+|[Viva Learning activity](viva-learning-activity.md)|Yes|N/A¹|N/A¹|N/A¹|N/A²|

+|[Viva Insights activity](viva-insights-activity.md)|Yes|Yes|N/A¹|N/A¹|N/A²|

+|[Project activity](project-activity.md)|Yes|Yes|N/A¹|N/A¹|N/A²|

+|[Visio activity](visio-activity.md)|Yes|Yes|N/A¹|N/A¹|N/A²|

+|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Cloud Policy service for Microsoft 365 to create and manage cloud-based policies. <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Microsoft 365 apps <br> - Monitor service health |

+description: Learn about how to upgrade Microsoft Office to the latest Microsoft 365 apps for users in your organization.

+# Upgrade your Microsoft 365 for business users to the latest Microsoft 365 apps

+The steps below will guide you through the process of upgrading your users to the latest Microsoft 365 desktop apps. We recommend you read through these steps before beginning the upgrade process.

+## Working with device policies in the Microsoft 365 Defender portal

+ - [Understand next-generation configuration settings](../security/defender-business/mdb-next-generation-protection.md)

+6. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Understand next-generation configuration settings in Microsoft Defender for Business](../security/defender-business/mdb-next-generation-protection.md).

+[Set up and manage device groups](m365bp-device-groups-mdb.md).

+This article lists the top 10 ways to secure your data with Microsoft 365 for business, and includes links for more information. Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection.

+## Top 10 ways to secure your business data

+The following table lists the top 10 ways to secure business data and describes capabilities that are included in Microsoft 365 for business plans. It's not intended to be an exhaustive list of all capabilities in each plan. For more details about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).

+| What to do | [Microsoft 365 Business Premium](index.md) | [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) | [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) |

+|||||

+| 1. **[Use multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md)**.<br/><br/>[Multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent bad actors from taking over your account if they know your password. <br/><br/>*Microsoft 365 Business Basic, Standard, and Premium include [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD), which includes security defaults to simplify the process of enabling MFA.*<br/><br/>*Microsoft 365 Business Premium also includes [Azure AD Premium P1](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses), and that includes Conditional Access for more stringent requirements.* <br/><br/>For more information, see [security defaults and MFA](m365bp-conditional-access.md). | <br/>*Azure AD Premium P1, with security defaults and Conditional Access* |  <br/>*Azure AD Free, with security defaults* |  <br/>*Azure AD Free, with security defaults* |

+| 2. **[Protect your administrator accounts](m365bp-protect-admin-accounts.md)**.<br/><br/>Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. Whether you're using Microsoft 365 Business Basic, Standard, or Premium, you'll need to set up and manage the right number of admin and user accounts for your business. <br/><br/>We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs.<br/><br/>*Microsoft 365 Business Basic, Standard, and Premium include Azure AD.*<br/><br/>*Microsoft 365 Business Premium also includes Azure AD Premium Plan 1.*<br/><br/>For more information, see [Protect your administrator accounts](m365bp-protect-admin-accounts.md). | <br/>*Azure AD Premium P1* |  <br/>*Azure AD Free* |  <br/>*Azure AD Free* |

+| 3. **[Use preset security policies](m365bp-increase-protection.md)**.<br/><br/>Preset security policies save time by applying recommended spam, malware, and phishing policies to users all at once. <br/><br/>*Microsoft 365 Basic, Standard, and Premium include preset security policies with recommended settings for anti-spam, anti-malware, and anti-phishing included in [Exchange Online Protection](../security/office-365-security/eop-about.md) (EOP).* <br/><br/>*Microsoft 365 Business Premium also includes [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet), preset security policies include advanced anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments.* <br/><br/>For more information, see the following articles: <br/>- [Preset security policies](../security/office-365-security/preset-security-policies.md)<br/>- [Protect against malware and other cyberthreats](m365bp-increase-protection.md) |  <br/>*EOP plus Defender for Office 365 Plan 1* |  <br/>*EOP* |  <br/>*EOP* |

+| 4. **[Protect all devices](m365bp-devices-overview.md)**.<br/><br/>Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work. Your security team and employees can all take steps to protect devices. All users can use MFA on their devices.<br/><br/>*Microsoft 365 Business Standard and Premium include Microsoft 365 Apps that can be installed on computers, tablets, and phones.* <br/><br/>*Microsoft 365 Business Premium also includes Microsoft Intune and Microsoft Defender for Business for securing and managing devices.*<br/><br/>For more information, see the following articles:<br/>- [Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md) <br/>- [Set up unmanaged (BYOD) devices](m365bp-devices-overview.md)<br/>- [Set up and secure managed devices](m365bp-protect-devices.md) |  <br/>*MFA, Microsoft 365 Apps, Intune, and Defender for Business* |  <br/>*MFA and Microsoft 365 Apps* |  <br/>*MFA* |

+| 5. **[Train everyone on email best practices](m365bp-avoid-phishing-and-attacks.md)**.<br/><br/>Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. <br/><br/>*Microsoft 365 Basic, Standard, and Premium include [Exchange Online Protection](../security/office-365-security/eop-about.md) (EOP).* <br/><br/>*Microsoft 365 Business Premium also includes [Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet), which provides more advanced protection for email and collaboration, with advanced anti-phishing, anti-spam, and anti-malware protection, Safe Attachments, and Safe Links.*<br/><br/>For more information, see the following articles: <br/>- [Protect yourself against phishing and other attacks](m365bp-avoid-phishing-and-attacks.md)<br/>- [Anti-phishing protection in Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-protection-about#additional-anti-phishing-protection-in-microsoft-defender-for-office-365)<br/>- [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-about) <br/>- [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) |  <br/>*EOP, advanced anti-phishing and anti-malware, Safe Links, and Safe Attachments* |  <br/>*EOP* |  <br/>*EOP* |

+| 6. **[Use Microsoft Teams for collaboration and sharing](m365bp-collaborate-share-securely.md)**.<br/><br/>The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.<br/><br/> *Microsoft 365 Business Basic, Standard, and Premium include Microsoft Teams.*<br/><br/>*Microsoft 365 Business Premium also includes Defender for Office 365 Plan 1 (with [Safe Links](/microsoft-365/security/office-365-security/safe-links-about#safe-links-settings-for-microsoft-teams) and [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about)) and [Azure Information Protection Plan 1](/azure/information-protection/what-is-information-protection) (with capabilities to discover, classify, protect, and govern sensitive information).* <br/><br/>For more information, see the following articles: <br/>- [Use Microsoft Teams for collaboration](create-teams-for-collaboration.md) <br/>- [Set up meetings with Microsoft Teams](set-up-meetings.md) <br/>- [Share files and videos in a safe environment](share-files-and-videos.md)<br/>- [Defender for Office 365 support for Microsoft Teams](/microsoft-365/security/office-365-security/mdo-support-teams-about)<br/>- [Data Loss Prevention (DLP) in Microsoft Teams](/microsoft-365/compliance/dlp-teams-default-policy)<br/>- [Use sensitivity labels to protect calendar items, Teams meetings, and chat](/microsoft-365/compliance/sensitivity-labels-meetings) | <br/>*Microsoft Teams, Safe Links, Safe Attachments, sensitivity labels, and Data Loss Prevention (DLP)* | <br/>*Microsoft Teams* | <br/>*Microsoft Teams* |

+| 7. **[Set sharing settings for SharePoint and OneDrive files and folders](m365bp-increase-protection.md)**.<br/><br/>Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. <br/><br/>*Microsoft 365 Business Basic, Standard, and Premium include OneDrive and SharePoint.*<br/><br/>*Microsoft 365 Business Premium also includes Defender for Office 365 Plan 1 (with [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) and [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about)) and [Azure Information Protection Plan 1](/azure/information-protection/what-is-information-protection) (with capabilities to discover, classify, protect, and govern sensitive information).*<br/><br/>For more information, see the following articles: <br/>- [Set sharing settings for SharePoint and OneDrive](m365bp-increase-protection.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders)<br/>- [Sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files) | <br/>*SharePoint and OneDrive, with Safe Links, Safe Attachments, sensitivity labels, and DLP* | <br/>*SharePoint and OneDrive* | <br/>*SharePoint and OneDrive* |

+| 8. **[Use Microsoft 365 Apps on devices](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)**.<br/><br/>Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive.<br/><br/>*Microsoft 365 Basic, Standard, and Premium include Outlook and Web/mobile versions of the Microsoft 365 Apps (Word, Excel, and PowerPoint).*<br/><br/>*Microsoft 365 Business Standard and Premium also include desktop versions of Microsoft 365 Apps.* <br/><br/>*Microsoft 365 Business Premium also includes Defender for Office 365 Plan 1 (with Safe Links and Safe Attachments), and Azure Information Protection Plan 1 (with sensitivity labels).* <br/><br/>For more information, see the following articles: <br/>- [Install Microsoft 365 Apps on all devices](m365bp-install-office-apps.md).<br/>- [Train your users on Microsoft 365](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)<br/>- [How Safe Links works in Microsoft 365 Apps](/microsoft-365/security/office-365-security/safe-links-about#how-safe-links-works-in-office-apps)<br/>- [Sensitivity bar in Microsoft 365 Apps](/microsoft-365/compliance/sensitivity-labels-office-apps#sensitivity-bar)| <br/>*Outlook and Web, mobile, and desktop versions of Microsoft 365 Apps, with Safe Links and sensitivity labels* |  <br/>*Outlook and Web/mobile/desktop versions of Microsoft 365 Apps* |  <br/>*Outlook and Web/mobile versions of Microsoft 365 Apps* |

+| 9. **[Manage calendar sharing for your business](m365bp-increase-protection.md#manage-calendar-sharing)**.<br/><br/>You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only.<br/><br/>*Microsoft 365 Business Basic, Standard, and Premium include Outlook and Exchange Online.* <br/><br/>*Microsoft 365 Business Premium also includes Azure Information Protection Plan 1, and that includes DLP policies to protect sensitive information.*<br/><br/>For more information, see the following articles: <br/>- [Manage calendar sharing](m365bp-increase-protection.md#manage-calendar-sharing) <br/>- [Get started with the default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy) | <br/>*Outlook, Exchange Online, and DLP* | <br/>*Exchange Online* | <br/>*Exchange Online* |

+| 10. **[Maintain your environment](m365bp-maintain-environment.md)**.<br/><br/>After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs.<br/><br/>*Microsoft 365 Business Basic, Standard, and Premium include the [Microsoft 365 admin center](https://admin.microsoft.com) and the [Azure AD portal](https://entra.microsoft.com) for managing user accounts.*<br/><br/>*Microsoft 365 Business Premium also includes the [Microsoft 365 Defender portal](https://security.microsoft.com) and the [Microsoft 365 Purview compliance portal](https://compliance.microsoft.com/) for viewing and managing security & compliance capabilities.* <br/><br/>For more information, see the following articles: <br/>- [Maintain your environment](m365bp-maintain-environment.md) <br/>- [Security incident management in Microsoft 365 Business Premium](m365bp-security-incident-management.md)<br/>- [Microsoft 365 Business Premium security operations guide](m365bp-security-incident-quick-start.md) | <br/>*Azure AD portal, Microsoft 365 admin center, Microsoft 365 Defender portal, and Microsoft 365 Purview compliance portal* | <br/>*Azure AD portal and Microsoft 365 admin center* | <br/>*Azure AD portal and Microsoft 365 admin center* |

+These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the **Activities** drop-down list (or that are available in PowerShell) and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see [Audit log detailed properties](audit-log-detailed-properties.md).

+> [!NOTE]

+> These activities are available when using the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) PowerShell cmdlet. These activities aren't available in the **Activities** drop-down list.

+Each audit entry for a tracked message contains the following fields:

+|Updated response|UpdateResponse|Form owner has updated a comment or score on a quiz. <br><br>Property ResponseId:string and Property ResponderId:string indicates which result is being viewed. <br><br>For an anonymous responder, the ResponderId property is null.|

+|Viewed response|ViewResponse|Form owner views a particular response. <br><br>Property ResponseId:string and Property ResponderId:string indicates which result is being viewed. <br><br>For an anonymous responder, the ResponderId property is null.|

+|Created new sensitive information type| CreateRulePackage / EditRulePackage* | A new sensitive information type was [created](/microsoft-365/compliance/create-a-custom-sensitive-information-type). This includes SIT created by copying an [out of the box SIT](/microsoft-365/compliance/create-a-custom-sensitive-information-type). </br><p>**Note**: This activity surfaces under the audit activities 'Created rule package' or 'Edited rule package'. </p>|

+The following table describes activities related to when users interact with lists and list items in SharePoint Online. Audit records for some SharePoint activities indicate the app@sharepoint user performed the activity of behalf of the user or admin who initiated the action. For more information, see [The app\@sharepoint user in audit records](#the-appsharepoint-user-in-audit-records).

+|Changed exempt user agents|CustomizeExemptUsers|A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form is returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.|

+- **Business conduct**: Discrimination, Profanity, Threat, and Targeted harassment classifiers

+- **Regulatory compliance**: Corporate sabotage, customer complaints, gifts & entertainment, money laundering, regulatory collusion, stock manipulation, unauthorized disclosure classifiers

+This playbook helps you make the most of your 90-day free trial by teaching you how to use the comprehensive set of premium assessment templates (add-on).

+1. [Overview of key elements: controls, assessments, regulation, and improvement actions](compliance-manager.md#key-elements-controls-assessments-regulations-improvement-actions)

+1. [Choose a prebuilt template to create and manage your first assessment](compliance-manager-assessments.md)

+Compliance Manager also offers 300+ regulatory or premium templates that can be purchased as an add-on. See the list [here](compliance-manager-templates-list.md#premium-regulations). With any premium templates (included with your subscription or purchased as add-on) you'll receive the universal version of those templates, allowing you to manage your compliance with any product or service. You can try out these premium assessment templates during the premium assessment trial.

+Trial licenses allow you to use 25 premium templates for 90 days. You'll be able to choose from a list of 300+ premium templates. You aren't required to select all 25 templates at once. Once selected, the licensed templates are available for your use within 4 hours of obtaining your trial license.

+1. In the Microsoft Purview compliance portal, select **Trials** in the left navigation pane. The available trials will display.

+1. You'll be presented with an information page and the ability to learn more before setting up the trial.

+1. When you choose **Set up**, it might take up to two hours for changes to take effect. You'll need to sign in again to see available templates.

+After starting the premium assessment trial, you'll see a summary on the dashboard that updates you on:

+- [Overview of key elements](compliance-manager.md#key-elements-controls-assessments-regulations-improvement-actions): controls, assessments, regulations, and improvement actions

+description: "Build assessments in Microsoft Purview Compliance Manager that help your organization track and manage compliance activities in a multicloud environment."

+Compliance Manager assessments help your organization evaluate its compliance with industry and regional regulations. Setting up the most relevant assessments for your organization can help you implement policies and operational procedures to limit your compliance risk. Ready-to-use regulatory templates for over 360 regulations contain the necessary controls and improvement actions for completing the assessment.

+All of your assessments are listed on the Assessments tab of Compliance Manager. You can create one assessment that covers multiple services. For example, you can create a single EU GDPR assessment that covers Microsoft 365, Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) and. Your assessment details page shows a breakdown of control progress by service to help you evaluate how youΓÇÖre doing across all your services. Learn more about [monitoring assessment progress from the assessment details page](#monitor-assessment-progress-and-controls).

+> The regulations that are available for your organization's use by default depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).

+#### Data Protection Baseline default assessment

+To get you started, Microsoft provides a **default** assessment for the **Microsoft 365 data protection baseline**. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization), as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).

+This assessment is used to calculate your initial compliance score the first time you come to Compliance Manager, before you configure any other assessments. Compliance Manager collects initial signals from your Microsoft 365 solutions. You'll see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take. Compliance Manager becomes more helpful as you build and manage your own assessments to meet your organization's particular needs.

+When you create an assessment, you must assign it to a group. Groups are containers that allow you to organize assessments in a way that is logical to you, such as by year or regulation, or based on your organization's divisions or geographies. This is why we recommend planning a grouping strategy before you create assessments. Below are examples of two groups and their underlying assessments:

+#### What to know when working with groups

+- You can create a group during the process of creating an assessment.

+- Groups can't be standalone entities. A group must contain at least one assessment.

+Before you begin, be sure you know which group you'll assign it to, or be prepared to create a new group for this assessment. Read details about [groups and assessments](#understand-groups-before-creating-assessments). To create an assessment, you'll use a guided process to select a regulation and designate services.

+#### Create an assessment using a guided process

+1. From your **Assessments** page, select **Add assessment** to begin the assessment creation wizard.

+1. On the **Base your assessment on a regulation** page, select **Select regulation** to choose the regulatory template for the assessment. The **Select regulation** flyout page will open.

+1. Use the search box to find your desired regulation, then select the check bubble to the left of the regulation name. Select **Save**, confirm your selection, then select **Next**.

+1. On the **Add name and group** page, enter values in the following fields:

+ - **Assessment name**: Assessment names must be unique. If the name matches another assessment in any group, youΓÇÖll receive an error asking you to create a different name.

+ - **Assessment group**: Assign your assessment to a group in one of two ways:

+ - **Use existing group** to assign it to a group you've already created; or

+ - **Create new group** that you'll assign this assessment to. Enter a name for this group. You also have the option to **Copy data from an existing group**, such as implementation and testing details and documents, by selecting the appropriate boxes.

+ When finished, select **Next**.

+1. On the **Select services** page, designate which services this assessment applies to (learn more about [multicloud support](compliance-manager-multicloud.md)) using the **Select services** command. The flyout pane shows which services are available for your chosen regulation. Place a check next to your desired services, then select **Add**. Then select **Next**.

+1. If you selected a service that has more than one subscription covered by Microsoft Defender for Cloud, you arrive at a sub-step for **Select service subscriptions**. Select **Manage subscriptions**. On the flyout pane, a tab for each service displays a list of all subscriptions within that service. All subscriptions are selected by default, but you can remove any by selecting the **X** next to the name. On the **Select services** page, select **Next**.

+1. **Review and finish:** Review all your selections and make any necessary edits. When you're satisfied with the settings, select **Create assessment**.

+The next screen confirms the assessment was created. When you select **Done**, you are taken to your new assessment's details page.

+If you see an **Assessment failed** screen after selecting **Create assessment**, select **Try again** to re-create your assessment.

+#### Edit an assessment

+After creating an assessment, you can edit it to update its name and add or remove services and subscriptions. To update an assessment:

+1. From the assessment details page, select the ellipses in the upper right corner and select **Edit assessment**. The assessment update wizard will open.

+1. You can update the assessment name on the **Update assessment name** page, or leave it as-is, then select **Next**.

+1. On the **Select services** page, add or remove services, then select **Next**.

+1. On the **Select service subscriptions** page, select **Manage subscriptions** to make any changes to your subscriptions. Then select **Next**.

+1. Review your updates, then select **Modify assessment** to save your changes.

+Each assessment has a details page that gives an at-a-glance view of your progress in completing the assessment. The page shows how your services are performing, and the status of controls and improvement actions. Expand the **Overview** section at the left side of the page to see basic details about the assessment, including its group, regulation, associated services, completion status, and a description.

+The **Progress** tab shows the percentage of progress toward assessment completion. The progress bar displays a breakdown showing the number of points achieved within each service covered by the assessment. Get details on each service by [viewing service details](#assessment-progress-by-service). See all controls within the assessment and their current status on the [Controls tab](#controls-tab). Quickly access the status of all your improvement actions for the assessment the [Your improvement actions tab](#your-improvement-actions-tab). The actions handled by Microsoft for the assessment are listed on the [Microsoft actions tab](#microsoft-actions-tab).

+#### Assessment progress by service

+The **Service** section on the assessmentΓÇÖs **Progress** tab helps you understand how youΓÇÖre doing with respect to a regulation with each of your services individually, even at the subscription level, and collectively across your organization. The assessment gets its data on available subscriptions and improvement action status from Microsoft Defender for Cloud. Any errors associated with subscription accessibility should be addressed in your Defender for Cloud. See [Configure cloud settings](compliance-manager-cloud-settings.md) for more information.

+Select the **View service details** command, located next to or under the **Assessment progress** bar graph or in the upper-right command bar, to view a flyout pane with more details. The **View service details** flyout pane lists each service and its progress toward completing the assessment. Selecting **View** next to a service name displays another pane that lists each subscription within the service and its status.

+On a service's details panel, you see the list of subscriptions within the service that are covered by the assessment. The **Service progress** counter indicates the number of points achieved so far by improvement actions pertaining to the service for the assessment out of the total number of achievable points.

+You can add more subscriptions to the service that you want the assessment to cover by [editing the assessment](#edit-an-assessment).

+#### Controls tab

+The **Controls** tab displays detailed information for each control in the assessment. The **Control status breakdown** chart shows the status of controls by family (for example, Configuration Management and Incident Response) so you can see at a glance which groupings of controls need attention. The table underneath the breakdown chart lists all controls. You can filter the list by control family, status, and service. The table shows the following details about each control:

+- **Control title**

+- **Status**: The test status of the improvement actions within the control:

+ - **Passed**: All improvement actions have a test status of "passed," or at least one is passed and the rest are "out of scope."

+ - **Failed** At least one improvement action has a test status of "failed."

+ - **None**: All improvement actions haven't been tested.

+ - **Out of scope**: All improvement actions are out of scope for this assessment.

+ - **In progress**: Improvement actions have a status other than the ones listed above, which could include "in progress," "partial credit," or "undetected."

+- **Control ID**: The control's identification number, assigned by its corresponding regulation, standard, or policy.

+- **Points achieved**: The number of points earned by completing actions, out of the total number achievable.

+- **Your improvement actions**: The number of your actions completed out of the total number to be done.

+- **Microsoft actions**: The number of actions completed by Microsoft.

+Select a control from the list to view its details page. A graph indicates the test status of the improvement actions within the control. A table below the graph lists the improvement actions for that control. Select an improvement action from the list to drill into the improvement action's details page, from where you can manage implementation and testing. Get details about [working with improvement actions](compliance-manager-improvement-actions.md).

+#### Your improvement actions tab

+The **Improvement actions** tab on the assessment details page lists all your improvement actions for the control. The status bar chart details the aggregated test status of your improvement actions in the assessment so you can quickly gauge what has been tested and what still needs to be done. Hover over or select a test status label to highlight only that status on the bar.

+Beneath the bar, a table lists all the actions and key details, including: service, test status, the number of potential and earned points, associated regulations and standards, applicable solution, action type, and control family.

+Filter by **Service** to view actions related to a service and their progress. From the table, select an improvement action to go to its details page, from where you can manage implementation and testing.

+Get details about [working with improvement actions](compliance-manager-improvement-actions.md).

+#### Microsoft actions tab

+The Microsoft actions tab appears for assessments based on templates that support Microsoft products. It lists all the actions in the assessment that are managed by Microsoft. The list shows key action details, including: service, test status, points that contribute to your overall compliance score, associated regulations and standards, applicable solution, action type, and control family. Select an improvement action to view its details page.

+External users who need access for auditing or other purposes can also be assigned a role for viewing assessments and editing test data. You provide access to external individual by assigning them an Azure Active Directory (AD) role. Learn more about [assigning Azure AD roles](compliance-manager-setup.md#setting-permissions-in-azure-ad).

+1. The flyout pane closes and you arrive back at your assessment details page. A confirmation message at the top confirms the new role assignment for that assessment.

+ - For example, if you've assigned a user a **Compliance Manager Reader** role in Microsoft Purview compliance portal **Permissions,** you can also assign that user a **Compliance Manager Assessor** role for a specific assessment. In effect, the user holds the two roles at the same time, but their ability to edit data will be limited to the assessment to which they've been assigned the **Assessor** role.

+ - Removing an assessment-based role won't remove the user's overall Compliance Manager role if they have one. If you want to change a user's overall role, you have to change it from the **Permissions** page in the Microsoft Purview compliance portal.

+When an update is available for an assessment, you'll see a notification and have the option to accept the update or defer it for a later time. Updates are available for assessments based on the regulatory templates provided in Compliance Manager. If your organization is using universal templates for assessing other products, inheritance may not be supported.

+When you select **Review update** from the assessment details page, a flyout pane appears on the right side of your screen. The flyout pane provides the key details below about the pending update:

+- **Why we recommend accepting updates**: Accepting updates helps ensure you have the most updated guidance on using solutions and taking appropriate improvement actions to help you meet the requirements of the certification at hand.

+- **Why you might want to defer an update**: If you're in the middle of completing an assessment, you may want to ensure you've finished work on it before you accept an update to the assessment that could disrupt control mapping. You can defer the update for a later time by selecting **Cancel** on the review update flyout pane.

+ Title: "Configure cloud settings for use with Microsoft Purview Compliance Manager"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- purview-compliance

+- m365solution-compliancemanager

+- m365initiative-compliance

+- tier1

+search.appverid:

+- MOE150

+- MET150

+description: "Set up your Azure and other non-Microsoft services for using Microsoft Purview Compliance Manager to assess compliance across multiple cloud services."

+# Configure cloud settings for use with Compliance Manager

+## Setting up for multicloud support

+Compliance Manager integrates with [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) to provide multicloud support. Organizations must have at least one subscription within Microsoft Azure and then enable Defender for Cloud so that Compliance Manager can receive the necessary signals to monitor your cloud services. Once you have Defender for Cloud, you need to assign the relevant industry and regulatory standards to your subscriptions.

+Depending on what your organization has already set up, jump to the section below that aligns to your situation in order to get started:

+- **You don't have Azure**: [Activate Azure and create a subscription](#activate-azure-and-create-a-subscription)

+- **You have Azure but don't have Defender for Cloud**: [Enable Defender for Cloud on your Azure subscription](#enable-defender-for-cloud)

+- **You have Defender for Cloud but haven't assigned standards**: [Assign standards to your cloud service subscriptions](#add-standards-to-your-subscriptions)

+##### Standards supported by Compliance Manager and Defender for Cloud

+The standards or regulations listed below are supported across Defender for Cloud and Compliance Manager. Each standard is available to support Microsoft 365 in addition to the other cloud services listed in parentheses.

+> [!TIP]

+> Defender for Cloud refers to ΓÇ£standards,ΓÇ¥ while Compliance Manager uses ΓÇ£regulationsΓÇ¥ to refer to the same thing.

+- AWS Foundational Security Best Practices

+- CIS 1.1.0 (GCP)

+- CIS Microsoft Azure Foundations Benchmark v1.1.0 (Azure)

+- CIS 1.2.0 (AWS, GCP)

+- CIS Microsoft Azure Foundations Benchmark v1.3.0 (Azure)

+- CIS Microsoft Azure Foundations Benchmark v1.4.0 (Azure)

+- FedRAMP High (Azure)

+- FedRAMP Moderate (Azure)

+- ISO 27001 (Azure, GCP)

+- NIST SP 800-171 Rev.2 (Azure)

+- NIST SP 800-53 Rev.4 (Azure)

+- NIST SP 800 53 Rev.5 (Azure, AWS, GCP)

+- PCI DSS 3.2.1 (AWS, GCP)

+- PSC DSS v4 (Azure)

+- SOC 2 Type 2 (Azure)

+- SWIFT CSP-CDCF v2022 (Azure)

+## Activate Azure and create a subscription

+Setting up a subscription within Microsoft Azure is a prerequisite for getting started with Defender for Cloud. If you donΓÇÖt have a subscription, you can [sign up for a free account](https://azure.microsoft.com/pricing/free-trial/).

+## Enable Defender for Cloud

+Visit [Quickstart: Set up Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started). Follow the steps to enable Defender for Cloud on your Azure subscription and become familiar with the Defender for Cloud Overview page. Once you've enabled Defender for Cloud, follow the additional steps below to make sure you're set up for Compliance Manager integration.

+Most setup functions require the user to hold the [Owner role in Azure](/azure/role-based-access-control/built-in-roles#owner). Get more details about [User roles and permissions for Defender for Cloud](/azure/defender-for-cloud/permissions).

+#### Confirm access to Defender for Cloud Regulatory compliance

+1. Go to [Microsoft Defender for Cloud | Regulatory compliance](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/22).

+1. Validate that you see a dashboard like this:

+ 

+1. If you donΓÇÖt see the dashboard above and instead see a notice about insufficient licensing, follow the prompts to activate an applicable Defender for Cloud plan. We recommend enabling one of these two plans: **Foundational CSPM** or **Defender CSPM**, which are currently free to use and provide sufficient functionality ([learn more about these plans](/azure/defender-for-cloud/concept-cloud-security-posture-management)). You can manually select the plans by following the steps below:

+ 1. In Defender for Cloud, select **Environment settings** on the left navigation.

+ 1. Select **Azure** from your list of environments. Expand the item underneath **Azure** to view the subscription, then select the subscription. You'll arrive at the **Defender plans** page.

+ 1. In the **Plan** column, find the rows for **Foundational CSPM** and **Defender CSPM**. In the **Status** row, select the **On** button for both plans.

+#### View available environments

+1. In Defender for Cloud, select **Environment settings** on the left navigation.

+1. View the available environments and subscriptions currently visible to MDC for your tenant. You may need to expand your management groups to view subscriptions, which you can do by selecting **Expand all** below the search bar. In addition to your Azure subscriptions, you'll also see any Google Cloud Platform (GCP) projects or Amazon Web Services (AWS) accounts connected to Defender for Cloud.

+1. If you don't see an expected subscription and have already confirmed your Defender for Cloud licensing in the previous steps, check your current directory and subscription filters in your Azure [Portal settings](https://portal.azure.com/#settings/directory). In this view, you can adjust any subscription filters or switch to a different directory if one is available, and then return to the **Environment settings** view to check the results.

+1. If you don't see an expected AWS or GCP environment, account, or project, proceed to the next step to set up the necessary connectors.

+#### Connect to your Amazon Web Services or Google Cloud Provider accounts (optional)

+Follow these instructions if you have an Amazon Web Services (AWS) account or Google Cloud Platform (GCP) project that you want Compliance Manager to assess compliance posture, and you donΓÇÖt already see those accounts or projects in your Azure Environment settings. When you complete this process, you can begin assigning standards to your connected AWS or GCP subscriptions within about an hour, though full data can take up to 24 hours to appear.

+1. In Defender for Cloud, select **Environment settings** on the left navigation.

+1. Select **Add environment** and choose either **Amazon Web Services** or **Google Cloud Platform**.

+ 

+1. Follow the wizard steps to complete the account setup. Connecting to the accounts requires admin permissions in the AWS or GCP accounts being used, and some configuration steps within AWS or GCP. These steps are detailed in the wizard.

+ 1. For a simple setup option, consider starting with just one account such as GCP. In the first step of **Account details**, at **Onboard**, select **Single account**. This option requires the least amount of configuration effort.

+## Add standards to your subscriptions

+Check the [list of standards supported by Defender for Cloud and Compliance Manager](#standards-supported-by-compliance-manager-and-defender-for-cloud) to ensure your desired standard is supported. Then follow the steps below.

+1. In Defender for Cloud, select **Environment settings** on the left navigation.

+1. Your available environments and subscriptions will be listed on the page. You may need to expand your management groups to view subscriptions, which you can do by selecting **Expand all** below the search bar. Find the subscription to which you want to add a standard.

+1. On the row for the subscription, select the ellipses on the far right and select **Edit settings**.

+ 

+1. On the left navigation, under **Policy settings**, select **Security policy**.

+1. Browse the list of available standards under **Industry & regulatory standards**. You can view more standards by selecting the **Add more standards** button at the bottom of the list. Assign at least one of the supported standards listed below to your subscription by selecting **Enable** on the standard's row.

+## Resources

+- [Quickstart: Set up Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started)

+- [User roles and permissions for Defender for Cloud](/azure/defender-for-cloud/permissions)

+ Title: "Glossary of terms for Microsoft Purview Compliance Manager"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- purview-compliance

+- m365solution-compliancemanager

+- m365initiative-compliance

+- tier1

+search.appverid:

+- MOE150

+- MET150

+description: "Get definitions of key terms used in Microsoft Purview Compliance Manager."

+# Compliance Manager glossary

+This glossary provides a brief description of important terms and concepts in the context of Microsoft Purview Compliance Manager. This glossary can help you learn and use the solution tools and features quickly and effectively.

+| Term | Description |

+| :- | :- |

+| **Assessment**| A grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment helps you meet the requirements of a standard, regulation, or law. |

+| **Control**| Generally, a specific measure or action that an organization implements to mitigate or manage risks associated with a particular requirement or objective of a regulation, standard, or policy. As used in Compliance

+| **Improvement action**| A compliance activity with recommended implementation instructions, intended to help towards completion of a control. |

+| **License** | In the context of Compliance Manager regulations: A single Compliance Manager license allows you to create an unlimited number of assessments for multiple versions of a regulation. |

+| **Regulation**| A rule or requirement imposed by a governing authority, such as a government agency, to achieve a specific purpose. Also commonly understood as a standard or framework. Compliance Manager supports several industry regulations, providing over 360 regulatory templates for building assessments. |

+| **Service**| A data source, such as Microsoft Azure or Amazon Web Services (AWS); or more broadly, the digital entity thatΓÇÖs being assessed and that benefits from the actions taken. For an assessment, you designate the service that it should evaluate. Completing an improvement action in the assessment will benefit the service. |

+| **Solution**| A feature or capability used to complete an improvement action. For example, a Microsoft product, such as Microsoft Data Loss Prevention, or a setting in a service like Azure or AWS. |

+| **Subscription**| A type of account to create, assess, and manage a service such as Azure, Google Cloud Platform, or Amazon Web Services. Examples: an Azure account for development and testing purposes, an Azure account for production, etc. |

+| **Virtual resources**| A cloud computing-based resource that is managed virtually, such as VMs and virtual storage disks. |

+description: "Learn how to implement and test controls by working with improvement actions in Microsoft Purview Compliance Manager. Automate testing, store documentation, and export reports."

+**In this article:** This article explains how to **manage your compliance workflow** with improvement actions. Learn how to **assign improvement actions** for implementation and testing, set action **testing source**, **accept updates**, and export **reports**.

+## Overview

+Improvement actions help centralize your compliance activities. Each improvement action recommends an action to take, with detailed guidance intended to help you align with data protection regulations and standards. Improvement actions can be assigned to users in your organization to perform implementation and testing work. You can also store documentation, add notes, and record status updates within the action. Many improvement actions come with automatic testing and monitoring.

+## Automated testing and monitoring

+While some improvement actions must be manually tested by your organization, many actions can be automatically tested and monitored for you. Compliance Manager automatically identifies settings in your Microsoft 365 environment and your multicloud environment that help determine when certain configurations meet improvement action implementation requirements. Compliance Manager utilizes three types of automation, explained below.

+#### Built-in automation

+Compliance Manager has built-in functionality to receive signals from other Microsoft solutions and non-Microsoft services. Compliance Manager detects signals from other Microsoft Purview solutions that your organization may subscribe to, including Data Lifecycle Management, Information Protection, Data Loss Prevention, Communication Compliance, and Insider Risk Management. Compliance Manager also detects signals from Microsoft Priva (this capability is in preview). The automation applies specifically to the solution and isnΓÇÖt scoped to cloud services. Learn more about [automatic testing settings](compliance-manager-setup.md#testing-source-for-automated-testing).

+#### Microsoft Secure Score automation

+Compliance Manager detects signals from complementary improvement actions that are monitored by Microsoft Secure Score. Through these signals, Compliance Manager can automatically test certain improvement actions in order to provide continuous control assessment. When an improvement action is successfully tested and implemented, you receive the maximum possible points for that action, which gets credited to your overall compliance score.

+#### Microsoft Defender for Cloud automation

+Integration with Defender for Cloud allows Compliance Manager to facilitate improvement actions and provide continuous monitoring across multiple Microsoft and non-Microsoft cloud services, such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). The cloud infrastructure of this monitoring means that action status can be evaluated and graded at the subscription level of the intended service. You can see specific implementation and testing results for each improvement action within each subscription of your service. The overall score you receive for the improvement action is an aggregate of the individual scores of each subscription within that service. Learn more about [multicloud support](compliance-manager-multicloud.md) and [scoring](compliance-score-calculation.md).

+#### Data connectors (coming soon)

+A selection of data connectors built specifically for Compliance Manager to support other non-Microsoft services such as Salesforce and Zoom are rolling out in the near future. Check back with this page for updates.

+## Improvement actions details page

+All of the improvement actions managed by your organization are listed on the **Improvement actions** tab. Each improvement action provides detailed implementation guidance and a link to launch you into the appropriate solution or service.

+Select an improvement action from the list to view its details page. You can also select an assessment, then go to the **Your improvement actions** tab and select an action from the list. Each improvement actionΓÇÖs details page contains the sections below:

+- **Overview**: Contains a **Summary** of basic information such as the implementation and test status, points achieved, and associated assessments; and a **Testing source** section for viewing and changing [how the action is tested](#testing-source).

+- **Implementation** tab: Contains implementation status, date, notes, detailed instructions, and for [technical actions](compliance-score-calculation.md#technical-and-non-technical-actions), a **Launch now** link taking you to the appropriate solution or service for implementation.

+- **Testing** tab: Contains testing status, date, notes, and a link to download a testing history report.

+- **Related controls** tab: Lists the controls associated with the improvement action, including the control ID and the associated regulation. Select a control name to view a flyout pane with a detailed description.

+- **Evidence** tab: Location where you can upload and view files and links related to implementation and testing work.

+## Implementation and testing

+### Assign improvement actions

+To begin implementation work on an improvement action, you can do the work yourself or assign it to another user. The assigned person could be a business policy owner, an IT implementer, or another employee with responsibility to perform the task. Once you identify the appropriate assignee, be sure they hold a sufficient [Compliance Manager role](compliance-manager-setup.md#set-user-permissions-and-assign-roles) to perform the work. Then follow the steps below to assign the improvement action:

+##### Assign multiple improvement actions to a single user

+2. Select the area to the left of the improvement action's name. A round check icon appears, indicating you've selected that action. Check all the actions you want to assign.

+6. You'll then see your **Improvement actions** page with the new assignee listed for the actions you assigned.

+### Implementation work

+Implementation guidance will vary depending on whether you go to Microsoft Defender for Cloud to perform the work to complete the action. Learn more about [multicloud support](compliance-manager-multicloud.md).

+##### Actions for services supported by Defender for Cloud

+Improvement actions that pertain to cloud services such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) are implemented and monitored using Compliance ManagerΓÇÖs integration with Defender for Cloud. The action description on the **Implementation** tab will indicate that implementation occurs through Defender for Cloud, with a link taking you there to perform the work.

+These infrastructure cloud actions can be of two types:

+- Technical actions, which are monitored and tested by Defender for Cloud automatically; and

+- Non-technical actions, which pertain to Defender for Cloud but require manual testing.

+The **Implementation** tab shows a list of all related subscriptions, indicating subscription type, the number of virtual resources completed, points achieved, and the assessments in which the action appears. Select a subscription from the list to view more details in a flyout pane.

+To begin implementation, first locate the actionΓÇÖs **Testing source** to determine if the action is automatic or manual. Then review the subscriptions listed for the action. Each subscription will have its own test status.

+**For manual actions**:

+- Review the **How to implement** guidance and perform the necessary steps. This may involve non-technical work that takes place offline.

+- Then attest to the completion of this work in Compliance Manager and/or Defender for Cloud by completing the implementation and testing status fields.

+ > [!NOTE]

+ > Manual actions donΓÇÖt synchronize status between Compliance Manager and Defender for Cloud. You can update the status in either location, however the statuses won't synch.

+- Each subscription will need to have its status updated. Each subscription will contain a single virtual resource, which represents the subscription itself.

+**For automatic actions**:

+- For each subscription listed on the **Implementation** tab, view the **Virtual resources completed** column.

+- If a subscription shows that there are virtual resources that are not complete, select the subscription and on the flyout pane, select the **Virtual resources** tab.

+- Inspect the status of each resource to determine which require ones require remediation.

+- For the resources needing remediation, review the **How to implement guidance** on the actionΓÇÖs **Implementation** tab. Then select the Defender for Cloud link to make the necessary changes in Defender for Cloud.

+Updates to the improvement actionΓÇÖs status will show within 24 hours.

+##### Actions not implemented through Defender for Cloud

+The implementation guidance on the **Implementation** tab provides instructions and a link into the related solution. You can record the implementation status and date for each improvement action and add notes for internal reference. These fields can be edited by any user with editing permissions, not just by the assigned person.

+To edit an improvement actionΓÇÖs status, select **Edit implementation details** on the details page. Below are the available fields and status options:

+- **Implementation status**: Select one:

+ - **Not implemented**

+ - **Implemented**

+ - **Alternative implementation**: Select this option if you used other non-Microsoft tools or took other actions not included in Microsoft recommendations.

+ - **Planned**

+ - **Out of scope**: Not relevant to your organization and doesnΓÇÖt contribute to your score.

+- **Implementation date**: Available to select when implementation status is "implemented" or "alternative implementation."

+- **Implementation notes**: No character limit. We recommend keeping notes brief so that you can easily view and edit them from the improvement actions details page.

+### Testing work

+From the **Testing** tab, you can view the testing status of your improvement action, the testing date, and any notes. A user with editing permissions can select **Edit testing details** to edit content on the **Testing** tab.

+##### Actions for Defender for Cloud-supported services

+The **Testing** tab on these actions displays a list of each subscription and its testing details. Select a subscription to view its testing details flyout pane. If the action is manually tested, you can edit test status, test date, and notes. You canΓÇÖt edit test status and notes for automatically tested actions.

+You can edit test status when an improvement action's implementation status is "implemented" or "alternative implementation. Below are the test status for manually tested actions:

+ - **Failed low risk**

+ - **Failed medium risk**

+ - **Failed high risk**

+ - **In progress**

+Automatically tested actions may also show one of the following states in the **Test status** column on the **Improvement actions** page:

+You can export a report that will show you a history of all changes in test status for an improvement action. These reports are especially helpful for monitoring progress on [actions that are automatically tested](#testing-source), since such actions are regularly or frequently updated based on your tenant's data.

+## Testing source

+Compliance Manager provides options for how to test improvement actions. In the **Overview** section of each improvement action, the **Testing Source** area has a drop-down menu from which you can choose how you want the action to be tested: **Manual**, **Automatic**, and **Parent**.

+> [!NOTE]

+> Testing source canΓÇÖt be changed on actions for services supported by Defender for Cloud. If you donΓÇÖt agree with an automated testing result, you can go to the related assessment in Defender for Cloud to alter the testing logic and scope.

+#### Manual

+#### Automatic

+When signals indicate that an improvement action has been successfully implemented, you'll automatically receive the points eligible for that action, which will factor into scores for any related controls and assessments. Learn more about [scoring](compliance-score-calculation.md).

+#### Parent

+## Storing evidence

+##### What causes an update

+##### Where youΓÇÖll see assessment update notifications

+##### Review update to accept or defer

+When you select **Review update** from the improvement action details page, a flyout pane appears on the right side of your screen. The flyout pane provides key details about the update, such as the assessments impacted and changes in score and scope.

+- **Why we recommend accepting updates**: Accepting updates helps ensure you have the most updated guidance on using solutions and taking appropriate improvement actions to help you meet the requirements of the certification at hand.

+- **Why you might want to defer an update**: If youΓÇÖre in the middle of completing an assessment that includes the improvement action, you may want to ensure youΓÇÖve finished work on it before you accept the update. You can defer the update for a later time by selecting **Cancel** on the review update flyout pane.

+##### Accept all updates at once

+The exported Excel file is also what you use to update multiple improvement actions at once. Get details about how to edit the export file to [update multiple improvement actions](compliance-manager-update-actions.md).

+ Title: "Multicloud support in Microsoft Purview Compliance Manager"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- purview-compliance

+- m365solution-compliancemanager

+- m365initiative-compliance

+- tier1

+search.appverid:

+- MOE150

+- MET150

+description: "Learn how Microsoft Purview Compliance Manager provides multicloud support so you can track and manage compliance for your organization's cloud services."

+# Multicloud support in Compliance Manager

+**In this article:** Learn how Compliance Manager helps you automatically assess and manage compliance across your multicloud environment.

+## Overview

+Compliance Manager now integrates with [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), which allows you to assess your compliance posture across Microsoft 365, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) with resource-level testing and cloud-specific guidance. This new integration provides customers with a single interface in Compliance Manager to help make it easier to manage compliance across the organizationΓÇÖs digital estate.

+This integration allows Compliance Manger to track configurations in your organizationΓÇÖs Microsoft Azure environment and detect signals from other services like GCP and AWS, so that you can assess your progress in meeting controls for the regulations you need to comply with. Compliance Manager provides guidance for implementing improvement actions in non-Microsoft services for meeting controls.

+The integration with Defender for Cloud surfaces in two contexts within Compliance

+1. [Assessments](compliance-manager-assessments.md): When you create an assessment in Compliance Manager, youΓÇÖll select a supported regulation and then choose one or more services to assess. Compliance Manger then provides automatic monitoring of configurations in your selected services to determine whether controls are passing or failing.

+1. [Improvement actions](compliance-manager-improvement-actions.md): Using signals from Defender for Cloud, Compliance Manager automatically detects the test status and test result of improvement actions that pertain to Azure and to your non-Microsoft services. With these signals, Compliance Manager automatically tracks the status of actions and resource-level testing details from cloud services like AWS and GCP.

+## Supported services

+The services listed below can be assessed by Compliance

+- Microsoft 365

+- Microsoft Azure cloud services

+- Google Cloud Platform

+- Amazon Web Services

+In addition, Compliance Manager provides a [universal version of regulatory templates](compliance-manager-templates.md#regulations-overview) that allows you to track compliance with any unsupported service through manual implementation and testing.

+WeΓÇÖll soon roll out a selection of data connectors built specifically for Compliance Manager that can support other non-Microsoft services such as Salesforce and Zoom.

+## Service subscriptions

+When creating assessments, you can select a subscription if the service you choose for the assessment is monitored by Defender for Cloud. Your choice of subscription will affect the evaluation of improvement actions for that service. Learn more about [monitoring assessment progress by service](compliance-manager-assessments.md#assessment-progress-by-service).

+If you choose subscriptions that are in scope within Defender for Cloud for a matching regulation, automated test results are pulled from Defender for Cloud and shown in the assessment.

+## Supported regulations

+View the [list of regulations supported by both Compliance Manager and Defender for Cloud](compliance-manager-cloud-settings.md#standards-supported-by-compliance-manager-and-defender-for-cloud).

+## Known issues

+In cases where an infrastructure cloud action in Compliance Manager receives an automated test result from Defender for Cloud, and the corresponding assessment in Defender for Cloud doesn't have any resources listed or all associated resources are listed as **Not applicable**, Compliance Manager will show the test status of this action as **Failed High Risk**. This is a known issue and will be resolved soon.

+## Get started

+There are setup steps required before you can start building assessments for your cloud services. Visit [Configure cloud settings](compliance-manager-cloud-settings.md) to get started.

+## Resources

+- [Quickstart: Set up Microsoft Defender for Cloud](/azure/defender-for-cloud/get-started)

+| **Manage assessments, regulatory templates, and tenant data; assign improvement actions**| Compliance Manager Administration | Compliance Administrator, Compliance Data Administrator, Security Administrator |

+The Compliance Manager premium assessments trial is a great way to quickly set up assessments that are most relevant to your organization. Our library of over 360 regulatory templates correspond to governmental regulations and industry standards around the world.

+Compliance Manager detects a variety of signals to provide automated testing and monitoring of improvement actions. This automation derives from three primary sources: built-in, Microsoft Secure Score, and Microsoft Defender for Cloud ([get details about automated testing sources](compliance-manager-improvement-actions.md#automated-testing-and-monitoring)). Compliance Manager also detects signals from Microsoft Priva (this capability is in preview; [learn more](/privacy/priva/priva-overview#how-priva-works-with-microsoft-purview-risk-and-compliance-solutions)). When an improvement action is successfully tested and implemented, you receive the maximum possible points for that action, which gets credited to your overall compliance score.

+On your **Improvement actions** page, find the **Testing source** column. If the value is listed as **Automatic**, then the action is automatically tested by Compliance Manager. If the value is **Manual**, then the action is tested by your organization. If the value is **Parent**, then the action inherits the testing status of another action to which it's linked. Get details about [improvement action testing source](compliance-manager-improvement-actions.md#testing-source).

+### Improvement actions page

+#### View your improvement actions

+### Solutions page

+The **Solutions** page shows the share of earned and potential points as organized by solution. Viewing your remaining points and improvement actions from this view helps you understand which solutions need more immediate attention.

+Find the solutions page by selecting the **Solutions** tab on your Compliance Manager dashboard. You can also select **View all solutions** underneath **Solutions that affect your score** in the upper-right section of your dashboard. To filter your view of solutions:

+#### Taking action from the solution page

+The **Solutions** page displays your organizationΓÇÖs solutions that are connected to improvement actions. The table lists each solutionΓÇÖs contribution to your overall score, the points achieved and possible within that solution, and the remaining number of improvement actions grouped in that solution that can increase your score.

+### Assessments page

+The **Assessments** page lists all the [assessments](compliance-manager-assessments.md) you set up for your organization. Your compliance score denominator is determined by all your tracked assessments. As you add more assessments, you'll see more improvement actions listed on your improvement actions page, and your compliance score denominator increases.

+The **Activated/Regulation** counter near the top of the page shows the number of regulations currently in use out of the total number available for your organization to use. Learn more about [active regulations](compliance-manager-templates.md#regulation-availability-and-licensing).

+### Regulations page

+A regulatory template is a framework for creating an assessment in Compliance Manager. The **Regulations** page displays a list of regulatory templates and key details. The **Activated/Regulation** counter near the top of the page shows the number of active regulations currently in use out of the total number available for your organization to use. See [Regulation availability and licensing](compliance-manager-templates.md#regulation-availability-and-licensing) for more information.

+ Title: "Microsoft Purview Compliance Manager regulations list"

+description: "Find the list of regulatory templates provided in Microsoft Purview Compliance Manager for creating assessments."

+# Compliance Manager regulations list

+**In this article:** View the comprehensive list of **regulations** available to build assessments in Compliance Manager.

+> The regulations that are available for your organization's use by default depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).

+Compliance Manager provides a comprehensive set of regulatory templates for creating assessments. These **regulations**, as they're referred to in Compliance Manager, can help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. Regulations are added to Compliance Manager as new laws and regulations are enacted. Compliance Manager also updates its regulations when the underlying laws or regulations change. Learn more about how to [review and accept updates](compliance-manager-assessments.md#accept-updates-to-assessments).

+## List of regulations and where to find them

+Below is the complete list of regulations in Compliance Manager. In Compliance Manager, go to the **Regulations** tab, and select a regulation's name to view its description, properties, controls, and associated improvement actions. Jump to a section below to view templates by area or industry:

+## Included regulations

+Some regulations are included in Compliance Manager by default, depending on subscription level:

+- **Customers at all subscription levels**: The [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment) is included for all organizations as part of their subscription.

+- **Customers at the A5/E5/G5 subscription levels**: In addition to the Microsoft Data Protection baseline, you can choose any three premium regulations to use for free.

+- **US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers**: Cybersecurity Maturity Model Certification (CMMC), levels 1 through 5, is included in addition to the Microsoft Data Protection Baseline.

+#### Preview regulations

+The regulations listed below are available in preview. Creating assessments from these regulations won't count toward your total of licensed regulations used.

+## Premium regulations

+The regulatory templates listed below may be purchased by your organization. Certain licensing agreements allow for the use of three premium regulations for free. Review [licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).

+ Title: "Learn about regulations in Microsoft Purview Compliance Manager"

+description: "Understand how to use and manage regulatory templates for building assessments in Microsoft Purview Compliance Manager."

+# Learn about regulations in Compliance Manager

+> The regulations that are available for your organization's use by default depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).

+## Regulations overview

+The **Regulations** tab displays the list of regulations and certifications for which Compliance Manager provides control-mapping templates. When you build an assessment, you choose the underlying regulation by selecting from among our [set of regulatory templates](compliance-manager-templates-list.md), then select the services you want to assess for that regulation. Setting up Compliance Manager for multicloud support provides you with greater automation in testing and monitoring of controls.

+Each regulatory template also comes in a universal version, which provides general control mapping that can broadly apply to services. Universal templates provide the most general type of implementation guidance and require manual implementation and testing by the organization. Note that US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers can't currently use universal templates.

+## Regulation availability and licensing

+The [Microsoft data protection baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment) regulatory template is available for all organizations. The regulations designated as **premium** require purchase of a license to use them. Once you purchase a license for a regulation, you can create as many assessments for that regulation as you wish. Depending on your [licensing agreement](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager), your organization may be able to use up to three additional **premium** regulatory templates for free. When you begin creating assessments, Compliance Manager tracks how many templates are active so you can monitor your usage. To learn more, see [Active and inactive regulations](#active-and-inactive-regulations).

+### Purchasing premium regulations

+Licenses for premium regulatory templates can be obtained in various ways, depending on your Compliance Manager licensing agreement. Once your purchase has been finalized, the templates should become available in your tenant within 48 hours. Licenses for [activated regulations](#active-and-inactive-regulations) are good for one year.

+- **Commercial and GCC Moderate**: Purchase licenses in the admin center ([learn more about subscriptions, licenses, and billing](/microsoft-365/commerce/)). Select the quantity of licenses you wish to purchase and your payment plan.

+ - [Commercial](https://admin.microsoft.com/Adminportal/Home?#/catalog/offer-details/compliance-manager-premium-assessment-add-on/46E9BF2A-3C8D-4A69-A7E7-3DA04687636D)

+ - [GCC Moderate](https://admin.microsoft.com/Adminportal/Home?#/catalog/offer-details/compliance-manager-premium-assessment-add-on/3129986d-5f4b-413b-a34b-b706db5a7669)

+ - You may also acquire licenses through your participation in the [Cloud Solution Provider program](https://partner.microsoft.com/membership/cloud-solution-provider) or [volume licensing](https://www.microsoft.com/licensing/licensing-programs/licensing-programs).

+- **GCC High and DOD accounts**: Purchase through [volume licensing](https://www.microsoft.com/licensing/licensing-programs/licensing-programs).

+##### Staring a premium trial

+You can try out premium regulation templates by acquiring trial versions of the licenses. Trial licenses are good for up to 25 templates for 90 days. Once you obtain your trial license, the templates should become available in your tenant within 48 hours. If your organization has a commercial license for Compliance Manager, you can learn how to start your trial at [About the free trial for Microsoft Purview Compliance Manager premium assessments](compliance-easy-trials-compliance-manager-assessments.md). If your organization is under a GCC or DOD license, choose the appropriate trial link for your organization:

+## Active and inactive regulations

+Regulations display a status as either active or inactive:

+- **Active** indicates use in at least one assessment.

+- **Inactive** indicates it's not being used for an assessment.

+When you use a premium regulation to create an assessment, that regulation's availability status changes to **Active** and the purchased license is active for one year. Your purchase will automatically renew unless you cancel.

+### Activated regulations counter

+The **Activated/Regulation** counter near the top of the **Regulations** page represents the number of regulatory templates in use out of the number you're eligible to use according to your licensing agreement and any purchased licenses. For example, if your counter shows 2/5, this means your organization has activated 2 regulations out of the 5 that are available to use. If your counter shows 5/2, this indicates that your organization exceeds its limits and needs to purchase 3 of the premium regulations in use.

+Select **View details** the counter to view a detailed list of all regulations in use and their corresponding assessments.

+## Regulations details page

+Select a regulation from the list on the **Regulations** page to bring up its details page. This page contains a description of the regulation and details about applicable services, the date it was last updated, and tabs for viewing controls and improvement actions.

+- [Add test results and evidence](compliance-manager-improvement-actions.md#storing-evidence) to multiple improvement actions that were tested in a system other than Compliance Manager.

+- Update the implementation status or testing status of multiple improvement actions all at one time.

+- Change improvement actions' [testing source](compliance-manager-improvement-actions.md#testing-source) from automatic to manual implementation and testing.

+- [Parent the testing source](compliance-manager-improvement-actions.md#parent) of multiple actions at one time, so that those actions inherit the implementation and testing status of another action.

+> - Only the improvement actions managed by your organization, not Microsoft managed actions, can be updated by this process. (Learn more about [types of improvement actions](compliance-score-calculation.md#action-types-and-scoring).)

+## May 2023

+Compliance Manager now integrates with Microsoft Defender for Cloud so you can assess your compliance posture across Microsoft 365, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) with resource-level testing and cloud-specific guidance. This new integration provides customers with a single interface in Compliance Manager to help make it easier to manage compliance across the organizationΓÇÖs digital estate. Learn more about [multicloud support in Compliance Manager](compliance-manager-multicloud.md).

+Also new in December: Improvement actions now provide greater visibility into related controls and assessments so you can better understand the impact of completing an action. Each improvement action details page has a new [**Related controls** tab](compliance-manager-improvement-actions.md#improvement-actions-details-page) that lists all the controls associated to the action, with a link to each control's description. In the **Summary** section, the number underneath **Assessments** is now linked. When you select the number, you'll see a flyout pane listing all the assessments related to that action.

+Each assessment page and assessment template page has an activated templates counter. This counter shows how many eligible templates you're using according to your licensing agreement. View [Template availability and licensing](compliance-manager-templates.md#regulation-availability-and-licensing) to learn more.

+description: "Microsoft Purview Compliance Manager helps organizations automatically assess and manage compliance across their multicloud environment."

+[Microsoft Purview Compliance Manager](https://compliance.microsoft.com/compliancemanager) is a solution in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> that helps you automatically assess and manage compliance across your multicloud environment. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

+Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

+## Key elements: controls, assessments, regulations, improvement actions

+Compliance Manager uses several data elements to help you manage your compliance activities. As you use Compliance Manager to assign, test, and monitor compliance activities, itΓÇÖs helpful to have a basic understanding of the key elements: controls, assessments, regulations, and improvement actions.

+Be sure to check out the [Compliance Manager glossary of terms](compliance-manager-glossary.md).

+##### Controls

+A control is a requirement of a regulation, standard, or policy. It defines how you assess and manage system configuration, organizational process, and people responsible for meeting a specific requirement of a regulation, standard, or policy. Compliance Manager tracks the following types of controls:

+Learn more about [monitoring control progress](compliance-manager-assessments.md#monitor-assessment-progress-and-controls).

+##### Assessments

+An assessment is grouping of controls from a specific regulation, standard, or policy. Completing the actions within an assessment help you meet the requirements of a standard, regulation, or law. For example, you may have an assessment that, when you complete all actions within it, helps to bring your Microsoft 365 settings in line with ISO 27001 requirements. Assessments have several components:

+Learn more about [creating and managing assessments](compliance-manager-assessments.md).

+##### Regulations

+Compliance Manager provides over 360 regulatory templates to help you quickly create assessments. Learn more about working with [regulations in Compliance Manager](compliance-manager-templates.md) and view the full [list of regulations](compliance-manager-templates-list.md).

+##### Improvement actions

+Improvement actions help centralize your compliance activities. Each improvement action provides recommended guidance thatΓÇÖs intended to help you align with data protection regulations and standards. Improvement actions can be assigned to users in your organization to perform implementation and testing work. You can also store documentation, notes, and record status updates within the improvement action. Learn more about [working with improvement actions](compliance-manager-improvement-actions.md).

+- [Sign in, assign permissions and roles, configure settings, and personalize your dashboard view](compliance-manager-setup.md).

+- [Learn about and set up for multicloud support](compliance-manager-multicloud.md).

+- [Create assessments to help you comply with industry standards that matter most to your organization](compliance-manager-assessments.md).

+To help you comply with data privacy regulations, weΓÇÖve designed a workflow to guide you through an end-to-end process to plan and implement capabilities across Microsoft 365, including using Compliance Manager. For more information, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md).

+## Understanding your compliance score

+1. **Improvement action**: Each action has a different impact on your score depending on the potential risk involved. See [Action types and points](#action-types-and-scoring) below for details.

+The overall compliance score is calculated using action scores, where each Microsoft action is counted once, each technical action you manage is counted once, and each non-technical action you manage is counted once per group. This logic is designed to provide the most accurate accounting of how actions are implemented and tested in your organization. You may notice that this can cause your overall compliance score to differ from the average of your assessment scores. Read more below about [how actions are scored](#action-types-and-scoring).

+#### Initial score based on Microsoft 365 data protection baseline

+Your initial score is calculated according to the default Data Protection Baseline assessment provided to all organizations. Upon your first visit, Compliance Manager is already collecting signals from your Microsoft 365 solutions. You see at a glance how your organization is performing relative to key data protection standards and regulations, and see suggested improvement actions to take.

+## Action types and scoring

+Compliance Manager tracks two types of actions:

+1. **Your improvement actions**: Managed by your organization

+2. **Microsoft actions**: Managed by Microsoft

+Both types of actions have points that count toward your overall score when completed. Your action status is updated on your dashboard within 24 hours of a change being made. Once you follow a recommendation to implement a control, youΓÇÖll typically see the control status updated the next day.

+Points are awarded per action per assessment. For example, if an action is worth 10 points but it appears in two assessments, the action is worth 20 points overall for your tenant.

+### Actions for services supported by Microsoft Defender for Cloud

+An improvement actionΓÇÖs overall score is based on the average of scores received by its subscriptions. Each subscription is scored based on the status of the relevant virtual resources.

+For example, consider an action with two subscriptions, A and B. Subscription A has 0 out of 1 resources completed, and subscription B has 1 out of 2 resources completed. The subscription scores are: A is 0%, B is 50%. The two subscription scores are averaged to get the overall action score of 25%.

+- **Non-technical actions** are managed by your organization and implemented in ways other than working with the technology of a solution. There are two types of non-technical actions: **documentation** and **operational**. The points for these actions are applied to your compliance score at a group level. This means that if an action exists in multiple groups, you receive the action's point value each time you implement it within a group.

+|Windows 10, Windows 11, and macOS devices |Yes |

+The Endpoint DLP events for devices running Windows 10, Windows 11, and any of the three most recently release major versions of mac OS are:

+Activity explorer gathers information from the audit logs of multiple sources of activities.

+Some examples of the **Sensitivity label activities** and **Retention labeling activities** from applications native to Microsoft Office, the Azure Information Protection (AIP) unified labeling client and scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive include:

+In addition, using **Endpoint data loss prevention (DLP)**, Activity explorer gathers **DLP policy matches** events from Exchange, SharePoint, OneDrive, Teams Chat and Channel, on-premises SharePoint folders and libraries, on-premises file shares, and devices running Windows 10, Windows 11, and any of the three most recent major macOS versions. Some example events gathered from Windows 10 devices include the following actions taken on files:

+> Activity explorer doesn't currently monitor retention activities for Exchange.

+- Content Explorer - for SharePoint sites, OneDrive sites

+- Sensitive Information Type Matched Items page - for SharePoint sites, OneDrive sites

+- Trainable Classifier Matched Items page - for SharePoint sites, OneDrive sites

+- Microsoft Purview Data Loss Prevention (DLP) Alerts page - for SharePoint sites, OneDrive, and emails in Exchange

+- Microsoft Threat Protection (MTP) Alerts page - for SharePoint sites, OneDrive sites, and emails in Exchange

+For information on the relevant licensing and subscriptions,7 -

+b

+ see the [licensing requirements for Data classification analytics: Overview Content & Activity Explorer](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-classification-analytics-overview-content--activity-explorer).

+## Known limitations for this preview

+- The contextual summary and feedback experience is only available for items created or updated after the feedback experience was enabled for the tenant. Items that were classified before the feature was enabled may not have the contextual summary and feedback experience available.

+1. Select the link in the **Sensitive info type** column for the document to see which SITs the item matched and the [confidence level](sensitive-information-type-learn-about.md#more-on-confidence-levels).

+1. Select the link in the **Sensitive info type** column for an item to see which SITs the item matched and the [confidence level](sensitive-information-type-learn-about.md#more-on-confidence-levels).

+- Create the user groups that you're going to assign the configuration updates to.

+- OPTIONAL: Install the v95+ Microsoft Edge browser on your macOS devices to have native Endpoint DLP support on Microsoft Edge.

+1. The following profiles are now listed:

+9. Choose the **Scope** tab and then target computers before choosing **Save**.

+2. Restart the macOS device. (Some applications may lose printing functionality until they're restarted.)

+ - Custodian (and non-custodial) data is reindexed (by a process called *Advanced indexing*). This helps optimize searching for it in the next step.

+ - You can place a hold on custodian (and non-custodial) data. This preserves data that may be relevant to the case during the investigation.

+| Encrypted mail and attachment | Search | No | Yes (with Advanced indexing)¹ |

+¹ Encrypted files located on a local computer and copied to an email message aren't decrypted and indexed for eDiscovery. For eDiscovery (Premium), encrypted email and attachments in recipient mailbox needs to be advanced indexed to be decrypted. For more information about Advanced indexing, see [Advanced indexing of custodian data](ediscovery-indexing-custodian-data.md).

+ Title: "Advanced indexing of custodian and non-custodial data sources"

+description: "When a custodian or non-custodial data source is added to an eDiscovery (Premium) case, any content that was deemed as partially indexed is reprocessed to make it fully searchable."

+# Advanced indexing of custodian and non-custodial data sources

+When a custodian or non-custodial data source is added to an eDiscovery (Premium) case, any content that was deemed as partially indexed or had indexing errors is reindexed. The reindexing process is called *Advanced indexing*. There are many reasons that content is partially indexed or has indexing errors. This includes image files or the presence of images in a file, unsupported file types, or file sized indexing limits.

+For SharePoint files, Advanced indexing only runs on items marked as partially indexed or items with indexing errors. In Exchange, email messages with image attachments aren't marked as partially indexed or with indexing errors. This means that those files won't be reindexed by the Advanced indexing process.

+## Updating the Advanced index

+When a custodian or non-custodial data source is added to an eDiscovery (Premium) case, all partially indexed items are reprocessed. However, as time passes, more partially indexed items may be added to a user's mailbox or OneDrive account. If necessary, you can update the index for specific custodian or non-custodial data source. For more information, see [Manage custodians in an eDiscovery (Premium) case](ediscovery-manage-new-custodians.md#reindex-custodian-data). You can also update the index for all custodians and non-custodial data sources in a case by selecting the **Update index** on the **Processing** tab.

+> Updating custodian and non-custodial indexes is a long running process. It's recommended that you don't update indexes more than once a day in a case.

+In most eDiscovery workflows for legal investigations, a subset of a custodian's data is searched after the custodian is added to a legal case. Because of very large file sizes or possible data corruption, some items in the data sources associated with a custodian may be partially indexed. Using the [Advanced indexing](ediscovery-indexing-custodian-data.md) capability in the eDiscovery (Premium), most partially indexed items can be automatically remediated by reindexing these items on demand.

+When a custodian is added to a case, the data located in the data sources associated with the custodian is automatically reindexed (by the Advanced indexing process). This means you can leave the data in-place instead of having to download and remediate it and then search it offline). However, during the lifecycle of a legal case new data sources might be associated with a custodian. In this case, you can reindex the custodian's data by rerunning the Advanced indexing process to remediate any partially indexed items and update the index for the custodian's data.

+|Maximum Advanced indexing throughput | 2 GB per hour |

+The **Processing** tab in eDiscovery (Premium) provides insight into the status of Advanced indexing for different processing scenarios.

+After you've selected **Use new query builder**, you're ready to get started. To create a query and custom filtering for your search, use the following controls:

+- **Value**: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the *Date* filter is selected, select date values. If the *Size (in bytes)* filter is selected, select a value for bytes.

+Set-SPOSite -Identity <siteurl> -InformationBarriersMode OwnerModerated

+Set-SPOSite -Identity <siteurl> -InformationBarriersMode Mixed

+- **Severity**: Select one or more alert risk severity levels to filter the alert list. The options are *High*, *Medium*, and *Low*.

+Organizations can purchase the add-on in units of 100 GB per month. Purchased capacity applies to the ingestion of forensic evidence beginning on the date of purchase and resets on the first of the month. Unused capacity does not carry over. We recommend you purchase the license at the beginning of the month to maximize the value of the license. 100 GB is roughly equal to around 1,100 hours of forensic evidence captures per tenant, at a video resolution of 1080p. You can [download the capacity calculator](https://aka.ms/ForensicEvidenceCapacityCalculator) to help estimate the number of GBs needed per month.

+Once the forensic evidence is ingested, it will be retained for 120 days. You can export forensic evidence if needed after the 120-day retention period.

+- **Pay yearly (available in all channels).** The annual commitment option allows you to buy the number of licenses you specify each month for 12 months. ItΓÇÖs suitable for customers who want to ensure they have capacity available each month to ingest forensic evidence without interruption. This payment plan will automatically replenish the number of licenses purchased each month. Purchased capacity applies to the ingestion of forensic evidence beginning on the date of purchase and resets on the first of the month. Unused capacity does not carry over. Customers can choose to be billed one time or split the bill into 12 monthly payments.

+- **Pay monthly (only available in web direct).** If you don't want to make an annual commitment, you can buy the number of licenses needed each month. Purchased capacity applies to the ingestion of forensic evidence beginning on the date of purchase and resets on the first of the month. Unused capacity does not carry over.

+

+> [!NOTE]

+> The commerce platform has [a legacy billing platform and a modern billing platform](https://partner.microsoft.com/partnership/new-commerce). Insider risk management billing is designed to work with the modern billing platform. Purchased capacity is enforced on the ingestion of forensic evidence on a monthly basis, starting on the date of purchase and resetting the first of every month. Any purchased capacity can be fully used in that month and will be reset on the first of the next month. You can continue to [use the capacity until the date the license expires](https://partner.microsoft.com/partnership/new-commerce).

+- **Show anonymized versions of usernames**: Names of users are anonymized to prevent admins, data investigators, and reviewers from seeing who is associated with policy alerts. For example, a user 'Grace Taylor' would appear with a randomized pseudonym such as 'AnonIS8-988' in all areas of the insider risk management experience. Choosing this setting anonymizes all users with current and past policy matches and applies to all policies. User profile information in the insider risk alert and case details won't be available when this option is chosen. However, usernames are displayed when adding new users to existing policies or when assigning users to new policies. If you choose to turn off this setting, usernames are displayed for all users that have current or past policy matches.

+- **Global settings indicators**: Indicators enabled in global settings for insider risk management define both the indicators available for configuration in policies and the types of events signals collected by insider risk management. For example, if a user copies data to personal cloud storage services or portable storage devices and these indicators are selected only in global settings, the user's potentially risky activity is available for review in the Activity explorer. However, if this user wasn't defined in an insider risk management policy, the user isn't evaluated by the policy as a potential risk and therefore won't be assigned a risk score or generate an alert.

+- **Cumulative exfiltration detection (preview)**: Detects when a user's exfiltration activities across all exfiltration channels over the last 30 days exceeds organization or peer group norms. For example, if a user is in a sales role and communicates regularly with customers and partners outside of the organization, their external email activity will likely be higher than the organization's average. However, the user's activity may not be unusual compared to the user's teammates, or others with similar job titles. A risk score is assigned if the user's cumulative exfiltration activity is unusual and exceeds organization or peer group norms.

+3. Choose **Device management** to open the **Devices** list. The list is empty until you onboard devices.

+If Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in, all these endpoints appear in the managed devices list. You can continue to onboard new devices into insider risk management to expand coverage by using the [Step 2: Onboarding devices](insider-risk-management-settings.md#OnboardStep2) section.

+ > For email activities, the past activity detection period is 10 days.

+### Ignore email signature attachments (preview)

+One of the main sources of 'noise' in insider risk management policies is images in email signatures, which are often detected as attachments in emails. This can lead to false positives of users sending potentially confidential files via email. If the *Sending email with attachments to recipients outside the organization* indicator is selected, the attachment is scored like any other email attachment sent outside the organization, even if the only thing in the attachment is the email signature. You can exclude email signature attachments from being scored in this situation by turning on the **Ignore email signature attachments** setting.

+Turning on this setting significantly eliminates noise from email signature attachments, but won't completely eliminate all noise. This is because only the email signature attachment of *the email sender* (the person who initiates the email or replies to the email) is excluded from scoring. A signature attachment for anyone on the To, CC, or BCC line will still be scored. Also, if someone changes their email signature, the new signature has to be profiled, which can cause alert noise for a short period of time.

+> [!NOTE]

+> The **Ignore email signature attachments** setting is off by default.

+- **Unallowed domains:** By specifying unallowed domains, risk management activity that takes place with these domains have *higher* risk scores. Some examples are activities involving sharing content with someone (such as sending email to someone with a gmail.com address) and when users download content to a device from one of these unallowed domains.

+[Sensitive info types](sensitive-information-type-learn-about.md) excluded in settings map to indicators and triggers involving file-related activities for Endpoint, SharePoint, Teams, OneDrive, and Exchange. These excluded types are treated as non-sensitive info types. For those files that contain any sensitive info types identified here, they'll be risk scored but not shown as activities involving content related to sensitive info types. For a complete list, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).

+- ID

+For example, you need to protect against data leaks for a highly confidential project where users have access to sensitive information. You choose to create *Confidential Project* *Users* priority user group for users in your organization that work on this project. Also, this priority user group shouldn't have users, alerts, cases, and reports associated with group visible to all the default insider risk management admins, analysts, and investigators. In **Settings**, you create the *Confidential Project Users* priority users group and assign two users as reviewer that can view data related to the groups. Use the policy wizard and the *Data leaks by priority users* policy template to create a new policy and assign the *Confidential Project Users* priority users group to the policy. Activities examined by the policy for members of the *Confidential Project Users* priority user group are more sensitive to risk and activities by these users are more likely to generate an alert and have alerts with higher severity levels.

+7. Select **Close** to return to the **Power Automate flow** page. The new template is listed as a flow on the **My flows** tabs and is automatically available from the **Automate** dropdown control when working with insider risk management cases for the user creating the flow.

+**Limitations:**

+- Currently, if you use any label policy settings with a sensitivity label that's scoped to just **Files** or scoped to just **Emails**, the same policy must also include at least one label with both scope options.

+### Insider risk management

+- Updates for forensic evidence policy enforcement SLA: [Get started with insider risk management forensic evidence](insider-risk-management-forensic-evidence-configure.md#next-steps).

+- Assessment templates that belong to the same regulation family now count as one template. The [definition of **included templates**](compliance-manager-templates-list.md#included-regulations) has been updated to align with [template licensing changes starting December 2022](compliance-manager-faq.yml#what-changed-with-template-licensing-in-december-2022-).

+- Improvement actions now provide greater visibility into related controls and assessments. Improvement action details pages have a new [**Related controls** tab](compliance-manager-improvement-actions.md#improvement-actions-details-page), and the **Summary** section has a clickable **Assessments** number that, when selected, lists all the assessments related to that action.

+- If a OneDrive site already exists for the user on the target tenant the migration fails.

+**Answer:** No, before starting any migrations, ensure that your source OneDrive accounts are NOT set to Read-only. Otherwise, the migration fails.

+We hope to increase those limits in the future to ensure larger OneDrive accounts can be migrated via the process. **IMPORTANT** If you attempt to migrate any OneDrive site that exceeds the 2GB quota, the transfer fails.

+Like most migrations it's difficult to assign an exact length of time for how long a migration might take. So many factors play into this, such as number of users/sites, number of files/folders, when you're running your migrations, etc. However, you'll find our process is substantially faster than existing third party migration tools. Bulk migrations complete faster than using standard migration tools.

+**Answer:** After the migration is complete, the user needs to sign in to their OneDrive Sync client using their new identity and to the new OneDrive location. Once this is done, files and folders begin resyncing to the device.

+**Answer:** See the question above. The identity map informs how files are shared. The previous answer highlights how to apply this.

+**Answer:** See the question above. The identity map informs how files are shared. If a user selects the link, it attempts to redirect to the new location. The file is accessible as long as the user has permissions to access the file on the destination.

+If you are an Enterprise Agreement customer who will be purchasing Cross-Tenant User Content Migration licenses, and you would like to evaluate Cross-Tenant SharePoint migration to improve your migration experience, sign-up at:

+- **https://aka.ms/ODSPSecurityPreviews**

+

+Make sure to include all of the requested information, and indicate your interest in "**SharePoint cross-tenant data migration (Mergers and Acquisition scenario)**".

+For more information on licensing:

+- Contact your Microsoft account team

+- [**Learn more at Cross-Tenant User Content Migration Licensing**](/microsoft-365/enterprise/cross-tenant-mailbox-migration).

+When you have set up and configured all of the other services you need, you can set up Microsoft Teams.

+- Expand the number of teams.

+Follow the guidance in [Deploy Teams at scale for frontline workers](deploy-teams-at-scale.md).

+Run one of these two scripts, depending on whether you're creating a new team or mapping to an existing team:

+- To set up a connection while creating a new team within Microsoft Teams and mapping a Blue Yonder team to the new team, run the [new teams script](#set-up-a-connection-and-create-a-new-team).

+- To set up a connection and map to an existing team within Microsoft Teams, run the [existing teams script](#set-up-a-connection-and-map-an-existing-team).

+Follow the on-screen instructions when you run the script. The script will complete these actions:

+1. Test and verify the connection to Blue Yonder WFM using the Blue Yonder WFM service account credentials and service URLs that you enter.

+1. Apply sync settings. These settings include the sync frequency (in minutes) and the schedule data synced between Blue Yonder WFM and Shifts. You can enable schedule data defined by these scenarios: `Shift`, `SwapRequest`, `UserShiftPreferences`, `OpenShift`, `OpenShiftRequest`, `TimeOff`, `TimeOffRequest`.

+ > [!NOTE]

+ > The script you select will enable sync for each supported sync option. If you want to change sync settings, you can do so after the connection is set up. To learn more, see [Use PowerShell to manage your Shifts connection to Blue Yonder Workforce Management](shifts-connector-powershell-manage.md).

+1. Map Blue Yonder WFM instances to your teams within Microsoft Teams.

+ - If you select the new teams script to create new teams, mappings are based on the new teams you create.

+ - If you select the existing teams script to map existing teams, mappings are based on Blue Yonder instance IDs and TeamIds that you enter. If a team has an existing schedule, the script removes all schedule data.

+After you run the script, a **Success** message confirms if your connection is successfully set up.

+### Set up a connection and create a new team

+Write-Output "Map WFM sites to teams"

+Write-Output "Checking Teams module version"

+ Get-InstalledModule -Name "MicrosoftTeams" -MinimumVersion 5.2.0

+Write-Output "Listing connector types available"

+Write-Output $connectors

+$WfmUserName = Read-Host -Prompt 'Input your Blue Yonder account username'

+$WfmPwd = Read-Host -Prompt 'Input your Blue Yonder account password' -AsSecureString

+Write-Output "Testing connection settings"

+$ConnectionName = Read-Host -Prompt 'Input connection name'

+ -Name $ConnectionName `

+if ($NULL -ne $testResult.Code) {

+ Write-Output $testResult

+Write-Output "Test complete, no conflicts found"

+#Create a connection

+Write-Output "Creating a connection"

+$ConnectionResponse = New-CsTeamsShiftsConnection `

+ -Name $ConnectionName `

+$ConnectionId = $ConnectionResponse.Id

+if ($null -ne $ConnectionId){

+ Write-Output "Successfully created connection"

+ throw "Connection creation failed"

+#Create a connection instance

+Write-Output "Creating a connection instance"

+$designatedActorName = Read-Host -Prompt "Input Microsoft 365 System Account (person@contoso.com)"

+$designator = Get-MgUser -UserId $designatedActorName

+$teamsUserId = $designator.Id

+$syncFreq = Read-Host -Prompt "Input sync frequency in minutes"

+$InstanceName = Read-Host -Prompt "Input connection instance name"

+#Read sync scenarios for connection instance

+function GetSyncScenarioSetting {

+ param (

+ $SettingName

+ )

+ $TwoWay = New-Object System.Management.Automation.Host.ChoiceDescription '&TwoWay', 'TwoWay'

+ $Disabled = New-Object System.Management.Automation.Host.ChoiceDescription '&Disabled', 'Disabled'

+ $FromWfmToShifts = New-Object System.Management.Automation.Host.ChoiceDescription '&FromWfmToShifts', 'FromWfmToShifts'

+ $options = [System.Management.Automation.Host.ChoiceDescription[]]($TwoWay, $Disabled, $FromWfmToShifts)

+ $result = $host.ui.PromptForChoice("Set sync scenario for $SettingName", "", $options, 0)

+ switch ($result)

+ {

+ 0 { return "TwoWay" }

+ 1 { return "Disabled" }

+ 2 { return "FromWfmToShifts" }

+ }

+$SyncScenarioOfferShiftRequest = GetSyncScenarioSetting "Offer Shift Request"

+$SyncScenarioOpenShift = GetSyncScenarioSetting "Open Shift"

+$SyncScenarioOpenShiftRequest = GetSyncScenarioSetting "Open Shift Request"

+$SyncScenarioShift = GetSyncScenarioSetting "Shift"

+$SyncScenarioSwapRequest = GetSyncScenarioSetting "Swap Request"

+$SyncScenarioTimeCard = GetSyncScenarioSetting "Time Card"

+$SyncScenarioTimeOff = GetSyncScenarioSetting "Time Off"

+$SyncScenarioTimeOffRequest = GetSyncScenarioSetting "Time Off Request"

+$SyncScenarioUserShiftPreference = GetSyncScenarioSetting "User Shift Preferences"

+#Read admin email list

+[psobject[]]$AdminEmailList = @()

+while ($true){

+ $AdminEmail = Read-Host -Prompt "Enter admin's email to receive error report"

+ $AdminEmailList += $AdminEmail

+ $title = 'Adding another email'

+ $question = 'Would you like to add another admin email?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$InstanceResponse = New-CsTeamsShiftsConnectionInstance `

+ -ConnectionId $ConnectionId `

+ -ConnectorAdminEmail $AdminEmailList `

+ -DesignatedActorId $teamsUserId `

+ -Name $InstanceName `

+ -SyncFrequencyInMin $syncFreq `

+ -SyncScenarioOfferShiftRequest $SyncScenarioOfferShiftRequest `

+ -SyncScenarioOpenShift $SyncScenarioOpenShift `

+ -SyncScenarioOpenShiftRequest $SyncScenarioOpenShiftRequest `

+ -SyncScenarioShift $SyncScenarioShift `

+ -SyncScenarioSwapRequest $SyncScenarioSwapRequest `

+ -SyncScenarioTimeCard $SyncScenarioTimeCard `

+ -SyncScenarioTimeOff $SyncScenarioTimeOff `

+ -SyncScenarioTimeOffRequest $SyncScenarioTimeOffRequest `

+ -SyncScenarioUserShiftPreference $SyncScenarioUserShiftPreference

+$InstanceId = $InstanceResponse.id

+if ($null -ne $InstanceId){

+ Write-Output "Success"

+} else {

+ throw "Connector instance creation failed"

+}

+$mappings=@()

+ #Create a new Teams team with owner set to system account and name set to the site name

+ Write-Output "Creating a Teams team"

+ $teamsTeamName = Read-Host -Prompt "Input the Teams team name"

+ $Team = New-Team -DisplayName $teamsTeamName -Visibility "Public" -Owner $teamsUserId

+ Write-Output "Successfully created a team"

+ $TeamsTeamId=$Team.GroupId

+ #Retrieve the list of wfm locations

+ Write-Output "Listing the WFM team sites"

+ $WfmTeamIds = Get-CsTeamsShiftsConnectionWfmTeam -ConnectorInstanceId $InstanceId

+ Write-Output $WfmTeamIds

+ if (($NULL -ne $WfmTeamIds) -and ($WfmTeamIds.Count -gt 0)){

+ [System.String]$WfmTeamId = Read-Host -Prompt "Input the ID of WFM team you want to map"

+ }

+ else {

+ throw "The WfmTeamId list is null or empty"

+ }

+ #Retrieve the list of WFM users and their roles

+ Write-Output "Listing WFM users and roles"

+ $WFMUsers = Get-CsTeamsShiftsConnectionWfmUser -ConnectorInstanceId $InstanceId -WfmTeamId $WfmTeamId

+ Write-Output $WFMUsers

+ #Add users to the Team for Shifts

+ Write-Output "Adding users to Teams team"

+ $currentUser = Read-Host -Prompt "Input the current user's user name or AAD ID"

+ Add-TeamUser -GroupId $TeamsTeamId -User $currentUser -Role Owner

+ $failedWfmUsers=@()

+ foreach ($user in $WFMUsers) {

+ try {

+ $userEmail = $user.Name + "@" +$domain

+ Add-TeamUser -GroupId $TeamsTeamId -User $userEmail

+ } catch {

+ $failedWfmUsers+=$user

+ }

+ }

+ if($failedWfmUsers.Count -gt 0){

+ Write-Output "There are WFM users not existed in Teams tenant:"

+ Write-Output $failedWfmUsers

+ #Enable scheduling in the group

+ $RequestBody = @{

+ Enabled = $true

+ TimeZone = "America/Los_Angeles"

+ }

+ $teamUpdateUrl="https://graph.microsoft.com/v1.0/teams/"+$TeamsTeamId+"/schedule"

+ Invoke-MgGraphRequest -Uri $teamUpdateUrl -Method PUT -Body $RequestBody

+ #Create a mapping of the new team to the instance

+ Write-Output "Create a mapping of the new team to the site"

+ $TimeZone = Read-Host -Prompt "Input the time zone of team mapping"

+ $mapping = @{

+ teamId = $TeamsTeamId

+ wfmTeamId = $WfmTeamId

+ timeZone = $TimeZone

+ }

+ $mappings += , $mapping

+ $title = 'Connecting another team'

+ $question = 'Would you like to connect another team?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$batchMappingResponse = New-CsTeamsShiftsConnectionBatchTeamMap -ConnectorInstanceId $InstanceId -TeamMapping @($mappings)

+if ($null -ne $batchMappingResponse.OperationId){

+ "The mapping has begun asynchronously. To query mapping results run Get-CsTeamsShiftsConnectionOperation with the operation Id."

+else {

+ throw "The mapping has failed due to validation errors."

+Write-Output $batchMappingResponse

+### Set up a connection and map an existing team

+Write-Output "Map WFM sites to existing teams"

+Write-Output "Checking Teams module version"

+ Get-InstalledModule -Name "MicrosoftTeams" -MinimumVersion 5.2.0

+Write-Output "Listing connector types available"

+Write-Output $connectors

+$WfmUserName = Read-Host -Prompt 'Input your Blue Yonder account username'

+$WfmPwd = Read-Host -Prompt 'Input your Blue Yonder account password' -AsSecureString

+Write-Output "Testing connection settings"

+$ConnectionName = Read-Host -Prompt 'Input connection name'

+ -Name $ConnectionName `

+

+if ($NULL -ne $testResult.Code) {

+ Write-Output $testResult

+#Create a connection

+Write-Output "Creating a connection"

+$ConnectionResponse = New-CsTeamsShiftsConnection `

+ -Name $ConnectionName `

+ })

+$ConnectionId = $ConnectionResponse.Id

+if ($null -ne $ConnectionId){

+ Write-Output "Successfully created connection"

+ throw "Connection creation failed"

+#Create a connection instance

+Write-Output "Creating a connection instance"

+$designatedActorName = Read-Host -Prompt "Input Microsoft 365 System Account (person@contoso.com)"

+$designator = Get-MgUser -UserId $designatedActorName

+$teamsUserId = $designator.Id

+$syncFreq = Read-Host -Prompt "Input sync frequency in minutes"

+$InstanceName = Read-Host -Prompt "Input connection instance name"

+#Read sync scenarios for connection instance

+function GetSyncScenarioSetting {

+ param (

+ $SettingName

+ )

+ $TwoWay = New-Object System.Management.Automation.Host.ChoiceDescription '&TwoWay', 'TwoWay'

+ $Disabled = New-Object System.Management.Automation.Host.ChoiceDescription '&Disabled', 'Disabled'

+ $FromWfmToShifts = New-Object System.Management.Automation.Host.ChoiceDescription '&FromWfmToShifts', 'FromWfmToShifts'

+ $options = [System.Management.Automation.Host.ChoiceDescription[]]($TwoWay, $Disabled, $FromWfmToShifts)

+ $result = $host.ui.PromptForChoice("Set sync scenario for $SettingName", "", $options, 0)

+ switch ($result)

+ {

+ 0 { return "TwoWay" }

+ 1 { return "Disabled" }

+ 2 { return "FromWfmToShifts" }

+ }

+$SyncScenarioOfferShiftRequest = GetSyncScenarioSetting "Offer Shift Request"

+$SyncScenarioOpenShift = GetSyncScenarioSetting "Open Shift"

+$SyncScenarioOpenShiftRequest = GetSyncScenarioSetting "Open Shift Request"

+$SyncScenarioShift = GetSyncScenarioSetting "Shift"

+$SyncScenarioSwapRequest = GetSyncScenarioSetting "Swap Request"

+$SyncScenarioTimeCard = GetSyncScenarioSetting "Time Card"

+$SyncScenarioTimeOff = GetSyncScenarioSetting "Time Off"

+$SyncScenarioTimeOffRequest = GetSyncScenarioSetting "Time Off Request"

+$SyncScenarioUserShiftPreference = GetSyncScenarioSetting "User Shift Preferences"

+#Read admin email list

+[psobject[]]$AdminEmailList = @()

+while ($true){

+ $AdminEmail = Read-Host -Prompt "Enter admin's email to receive error report"

+ $AdminEmailList += $AdminEmail

+ $title = 'Adding another email'

+ $question = 'Would you like to add another admin email?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$InstanceResponse = New-CsTeamsShiftsConnectionInstance `

+ -ConnectionId $ConnectionId `

+ -ConnectorAdminEmail $AdminEmailList `

+ -DesignatedActorId $teamsUserId `

+ -Name $InstanceName `

+ -SyncFrequencyInMin $syncFreq `

+ -SyncScenarioOfferShiftRequest $SyncScenarioOfferShiftRequest `

+ -SyncScenarioOpenShift $SyncScenarioOpenShift `

+ -SyncScenarioOpenShiftRequest $SyncScenarioOpenShiftRequest `

+ -SyncScenarioShift $SyncScenarioShift `

+ -SyncScenarioSwapRequest $SyncScenarioSwapRequest `

+ -SyncScenarioTimeCard $SyncScenarioTimeCard `

+ -SyncScenarioTimeOff $SyncScenarioTimeOff `

+ -SyncScenarioTimeOffRequest $SyncScenarioTimeOffRequest `

+ -SyncScenarioUserShiftPreference $SyncScenarioUserShiftPreference

+$InstanceId = $InstanceResponse.id

+if ($null -ne $InstanceId){

+ Write-Output "Success"

+} else {

+ throw "Connector instance creation failed"

+}

+$mappings=@()

+ $TeamsTeamId = Read-Host -Prompt "Input the ID of the Teams team to be mapped"

+ #Clear schedule of the Teams team

+ Write-Host "Clear schedule of the existing team"

+ $entityTypeString = Read-Host -Prompt 'Input the entity types of clear schedule'

+ $Delimiters = ",", ".", ":", ";", " ", "`t"

+ $entityType = $entityTypeString -Split {$Delimiters -contains $_}

+ $entityType = $entityType.Trim()

+ $entityType = $entityType.Split('',[System.StringSplitOptions]::RemoveEmptyEntries)

+ Remove-CsTeamsShiftsScheduleRecord -TeamId $TeamsTeamId -ClearSchedulingGroup:$True -EntityType $entityType

+ #Retrieve the list of wfm locations

+ Write-Output "Listing the WFM team sites"

+ $WfmTeamIds = Get-CsTeamsShiftsConnectionWfmTeam -ConnectorInstanceId $InstanceId

+ Write-Output $WfmTeamIds

+ if (($NULL -ne $WfmTeamIds) -and ($WfmTeamIds.Count -gt 0)){

+ [System.String]$WfmTeamId = Read-Host -Prompt "Input the ID of WFM team you want to map"

+ }

+ else {

+ throw "The WfmTeamId list is null or empty"

+ }

+ #Retrieve the list of WFM users and their roles

+ Write-Output "Listing WFM users and roles"

+ $WFMUsers = Get-CsTeamsShiftsConnectionWfmUser -ConnectorInstanceId $InstanceId -WfmTeamId $WfmTeamId

+ Write-Output $WFMUsers

+ #Create a mapping of the existing team to the instance

+ Write-Host "Create a mapping of the existing team to the site"

+ $TimeZone = Read-Host -Prompt "Input the time zone of team mapping"

+ $mapping = @{

+ teamId = $TeamsTeamId

+ wfmTeamId = $WfmTeamId

+ timeZone = $TimeZone

+ }

+ $mappings += , $mapping

+ $title = 'Connecting another team'

+ $question = 'Would you like to connect another team?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+}

+$batchMappingResponse = New-CsTeamsShiftsConnectionBatchTeamMap -ConnectorInstanceId $InstanceId -TeamMapping @($mappings)

+if ($null -ne $batchMappingResponse.OperationId){

+ "The mapping has begun asynchronously. To query mapping results run Get-CsTeamsShiftsConnectionOperation with the operation Id."

+else {

+ throw "The mapping has failed due to validation errors."

+Write-Output $batchMappingResponse

+For help with Shifts connector cmdlets, including the cmdlets used in the scripts, search for **CsTeamsShiftsConnection** in the [Teams PowerShell cmdlet reference](/powershell/teams/intro). Here are links to some commonly used cmdlets, grouped by category:

+Connections

+- [New-CsTeamsShiftsConnection](/powershell/module/teams/new-csteamsshiftsconnection)

+- [Get-CsTeamsShiftsConnection](/powershell/module/teams/get-csteamsshiftsconnection)

+- [Update-CsTeamsShiftsConnection](/powershell/module/teams/update-csteamsshiftsconnection)

+WFM systems credentials

+- [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate)

+Sync options for supported scenarios

+- [Get-CsTeamsShiftsConnectionConnector](/powershell/module/teams/get-csteamsshiftsconnectionconnector)

+Remove schedule data

+- [Remove-CsTeamsShiftsScheduleRecord](/powershell/module/teams/remove-csteamsshiftsschedulerecord)

+Connection instances

+User mapping and successful syncing

+Team mapping

+- [Get-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/get-csteamsshiftsconnectionteammap)

+- [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap)

+Operation ID

+- [Get-CsTeamsShiftsConnectionOperation](/powershell/module/teams/get-csteamsshiftsconnectionoperation)

+Error reports

+To set up the connection, you run a PowerShell script. The script configures the connector, applies sync settings, creates the connection, and maps UKG Dimensions instances to teams. Sync settings determine the features enabled in Shifts and the schedule information that's synced between UKG Dimensions and Shifts. Mappings define the sync relationship between your UKG Dimensions instances and teams in Microsoft Teams. You can map to existing teams and new teams.

+Run the following to connect to Microsoft Teams.

+Run one of these two scripts, depending on whether you're creating a new team or mapping to an existing team:

+- To set up a connection while creating a new team within Microsoft Teams and mapping a UKG team to the new team, run the [new teams script](#set-up-a-connection-and-create-a-new-team).

+- To set up a connection and map to an existing team within Microsoft Teams, run the [existing teams script](#set-up-a-connection-and-map-an-existing-team).

+Follow the on-screen instructions when you run the script. The script will complete these actions:

+1. Test and verify the connection to UKG Dimensions using the UKG Dimensions service account credentials and service URLs that you enter.

+1. Apply sync settings. These settings include the sync frequency (in minutes) and the schedule data synced between UKG Dimensions and Shifts. You can enable schedule data defined by these scenarios: `Shift`, `SwapRequest`, `OfferShiftRequest`, `UserShiftPreferences`, `OpenShift`, `OpenShiftRequest`, `TimeOff`, `TimeOffRequest`.

+> [!NOTE]

+> The script you select will enable sync for each supported sync option. If you want to change sync settings, you can do so after the connection is set up. To learn more, see [Use PowerShell to manage your Shifts connection to UKG Dimensions](shifts-connector-ukg-powershell-manage.md).

+1. Map UKG Dimensions instances to your teams within Microsoft Teams.

+ - If you select the new teams script to create new teams, mappings are based on the new teams you create.

+ - If you select the existing teams script above to map existing teams, mappings are based on UKG Dimensions instance IDs and TeamIds that you enter. If a team has an existing schedule, the script removes all schedule data.

+After you run the script, a **Success** message confirms if your connection is successfully set up.

+### Set up a connection and create a new team

+Write-Output "Map WFM sites to teams"

+Write-Output "Checking Teams module version"

+ Get-InstalledModule -Name "MicrosoftTeams" -MinimumVersion 5.2.0

+#List connector types available

+Write-Output "Listing connector types available"

+Write-Output $connectors

+$Ukg = $connectors | Where-Object {$_.Id -match $UkgId}

+if ($NULL -eq $Ukg) {

+ throw "UKG Dimensions not currently supported"

+}

+$WfmUserName = Read-Host -Prompt 'Input your UKG account username'

+$WfmPwd = Read-Host -Prompt 'Input your UKG account password' -AsSecureString

+Write-Output "Testing connection settings"

+$ConnectionName = Read-Host -Prompt 'Input connection name'

+ -Name $ConnectionName `

+if ($NULL -ne $testResult.Code) {

+ Write-Output $testResult

+Write-Output "Test complete, no conflicts found"

+#Create a connection

+Write-Output "Creating a connection"

+$ConnectionResponse = New-CsTeamsShiftsConnection `

+ -Name $ConnectionName `

+$ConnectionId = $ConnectionResponse.Id

+if ($null -ne $ConnectionId){

+ Write-Output "Successfully created connection"

+ throw "Connection creation failed"

+#Create a connection instance

+Write-Output "Creating a connection instance"

+$designatedActorName = Read-Host -Prompt "Input Microsoft 365 System Account (person@contoso.com)"

+$designator = Get-MgUser -UserId $designatedActorName

+$teamsUserId = $designator.Id

+$syncFreq = Read-Host -Prompt "Input sync frequency in minutes"

+$InstanceName = Read-Host -Prompt "Input connection instance name"

+#Read sync scenarios for connection instance

+function GetSyncScenarioSetting {

+ param (

+ $SettingName

+ )

+ $TwoWay = New-Object System.Management.Automation.Host.ChoiceDescription '&TwoWay', 'TwoWay'

+ $Disabled = New-Object System.Management.Automation.Host.ChoiceDescription '&Disabled', 'Disabled'

+ $FromWfmToShifts = New-Object System.Management.Automation.Host.ChoiceDescription '&FromWfmToShifts', 'FromWfmToShifts'

+ $options = [System.Management.Automation.Host.ChoiceDescription[]]($TwoWay, $Disabled, $FromWfmToShifts)

+ $result = $host.ui.PromptForChoice("Set sync scenario for $SettingName", "", $options, 0)

+ switch ($result)

+ {

+ 0 { return "TwoWay" }

+ 1 { return "Disabled" }

+ 2 { return "FromWfmToShifts" }

+ }

+$SyncScenarioOfferShiftRequest = GetSyncScenarioSetting "Offer Shift Request"

+$SyncScenarioOpenShift = GetSyncScenarioSetting "Open Shift"

+$SyncScenarioOpenShiftRequest = GetSyncScenarioSetting "Open Shift Request"

+$SyncScenarioShift = GetSyncScenarioSetting "Shift"

+$SyncScenarioSwapRequest = GetSyncScenarioSetting "Swap Request"

+$SyncScenarioTimeCard = GetSyncScenarioSetting "Time Card"

+$SyncScenarioTimeOff = GetSyncScenarioSetting "Time Off"

+$SyncScenarioTimeOffRequest = GetSyncScenarioSetting "Time Off Request"

+$SyncScenarioUserShiftPreference = GetSyncScenarioSetting "User Shift Preferences"

+#Read admin email list

+[psobject[]]$AdminEmailList = @()

+while ($true){

+ $AdminEmail = Read-Host -Prompt "Enter admin's email to receive error report"

+ $AdminEmailList += $AdminEmail

+ $title = 'Adding another email'

+ $question = 'Would you like to add another admin email?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$InstanceResponse = New-CsTeamsShiftsConnectionInstance `

+ -ConnectionId $ConnectionId `

+ -ConnectorAdminEmail $AdminEmailList `

+ -DesignatedActorId $teamsUserId `

+ -Name $InstanceName `

+ -SyncFrequencyInMin $syncFreq `

+ -SyncScenarioOfferShiftRequest $SyncScenarioOfferShiftRequest `

+ -SyncScenarioOpenShift $SyncScenarioOpenShift `

+ -SyncScenarioOpenShiftRequest $SyncScenarioOpenShiftRequest `

+ -SyncScenarioShift $SyncScenarioShift `

+ -SyncScenarioSwapRequest $SyncScenarioSwapRequest `

+ -SyncScenarioTimeCard $SyncScenarioTimeCard `

+ -SyncScenarioTimeOff $SyncScenarioTimeOff `

+ -SyncScenarioTimeOffRequest $SyncScenarioTimeOffRequest `

+ -SyncScenarioUserShiftPreference $SyncScenarioUserShiftPreference

+$InstanceId = $InstanceResponse.id

+if ($null -ne $InstanceId){

+ Write-Output "Success"

+} else {

+ throw "Connector instance creation failed"

+}

+$mappings=@()

+ #Create a new Teams team with owner set to system account and name set to the site name

+ Write-Output "Creating a Teams team"

+ $teamsTeamName = Read-Host -Prompt "Input the Teams team name"

+ $Team = New-Team -DisplayName $teamsTeamName -Visibility "Public" -Owner $teamsUserId

+ Write-Output "Successfully created a team"

+ $TeamsTeamId=$Team.GroupId

+ #Retrieve the list of wfm locations

+ Write-Output "Listing the WFM team sites"

+ $WfmTeamIds = Get-CsTeamsShiftsConnectionWfmTeam -ConnectorInstanceId $InstanceId

+ Write-Output $WfmTeamIds

+ if (($NULL -ne $WfmTeamIds) -and ($WfmTeamIds.Count -gt 0)){

+ [System.String]$WfmTeamId = Read-Host -Prompt "Input the ID of WFM team you want to map"

+ }

+ else {

+ throw "The WfmTeamId list is null or empty"

+ }

+ #Retrieve the list of WFM users and their roles

+ Write-Output "Listing WFM users and roles"

+ $WFMUsers = Get-CsTeamsShiftsConnectionWfmUser -ConnectorInstanceId $InstanceId -WfmTeamId $WfmTeamId

+ Write-Output $WFMUsers

+ #Add users to the Team for Shifts

+ Write-Output "Adding users to Teams team"

+ $currentUser = Read-Host -Prompt "Input the current user's user name or AAD ID"

+ Add-TeamUser -GroupId $TeamsTeamId -User $currentUser -Role Owner

+ $failedWfmUsers=@()

+ foreach ($user in $WFMUsers) {

+ try {

+ $userEmail = $user.Name + "@" +$domain

+ Add-TeamUser -GroupId $TeamsTeamId -User $userEmail

+ } catch {

+ $failedWfmUsers+=$user

+ }

+ }

+ if($failedWfmUsers.Count -gt 0){

+ Write-Output "There are WFM users not existed in Teams tenant:"

+ Write-Output $failedWfmUsers

+ #Enable scheduling in the group

+ $RequestBody = @{

+ Enabled = $true

+ TimeZone = "America/Los_Angeles"

+ }

+ $teamUpdateUrl="https://graph.microsoft.com/v1.0/teams/"+$TeamsTeamId+"/schedule"

+ Invoke-MgGraphRequest -Uri $teamUpdateUrl -Method PUT -Body $RequestBody

+ #Create a mapping of the new team to the instance

+ Write-Output "Create a mapping of the new team to the site"

+ $TimeZone = Read-Host -Prompt "Input the time zone of team mapping"

+ $mapping = @{

+ teamId = $TeamsTeamId

+ wfmTeamId = $WfmTeamId

+ timeZone = $TimeZone

+ }

+ $mappings += , $mapping

+ $title = 'Connecting another team'

+ $question = 'Would you like to connect another team?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$batchMappingResponse = New-CsTeamsShiftsConnectionBatchTeamMap -ConnectorInstanceId $InstanceId -TeamMapping @($mappings)

+if ($null -ne $batchMappingResponse.OperationId){

+ "The mapping has begun asynchronously. To query mapping results run Get-CsTeamsShiftsConnectionOperation with the operation Id."

+else {

+ throw "The mapping has failed due to validation errors."

+Write-Output $batchMappingResponse

+### Set up a connection and map an existing team

+ Get-InstalledModule -Name "MicrosoftTeams" -MinimumVersion 5.2.0

+#List connector types available

+Write-Output "Listing connector types available"

+Write-Output $connectors

+$Ukg = $connectors | Where-Object {$_.Id -match $UkgId}

+if ($NULL -eq $Ukg) {

+ throw "UKG Dimensions not currently supported"

+}

+$WfmUserName = Read-Host -Prompt 'Input your UKG account username'

+$WfmPwd = Read-Host -Prompt 'Input your UKG account password' -AsSecureString

+Write-Output "Testing connection settings"

+$ConnectionName = Read-Host -Prompt 'Input connection name'

+ -Name $ConnectionName `

+if ($NULL -ne $testResult.Code) {

+ Write-Output $testResult

+Write-Output "Test complete, no conflicts found"

+#Create a connection

+Write-Output "Creating a connection"

+$ConnectionResponse = New-CsTeamsShiftsConnection `

+ -Name $ConnectionName `

+$ConnectionId = $ConnectionResponse.Id

+if ($null -ne $ConnectionId){

+ Write-Output "Successfully created connection"

+ throw "Connection creation failed"

+#Create a connection instance

+Write-Output "Creating a connection instance"

+$designatedActorName = Read-Host -Prompt "Input Microsoft 365 System Account (person@contoso.com)"

+$designator = Get-MgUser -UserId $designatedActorName

+$teamsUserId = $designator.Id

+$syncFreq = Read-Host -Prompt "Input sync frequency in minutes"

+$InstanceName = Read-Host -Prompt "Input connection instance name"

+#Read sync scenarios for connection instance

+function GetSyncScenarioSetting {

+ param (

+ $SettingName

+ )

+ $TwoWay = New-Object System.Management.Automation.Host.ChoiceDescription '&TwoWay', 'TwoWay'

+ $Disabled = New-Object System.Management.Automation.Host.ChoiceDescription '&Disabled', 'Disabled'

+ $FromWfmToShifts = New-Object System.Management.Automation.Host.ChoiceDescription '&FromWfmToShifts', 'FromWfmToShifts'

+ $options = [System.Management.Automation.Host.ChoiceDescription[]]($TwoWay, $Disabled, $FromWfmToShifts)

+ $result = $host.ui.PromptForChoice("Set sync scenario for $SettingName", "", $options, 0)

+ switch ($result)

+ {

+ 0 { return "TwoWay" }

+ 1 { return "Disabled" }

+ 2 { return "FromWfmToShifts" }

+ }

+$SyncScenarioOfferShiftRequest = GetSyncScenarioSetting "Offer Shift Request"

+$SyncScenarioOpenShift = GetSyncScenarioSetting "Open Shift"

+$SyncScenarioOpenShiftRequest = GetSyncScenarioSetting "Open Shift Request"

+$SyncScenarioShift = GetSyncScenarioSetting "Shift"

+$SyncScenarioSwapRequest = GetSyncScenarioSetting "Swap Request"

+$SyncScenarioTimeCard = GetSyncScenarioSetting "Time Card"

+$SyncScenarioTimeOff = GetSyncScenarioSetting "Time Off"

+$SyncScenarioTimeOffRequest = GetSyncScenarioSetting "Time Off Request"

+$SyncScenarioUserShiftPreference = GetSyncScenarioSetting "User Shift Preferences"

+#Read admin email list

+[psobject[]]$AdminEmailList = @()

+while ($true){

+ $AdminEmail = Read-Host -Prompt "Enter admin's email to receive error report"

+ $AdminEmailList += $AdminEmail

+ $title = 'Adding another email'

+ $question = 'Would you like to add another admin email?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+$InstanceResponse = New-CsTeamsShiftsConnectionInstance `

+ -ConnectionId $ConnectionId `

+ -ConnectorAdminEmail $AdminEmailList `

+ -DesignatedActorId $teamsUserId `

+ -Name $InstanceName `

+ -SyncFrequencyInMin $syncFreq `

+ -SyncScenarioOfferShiftRequest $SyncScenarioOfferShiftRequest `

+ -SyncScenarioOpenShift $SyncScenarioOpenShift `

+ -SyncScenarioOpenShiftRequest $SyncScenarioOpenShiftRequest `

+ -SyncScenarioShift $SyncScenarioShift `

+ -SyncScenarioSwapRequest $SyncScenarioSwapRequest `

+ -SyncScenarioTimeCard $SyncScenarioTimeCard `

+ -SyncScenarioTimeOff $SyncScenarioTimeOff `

+ -SyncScenarioTimeOffRequest $SyncScenarioTimeOffRequest `

+ -SyncScenarioUserShiftPreference $SyncScenarioUserShiftPreference

+$InstanceId = $InstanceResponse.id

+if ($null -ne $InstanceId){

+ Write-Output "Success"

+} else {

+ throw "Connector instance creation failed"

+}

+$mappings=@()

+ $TeamsTeamId = Read-Host -Prompt "Input the ID of the Teams team to be mapped"

+ #Clear schedule of the Teams team

+ Write-Host "Clear schedule of the existing team"

+ $entityTypeString = Read-Host -Prompt 'Input the entity types of clear schedule'

+ $Delimiters = ",", ".", ":", ";", " ", "`t"

+ $entityType = $entityTypeString -Split {$Delimiters -contains $_}

+ $entityType = $entityType.Trim()

+ $entityType = $entityType.Split('',[System.StringSplitOptions]::RemoveEmptyEntries)

+ Remove-CsTeamsShiftsScheduleRecord -TeamId $TeamsTeamId -ClearSchedulingGroup:$True -EntityType $entityType

+ #Retrieve the list of wfm locations

+ Write-Output "Listing the WFM team sites"

+ $WfmTeamIds = Get-CsTeamsShiftsConnectionWfmTeam -ConnectorInstanceId $InstanceId

+ Write-Output $WfmTeamIds

+ if (($NULL -ne $WfmTeamIds) -and ($WfmTeamIds.Count -gt 0)){

+ [System.String]$WfmTeamId = Read-Host -Prompt "Input the ID of WFM team you want to map"

+ }

+ else {

+ throw "The WfmTeamId list is null or empty"

+ }

+ #Retrieve the list of WFM users and their roles

+ Write-Output "Listing WFM users and roles"

+ $WFMUsers = Get-CsTeamsShiftsConnectionWfmUser -ConnectorInstanceId $InstanceId -WfmTeamId $WfmTeamId

+ Write-Output $WFMUsers

+ #Create a mapping of the existing team to the instance

+ Write-Host "Create a mapping of the existing team to the site"

+ $TimeZone = Read-Host -Prompt "Input the time zone of team mapping"

+ $mapping = @{

+ teamId = $TeamsTeamId

+ wfmTeamId = $WfmTeamId

+ timeZone = $TimeZone

+ }

+ $mappings += , $mapping

+ $title = 'Connecting another team'

+ $question = 'Would you like to connect another team?'

+ $choices = '&Yes', '&No'

+ $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1)

+ if ($decision -eq 1) {

+ break

+ }

+}

+$batchMappingResponse = New-CsTeamsShiftsConnectionBatchTeamMap -ConnectorInstanceId $InstanceId -TeamMapping @($mappings)

+if ($null -ne $batchMappingResponse.OperationId){

+ "The mapping has begun asynchronously. To query mapping results run Get-CsTeamsShiftsConnectionOperation with the operation Id."

+else {

+ throw "The mapping has failed due to validation errors."

+Write-Output $batchMappingResponse

+For help with Shifts connector cmdlets, including the cmdlets used in the scripts, search for **CsTeamsShiftsConnection** in the [Teams PowerShell cmdlet reference](/powershell/teams/intro). Here are links to some commonly used cmdlets, grouped by category:

+Connections

+- [New-CsTeamsShiftsConnection](/powershell/module/teams/new-csteamsshiftsconnection)

+- [Get-CsTeamsShiftsConnection](/powershell/module/teams/get-csteamsshiftsconnection)

+- [Update-CsTeamsShiftsConnection](/powershell/module/teams/update-csteamsshiftsconnection)

+WFM systems credentials

+- [Test-CsTeamsShiftsConnectionValidate](/powershell/module/teams/test-csteamsshiftsconnectionvalidate)

+Sync options for supported scenarios

+- [Get-CsTeamsShiftsConnectionConnector](/powershell/module/teams/get-csteamsshiftsconnectionconnector)

+Remove schedule data

+- [Remove-CsTeamsShiftsScheduleRecord](/powershell/module/teams/remove-csteamsshiftsschedulerecord)

+Connection instances

+User mapping and successful syncing

+Team mapping

+- [Get-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/get-csteamsshiftsconnectionteammap)

+- [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap)

+Operation ID

+- [Get-CsTeamsShiftsConnectionOperation](/powershell/module/teams/get-csteamsshiftsconnectionoperation)

+Error reports

+##### Manually map instances to teams

+##### Use a CSV file to map instances to teams

+1. On the **Mapping** page, choose **CSV upload tool**.

+2. Select **Download template** to get the CSV mapping file. The template will include a list of all your UKG Dimensions instances and their IDs. The top rows of your template will look like this:

+ |UKG Dimensions Instance ID |UKG Dimensions Instance Name |Team ID |Team Name |Time Zone |

+ ||||||

+ |Automatically pre-filled |Automatically pre-filled |Blank |Blank |Default*|

+ And the bottom rows of your template will look like this:

+ |UKG Dimensions Instance ID |UKG Dimensions Instance Name |Team ID |Team Name |Time Zone |

+ ||||||

+ |Blank |Blank |Automatically pre-filled |Automatically pre-filled |Default*|

+3. Choose a team that you want to map to a UKG Dimensions instance. Cut and paste the Team ID and Team Name from the bottom half of your template to be in line with the desired UKG Dimensions instance. A completed row of your template should look like this:

+ |UKG Dimensions Instance ID |UKG Dimensions Instance Name |Team ID |Team Name |Time Zone |

+ ||||||

+ |Automatically pre-filled |Automatically pre-filled |Team ID that you moved |Team Name that you moved |Default*|

+Repeat this for all your desired mappings.

+4. Enter the correct location in the Time Zone column if needed.

+>[!NOTE]

+>The wizard supports approximately 460 locations. If the specific location you chose isn't supported, you'll be shown an error in the wizard. Try using the closest city or major city within the same time zone.

+5. On the **Mapping** page, select **Browse** to find and upload your completed CSV file.

+6. Choose **Done** if your file has uploaded correctly. Otherwise, review the provided error report and upload a corrected file.

+7. Your new mappings will appear on the **Mappings** page.

+8. Choose **Next**.

+##### Manually map instances to teams

+##### Use a CSV file to map instances to teams

+1. On the **Mapping** page, choose **CSV upload tool**.

+2. Select **Download template** to get the CSV mapping file. The template will include a list of all your Blue Yonder WFM instances and their IDs. The top rows of your template will look like this:

+|Blue Yonder WFM Instance ID |Blue Yonder WFM Instance Name |Team ID |Team Name |Time Zone |

+||||||

+|Automatically pre-filled |Automatically pre-filled |Blank |Blank |Default*|

+And the bottom rows of your template will look like this:

+|Blue Yonder WFM Instance ID |Blue Yonder WFM Instance Name |Team ID |Team Name |Time Zone |

+||||||

+|Blank |Blank |Automatically pre-filled |Automatically pre-filled |Default*|

+3. Choose a team that you want to map to a Blue Yonder WFM instance. Cut and paste the Team ID and Team Name from the bottom half of your template to be in line with the desired Blue Yonder WFM instance. A completed row of your template should look like this:

+|Blue Yonder WFM Instance ID |Blue Yonder WFM Instance Name |Team ID |Team Name |Time Zone |

+||||||

+|Automatically pre-filled |Automatically pre-filled |Team ID that you moved |Team Name that you moved |Default*|

+Repeat this for all your desired mappings.

+4. Enter the correct location in the Time Zone column if needed.

+>[!NOTE]

+>The wizard supports approximately 460 locations. If the specific location you chose isn't supported, you'll be shown an error in the wizard. Try using the closest city or major city within the same time zone.

+5. On the **Mapping** page, select **Browse** to find and upload your completed CSV file.

+6. Choose **Done** if your file has uploaded correctly. Otherwise, review the provided error report and upload a corrected file.

+7. Your new mappings will appear on the **Mappings** page.

+8. Choose **Next**.

+ Title: "Understanding deployment insights in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolib

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn more about deployment insights."

+# Understanding deployment insights in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse provides deployment insights within and across the tenants you manage. Deployment insights are derived from a combination of signals that are either detected by Lighthouse or entered into Lighthouse by a user in the partner tenant. The single view enables you to:

+- Understand the deployment status across all tenants, users, and tasks

+- Review deployment exceptions such as **Dismissed** tasks and **Excluded** users

+- Review regressions such as tasks the change from a **Compliant** or **Dismissed** status to a status of **Not compliant** or **Not licensed**.

+- Quantify threats based on user- and task-level deployment progress

+- Prioritize deployment activities based on risk

+To access Deployment insights, in the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

+The Deployment insights page includes the following:

+- Tenant progress

+- User progress

+- Deployment insights based on tenants and tasks

+**Note:** The Deployment insights page measures deployment progress across all tenants that have an Onboarding Status of **Active**. By default, the deployment insights are filtered to display insights for all tenants but can be filtered by tenant tag.

+## Tenant progress

+The tenant progress graph measures deployment progress by tenant, reporting the status of each tenantsΓÇÖ deployment plans as either:

+- **Complete** ΓÇô the status of all deployment tasks is **Compliant** or **Dismissed**.

+- **Not complete** ΓÇô the status of for one or more of the deployment tasks is **Not compliant** or **Not licensed**.

+## User progress

+The user progress graph measures deployment progress by user, reporting users as either:

+- **Complete** ΓÇô the status for all deployment tasks is either **Compliant**, **Excluded**, or **Not targeted**.

+- **Not complete** ΓÇô the status for one or more of the deployment tasks is either **Not compliant** or **Not licensed**.

+## Deployment insights table

+The deployment insights table organizes information by tenant and task.

+The **Tenants** tab pivot can be filtered by deployment plan status and baseline. It provides the following information for each tenant:

+| **Column** | **Description** |

+|||

+| Tenant | The name of the tenant. |

+| Baseline | The baseline that is assigned to the tenant. |

+| Deployment plan status | The status of the deployment plan; either **Complete** or **Not complete**. |

+| Task progress | The number of total tasks that are in a state of completion; either **Compliant** or **Dismissed**. |

+| Dismissed tasks | The number of tasks that have been **Dismissed**. |

+| Not licensed tasks | The number of tasks for which the tenant is **Not licensed**. |

+| Regressed tasks | The number of tasks that have regressed from a state of completion (either **Compliant** or **Dismissed**) to a state of either **Not compliant** or **Not licensed**. |

+| User progress | The number of users for which all deployment tasks are either **Compliant**, **Excluded**, or **Not targeted**. |

+| Excluded users | The number of users that have a status of **Excluded** for one or more deployment tasks. |

+| Exclusions | The number of instances of a user having a status of **Excluded** across all deployment tasks. |

+To better understand deployment insights, here are a few examples for how different tenant configurations and deployment activities are reflected in the deployment insights table.

+In this example, all tenants have 100 users and have been assigned a baseline that includes 10 tasks:

+- A ΓÇô Complete, with no tasks that have been **Dismissed** and no users that have been **Excluded**

+- B ΓÇô Complete, with one task that has been **Dismissed**

+- C ΓÇô Complete, with 1 user **Excluded** from 1 task

+- D ΓÇô Complete, with 1 user **Excluded** from 5 tasks

+- E ΓÇô Complete, with 5 users **Excluded** from 1 task

+- F ΓÇô Complete, with 50 users **Excluded** from 5 tasks

+- G ΓÇô Complete, with 100 users **Excluded** from 10 tasks

+- H ΓÇô Not complete, with 1 user that is **Not compliant** for 1 task

+- I ΓÇô Not complete, with 1 task for which 100 users are **Not compliant**

+- J ΓÇô Not complete, with 1 task that has regressed to a state of **Not licensed**

+- K ΓÇô Not complete, with 1 newly detected user with a status of **Not Licensed** for all tasks

+- L ΓÇô Not complete, with 1 user with from which all licenses have been unassigned

+| Tenant | Baseline | Deployment plan status | Task progress | Dismissed tasks | Not licensed tasks | Regressed tasks | User progress | Users excluded | User exclusions |

+|--||||--|--|--||-|--|

+| A | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 0 | 0 |

+| B | Default baseline | Complete | 10/10 | 1 | 0 | 0 | 100/100 | 0 | 0 |

+| C | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 1 | 1 |

+| D | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 1 | 5 |

+| E | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 5 | 5 |

+| F | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 50 | 250 |

+| G | Default baseline | Complete | 10/10 | 0 | 0 | 0 | 100/100 | 100 | 1,000 |

+| H | Default baseline | Not complete | 9/10 | 0 | 0 | 0 | 99/100 | 0 | 0 |

+| I | Default baseline | Not complete | 9/10 | 0 | 0 | 0 | 0/100 | 0 | 0 |

+| J | Default baseline | Not complete | 9/10 | 0 | 1 | 1 | 0/100 | 0 | 0 |

+| K | Default baseline | Not complete | 0/10 | 0 | 0 | 10 | 99/100 | 0 | 0 |

+| L | Default baseline | Not complete | 0/10 | 0 | 0 | 10 | 99/100 | 0 | 0 |

+## Deployment insights details by tenant

+Selecting any tenant from the list opens the deployment insights details pane for that tenant, which provides the following information for each tenant:

+- Overview

+- Dismissed tasks

+- Excluded users

+- Required licenses

+**NOTE**: Deployment insights around dismissed tasks, excluded users, and required licenses are also available from the **Tenant** page.

+### Overview tab

+The **Overview** tab provides the status of each deployment task assigned to the tenant with the following information:

+| **Column** | **Description** |

+|-||

+| Tasks | The name of the task. |

+| Task Status | The status of the deployment task. |

+| User status | The number of users who have completed the task, who have been excluded from the task, or who haven't been targeted for the task. |

+### Dismissed tasks tab

+The **Dismissed tasks** tab provides details around tasks that have been dismissed from the deployment plan and allows you to reinstate tasks. The tab includes the following information:

+| **Column** | **Description** |

+||--|

+| Task | The name of the task. |

+| Reason | The reason provided for the dismissal of the task. |

+| Justification | The justification provided for the dismissal of the task. |

+### Excluded users tab

+The **Excluded users** tab provides details around users that have been excluded from a deployment task. This tab includes the following information:

+| **Column** | **Description** |

+|--|-|

+| Task with excluded users | The name of the task from which one or more users has been excluded. |

+| Excluded users | The names of each user that has been excluded. |

+### Required licenses tab

+The **Required licenses** tab provides details around deployment tasks for which one or more users requires additional licensing to complete the task. This tab includes the following information:

+| **Column** | **Description** |

+|-||

+| Tasks with not licensed users | The name of the task from which one or more users aren't licensed. |

+| Not licensed users | The name of each user who isn't licensed to complete the task. |

+## Deployment insights table by task

+To view deployment insights by task, select the **Tasks** tab. The **Tasks** tab can be filtered by baseline and category. It provides the following information for each tenant:

+| **Column** | **Description** |

+||--|

+| Task | The name of the task. |

+| Baseline | The baseline associated with the task. |

+| Assigned tenants | The number of tenants to which this task has been assigned. |

+| Compliant | The number of tenants in which the status of the task is **Compliant**. |

+| Not compliant | The number of tenants in which the status of the task is **Not compliant**. |

+| Dismissed | The number of tenants in which the status of the task is **Dismissed**. |

+| Not licensed | The number of tenants in which the status of the task is **Not licensed**. |

+Selecting any task from the list opens the deployment insights details pane for that task, which provides the following information:

+| **Column** | **Description** |

+|||

+| Tenant | The name of the tenant. |

+| Task status | The deployment status of the task for the tenant. |

+| Total users | The number of users who are assigned to the task. |

+| Compliant users | The number of users who are **Compliant**. |

+| Not compliant users | The number of users who are **Not compliant**. |

+| Excluded users | The number of users who are **Excluded** from this task. |

+| Not licensed users | The number of users who are **Not licensed** to complete the task. |

+| Not targeted users | The number of users who are **Not targeted** to complete this task. |

+## Next Steps

+For information on how to manage tenants using deployment insights, see [Manage deployments using insights in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenants-using-deployment-insights.md).

+## Related content

+[Overview of deployment tasks](m365-lighthouse-overview-deployment-task.md) (article)\

+[Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)\

+[Understand deployment statuses](m365-lighthouse-understand-deployment-statuses.md) (article)

+ Title: "Manage tenants using insights in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolib

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to manage tenants using insights."

+# Manage tenants using insights in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse provides deployment insights within and across the tenants you manage. The single view enables you to:

+- Understand the deployment status across all tenants, users, and tasks.

+- Review deployment exceptions such as **Dismissed** tasks and **Excluded** users.

+- Review regressions such as tasks the change from a **Compliant** or **Dismissed** status to a status of **Not compliant** or **Not licensed**.

+- Quantify threats based on user- and task-level deployment progress.

+- Prioritize deployment activities based on risk.

+## Manage deployment progress using deployment insights

+1. In the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

+2. On the **Deployment insights** page, review the following areas to gather insight on your tenantsΓÇÖ deployment progress.

+|Area |Description |

+|--|-|

+|Tenant progress | Provides deployment progress summary across all tenants. You can hover over the graph to see the number of tenants with deployment plans that are **Complete** and **Not complete**. Tenants for which all tasks are **Compliant** or **Dismissed** are **Complete**. Tenants for which one or more tasks are **Not compliant** or **Not Licensed**. |

+|User progress | Provides user deployment progress summary for all users. You can hover over the graph to the exact number of users that are **Complete** and **Not complete**. <br>Users for whom all tasks are **Compliant**, **Dismissed**, or **Not targeted** are **Complete**. Users for whom one or more assigned tasks is **Not compliant** or **Not Licensed**. |

+|Tenants tab | Provides detailed deployment progress for each tenant. You can use various data points from the table to determine the appropriate action. For example, the **Not licensed tasks** column indicates the number of tasks for which the tenant is not licensed. To resolve the issue, you can add a license or exclude the user from the task. The **Regressed tasks** column indicates a task status changed from a **Compliant** or **Dismissed** state. You can go to the specific tenant deployment plan and take the appropriate action. |

+|Tasks tab | Provides deployment progress for all tasks, including how many tenants the task is assigned to. For tasks that are **Not compliant** or **Not licensed**, you can take action to resolve the issue. |

+For additional solutions for common deployment issues, see [Deploying baselines](m365-lighthouse-faq.yml) section in Microsoft 365 Lighthouse frequently asked questions (FAQs).

+## Review regressed tasks

+1. In the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

+2. From the Tenants list, review tenants with regressed tasks indicated by the **Regressed tasks** column.

+3. Select the desired tenant to see specific regressed tasks.

+4. Select **View tenant deployment plan** to navigate you to the tenantΓÇÖs deployment plan.

+5. From the **Deployment plan** tab, select the regressed task from the list.

+6. Review the tenant's configuration and depending on the regression scenario, you can modify the deployment task, modify the tenant's configuration, modify the tenant's licensing, or dismiss the task to resolve the regression.

+## Audit deployment exceptions using deployment insights

+Every dismissed task and excluded user represent a potential threat. You can audit these exceptions to ensure they still meet your requirements.

+### Audit dismissed tasks

+1. In the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

+2. From the Tenants list, select the tenant with a dismissed task.

+3. From the tenant details pane, select the **Dismissed tasks** tab.

+4. From the list, review the reason and justification sections to determine if a task dismissal is still valid.

+5. If no longer valid, select the task from the list and then select **Reinstate**.

+### Audit excluded users

+1. In the left navigation pane in Lighthouse, select **Deployment \> Deployment insights**.

+2. From the Tenants list, select the tenant with an **Excluded** user.

+3. From the tenant details pane, select the **Excluded users** tab.

+4. From the task list, expand each task and determine if the listed user should still be **Excluded**.

+5. If a user should no longer be excluded, select **View tenant deployment plan**.

+6. From the tenantΓÇÖs **Deployment plan** tab, select the applicable deployment task.

+7. From the task details pane, select **Deploy**. The deployment wizard is launched.

+8. On the **Review deployment task** page, remove the user from the **Excluded users** field.

+9. Select **Next**.

+10. Select **Exit Wizard**.

+## Related content

+[Overview of deployment tasks](m365-lighthouse-overview-deployment-task.md) (article)\

+[Overview of using baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)\

+[Understand deployment statuses](m365-lighthouse-understand-deployment-statuses.md) (article)\

+[Microsoft 365 Lighthouse frequently asked questions (FAQs)](m365-lighthouse-troubleshoot.md) (article)

+By default, each task is designated as **Compliant**, **Not compliant**, or **Not licensed**. For a definition of deployment statuses, see [Understand deployment statuses in Microsoft 365 Lighthouse](m365-lighthouse-understand-deployment-statuses.md). You can deploy, dismiss, or reinstate tasks from this view.

+The task details pane provides an overview of the task, user progress information for the task, and a history of task status for the previous 30 days.

+The Overview tab provides the following information:

+The Detection history tab lists and shows a graphical view of each time Lighthouse has scanned the tenant to detect its configuration in the previous 30 days, providing the deployment status for the task and the number of users in each deployment status for each scan.

+> 4. In Defender for Business, automated investigation and response is turned on by default, tenant wide. Turning off automated investigation and response affects real-time protection. See [View settings for advanced features](mdb-portal-advanced-feature-settings.md#view-settings-for-advanced-features).

+- [Get Microsoft Defender for Business servers](get-defender-business-servers.md) for your Windows and Linux servers.

+- [Step 3: Assign security roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md).

+- [Step 4: Set up email notifications for your security team](mdb-email-notifications.md).

+ Title: Enable your attack surface reduction rules in Microsoft Defender for Business

+description: Get an overview of attack surface reduction capabilities, including ASR rules, in Microsoft Defender for Business

+# Enable your attack surface reduction rules in Microsoft Defender for Business

+To help protect your network and devices, Microsoft Defender for Business includes several attack surface reduction (ASR) capabilities, including ASR rules. This article describes how to set up your ASR rules and describes attack surface reduction capabilities.

+> [!NOTE]

+> Intune is not included in the standalone version of Defender for Business, but it can be added on.

+## Standard protection ASR rules

+There are lots of ASR rules available. You don't have to set them all up at once. And, you can set some rules up in audit mode just to see how they'll work for your organization, and change them to work in block mode later. That said, we recommend enabling the following standard protection rules as soon as possible:

+## Set up ASR rules using Intune

+## View your attack surface reduction report

+Defender for Business includes an attack surface reduction report that will show you how ASR rules are working for you.

+## Attack surface reduction capabilities in Defender for Business

+ASR rules are part of your attack surface reduction capabilities that are available in Defender for Business. The following table summarizes attack surface reduction capabilities in Defender for Business. Notice how other capabilities, such as next-generation protection and web content filtering, work together with your attack surface reduction capabilities.

+| Capability | How to set it up |

+|:|:|

+| **Attack surface reduction rules** <br/> Also referred to as ASR rules, attack surface reduction rules prevent specific actions that are commonly associated with malicious activity to run on Windows devices. | [Enable your standard protection ASR rules](#standard-protection-asr-rules) (section in this article). |

+| **Controlled folder access** <br/>Controlled folder access allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. | [Set up controlled folder access policy in Microsoft Defender for Business](mdb-controlled-folder-access.md). |

+| **Network protection** <br/>Network protection prevents people from accessing dangerous domains through applications on their Windows and Mac devices. Network protection is also a key component of [Web content filtering in Microsoft Defender for Business](mdb-web-content-filtering.md). | Network protection is already enabled by default when devices are onboarded to Defender for Business and [next-generation protection policies in Defender for Business](mdb-next-generation-protection.md) are applied. Your default policies are configured to use recommended security settings. |

+| **Web protection** <br/>Web protection integrates with web browsers and works with network protection to protect against web threats and unwanted content. Web protection includes web content filtering and web threat reports. | [Set up Web content filtering in Microsoft Defender for Business](mdb-web-content-filtering.md). |

+| **Firewall protection** <br/>Firewall protection determines what network traffic is permitted to flow to or from your organization's devices. | Firewall protection is already enabled by default when devices are onboarded to Defender for Business and [firewall policies in Defender for Business](mdb-firewall.md) are applied. |

+- [Review settings for advanced features and the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md).

+- [View reports](mdb-reports.md)

+ Title: Set up, review, and edit your security policies and settings in Microsoft Defender for Business

+# Set up, review, and edit your security policies and settings in Microsoft Defender for Business

+This article walks you through how to review, create, or edit your security policies, and how to navigate advanced settings in Defender for Business.

+When you're setting up (or maintaining) Defender for Business, an important part of the process includes reviewing your default policies, such as:

+- [Next-generation protection](mdb-next-generation-protection.md)

+- [Firewall protection](mdb-firewall.md)

+In addition to your default security policies, you can add other policies, such as:

+- [Web content filtering](mdb-web-content-filtering.md)

+- [Controlled folder access](mdb-controlled-folder-access.md)

+- [Attack surface reduction rules](mdb-asr.md)

+And, you can view and edit settings for advanced features, such as:

+- [Turning on (or off) advanced features](mdb-portal-advanced-feature-settings.md#view-settings-for-advanced-features);

+- [Specifying which time zone to use in the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md#view-and-edit-other-settings-in-the-microsoft-365-defender-portal); and

+- [Whether to receive preview features as they become available](mdb-preview.md#turn-on-preview-features).

+Before you begin setting up your security policies, you'll need to choose which portal you want to use. You can choose to use either the Microsoft 365 Defender portal or the Microsoft Intune admin center to onboard devices and create or edit security policies. The following table explains both options.

+| **Microsoft 365 Defender portal** | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings in Defender for Business. With a simplified configuration process, you can use the Microsoft 365 Defender portal to onboard devices, access your security policies and settings, use the [Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) in one place. <br/><br/>Note that currently, controlled folder access and attack surface reduction rules are set up and configured in the Microsoft Intune admin center. |

+| **Microsoft Intune admin center** | The Microsoft Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) lets you manage your workforce's devices and apps, including how they access your company data. You can onboard devices and access your security policies and settings in Intune. You can also use Intune to set up and configure attack surface reduction rules in Defender for Business. Intune is not included in the standalone version of Defender for Business, but it can be added on. <br/><br/>If your company has been using Intune, you can choose to continue using it to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) |

+If you're using Intune, and you attempt to view or edit security policies in the Microsoft 365 Defender portal by going to **Configuration management** > **Device configuration**, you'll be prompted to choose whether to continue using Intune, or switch to using the Microsoft 365 Defender portal instead, as shown in the following screenshot:

+Note that in the preceding image, **Use Defender for Business configuration instead** refers to using the Microsoft 365 Defender portal, with a simplified configuration experience designed for small and medium-sized businesses. If you opt to use the Microsoft 365 Defender portal, you must delete any existing security policies in Intune to avoid policy conflicts. For more details, see [I need to resolve a policy conflict](/microsoft-365/security/defender-business/mdb-troubleshooting#i-need-to-resolve-a-policy-conflict).

+> If you're managing your security policies in the Microsoft 365 Defender portal, you can view those policies in the Intune admin center, where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the Intune admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.

+1. [Review or edit your next-generation protection policies](mdb-next-generation-protection.md) to apply antivirus/antimalware protection, and enable network protection.

+2. [Review or edit your firewall policies](mdb-firewall.md).

+3. [Set up your web content filtering policy](mdb-web-content-filtering.md) and enable web protection automatically.

+4. [Set up your controlled folder access policy](mdb-controlled-folder-access.md) for ransomware protection.

+5. [Enable your attack surface reduction rules](mdb-asr.md).

+6. [Review settings for advanced features and the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md).

+ Title: Set up or edit your controlled folder access policy in Microsoft Defender for Business

+description: Get an overview of attack surface reduction capabilities in Microsoft Defender for Business

+ms.localizationpriority: medium

+- m365-security

+- tier1

+search.appverid: MET150

+f1.keywords: NOCSH

+audience: Admin

+# Set up or edit your controlled folder access policy in Microsoft Defender for Business

+Controlled folder access allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. You can set up or edit your controlled folder access policy in Microsoft Intune.

+> [!NOTE]

+> Intune is not included in the standalone version of Defender for Business, but it can be added on.

+## Set up controlled folder access

+1. As a global administrator, in the Microsoft Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)), go to **Endpoint security** > **Attack surface reduction**.

+2. Select an existing policy, or choose **Create policy** to create a new policy.

+ - For **Platform**, choose **Windows 10 and later**.

+ - For Profile, select **Attack Surface Reduction Rules**, and then choose **Create**.

+3. Set up your policy as follows:

+ 1. Specify a name and description, and then choose **Next**.

+

+ 2. Scroll down, and set **Enable Controlled Folder Access** to **Enabled**. Then choose **Next**.

+ 3. On the **Scope tags** step, choose **Next**.

+ 4. On the **Assignments** step, choose the users or devices to receive the rules, and then choose **Next**. (We recommend selecting **Add all devices**.)

+ 5. On the **Review + create** step, review the information, and then choose **Create**.

+To learn more about controlled folder access, see [Protect important folders with controlled folder access](../defender-endpoint/controlled-folders.md).

+## Next steps

+- [Enable your attack surface reduction rules](mdb-asr.md)

+- [Review settings for advanced features and the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md).

+9. On the **Configuration settings** page, review and edit settings as needed, and then choose **Next**. For more information about these settings, see [Configuration settings](mdb-next-generation-protection.md).

+- [Step 6: Set up, review, and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)

+- [How to view or edit your firewall policies and custom rules](#view-or-edit-your-firewall-policies-and-custom-rules)

+## View or edit your firewall policies and custom rules

+Depending on whether you're using the Microsoft 365 Defender portal or Intune to manage your firewall protection, use one of the following procedures.

+| Portal | Procedure |

+|:|:|

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.<br/>2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.<br/>3. Select an operating system tab (such as **Windows clients**).<br/>4. Expand **Firewall** to view your list of policies.<br/>5. Select a policy to view the details. <br/><br/>To make changes or to learn more about policy settings, see the following articles:<br/>- [View or edit device policies](mdb-view-edit-policies.md)<br/>- [Firewall settings](mdb-firewall.md)<br/>- [Manage your custom rules for firewall policies](mdb-firewall.md) |

+| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |1. Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.<br/>2. Select **Endpoint security**.<br/>3. Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies. <br/><br/>For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).|

+## Manage your custom rules for firewall policies in Microsoft Defender for Business

+You can use custom rules to define exceptions for your firewall policies. That is, you can use custom rules to block or allow specific connections.

+### Create a custom rule for a firewall policy

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

+3. In the **Firewall** section, select an existing policy, or add a new policy.

+4. On the **Configuration settings** step, review the settings. Make any needed changes to **Domain network**, **Public network**, and **Private network**.

+5. To create a custom rule, follow these steps:

+ 1. Under **Custom rules**, choose **+ Add rule**. (You can have up to 150 custom rules.)

+ 2. On the **Create new rule** flyout, specify a name and description for the rule.

+ 3. Select a profile. (Your options include **Domain network**, **Public network**, or **Private network**.)

+ 4. In the **Remote address type** list, select either **IP** or **Application file path**.

+ 5. In the **Value** box, specify an appropriate value. Depending on what you selected in step 6d, you might specify an IP address, an IP address range, or an application file path. (See [Firewall settings](mdb-firewall.md).)

+ 6. On the **Create new rule** flyout, select **Create rule**.

+6. On the **Configuration settings** screen, choose **Next**.

+7. On the **Review your policy** screen, review the changes that were made to firewall policy settings. Make any needed changes, and then choose **Create policy**.

+### Edit a custom rule for a firewall policy

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

+3. In the **Firewall** section, select an existing policy, or add a new policy.

+4. Under **Custom rules**, review the list of rules.

+5. Select a rule, and then choose **Edit**. Its flyout opens.

+6. To edit your custom rule, follow these steps:

+ 1. On the **Edit rule** flyout, review and edit the rule's name and description.

+ 2. Review and if necessary, edit the rule's profile. (Your options include **Domain network**, **Public network**, or **Private network**.)

+ 3. In the **Remote address type** list, select either **IP** or **Application file path**.

+ 4. In the **Value** box, specify an appropriate value. Depending on what you selected in step 6c, you might specify an IP address, an IP address range, or an application file path. (See [Firewall settings](mdb-firewall.md).)

+ 5. Set **Enable rule** to **On** to make the rule active. Or, to disable the rule, set the switch to **Off**.

+ 6. On the **Edit rule** flyout, select **Update rule**.

+7. On the **Configuration settings** screen, choose **Next**.

+8. On the **Review your policy** screen, review the changes that were made to firewall policy settings. Make any needed changes, and then choose **Create policy**.

+### Delete a custom rule

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Go to **Endpoints** > **Device configuration**, and review the list of policies.

+3. In the **Firewall** section, select an existing policy, or add a new policy.

+4. Under **Custom rules**, review the list of rules.

+5. Select a rule, and then choose **Delete**. Its flyout opens.

+6. On the confirmation screen, choose **Delete**.

+In Defender for Business, you can define exceptions to block or allow incoming connections. You define these exceptions by creating [custom rules](#manage-your-custom-rules-for-firewall-policies-in-microsoft-defender-for-business).

+| **Custom rules** | [Custom rules](mdb-firewall.md) let you block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network except for connections through a specific app on a device. In this case, you'd set **Private network** to block all incoming connections, and then add a custom rule to define the exception. <p>You can use custom rules to define exceptions for specific files or apps, an Internet protocol (IP) address, or a range of IP addresses. Depending on the type of custom rule you're creating, here are some examples of values you could use: <br/>- Application file path: `C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe` <br/>- IP: A valid IPv4/IPv6 address, such as `192.168.11.0` or `192.168.1.0/24` <br/>- IP: A valid IPv4/IPv6 address range, formatted like `192.168.1.0-192.168.1.9` (with no spaces included) |

+- [Manage firewall settings in Defender for Business](mdb-firewall.md)

+| **Web Protection** <br/>Anti-phishing, blocking unsafe network connections, and support for custom indicators. <br/>Web protection is turned on by default with [web content filtering](mdb-web-content-filtering.md). | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

+| **Network Protection** <br/>Protection against rogue Wi-Fi related threats and rogue certificates. <br/>Network protection is turned on by default with [next-generation protection](mdb-next-generation-protection.md). <br/>As part of mobile threat defense, network protection also includes the ability to allow root certification authority and private root certification authority certificates in Intune. It also establishes trust with endpoints. | See note 2 (below) | See note 2 (below) |

+3. Review, and if necessary, edit your [next-generation protection policies](mdb-next-generation-protection.md).

+4. Review, and if necessary, edit your [firewall policies and custom rules](mdb-firewall.md).

+5. Review, and if necessary, edit your [web content filtering](mdb-web-content-filtering.md) policy.

+ Title: Review or edit your next-generation protection policies Microsoft Defender for Business

+description: Learn how to view and edit your next-generation protection policies in Defender for Business. These policies pertain to antivirus and anti-malware protection.

+search.appverid: MET150

+audience: Admin

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+- SMB

+- m365-security

+- tier1

+# Review or edit your next-generation protection policies in Microsoft Defender for Business

+In Defender for Business, next-generation protection includes robust antivirus and antimalware protection for computers and mobile devices. Default policies with recommended settings are included in Defender for Business. The default policies are designed to protect your devices and users without hindering productivity. However, you can customize your policies to suit your business needs.

+You can choose from several options for managing your next-generation protection policies:

+- Use the Microsoft 365 Defender portal at [https://security.microsoft.com](https://security.microsoft.com) (recommended if you're using the standalone version of Defender for Business without Intune); or

+- Use the Microsoft Intune admin center at [https://intune.microsoft.com](https://intune.microsoft.com) (available if your subscription includes Intune)

+## [**Microsoft 365 Defender portal**](#tab/M365D)

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

+2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.

+3. Select an operating system tab (such as **Windows clients**).

+4. Expand **Next-generation protection** to view your list of policies.

+5. Select a policy to view more details about the policy, and make any needed changes.

+ To make changes or to learn more about policy settings, see the following articles:

+

+ - [View or edit device policies](mdb-view-edit-policies.md)

+ - [Understand next-generation configuration settings](mdb-next-generation-protection.md)

+## [**Intune admin center**](#tab/Intune)

+1. Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.<

+2. Select **Endpoint security**.

+3. Select **Antivirus** to view your policies in that category.

+4. Select an individual policy to edit it.

+ For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).

+## Next-generation protection settings and options

+The following table lists settings and options for next-generation protection in Defender for Business.

+| Setting | Description |

+|:|:|

+| **Real-time protection** | |

+| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.* When real-time protection is turned on, it configures the following settings: <br/>- Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).<br/> - All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).<br/> - Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)). |

+| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<br/><br/>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus: <br/>- Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).<br/> - The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)). <br/>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |

+| **Turn on network protection** | When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<br/><br/>Network protection can be set to the following modes: <br/>- **Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*<br/> - **Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.<br/> - **Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites. |

+| **Remediation** | |

+| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. PUA protection blocks items that are detected as PUA. You can set PUA protection to the following modes: <br/>- **Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*<br/> - **Audit mode** takes no action on items detected as PUA.<br/> - **Disabled** doesn't detect or take action on items that might be PUA. |

+| **Scan** | |

+| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options: <br/>- **Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.* <br/> - **Fullscan** checks all files and folders on a device.<br/> - **Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.) <br/> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |

+| **Day of week to run a scheduled scan** | Select a day for your regular, weekly antivirus scans to run. |

+| **Time of day to run a scheduled scan** | Select a time to run your regularly scheduled antivirus scans to run. |

+| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. **Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus: <br/>- Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).<br/> - Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).<br/> - If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).<br/> - If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).<br/> - Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)). |

+| **User experience** | |

+| **Allow users to access the Windows Security app** | Turn on this setting to enable users to open the Windows Security app on their devices. Users won't be able to override settings that you configure in Defender for Business, but they'll be able to run a quick scan or view any detected threats. |

+| **Antivirus exclusions** | Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. *In general, you shouldn't need to define exclusions.* Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files. [Learn more about exclusions](../defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md). |

+| **Process exclusions** | Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. [Learn more about process exclusions](../defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). |

+| **File extension exclusions** | File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus. [Learn more about file extension exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |

+| **File and folder exclusions** | File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. [Learn more about file and folder exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |

+## Other preconfigured settings in Defender for Business

+The following security settings are preconfigured in Defender for Business:

+- Scanning of removable drives is turned on ([AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)).

+- Daily quick scans don't have a preset time ([ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime)).

+- Security intelligence updates are checked before an antivirus scan runs ([CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan)).

+- Security intelligence checks occur every four hours ([SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval)).

+## How default settings in Defender for Business correspond to settings in Microsoft Intune

+The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Intune. If you're using the [simplified configuration process in Defender for Business](mdb-setup-configuration.md), you don't need to edit these settings.

+| Setting | Description |

+|||

+| [Cloud protection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, [AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) is turned on. [Learn more about cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md). |

+| [Monitoring for incoming and outgoing files](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) | To monitor incoming and outgoing files, [RealTimeScanDirection](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) is set to monitor all files. |

+| [Scan network files](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) | By default, [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) isn't enabled, and network files aren't scanned. |

+| [Scan email messages](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) | By default, [AllowEmailScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) isn't enabled, and email messages aren't scanned. |

+| [Number of days (0-90) to keep quarantined malware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) | By default, the [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) setting is set to zero (0) days. Artifacts that are in quarantine aren't removed automatically. |

+| [Submit samples consent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | By default, [SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) is set to send safe samples automatically. Examples of safe samples include `.bat`, `.scr`, `.dll`, and `.exe` files that don't contain personally identifiable information (PII). If a file does contain PII, the user receives a request to allow the sample submission to proceed. [Learn more about cloud protection and sample submission](../defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md). |

+| [Scan removable drives](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) | By default, [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) is configured to scan removable drives, such as USB thumb drives on devices. [Learn more about antimalware policy settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#list-of-antimalware-policy-settings). |

+| [Run daily quick scan time](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) | By default, [ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) is set to 2:00 AM. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings). |

+| [Check for signature updates before running scan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) | By default, [CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) is configured to check for security intelligence updates prior to running antivirus/antimalware scans. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/microsoft-defender-antivirus-updates.md#security-intelligence-updates). |

+| [How often (0-24 hours) to check for security intelligence updates](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) | By default, [SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) is configured to check for security intelligence updates every four hours. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/microsoft-defender-antivirus-updates.md#security-intelligence-updates). |

+## Next steps

+- [Set up your firewall policies](mdb-firewall.md) and [custom rules for firewall policies](mdb-firewall.md).

+- [Set up your web content filtering policy](mdb-web-content-filtering.md) and enable web protection automatically.

+- [Set up your controlled folder access policy](mdb-controlled-folder-access.md) for ransomware protection.

+- [Enable your attack surface reduction rules](mdb-asr.md).

+- [Review settings for advanced features and the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md).

+- [Use your vulnerability management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md)

+Defender for Business includes [predefined policies](mdb-view-edit-create-policies.md#default-policies-in-defender-for-business) to help ensure the devices your employees use are protected. Your security team can [add new policies](mdb-view-edit-create-policies.md#create-a-new-policy) as well.

+For example, suppose that your security team wants to apply certain settings to some devices, and different settings to other devices. You can do that by adding policies, such as additional next-generation protection policies or firewall policies. As policies are added, policy order comes into play.

+When policies are added, an order of priority is assigned to all of the policies in the group, as shown in the following screenshot:

+The **Order** column lists the priority for each policy. Predefined policies move down in the order of priority when new policies are added. You can edit the order of priority for the policies that you define (select a policy, and then choose **Change order**). You can't change the order of priority for default policies.

+For example, suppose that for your Windows client devices, you have three next-generation protection policies. In this case, your default policy is number 3 in priority. You can change the order of your policies that are numbered 1 and 2, but the default policy will remain number 3 in your list.

+**The important thing to remember about multiple policies is that devices will receive the first applied policy only.** Referring to our earlier example of three next-generation policies, suppose that you have devices that are targeted by all three policies. In this case, those devices receive policy number 1, but won't receive policies numbered 2 and 3.

+- Policies are assigned an order of priority automatically.

+- You can change the order of priority for policies that are added, but not for default policies.

+- Default policies are given the lowest order of priority as new policies are added.

+- Devices receive the first applied policy only, even if those devices are included in multiple policies.

+## See also

+- [Set up, review, and edit your security policies and settings](mdb-configure-security-settings.md)

+- [View or edit policies](mdb-view-edit-create-policies.md)

+- [Onboard devices](mdb-onboard-devices.md)

+ Title: Review and edit settings in Microsoft Defender for Business

+description: View and edit settings for the Microsoft 365 Defender portal and advanced features in Defender for Business

+search.appverid: MET150

+audience: Admin

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+ - SMB

+ - m365-security

+ - m365solution-mdb-setup

+ - highpri

+ - tier2

+# Review and edit settings in Microsoft Defender for Business

+You can view and edit settings, such as portal settings and advanced features, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Use this article to get an overview of the various settings that are available and how to edit your Defender for Business settings.

+## View settings for advanced features

+In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features**.

+The following table describes advanced feature settings.

+| Setting | Description |

+|:|:|

+| **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |

+| **Live Response** | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |

+| **Live Response for Servers** | (This setting is currently not available in Defender for Business.) |

+| **Live Response unsigned script execution** | (This setting is currently not available in Defender for Business.) |

+| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |

+| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) turned on.<br/><br/>Blocking a file prevents it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |

+| **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |

+| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<br/>- Disable virus and threat protection<br/>- Disable real-time protection<br/>- Turn off behavior monitoring<br/>- Disable cloud protection<br/>- Remove security intelligence updates<br/>- Disable automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |

+| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |

+| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |

+| **Web content filtering**<br/>(turned on by default) | Blocks access to websites that contain unwanted content and tracks web activity across all domains. See [Set up web content filtering](mdb-web-content-filtering.md). |

+| **Microsoft Intune connection**<br/>(we recommend you turn on this setting if you have Intune) | If your organization's subscription includes Microsoft Intune (included in [Microsoft 365 Business Premium](../../business/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |

+| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |

+| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |

+## View and edit other settings in the Microsoft 365 Defender portal

+In addition to security policies applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices.

+> [!NOTE]

+> You might see more settings in your tenant than are listed in this article. This article highlights the most important settings that you should review in Defender for Business.

+### Settings to review for Defender for Business

+The following table describes settings you can view and edit in Defender for Business:

+| Category | Setting | Description |

+|:|:|:|

+| **Security center** | **Time zone** | Select the time zone to use for the dates and times displayed in incidents, detected threats, and automated investigation and remediation. You can either use UTC or your local time zone (*recommended*). |

+| **Microsoft 365 Defender** | **Account** | View details such where your data is stored, your tenant ID, and your organization (org) ID. |

+| **Microsoft 365 Defender** | **Preview features** | Turn on preview features to try upcoming features and new capabilities. You can be among the first to preview new features and provide feedback. |

+| **Endpoints** | **Email notifications** | Set up or edit your email notification rules. When vulnerabilities are detected or an alert is created, the recipients specified in your email notification rules will receive an email. [Learn more about email notifications](mdb-email-notifications.md). |

+| **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

+| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business. When you offboard a device, it no longer sends data to Defender for Business, but data received prior to offboarding is retained. To learn more, see [Offboarding a device](mdb-offboard-devices.md). |

+### Access your settings in the Microsoft 365 Defender portal

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), and sign in.

+2. Select **Settings**, and then select a category (such as **Security center**, **Microsoft 365 Defender**, or **Endpoints**).

+3. In the list of settings, select an item to view or edit.

+- Proceed to [Step 4: Set up email notifications for your security team](mdb-email-notifications.md).

+- [Step 5: Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md)

+After reading this article, proceed to:

+1. [Get Microsoft Defender for Business](get-defender-business.md) and [Microsoft Defender for Business servers](get-defender-business-servers.md).

+2. [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md).

+After you have set up and configured Defender for Business, your next steps are to:

+In Defender for Business, security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business includes several preconfigured policies to help protect your company's devices as soon as they are onboarded. There are other types of policies you can create as well (see [Set up, review, and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)).

+This article describes how to view, edit, and create security policies in Defender for Business.

+**This article includes**:

+- [A list of default policies that are included in Defender for Business](#default-policies-in-defender-for-business) (Next-generation protection and firewall)

+- [Additional policies that can be set up in Defender for Business](#policies-to-set-up-in-defender-for-business) (Web content filtering, controlled folder access, and attack surface reduction rules)

+- [How to view existing policies](#view-your-existing-policies)

+- [How to edit an existing policy](#edit-an-existing-policy)

+- [How to create a new policy](#create-a-new-policy)

+In Defender for Business, there are two main types of default policies that are designed to protect your company's devices as soon as they're onboarded:

+- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured; and

+- **Firewall policies**, which determine what network traffic is permitted to flow to and from your company's devices.

+[Next-generation protection](mdb-next-generation-protection.md) includes robust antivirus and antimalware protection for computers and mobile devices. The default policies are designed to protect your devices and users without hindering productivity. However, you can customize your policies to suit your business needs. For more details, see [Review or edit your next-generation protection policies](mdb-next-generation-protection.md).

+[Firewall policies](mdb-firewall.md) help secure devices by establishing rules that determine what network traffic is permitted to flow to and from devices. You can use firewall protection to specify whether to allow or to block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company's internal network, but prevent connections when the device is on a network with untrusted devices. For more details, see [Firewall](mdb-firewall.md).

+## Policies to set up in Defender for Business

+In addition to next-generation protection and firewall policies, there are three other types of policies to configure for the best protection with Defender for Business:

+- **Web content filtering**, which turns on web protection for your organization.

+- **Controlled folder access**, which is an important part of ransomware protection (Intune is required to set up and manage)

+- **Attack surface reduction rules**, which help reduce device vulnerability (Intune is required to set up and manage)

+[Web content filtering](mdb-web-content-filtering.md), which enables your security team to track and regulate access to websites based on content categories. Examples of categories include adult content, high bandwidth content, and legal liability content. When you set up your web content filtering policy, you enable web protection for your organization. For more information, see [Web content filtering](mdb-web-content-filtering.md).

+[Controlled folder access](mdb-controlled-folder-access.md) allows only trusted apps to access protected folders on Windows devices. Think of this capability as ransomware mitigation. You can set up or edit your controlled folder access policy in Microsoft Intune. For more information, see [Set up or edit your controlled folder access policy](mdb-controlled-folder-access.md).

+[Attack surface reduction rules](mdb-asr.md) target certain software behaviors that are often considered risky because they're commonly abused by attackers through malware. Examples of such behaviors include launching executable files and scripts that attempt to download or run files. Attack surface reduction rules can constrain software-based risky behaviors, and help keep your organization safe. At a minimum, we recommend configuring standard protection rules to help protect your network without causing disruption for users. For more information, see [Enable your attack surface reduction rules in Microsoft Defender for Business](mdb-asr.md).

+> [!NOTE]

+> Intune is required to configure [controlled folder access](mdb-controlled-folder-access.md) and [attack surface reduction rules](mdb-asr.md). Intune is not included in the standalone version of Defender for Business, but can be added on to your subscription.

+You can view your existing policies in either Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) (if you're using Intune).

+## [**Microsoft 365 Defender portal**](#tab/M365D)

+2. In the navigation pane, choose **Configuration management** > **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

+3. Select an operating system tab (for example, **Windows clients**), and then review the list of policies under each category (such as **Next-generation protection** and **Firewall**).

+## [**Intune admin center**](#tab/intune)

+1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

+2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

+3. Any existing policies are listed for the category you selected. To view more details about a policy, select its name.

+You can view your existing policies in either Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or the Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) (if you're using Intune).

+## [**Microsoft 365 Defender portal**](#tab/M365D)

+ - To set up a new device group, select **Create new group**, and then set up your device group. (To get help with this task, see [Device groups](mdb-create-edit-device-groups.md).)

+ - [Understand next-generation configuration settings](mdb-next-generation-protection.md)

+## [**Intune admin center**](#tab/intune)

+1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

+2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

+3. Existing policies are listed. Select a policy to view more details about it.

+4. Next to **Configuration settings**, choose **Edit**.

+ To get help with this task, see [Edit a policy in Intune](/mem/intune/protect/endpoint-security-policy#to-edit-a-policy).

+## [**Microsoft 365 Defender portal**](#tab/M365D)

+ To learn more about device groups, see [Device groups](mdb-create-edit-device-groups.md).

+8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Configuration settings for Defender for Business](mdb-next-generation-protection.md).

+## [**Intune admin center**](#tab/intune)

+1. Go to the Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com)) and sign in.

+2. In the navigation pane, select **Endpoint security**, and then choose a category, such as **Antivirus**, **Firewall**. or **Attack surface reduction**.

+3. Select **+ Create Policy**.

+ - If your policy is for Windows devices, in the **Platform** list, choose **Windows 10, Windows 11, and Windows Server**.

+ - If your policy is for Mac, in the **Platform** list, choose **macOS**.

+4. In the **Profile** list, select a profile, and then choose **Create**.

+ The **Profile** list varies depending on what you selected for **Platform**, as summarized in the following table:

+ | Platform | Profile | Description |

+ ||||

+ | Windows 10, Windows 11, and Windows Server | Microsoft Defender Antivirus exclusions | Select this template to define [exclusions for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions#microsoft-defender-antivirus-exclusions). |

+ | Windows 10, Windows 11, and Windows Server | Microsoft Defender Antivirus | Select this template to set up your [next-generation protection policy](mdb-next-generation-protection.md). |

+ | Windows 10, Windows 11, and Windows Server | Windows Security Experience | Select this template to turn on [tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md) and to configure what users can see or do with the Windows Security app on their computer. |

+ | macOS | Antivirus | Select this template to set up your [next-generation protection policy](mdb-next-generation-protection.md) for devices running macOS. |

+ | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall | Select this template to set up your [firewall protection policy](mdb-firewall.md). |

+ | Windows 10, Windows 11, and Windows Server | Microsoft Defender Firewall Rules | Select this template to set up exceptions to your firewall policy. These exceptions are defined through [custom rules](mdb-firewall.md#manage-your-custom-rules-for-firewall-policies-in-microsoft-defender-for-business). |

+ | Windows 10, Windows 11, and Windows Server | Attack Surface Reduction Rules | Select this template to set up [attack surface reduction rules](mdb-asr.md) or [controlled folder access](mdb-controlled-folder-access.md). |

+5. Use the wizard to set up your policy. To get help, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy).

+## See also

+- [Understand policy order](mdb-policy-order.md)

+- [Set up your security policies and settings](mdb-configure-security-settings.md)

+ Title: Set up web content filtering in Microsoft Defender for Business

+description: Learn how to set up, view, and edit your web content filtering policy in Microsoft Defender for Business.

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+- SMB

+- m365-security

+- tier1

+search.appverid: MET150

+audience: Admin

+# Web content filtering in Microsoft Defender for Business

+Web content filtering enables your security team to track and regulate access to websites based on content categories. When you set up your web content filtering policy, you enable web protection for your organization.

+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information, see [Prerequisites for web content filtering](../defender-endpoint/web-content-filtering.md#prerequisites).

+## Set up web content filtering

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Settings** > **Web content filtering** > **+ Add policy**.

+2. Specify a name and description for your policy.

+3. Select the categories to block. Use the expand icon to fully expand each parent category, and then select specific web content categories. To set up an audit-only policy that doesn't block any websites, don't select any categories.

+ Don't select **Uncategorized**.

+4. Specify the policy scope by selecting device groups to apply the policy to. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.

+5. Review the summary and save the policy. The policy refresh might take up to two hours to apply to your selected devices.

+> [!TIP]

+> To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).

+## Categories for web content filtering

+Not all websites in these categories are malicious, but they could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns. You can create an audit-only policy to get a better understanding of whether your security team should block any website categories.

+The following table describes web content categories you can choose for your web content filtering policy:

+| Category | Description |

+|:|:|

+| **Adult content** | Sites that are related to cults, gambling, nudity, pornography, sexually explicit material, or violence |

+| **High bandwidth** | Download sites, image sharing sites, or peer-to-peer hosts |

+| **Legal liability** | Sites that include child abuse images, promote illegal activities, foster plagiarism or school cheating, or that promote harmful activities |

+| **Leisure** | Sites that provide web-based chat rooms, online gaming, web-based email, or social networking |

+| **Uncategorized** | Sites that have no content or that are newly registered |

+## Next steps

+- [Set up controlled folder access](mdb-controlled-folder-access.md)

+- [Enable your attack surface reduction rules](mdb-asr.md).

+- [Review settings for advanced features and the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md).

+- [Next-generation protection policies](mdb-next-generation-protection.md) which determine antivirus and antimalware protection for your company's devices

+- [Firewall protection and rules](mdb-firewall.md) which determine what network traffic is allowed to flow to and from your company's devices

+- [Web content filtering](mdb-web-content-filtering.md) which prevents people from visiting certain websites (URLs) based on categories, such as adult content or legal liability

+- [Advanced features](mdb-portal-advanced-feature-settings.md#view-settings-for-advanced-features) such as automated investigation and response and endpoint detection and response (EDR) in block mode

+The following table summarizes at a high level what's included in Microsoft endpoint security plans.

+| [Defender for Business](../defender-business/mdb-overview.md) | [Services optimized for small and medium-sized businesses](../defender-business/compare-mdb-m365-plans.md) include: <br/>- Antispam protection<br/>- Antimalware protection<br/>- Next-generation protection<br/>- Attack surface reduction<br/>- Endpoint detection and response<br/>- Automated investigation and response <br/>- Vulnerability management<br/>- Centralized reporting<br/>- APIs (for integration with custom apps or reporting solutions)<br/>- [Integration with Microsoft 365 Lighthouse](../defender-business/mdb-lighthouse-integration.md) |

+> [Mixed-licensing scenarios](#mixed-licensing-scenarios) in Defender for Endpoint are now in preview! You can manage your subscription settings to use a combination of Defender for Endpoint Plan 1 and Plan 2 licenses across devices. See [Manage Microsoft Defender for Endpoint subscription settings across client devices (preview!)](defender-endpoint-subscription-settings.md).

+>

+Application|Machine.Read.All|Read all machine profiles

+Application|Machine.ReadWrite.All|Read and write all machine information

+> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-is-tamper-protection) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use [Intune](manage-tamper-protection-intune.md) and Configuration Manager to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).

+> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use Intune and [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](#tamper-protection-for-antivirus-exclusions).

+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or later).

+- Devices must be using anti-malware platform version `4.18.1906.3` (or above) and anti-malware engine version `1.1.15500.X` (or later). (See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).)

+- Your Intune and Defender for Endpoint tenants must share the same Azure Active Directory infrastructure.

+If your organization has [exclusions defined for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md), tamper protection protects those exclusions, provided all of the following conditions are met:

+- Tamper protection is deployed through Intune, and devices are managed in Intune only.

+You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled. The following procedure describes how to view, but not change, tamper protection status.

+1. On a Windows device open Registry Editor. (Read-only mode is fine; you're not editing the registry key.)

+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.

+### 20230503.1

+- Defender package version: **20230503.1**

+- Security intelligence version: **1.389.44.0**

+- Engine version: **1.1.20300.3**

+- Platform version: **4.18.2304.8**

+#### Fixes

+- None

+#### Additional information

+- None

+When tamper protection is turned on, tamper-protected settings can't be changed.

+> When tamper protection is turned on, the tamper-protected settings listed above cannot be changed. To avoid breaking management experiences, including [Intune](manage-tamper-protection-intune.md) and [Configuration Manager](manage-tamper-protection-configuration-manager.md), keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use Intune and Configuration Manager to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can [change tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).

+1. Ignore the `/etc/cron.d` directory, you will see `/etc/cron.daily, hourly, monthly, and weekly`.

+- **Custom time range picker:** You can choose a timeframe to focus your investigation on the last 24 hours, the last 3 days and so on. Or you can choose a specific timeframe by clicking on **Custom range**. For example:

+ 

+

+- **Timeline filters:** In order to improve your investigation experience, you can use the timeline filters: Type (Alerts and/or user's related activities), Alert severity, Activity type, App, Location, Protocol. Each filter depends on the others, and the options in each filter (drop-down) only contains the data that is relevant for the specific user. 

+- **Export button:** You can export the timeline to a CSV file. Export is limited to the first 5000 records and contains the data as it displays in the UI (same filters and columns).

+- **Customized columns:** You can choose which columns to expose in the timeline by selecting the **Customize columns** button. For example:

+ 

+For example:

+ > - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks. For information about how _explicit_ [DMARC](email-authentication-dmarc-configure.md) checks are affected by anti-spoofing protection and the configuration of the DMARC policy (`p=quarantine` or `p=reject` in the DMARC record), see the [Spoof protection and sender DMARC policies](#spoof-protection-and-sender-dmarc-policies) section.

+### Spoof protection and sender DMARC policies

+> [!NOTE]

+> The features described in this section are currently in Preview, aren't available in all organizations, and are subject to change.

+In ant-phishing policies, you can control whether `p=quarantine` or `p=reject` values in sender DMARC policies are honored. If a messages fails DMARC checks, you can specify separate actions for `p=quarantine` or `p=reject` in the sender's DMARC policy. The following settings are involved:

+- **Honor DMARC record policy when the message is detected as spoof**: This setting turns on honoring the sender's DMARC policy for explicit email authentication failures. When you select this setting, the following settings are available:

+ - **If the message is detected as spoof and DMARC Policy is set as p=quarantine**: The available actions are:

+ - **Quarantine the message**

+ - **Move the message to the recipients' Junk Email folders**

+ - **If the message is detected as spoof and DMARC Policy is set as p=reject**: The available actions are:

+ - **Quarantine the message**

+ - **Reject the message**

+The relationship between spoof intelligence and whether sender DMARC policies are honored are described in the following table:

+|&nbsp;|Honor DMARC policy On|Honor DMARC policy Off|

+||||

+|**Spoof intelligence On**|Separate actions for implicit and explicit email authentication failures: <ul><li>Implicit failures use the **If the message is detected as spoof by spoof intelligence** action the anti-phishing policy.</li><li>Explicit failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in the anti-phishing policy.</li></ul>|The **If the message is detected as spoof by spoof intelligence** action in the anti-phishing policy is used for both implicit and explicit email authentication failures. In other words, explicit email authentication failures ignore `p=quarantine` and `p=reject` in the DMARC policy.|

+|**Spoof intelligence Off**|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in anti-phishing policies.|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` DMARC policies are quarantined, and failures for `p=reject` DMARC policies are rejected.|

+ - **Honor DMARC record policy when the message when the message is detected as spoof** (currently in Preview): When this setting is turned on, you control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`:

+ - **If the message is detected as spoof and DMARC Policy is set as p=quarantine**: Select one of the following actions:

+ - **Quarantine the message**: This is the default value.

+ - **Move message to the recipients' Junk Email folders**

+ - **If the message is detected as spoof and DMARC Policy is set as p=reject**: Select one of the following actions:

+ - **Quarantine the message**: This is the default value.

+ - **Reject the message**

+ For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSpoofIntelligence <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-HonorDmarcPolicy <$true | $false>] [-DmarcQuarantineAction <MoveToJmf | Quarantine>] [-DmarcRejectAction <Quarantine | Reject>] [-EnableUnauthenticatedSender <$true | $false>] [-EnableViaTag <$true | $false>] [-SpoofQuarantineTag <QuarantineTagName>]

+> [!NOTE]

+> The DMARC-related parameters are currently in Preview. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+- Turns on honoring `p=quarantine` and `p=reject` in sender DMARC policies.

+ - Messages that fail DMARC where the sender's DMARC policy is `p=quarantine` are quarantined (we aren't using the _DmarcQuarantineAction_ parameter, and the default value is Quarantine).

+ - Messages that fail DMARC where the sender's DMARC policy is `p=reject` are rejected.

+New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research department policy" -AuthenticationFailAction Quarantine -HonorDmarcPolicy $true -DmarcRejectAction Reject

+- The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is available only when you modify an anti-phish policy in PowerShell.

+ - **Honor DMARC record policy when the message when the message is detected as spoof** (currently in Preview): When this setting is turned on, you control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`:

+ - **If the message is detected as spoof and DMARC Policy is set as p=quarantine**: Select one of the following actions:

+ - **Quarantine the message**: This is the default value.

+ - **Move message to the recipients' Junk Email folders**

+ - **If the message is detected as spoof and DMARC Policy is set as p=reject**: Select one of the following actions:

+ - **Quarantine the message**: This is the default value.

+ - **Reject the message**

+ For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+> [!NOTE]

+> The DMARC-related parameters are currently in Preview. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+- Changes the default action for spoofing detections to Quarantine, and uses the default quarantine policy for the quarantined messages (we aren't using the _SpoofQuarantineTag_ parameter).

+- Turns on honoring `p=quarantine` and `p=reject` in sender DMARC policies.

+ - Messages that fail DMARC where the sender's DMARC policy is `p=quarantine` are quarantined (we aren't using the _DmarcQuarantineAction_ parameter, and the default value is Quarantine).

+ - Messages that fail DMARC where the sender's DMARC policy is `p=reject` are rejected.

+New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research department policy" -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect fabrikam.com -TargetedDomainProtectionAction Quarantine -EnableTargetedUserProtection $true -TargetedUsersToProtect "Mai Fujito;mfujito@fabrikam.com" -TargetedUserProtectionAction Quarantine -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction -AuthenticationFailAction Quarantine -HonorDmarcPolicy $true -DmarcRejectAction Reject Quarantine -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true

+ **Honor the sender's DMARC policy when the message is detected as spoof** (currently in Preview): Control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+- **Built-in protection**: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see [Preset security policies](preset-security-policies.md) and to learn about the specific Safe Links and Safe Attachment controls set, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings) and [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).

+> [!NOTE]

+> The features described in this section are currently in Preview, aren't available in all organizations, and are subject to change.

+Configuration can be done in the Microsoft 365 Defender portal, or by the [New-AntiPhishPolicy](/powershell/module/exchange/new-antiphishpolicy) or [Set-AntiPhishPolicy](/powershell/module/exchange/set-antiphishpolicy) cmdlets in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). For more information, see the following articles:

+- [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies)

+- [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md)

+- [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)

+If the DMARC policy of the sending server is `p=reject`, [Exchange Online Protection](eop-about.md) (EOP) marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats `p=reject` and `p=quarantine` the same way, or you can configure anti-phishing policies to honor `p=quarantine` and `p=reject` in sender DMARC policies and specify separate actions for each DMARC policy. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+- *Exchange mail flow rules (also known as transport rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. Mail flow rules are created and modified in the Exchange admin center at <https://admin.exchange.microsoft.com/#/transportrules>, but if any mail flow rule applies to a message, the rule name and GUID will be shown here. Valuable information for tracking purposes.

+- *Primary Override: Source*: Primary override and source refer to the tenant or user setting which impacted the delivery of the email, overriding the delivery location given by the system (as per the threat and detection technology). As an example, this could be an email blocked due to a tenant configured mail flow rule or an email allowed due to an end-user setting for Safe Senders.

+- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured mail flow rule, as well as a tenant configured policy setting (for example, from the Tenant Allow/Block List), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.

+ [Submission portal](https://security.microsoft.com/reportsubmission) (for submissions), and in the [Tenant Allow/Block List](https://security.microsoft.com/tenantAllowBlockList) page for (Tenant Allow/Block List blocks).

+We're also bringing Tenant level block URL and attachment to the respective Email entity URL and Attachments tabs. Upon approval, the block URL and block attachment entries can be tracked on the **URLs** and **Files** tabs on the Tenant Allow/Block List page.

+Continuous access evaluation for Microsoft 365 and Azure Active Directory (Azure AD) proactively terminates active user sessions and enforces tenant policy changes in near real time instead of relying on access token expiration. Azure AD notifies continuous access evaluation-enabled Microsoft 365 services (such as SharePoint, Teams, and Exchange) when the user account or tenant has changed in a way that requires reevaluation of the user account's authentication state.

+|Technologies include:<ul><li>spam</li><li>phish</li><li>malware</li><li>bulk mail</li><li>spoof intelligence</li><li>impersonation detection</li><li>Admin Quarantine</li><li>False positives and false negative reporting by admin submissions and user reported messages</li><li>Allow and block entries for URLs and files in the Tenant Allow/Block List</li><li>Reports</li></ul>|<li>Audit log search</li><li>Message Trace</li>|<li>Zero-hour auto purge (ZAP)</li><li>Refinement and testing of entries in the Tenant Allow/Block List</li>|

+For the recommended settings, see [Recommended Safe Attachments policy settings](recommended-settings-for-eop-and-office365.md#safe-attachments-policy-settings). The Standard and Strict recommendations are the same. To create the policy, see [Set up Safe Attachments policies](safe-attachments-policies-configure.md). Be sure to use the group **MDOPilot\_SafeAttachments** as the condition of the policy (who the policy applies to).

+For the recommended settings, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). The Standard and Strict recommendations are the same. To create the policy, see [Set up Safe Links policies](safe-links-policies-configure.md). Be sure to use the group **MDOPilot\_SafeLinks** as the condition of the policy (who the policy applies to).

+You tune spoofing protection (adjust allows and blocks) and turn on each impersonation protection action to quarantine or move the messages to the Junk Email folder (based on the Standard or Strict recommendations). You can observe the results and adjust their settings as necessary.

+For more information, see the following articles:

+For more information about the recommended settings for Safe Links, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).

+- **On the Email tab**: Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Approve release** or :::image type="icon" source="../../media/m365-cc-sc-deny-icon.png" border="false"::: **Deny**.

+- **In the details flyout of the selected message**: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More** and then select **Approve release** or :::image type="icon" source="../../media/m365-cc-sc-deny-icon.png" border="false"::: **Deny release**.

+#### Actions for quarantined email messages in Defender for Office 365 Plan 2

+In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are also available in the details flyout of a selected message:

+- :::image type="icon" source="../../medi#how-to-read-the-email-entity-page).

+- :::image type="icon" source="../../medi#actions-you-can-take-on-the-email-entity-page).

+|**Honor DMARC record policy when the message when the message is detected as spoof** <br><br> _HonorDmarcPolicy_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|**This setting is currently in Preview.** <br><br> When this setting is turned on, you control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks when the policy action in the DMARC TXT record is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).|

+|**If the message is detected as spoof and DMARC Policy is set as p=quarantine** <br><br> _DmarcQuarantineAction_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof and DMARC Policy is set as p=reject** <br><br> _DmarcRejectAction_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof and DMARC Policy is set as p=reject** <br><br> _DmarcRejectAction_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**Quarantine the message** <br><br> _Quarantine_|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+### Safe Links policy settings

+For more information about Safe Links protection, see [Safe Links in Defender for Office 365](safe-links-about.md).

+To configure Sae Links policy settings, see [Set up Safe Links policies in Microsoft Defender for Office 365](safe-links-policies-configure.md).

+In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new-safelinkspolicy) and [Set-SafeLinksPolicy](/powershell/module/exchange/set-safelinkspolicy) cmdlets for Safe Links policy settings.

+Safe Links protection by Safe Links policies is available in the following locations:

+- **Email messages**: Safe Links protection for links in email messages.

+- **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels.

+- **Office apps**: Safe Links protection for supported Office desktop, mobile, and web apps.

+|Jean is a member of the marketing department. Safe Links protection for Office apps is turned on in a Safe Links policy that applies to members of the marketing department. Jean opens a PowerPoint presentation in an email message, and then clicks a URL in the presentation.|Jean is protected by Safe Links. <br><br> Jean is included in a Safe Links policy where Safe Links protection for Office apps is turned on. <br><br> For more information about the requirements for Safe Links protection in Office apps, see the [Safe Links settings for Office apps](#safe-links-settings-for-office-apps) section later in this article.|

+|Chris's Microsoft 365 E5 organization has no Safe Links policies configured. Chris receives an email from an external sender that contains a URL to a malicious website that he ultimately clicks.|Chris is protected by Safe Links. <br><br> The **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).|

+|In Pat's organization, admins have created a Safe Links policy that applies Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document and clicks a URL in the file.|Pat isn't protected by Safe Links. <br><br> Although Pat is included in an active Safe Links policy, Safe Links protection for Office apps is turned off in that policy, so the protection can't be applied.|

+For more information about the recommended values for Standard and Strict policy settings, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).

+|`*.contoso.com/*`|Allows access to a domain, subdomains, and paths (for example, `https://www.contoso.com`, `https://www.contoso.com`, `https://maps.contoso.com`, or `https://www.contoso.com/a`). <br><br> This entry is inherently better than `*contoso.com*`, because it doesn't allow potentially fraudulent sites, like `https://www.falsecontoso.com` or `https://www.false.contoso.completelyfalse.com`|

+|**Tenant AllowBlockList Manager**|Manage Tenant Allow/Block List settings.|Security Operator|

+ Title: Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes

+description: Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that shouldn't be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes.

+# Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes

+To keep your organization [secure by default](secure-by-default.md), Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example:

+You use the _advanced delivery policy_ in Microsoft 365 to prevent inbound messages _in these specific scenarios_ from being filtered┬╣. The advanced delivery policy ensures that messages in these scenarios achieve the following results:

+- Filters in EOP and Defender for Office 365 take no action on these messages.┬╣

+- [Zero-hour Purge (ZAP)](zero-hour-auto-purge.md) for spam and phishing take no action on these messages┬▓.

+ - [Admin submissions](submissions-admin.md) generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.

+ - When a user reports a phishing simulation message using the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook), the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the **User reported** tab of the **Submissions** page.

+ - [Safe Links in Defender for Office 365](safe-links-about.md) doesn't block or detonate the specified URLs in these messages at time of click. URLs are still wrapped, but they aren't blocked.

+┬╣ You can't bypass malware filtering.

+┬▓ You can bypass ZAP for malware by creating an anti-malware policy for the SecOps mailbox where ZAP for malware is turned off. For instructions, see [Configure anti-malware policies in EOP](anti-malware-policies-configure.md).

+Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can filter and analyze on these system overrides in the following experiences:

+- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.

+ On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected.

+2. On the **SecOps mailbox** tab, select the **Add** button in the **No SecOps mailboxes configured** area of the page.

+ If there are already existing entries on the **SecOps mailbox** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** (the **Add** button isn't available).

+3. In the **Add SecOps mailboxes** flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:

+ Repeat this step as many times as necessary. Distribution groups aren't allowed.

+ To remove an existing value, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+4. When you're finished in the **Add SecOps mailboxes** flyout, select **Add**..

+5. Review the information in the **Changes to SecOps mailbox override saved** flyout, and then select **Close**.

+Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configured are now listed:

+- The **Display name** column contains display name of the mailboxes.

+- The **Email** column contains the email address for each entry.

+- To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.

+ On the **Advanced delivery** page, verify that the **SecOps mailbox** tab is selected.

+2. On the **SecOps mailbox** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.

+3. In **Edit SecOps mailboxes** flyout that opens, add or remove mailboxes as described in Step 3 in the [Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.

+ To remove all mailboxes, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more mailboxes selected.

+4. When you're finished in the **Edit SecOps mailboxes** flyout, select **Save**.

+5. Review the information in the **Changes to SecOps mailbox override saved** flyout, and then select **Close**.

+Back on the **SecOps mailbox** tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.

+> [!NOTE]

+> To configure a third-party phishing simulation, you need to provide the following information:

+>

+> - At least one **Domain**.

+> - At least one **Sending IP**.

+> - You should also add all possible URLs that are used in phishing simulation messages in **Simulation URLs to allow**. These URL entries prevent the URLS from being treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated.

+>

+> There must be a match on at least one **Domain** and one **Sending IP**, but no association between values is maintained.

+>

+> If your MX record doesn't point to Microsoft 365, the IP address in the `Authentication-results` header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so the correct IP address is detected.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.

+ On the **Advanced delivery** page, select the **Phishing simulation** tab.

+2. On the **Phishing simulation** tab, select the **Add** button in the **No third party phishing simulations configured** area of the page.

+ If there are already existing entries on the **Phishing simulation** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** (the **Add** button isn't available).

+3. In the **Add third party phishing simulations** flyout that opens, configure the following settings:

+ - **Domain**: Expand this setting and enter at least one email address domain by clicking in the box, entering a value (for example, contoso.com), and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 20 entries.

+ > Use the domain in the `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message **or** a DKIM domain as specified by the phishing simulation vendor.

+ - **Sending IP**: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:

+ - **Simulation URLs to allow**: Expand this setting and enter specific URLs that are part of your phishing simulation campaign that shouldn't be blocked or detonated by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see [URL syntax for the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#url-syntax-for-the-tenant-allowblock-list). These URLs are wrapped at the time of click, but they aren't blocked.

+ To remove an existing value, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+4. When you're finished in the **Add third party phishing simulations** flyout, select **Add**.

+5. Review the information in the **Changes to phishing simulation override saved** flyout, and then select **Close**.

+Back on the **Phishing simulation** tab, the third-party phishing simulation entries that you configured are now listed:

+- The **Value** column contains the domain, IP address or URL entry.

+- The **Type** column contains the value **Sending IP**, **Domain**, or **Allowed simulation URL** for each entry.

+- The **Date** column shows when the entry was created.

+- To change the list of entries from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>.

+ On the **Advanced delivery** page, select the **Phishing simulation** tab.

+2. On the **Phishing simulation** tab, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**.

+3. In the **Edit third-party phishing simulation** flyout that opens, add or remove entries for **Domain**, **Sending IP**, and **Simulation URLs** as described in Step 3 in the [Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy](#use-the-microsoft-365-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) section.

+ To remove all entries, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to each value until there are no more domains, IPs, or URLs selected.

+4. When you're finished in the **Edit third-party phishing simulation** flyout, select **Save**.

+5. Review the information in the **Changes to phishing simulation override saved** flyout, and then select **Close**.

+Back on the **Phishing simulation** tab, the third-party phishing simulation entries that you configured are displayed. If you removed all entries, the list is empty.

+In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:

+- **Third-party filters**: If your domain's MX record _doesn't_ point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) _isn't available_. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as _skip listing_). For more information, see [Manage mail flow using a third-party cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud). If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

+- **False positives under review**: You might want to _temporarily_ allow good messages that are incorrectly identified as bad (false positives) that you reported via [admin submissions](submissions-admin.md), but the messages are still being analyzed by Microsoft. As with all overrides, we _**highly recommended**_ that these allowances are temporary.

+- When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

+Regardless of the Name value you specify, the policy name is _SecOpsOverridePolicy_, so you might as well use that value.

+Regardless of the Name value you specify, the rule name is _SecOpsOverrideRule_\<GUID\> where \<GUID\> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).

+> If an associated, valid SecOps override rule exists, the email addresses in the rule is also updated.

+The **Set-SecOpsOverrideRule** cmdlet doesn't modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the **Set-SecOpsOverridePolicy** cmdlet.

+- When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

+Regardless of the Name value you specify, the policy name is _PhishSimOverridePolicy_, so you might as well use that value.

+Regardless of the Name value you specify, the rule name is _PhishSimOverrideRule_\<GUID\> where \<GUID\> is a unique GUID value (for example, a0eae53e-d755-4a42-9320-b9c6b55c5011).

+These changes don't affect existing entries.

+1. If you receive complaints from users about too many bulk emails being blocked, you can adjust this threshold, or alternatively, submit the message to us, which will also add the sender to the Tenant Allow/Block List.

+> Review this step-by-step guide for more details on allowing senders using the Tenant Allow/Block List: [How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365](how-to-handle-false-positives-in-microsoft-defender-for-office-365.md).

+ - If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the **Spoofed senders** tab in the Tenant Allow/Block List.

+ - If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow/Block List.

+ - If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the **URL** tab in the Tenant Allow/Block List.

+ - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow/Block List.

+|**Safe Links in Microsoft Defender for Office 365**|No|Create a Safe Links policy as described here: [Configure Safe Links settings in Microsoft Defender for Office 365](protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365). <p> More information: <ul><li>[Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings)</li><li>[Set up Safe Links policies](safe-links-policies-configure.md)</li><li>[Safe Links in Microsoft Defender for Office 365](safe-links-about.md)</li></ul>|

+|Facilitate the work of assessors and auditors. | Make sure that individuals who oversee compliance activities in the organization have the right roles and can access evidence files and reporting. Compliance Manager allows scoped access to individual assessment for specific users. <br><br>You can upload evidence files to improvement actions that document your implementation and testing work. Assign improvement actions to users serving as assessors so they can determine a pass or fail status.<br><br>Provide reporting on your assessments to compliance stakeholders, auditors, and regulators. Exported reports contain details about control implementation status, test date, and test results.| [Grant user access to individual assessments](../compliance/compliance-manager-assessments.md#grant-user-access-to-individual-assessments)<br><br>[Store evidence documentation](../compliance/compliance-manager-improvement-actions.md#storing-evidence)<br><br>[Assign improvement actions to assessors](../compliance/compliance-manager-improvement-actions.md#assign-improvement-action-to-assessor-for-completion)<br><br>[Export an assessment report](../compliance/compliance-manager-assessments.md#export-an-assessment-report)|

+The prebuilt *contracts model* analyzes and extracts key information from contract documents. The model recognizes contracts in various formats and extracts key contract information, such as client name and address, contract duration, and renewal date.

+- The prebuilt *contracts model* analyzes and extracts key information from contract documents. The model recognizes contracts in various formats and extracts key contract information, such as client name and address, contract duration, and renewal date.