonline/set-msoluserprincipalname?view=azureadps-1.0&preserve-view=true) for more information. To set the default domain, use [Set-MsolDomain](/powershell/module/msonline/set-msoldomain?view=azureadps-1.0&preserve-view=true).
## Still need help?
Still not working? Your domain might need to be manually removed. [Give us a cal
::: moniker-end +
+> [!NOTE]
+> You can't remove the [".onmicrosoft.de"](../setup/domains-faq.yml) domain from your account. When you remove a domain, user accounts will revert back to the ".onmicrosoft.de" address as the Primary SMTP/UserprincipalName.
+
+Still not working? Your domain might need to be manually removed. [Give us a call](../../business-video/get-help-support.md?view=o365-germany&preserve-view=true) and we'll help you take care of it!
+
++
+> [!NOTE]
+> You can't remove the [".partner.onmschina.cn"](../setup/domains-faq.yml) domain from your account. When you remove a domain, user accounts will revert back to the ".partner.onmschina.cn" address as the Primary SMTP/UserprincipalName.
+
+Still not working? Your domain might need to be manually removed. [Give us a call](../../business-video/get-help-support.md?view=o365-21vianet&preserve-view=true) and we'll help you take care of it!
+
+ ## Related content [Domains FAQ](../setup/domains-faq.yml) (article)\
admin Add Partner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/add-partner.md
An authorized partner of Microsoft who serves as your subscription advisor provi
::: moniker-end
-## Before you begin
-
-The partner you choose depends on the Microsoft services you use and the country or region where you'll use those services. If you are adding a partner, or changing the partner for your subscription, first you need to get the partner's Microsoft Partner ID by asking the partner for it.
+An authorized partner of Microsoft who serves as your subscription advisor provides the sales, support, and technical expertise you need to help you set up and maintain your subscription. You can add a subscription advisor partner as a partner of record when you purchase Office 365 or at another time. If you're not currently working with a partner, you can also find one on the [Microsoft Pinpoint](https://pinpoint.microsoft.com) website.
::: moniker-end
+## Before you begin
-An authorized partner of Microsoft who serves as your subscription advisor provides the sales, support, and technical expertise you need to help you set up and maintain your subscription. You can add a subscription advisor partner as a partner of record when you purchase Office 365 or at another time. If you're not currently working with a partner, you can also find one on the [Microsoft Pinpoint](https://pinpoint.microsoft.com) website.
+
+The partner you choose depends on the Microsoft services you use and the country or region where you'll use those services. If you are adding a partner, or changing the partner for your subscription, first you need to get the partner's Microsoft Partner ID by asking the partner for it.
::: moniker-end
As an admin for Office 365, you can create or edit users, reset user passwords,
## Add a partner at the time of purchase
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">**Purchase services**</a> page.
2. Select the product that you want to purchase, and then select **Buy**. 3. To add a new partner, expand **Need help with your order?** and select **Get assistance from a Microsoft Partner**.<br> Follow the steps on the providers page to either search for, or to get matched with a partner.
To accept this offer
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the subscriptions details page, under **Partner information**, select **Remove**.
-3. Type the **Microsoft Partner Network ID** for the new partner. You can get the partner's Microsoft Partner ID by asking the partner for it.
-4. Select **Add**.
-
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-2. If you have multiple subscriptions, select the name of the subscription that you want to edit.
-3. Under the **Partner ID**, select **Edit partner of record**.
-4. Type the new Microsoft Partner ID for the partner you're adding, select **Check ID**, and then **Submit**. You can get the partner's Microsoft Partner ID by asking the partner for it.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. If you have multiple subscriptions, select the name of the subscription that you want to edit.
-3. Under the **Partner ID**, select **Edit partner of record**.
-4. Type the new Microsoft Partner ID for the partner you're adding, select **Check ID**, and then **Submit**. You can get the partner's Microsoft Partner ID by asking the partner for it.
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end-
+2. On the subscriptions details page, under **Partner information**, select **Remove**.
+3. Type the **Microsoft Partner Network ID** for the new partner. You can get the partner's Microsoft Partner ID by asking the partner for it.
+4. Select **Add**.
+
## View your partner relationships - In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2074649" target="_blank">Partner relationships</a> page. Your partners are listed on this page.
To accept this offer
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, select the subscription that you want to edit.
-3. On the subscription details page, under **Partner information**, select **Remove**.
- ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-2. If you have multiple subscriptions, select the name of the subscription that you want to edit.
-3. Under the **Partner ID**, select **Edit partner of record**.
-4. On the **Partner information** page, clear the **partner ID** box, and then select **Submit**.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. If you have multiple subscriptions, select the name of the subscription that you want to edit.
-3. Under the **Partner ID**, select **Edit partner of record**.
-4. On the **Partner information** page, clear the **partner ID** box, and then select **Submit**.
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end
+2. On the **Products** tab, select the subscription that you want to edit.
+3. On the subscription details page, under **Partner information**, select **Remove**.
## Remove a reseller relationship - You can't remove a reseller relationship yourself.+ If you are removing a reseller relationship the **Delete** option is grayed out, and you will have to ask your reseller partner to follow these instructions: [Remove a reseller relationship with partner](/partner-center/remove-a-relationship). ::: moniker-end ::: moniker range="o365-germany"-
-You can't remove a reseller relationship yourself.
If you are removing a reseller relationship the **Delete** option is grayed out, and you will have to ask your reseller partner to follow these instructions: [Remove a reseller relationship with partner](/partner-center/remove-a-relationship). ::: moniker-end ::: moniker range="o365-21vianet"-
-You can't remove a reseller relationship yourself.
You will have to ask your reseller partner to follow these instructions: [Remove a reseller relationship with partner](/partner-center/remove-a-relationship).
admin Power Bi In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/power-bi-in-your-organization.md
If a tenant was created by Microsoft, you can claim and manage that tenant by fo
::: moniker range="o365-worldwide"
-3. Go to [https://admin.microsoft.com](https://admin.microsoft.com).
+3. Go to <a href="https://admin.microsoft.com" target="_blank">https://admin.microsoft.com</a>.
::: moniker-end ::: moniker range="o365-germany"
-3. Go to [https://portal.office.de](https://portal.office.de).
+3. Go to <a href="https://portal.office.de" target="_blank">https://portal.office.de</a>
::: moniker-end ::: moniker range="o365-21vianet"
-3. Go to [https://portal.partner.microsoftonline.cn](https://portal.partner.microsoftonline.cn).
+3. Go to <a href="https://portal.partner.microsoftonline.cn" target="_blank">https://portal.partner.microsoftonline.cn</a>.
::: moniker-end
bookings Add Staff https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/add-staff.md
audience: Admin
localization_priority: Normal description: "Use this page to create your staff list and to manage staff member details such as name, phone number, and email address."
description: "Use this page to create your staff list and to manage staff member
The Staff page in Bookings is where you create your staffing list and manage staff member details such as name, phone number, and email address. You can also set working hours for each staff member from here.
-## Add staff
+## Before you begin
Although Bookings is a feature of Microsoft 365, not all of your staff members are required to have a Microsoft 365 account. All staff members must have a valid email address so they can receive bookings and schedule changes.
-Watch this video or follow the steps below to add your staff.
+## Watch: Add your staff in Microsoft Bookings
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWuVka]
+## Steps
+ 1. Go to the [Manage staff page](https://outlook.office.com/bookings/staff) and select **Add staff** 2. Select the **Add Staff** button.
Watch this video or follow the steps below to add your staff.
> [!NOTE] > Only the first 31 staff members that you add to your staff page will appear when you assign staff members to a service.+
+## Next steps
+
+After you add staff members, you can [schedule business closures and time off](schedule-closures-time-off-vacation.md) and [set your scheduling policies](set-scheduling-policies.md).
+
+## Related content
+
+[Microsoft Bookings](bookings-overview.md)
+
+[Schedule business closures, time off, and vacation time](schedule-closures-time-off-vacation.md)
+
+[Set your scheduling policies](set-scheduling-policies.md)
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
To learn more about your bill or invoice, see [View your bill or invoice](view-y
::: moniker range="o365-worldwide"
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">**Billing accounts**</a> page.
::: moniker-end
commerce Manage Self Service Purchases Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users.md
Last updated 03/17/2021
# Manage self-service purchases (Users) -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see
-[About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- As a user, you can buy subscriptions to certain products and assign licenses for those subscriptions to people in your team. You are responsible for paying for any self-service purchases you make. You can manage your subscriptions in the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin.microsoft.com</a>. Your admin has a read-only view into any subscriptions that you buy. They can see the product, purchaser name, subscriptions purchased, expiry date, purchase price, and assigned users for each subscription that you buy.
Your admin has a read-only view into any subscriptions that you buy. They can se
You can view a list of all self-service purchased subscriptions that you bought. + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
2. On the **Products** tab, select the filter icon, then select **Self-service**. ## How to buy more or reduce licenses + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
2. On the **Products** tab, select the subscription that you want to buy more or reduce licenses for. 3. Choose **Buy licenses** or **Remove licenses**. 4. In the right pane, in the **Total licenses** box, enter the total number of licenses that you want for this subscription, then choose **Save**. For example, if you have 100 licenses and you want to add 5 more, enter 105.
You can view a list of all self-service purchased subscriptions that you bought.
### To assign licenses
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+:: moniker range="o365-worldwide"
+
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+++
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=848038" target="_blank">Licenses</a> page.
+++
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850625" target="_blank">Licenses</a> page.
+ 2. Choose the subscription that you want to assign licenses for. 3. Choose **Assign licenses**. 4. In the **Assign licenses to users** pane, begin typing a name, and then choose it from the results to add it to the list. You can add up to 20 users at a time.
You can view a list of all self-service purchased subscriptions that you bought.
### To unassign licenses
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+:: moniker range="o365-worldwide"
+
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
+++
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=848038" target="_blank">Licenses</a> page.
+++
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850625" target="_blank">Licenses</a> page.
+ 2. Choose the product that you want to unassign licenses for. 3. Choose the users that you want to unassign licenses from. 4. Choose **Unassign licenses**.
You can view a list of all self-service purchased subscriptions that you bought.
## Cancel a subscription + 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
+++
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
2. On the **Products** tab, find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**. 3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback you have. 4. Select **Save**.
compliance Classifier How To Retrain Comms Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-how-to-retrain-comms-compliance.md
- Title: "How to retrain a classifier in communications compliance"-- NOCSH--- Previously updated :--
-localization_priority: None
--- MOE150-- MET150
-description: "Learn how to provide feedback to a trainable classifier in Communications compliance."
--
-# How to retrain a classifier in communications compliance
-
-A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content by giving it samples to look at. Once trained, you can use it to identify item for application of Office sensitivity labels, communications compliance policies, and retention label policies.
-
-This article shows you how to improve the performance of custom trainable classifiers and some pre-trained classifiers by providing them additional feedback.
-
-To learn more about the different types of classifiers, see [Learn about trainable classifiers](classifier-learn-about.md).
-
-## Permissions
-
-To access classifiers in the Microsoft 365 Compliance center:
--- the Compliance admin role or Compliance Data Administrator is required to train a classifier-
-You'll need accounts with these permissions to use classifiers in these scenarios:
--- Communication compliance policy scenario: Insider Risk Management Admin, Supervisory Review Administrator -
-## Overall workflow
-
-> [!IMPORTANT]
-> You provide feedback in the compliance solution that is using the classifier as a condition. **If you don't have a communications compliance policy that uses a classifier as a condition, stop here.**
-
-As you use your classifiers, you may want to increase the precision of the classifications that they're making. You do this by evaluating the quality of the classifications made for items it has identified as being a match or not a match. After you make 30 evaluations for a classifier it takes that feedback and automatically retrains itself.
-
-To understand more about the overall workflow of retraining a classifier, see [Process flow for retraining a classifier](classifier-learn-about.md#retraining-classifiers).
-
-> [!NOTE]
-> A classifier must already be published and in use before it can be retrained.
-
-## How to retrain a classifier in communication compliance policies
-
-1. Open the Communication compliance policy that uses a classifier as a condition and choose one of the identified items from the **Pending** list.
-2. Choose the ellipsis and **Improve classification**.
-3. In the **Detailed feedback** pane, if the item is a true positive, choose, **Match**. If the item is a false positive, that is it was incorrectly included in the category, choose **Not a match**.
-4. If there is another classifier that would be more appropriate for the item, you can choose it from the **Suggest other trainable classifiers** list. This will trigger the other classifier to evaluate the item.
-
-> [!TIP]
-> You can provide feedback on multiple items simultaneously by choosing them all and then choosing **Provide detailed feedback** in the command bar.
-
-5. Choose **Send feedback** to send your evaluation of the `match`, `not a match` classifications and suggest other trainable classifiers. When you've provided 30 instances of feedback to a classifier, it will automatically retrain. Retraining can take from 1-4 hours. Classifiers can only be retrained twice per day.
-
-> [!IMPORTANT]
-> This information goes to the classifier in your tenant, **it does not go back to Microsoft**.
-
-6. Open the **Data classification** page in the **Microsoft 365 compliance center**.
-7. Open **Trainable classifiers**.
-8. The classifier that was used in your Communications compliance policy will appear under the **Re-training** heading.
-
-![classifier in retraining status](../media/classifier-retraining.png)
-
-9. Once retraining completes, choose the classifier to open the retraining overview.
-
-![classifier retraining results overview](../media/classifier-retraining-overview.png)
-
-10. Review the recommended action, and the prediction comparisons of the retrained and currently published versions of the classifier.
-11. If you satisfied with the results of the retraining, choose **Re-publish**.
-12. If you are not satisfied with the results of the retraining, you can choose to provide additional feedback to the classifier in the Communications compliance interface and start another retraining cycle or do nothing in which case the currently published version of the classifier will continue to be used.
-
-## Details on republishing recommendations
-
-Here is a little information on how we formulate the recommendation to re-publish a retrained classifier or suggest further retraining. This requires a little deeper understanding of how trainable classifiers work.
-
-After a retrain, we evaluate the classifier's performance on both the items with feedback as well as any items originally used to train the classifier.
--- For built-in models, items used to train the classifier are the items used by Microsoft to build the model.-- For custom models, items used in the original training the classifier are from the sites you had added for test and review.-
-We compare the performance numbers on both sets of items for the retrained and published classifier to provide a recommendation on whether there was improvement to republish.
-
-## See also
--- [Learn about trainable classifiers](classifier-learn-about.md)-- [Default crawled file name extensions and parsed file types in SharePoint Server](/sharepoint/technical-reference/default-crawled-file-name-extensions-and-parsed-file-types)
compliance Close Reopen Delete Core Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/close-reopen-delete-core-ediscovery-cases.md
Before you can delete a case (whether it's active or closed), you must first del
To delete an eDiscovery hold:
-1. Go the **Holds** tab in the case that you want to delete.
+1. Go to the **Holds** tab in the case that you want to delete.
2. Select the hold that you want to delete.
compliance Communication Compliance Investigate Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
After reviewing the message basics, it's time to open a message to examine the d
- **Source view**: This view is the standard message view commonly seen in most web-based messaging platforms. The header information is formatted in the normal style and the message body supports imbedded graphic files and word-wrapped text. If [optical character recognition (OCR)](communication-compliance-feature-reference.md#optical-character-recognition-ocr) is enabled for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view. - **Text view**: Text view displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms or keywords matched in the associated communication compliance policy. Keyword highlighting can help you quickly scan long messages and attachments for the area of interest. In some cases, highlighted text may be only in attachments for messages matching policy conditions. Keyword highlighting isn't supported for terms identified by built-in classifiers assigned to a policy. Embedded files aren't displayed and the line numbering this view is helpful for referencing pertinent details among multiple reviewers. - **Annotate view**: This view allows reviewers to add annotations directly on the message that are saved to the view of the message. If [OCR is enabled](communication-compliance-feature-reference.md#optical-character-recognition-ocr) for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view and may be annotated.
+- **Conversation view (preview)**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after an alert message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the conversation window. When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the alert message is identified.
- **User history**: User history view displays all other alerts generated by any communication compliance policy for the user sending the message. - **Pattern detected notification**: Many harassing and bullying actions over time and involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the alert details and raises attention to the alert. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the alert as appropriate. - **Show Translate view**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. The Translate view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft Translate services, the Translate view can be turned on and off as needed and supports a wide range of languages. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the Translate view.
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
audience: Admin
Last updated
-localization_priority: Priority
+localization_priority: Normal
- M365-security-compliance search.appverid: - MOE150 - MET150
-description: "Learn how to create, modify, remove, and test custom sensitive information types for DLP in the graphical user interface in Security & Compliance Center."
+description: "Learn how to create, modify, remove, and test custom sensitive information types for DLP in the Security & Compliance Center."
# Get started with custom sensitive information types
Use this procedure to create a new sensitive information type that you fully def
2. Fill in values for **Name** and **Description** and choose **Next**. 3. Choose **Create pattern**. You can create multiple patterns, each with different elements and confidence levels, as you define your new sensitive information type. 4. Choose the default confidence level for the pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.
-5. Choose and define **Primary element**. The primary element can be a **Regular expression** with an optional validator, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. For more information on DLP functions, see [What the DLP functions look for](what-the-dlp-functions-look-for.md).
+5. Choose and define **Primary element**. The primary element can be a **Regular expression** with an optional validator, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. For more information on DLP functions, see [What the DLP functions look for](what-the-dlp-functions-look-for.md). For more information on the date and the checksum validators, see [More information on regular expression validators](#more-information-on-regular-expression-validators).
6. Fill in a value for **Character proximity**.
-7. (Optional) Add supporting elements if you have any. Supporting elements can be a regular expression with an optional validator, a keyword list, a keyword dictionary or one of the pre-defined functions.
-8. (Optional) Add any [**additional checks**](#more-information-on-additional-checks) from the list of available checks.
+7. (Optional) Add supporting elements if you have any. Supporting elements can be a regular expression with an optional validator, a keyword list, a keyword dictionary or one of the pre-defined functions. Supporting elements can have their own **Character proximity** configuration.
+8. (Optional) Add any [**additional checks**](#more-information-on-additional-checks) from the list of available checks.
9. Choose **Create**. 10. Choose **Next**. 11. Choose the **recommended confidence level** for this sensitive information type.
You can also create custom sensitive information types by using PowerShell and E
- [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md) - [Create a custom sensitive information type for DLP with Exact Data Match (EDM)](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md)
+## More information on regular expression validators
+
+### Checksum validator
+
+If you need to run a checksum on a digit in a regular expression, you can use the *checksum validator*. For example, say you need to create a SIT for an eight digit license number where the last digit is a checksum digit that is validated using a mod 9 calculation. You've set up the checksum algorithm like this:
+
+Sum = digit 1 * Weight 1 + digit 2 * weight 2 + digit 3 * weight 3 + digit 4 * weight 4 + digit 5 * weight 5 + digit 6 * weight 6 + digit 7 * weight 7 + digit 8 * weight 8
+Mod value = Sum % 9
+If Mod value == digit 8
+ Account number is valid
+If Mod value != digit 8
+ Account number is invalid
+
+1. Define the primary element with this regular expression:
+
+`\d{8}`
+
+2. Then add the checksum validator.
+3. Add the weight values separated by commas, the position of the check digit and the Mod value. For more information on the Modulo operation, see [Modulo operation](https://en.wikipedia.org/wiki/Modulo_operation).
+
+> [!NOTE]
+> If the check digit is not part of the checksum calculation then use 0 as the weight for the check digit. For example, in the above case weight 8 will be equal to 0 if the check digit is not to be used for calculating the check digit. Modulo_operation).
+
+![screenshot of configured checksum validator](../media/checksum-validator.png)
+
+### Date validator
+
+If a date value that is embedded in regular expression is part of a new pattern you are creating, you can use the *date validator* to test that it meets your criteria. For example, say you want to create a SIT for a nine digit employee identification number. The first six digits are the date of hire in DDMMYY format and the last three are randomly generated numbers. To validate that the first six digits are in the correct format.
+
+1. Define the primary element with this regular expression:
+
+`\d{9}`
+
+2. Then add the date validator.
+3. Select the date format and the start offset. Since the date string is the first six digits, the offset is `0`.
+
+![screenshot of configured date validator](../media/date-validator.png)
+
+### Functional processors as validators
+
+You can use function processors for some of the most commonly used SITs as validators. This allows you to define your own regular expression while ensuring they pass the additional checks required by the SIT. For example, Func_India_Aadhar will ensure that the custom regular expression defined by you passes the validation logic required for Indian Aadhar card. For more information on DLP functions that can be used as validators, see [What the DLP functions look for](what-the-dlp-functions-look-for.md#what-the-dlp-functions-look-for).
+
+### Luhn check validator
+
+You can use the Luhn check validator if you have a custom Sensitive information type that includes a regular expression which should pass the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm).
+ ## More information on additional checks Here are the definitions and some examples for the available additional checks.
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
Often when you need to create a large dictionary, it's to use keywords from a fi
```powershell New-DlpKeywordDictionary -Name <name> -Description <description> -FileData $fileData ```-
-## Modifying an existing keyword dictionary
-
-You might need to modify keywords in one of your keyword dictionaries, or modify one of the built-in dictionaries. Currently, your can only update a custom keyword dictionary using PowerShell.
-
-For example, we'll modify some terms in PowerShell, save the terms locally where you can modify them in an editor, and then update the previous terms in place.
-
-First, retrieve the dictionary object:
-
-```powershell
-$dict = Get-DlpKeywordDictionary -Name "Diseases"
-```
-
-Printing `$dict` will show the various variables. The keywords themselves are stored in an object on the backend, but `$dict.KeywordDictionary` contains a string representation of them, which you'll use to modify the dictionary.
-
-Before you modify the dictionary, you need to turn the string of terms back into an array using the `.split(',')` method. Then you'll clean up the unwanted spaces between the keywords with the `.trim()` method, leaving just the keywords to work with.
-
-```powershell
-$terms = $dict.KeywordDictionary.split(',').trim()
-```
-
-Now you'll remove some terms from the dictionary. Because the example dictionary has only a few keywords, you could as easily skip to exporting the dictionary and editing it in Notepad, but dictionaries generally contain a large amount of text, so you'll first learn this way to edit them easily in PowerShell.
-
-In the last step, you saved the keywords to an array. There are several ways to [remove items from an array](/previous-versions/windows/it-pro/windows-powershell-1.0/ee692802(v=technet.10)), but as a straightforward approach, you'll create an array of the terms you want to remove from the dictionary, and then copy only the dictionary terms to it that aren't in the list of terms to remove.
-
-Run the command `$terms` to show the current list of terms. The output of the command looks like this:
-
-`aarskog's syndrome`
-`abandonment`
-`abasia`
-`abderhalden-kaufmann-lignac`
-`abdominalgia`
-`abduction contracture`
-`abetalipoproteinemia`
-`abiotrophy`
-`ablatio`
-`ablation`
-`ablepharia`
-`abocclusion`
-`abolition`
-`aborter`
-`abortion`
-`abortus`
-`aboulomania`
-`abrami's disease`
-
-Run this command to specify the terms that you want to remove:
-
-```powershell
-$termsToRemove = @('abandonment', 'ablatio')
-```
-
-Run this command to actually remove the terms from the list:
-
-```powershell
-$updatedTerms = $terms | Where-Object{ $_ -notin $termsToRemove }
-```
-
-Run the command `$updatedTerms` to show the updated list of terms. The output of the command looks like this (the specified terms have been removed):
-
-`aarskog's syndrome`
-`abasia`
-`abderhalden-kaufmann-lignac`
-`abdominalgia`
-`abduction contracture`
-`abetalipo proteinemia`
-`abiotrophy`
-`ablation`
-`ablepharia`
-`abocclusion`
-`abolition`
-`aborter`
-`abortion`
-`abortus`
-`aboulomania`
-`abrami's disease`
-```
-
-Now save the dictionary locally and add a few more terms. You could add the terms right here in PowerShell, but you'll still need to export the file locally to ensure it's saved with Unicode encoding and contains the BOM.
-
-Save the dictionary locally by running the following:
-
-```powershell
-Set-Content $updatedTerms -Path "C:\myPath\terms.txt"
-```
-
-Now open the file, add your other terms, and save with Unicode encoding (UTF-16). Now you'll upload the updated terms and update the dictionary in place.
-
-```powershell
-PS> Set-DlpKeywordDictionary -Identity "Diseases" -FileData (Get-Content -Path "C:myPath\terms.txt" -Encoding Byte -ReadCount 0)
-```
-
-Now the dictionary has been updated in place. The `Identity` field takes the name of the dictionary. If you wanted to also change the name of your dictionary using the `set-` cmdlet, you would just need to add the `-Name` parameter to what's above with your new dictionary name.
## Using keyword dictionaries in custom sensitive information types and DLP policies
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
4. All devices must be one of these: - [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join)-- AD joined - [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [AAD registered](/azure/active-directory/user-help/user-help-register-device-on-network)
compliance Filter Data When Importing Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/filter-data-when-importing-pst-files.md
f1.keywords:
Previously updated : 10/24/2017 Last updated : audience: Admin
description: "Learn how to filter data using the intelligent import feature in t
Use the new Intelligent Import feature in the Office 365 Import service to filter the items in PST files that actually get imported to the target mailboxes. Here's how it works: - After you create and submit a PST import job, PST files are uploaded to an Azure storage area in the Microsoft cloud.
-
+
- Microsoft 365 analyzes the data in the PST files, in a safe and secure manner, by identifying the age of the mailbox items and the different message types included in the PST files.
-
+
- When the analysis is complete and the data is ready to import, you have the option to import all data in the PST files as is or trim the data that's imported by setting filters that control what data gets imported. For example, you can choose to:
-
+
- Import only items of a certain age.
-
+
- Import selected message types.
-
+
- Exclude messages sent or received by specific people.
-
+
- After you configure the filter settings, Microsoft 365 imports only the data that meets the filtering criteria to the target mailboxes specified in the import job.
-
+
The following graphic shows the Intelligent Import process, and highlights the tasks you perform and the tasks performed by Office 365. ![The Intelligent Import process in Office 365](../media/f2ec309b-11f5-48f2-939c-a6ff72152d14.png)
The following graphic shows the Intelligent Import process, and highlights the t
After you've created a PST import job, follow these steps to filter the data before you import it to Office 365.
-1. Go to [https://protection.office.com/](https://protection.office.com/) and sign in using the credentials for an administrator account in your organization.
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. Click **Information governance** \> **Import** \> **Import PST files**.
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance** \> **Import**.
- The import jobs for your organization are listed on the **Import PST files** page. Note that the **Analysis completed** value in the **Status** column indicates the import jobs that have been analyzed by Microsoft 365 and are ready for you to import.
+ The import jobs for your organization are listed on the **Import** tab. The **Analysis completed** value in the **Status** column indicates the import jobs that have been analyzed by Microsoft 365 and are ready for you to import.
![Analysis complete status indicates Microsoft 365 has analyzed the data in PST files](../media/de5294f4-f0ba-4b92-a48a-a4b32b6da490.png)
-3. Click **Ready to import to Office 365** for the import job that you want to complete.
-
+3. Select the import job that you want to complete and click **Import to Office 365**.
+
A fly out page is displayed with information about the PST files and other information about the import job.
-
+ 4. Click **Import to Office 365**. The **Filter your data** page is displayed. It contains data insights about the data in the PST files for the import job, including information about the age of the data.
After you've created a PST import job, follow these steps to filter the data bef
![The Filter your data page shows data insights of the PST files for the import job](../media/3b537ec0-25a4-45a4-96d5-a429e2a33128.png) 5. Based on whether or not you want to trim the data that's imported to Microsoft 365, under **Do you want to filter your data?**, do one of the following:
-
+
a. Click **Yes, I want to filter it before importing** to trim the data that you import, and then click **Next**.
-
+
The **Import data to Office 365 page** page is displayed with detailed data insights from the analysis that Microsoft 365 performed.
-
+
![Microsoft 365 displays detailed data insights from its analysis of the PST files](../media/4881205f-0288-4c32-a440-37e2160295f2.png) The graph on this page shows the amount of data that will be imported. Information about each message type found in the PST files is displayed in the graph. You can hover the cursor over each bar to display specific information about that message type. There is also a drop-down list with different age values based on the analysis of the PST files. When you select an age in the drop-down list, the graph is updated to show how much data will be imported for the selected age.
-
+
b. To configure addition filters to reduce the amount of data that's imported, click **More filtering options**.
-
+
![Configure the filters on the More options page to trim the data that's imported](../media/3f8d68c3-3fe2-4b4e-9488-b368b98fa9fe.png) You can configure these filters:
-
+
- **Age** - Select an age so only items that are newer than the specified age will be imported. See the [More information](#more-information) section for a description about how Microsoft 365 determines the age buckets for the **Age** filter.
-
- - **Type** - This section shows all the message types that were found in the PST files for the import job. You can uncheck a box next to a message type that you want to exclude. Note that you can't exclude the Other message type. See the [More information](#more-information) section for a list of mailbox items that are included in the Other category.
-
+
+ - **Type** - This section shows all the message types that were found in the PST files for the import job. You can uncheck a box next to a message type that you want to exclude. You can't exclude the Other message type. See the [More information](#more-information) section for a list of mailbox items that are included in the Other category.
+
- **Users** - You can exclude messages that are sent or received by specific people. To exclude people who appear in the From: field, To: field, or the Cc: field of messages, click **Exclude users** next to that recipient type. Type the email address (SMTP address) of the person, click **Add**![New icon](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif) to add them to the list of excluded users for that recipient type, and then click **Save** to save the list of excluded users.
-
+
> [!NOTE] > Microsoft 365 doesn't show data insights that result from setting the **People** filter. However, if you set this filter to exclude messages sent or received by specific people, those messages will be excluded during the actual import process. c. Click **Apply** in the **More filtering options** fly out page to save your filter settings.
-
- The data insights on the **Import data to Office 365** page are updated based on your filter settings, including the total amount of data that will be imported based on the filter settings. Note that a summary of the filter settings is also shown. You can click **Edit** next to a filter to change the setting if necessary.
-
+
+ The data insights on the **Import data to Office 365** page are updated based on your filter settings, including the total amount of data that will be imported based on the filter settings. A summary of the filter settings is also shown. You can click **Edit** next to a filter to change the setting if necessary.
+
![The data insights are updated based on your filter settings](../media/897e20fb-3b13-44c3-9d56-9f330750f2a3.png) d. Click **Next**.
-
+
A status page is displayed showing your filter settings. Again, you can edit any of the filter settings.
-
- e. Click **Import data** to start the import . Note that the total amount of data that will be imported is displayed.
-
+
+ e. Click **Import data** to start the import. The total amount of data that will be imported is displayed.
+
Or
-
+
a. Click **No, I want to import everything** to import all data in the PST files to Office 365, and then click **Next**.
-
- b. On the **Import data to Office 365** page, click **Import data** to start the import. Note that the total amount of data that will be imported is displayed.
-
-6. On the **Import PST files** page, click **Refresh** ![refresh](../media/165fb3ad-38a8-4dd9-9e76-296aefd96334.png). The status for the import job is displayed in the **Status** column.
-
+
+ b. On the **Import data to Office 365** page, click **Import data** to start the import. The total amount of data that will be imported is displayed.
+
+6. On the **Import** tab, click **Refresh** ![refresh](../media/165fb3ad-38a8-4dd9-9e76-296aefd96334.png). The status for the import job is displayed in the **Status** column.
+
7. Click the import the job to display more detailed information, such as the status for each PST file and the filter settings that you configured.
-
## More information - How does Microsoft 365 determine the increments for the age filter? When Microsoft 365 analyzes a PST file, it looks at the sent or received time stamp of each item (if an item has both a sent and received timestamp, the oldest date is selected). Then Microsoft 365 looks at the year value for that timestamp and compares it to the current date to determine the age of the item. These ages are then used as the values in the drop-down list for the **Age** filter. For example, if a PST file has messages from 2016, 2015, and 2014, then values in the **Age** filter would be **1 year**, **2 years**, and **3 years**.
-
+
- The following table lists the message types that are included in the **Other** category in the **Type** filter on the **More options** fly out page (see Step 5b in the previous procedure). Currently, you can't exclude items in the "Other" category when you import PSTs to Office 365.
-
+
|**Message class ID**|**Mailbox items that use this message class**| |:--|:--| |IPM.Activity <br/> |Journal entries <br/> |
After you've created a PST import job, follow these steps to filter the data bef
|IPM.File <br/> |(same as IPM.Document) <br/> | |IPM.Note.IMC.Notification <br/> |Reports sent by Internet Mail Connect, which is the Exchange Server gateway to the Internet <br/> | |IPM.Note.Microsoft.Fax <br/> |Fax messages <br/> |
- |IPM.Note.Rules.Oof.Template.Microsoft <br/> |Out-of-office auto-reply messages <br/> |
+ |IPM.Note.Rules.Oof.Template.Microsoft <br/> |Out-of-office autoreply messages <br/> |
|IPM.Note.Rules.ReplyTemplate.Microsoft <br/> |Replies sent by an inbox rule <br/> | |IPM.OLE.Class <br/> |Exceptions for a recurring series <br/> | |IPM.Recall.Report <br/> |Message recall reports <br/> |
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
For information about governing your data, see [Microsoft Information Governance
> [!NOTE] > For information about classifying and labeling data in Azure Purview, currently in preview, see [Automatically label your content in Azure Purview](/azure/purview/create-sensitivity-label).
->
-> For release announcements for Azure Purview, see the following blog posts: [Microsoft Information Protection and Microsoft Azure Purview: Better Together](https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-microsoft-azure-purview/ba-p/1957481) and [Azure Purview at Spring Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/azure-purview-at-spring-ignite-2021/ba-p/2175919).
- To understand your data landscape and identify important data across your hybrid environment, use the following capabilities:
To help prevent accidental oversharing of sensitive information, use the followi
|[Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension (preview)](dlp-chrome-get-started.md)| |[Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-learn.md)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft 365 data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md)| |[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams (preview)](dlp-teams-default-policy.md)|+
+## Licensing requirements
+
+License requirements for MIP depend on the scenarios and features you use, rather than set licensing requirements for each capability listed on this page. To understand your licensing requirements and options for MIP, see the [Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection) section from the Microsoft 365 licensing documentation, and download the related PDF or Excel.
compliance Manage Information Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-Information-governance.md
To manage high-value content for legal, business, or regulatory obligations:
|Capability|What problems does it solve?|Get started| |:|:||:-|
-|[Records management](records-management.md)| A single solution for email and documents that incorporates retention schedules and requirements into a file plan that supports the full lifecycle of your content with records declaration, retention, and disposition <br /><br />Example scenario: [Disposition of records](disposition.md#disposition-of-records)|[Get started with records management](get-started-with-records-management.md) |
+|[Records management](records-management.md)| A single solution for email and documents that incorporates retention schedules and requirements into a file plan that supports the full lifecycle of your content with records declaration, retention, and disposition <br /><br />Example scenario: [Disposition of records](disposition.md#disposition-of-records)|[Get started with records management](get-started-with-records-management.md) |
+
+## Licensing requirements
+
+License requirements for Microsoft Information Governance depend on the scenarios and features you use, rather than set licensing requirements for each capability listed on this page. To understand your licensing requirements and options, see the [Information Governance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-governance) and [Records Management](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#records-management) sections from the Microsoft 365 licensing documentation, and download the related PDF or Excel.
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
description: "Administrators can enable sensitivity label support for Word, Exce
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*
-> [!NOTE]
-> There's a current issue that results in some labeled and encrypted files failing to open in Office on the web:
->
-> While we investigate an issue related to specific document properties, you won't be able to open many files in Office on the web. For these files, you can continue to open and edit them in your desktop and mobile Office apps. Or, do the following:
->
-> 1. Open the file in the Office desktop app.
-> 2. Remove the label that applies encryption.
-> 3. Save the file in the original location (SharePoint or OneDrive), and close the desktop app.
-> 4. Open the file in Office on the web, and reapply the original label that applies encryption.
->
-> Files that are labeled only in Office on the web aren't affected.
- Enable sensitivity labels for Office files in SharePoint and OneDrive so that users can apply your [sensitivity labels](sensitivity-labels.md) in Office for the web. When this feature is enabled, users will see the **Sensitivity** button on the ribbon so they can apply labels, and see any applied label name on the status bar. Enabling this feature also results in SharePoint and OneDrive being able to process the contents of files that have been encrypted by using a sensitivity label. The label can be applied in Office for the web, or in Office desktop apps and uploaded or saved in SharePoint and OneDrive. Until you enable this feature, these services can't process encrypted files, which means that coauthoring, eDiscovery, Data Loss Prevention, search, and other collaborative features won't work for these files.
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
## Limitations
+- SharePoint and OneDrive can't process some files that are labeled and encrypted from Office desktop apps when these files contain PowerQuery data, data stored by custom add-ins, or custom XML parts such as Cover Page Properties, content type schemas, custom Document Information Panel, and Custom XSN. This limitation also applies to files that have a [Document ID](https://support.microsoft.com/office/enable-and-configure-unique-document-ids-ea7fee86-bd6f-4cc8-9365-8086e794c984) added when they are uploaded.
+
+ For these files, either apply a label without encryption so that they can later be opened in Office on the web, or instruct users to open the files in their desktop apps. Files that are labeled and encrypted only in Office on the web aren't affected.
+ - SharePoint and OneDrive don't automatically apply sensitivity labels to existing files that you've already encrypted using Azure Information Protection labels. Instead, for the features to work after you enable sensitivity labels for Office files in SharePoint and OneDrive, complete these tasks:
- 1. Make sure you have [migrated the Azure Information Protection labels](/azure/information-protection/configure-policy-migrate-labels) to sensitivity labels and [published them](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) from the Microsoft 365 compliance center, or equivalent labeling admin center.
- 2. Download the files and then upload them to SharePoint.
+ 1. Make sure you have [migrated the Azure Information Protection labels](/azure/information-protection/configure-policy-migrate-labels) to sensitivity labels and [published them](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) from the Microsoft 365 compliance center.
+ 2. Download the labeled files and then upload them to their original location in SharePoint or OneDrive.
- SharePoint and OneDrive can't process encrypted files when the label that applied the encryption has any of the following [configurations for encryption](encryption-sensitivity-labels.md#configure-encryption-settings): - **Let users assign permissions when they apply the label** and the checkbox **In Word, PowerPoint, and Excel, prompt users to specify permissions** is selected. This setting is sometimes referred to as "user-defined permissions".
compliance Sit Modify Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-modify-keyword-dictionary.md
+
+ Title: "Modify a keyword dictionary"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++ Last updated :
+localization_priority: Normal
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+
+- seo-marvel-apr2020
+description: "Learn how to modify a keyword dictionary in the Microsoft 365 Compliance Center."
++
+# Modify a keyword dictionary
+
+You might need to modify keywords in one of your keyword dictionaries, or modify one of the built-in dictionaries. You can do this through PowerShell or through the Compliance center.
+
+## Modify a keyword dictionary in Compliance center
+
+Keyword dictionaries can be used as `Primary elements` or `Supporting elements` in sensitive information type (SIT) patterns. You can edit a keyword dictionary while creating a SIT or in an existing SIT. For example to edit an existing keyword dictionary:
+
+1. Open the pattern that has the keyword dictionary you want to update.
+2. Find the keyword dictionary you want to update and choose edit.
+3. Make your edits, using one keyword per line.
+
+![screenshot edit keywords](../media/edit-keyword-dictionary.png)
+
+4. Choose `Done`.
+
+## Modify a keyword dictionary using PowerShell
+
+For example, we'll modify some terms in PowerShell, save the terms locally where you can modify them in an editor, and then update the previous terms in place.
+
+First, retrieve the dictionary object:
+
+```powershell
+$dict = Get-DlpKeywordDictionary -Name "Diseases"
+```
+
+Printing `$dict` will show the various variables. The keywords themselves are stored in an object on the backend, but `$dict.KeywordDictionary` contains a string representation of them, which you'll use to modify the dictionary.
+
+Before you modify the dictionary, you need to turn the string of terms back into an array using the `.split(',')` method. Then you'll clean up the unwanted spaces between the keywords with the `.trim()` method, leaving just the keywords to work with.
+
+```powershell
+$terms = $dict.KeywordDictionary.split(',').trim()
+```
+
+Now you'll remove some terms from the dictionary. Because the example dictionary has only a few keywords, you could as easily skip to exporting the dictionary and editing it in Notepad, but dictionaries generally contain a large amount of text, so you'll first learn this way to edit them easily in PowerShell.
+
+In the last step, you saved the keywords to an array. There are several ways to [remove items from an array](/previous-versions/windows/it-pro/windows-powershell-1.0/ee692802(v=technet.10)), but as a straightforward approach, you'll create an array of the terms you want to remove from the dictionary, and then copy only the dictionary terms to it that aren't in the list of terms to remove.
+
+Run the command `$terms` to show the current list of terms. The output of the command looks like this:
+
+`aarskog's syndrome`
+`abandonment`
+`abasia`
+`abderhalden-kaufmann-lignac`
+`abdominalgia`
+`abduction contracture`
+`abetalipoproteinemia`
+`abiotrophy`
+`ablatio`
+`ablation`
+`ablepharia`
+`abocclusion`
+`abolition`
+`aborter`
+`abortion`
+`abortus`
+`aboulomania`
+`abrami's disease`
+
+Run this command to specify the terms that you want to remove:
+
+```powershell
+$termsToRemove = @('abandonment', 'ablatio')
+```
+
+Run this command to actually remove the terms from the list:
+
+```powershell
+$updatedTerms = $terms | Where-Object{ $_ -notin $termsToRemove }
+```
+
+Run the command `$updatedTerms` to show the updated list of terms. The output of the command looks like this (the specified terms have been removed):
+
+`aarskog's syndrome`
+`abasia`
+`abderhalden-kaufmann-lignac`
+`abdominalgia`
+`abduction contracture`
+`abetalipo proteinemia`
+`abiotrophy`
+`ablation`
+`ablepharia`
+`abocclusion`
+`abolition`
+`aborter`
+`abortion`
+`abortus`
+`aboulomania`
+`abrami's disease`
+```
+
+Now save the dictionary locally and add a few more terms. You could add the terms right here in PowerShell, but you'll still need to export the file locally to ensure it's saved with Unicode encoding and contains the BOM.
+
+Save the dictionary locally by running the following:
+
+```powershell
+Set-Content $updatedTerms -Path "C:\myPath\terms.txt"
+```
+
+Now open the file, add your other terms, and save with Unicode encoding (UTF-16). Now you'll upload the updated terms and update the dictionary in place.
+
+```powershell
+PS> Set-DlpKeywordDictionary -Identity "Diseases" -FileData (Get-Content -Path "C:myPath\terms.txt" -Encoding Byte -ReadCount 0)
+```
+
+Now the dictionary has been updated in place. The `Identity` field takes the name of the dictionary. If you wanted to also change the name of your dictionary using the `set-` cmdlet, you would just need to add the `-Name` parameter to what's above with your new dictionary name.
+
+See Also
+- [Create a keyword dictionary](create-a-keyword-dictionary.md)
+- [Create a custom sensitive information type](create-a-custom-sensitive-information-type.md)
compliance Use Drive Shipping To Import Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-drive-shipping-to-import-pst-files-to-office-365.md
For frequently asked questions about using drive shipping to import PST files to
- You have to be assigned the Mailbox Import Export role in Exchange Online to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a role group, assign the Mailbox Import Export role, and then add yourself as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups](/Exchange/permissions-exo/role-groups).
- Additionally, to create import jobs in the Security & Compliance Center, one of the following must be true:
+ Additionally, to create import jobs in the Microsoft 365 compliance center, one of the following must be true:
- You have to be assigned the Mail Recipients role in Exchange Online. By default, this role is assigned to the Organization Management and Recipient Management roles groups.
For frequently asked questions about using drive shipping to import PST files to
The first step is to download the secure storage key and the tool and that you use in Step 2 to copy PST files to the hard drive. > [!IMPORTANT]
-> You have to use Azure Import/Export tool version 1 (WAimportExportV1) to successfully import PST files by using the drive shipping method. Version 2 of the Azure Import/Export tool isn't supported and using it will result in incorrectly preparing the hard drive for the import job. Be sure to download the Azure Import/Export tool from the Security & Compliance Center by following the procedures in this step.
+> You have to use Azure Import/Export tool version 1 (WAimportExportV1) to successfully import PST files by using the drive shipping method. Version 2 of the Azure Import/Export tool isn't supported and using it will result in incorrectly preparing the hard drive for the import job. Be sure to download the Azure Import/Export tool from the Microsoft 365 compliance center by following the procedures in this step.
-1. Go to [https://protection.office.com/](https://protection.office.com/) and sign in using the credentials for an administrator account in your organization.
-
-2. In the left pane of the Security & Compliance Center, click **Information governance** \> **Import** \> **Import PST files**.
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Information governance** \> **Import**.
> [!NOTE]
- > As previously stated, you have to be assigned the appropriate permissions to access the **Import** page in the Security & Compliance Center.
+ > As previously stated, you have to be assigned the appropriate permissions to access the **Import** page in the Microsoft 365 compliance center.
-3. On the **Import PST files** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
+3. On the **Import** tab, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
4. In the import job wizard, type a name for the PST import job, and then click **Next**. Use lowercase letters, numbers, hyphens, and underscores. You can't use uppercase letters or include spaces in the name.
The first step is to download the secure storage key and the tool and that you u
![Copy the secure storage key and download the Azure Import Export tool on the Import data page](../media/e22e0b48-e5ce-48e0-95bc-0490a2b3b983.png)
- a. In step 2, click **Copy the secure storage key**. After the storage key is displayed, click **Copy to clipboard** and then paste it and save it to a file so you can access it later.
+ a. In step 2, click **Show the secure storage key**. After the storage key is displayed, click **Copy to clipboard** and then paste it and save it to a file so you can access it later.
b. In step 3, **Download the Azure Import/Export tool** to download and install the Azure Import/Export (version 1) tool.
The first step is to download the secure storage key and the tool and that you u
7. Click **Cancel** to close the wizard.
- You come back to the **Import** page in the Security & Compliance Center when you create the import job in Step 4.
+ You come back to the **Import** page in the Microsoft 365 compliance center when you create the import job in Step 4.
## Step 2: Copy the PST files to the hard drive
After Microsoft data center personnel upload the PST files from the hard drive t
The next step is to create the PST Import job in the Import service in Office 365. As previously explained, you submit the PST Import mapping file that you created in Step 3. After you create the job, the Import service will use the information in the mapping file to import the PST files to the specified user mailbox after the PST files are copied from the hard drive to the Azure Storage area and you create and start the import job.
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in using the credentials for an administrator account in your organization.
-
-2. In the left pane of the Security & Compliance Center, click **Information governance** \> **Import** \> **Import PST files**.
-
-3. On the **Import PST files** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
-
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Information governance** \> **Import**.
+
+3. On the **Import** tab, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
+ > [!NOTE]
- > As previously stated, you have to be assigned the appropriate permissions to access the **Import** page in the Security & Compliance Center.
+ > As previously stated, you have to be assigned the appropriate permissions to access the **Import** page in the Microsoft 365 compliance center.
4. Type a name for the PST import job, and then click **Next**. Use lowercase letters, numbers, hyphens, and underscores. You can't use uppercase letters or include spaces in the name.
-
+ 5. On the **Choose import job type** page, click **Ship hard drives to one of our physical locations** and then click **Next**.
-
- ![Click Ship hard drives to one of our physical locations to create a drive shipping import job](../media/1584fdc5-cd4c-4e47-932e-db6c8e07f5f8.png)
6. In step 6, click the **I've prepared my hard drives and have access to the necessary drive journal files** and **I have access to the mapping file** check boxes, and then click **Next**.
-
+ ![Click the two check boxes in step 6](../media/fad43078-ea68-4acd-b2ed-75a800183262.png) 7. On the **Select the drive file** page, click **Select drive file**, and then go to the same folder where the WAImportExport.exe tool is located. The journal file that was created in Step 2 was copied to this folder.
-
+ ![Click Select drive file to submit the journal file that was created when you ran the WAImportExport.exe tool](../media/1ea35c04-bd88-4d7e-b7d9-dc390149d94f.png) 8. Select the journal file; for example, `PSTHDD1.jrn`.
-
+ > [!TIP]
- > When you ran the WAImportExport.exe tool in Step 2, the name of the journal file was specified by the `/j:` parameter.
+ > When you ran the WAImportExport.exe tool in Step 2, the name of the journal file was specified by the `/j:` parameter.
-9. After the name of the drive file appears under **Drive file name**, click **Validate** to check your drive file for errors.
-
+9. After the name of the drive file appears under **Drive file name**, click **Validate** to check your drive file for errors.
+ ![Click Validate to validate the drive file that you selected](../media/4b707f5a-152a-4e74-b9f5-449c88d1fec4.png)
- The drive file has to be successfully validated to create a PST Import job. Note that the file name is changed to green after it's successfully validated. If the validation fails, click the **View log** link. A validation error report is opened, with an error message with information about why the file failed.
-
+ The drive file has to be successfully validated to create a PST Import job. The file name is changed to green after it's successfully validated. If the validation fails, click the **View log** link. A validation error report is opened, with an error message with information about why the file failed.
+ > [!NOTE] > You must add and validate a journal file for each hard drive you ship to Microsoft. 10. After adding and validating a journal file for each hard drive that you ship to Microsoft, click **Next**. 11. Click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **Select mapping file** to submit the PST Import mapping file that you created in Step 3.
-
+ ![Click Select mapping file to submit the CSV file you created for the import job](../media/d30b1d73-80bb-491e-a642-a21673d06889.png) 12. After the name of the CSV file appears under **Mapping file name**, click **Validate** to check your CSV file for errors.
-
+ ![Click Validate to check the CSV file for errors](../media/4680999d-5538-4059-b878-2736a5445037.png)
- The CSV file has to be successfully validated to create a PST Import job. Note that the file name is changed to green after it's successfully validated. If the validation fails, click the **View log** link. A validation error report is opened, with an error message for each row in the file that failed.
-
+ The CSV file has to be successfully validated to create a PST Import job. The file name is changed to green after it's successfully validated. If the validation fails, click the **View log** link. A validation error report is opened, with an error message for each row in the file that failed.
+ 13. After the PST mapping file is successfully validated, click **Next**.
-
+ 14. On the **Provide contact information** page, type your contact information in the applicable boxes.
-
+ The address for the Microsoft location that you ship your hard drives to is displayed. This address is auto-generated based on your Microsoft datacenter location. Copy this address to a file or take a screenshot.
-
+ 15. Read the terms and conditions document, click the checkbox, and then click **Save** to submit the import job.
-
+ When the import job is successfully created, a status page is displayed that explains the next steps of the drive shipping process.
-
-16. On the **Import PST files** page, click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to displayed the new drive shipping import job in the list of import jobs. The status is set to **Waiting for tracking number**. You can also click the import job to display the status flyout page, which contains more detailed information about the import job.
-
+
+16. On the **Import** tab, click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to displayed the new drive shipping import job in the list of import jobs. The status is set to **Waiting for tracking number**. You can also click the import job to display the status flyout page, which contains more detailed information about the import job.
+ ## Step 5: Ship the hard drive to Microsoft The next step is to ship the hard drive to Microsoft, and then provide the tracking number for the shipment and return shipment information for the drive shipping job. After the drive is received by Microsoft, it will take between 7 and 10 business days for data center personnel to upload your PST files to the Azure Storage area for your organization. > [!NOTE]
-> If you don't provide the tracking number and return shipment information within 14 days of creating the import job, the import job will be expired. If this happens, you'll have to create a new drive shipping import job (see [Step 4: Create a PST Import job in Office 365](#step-4-create-a-pst-import-job-in-office-365)) and re-submit the drive file and the PST import mapping file.
+> If you don't provide the tracking number and return shipment information within 14 days of creating the import job, the import job will be expired. If this happens, you'll have to create a new drive shipping import job (see [Step 4: Create a PST Import job in Office 365](#step-4-create-a-pst-import-job-in-office-365)) and re-submit the drive file and the PST import mapping file.
### Ship the hard drive Keep the following things in mind when you ship hard drives to Microsoft: - Don't ship the SATA-to-USB adapter; you only have to ship the hard drive.
-
+ - Package the hard drive properly; for example, use an anti-static bag or bubble wrap.
-
+ - Use a delivery carrier of your choice to ship the hard drive to Microsoft.
-
+ - Ship the hard drive to the address for the Microsoft location that was displayed when you created the import job in Step 4. Be sure to include "Office 365 Import Service" in the ship-to address.
-
+ - After you ship the hard drive, be sure to write down the name of the delivery carrier and the tracking number. You'll provide these in the next step. ### Enter the tracking number and other shipping information After you've shipped the hard drive to Microsoft, complete the following procedure on the Import service page.
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in using the credentials for an administrator account in your organization.
-
-2. In the left pane, click **Information governance > Import > Import PST files**.
-
-3. On the **Import PST files** page, click the job for the drive shipment that you want to enter the tracking number for.
-
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Information governance > Import**.
+
+3. On the **Import** tab, click the job for the drive shipment that you want to enter the tracking number for.
+ 4. On the status flyout page, click **Enter tracking number**.
-
+ 5. Provide the following shipping information:
-
-1. **Delivery carrier** Type the name of the delivery carrier that you used to ship the hard drive to Microsoft.
-
-2. **Tracking number** Type the tracking number for the hard drive shipment.
-
-3. **Return carrier account number** Type your organization's account number for the carrier that listed under **Return carrier**. Microsoft uses (and charges) this account to ship your hard drive back to you. Organizations in the USA and Europe, must have an account with FedEx. Organizations in Asia and the rest of the world, must have an account with DHL.
-
+
+ 1. **Delivery carrier** Type the name of the delivery carrier that you used to ship the hard drive to Microsoft.
+
+ 2. **Tracking number** Type the tracking number for the hard drive shipment.
+
+ 3. **Return carrier account number** Type your organization's account number for the carrier that listed under **Return carrier**. Microsoft uses (and charges) this account to ship your hard drive back to you. Organizations in the USA and Europe, must have an account with FedEx. Organizations in Asia and the rest of the world, must have an account with DHL.
+ 6. Click **Save** to save this information for the import job.
-
- On the **Import PST files** page, click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to update the information for your drive shipping import job. Notice that status is now set to **Drives in transit**.
+
+ On the **Import** tab, click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to update the information for your drive shipping import job. Notice that status is now set to **Drives in transit**.
## Step 6: Filter data and start the PST Import job
After your hard drive is received by Microsoft, the status for the import job on
After PST files are uploaded to Azure, the status is changed to **Analysis in progress**. This indicates that Microsoft 365 is analyzing the data in the PST files (in a safe and secure manner) to identify the age of the items and the different message types included in the PST files. When the analysis is completed and the data is ready to import, the status for the import job is changed to **Analysis completed**. At this point, you have the option to import all the data contained in the PST files or you can trim the data that's imported by setting filters that control what data gets imported.
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in using the credentials for an administrator account in your organization.
-
-2. In the left pane, click **Information governance** \> **Import** \> **Import PST files**.
-
-3. On the **Import PST files** page, click **Ready to import to Office 365** for the import job that you created in Step 4.
-
- ![Click Ready to import to Microsoft 365 next to the import job you created](../media/5760aac3-300b-4e31-b894-253c42a4b82b.png)
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **Information governance** \> **Import****.
+
+3. On the **Import** tab, select the import job that you created in Step 4 and click **Import to Office 365**.
A fly out page is displayed with information about the PST files and other information about the import job.
-
+ 4. Click **Import to Office 365**.
-
+ 5. The **Filter your data** page is displayed. It contains the data insights resulting from the analysis performed on the PST files by Office 365, including information about the age of the data. At this point, you have the option to filter the data that will be imported or import all the data as is.
-
+ ![You can trim the data in the PST files or import all of it](../media/287fc030-99e9-417b-ace7-f64617ea5d4e.png) 6. Do one of the following:
-
+ a. To trim the data that you import, click **Yes, I want to filter it before importing**.
-
+ For detailed step-by-step instructions about filtering the data in the PST files and then starting the import job, see [Filter data when importing PST files to Office 365](filter-data-when-importing-pst-files.md).
-
+ Or
-
+ b. To import all data in the PST files, click **No, I want to import everything,** and click **Next**.
-
+ 7. If you chose to import all the data, click **Import data** to start the import job.
-
+ The status of the import job is displayed on the **Import PST files** page. Click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to update the status information that's displayed in the **Status** column. Click the import job to display the status flyout page, which displays status information about each PST file being imported. When the import is complete and PST files have been imported to user mailboxes, the status will be changed to **Completed**. ## View a list of the PST files uploaded to Microsoft 365 You can install and use the Microsoft Azure Storage Explorer (which is a free, open-source tool) to view the list of the PST files that we're uploaded (by Microsoft data center personnel) to the Azure Storage area for your organization. You can do this to verify that PST files from the hard drives that you sent to Microsoft were successfully uploaded to the Azure Storage area.
-The Microsoft Azure Storage Explorer is in Preview.
-
- **Important:** You can't use the Azure Storage Explorer to upload or modify PST files. The only supported method for importing PST files to Microsoft 365 is to use AzCopy. Also, you can't delete PST files that you've uploaded to the Azure blob. If you try to delete a PST file, you receive an error about not having the required permissions. All PST files are automatically deleted from your Azure Storage area. If there are no import jobs in progress, then all PST files in the ** ingestiondata ** container are deleted 30 days after the most recent import job was created.
+> [!IMPORTANT]
+> You can't use the Azure Storage Explorer to upload or modify PST files. The only supported method for importing PST files to Microsoft 365 is to use AzCopy. Also, you can't delete PST files that you've uploaded to the Azure blob. If you try to delete a PST file, you receive an error about not having the required permissions. All PST files are automatically deleted from your Azure Storage area. If there are no import jobs in progress, then all PST files in the ** ingestiondata ** container are deleted 30 days after the most recent import job was created.
+Perform the following steps to get the Shared Access Signature (SAS) URL for your organization. This URL is a combination of the network URL for the Azure Storage location in the Microsoft cloud for your organization and an SAS key. This key provides you with the necessary permissions to access your organization's Azure Storage location.
+ To install the Azure Storage Explorer and connect to your Azure Storage area:
-
-1. Perform the following steps to get the Shared Access Signature (SAS) URL for your organization. This URL is a combination of the network URL for the Azure Storage location in the Microsoft cloud for your organization and an SAS key. This key provides you with the necessary permissions to access your organization's Azure Storage location.
-
-1. Go to [https://protection.office.com/](https://protection.office.com/) and sign in using the credentials for an administrator account in your organization.
-
-2. In the left pane of the Security & Compliance Center, click **Information governance > Import > Import PST files**.
-
-3. On the **Import PST files** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
-
+
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
+
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance > Import**.
+
+3. On the **Import** tab, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
+ 4. In the import job wizard, type a name for the PST import job, and then click **Next**. Use lowercase letters, numbers, hyphens, and underscores. You can't use uppercase letters or include spaces in the name.
-
+ 5. On the **Choose import job type** page, click **Upload your data**, and then click **Next**.
-
+ 6. In step 2, click **Show network upload SAS URL**.
-
+ 7. After the URL is displayed, copy it and save it to a file. Be sure to copy the entire URL.
-
+ > [!IMPORTANT]
- > Be sure to take precautions to protect the SAS URL. This can be used by anyone to access the Azure storage area for your organization.
+ > Be sure to take precautions to protect the SAS URL. This can be used by anyone to access the Azure storage area for your organization.
-8. Click **Cancel** to close the import job wizard.
-
-2. Download and install the [Microsoft Azure Storage Explorer tool](https://go.microsoft.com/fwlink/p/?LinkId=544842).
-
-3. Start the Microsoft Azure Storage Explorer, right-click **Storage Accounts** in the left pane, and then click **Connect to Azure Storage**.
-
+8. Click **Cancel** to close the import job wizard.
+
+9. Download and install the [Microsoft Azure Storage Explorer tool](https://go.microsoft.com/fwlink/p/?LinkId=544842).
+
+10. Start the Microsoft Azure Storage Explorer, right-click **Storage Accounts** in the left pane, and then click **Connect to Azure Storage**.
+ ![Right-click Storage Accounts and then click Connect to Azure Storage](../media/75b80cc3-c336-4f96-ad32-54ac9b96a7af.png)
-4. Click **Use a shared access signature (SAS) URI or connection string** and click **Next**.
-
-5. Click **Use a SAS URI**, paste the SAS URL that you obtained in step 1 in to in the box under **URI**, and then click **Next**.
-
-6. On the **Connection summary** page, you can review the connection information, and then click **Connect**.
-
+11. Click **Use a shared access signature (SAS) URI or connection string** and click **Next**.
+
+12. Click **Use a SAS URI**, paste the SAS URL that you obtained in step 1 in to in the box under **URI**, and then click **Next**.
+
+13. On the **Connection summary** page, you can review the connection information, and then click **Connect**.
+ The **ingestiondata** container is opened. It contains the PST files from your hard drive. The **ingestiondata** container is located under **Storage Accounts** \> **(SAS-Attached Services)** \> **Blob Containers**.
-
+ ![Azure Storage Explorer displays a list of the PST files that you uploaded](../media/12376fed-13a5-4a09-8fe6-e819e011b334.png)
-7. When you're finished using the Microsoft Azure Storage Explorer, right-click **ingestiondata**, and then click **Detach** to disconnect from your Azure Storage area. Otherwise, you'll receive an error the next time you try to attach.
-
+14. When you're finished using the Microsoft Azure Storage Explorer, right-click **ingestiondata**, and then click **Detach** to disconnect from your Azure Storage area. Otherwise, you'll receive an error the next time you try to attach.
+ ![Right-click ingestion and click Detach to disconnect from your Azure Storage area](../media/1e8e5e95-4215-4ce4-a13d-ab5f826a0510.png) ## Troubleshooting tips
To install the Azure Storage Explorer and connect to your Azure Storage area:
## More information - Drive shipping is an effective way to import large amounts of archival messaging data to Microsoft 365 to take advantage of the compliance features that are available to your organization. After archival data is imported to user mailboxes, you can:
-
+ - Enable [archive mailboxes](enable-archive-mailboxes.md) and [auto-expanding archiving](enable-unlimited-archiving.md) to give users more mailbox storage space for the data.
-
+ - Place mailboxes on [Litigation Hold](./create-a-litigation-hold.md) to retain the data.
-
+ - Use Microsoft [eDiscovery tools](search-for-content.md) to search the data.
-
+ - Apply [Microsoft 365 retention policies](retention.md) to control how long the data is retained, and what action to take after the retention period expires.
-
+ - Search the [audit log](search-the-audit-log-in-security-and-compliance.md) for events related to this data.
-
+ - Import data to [inactive mailboxes](create-and-manage-inactive-mailboxes.md) to archive data for compliance purposes.
-
+ - Protect your organization against [data loss](dlp-learn-about-dlp.md) of sensitive information.
-
+ - Here's an example of the secure storage account key and a BitLocker encryption key. This example also contains the syntax for the WAImportExport.exe command that you run to copy PST files to a hard drive. Be sure to take precautions to protect these just like you would protect passwords or other security-related information.
-
```text Secure storage account key:
To install the Azure Storage Explorer and connect to your Azure Storage area:
``` - As previously explained, the Office 365 Import service turns on the retention hold setting (for an indefinite duration) after PST files are imported to a mailbox. This means the *RentionHoldEnabled* property is set to `True` so that the retention policy assigned to the mailbox won't be processed. This gives the mailbox owner time to manage the newly imported messages by preventing a deletion or archive policy from deleting or archiving older messages. Here are some steps you can take to manage this retention hold:
-
+ - After a certain period of time, you can turn off the retention hold by running the `Set-Mailbox -RetentionHoldEnabled $false` command. For instructions, see [Place a mailbox on retention hold](/exchange/security-and-compliance/messaging-records-management/mailbox-retention-hold).
-
+ - You can configure the retention hold so that it's turned off on some date in the future. You do this by running the `Set-Mailbox -EndDateForRetentionHold <date>` command. For example, assuming that today's date is June 1, 2016 and you want the retention hold turned off in 30 days, you would run the following command: `Set-Mailbox -EndDateForRetentionHold 7/1/2016`. In this scenario, you would leave the *RentionHoldEnabled* property set to *True*. For more information, see [Set-Mailbox](/powershell/module/exchange/set-mailbox).
-
- - You can change the settings for the retention policy that's assigned to the mailbox so that older items that were imported won't be immediately deleted or moved to the user's archive mailbox. For example, you could lengthen the retention age for a deletion or archive policy that's assigned to the mailbox. In this scenario, you would turn off the retention hold on the mailbox after you changed the settings of the retention policy. For more information, see [Set up an archive and deletion policy for mailboxes in your organization](set-up-an-archive-and-deletion-policy-for-mailboxes.md).
-
+ - You can change the settings for the retention policy that's assigned to the mailbox so that older items that were imported won't be immediately deleted or moved to the user's archive mailbox. For example, you could lengthen the retention age for a deletion or archive policy that's assigned to the mailbox. In this scenario, you would turn off the retention hold on the mailbox after you changed the settings of the retention policy. For more information, see [Set up an archive and deletion policy for mailboxes in your organization](set-up-an-archive-and-deletion-policy-for-mailboxes.md).
compliance Use Network Upload To Import Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-network-upload-to-import-pst-files.md
You have to perform Step 1 only once to import PST files to Microsoft 365 mailbo
- You have to be assigned the Mailbox Import Export role in Exchange Online to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a role group, assign the Mailbox Import Export role, and then add yourself as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups](/Exchange/permissions-exo/role-groups).
- Also, to create import jobs in the Security & Compliance Center, one of the following must be true:
+ Also, to create import jobs in the Microsoft 365 compliance center, one of the following must be true:
- You have to be assigned the Mail Recipients role in Exchange Online. By default, this role is assigned to the Organization Management and Recipient Management roles groups.
You have to perform Step 1 only once to import PST files to Microsoft 365 mailbo
- This procedure involves copying and saving a copy of a URL that contains an access key. This information will be used in Step 2 to upload your PST files, and in Step 3 if you want to view a list of the PST files uploaded to Office 365. Be sure to take precautions to protect this URL like you would protect passwords or other security-related information. For example, you might save it to a password-protected Microsoft Word document or to an encrypted USB drive. See the [More information](#more-information) section for an example of this combined URL and key. -- You can import PST files to an inactive mailbox in Office 365. You do this by specifying the GUID of the inactive mailbox in the `Mailbox` parameter in the PST Import mapping file. See Step 4 on the **Instructions** tab in this topic for information.
+- You can import PST files to an inactive mailbox in Office 365. You do this by specifying the GUID of the inactive mailbox in the `Mailbox` parameter in the PST Import mapping file. See Step 4 on the **Instructions** tab in this topic for information.
- In an Exchange hybrid deployment, you can import PST files to a cloud-based archive mailbox for a user whose primary mailbox is on-premises. You do this by doing the following in the PST Import mapping file:
The first step is to download and install the AzCopy tool, which is the tool tha
> [!IMPORTANT] > To import PST files using the network upload method and command syntax documented in this article, you must use the version of AzCopy that can be downloaded in step 6b in the following procedure. You can also download that same version of AzCopy from [here](https://aka.ms/downloadazcopy). Using a different version of AzCopy isn't supported.
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in using the credentials for an administrator account in your organization.
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. In the left pane of the Security & Compliance Center, click **Information governance** \> **Import** \> **Import PST files**.
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance** \> **Import**.
> [!NOTE]
- > You have to be assigned the appropriate permissions to access the **Import** page in the Security & Compliance Center. See the **Before you begin** section for more information.
+ > You have to be assigned the appropriate permissions to access the **Import** page in the Microsoft 365 compliance center. See the **Before you begin** section for more information.
-3. On the **Import PST files** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
+3. On the **Import** tab, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
The import job wizard is displayed.
After the PST files have been uploaded to the Azure Storage location for your or
The next step is to create the PST Import job in the Import service in Microsoft 365. As previously explained, you submit the PST Import mapping file that you created in Step 4. After you create the job, Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to filter the data that actually gets imported to the mailboxes specified in the PST import mapping file (see [Step 6](#step-6-filter-data-and-start-the-pst-import-job)).
-1. Go to [https://protection.office.com](https://protection.office.com) and sign in using the credentials for an administrator account in your organization.
+1. Go to <https://compliance.microsoft.com> and sign in using the credentials for an administrator account in your organization.
-2. In the left pane of the Security & Compliance Center, click **Information governance > Import > Import PST files**.
+2. In the left pane of the Microsoft 365 compliance center, click **Information governance > Import**.
-3. On the **Import PST files** page, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
+3. On the **Import** tab, click ![Add Icon](../media/ITPro-EAC-AddIcon.gif) **New import job**.
> [!NOTE]
- > You have to be assigned the appropriate permissions to access the **Import** page in the Security & Compliance Center to create an import job. See the **Before you begin** section for more information.
+ > You have to be assigned the appropriate permissions to access the **Import** page in the Microsoft 365 compliance center to create an import job. See the **Before you begin** section for more information.
4. Type a name for the PST import job, and then click **Next**. Use lowercase letters, numbers, hyphens, and underscores. You can't use uppercase letters or include spaces in the name. 5. On the **Do you want to upload or ship data?** page, click **Upload your data** and then click **Next**.-
- ![Click Upload your data to create a network upload import job](../media/e59f9dc3-ccde-44ff-ac38-c4e39d76ae85.png)
6. In step 4 on the **Import data** page, click the **I'm done uploading my files** and **I have access to the mapping file** check boxes, and then click **Next**.
The next step is to create the PST Import job in the Import service in Microsoft
![Click Select mapping file to submit the CSV file you created for the import job](../media/d30b1d73-80bb-491e-a642-a21673d06889.png)
-8. After the name of the CSV file appears under **Mapping file name**, click **Validate** to check your CSV file for errors.
+8. After the name of the CSV file appears under **Mapping file name**, click **Validate** to check your CSV file for errors.
![Click Validate to check the CSV file for errors](../media/4680999d-5538-4059-b878-2736a5445037.png)
The next step is to create the PST Import job in the Import service in Microsoft
After you create the import job in Step 5, Microsoft 365 analyzes the data in the PST files (in a safe and secure manner) by identifying the age of the items and the different message types included in the PST files. When the analysis is completed and the data is ready to import, you have the option to import all the data contained in the PST files or you can trim the data that's imported by setting filters that control what data gets imported.
-1. On the **Import PST files** page in the Security & Compliance Center, click **Ready to import to Office 365** for the import job that you created in Step 5.
-
- ![Click Ready to import to Microsoft 365 next to the import job you created](../media/5760aac3-300b-4e31-b894-253c42a4b82b.png)
+1. On the **Import** tab in the Microsoft 365 compliance center, select the import jobs that you created in Step 5 and then click **Import to Office 365**.
- A fly out page is displayed with information about the PST files and other information about the import job.
-
-2. On the flyout page, click **Import to Office 365**.
-
- The **Filter your data** page is displayed. It contains the data insights resulting from the analysis performed on the PST files by Office 365, including information about the age of the data. At this point, you have the option to filter the data that will be imported or import all the data as is.
+ The **Filter your data** page is displayed. It contains the data insights resulting from the analysis performed on the PST files by Office 365, including information about the age of the data. At this point, you have the option to filter the data that will be imported or import all the data as is.
![You can trim the data in the PST files or import all of it](../media/287fc030-99e9-417b-ace7-f64617ea5d4e.png)
-3. Do one of the following:
+2. Do one of the following:
1. To trim the data that you import, click **Yes, I want to filter it before importing**.
After you create the import job in Step 5, Microsoft 365 analyzes the data in th
2. To import all data in the PST files, click **No, I want to import everything,** and click **Next**.
-4. If you chose to import all the data, click **Import data** to start the import job.
+3. If you chose to import all the data, click **Import data** to start the import job.
- The status of the import job is display on the **Import PST files** page. Click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to update the status information that's displayed in the **Status** column. Click the import job to display the status flyout page, which displays status information about each PST file being imported.
+ The status of the import job is display on the **Import PST files** page. Click ![Refresh icon](../mediM-Policy-RefreshIcon.gif) **Refresh** to update the status information that's displayed in the **Status** column. Click the import job to display the status flyout page, which displays status information about each PST file being imported.
## More information
Here's an illustration and description of the network upload process to import P
![Workflow of the network upload process to import PST files to Office 365](../media/9e05a19e-1e7a-4f1f-82df-9118f51588c4.png)
-1. **Download the PST import tool and key to private Azure Storage location:** The first step is to download the AzCopy command-line tool and an access key used to upload the PST files to an Azure Storage location in the Microsoft cloud. You obtain these from the **Import** page in the Security & Compliance Center. The key (called a secure access signature (SAS) key, provides you with the necessary permissions to upload PST files to a private and secure Azure Storage location. This access key is unique to your organization and helps prevent unauthorized access to your PST files after they're uploaded to the Microsoft cloud. Importing PST files doesn't require your organization to have a separate Azure subscription.
+1. **Download the PST import tool and key to private Azure Storage location:** The first step is to download the AzCopy command-line tool and an access key used to upload the PST files to an Azure Storage location in the Microsoft cloud. You obtain these from the **Import** page in the Microsoft 365 compliance center. The key (called a secure access signature (SAS) key, provides you with the necessary permissions to upload PST files to a private and secure Azure Storage location. This access key is unique to your organization and helps prevent unauthorized access to your PST files after they're uploaded to the Microsoft cloud. Importing PST files doesn't require your organization to have a separate Azure subscription.
2. **Upload the PST files to the Azure Storage location:** The next step is to use the AzCopy.exe tool (downloaded in step 1) to upload and store your PST files in an Azure Storage location that resides in the same regional Microsoft datacenter where your organization is located. To upload them, the PST files that you want to import have to be located in a file share or file server in your organization.
Here's an illustration and description of the network upload process to import P
3. **Create a PST import mapping file:** After the PST files have been uploaded to the Azure Storage location, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to, note that a PST file can be imported to a user's primary mailbox or their archive mailbox. The Office 365 Import service uses the information in the CSV file to import the PST files.
-4. **Create a PST import job:** The next step is to create a PST import job on the **Import PST files** page in the Security & Compliance Center and submit the PST import mapping file created in the previous step. After you create the import job, Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.
+4. **Create a PST import job:** The next step is to create a PST import job on the **Import PST files** page in the Microsoft 365 compliance center and submit the PST import mapping file created in the previous step. After you create the import job, Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.
5. **Filter the PST data that will be imported to mailboxes:** After the import job is created and started, Microsoft 365 analyzes the data in the PST files (safely and securely) by identifying the age of the items and the different message types included in the PST files. When the analysis is completed and the data is ready to import, you have the option to import all the data contained in the PST files or you can trim the data that's imported by setting filters that control what data gets imported.
-6. **Start the PST import job:** After the import job is started, Microsoft 365 uses the information in the PST import mapping file to import the PSTs files from the Azure Storage location to user mailboxes. Status information about the import job (including information about each PST file being imported) is displayed on the **Import PST files** page in the Security & Compliance Center. When the import job is finished, the status for the job is set to **Complete**.
+6. **Start the PST import job:** After the import job is started, Microsoft 365 uses the information in the PST import mapping file to import the PSTs files from the Azure Storage location to user mailboxes. Status information about the import job (including information about each PST file being imported) is displayed on the **Import PST files** page in the Microsoft 365 compliance center. When the import job is finished, the status for the job is set to **Complete**.
contentunderstanding Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/document-understanding-overview.md
Title: "Document understanding overview"--++ + audience: admin ms.prod: microsoft-365-enterprise
Document understanding uses artificial intelligence (AI) models to automate clas
Document understanding models are created and managed in a type of SharePoint site called a *content center*. When applied to a SharePoint document library, the model is associated with a content type has columns to store the information being extracted. The content type you create is stored in the SharePoint content type gallery. You can also choose to use existing content types to use their schema. > [!NOTE]
-> Read-only or sealed content types cannot be updated, so they cannot be used in a model.
+> Read-only or sealed content types cannot be updated, so they can't be used in a model.
Add *classifiers* and *extractors* to your document understanding models to do the following:
You can use example files to train and test your classifiers and extractors in y
After publishing your model, use the content center to apply it to any SharePoint document library that you have access to.
-### File limitations
+## File limitations
Document understanding models use Optical Character Recognition (OCR) technology to scan PDFs, images, and TIFF files, both when you train a model with example files and when you run the model against files in a document library.
-Note the following differences in regards to Microsoft Office text-based files and OCR-scanned files (PDF, image, or TIFF):
+Note the following differences with regard to Microsoft Office text-based files and OCR-scanned files (PDF, image, or TIFF):
-- Office files: We truncate at 64K characters (in training and when run against files in a document library).-- OCR-scanned files: There is a 20 page limit.
+- Office files: Truncated at 64,000 characters (in training and when run against files in a document library).
-#### Supported file types
+- OCR-scanned files: There's a 20-page limit.
+
+### Requirements
+
+OCR processing works best on documents that meet the following requirements:
+
+- JPG, PNG, or PDF format (text or scanned). Text-embedded PDFs are better, because there won't be any errors in character extraction and location.
+
+- If your PDFs are password-locked, you must remove the lock before submitting them.
+
+- The combined file size of the documents used for training per collection must not exceed 50 MB, and PDF documents shouldn't have more than 500 pages.
+
+- For images, dimensions must be between 50 × 50 and 10,000 × 10,000 pixels.
+ > [!NOTE]
+ > Images that are very wide or have odd dimensions (for example, floor plans) might get truncated in the OCR process and lose accuracy.
+
+- For PDF files, dimensions must be at most 17 x 17 inches, corresponding to Legal or A3 paper sizes and smaller.
+
+- If scanned from paper documents, scans should be high-quality images.
+
+- Must use the Latin alphabet (English characters).
+
+> [!NOTE]
+> AI Builder doesn't currently support the following types of form processing input data:<br>- Check boxes or radio buttons<br>- Signatures<br>- Fillable PDFs
+
+### Supported file types
Document understanding models support the following file types:
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
Prior to setup, make sure to plan for the best way to set up and configure conte
As an admin, you can also make changes to your selected settings anytime after setup, and throughout the content understanding management settings in the Microsoft 365 Admin Center.
+If you plan to use a custom Power Platform environment, you must [install the *AI Builder for Project Cortex* app in this environment](/power-platform/admin/manage-apps#install-an-app-in-the-environment-view) and [allocate AI Builder credits](/power-platform/admin/capacity-add-on) to it before you can create form processing models.
+ ### Licensing To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each user must have the following licenses assigned:
Go to the [Power Platform admin center](https://admin.powerplatform.microsoft.co
1. In the Microsoft 365 admin center, select **Setup**, and then view the **Files and content** section.
-2. In the **Files and content** section, select **Automate content understanding**.<br/>
+2. In the **Files and content** section, select **Automate content understanding**. Note that your current AI Builder credit availability is shown in the **At a glance** section.<br/>
-3. On the **Automate content understanding** page, click **Get started** to walk through the setup process.<br/>
+3. On the **Automate content understanding** page, click **Get started** to walk through the setup process. <br/>
> [!div class="mx-imgBorder"] > ![Begin setup](../media/content-understanding/admin-content-understanding-get-started.png)</br>
Go to the [Power Platform admin center](https://admin.powerplatform.microsoft.co
For **Power Platform environment**, you can select: - **Use the default environment** to use your default Power Platform environment.
- - **Use a custom environment** to use a custom environment. Choose the environment that you want to use from the list. You must install the *AI Builder for Project Cortex* app in this environment and allocate AI Builder credits to it before you can create form processing models.
+ - **Use a custom environment** to use a custom environment. Choose the environment that you want to use from the list. ([See the requirements for a custom environment](/microsoft-365/contentunderstanding/set-up-content-understanding#requirements)).
Click **Next**.
managed-desktop Technologies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/technologies.md
User Account Control | User Account Control switches to the Secure Desktop when
| |
-Enterprise Mobility + Security E3<br>Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 and Azure Active Directory Premium P2 to manage MDM devices.
+Enterprise Mobility + Security E3<br>Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 to manage MDM devices. You can use Azure Active Directory Premium P2 as an optional feature with Microsoft Managed Desktop.
Microsoft Cloud App Security | You can use this optional feature with Microsoft Managed Desktop.
-Azure Information Protection P2 | You can use this optional feature with Microsoft Managed Desktop.
+Azure Information Protection P2 | You can use this optional feature with Microsoft Managed Desktop.
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
The following information lists the updates made to the Microsoft Defender for E
## Release notes - newest to oldest (dd.mm.yyyy)
+### 05.25.2021
+
+- Added new API [Export assessment methods and properties per device](get-assessmnt-1methods-properties.md).
+ ### 03.05.2021 - Added new API: [Remediation activity methods and properties](get-remediation-methods-properties.md).
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 05/06/2021 Last updated : 05/26/2021 # Configure Microsoft Defender Antivirus scanning options -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) ## Use Microsoft Intune to configure scanning options
-See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
+See the following resources:
+
+- [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure)
+- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
## Use Microsoft Endpoint Manager to configure scanning options
-See [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch).
+See [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings).
## Use Group Policy to configure scanning options
-To configure the Group Policy settings described in the following table:
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
+
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**, and then select a location (refer to [Settings and locations](#settings-and-locations) in this article).
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+5. Edit the policy object.
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+6. Click **OK**, and repeat for any other settings.
-| Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class |
-|||||
-| Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` |
-|Scan [reparse points](/windows/win32/fileio/reparse-points) | Scan > Turn on reparse point scanning | Disabled | Not available |
-| Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`|
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` |
-| Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` |
-| Scan packed executables | Scan > Scan packed executables | Enabled | Not available |
-| Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` |
-| Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available |
-| Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. Manually run scans will ignore this setting and run without any CPU limits. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` |
-| Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available |
-| Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available |
+### Settings and locations
+
+| Policy item and location | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class |
+||||
+| Email scanning <p> **Scan** > **Turn on e-mail scanning**<p>See [Email scanning limitations](#email-scanning-limitations) (in this article) | Disabled | `-DisableEmailScanning` |
+|Scan [reparse points](/windows/win32/fileio/reparse-points) <p> **Scan** > **Turn on reparse point scanning** | Disabled | Not available <p>See [Reparse points](/windows/win32/fileio/reparse-points) |
+| Scan mapped network drives <p> **Scan** > **Run full scan on mapped network drives** | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`|
+| Scan archive files (such as .zip or .rar files). <p> **Scan** > **Scan archive files** | Enabled | `-DisableArchiveScanning` <p>The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting.|
+| Scan files on the network <p> **Scan** > **Scan network files** | Disabled | `-DisableScanningNetworkFiles` |
+| Scan packed executables <p> **Scan** > **Scan packed executables** | Enabled | Not available |
+| Scan removable drives during full scans only <p> **Scan** > **Scan removable drives** | Disabled | `-DisableRemovableDriveScanning` |
+| Specify the level of subfolders within an archive folder to scan <p>**Scan** > **Specify the maximum depth to scan archive files** | 0 | Not available |
+| Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** > **Specify the maximum percentage of CPU utilization during a scan** | 50 | `-ScanAvgCPULoadFactor` <p>**NOTE**: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits. |
+| Specify the maximum size (in kilobytes) of archive files that should be scanned. <p> **Scan** > **Specify the maximum size of archive files to be scanned** | No limit | Not available <p>The default value of 0 applies no limit |
+| Configure low CPU priority for scheduled scans <p> **Scan** > **Configure low CPU priority for scheduled scans** | Disabled | Not available |
> [!NOTE] > If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares. ## Use PowerShell to configure scanning options
-See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+See the following resources:
-## Use WMI to configure scanning options
+- [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)
+- [Defender cmdlets](/powershell/module/defender/)
-For using WMI classes, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+## Use WMI to configure scanning options
-<a id="ref1"></a>
+See [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Email scanning limitations
-Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within email (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX - MBX - MIME
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are detected inside PST files.
-If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
+If Microsoft Defender Antivirus detects a threat inside an email message, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject - Attachment name
-## Related topics
+## See also
- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
Topic | Description
:|: [Advanced Hunting](run-advanced-query-api.md) | Run queries from API. [Alert methods and properties](alerts.md) | Run API calls such as \- get alerts, create alert, update alert and more.
+[Export assessment methods and properties per device](get-assessmnt-1methods-properties.md) | Run API calls such as \- export secure configuration assessment, export software inventory assessment, and export software vulnerabilities assessment.
[Automated Investigation methods and properties](investigation.md) | Run API calls such as \- get collection of Investigation. [Get domain related alerts](get-domain-related-alerts.md) | Run API calls such as \- get domain-related devices, domain statistics and more. [File methods and properties](files.md) | Run API calls such as \- get file information, file related alerts, file related devices, and file statistics.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o
> > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
-Download [**fulldisk.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/kext.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+Download [**fulldisk.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Full Disk Access" as profile name, and downloaded **fulldisk.mobileconfig** as Configuration profile name.
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
-Download [**netfilter.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/kext.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+Download [**netfilter.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Network Filter" as profile name, and downloaded **netfilter.mobileconfig** as Configuration profile name.
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin
This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina) or newer.
-Download [**notif.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/kext.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
+Download [**notif.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, using "MDATP Network Filter" as profile name, and downloaded **notif.mobileconfig** as Configuration profile name.
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
Set to false to send minimal heartbeat data, no application usage, and no enviro
## Example configuration profile The following configuration profile is used to:-- Place the device in the Beta channel
+- Place the device in the Production channel
- Automatically download and install updates - Enable the "Check for updates" button in the user interface - Allow users on the device to enroll into the Insider channels +
+>[!WARNING]
+>The below configuration is an example configuration and should not be used in production without proper review of settings and tailor of configurations.
+
+>[!TIP]
+>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
+ ### JAMF ```XML
The following configuration profile is used to:
<plist version="1.0"> <dict> <key>ChannelName</key>
- <string>Beta</string>
+ <string>Production</string>
<key>HowToCheck</key> <string>AutomaticDownload</string> <key>EnableCheckForUpdatesButton</key>
The following configuration profile is used to:
<key>PayloadEnabled</key> <true/> <key>ChannelName</key>
- <string>Beta</string>
+ <string>Production</string>
<key>HowToCheck</key> <string>AutomaticDownload</string> <key>EnableCheckForUpdatesButton</key>
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
computerDnsName | String | [machine](machine.md) fully qualified name.
firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours. osPlatform | String | Operating system platform.
-osProcessor | String | Operating system processor.
+osProcessor | String | Operating system processor. Use osArchitecture property instead.
version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
machineTags | String collection | Set of [machine](machine.md) tags.
exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).
+osArchitecture | String | Operating system architecture. Possible values are: "32-bit", "64-bit". Use this property instead of osProcessor.
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
Title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
+ Title: Configure Microsoft Defender Antivirus using Microsoft Endpoint Manager
description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh
localization_priority: Normal
Previously updated : 10/26/2018- Last updated : 05/24/2021+ ms.technology: mde audience: ITPro
-# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
+# Use Microsoft Endpoint Manager to configure and manage Microsoft Defender Antivirus
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
+You can use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) to configure Microsoft Defender Antivirus scans. [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Configuration Manager](/mem/configmgr/core/understand/introduction) are now part of Endpoint Manager.
-1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
+## Configure Microsoft Defender Antivirus scans in Endpoint Manager
-2. Under **Manage**, choose **Antivirus**.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), and sign in.
-3. Select your Microsoft Defender Antivirus policy.
+2. Navigate to **Endpoint Security**.
-4. Under **Manage**, choose **Properties**.
+3. Under **Manage**, choose **Antivirus**.
-5. Next to **Configuration settings**, choose **Edit**.
+4. Select your Microsoft Defender Antivirus policy.
-6. Expand the **Scan** section, and review or edit your scanning settings.
+5. Under **Manage**, choose **Properties**.
-7. Choose **Review + save**
+6. Next to **Configuration settings**, choose **Edit**.
-Need help? See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
+7. Expand the **Scan** section, and review or edit your scanning settings.
+
+8. Choose **Review + save**
++
+> [!TIP]
+> Need help? See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
## Related articles -- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Reference articles for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Anti Malware Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection.md
Anti-malware policies control the settings and notification options for malware
You can replace the default text in the **Malware Alert Text.txt** file with your own custom text. -- **Common Attachment Types Filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the Common Attachment Types Filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
+- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: `.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs`.
- The Common Attachment Types Filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
+ The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
-- **Malware zero-hour auto purge (ZAP)**: Malware ZAP quarantines messages that are found to contain malware *after* they've been delivered to Exchange Online mailboxes. By default, malware ZAP is on, and we recommend that you leave it on.
+- **Zero-hour auto purge (ZAP) for malware**: ZAP for malware quarantines messages that are found to contain malware *after* they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on.
- **Sender notifications**: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enabled notification messages for senders based on whether the sender is internal or external. The default notification message looks like this:
Anti-malware policies control the settings and notification options for malware
For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
-### Anti-malware policies in the Security & Compliance Center vs PowerShell
+### Anti-malware policies in the Microsoft 365 security center vs PowerShell
The basic elements of an anti-malware policy are: -- **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter settings.
+- **The malware filter policy**: Specifies the recipient notification, sender and admin notification, ZAP, and the common attachments filter settings.
- **The malware filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.
-The difference between these two elements isn't obvious when you manage anti-malware polices in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage anti-malware polices in the security center:
- When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.--- When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter) modify the associated malware filter policy.-
+- When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the common attachments filter) modify the associated malware filter policy.
- When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed. In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the **\*-MalwareFilterPolicy** cmdlets, and you manage malware filter rules by using the **\*-MalwareFilterRule** cmdlets.
In Exchange Online PowerShell or standalone EOP PowerShell, the difference betwe
Every organization has a built-in anti-malware policy named Default that has these properties: - The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.- - The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.- - The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Creating a custom anti-malware policy in the security center creates the malware
When you're finished, click **Next**.
-3. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (the conditions of the policy):
+3. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- **Users**: The specified mailboxes, mail users, or mail contacts in your organization. - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization. - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
Creating a custom anti-malware policy in the security center creates the malware
Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to, select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
To configure Defender for Office 365 policies, you must be assigned an appropria
To learn more, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
-## Before you begin, turn on Audit logging for reporting and investigation
+### Turn on Audit logging for reporting and investigation
-Start your audit logging early. You'll need auditing to be **ON** for certain of the steps that follow. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, such as the [Security Dashboard](security-dashboard.md), [email security reports](view-email-security-reports.md), and [Explorer](threat-explorer.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+- Start your audit logging early. You'll need auditing to be **ON** for some of the following steps. Audit logging is available in subscriptions that include [Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description). In order to view data in threat protection reports, such as the [Security Dashboard](security-dashboard.md), [email security reports](view-email-security-reports.md), and [Explorer](threat-explorer.md), audit logging must be *On*. To learn more, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
## Part 1 - Anti-malware protection
-[Anti-malware protection](anti-malware-protection.md) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description).
+For more information about the recommended settings for anti-malware, see [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
-1. In the [Security & Compliance Center](https://protection.office.com), choose **Threat management** \> **Policy** \> **Anti-malware**.
+1. Open <https://security.microsoft.com/antimalwarev2>.
-2. Double-click the **Default** policy, and then choose **settings**.
+2. Select the Default policy by clicking on the name of the policy.
-3. Specify the following settings:
+3. In the policy details flyout that opens, click **Edit protection settings**, and then configure the following settings:
+ - Select **Enable the common attachments filter** to turn on the common attachments filter. Click **Customize file types** to add more file types.
+ - Verify that **Enable zero-hour auto purge for malware** is selected.
+ - Verify that none of the settings in the **Notification** section are selected.
- - In the **Malware Detection Response** section, keep the default setting of **No**.
+ When you're finished, click **Save**
- - In the **Common Attachment Types Filter** section, choose **On**.
-
-4. Click **Save**.
-
-To learn more about anti-malware policy options, see [Configure anti-malware policies](configure-anti-malware-policies.md).
+For detailed instructions for configuring anti-malware policies, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
## Part 2 - Anti-phishing protection
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
The last stage takes place after mail or file delivery, acting on mail that is i
:::image type="content" source="../../medio-filter-stack-phase4.png" alt-text="Phase 4 of filtering in Defender for Office 365 is Post-delivery protection.":::
-1. **Safe Links** is MDO's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.
+1. **Safe Links** is Defender for Office 365's time-of-click protection. Every URL in every message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked it is checked against the latest reputation, before the user is redirected to the target site. The URL is asynchronously sandboxed to update its reputation.
-2. **Phish Zero-Hour Auto-purge (ZAP)** retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.
+2. **Zero-Hour Auto-purge (ZAP) for phishing** retroactively detects and neutralizes malicious phishing messages that have already been delivered to Exchange Online mailboxes.
-3. **Malware ZAP** retroactively detects and neutralizes malicious malware messages that have already been delivered to Exchange Online mailboxes.
+3. **ZAP for malware** retroactively detects and neutralizes malicious malware messages that have already been delivered to Exchange Online mailboxes.
-4. **Spam ZAP** retroactively detects and neutralizes malicious spam messages that have already been delivered to Exchange Online mailboxes.
+4. **ZAP for phishing** retroactively detects and neutralizes malicious spam messages that have already been delivered to Exchange Online mailboxes.
5. **Campaign Views** let administrators see the big picture of an attack, faster and more completely, than any team could without automation. Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns, and then allows admins to investigate them from start to end, including targets, impacts, and flows, that are also available in a downloadable campaign write-up.
The last stage takes place after mail or file delivery, acting on mail that is i
9. When a URL that points to a file is selected post delivery, **linked content detonation** displays a warning page until the sandboxing of the file is complete, and the URL is found to be safe. - ## The filtering stack diagram The final diagram (as with all parts of the diagram composing it) *is subject to change as the product grows and develops*. Bookmark this page and use the **feedback** option you'll find at the bottom if you need to ask after updates. For your records, this is the the stack with all the phases in order:
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-malware policies, see [Configure anti-malware polic
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::||
-|**Do you want to notify recipients if their messages are quarantined?** <p> _Action_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
-|**Common Attachment Types Filter** <p> _EnableFileFilter_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
-|**Malware Zero-hour Auto Purge** <p> _ZapEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
-|**Notify internal senders** of the undelivered message <p> _EnableInternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
-|**Notify external senders** of the undelivered message <p> _EnableExternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
+|**Notify recipients when messages are quarantined as malware** <p> _Action_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|No <p> _DeleteMessage_|If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.|
+|**Enable the common attachments filter** <p> _EnableFileFilter_|Off <p> `$false`|On <p> `$true`|On <p> `$true`|This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.|
+|**Enable zero-hour auto purge for malware** <p> _ZapEnabled_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Notify internal senders when messages are quarantined as malware** <p> _EnableInternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
+|**Notify external senders when messages are quarantined as malware** <p> _EnableExternalSenderNotifications_|Disabled <p> `$false`|Disabled <p> `$false`|Disabled <p> `$false`||
| ### EOP default anti-phishing policy settings
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
Office 365 Secure Score analyzes your organization's security based on your regu
The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.
+<br>
+ **** |Area|Includes a default policy|Recommendation| |||| |**Anti-phishing**|Yes|<ul><li>Impersonation protection ΓÇö If you have Defender for Office 365 and a custom domain, configure the impersonation protection settings in the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. More information: [Impersonation settings in anti-phishing policies](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and [Impersonation insight](impersonation-insight.md)</li><li>Spoof intelligence ΓÇö Review senders who are spoofing your domain. Block or allow these senders. More information: [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).</li></ul>|
-|**Anti-Malware Engine**|Yes| Edit the default policy: <ul><li>Common Attachment Types Filter: Select On</li></ul> <p> You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>|
+|**Anti-Malware Engine**|Yes|Edit the default policy: <ul><li>Select **Enable the common attachments filter**</li></ul> <p> You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. <p> More information: <ul><li>[Anti-malware protection](anti-malware-protection.md)</li><li>[Configure anti-malware policies](configure-anti-malware-policies.md)</li></ul>|
|**Safe Attachments in Microsoft Defender for Office 365**|No|On the main page for Safe Attachments, click **Global settings** and turn on this setting: <ul><li>**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams**</li></ul> <p> Create a Safe Attachments policy with these settings: <ul><li> **Block**: Select **Block** as the unknown malware response.</li><li>**Enable redirect**: Check this box and enter an email address, such as an admin or quarantine account.</li><li>**Apply the above selection if malware scanning for attachments times out or error occurs**: Check this box.</li><li>***Applied to**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Set up Safe Attachments policies](set-up-safe-attachments-policies.md)| |**Safe Links in Microsoft Defender for Office 365**|Yes|On the main page for Safe Links, click **Global settings**: <ul><li>**Use Safe Links in: Office 365 applications**: Verify this setting is turned on.</li><li>**Do not track when users click Safe Links**: Turn this setting off to track user clicks.</li></ul> <p> Create a Safe Links policy with these settings: <ul><li>**Select the action for unknown potentially malicious URLs in messages**: Verify this setting is **On**.</li><li>**Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Verify this setting is **On**.</li><li>**Apply real-time URL scanning for suspicious links and links that point to files**: Check this box.</li><li>**Wait for URL scanning to complete before delivering the message**: Check this box.</li><li>**Apply Safe Links to email messages sent within the organization**: Check this box</li><li>**Do not allow users to click through to original URL**: Check this box.</li><li>**Applied To**: **The recipient domain is** \> select your domain.</li></ul> <p> More information: [Set up Safe Links policies](set-up-safe-links-policies.md).| |**Anti-Spam (Mail filtering)**|Yes| What to watch for: Too much spam ΓÇö Choose the Custom settings and edit the Default spam filter policy. More information: [Microsoft 365 Email Anti-Spam Protection](anti-spam-protection.md).|
The Microsoft 365 security center includes capabilities that protect your enviro
Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see [Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md).
+<br>
+ **** |Dashboard|Description|
Visit these reports and dashboards to learn more about the health of your enviro
Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.
+<br>
+ **** |Area|Includes a default policy|Recommendation|
SharePoint team sites configured at the baseline level allow sharing files with
To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.
+<br>
+ **** |Area|Includes a default policy|Recommendation|
Because this solution recommends the EMS E5 plan, we recommend you start with Cl
More information: - [Deploy Cloud App Security](/cloud-app-security/getting-started-with-cloud-app-security)- - [More information about Microsoft Cloud App Security](https://www.microsoft.com/cloud-platform/cloud-app-security)- - [What is Cloud App Security?](/cloud-app-security/what-is-cloud-app-security) ![Cloud App Security dashboard](../../media/1fb2aa65-54b8-4746-9f5e-c187d339e9f5.png)
These articles and guides provide additional prescriptive information for securi
- [Microsoft security guidance for political campaigns, nonprofits, and other agile organizations](microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o.md) (you can use these recommendation in any environment, especially cloud-only environments) -- [Recommended security policies and configurations for identities and devices](microsoft-365-policies-configurations.md) (these recommendations include help for AD FS environments)
+- [Recommended security policies and configurations for identities and devices](microsoft-365-policies-configurations.md) (these recommendations include help for AD FS environments)
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
the following settings:
You can configure third-party message reporting tools to send reported messages to the custom mailbox. The only requirement is that the original message is included as an attachment in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).
-The message formatting requirements are described in the next section.
+The message formatting requirements are described in the next section. The formatting is optional, but if it does not follow the prescribed format, the reports will always be submitted as phish.
## Message submission format
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
The ZAP action is seamless for the user; they aren't notified if a message is de
[Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules (also known as transport rules), Inbox rules, or additional filters take precedence over ZAP. Similar to what happens in mail flow, this means that even if the service determines the delivered message needs ZAP, the message is not acted on because of the the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.
-### Malware ZAP
+### ZAP for malware
For **read or unread messages** that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. Only admins can view and manage malware messages from quarantine.
-Malware ZAP is enabled by default in anti-malware policies. For more information, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
+ZAP for malware is enabled by default in anti-malware policies. For more information, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
-### Phish ZAP
+### ZAP for phishing
For **read or unread messages** that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a **Phishing email** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for phishing and their possible ZAP outcomes are described in the following list:
For **read or unread messages** that are identified as phishing after delivery,
- **Quarantine message**: ZAP quarantines the message.
-By default, phish ZAP is enabled in anti-spam policies, and the default action for the **Phishing email** filtering verdict is **Quarantine message**, which means phish ZAP quarantines the message by default.
+By default, ZAP for phishing is enabled in anti-spam policies, and the default action for the **Phishing email** filtering verdict is **Quarantine message**, which means ZAP for phishing quarantines the message by default.
For more information about configuring spam filtering verdicts, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
-### Spam ZAP
+### ZAP for spam
For **unread messages** that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the **Spam** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:
solutions Configure Teams Three Tiers Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-three-tiers-protection.md
For the sensitive and highly sensitive tiers, we restrict access to SharePoint c
Note that guests often don't have devices that are managed by your organization. If you allow guests in any of the tiers, consider what kinds of devices they'll be using to access teams and sites and set your unmanaged device policies accordingly.
+### Control device access across Microsoft 365
+
+The unmanaged devices setting in sensitivity labels only affect SharePoint access. If you want to expand control of unmanaged devices beyond SharePoint, you can [Create an Azure Active Directory conditional access policy for all apps and services in your organization](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device) instead. To configure this policy specifically for [Microsoft 365 services](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365), select the **Office 365** cloud app under **Cloud apps or actions**.
+
+![Screenshot of the Office 365 cloud app in an Azure Active Directory conditional access policy](https://docs.microsoft.com/sharepoint/sharepointonline/media/azure-ca-office365-policy.png)
+
+Using a policy that affects all Microsoft 365 services can lead to better security and a better experience for your users. For example, when you block access to unmanaged devices in SharePoint only, users can access the chat in a team with an unmanaged device, but will lose access when they try to access the **Files** tab. Using the Office 365 cloud app helps avoid issues with [service dependencies](/azure/active-directory/conditional-access/service-dependencies).
+ ## Next step Start by [configuring the baseline level of protection](configure-teams-baseline-protection.md). If needed you can add [sensitive protection](configure-teams-sensitive-protection.md) and [highly sensitive protection](configure-teams-highly-sensitive-protection.md) on top of the baseline.
Start by [configuring the baseline level of protection](configure-teams-baseline
[Security and compliance in Microsoft Teams](/microsoftteams/security-compliance-overview)
-[Alert policies in the security and compliance center](../compliance/alert-policies.md)
+[Alert policies in the security and compliance center](../compliance/alert-policies.md)