Updates from: 05/05/2021 03:15:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
+
+ Title: "Step 1 - Stop an employee from logging in to Microsoft 365"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Block a former employee from logging in and block access to Microsoft 365 services."
++
+# Step 1 - Prevent a former employee from logging in and block access to Microsoft 365 services
+
+If you need to immediately prevent a user's sign-in access, you should reset their password. In this step, force a sign out of the user from Microsoft 365.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the box next to the user's name, and then select **Reset password**.
+3. Enter a new password, and then select **Reset**. (Don't send it to them.)
+4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
+
+Within an hour - or after they leave the current Microsoft 365 page they are on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they navigate out of their current webpage.
+
+> [!IMPORTANT]
+> If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As soon as they select a different tile, such as OneDrive, or refresh their browser, the sign-out is initiated.
+
+To use PowerShell to sign out a user immediately, see the [Revoke-AzureADUserAllRefreshToken](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) cmdlet.
+
+For more information about how long it takes to get someone out of email, see [What you need to know about terminating an employee's email session](remove-former-employee-step-7.md#what-you-need-to-know-about-terminating-an-employees-email-session).
+
+## Block a former employee's access to Microsoft 365 services
+
+> [!IMPORTANT]
+ > Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, follow the steps above and reset their password.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the name of the employee that you want to block, and under the user's name, select the symbol for **Block this user**.
+3. Select **Block the user from signing in**, and then select **Save**.
+
+## Block a former employee's access to email (Exchange Online)
+
+If you have email as part of your Microsoft 365 subscription, sign in to the Exchange admin center and follow these steps to block your former employee from accessing their email.
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
+3. Double-click the user and go to the **Mailbox features** page. Under **Mobile Devices**, select **Disable Exchange ActiveSync** and **Disable OWA for Devices,** and answer **Yes** to both when prompted.
+4. Under **Email Connectivity**, select **Disable** and answer **Yes** when prompted.
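Review bot: The four sign-out steps at the top no longer carry the prerequisite that the replaced article stated right after them ("You need to be a global administrator to initiate sign-out"), so a reader without that role gets no warning before step 4; restore the note under the numbered list. The body line of the second `[!IMPORTANT]` alert is indented (` > Blocking an account can take up to 24 hours ...`) while its marker line is not, which may stop the two lines rendering as one alert. The front-matter title ("Stop an employee from logging in to Microsoft 365") and the H1 ("Prevent a former employee from logging in and block access to Microsoft 365 services") also differ; pick one wording.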
admin Remove Former Employee Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-2.md
+
+ Title: "Step 2 - Save the contents of a former employee's mailbox"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Learn how to save the content of a former employee's mailbox."
++
+# Step 2 - Save the contents of a former employee's mailbox
+
+Once you've blocked a user from being able to log into your organization you can save the contents of their mailbox. There are two ways you can save the contents of the former employee's mailbox.
+
+1. Place a Litigation Hold or In-Place Hold on the mailbox before the deleting the user account. This is much more complicated than the second option but worth doing if: your Enterprise plan includes archiving and legal hold, litigation is a possibility, and you have a technically strong IT department.
+
+ After you convert the mailbox to an "inactive mailbox," administrators, compliance officers, or records managers can use In-Place eDiscovery tools in Exchange Online to access and search the contents.
+
+ Inactive mailboxes can't receive email and aren't displayed in your organization's shared address book or other lists.
+
+ To learn how to place a hold on a mailbox, see [Manage inactive mailboxes in Exchange Online](../../compliance/create-and-manage-inactive-mailboxes.md).
+
+ **OR**
+
+2. Add the former employee's email address to your version of Outlook web app, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 6 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md).
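Review bot: Option 2 links to the wrong article: the text reads "Step 6 - Give another employee access to OneDrive and Outlook data" and targets remove-former-employee-step-6.md, but in this series that title belongs to Step 4 (remove-former-employee-step-4.md) and Step 6 is license removal. Fix both the link text and the target. The same item now says "your version of Outlook web app" where the replaced text said "Outlook 2013 or 2016", while the export procedure in Step 4 uses the **File** > **Open & Export** wizard in Outlook, so the client named here should match that procedure. Option 1 still carries the typo "before the deleting the user account".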
admin Remove Former Employee Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-3.md
+
+ Title: "Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Follow these steps to forward a former employee's email to another employee or convert to a shared mailbox."
++
+# Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox
+
+In this step, you assign the former employee's email address to another employee, or convert the user's mailbox to a shared mailbox.
+
+## Convert former employee's mailbox to a shared mailbox
+
+When you convert a user's mailbox to a shared mailbox, all of the existing email and calendar is retained. Only now it's in a shared mailbox where several people will be able to access it instead of one person. You can convert a shared mailbox back to a user (private) mailbox at a later date if you want.
+
+- Creating a shared mailbox is the less expensive way to go because you won't have to pay for a license **as long as the mailbox is smaller than 50GB**. Over 50GB and you'll need to assign a license to it.
+- If you convert the mailbox to a shared mailbox, all the old email will be available, too. This can take up a lot of space.
+- If you set up email forwarding, only *new* emails sent to the former employee will now be sent to the current employee.
+
+Follow these steps on how to [convert the user's mailbox to a shared mailbox](../email/convert-user-mailbox-to-shared-mailbox.md).
+
+## Forward a former employee's email to another employee
+
+ > [!IMPORTANT]
+ > If you're setting up email forwarding or a shared mailbox, at the end, don't delete the former employee's account. The account needs to be there to anchor the email forwarding or shared mailbox.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the name of the employee that you want to block, and then select the **Mail** tab.
+3. Under **Email Forwarding**, select **Manage email forwarding**.
+4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee who's going to get the email.
+5. Select **Save**.
+6. Remember, don't delete the former employee's account.
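Review bot: Step 2 of the forwarding procedure says "Select the name of the employee that you want to block", wording carried over from the sign-in blocking steps; here it should name the former employee whose email is being forwarded. The bullet "If you set up email forwarding, only *new* emails ..." sits under the shared-mailbox heading although it describes the other option, and the intro says you "assign the former employee's email address to another employee", which neither section does. Moving the three comparison bullets above both sections and changing the intro to "forward" would make the choice clear before the reader starts either procedure.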
admin Remove Former Employee Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-4.md
+
+ Title: "Step 4 - Give another employee access to OneDrive and Outlook data"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Follow these steps to give another employee access to the former employee's OneDrive and Outlook data."
++
+# Step 4 - Give another employee access to OneDrive and Outlook data
+
+When an employee leaves your organization, you'll want to access their OneDrive and Outlook data, back it up, and choose whether to give it to another employee.
+
+## Access a former user's OneDrive documents
+
+If you remove a user's license but don't delete the account, you can give yourself access to the content in the user's OneDrive. If you delete the user's account, you have 30 days by default to access the former user's OneDrive data. [Learn how to set the OneDrive retention for deleted users](/onedrive/set-retention). If you don't [restore a user account](/office365/admin/add-users/restore-user) within this time, their OneDrive content is deleted.
+
+To preserve a former user's OneDrive files, first give yourself access to their OneDrive, and then move the files you want to keep.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+
+2. Select a user.
+
+3. In the right pane, select **OneDrive**. Under **Get access to files**, select **Create link to files**.
+
+4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.
+
+> [!NOTE]
+> You can move or copy up to 500 MB of files and folders at a time.<br/>
+> When you move or copy documents that have version history, only the latest version is moved.
+
+### Revoke admin access to a user's OneDrive
+
+You can give yourself access to the content in a user's OneDrive, but you may want to remove your access when you no longer need it.
+
+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a> as a global admin or SharePoint admin.
+
+ If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.
+
+2. In the left pane, select **Admin centers** \> **SharePoint**. (You might need to select **Show all** to see the list of admin centers.)
+
+3. If the classic SharePoint admin center appears, select **Open it now** at the top of the page to open the SharePoint admin center.
+
+4. In the left pane, select **More features**.
+
+5. Under **User profiles**, select **Open**.
+
+6. Under **People**, select **Manage User Profiles**.
+
+7. Enter the user's name and select **Find**.
+
+8. Right-click the user, and then choose **Manage site collection owners**.
+
+9. Remove the person who no longer needs access to the user's data, and then select **OK**.
+
+## Access the Outlook data of a former user
+
+To save the email messages, calendar, tasks, and contacts of the former employee, export the information to an Outlook Data File (.pst).
+
+1. [Add the former employee's email](https://support.microsoft.com/office/6e27792a-9267-4aa4-8bb6-c84ef146101b) to your Outlook (If you [reset the user's password](reset-passwords.md), you can set it to something only you know.)
+
+2. In Outlook, select **File**.
+
+ ![This is what the ribbon looks like in Outlook 2016.](../../media/d7f66ed3-9861-4521-b410-e86a58ab15a7.png)
+
+3. Select **Open &amp; Export** \> **Import/Export**.
+
+ ![Import/Export command in the Backstage view](../../media/6013919e-d8ce-4902-b7b4-78ff4260a2f8.jpg)
+
+4. Select **Export to a file**, and then select **Next**.
+
+ ![Export to a file option in the Import and Export Wizard](../../media/458466a0-366b-4fbf-a2db-1919412c6527.jpg)
+
+5. Select **Outlook Data File (.pst)**, and then select **Next**.
+
+6. Select the account you want to export by selecting the name or email address, such as Mailbox - Anne Weiler or anne@contoso.com. If you want to export everything in your account, including mail, calendar, contacts, tasks, and notes, make sure the **Include subfolders** check box is selected.
+
+ > [!NOTE]
+ > You can export one account at a time. If you want to export multiple accounts, after one account is exported, repeat these steps.
+
+ ![Export Outlook Data File dialog box with top folder selected and Include subfolders checked](../../media/ce36616f-d76d-4ce2-b517-8ac4874e0971.jpg)
+
+7. Select **Next**.
+
+8. Select **Browse** to select where to save the Outlook Data File (.pst). Type a *file name*, and then select **OK** to continue.
+
+ > [!NOTE]
+ > If you've used export before, the previous folder location and file name appear. Type a *different file name* before selecting **OK**.
+
+9. If you are exporting to an existing Outlook Data File (.pst), under **Options**, specify what to do when exporting items that already exist in the file.
+
+10. Select **Finish**.
+
+Outlook begins the export immediately unless a new Outlook Data File (.pst) is created or a password-protected file is used.
+
+- If you're creating an Outlook Data File (.pst), an optional password can help protect the file. When the **Create Outlook Data File** dialog box appears, type the *password* in the **Password** and **Verify Password** boxes, and then select **OK**. In the **Outlook Data File Password** dialog box, type the *password*, and then select **OK**.
+
+- If you're exporting to an existing Outlook Data File (.pst) that is password protected, in the **Outlook Data File Password** dialog box, type the *password*, and then select **OK**.
+
+See how to [Export or backup email, contacts, and calendar to an Outlook .pst file](https://support.microsoft.com/office/14252b52-3075-4e9b-be4e-ff9ef1068f91) in Outlook 2010.
+
+ > [!NOTE]
+ > By default, your email is available offline for a period of 12 months. If required, see how to [increase the data available offline](/outlook/troubleshoot/mailboxes/only-subset-items-synchronized).
+
+### Give another user access to a former user's email
+
+To give access to the email messages, calendar, tasks, and contacts of the former employee to another employee, import the information to another employee's Outlook inbox.
+
+> [!NOTE]
+> You can also [convert the former user's mailbox to a shared mailbox](/office365/admin/email/convert-user-mailbox-to-shared-mailbox) or [forward a former employee's email to another employee](/office365/admin/add-users/remove-former-employee#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox).
+
+1. In Outlook, go to **File** \> **Open &amp; Export** \> **Import/Export**.
+
+ This starts the Import and Export Wizard.
+
+2. Select **Import from another program or file**, and then select **Next**.
+
+ ![Import and Export Wizard](../../media/15cdd674-cd7b-492c-8e93-992cfa890f26.jpg)
+
+3. Select **Outlook Data File (.pst)**, and select **Next**.
+
+4. Browse to the .pst file you want to import.
+
+5. Under **Options**, choose how you want to deal with duplicates
+
+6. Select **Next**.
+
+7. If a password was assigned to the Outlook Data File (.pst), enter the password, and then select **OK**.
+
+8. Set the options for importing items. The default settings usually don't need to be changed.
+
+9. Select **Finish**.
+
+> [!NOTE]
+> The steps remain the same for accessing an existing user's OneDrive and email data.
+
+> [!TIP]
+> If you want to import or restore only a few items from an Outlook Data File (.pst), you can open the Outlook Data File. Then, in the navigation pane, drag the items from Outlook Data File folders to your existing Outlook folders.
+
+## Related articles
+
+[Add and remove admins on a OneDrive account](/sharepoint/manage-user-profiles#add-and-remove-admins-for-a-users-onedrive)
+
+[Restore a deleted OneDrive](/onedrive/restore-deleted-onedrive)
+
+[OneDrive retention and deletion](/onedrive/retention-and-deletion)
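Review bot: The note under "Give another user access to a former user's email" still links to `/office365/admin/add-users/remove-former-employee#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox`, but this change moves forwarding and shared-mailbox conversion into remove-former-employee-step-3.md, so the link should point there. Smaller points in the export procedure: step 1 is missing a period after "to your Outlook", step 5 of the import list ("choose how you want to deal with duplicates") has no closing period, and the "See how to ..." sentence refers to Outlook 2010 while the screenshot alt text refers to Outlook 2016.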
admin Remove Former Employee Step 5 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-5.md
+
+ Title: "Step 5 - Wipe and block a former employee's mobile device"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Follow these steps to block a former employee's mobile device access."
++
+# Step 5 - Wipe and block a former employee's mobile device
+
+If your former employee had an organization phone, you can use the Exchange admin center to wipe and block that device so that all organization data is removed from the device and it can no longer connect to Office 365. If your organization uses Basic Mobility and Security to manage mobile devices, you can wipe and block those devices using Basic Mobility and Security.
+
+## Wipe mobile device using the Exchange admin center
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
+3. Select the user, and under **Mobile Devices**, select **View details**.
+4. On the **Mobile Device Details** page, under **Mobile devices**, select the mobile device, select **Wipe Data**![Wipe Device](../../media/1c113a36-53cb-4974-884f-3ecd9535506e.png), and then select **Block**.
+5. Select **Save**.
+ > [!TIP]
+ > Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
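Review bot: The intro says devices managed with Basic Mobility and Security can be wiped and blocked there, but the article only has a procedure for the Exchange admin center and gives no link for the Basic Mobility and Security path; add a section or a link so that case is covered. In step 4 the image is embedded mid-sentence directly after **Wipe Data** with no space, which breaks the sentence. The `[!TIP]` is nested under step 5 ("Select **Save**") although it concerns a separate system, and it spells the product "Blackberry" rather than "BlackBerry"; move it out of the list. The intro also says "Office 365" where the rest of the series says Microsoft 365.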
admin Remove Former Employee Step 6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-6.md
+
+ Title: "Step 6 - Remove and delete the Microsoft 365 license from a former employee"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Follow these steps to remove the Microsoft 365 license from a former employee."
++
+# Step 6 - Remove the Microsoft 365 license from a former employee
+
+If you don't want to pay for a license after someone leaves your organization, you need to remove their Microsoft 365 license and then delete it from your subscription. You can assign a license to another user if you don't delete it.
+
+When you remove the license, all that user's data is held for 30 days. You can [access](get-access-to-and-back-up-a-former-user-s-data.md) the data, or [restore](restore-user.md) the account if the user comes back. After 30 days, all the user's data (except for documents stored on SharePoint Online) is permanently deleted from Microsoft 365 and can't be recovered.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the name of the employee that you want to block, and then select the **Licenses and Apps** tab.
+3. Clear the check boxes for the license(s) you want to remove, and then select **Save changes**.
+
+**To reduce the number of licenses you're paying for** until you hire another person, do the following steps:
+
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page, and select the **Products** tab.
+2. Select the subscription from which you want to remove licenses.
+3. On the details page, select **Remove licenses**.
+4. In the **Remove licenses** pane, under New quantity, in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 25 licenses and you want to remove one of them, enter 24.
+5. Select **Save**.
+
+When you [add another person](add-users.md) to your business, you'll be prompted to buy a license at the same time, with just one step!
+
+For more information about managing user licenses for Microsoft 365 for business, see [Assign licenses to users in Microsoft 365 for business](../manage/assign-licenses-to-users.md), and [Unassign licenses from users in Microsoft 365 for business](../manage/remove-licenses-from-users.md).
+
+## How the deleted employee account affects Skype for Business
+
+When you remove a user's license from Office 365, the PSTN calling number associated with the user will be released. You can assign it to another user.
+
+If the user belongs to a queue group, they will no longer be a viable target of the call queue agents. So, we recommend also removing the user from the groups associated with the call queue.
+
+## Set up call forwarding to people in your organization
+
+If you need to set up call forwarding for the terminated employee's phone number, the call forwarding setting under calling policies can set up forwarding where incoming calls can be forwarded to other users or can ring another person at the same time. For more information, see [Calling policies in Microsoft Teams](/microsoftteams/teams-calling-policy).
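Review bot: Step 2 of the license procedure says "Select the name of the employee that you want to block", copied from the blocking steps; it should refer to the employee whose license is being removed. The front-matter title says "Remove and delete the Microsoft 365 license" while the H1 says only "Remove the Microsoft 365 license"; align them. The "access" link still targets get-access-to-and-back-up-a-former-user-s-data.md although this series puts that material in Step 4, so consider linking to Step 4 instead. The heading "How the deleted employee account affects Skype for Business" does not match its body, which describes what happens when a license is removed, and that body says "Office 365".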
admin Remove Former Employee Step 7 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-7.md
+
+ Title: "Step 7 - Delete a former employee's user account"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+- SPO_Content
+
+- MSStore_Link
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Follow these steps to delete a former employee's user account."
++
+# Step 7 - Delete a former employee's user account
+
+After you've saved and accessed all the former employee's user data, you can delete the former employee's account.
+
+> [!IMPORTANT]
+> Don't delete the account if you've set up email forwarding or converted it to a shared mailbox. Both need the account to anchor the forwarding or shared mailbox.
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the name of the employee that you want to delete.
+3. Under the user's name, select **Delete user**. Choose the options you want for this user, and then select **Delete user**. If you've already given another user access to this user's email and OneDrive, you don't have to do it again here.
+
+When you delete a user, the account becomes inactive for approximately 30 days. You have until then to restore the account before it is permanently deleted.
+
+## Does your organization use Active Directory?
+
+If your organization synchronizes user accounts to Microsoft 365 from a local Active Directory environment, you must delete and restore those user accounts in your local Active Directory service. You can't delete or restore them in Office 365.
+
+To learn how to delete and restore user account in Active Directory, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)).
+
+If you're using Azure Active Directory, see the [Remove-MsolUser](https://go.microsoft.com/fwlink/?linkid=842230) PowerShell cmdlet.
+
+## What you need to know about terminating an employee's email session
+
+Here's information about how to get an employee out of email (Exchange).
+
+|||
+|:--|:--|
+|**What you can do** <br/> |**How you do it** <br/> |
+|Terminate a session (such as Outlook on the web, Outlook, Exchange active sync, etc.) and force to open a new session <br/> |Reset password <br/> |
+|Terminate a session and block access to future sessions (for all protocols) <br/> |Disable the account. For example, (in the Exchange admin center or using PowerShell): <br/> `Set-Mailbox user@contoso.com -AccountDisabled:$true` <br/> |
+|Terminate the session for a particular protocol (such as ActiveSync) <br/> |Disable the protocol. For example, (in the Exchange admin center or using PowerShell): <br/> `Set-CASMailbox user@contoso.com -ActiveSyncEnabled:$false` <br/> |
+
+The above operations can be done in three places:
+
+|||
+|:--|:--|
+|**If you terminate the session here** <br/> |**How long it takes** <br/> |
+|In the Exchange admin center or using PowerShell <br/> |Expected delay is within 30 min <br/> |
+|In the Azure Active Directory admin center <br/> |Expected delay is 60 min <br/> |
+|In an on-premises environment <br/> |Expected delay is 3 hours or more <br/> |
+
+### How to get fastest response for account termination
+
+ **Fastest**: Use the Exchange admin center (use PowerShell) or Azure Active Directory admin center. In an on-premises environment, it can take several hours to sync the change through DirSync.
+
+ **Fastest for a user with presence on-premises and in the Exchange Datacenter**: Terminate the session using Azure Active Directory admin center/Exchange admin center AND make the change in the on-premises environment as well. Otherwise, the change in Azure Active Directory admin center/Exchange admin center will be overwritten by DirSync.
+
+## Related articles
+
+[Restore a user](restore-user.md)
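Review bot: The "Fastest" paragraph lists the Exchange admin center and the Azure Active Directory admin center together, but the table just above gives them different delays (within 30 min versus 60 min), and Step 1 of this series says blocking an account can take up to 24 hours. Reconcile the three figures, or state which action each one measures, because readers will use them to decide how long a former employee may still have access. "(use PowerShell)" after "Exchange admin center" is ambiguous; the table wording "In the Exchange admin center or using PowerShell" is clearer. Both tables use an empty `|||` header row with the real headers as a bolded first data row; put the headers in the header row. "delete and restore user account" in the Active Directory section needs "a user account".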
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
Title: "Remove a former employee"
+ Title: "Remove a former employee - Overview"
f1.keywords: - NOCSH
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Follow this checklist to remove an employee from Microsoft 365 and secure data. "
+description: "Follow the steps in this solution to remove a former employee from Microsoft 365 and secure your organization's data."
-# Remove or Delete a former employee
+# Overview: Remove a former employee and secure data
-## Sign out now!
+A question we often get is, "What should I do to secure data and protect access when an employee leaves my organization?" This article series explains how to block access to Microsoft 365, the steps you should take to secure your data, and how to allow other employees to access the data.
-
-Watch a short video about removing an employee. <br><br>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOfR]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
-
-To prevent an employee from logging in:
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the box next to the user's name, and then select **Reset password**.
-3. Enter a new password, and then select **Reset**. (Don't send it to them.)
-4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the user, and then select **Reset password**.
-
-3. Enter a new password, and then select **Reset**. (Don't send it to them.)
-
-4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the user, and then select **Reset password**.
-
-3. Enter a new password, and then select **Reset**. (Don't send it to them.)
-
-4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
--
-> [!NOTE]
-> You need to be a global administrator to initiate sign-out.
-
-Within an hour - or after they leave the current Microsoft 365 page they are on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they navigate out of their current webpage.
-
> [!IMPORTANT]
-> If the user is in Outlook on the web, just clicking around in their mailbox, they may not be kicked out immediately. As soon as they select a different tile, such as OneDrive, or refresh their browser, the sign-out is initiated.
-
-To use PowerShell to sign out a user immediately, see [Revoke-AzureADUserAllRefreshToken](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) cmdlet.
-
-For more information about how long it takes to get someone out of email, see [What you need to know about terminating an employee's email session](#what-you-need-to-know-about-terminating-an-employees-email-session).
-
-## Overview of all the steps to remove an employee and secure data
-
-A question we often get is, "What should I do to protect data when an employee leaves the organization?" This article explains how to block access to Microsoft 365 and the steps you should take to secure your data.
-
-> [!NOTE]
-> If you are a global administrator you can delete the employee, forward their email, choose what to do with their OneDrive content using the new guided experience. For more information, see [Global admin: Delete a user](remove-former-employee.md). However, we recommend completing all of the additional steps listed here to ensure the employee doesn't have access to your company's data.
-
-Here's a quick overview. Each step is explained in detail in this article.
-
-|||
-|:--|:--|
-|**Step** <br/> |**Why do this** <br/> |
-|1. [Save the contents of a former employee's mailbox](#save-the-contents-of-a-former-employees-mailbox) <br/> |This is useful for the person who is going to take over the employee's work, or if there is litigation. <br/> |
-|2. [Forward a former employee's email to another employee or convert to a shared mailbox](#forward-a-former-employees-email-to-another-employee-or-convert-to-a-shared-mailbox) <br/> |This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work. <br/> |
-|3. [Wipe and block a former employee's mobile device](#wipe-and-block-a-former-employees-mobile-device) <br/> |Removes your business data from the phone or tablet. <br/> |
-|4. [Block a former employee's access to Microsoft 365 data](#block-a-former-employees-access-to-microsoft-365-data)<br/> |It prevents the person from accessing their old Microsoft 365 mailbox and data. <br/><br/> **Tip**: When you block a user's access, you're still paying for their license. To stop paying for it, delete the license from your subscription (step 5). |
-|5. [Move the employee's OneDrive content](get-access-to-and-back-up-a-former-user-s-data.md) <br/> |If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/><br/> Before you delete the account, you should move the content of their OneDrive to another location that's easy for you to access. After you delete an employee's account, the content in their OneDrive is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their OneDrive content. If you restore the user's account, the OneDrive content will remain accessible to you even after 30 days. <br/> |
-|5a. What if the person used their personal computer to access OneDrive and SharePoint? <br/> |If they used a personal computer instead of a company-issued computer to download files from OneDrive and SharePoint, there's no way for you to wipe those files they stored. <br/><br/> They continue to have access to any files that were synced to their computer. <br/> |
-|6. [Remove and delete the Microsoft 365 license from a former employee](#remove-and-delete-the-microsoft-365-license-from-a-former-employee)<br/> |When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <br/><br/> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/> |
-|7. [Delete a former employee's user account](#delete-a-former-employees-user-account)<br/> |This removes the account from your admin center. Keeps things clean. <br/> |
-
-## Save the contents of a former employee's mailbox
-
-There are two ways you can save the contents of the former employee's mailbox:
-
-1. Add the former employee's email address to your version of Outlook 2013 or 2016, and then export the data to a .pst file. You can import the data to another email account as needed. To learn how to do this, see [Get access to and back up a former user's data](get-access-to-and-back-up-a-former-user-s-data.md).
-
- OR
-
-2. Place a Litigation Hold or In-Place Hold on the mailbox before the deleting the user account. This is much more complicated than the first option but worth doing if: your Enterprise plan includes archiving and legal hold, litigation is a possibility, and you have a technically strong IT department.
-
- After you convert the mailbox to an "inactive mailbox," administrators, compliance officers, or records managers can use In-Place eDiscovery tools in Exchange Online to access and search the contents.
-
- Inactive mailboxes can't receive email and aren't displayed in your organization's shared address book or other lists.
-
- To learn how to place a hold on a mailbox, see [Manage inactive mailboxes in Exchange Online](../../compliance/create-and-manage-inactive-mailboxes.md).
-
-## Forward a former employee's email to another employee or convert to a shared mailbox
-
-In this step, you assign the former employee's email address to another employee, or [convert the user's mailbox to a shared mailbox](../email/convert-user-mailbox-to-shared-mailbox.md) that you've created.
-
-- Creating a shared mailbox is the less expensive way to go because you won't have to pay for a license **as long as the mailbox is smaller than 50GB**. Over 50GB and you'll need to assign a license to it.-- If you convert the mailbox to a shared mailbox, all the old email will be available, too. This can take up a lot of space.-- If you set up email forwarding, only *new* emails sent to the former employee will now be sent to the current employee.-
- > [!IMPORTANT]
- > If you're setting up email forwarding or a shared mailbox, at the end, don't delete the former employee's account. The account needs to be there to anchor the email forwarding or shared mailbox.
--
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the name of the employee that you want to block, and then select the **Mail** tab.
-3. Under **Email Forwarding**, select **Manage email forwarding**.
-4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee who's going to get the email.
-5. Select **Save**.
-6. Remember, don't delete the former employee's account.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block and expand **Mail Settings**.
-
-3. Next to **Email forwarding**, select **Edit**.
-
-4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee (or shared mailbox) who's going to get the email.
-
-5. Select **Save**.
-
-6. Remember, don't delete the former employee's account.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block and expand **Mail Settings**.
-
-3. Next to **Email forwarding**, select **Edit**.
-
-4. Turn on **Forward all email sent to this mailbox**. In the **Forwarding address** box, type the email address of the current employee (or shared mailbox) who's going to get the email.
-
-5. Select **Save**.
-
-6. Remember, don't delete the former employee's account.
--
-## Wipe and block a former employee's mobile device
-
-If your former employee had an organization phone, you can use the Exchange admin center to wipe and block that device so that all organization data is removed from the device and it can no longer connect to Office 365.
-
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
-2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
-3. Select the user, and under **Mobile Devices**, select **View details**.
-4. On the **Mobile Device Details** page, under **Mobile devices**, select the mobile device, select **Wipe Data**![Wipe Device](../../media/1c113a36-53cb-4974-884f-3ecd9535506e.png), and then select **Block**.
-5. Select **Save**.
- > [!TIP]
- > Be sure you remove or disable the user from your on-premises Blackberry Enterprise Service. You should also disable any Blackberry devices for the user. Refer to the Blackberry Business Cloud Services Administration Guide if you need specific steps on how to disable the user.
-
-## Block a former employee's access to Microsoft 365 data
-
- > [!IMPORTANT]
- > Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, you should [reset their password](reset-passwords.md) and then initiate a one-time event that will sign them out of Microsoft 365 sessions across all devices. See [Sign out now!](#sign-out-now)
-
+> Although we've numbered the steps in this solution and you don't have to complete the solution using the exact order, we do recommend doing the steps this way.
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the name of the employee that you want to block, and under the user's name, select the symbol for **Block this user**.
-3. Select **Block the user from signing in**, and then select **Save**.
+## Before you begin
+You need to be a global administrator to complete the steps in this solution.
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block, and then select **Block sign-in**.
-
-3. Select **Block the user from signing in**, and then select **Save**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block, and then select **Block sign-in**.
-
-3. Select **Block the user from signing in**, and then select **Save**.
--
-## Block a former employee's access to email (Exchange Online)
-
-If you have email as part of your Microsoft 365 subscription, you need to sign in to the Exchange admin center to follow these steps to block your former employee from accessing their email.
-
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
-2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
-3. Double-click the user and go to the **Mailbox features** page. Under **Mobile Devices**, select **Disable Exchange ActiveSync** and **Disable OWA for Devices,** and answer **Yes** to both when prompted.
-4. Under **Email Connectivity**, select **Disable** and answer **Yes** when prompted.
-
-## Remove and delete the Microsoft 365 license from a former employee
-
-So you don't continue paying for a license after someone leaves your organization, you need to remove their Microsoft 365 license and then delete it from your subscription. If you choose not to delete the license from your subscription, you can assign it to another user.
-
-When you remove the license, all that user's data is held for 30 days. You can [access](get-access-to-and-back-up-a-former-user-s-data.md) the data, or [restore](restore-user.md) the account if the user comes back. After 30 days, all the user's data (except for documents stored on SharePoint Online) is permanently deleted from Microsoft 365 and can't be recovered.
--
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the name of the employee that you want to block, and then select the **Licenses and Apps** tab.
-3. Clear the check boxes for the license(s) you want to remove, and then select **Save changes**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block, and then next to **Product licenses**, select **Edit**.
-
-3. On the **Product licenses** page, toggle off the license(s) you want to remove, and then select **Save**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the employee that you want to block, and then next to **Product licenses**, select **Edit**.
-
-3. On the **Product licenses** page, toggle off the license(s) you want to remove, and then select **Save**.
--
-**To reduce the number of licenses you're paying for** until you hire another person, do the following steps:
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page, and select the **Products** tab.
-2. Select the subscription from which you want to remove licenses.
-3. On the details page, select **Remove licenses**.
-4. In the **Remove licenses** pane, under New quantity, in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 25 licenses and you want to remove one of them, enter 24.
-5. Select **Save**.
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-2. Select **Add/Remove licenses** to delete the license so you don't pay for it until you hire another person.
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-2. Select **Add/Remove licenses** to delete the license so you don't pay for it until you hire another person.
-
-When you [add another person](add-users.md) to your business, you'll be prompted to buy a license at the same time, with just one step!
-
-For more information about managing user licenses for Microsoft 365 for business, see [Assign licenses to users in Microsoft 365 for business](../manage/assign-licenses-to-users.md), and [Unassign licenses from users in Microsoft 365 for business](../manage/remove-licenses-from-users.md).
-
-## How the deleted employee account affects Skype for Business
-
-When you remove a user's license from Office 365, the PSTN calling number associated with the user will be released. You can assign it to another user.
-
-If the user belongs to a queue group, they will no longer be a viable target of the call queue agents. So, we recommend also removing the user from the groups associated with the call queue.
-
-## Set up call forwarding to people in your organization
-
-If you need to set up call forwarding for the terminated employee's phone number, the call forwarding setting under calling policies can set up forwarding where incoming calls can be forwarded to other users or can ring another person at the same time. For more information, see [Calling policies in Microsoft Teams](/microsoftteams/teams-calling-policy).
-
-## Delete a former employee's user account
-
-After you've saved and accessed all the former employee's user data, you can delete the former employee's account.
-
-Don't delete the account if you've set up email forwarding or converted it to a shared mailbox. Both need the account to anchor the forwarding or shared mailbox.
--
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the name of the employee that you want to delete.
-3. Under the user's name, select the symbol for **Delete user**. Choose the options you want for this user, and then select **Delete user**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select the name of the employee that you want to delete.
-
-3. At the top of the page, select **Delete user**. Choose the options you want for this user, and then select **Delete user**.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-2. Select the name of the employee that you want to delete.
-
-3. At the top of the page, select **Delete user**. Choose the options you want for this user, and then select **Delete user**.
--
-When you delete a user, the account becomes inactive for approximately 30 days. You have until then to restore the account before it is permanently deleted.
-
-### Does your organization use Active Directory?
-
-If your organization synchronizes user accounts to Microsoft 365 from a local Active Directory environment, you must delete and restore those user accounts in your local Active Directory service. You can't delete or restore them in Office 365.
-
-To learn how to delete and restore user account in Active Directory, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)).
-
-If you're using Azure Active Directory, see the [Remove-MsolUser](https://docs.microsoft.com/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
-
-## What you need to know about terminating an employee's email session
-
-Here's information about how to get an employee out of email (Exchange).
-
||| |:--|:--|
-|**What you can do** <br/> |**How you do it** <br/> |
-|Terminate a session (such as Outlook on the web, Outlook, Exchange active sync, etc.) and force to open a new session <br/> |Reset password <br/> |
-|Terminate a session and block access to future sessions (for all protocols) <br/> |Disable the account. For example, (in the Exchange admin center or using PowerShell): <br/> `Set-Mailbox user@contoso.com -AccountDisabled:$true` <br/> |
-|Terminate the session for a particular protocol (such as ActiveSync) <br/> |Disable the protocol. For example, (in the Exchange admin center or using PowerShell): <br/> `Set-CASMailbox user@contoso.com -ActiveSyncEnabled:$false` <br/> |
-
-The above operations can be done in three places:
-
-|||
-|:--|:--|
-|**If you terminate the session here** <br/> |**How long it takes** <br/> |
-|In the Exchange admin center or using PowerShell <br/> |Expected delay is within 30 min <br/> |
-|In the Azure Active Directory admin center <br/> |Expected delay is 60 min <br/> |
-|In an on-premises environment <br/> |Expected delay is 3 hours or more <br/> |
-
-### How to get fastest response for account termination
+|**Step** <br/> |**Why do this** <br/> |
+|[Step 1 - Prevent a former employee from logging in and block access to Microsoft 365 services](remove-former-employee-step-1.md) <br/> |This blocks your former employee from logging in to Microsoft 365 and prevents the person from accessing Microsoft 365 services. <br/> |
+|[Step 2 - Save the contents of a former employee's mailbox](remove-former-employee-step-2.md) <br/> |This is useful for the person who is going to take over the employee's work, or if there is litigation. <br/> |
+|[Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox](remove-former-employee-step-3.md) <br/> |This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work. <br/> |
+|[Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md) <br/> |If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/><br/> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days. <br/> |
+|[Step 5 - Wipe and block a former employee's mobile device](remove-former-employee-step-4.md) <br/> |Removes your business data from the phone or tablet. <br/> |
+|[Step 6 - Remove and delete the Microsoft 365 license from a former employee](remove-former-employee-step-7.md) <br/> |When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <br/><br/> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/> |
+|[Step 7 - Delete a former employee's user account](remove-former-employee-step-7.md) <br/> |This removes the account from your admin center. Keeps things clean. <br/> |
- **Fastest**: Use the Exchange admin center (use PowerShell) or Azure Active Directory admin center. In an on-premises environment, it can take several hours to sync the change through DirSync.
-
- **Fastest for a user with presence on-premises and in the Exchange Datacenter**: Terminate the session using Azure Active Directory admin center/Exchange admin center AND make the change in the on-premises environment as well. Otherwise, the change in Azure Active Directory admin center/Exchange admin center will be overwritten by DirSync.
-
## Related articles
-[Restore a user](restore-user.md)
+[Restore a user](restore-user.md)
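Review bot: In the new step table the link targets do not follow the step numbers: Step 4 points to remove-former-employee-step-6.md, Step 5 to remove-former-employee-step-4.md, and Step 6 and Step 7 both point to remove-former-employee-step-7.md, so no row links to a step-5 file. Please confirm each target and fix the duplicate. Separately, the deleted text includes the note that blocking an account can take up to 24 hours, the session-termination delay table, and the warning that a change made only in the Azure Active Directory admin center or Exchange admin center is overwritten by DirSync for users who also exist on-premises. None of the added lines in this file carry those caveats, so check that one of the step articles does before they drop out of the set.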
admin Compare Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
Distribution groups are best for situations where you need to broadcast informat
Distribution groups can be [upgraded to Microsoft 365 groups](../manage/upgrade-distribution-lists.md).
-Distriburion groups can be added to a team in Microsoft Teams.
+Distribution groups can be added to a team in Microsoft Teams.
## Security groups
admin Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/message-center.md
If administration is distributed across your organization, you may not want or n
2. In the **Custom View** tab, make sure that the check box is selected for each service that you want to monitor. Clear the check boxes for the services you want to filter out of your Message center view.
-3. Digest emails are turned on by default and are sent to your primary email address. To stop receiving the weekly digest, clear the **Send me email notifications from message center** check box in he **Email tab**.
+3. Digest emails are turned on by default and are sent to your primary email address. To stop receiving the weekly digest, clear the **Send me email notifications from message center** check box in he **Email tab**.
You can also enter up to two email addresses, separated by a semicolon. <br><br/>You can also choose the emails you want to get, as well as a weekly digest of services you select.
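Review bot: The re-added step 3 still reads "check box in he **Email tab**"; the only visible difference from the removed line is whitespace, so use this change to fix "he" to "the" and move "tab" outside the bold, matching "In the **Custom View** tab" in step 2.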
If administration is distributed across your organization, you may not want or n
We use machine translation to automatically display messages in your preferred language. Read [Language translation for Message center posts](language-translation-for-message-center-posts.md) for more information on how to set your language. > [!NOTE]
-> The weekly digest and any posts that are emailed are sent in English-only. Recipients can use [Translator for Outlook](https://support.microsoft.com/office/3d7e12ed-99d6-406e-a453-b9db0d9653fa) to read the message in their preferred language.
+> The weekly digest and any posts that are emailed are sent in English-only. Recipients can use [Translator for Outlook](https://support.microsoft.com/office/3d7e12ed-99d6-406e-a453-b9db0d9653fa) to read the message in their preferred language.
## Choose columns
A lot of actionable information about changes to Microsoft 365 services arrives
For an overview of Message center, see [Message center in Microsoft 365](message-center.md). Or, to learn how to set your language preferences to enable machine translation for Message center posts, see [Language translation for Message center posts](language-translation-for-message-center-posts.md). If you'd like to program an alternative way to get real-time service health information and Message Center communications, please reference [Microsoft 365 Service Communications API Overview](/previous-versions/office/developer/o365-enterprise-developers/jj984343(v=office.15)). ## Unsubscribe from Message center emails
-ary email address. To stop receiving the weekly digest, select **Preferences** and then **Email**.
-1. Digest emails are turned on by default and are sent to your prim
+1. Digest emails are turned on by default and are sent to your primary email address. To stop receiving the weekly digest, select **Preferences** and then **Email**.
- De-select the **Send a weekly digest of my messages** checkbox. - Email notification for major updates is a separate control. If you don't want to receive email notices about major updates, verify that **Send me emails for major updates** checkbox is not selected. - To stop receiving email notices about data privacy messages, verify that **Send me emails for data privacy messages** checkbox is not selected. (Data privacy messages are not included in the weekly digest.)
ary email address. To stop receiving the weekly digest, select **Preferences** a
[Manage which Office features appear in What's New](../manage/show-hide-new-features.md) (article)
-[Business subscriptions and billing documentation](../../commerce/index.yml) (links)
+[Business subscriptions and billing documentation](../../commerce/index.yml) (links)
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
Last updated 04/02/2021
# Manage payment methods
+> [!IMPORTANT]
+> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If youΓÇÖre an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account, and you can add new subscriptions to it, but only as long as the bank account is in good standing.
+ When you buy business products or services from Microsoft, you can use an existing payment method, or add a new one. You can use a credit or debit card, or bank account to pay for the things you buy. If your business account has a billing profile, and you are a billing profile owner or billing profile contributor, you can use the billing profile that's backed by a credit card or invoice payment to make purchases or pay bills. If you're a billing invoice manager, you can only use a billing profile to pay bills. To learn more about billing profiles and roles, see [Manage billing profiles](manage-billing-profiles.md).
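Review bot: The apostrophe in the added IMPORTANT block shows up as "youΓÇÖre", which points to a curly quote saved in the wrong encoding; replace it with a straight apostrophe, as the unchanged text of this article already does in "that's" and "you're". The same block, with the same character, is added to pay-for-your-subscription.md, understand-your-invoice2.md and renew-your-subscription.md, so keeping the text in one shared include would let it be corrected once.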
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
# How to pay for your subscription
+> [!IMPORTANT]
+> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If youΓÇÖre an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account, and you can add new subscriptions to it, but only as long as the bank account is in good standing.
+ You can use a credit or debit card, or bank account to pay for your subscription. In some cases, you can pay by invoice, using check or electronic funds transfer (EFT). If you have a billing profile, your options are slightly different. For more information, see [How to pay for your subscription with a billing profile](pay-for-subscription-billing-profile.md). If youΓÇÖre not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md). **Just want to find out where to send your invoice payment?** If you pay your invoice by check or electronic funds transfer (EFT), see [Where do I send my check or EFT payment?](#where-do-i-send-my-check-or-eft-payment)
commerce Understand Your Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md
keywords: billing accounts, organization info, invoices
The invoice provides a summary of your charges and instructions for payment. You can [view your online invoice](#view-your-online-invoice) in the Microsoft 365 admin center. You can also download it in the Portable Document Format (.pdf) to send via email.
+To view and print your invoice:
+
+1. On the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page, select an invoice date range.
+2. To print or save a PDF copy of the bill, select **Download invoice PDF**, and then print the PDF.
+
+To learn more, see [View your bill or invoice](view-your-bill-or-invoice.md).
+ If you only have a Microsoft 365 subscription, see [Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md). ## Understand the invoice header
Payment instructions depend on your payment method and are provided at the botto
- **Service period:** The time period during which you're charged to use the service. - **Billing period:** The time period since the last invoice date.
-### How do I view and print my bill?
-
-1. On the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page, select an invoice date range.
-2. To print or save a PDF copy of the bill, select **Download invoice PDF**, and then print the PDF.
-
-To learn more, see [View your bill or invoice](view-your-bill-or-invoice.md).
- ### Why don't I see Azure prepayment as a payment method? Azure prepayment is available as a payment method only for eligible Azure product and services.
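Review bot: Moving the view-and-print steps to the top of the article removes the "### How do I view and print my bill?" heading and replaces it with the plain sentence "To view and print your invoice:", so any existing link to that heading's anchor no longer resolves. Either keep a heading above the moved steps or check for inbound links to the old anchor before merging.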
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
description: "Learn how to interpret the charges, billing, and payment informati
# Understand your bill or invoice for Microsoft 365 for business
+> [!IMPORTANT]
+> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If youΓÇÖre an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account, and you can add new subscriptions to it, but only as long as the bank account is in good standing.
+ Either monthly or annually (depending on the option you chose when you purchased your subscription), you'll receive an email that tells you that your new billing statement is available in the admin center. [Learn how to find and view your bill or invoice](view-your-bill-or-invoice.md). Your invoice contains two pages. Page 1 is the invoice summary, and contains general information about the invoice, order, amount due, how to make a payment, and how to contact support.
commerce Mexico https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/mexico.md
description: Learn where to send the payment for your subscription.
-# Payment information for Mexico
+# Payment information by deposit or electronic transfer (only for Mexico)
[Find another country or region](../billing-and-payments/pay-for-your-subscription.md).
-Please pay in Mexican Pesos only. For your payment to be processed, your company name and invoice(s) number must be provided on remittance payment.
+To pay by deposit or electronic transfer:
-## Electronic Funds Transfer
+1. Please select at checkout the payment method "Invoice (pay by check or wire transfer)". Within the next 24 to 72 hours you will receive the invoice of the product in the email registered as contact. The invoice will include the instructions to complete the payment.
+2. Pay to the following bank account (in order for your payment to be processed correctly, please indicate the name of purchaser and the corresponding invoice number):
**Bank:** Citibank/Banamex
-**Branch:** Act. Roberto Medellin 800, P.B. Sur,Col. Santa Fe, Mexico City C.P. 01210, Mexico
+**Branch:** Act. Roberto Medellin 800, P.B. Sur, Col. Santa Fe, Mexico City C.P. 01210, Mexico
**SWIFT Code:** BNMXMM **CLABE** 002180002337160225 **Account Number:** 0233716022
-**Account Name:** Microsoft Payments Inc.
+**Account Name:** Microsoft Payments Inc.
+**Currency:** Mexican pesos
+
+## Important Information
+
+1. Payment by deposit or electronic transfer is only available for amounts greater than MXN $3,500.
+2. Payment must be made within 30 days; otherwise the order will be automatically cancelled.
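Review bot: The two conditions under "## Important Information" (only for amounts greater than MXN $3,500, and payment within 30 days or the order is cancelled) come after the bank details, but a customer needs the minimum amount before choosing "Invoice (pay by check or wire transfer)" in step 1; move them above the numbered steps. Also, the bank fields that follow step 2 start at column 0 ("**Bank:**", "**Branch:**", and so on), so they will render outside the list item; indent them under step 2. The removed line asked for the company name on the remittance while the new step 2 asks for the "name of purchaser", so confirm that change is intended.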
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
description: "Learn how to renew your Microsoft 365 by turning recurring billing
# Renew Microsoft 365 for business
+> [!IMPORTANT]
+> As of January 26, 2021, new bank accounts are no longer supported for customers in Belgium, France, Italy, Luxembourg, Portugal, Spain, and the United States. If youΓÇÖre an existing customer in one of those countries, you can continue paying for your subscription with an existing bank account, and you can add new subscriptions to it, but only as long as the bank account is in good standing.
+ This article applies to most paid Microsoft 365 for business subscriptions. To renew by using a product key that you bought from a retail store or Microsoft partner, see [Find and enter your product key](../enter-your-product-key.md).
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
In comparison, when you delete a label:
- If the label applied encryption, the underlying protection template is archived so that previously protected content can still be opened. Because of this archived protection template, you won't be able to create a new label with the same name. Although it's possible to delete a protection template by using [PowerShell](/powershell/module/aipservice/remove-aipservicetemplate), don't do this unless you're sure you don't need to open content that was encrypted with the archived template. -- For desktop apps: The label information in the metadata remains, but because a label ID to name mapping is no longer possible, users don't see the applied label name displayed (for example, on the status bar) so users will assume the content isn't labeled. If the label applied encryption, the encryption remains and when the content is opened, uses still see the name and description of the now archived protection template.
+- For desktop apps: The label information in the metadata remains, but because a label ID to name mapping is no longer possible, users don't see the applied label name displayed (for example, on the status bar) so users will assume the content isn't labeled. If the label applied encryption, the encryption remains and when the content is opened, users still see the name and description of the now archived protection template.
-- For Office on the web: Users don't see the label name on status bar or in the **Sensitivity** column. The label information in the metadata remains only if the label didn't apply encryption. If the label applied encryption, and you've enabled [sensitivity labels for SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md), the label information in the metadata is removed and the encryption is removed.
+- For Office on the web: Users don't see the label name on the status bar or in the **Sensitivity** column. The label information in the metadata remains only if the label didn't apply encryption. If the label applied encryption, and you've enabled [sensitivity labels for SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md), the label information in the metadata is removed and the encryption is removed.
When you remove a sensitivity label from a label policy, or delete a sensitivity label, these changes can take up to 24 hours to replicate to all users and services.
To configure and use your sensitivity labels for specific scenarios, use the fol
- [Enable sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md)
-To monitor how your labels are being used, see [Get started with data classification](data-classification-overview.md).
+To monitor how your labels are being used, see [Get started with data classification](data-classification-overview.md).
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
The limits described in this section are related to using the search tool on the
|Maximum number of mailboxes or sites that can be searched in a single search. |No limit| |Maximum number of searches that can run at the same time. |No limit | |Maximum number of searches that a single user can start at the same time. |10 |
-|Maximum number of characters for a search query (including operators and conditions). |10,000&nbsp;<sup>2</sup>|
+|Maximum number of characters for a search query (including operators and conditions). |10,000 &nbsp;<sup>2</sup>|
+|Maximum number of characters for a search query for SharePoint and OneDrive for Business sites (including operators and conditions). |10,000<br>4,000 with Wildcards&nbsp;<sup>2</sup>|
|Minimum number of alpha characters for prefix wildcards; for example, **one\*** or **set\***.|3 | |Maximum variants returned when using prefix wildcard to search for an exact phrase or when using a prefix wildcard and the **NEAR** Boolean operator. |10,000&nbsp;<sup>3</sup>| |Maximum number of items per user mailbox that are displayed on preview page for searches. The newest items are displayed. |100|
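Review bot: The edited row now reads "10,000 &nbsp;<sup>2</sup>", with a literal space before the non-breaking space that the neighbouring "10,000&nbsp;<sup>3</sup>" cell does not have; drop the extra space. In the added SharePoint and OneDrive row, "4,000 with Wildcards" should use lowercase "wildcards" to match the rest of the table, and the cell would be clearer if it said which figure applies when no wildcard is used.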
The limits described in this section are related to exporting documents out of a
> [!NOTE] > <sup>1</sup> Any item that exceeds a single file limit will show up as a processing error. >
-> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit.
+> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched count against this limit. The total number of characters consists of:<br>
+> - All characters in both the Users and Filters fields.
+> - All search permissions filters that apply to the user.
+> - The characters from any location properties in the search; this includes ExchangeLocation,PublicFolderLocation,SharPointLocation,ExchangeLocationExclusion,PublicFolderLocationExclusion,SharePointLocationExclusion, OneDriveLocationExclusion.
+> For example, including all SharePoint sites and OneDrive accounts in the search will count as six characters, as the word "ALL" will appear for both the SharePointLocation and OneDriveLocation field.
> > <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR …"**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms. >
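Review bot: The location property list in the expanded footnote 2 misspells "SharPointLocation" (should be SharePointLocation) and omits OneDriveLocation, even though the example on the next added line relies on "ALL" appearing in both the SharePointLocation and OneDriveLocation fields. Add the missing property, put a space after each comma, and consider formatting the property names as code so they are not run together.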
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
|The maximum number of items per public folder mailbox that are displayed on the preview page when previewing content search results. <br/> |100 <br/> | |The maximum number of items found in all public folder mailboxes that are displayed on the preview page when previewing content search results. <br/> |200 <br/> | |The maximum number of public mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain content that matches the search query, only the top 500 public folder mailboxes with the most search results will be available for preview. <br/> |500 <br/> |
-|The maximum number of characters for the search query (including operators and conditions) for a search. <br/><br/> **Note:** This limit takes effect after the query is expanded, which means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in search query may be below the limit, it's the expanded query that may contribute to exceeding this limit. <br/> |**Mailboxes:** 10,000 <br/> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> |
+|The maximum number of characters for the search query (including operators and conditions) for a search. <br/><br/> **Note:** This limit takes effect after the query is expanded and includes characters from the keyword query, any search permissions filters applied to the user, and the URLs of all site locations. This means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in the search query may be below the limit, it's the expanded query that may contribute to exceeding this limit. <br/> |**Mailboxes:** 10,000 <br/> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> |
|Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a search query or when using a prefix wildcard and the **NEAR** Boolean operator. <br/> |10,000 <sup>3</sup> <br/> | |The minimum number of alpha characters for prefix wildcards; for example, `time*`, `one*`, or `set*`. <br/> |3 <br/> | |The maximum number of mailboxes in a search that you can delete items in by doing a "search and purge" action (by using the **New-ComplianceSearchAction -Purge** command). If the search that you're doing a purge action for has more source mailboxes than this limit, the purge action will fail. For more information about search and purge, see [Search for and delete email messages in your organization](search-for-and-delete-messages-in-your-organization.md). <br/> |50,000 <br/> |
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
The **Remove-ComplianceSecurityFilter** is used to delete a search filter. Use t
- **Does search permissions filtering work for inactive mailboxes?** Yes, you can use mailbox and mailbox content filters to limit who can search inactive mailboxes in your organization. Like a regular mailbox, an inactive mailbox has to be configured with the recipient property that's used to create a permissions filter. If necessary, you can use the **Get-Mailbox -InactiveMailboxOnly** command to display the properties of inactive mailboxes. For more information, see [Create and manage inactive mailboxes in Office 365](create-and-manage-inactive-mailboxes.md). - **Does search permissions filtering work for public folders?** No. As previously explained, search permissions filtering can't be used to limit who can search public folders in Exchange. For example, items in public folder locations can't be excluded from the search results by a permissions filter.
-
-- **Does allowing a user to search all content locations in a specific service also prevent them from searching content locations in a different service?** No. As previously explained, you have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites.+
+- **Does allowing a user to search all content locations in a specific service also prevent them from searching content locations in a different service?** No. As previously explained, you have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites.
+
+- **Do search permissions filters count against search query character limits?** Yes. Search permissions filters count against the character limit for search queries. For more information, see [Limits in Advanced eDiscovery](limits-ediscovery20.md).
+
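Review bot: The new FAQ entry sends readers only to limits-ediscovery20.md, but this article covers permissions filtering for content search, and the content search limits article changed in the same batch now states that its character limit "includes characters from the keyword query, any search permissions filters applied to the user, and the URLs of all site locations". Link to limits-for-content-search.md as well, or instead, so that admins sizing a permissions filter land on the limit that applies to the tool they are using.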
enterprise Configure Exchange Server For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
Get-WebServicesVirtualDirectory | FL server,*url*
Get-ClientAccessServer | fl Name, AutodiscoverServiceInternalUri Get-OABVirtualDirectory | FL server,*url* Get-AutodiscoverVirtualDirectory | FL server,*url*
-Get-OutlookAnywhere | FL server,*url*
``` Ensure the URLs clients may connect to are listed as HTTPS service principal names in AAD. In case EXCH is in hybrid with **multiple tenants**, these HTTPS SPNs should be added in the AAD of all the tenants in hybrid with EXCH.
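Review bot: Removing "Get-OutlookAnywhere | FL server,*url*" from the command block is not explained, and the sentence that follows still tells admins to ensure every URL clients may connect to is listed as an HTTPS service principal name in AAD. If Outlook Anywhere endpoints can still be published in a hybrid deployment, dropping the command means their host names are no longer collected for the SPN check. Either state in the article why the Outlook Anywhere URLs no longer need to be registered, or keep the command.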
enterprise Office 365 Network Mac Perf Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-insights.md
There are six specific network insights that may be shown for each office locati
- [Low download speed from SharePoint front door](#low-download-speed-from-sharepoint-front-door) - [China user optimal network egress](#china-user-optimal-network-egress)
-There are two tenant level network insights that may be shown for the tenant. These also appear in the producvitivy score pages:
+There are two tenant level network insights that may be shown for the tenant. These also appear in the productivity score pages:
- [Exchange sampled connections impacted by connectivity issues](#exchange-sampled-connections-impacted-by-connectivity-issues) - [SharePoint sampled connections impacted by connectivity issues](#sharepoint-sampled-connections-impacted-by-connectivity-issues)
This insight will be displayed if the network insights service detects that the
This insight is abbreviated as "Egress" in some summary views.
-![Backhauled network egress](../media/m365-mac-perf/m365-mac-perf-insights-detail-backhauled.png)
+> [!div class="mx-imgBorder"]
+> ![Backhauled network egress](../media/m365-mac-perf/m365-mac-perf-insights-detail-backhauled.png)
### What does this mean?
This insight will be displayed if the network insights service detects that a si
This insight is abbreviated as "Peers" in some summary views.
-![Relative network performance](../media/m365-mac-perf/m365-mac-perf-insights-detail-cust-near-you.png)
+> [!div class="mx-imgBorder"]
+> ![Relative network performance](../media/m365-mac-perf/m365-mac-perf-insights-detail-cust-near-you.png)
### What does this mean?
This insight will be displayed if the network insights service detects that user
This insight is abbreviated as "Routing" in some summary views.
-![Non-optimal EXO front door](../media/m365-mac-perf/m365-mac-perf-insights-detail-front-door-exo.png)
+> [!div class="mx-imgBorder"]
+> ![Non-optimal EXO front door](../media/m365-mac-perf/m365-mac-perf-insights-detail-front-door-exo.png)
### What does this mean?
This insight will be displayed if the network insights service detects that user
This insight is abbreviated as "Afd" in some summary views.
-![Non-optimal SPO front door](../media/m365-mac-perf/m365-mac-perf-insights-detail-front-door-spo.png)
+> [!div class="mx-imgBorder"]
+> ![Non-optimal SPO front door](../media/m365-mac-perf/m365-mac-perf-insights-detail-front-door-spo.png)
### What does this mean?
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
For this option, you must have at least two computers running at each office loc
Windows Location Service must be consented on the machines. You can test this by running the **Maps** app and locating yourself. It can be enabled on a single machine with **Settings | Privacy | Location** where the setting _Allow apps to access your location_ must be enabled. Windows Location Services consent can be deployed to PCs using MDM or Group Policy with the setting _LetAppsAccessLocation_.
-You do not need to add locations in the Admin Center with this method as they are automatically identified at the city resolution. Multiple office locations within the same city will not be shown when using Windows Location Services. Location information is rounded to the nearest 300 metres by 300 metres so that more precise location information is not accessed.
+You do not need to add locations in the Admin Center with this method as they are automatically identified at the city resolution. Multiple office locations within the same city will not be shown when using Windows Location Services. Location information is rounded to the nearest 300 meters by 300 meters so that more precise location information is not accessed.
The machines should have Wi-Fi networking rather than an ethernet cable. Machines with an ethernet cable do not have accurate location information.
includes Microsoft 365 Client Support Conditional Access Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-conditional-access-include.md
|POWER BI|Planned|Planned|N/A|Planned|Planned| |POWERPOINT|Γ£ö|Planned|Planned|Planned|Planned| |PROJECT|N/A|N/A|N/A|Planned|N/A|
-|PUBLISHER|N/A|N/A|N/A|Planned|N/A|
+|PUBLISHER|N/A|N/A|N/A|Γ£ö|N/A|
|SHAREPOINT ADMIN|N/A|N/A|N/A|Planned|N/A| |SHAREPOINT|Planned|Planned|N/A|N/A|N/A| |STICKY NOTES|N/A|N/A|N/A|N/A|Planned|
learning Configure Sharepoint Content Source https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/configure-sharepoint-content-source.md
Viva Learning (Preview) supports the following document types:
- Audio (.m4a) - Video (.mov, .mp4, .avi)
-For more information, see the [SharePoint Online documentation](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits?redirectSourcePath=%252farticle%252fSharePoint-Online-limits-8f34ff47-b749-408b-abc0-b605e1f6d498).
+For more information, see [SharePoint limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits?redirectSourcePath=%252farticle%252fSharePoint-Online-limits-8f34ff47-b749-408b-abc0-b605e1f6d498).
## Permissions
-Document library folder URLs can be collected from any SharePoint site in the organization. Viva Learning (Preview) follows all existing content permissions. Therefore, only content for which a user has permission to access is searchable and visable within Viva Learning (Preview). Any content within these folders will be searchable, but only content to which the individual employee has permissions can be used.
+Document library folder URLs can be collected from any SharePoint site in the organization. Viva Learning (Preview) follows all existing content permissions. Therefore, only content for which a user has permission to access is searchable and visible within Viva Learning (Preview). Any content within these folders will be searchable, but only content to which the individual employee has permissions can be used.
Content deletion from your organizationΓÇÖs repository is not currently supported.
To configure SharePoint as a learning content sources in for Viva Learning (Prev
1. In the left navigation of the Microsoft 365 admin center, go to **Settings** > **Org settings**.
-2. On the **Org settings** page, on the **Services** tab, select **Learning app (Preview)**.
+2. On the **Org settings** page, on the **Services** tab, select **Viva Learning (Preview)**.
![Settings page in the Microsoft 365 admin center showing Viva Learning listed.](../media/learning/learning-sharepoint-configure1.png)
-3. On the **Learning app (Preview)** panel, under SharePoint, provides the site URL to the SharePoint site where you want Viva Learning to create a centralized repository.
+3. On the **Viva Learning (Preview)** panel, under SharePoint, provides the site URL to the SharePoint site where you want Viva Learning (Preview) to create a centralized repository.
![Learning panel in the Microsoft 365 admin center showing SharePoint selected.](../media/learning/learning-sharepoint-configure2.png)
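Review bot: The rewritten step 3 keeps the grammatical error from the old line: "under SharePoint, provides the site URL" should be the imperative "provide the site URL", matching steps 1 and 2. Since the line is being touched for the rename anyway, fix it in the same change.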
learning Content Sources 365 Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/learning/content-sources-365-admin-center.md
The administrator selects which other learning content sources (for example, Sha
> [!NOTE] > Users sign in to non-Microsoft and LinkedIn Learning Pro learnings in a browser or embedded viewer. This configured learning is subject to the separate license, privacy and service terms between your organization and the third party, and not the Viva Learning (Preview) terms. Before selecting this type of learning, verify you have an agreement in place for your organization and users.
-## Assign the knowledge admin role [Optional]
+## Assign the knowledge admin role (Optional)
You must be a Microsoft 365 global administrator to perform these tasks.
To configure settings for learning content sources in Viva Learning, follow thes
1. In the left navigation of the Microsoft 365 admin center, go to **Settings** > **Org settings**.
-2. On the **Org settings** page, on the **Services** tab, select **Learning app (Preview)**.
+2. On the **Org settings** page, on the **Services** tab, select **Viva Learning (Preview)**.
![Settings page in the Microsoft 365 admin center showing the Learning app listed.](../media/learning/learning-sharepoint-configure1.png)
-3. On the **Learning app (Preview)** panel, select the learning content sources you want to configure for the organization, and then select **Save**.
+3. On the **Viva Learning (Preview)** panel, select the learning content sources you want to configure for the organization, and then select **Save**.
![Learning panel in the Microsoft 365 admin center showing content sources options.](../media/learning/learning-sharepoint-configure2.png)
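Review bot: Steps 2 and 3 now refer to **Viva Learning (Preview)**, but the image alt text under step 2 still says "showing the Learning app listed" and the alt text under step 3 still says "Learning panel". Update the alt text to the new name so screen-reader users are given the same label that appears in the steps.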
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
Your IT admins benefit from these features:
## Device management Microsoft Managed Desktop takes on the burden of managing registered devices and the Microsoft software they use. -- **Hardware:** Instead of your IT department having to research and test devices (and their drivers), specific devices are carefully tested by Microsoft Managed Desktop, resulting in a curated list of devices that meet enterprise-level performance requirements and are guaranteed to work with the service. You can find approved devices by filtering for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site. You can either obtain devices yourself (or work with a partner) or reuse devices you already have, provided they are on the approved list. Registering devices is easy and straightforward, and before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users.
+- **Hardware:** Instead of your IT department having to research and figure out if a device is compatible with the service, we've provided specific hardware and software requirements, tools, and processes to streamline selection so you can choose devices with confidence. You can find recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site. You can either obtain devices yourself (or work with a partner) or reuse devices you already have, provided they are on the approved list. Registering devices is easy and straightforward, and before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users.
- **Updates:** Microsoft Managed Desktop sets up and manages all aspects of [deployment groups](../service-description/updates.md) for Windows 10 quality and feature updates, drivers, firmware, anti-virus definitions, and Microsoft 365 Apps for enterprise updates. This includes extensive testing and verification of all updates, assuring that registered devices are always up to date and minimizing disruptions, freeing your IT department from that ongoing task.
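Review bot: The rewritten Hardware bullet replaces the curated, Microsoft-tested device list with "specific hardware and software requirements, tools, and processes" and "recommended devices", yet the unchanged sentence later in the same bullet still says devices can be reused "provided they are on the approved list". State clearly whether an approved list still exists; if eligibility is now based on meeting the requirements, change that clause to say so.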
managed-desktop Device Inventory Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/device-inventory-report.md
In the **Devices** view, you can select the **Export all** tab to download a com
- Age (Months) - Profile - Logged in Users
+- TPM version
+- Secure Boot Enabled
+- Primary Disk Type
+- Total Physical Memory
-
-![Devices view showing list of devices and related details. Check boxes near the top select filters for activity, registration status. Above that is a search box. Tabs at the top for registering new devices, refreshing the view, exporting errors, and exporting the data. ](../../medi-devices-view.png)
+![Devices view showing list of devices and related details. Check boxes near the top select filters for activity, registration status. Above that is a search box. Tabs at the top for registering new devices, refreshing the view, exporting errors, and exporting the data. ](../../medi-devices-view.png)
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
You do not have Microsoft 365 license assigned, or your organization does not ha
Contact your administrator for help.
+## Report unsafe site
+
+Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.
+ ## Phishing pages aren't blocked on some OEM devices **Applies to:** Specific OEMs only
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
Returns information about all remediation activities.
**URL:** GET: /api/remediationTasks
-**Properties** details
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:|:|:
+Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | RemediationTask.Read.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+## Properties
Property (id) | Data type | Description | Example of a returned value :|:|:|:
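Review bot: In the new Permissions table the delegated permission is given as "RemediationTask.Read.Read" while the application permission is "RemediationTask.Read.All"; the doubled ".Read.Read" looks like a copy error and should be checked against the permission name that is actually exposed before this is published. Readers copy these strings into app registrations, so a wrong name fails at consent time. The same row appears in the other two remediation API articles in this batch and needs the same check.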
completerEmail | String | If the remediation activity was manually completed by
completerId | String | If the remediation activity was manually completed by someone, this column contains their object id | null completionMethod | String | A remediation activity can be completed ΓÇ£automaticallyΓÇ¥ (if all the devices are patched) or ΓÇ£manuallyΓÇ¥ by a person who selects ΓÇ£mark as completedΓÇ¥ | Automatic createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
-description | String | Description of this remediation activity | Update Chrome to a later version to mitigate 1248 known vulnerabilities affecting your devices.
+description | String | Description of this remediation activity | Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z fixedDevices | . | The number of devices that have been fixed | 2 id | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
-nameId | String | Related product name | chrome
+nameId | String | Related product name | Microsoft Silverlight
priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
-productId | String | Related product ID | google-_-chrome
+productId | String | Related product ID | microsoft-_-silverlight
productivityImpactRemediationType | String | A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between “all exposed devices” or “only devices with no user impact.” | AllExposedAssets rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 10" ] recommendedProgram | String | Recommended program to upgrade to | null recommendedVendor | String | Recommended vendor to upgrade to | null recommendedVersion | String | Recommended version to update/upgrade to | null
-relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Google Chrome
+relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Silverlight
requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com requesterId | String | Creator object id | r647211f-2e16-43f2-a480-16ar3a2a796r requesterNotes | String | The notes (free text) the creator added for this remediation activity | null
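Review bot: The example values for the identifier fields are no longer consistent after the switch from Chrome to Silverlight. The old nameId example was the lowercase identifier "chrome", but the new one is the display name "Microsoft Silverlight", while productId in the same hunk keeps the slug form "microsoft-_-silverlight". Confirm what the API returns for nameId and use that form. The new description example also has a double space in "Microsoft Silverlight  to a later version".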
scid | String | SCID of the related security recommendation | null
status | String | Remediation activity status (Active/Completed) | Active statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
-title | String | Title of this remediation activity | Update Google Chrome
+title | String | Title of this remediation activity | Update Microsoft Silverlight
type | String | Remediation type | Update
-vendorId | String | Related vendor name | google
+vendorId | String | Related vendor name | Microsoft
## Example
-**Request** example
+### Request example
```http GET https://api-luna.securitycenter.windows.com/api/remediationtasks/ ```
-**Response** example
+### Response example
```json {
security Get Remediation Exposed Devices Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-exposed-devices-activities.md
Returns information about exposed devices for the specified remediation task.
**URL:** GET: /api/remediationTasks/\{id\}/machineReferences
-**Properties** details
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:|:|:
+Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | RemediationTask.Read.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+## Properties details
Property (id) | Data type | Description | Example :|:|:|:
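Review bot: This article promotes the old bold "**Properties** details" label to the heading "## Properties details", whereas the two sibling remediation articles changed in the same batch use "## Properties". Use "## Properties" here too so the three API reference pages share one section structure and anchor name.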
rbacGroupName | String | Name of the device group this device is associated with
## Example
-**Request** example
+### Request example
```http GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c/machinereferences ```
-**Response** example
+### Response example
```json {
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
Returns information for the specified remediation activity. Presents the same co
**URL:** GET: /api/remediationTasks/\{id\}
-**Properties** details
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:|:|:
+Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account) | RemediationTask.Read.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+
+## Properties
Property (id) | Data type | Description | Example of a returned value :|:|:|:
completerEmail | String | If the remediation activity was manually completed by
completerId | String | If the remediation activity was manually completed by someone, this column contains their object id | null completionMethod | String | A remediation activity can be completed ΓÇ£automaticallyΓÇ¥ (if all the devices are patched) or ΓÇ£manuallyΓÇ¥ by a person who selects ΓÇ£mark as completedΓÇ¥ | Automatic createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
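Review bot: The heading added here is `## Properties`, but the same edit in get-remediation-exposed-devices-activities.md uses `## Properties details`; pick one form for the remediation API pages. The Permissions table also carries the same `RemediationTask.Read.Read` delegated entry as that page, so whatever is decided there applies here too.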
-description | String | Description of this remediation activity | Update Chrome to a later version to mitigate 1248 known vulnerabilities affecting your devices.
+description | String | Description of this remediation activity | Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z fixedDevices | | The number of devices that have been fixed | 2 id | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
-nameId | String | Related product name | chrome
+nameId | String | Related product name | Microsoft Silverlight
priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
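Review bot: The new `nameId` example, `Microsoft Silverlight`, no longer matches the identifier pattern the other rows show. The removed values were `chrome` for `nameId` and `google` for `vendorId`, combining into `google-_-chrome`; with `productId` now `microsoft-_-silverlight`, the consistent examples would be `silverlight` and `microsoft`. The same applies to the `vendorId` row further down, which now reads `Microsoft`.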
-productId | String | Related product ID | google-_-chrome
+productId | String | Related product ID | microsoft-_-silverlight
productivityImpactRemediationType | String | A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between “all exposed devices” or “only devices with no user impact.” | AllExposedAssets rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 10" ] recommendedProgram | String | Recommended program to upgrade to | null recommendedVendor | String | Recommended vendor to upgrade to | null recommendedVersion | String | Recommended version to update/upgrade to | null
-relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Google Chrome
+relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Microsoft Silverlight
requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com requesterId | String | Creator object id | r647211f-2e16-43f2-a480-16ar3a2a796r requesterNotes | String | The notes (free text) the creator added for this remediation activity | null
scid | String | SCID of the related security recommendation | null
status | String | Remediation activity status (Active/Completed) | Active statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
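Review bot: The `relatedComponent` example reads "Microsoft Microsoft Silverlight", with the vendor name doubled. The removed value was "Google Chrome", so "Microsoft Silverlight" is presumably what was meant.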
-title | String | Title of this remediation activity | Update Google Chrome
+title | String | Title of this remediation activity | Microsoft Silverlight
type | String | Remediation type | Update
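Review bot: The `title` example loses its verb, going from "Update Google Chrome" to "Microsoft Silverlight", while the same row in the remediation properties table changed earlier in this update became "Update Microsoft Silverlight". Use "Update Microsoft Silverlight" here as well so the example still reads as the title of a remediation of type Update.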
-vendorId | String | Related vendor name | google
+vendorId | String | Related vendor name | Microsoft
## Example
-**Request** example
+### Request example
```http GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c ```
-**Response** example
+### Response example
```json {
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
ms.technology: mde
## Conditional Access with Defender for Endpoint on iOS Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies
-based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
+based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
For more information about how to set up Conditional Access with Defender for Endpoint on iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
+> [!NOTE]
+> **Jailbreak detection by Microsoft Defender for Endpoint on iOS is currently in preview**. If a device is detected to be jailbroken by Microsoft Defender for Endpoint, a **High**-risk alert will be reported to Security Center and if Conditional Access is setup based on device risk score, then the device will be blocked from accessing corporate data.
+ ## Web Protection and VPN By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint on iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
Apple iOS does not support multiple device-wide VPNs to be active simultaneously
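Review bot: In the added NOTE, "if Conditional Access is setup based on device risk score" uses the noun form; the verb is "set up". The note would also be easier to act on as two sentences: one stating that jailbreak detection is in preview, and one stating the consequence (a **High**-risk alert in Security Center, and blocked access to corporate data when Conditional Access is based on device risk score).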
To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. > [!NOTE]
-> At this time Microsoft Defender for Endpoint on iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
+> At this time jailbreak detection by Microsoft Defender for Endpoint on iOS is in preview. We recommend that you setup this policy as an additional layer of defense against jailbreak scenarios.
Follow the steps below to create a compliance policy against jailbroken devices.
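Review bot: The replacement NOTE drops the statement that, on a jailbroken device, data used by the app such as the corporate email id and profile picture can be exposed locally. With detection still in preview, confirm whether that exposure still applies; if it does, keep the sentence, because it is the reason the Intune compliance policy is being recommended. Also, "setup this policy" should be "set up this policy".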
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Deploy Defender for Endpoint on iOS via Intune Company Portal.
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager Admin Center3](images/ios-deploy-3.png)
+## Auto-Onboarding of VPN profile (Simplified Onboarding)
+
+> [!NOTE]
+> Auto-onboarding of VPN profile is currently in preview and the steps mentioned in this section may be substantially modified before it's commercially released.
+
+Admins can configure auto-setup of VPN profile. This will automatically setup the Defender for Endpoint VPN profile without having the user to do so while onboarding. Note that VPN is used in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
+1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Configuration Profiles** -> **Create** -> **iOS store app** and click **Select**.
+1. Choose **Platform** as **iOS/iPadOS** and **Profile type** as **VPN**. Click **Create**.
+1. Type a name for the profile and click **Next**.
+1. Select **Custom VPN** for Connection Type and in the **Base VPN** section, enter the following:
+ - Connection Name = Microsoft Defender for Endpoint
+ - VPN server address = 127.0.0.1
+ - Auth method = "Username and password"
+ - Split Tunneling = Disable
+ - VPN identifier = com.microsoft.scmx
+ - In the key-value pairs, enter the key **AutoOnboard** and set the value to **True**.
+ - Type of Automatic VPN = On-demand VPN
+ - Click **Add** for **On Demand Rules** and select **I want to do the following = Establish VPN**, **I want to restrict to = All domains**.
+
+ ![A screen shot of VPN profile configuration](images/ios-deploy-8.png)
+
+1. Click Next and assign the profile to targeted users.
+1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**.
+ ## Complete onboarding and check status 1. Once Defender for Endpoint on iOS has been installed on the device, you
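Review bot: Step 1 of the new auto-onboarding procedure sends the admin to **Configuration Profiles** -> **Create** -> **iOS store app**, but step 2 then selects a **Profile type** of **VPN**; "iOS store app" looks carried over from the app deployment steps, so check the click path against the admin center. In step 4, the key-value pair, **Type of Automatic VPN** and **On Demand Rules** bullets are all listed under "in the **Base VPN** section"; if they sit in other sections of the profile, say so. Since `127.0.0.1`, `com.microsoft.scmx` and the `AutoOnboard` key must be entered exactly, consider code formatting for them. Wording: "automatically setup" should be "automatically set up", and "without having the user to do so" reads better as "without the user having to do so".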
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
This topic describes how to install, configure, update, and use Defender for End
center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
-###Network Requirements
+### Network Requirements
+
+- For Microsoft Defender for Endpoint on Android to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-- For Microsoft Defender for Endpoint on Android to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server)-- ### System Requirements - Android devices running Android 6.0 and above.
security Set Up Spf In Office 365 To Help Prevent Spoofing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md
ms.prod: m365-security
# Set up SPF to help prevent spoofing
+- [Prerequisites](#prerequisites)
+- [Create or update your SPF TXT record](#create-or-update-your-spf-txt-record)
+- [How to handle subdomains?](#how-to-handle-subdomains)
+- [Troubleshooting SPF](#troubleshooting-spf)
+
+<!--
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] **Applies to** - [Exchange Online Protection](exchange-online-protection-overview.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+-->
-This article describes how to update an Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365.
+This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365.
-Using SPF helps to validate outbound email sent from your custom domain. It's a first step in setting up other recommended email authentication methods DMARC and DKIM (two further email authentication methods supported in Office 365).
+SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is). It's a first step in setting up the full recommended email authentication methods of SPF, [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md).
## Prerequisites > [!IMPORTANT]
-> If you are a **small business**, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) to ask for help with DNS configuration of SPF (and any other email authentication method). *Also*, if you haven't bought, or don't use a custom URL (in other words the URL you and your customers browse to reach Office 365 ends in **onmicrosoft.com**), SPF has been set up for you in the Office 365 service. No further steps are required in that case. Thanks for reading.
+> If you are a **small business**, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) & ask for help with *DNS configuration of SPF* (and any other email authentication method). <p> **If you don't use a custom URL** (and the URL used for Office 365 ends in **onmicrosoft.com**), SPF has already been set up for you in the Office 365 service.
-Before you create or update the SPF TXT record for Office 365 in external DNS, you need to gather some information needed to make the record. For advanced examples and a more detailed discussion about supported SPF syntax, see [How SPF works to prevent spoofing and phishing in Office 365](how-office-365-uses-spf-to-prevent-spoofing.md#HowSPFWorks).
+Let's get started.
-Gather this information:
+The SPF TXT record for Office 365 will be made in external DNS for any custom domains or subdomains. You need some information to make the record. Gather this information:
-- The current SPF TXT record for your custom domain, if one exists. For instructions, see [Gather the information you need to create Office 365 DNS records](../../admin/get-help-with-domains/information-for-dns-records.md).
+- The SPF TXT record for your custom domain, if one exists. For instructions, see [Gather the information you need to create Office 365 DNS records](../../admin/get-help-with-domains/information-for-dns-records.md).
- Go to your messaging server(s) and find out the External IP addresses (needed from all on-premises messaging servers). For example, **131.107.2.200**.
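Review bot: In the rewritten intro, "SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is)" has a parenthetical that does not parse; something like "(that is, that it comes from who it says it does)" would. The "Applies to" include is wrapped in `<!--` and `-->` rather than removed, which leaves dead markup in the source and hides which products the article covers; either restore it or delete it. In the IMPORTANT note, replace "& ask" with "and ask", and avoid the raw `<p>` inside the alert.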
Gather this information:
|2|Exchange Online|Common|`include:spf.protection.outlook.com`| |3|Exchange Online dedicated only|Not common|`ip4:23.103.224.0/19` <br> `ip4:206.191.224.0/19` <br> `ip4:40.103.0.0/16` <br> `include:spf.protection.outlook.com`| |4|Office 365 Germany, Microsoft Cloud Germany only|Not common|`include:spf.protection.outlook.de`|
- |5|Third-party email system|Not common|`include:<domain_name>` <p> \<domain_name\> is the domain of the third party email system.|
+ |5|Third-party email system|Not common|`include:<domain_name>` <p> \<domain_name\> is the domain of the third-party email system.|
|6|On-premises email system. For example, Exchange Online Protection plus another email system|Not common|Use one of these for each additional mail system: <p> `ip4:<IP_address>` <br> `ip6:<IP_address>` <br> `include:<domain_name>` <p> \<IP_address\> and \<domain_name\> are the IP address and domain of the other email system that sends mail on behalf of your domain.| |7|Any email system (required)|Common. All SPF TXT records end with this value|`<enforcement rule>` <p> This can be one of several values. We recommend the value `-all`.| | 2. If you haven't already done so, form your SPF TXT record by using the syntax from the table.
- For example, if you are fully-hosted in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:
+ For example, if you are hosted entirely in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:
```text v=spf1 include:spf.protection.outlook.com -all ```
- This is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.
+ **The example above is the most common SPF TXT record**. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.
- However, if you have purchased Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. For example, if you are fully-hosted in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:
+ However, if you bought Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. For example, if you are hosted entirely in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:
```text v=spf1 include:spf.protection.outlook.de -all
Gather this information:
If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change `include:spf.protection.outlook.com` to `include:spf.protection.outlook.de`.
-3. Once you have formed your SPF TXT record, you need to update the record in DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to [Create DNS records for Office 365](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md), and then click the link for your DNS host.
+3. Once you have formed your SPF TXT record, you need to update the record in DNS. **You can only have one SPF TXT record for a domain.** If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to [Create DNS records for Office 365](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md), and then select the link for your DNS host.
4. Test your SPF TXT record. ## How to handle subdomains?
-It is important to note that *you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top level domain*.
+It's important to note that *you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top-level domain*.
-An additional wildcard SPF record (`*.`) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:
+A wildcard SPF record (`*.`) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:
```text *.subdomain.contoso.com. IN TXT "v=spf1 -all"
If you've already set up mail for Office 365, then you have already included Mic
For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see [How SPF works to prevent spoofing and phishing in Office 365](how-office-365-uses-spf-to-prevent-spoofing.md#HowSPFWorks).
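Review bot: Dropping "additional" from the wildcard sentence in the subdomains section changes its meaning. Read together with the sentence above it (each subdomain needs its own record), "A wildcard SPF record (`*.`) is required for every domain and subdomain" can now be taken to mean the wildcard is the only record needed. Keep "An additional wildcard SPF record" so it stays clear that the `v=spf1 -all` wildcard is published alongside the per-subdomain records.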
-## Links to configure DKIM and DMARC
+## Next Steps: DKIM and DMARC
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365. [DKIM](use-dkim-to-validate-outbound-email.md) email authentication's goal is to prove the contents of the mail haven't been tampered with. [DMARC](use-dmarc-to-validate-email.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address.+
+ For advanced examples and a more detailed discussion about supported SPF syntax, see [How SPF works to prevent spoofing and phishing in Office 365](how-office-365-uses-spf-to-prevent-spoofing.md#HowSPFWorks).
+
+*Select 'This page' under 'Feedback' if you have feedback on this documentation.*
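Review bot: The sentence added under the renamed heading ("For advanced examples and a more detailed discussion about supported SPF syntax, see ...") repeats the link in the unchanged paragraph directly above the heading, so the reader gets the same pointer twice within a few lines; keep one of them. "Next Steps" is also title case, where the table of contents added in this same change uses sentence case ("How to handle subdomains?", "Troubleshooting SPF").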
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
- **Summary:** This article describes how you use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain.
+ This article lists the steps to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain.
-You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to outbound email messages in the message header. It may sound complicated, but it's really not. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message by using cryptographic authentication. Email systems that receive email from your domain can use this digital signature to help determine if incoming email that they receive is legitimate.
+In this article:
-Basically, you use a private key to encrypt the header in your domain's outgoing email. You publish a public key to your domain's DNS records that receiving servers can then use to decode the signature. They use the public key to verify that the messages are really coming from you and not coming from someone *spoofing* your domain.
+- [How DKIM works better than SPF alone to prevent malicious spoofing](use-dkim-to-validate-outbound-email.md#HowDKIMWorks)
-Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](../../admin/setup/domains-faq.yml#why-do-i-have-an--onmicrosoft-com--domain).
+- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](use-dkim-to-validate-outbound-email.md#1024to2048DKIM)
-You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain. While this is sufficient coverage for most customers, you should manually configure DKIM for your custom domain in the following circumstances:
+- [Steps to manually set up DKIM](use-dkim-to-validate-outbound-email.md#SetUpDKIMO365)
-- You have more than one custom domain in Microsoft 365
+- [Steps to configure DKIM for more than one custom domain](use-dkim-to-validate-outbound-email.md#DKIMMultiDomain)
-- You're going to set up DMARC too (recommended)
+- [Disabling the DKIM signing policy for a custom domain](use-dkim-to-validate-outbound-email.md#DisableDKIMSigningPolicy)
-- You want control over your private key
+- [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior)
-- You want to customize your CNAME records
+- [Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain](use-dkim-to-validate-outbound-email.md#SetUp3rdPartyspoof)
-- You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.
+- [Next steps: After you set up DKIM for Microsoft 365](use-dkim-to-validate-outbound-email.md#DKIMNextSteps)
-In this article:
+> [!NOTE]
+> Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](../../admin/setup/domains-faq.yml#why-do-i-have-an--onmicrosoft-com--domain).
-- [How DKIM works better than SPF alone to prevent malicious spoofing](use-dkim-to-validate-outbound-email.md#HowDKIMWorks)
+DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent spoofers from sending messages that look like they come from your domain.
-- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](use-dkim-to-validate-outbound-email.md#1024to2048DKIM)
+DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate.
-- [Steps you need to do to manually set up DKIM](use-dkim-to-validate-outbound-email.md#SetUpDKIMO365)
+In basic, a private key encrypts the header in a domain's outgoing email. The public key is published in the domain's DNS records, and receiving servers can use that key to decode the signature. DKIM verification helps the receiving servers confirm the mail is really coming from your domain and not someone *spoofing* your domain.
-- [Steps to configure DKIM for more than one custom domain](use-dkim-to-validate-outbound-email.md#DKIMMultiDomain)
+> [!TIP]
+>You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.
-- [Disabling the DKIM signing policy for a custom domain](use-dkim-to-validate-outbound-email.md#DisableDKIMSigningPolicy)
+ Microsoft-365's built-in DKIM configuration is sufficient coverage for most customers. However, you should manually configure DKIM for your custom domain in the following circumstances:
-- [Default behavior for DKIM and Microsoft 365](use-dkim-to-validate-outbound-email.md#DefaultDKIMbehavior)
+- You have more than one custom domain in Microsoft 365
-- [Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain](use-dkim-to-validate-outbound-email.md#SetUp3rdPartyspoof)
+- You're going to set up DMARC too (**recommended**)
+
+- You want control over your private key
+
+- You want to customize your CNAME records
+
+- You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.
-- [Next steps: After you set up DKIM for Microsoft 365](use-dkim-to-validate-outbound-email.md#DKIMNextSteps) ## How DKIM works better than SPF alone to prevent malicious spoofing <a name="HowDKIMWorks"> </a>
-SPF adds information to a message envelope but DKIM actually encrypts a signature within the message header. When you forward a message, portions of that message's envelope can be stripped away by the forwarding server. Since the digital signature stays with the email message because it's part of the email header, DKIM works even when a message has been forwarded as shown in the following example.
+SPF adds information to a message envelope but DKIM *encrypts* a signature within the message header. When you forward a message, portions of that message's envelope can be stripped away by the forwarding server. Since the digital signature stays with the email message because it's part of the email header, DKIM works even when a message has been forwarded as shown in the following example.
![Diagram showing a forwarded message passing DKIM authentication where the SPF check fails](../../media/28f93b4c-97e7-4309-acc4-fd0d2e0e3377.jpg)
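Review bot: The new overview describes DKIM as encryption: "a private key encrypts the header" and receiving servers "decode the signature", and the following section now emphasises "*encrypts*". The paragraph just before it correctly calls this a digital signature; the private key signs, the published public key verifies, and nothing in the message is encrypted. Suggest "signs" and "verify" throughout, and replace the opener "In basic," with "In short,".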
-In this example, if you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. The addition of DKIM in this scenario reduces false positive spam reporting. Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than SPF. We recommend using both SPF and DKIM, as well as DMARC in your deployment.
+In this example, if you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. **The addition of DKIM in this scenario reduces *false positive* spam reporting.** Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than SPF. We recommend using both SPF and DKIM, as well as DMARC in your deployment.
+
+> [!TIP]
+> DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then uses the **d=** field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes.
-The nitty gritty: DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then use the **d=** field to look up the public key from DNS and authenticate the message. If the message is verified, the DKIM check passes.
## Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys <a name="1024to2048DKIM"> </a>
+> [!NOTE]
+> Microsoft 365 automatically sets up DKIM for *onmicrosoft.com* domains. No steps are needed to use DKIM for any initial domain names (like litware.*onmicrosoft.com*). For more information about domains, see [Domains FAQ](../../admin/setup/domains-faq.yml#why-do-i-have-an--onmicrosoft-com--domain).
+ Since both 1024 and 2048 bitness are supported for DKIM keys, these directions will tell you how to upgrade your 1024-bit key to 2048 in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). The steps below are for two use-cases, please choose the one that best fits your configuration. - When you **already have DKIM configured**, you rotate bitness by running the following command:
If you want to rotate to the second selector, your options are a) let the Micros
For detailed syntax and parameter information, see the following articles: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig), [New-DkimSigningConfig](/powershell/module/exchange/new-dkimsigningconfig), and [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig).
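Review bot: The NOTE added under "Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys" is about *onmicrosoft.com* domains needing no DKIM setup, which duplicates the NOTE this change adds near the top of the article and is unrelated to key rotation. Drop it here, or replace it with a note that belongs to the upgrade steps.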
-## Steps you need to do to manually set up DKIM
+## Steps to manually set up DKIM
<a name="SetUpDKIMO365"> </a> To configure DKIM, you will complete these steps: