+- M365-subscription-management

+## Microsoft 365 for business plans

+|||

+|[Microsoft 365 Apps for Business](https://www.microsoft.com/microsoft-365/business/microsoft-365-apps-for-business)|<ul><li>Get desktop versions of Office apps: Outlook, Word, Excel, PowerPoint, OneNote (plus Access and Publisher for PC only).</li><li>Store and share files with 1 TB of OneDrive cloud storage per user.</li><li>Use one license to cover fully installed Office apps on five mobile devices, five tablets, and five PCs or Macs per user.</li><li>Automatically update your apps with new features and capabilities every month.</li><li>Get help anytime with around-the-clock phone and web support from Microsoft.</li></ul>|

+|[Microsoft 365 Business Basic](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-basic)|<ul><li>Host email with a 50 GB mailbox and custom email domain address.</li><li>Create a hub for teamwork to connect people using Microsoft Teams.</li><li>Use Office apps for the web, including Outlook, Word, Excel, PowerPoint, and OneNote.</li><li>Store and share files with 1 TB of OneDrive cloud storage per user.</li><li>Facilitate online meetings and video conferencing for up to 300 users.</li><li>Get help anytime with around-the-clock phone and web support from Microsoft.</li></ul>|

+|[Microsoft 365 Business Standard](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-standard)|<ul><li>Get desktop versions of Office apps, including Outlook, Word, Excel, PowerPoint, and OneNote (plus Access and Publisher for PC only).</li><li>Host email with a 50 GB mailbox and custom email domain.</li><li>Create a hub for teamwork to connect people using Microsoft Teams.</li><li>Store and share files with 1 TB of OneDrive cloud storage per user.</li><li>Use one license to cover fully installed Office apps on five mobile devices, five tablets, and five PCs or Macs per user.</li><li>Get help anytime with around-the-clock phone and web support from Microsoft.</li></ul>|

+|[Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium)|<ul><li>Stay up to date with the latest versions of Word, Excel, PowerPoint, and more.</li><li>Connect with customers and coworkers using Outlook, Exchange, and Microsoft Teams.</li><li>Manage your files from anywhere with 1 TB of cloud storage on OneDrive per user.</li><li>Defend your business against advanced cyberthreats with sophisticated phishing and ransomware protection.</li><li>Control access to sensitive information using encryption to help keep data from being accidentally shared.</li><li>Secure devices that connect to your data and help keep iOS, Android, Windows, and MacOS devices safe and up to date.</li></ul>|

+For more details, you can [compare plans](https://www.microsoft.com/microsoft-365/business#coreui-heading-hiatrep).

+When you buy a subscription to Microsoft 365 for business, you sign up for a set of apps and services that you pay for on either a monthly or an annual basis. The applications and services that you receive as part of your subscription depend on which product you purchased, such as Microsoft 365 Apps for business or Microsoft 365 Business Standard. You can see what comes with each product on the [Microsoft 365 for small and medium-sized businesses](https://www.microsoft.com/microsoft-365/business/compare-all-microsoft-365-business-products) page.

+|||

+|Exchange Online|A mailbox is created for that person. <br/> To learn about the SLA for this task to be completed, see ["Setting up..." messages in the Microsoft 365 admin center](https://support.microsoft.com/help/2635238/setting-up-messages-in-the-office-365-admin-center).|

+|SharePoint Online|Edit permissions to the default SharePoint Online team site are assigned to that person.|

+|Microsoft Teams|The person has access to the features associated with the license.|

+|Microsoft 365 Apps for enterprise and Microsoft 365 Apps for business|The person can download Office apps on up to five Macs or PCs, five tablets, and five smartphones.|

+||::|::|::|::|

+search.appverid:

+Overview:

+1. Copy the following sample .csv file for a template and example entries for four different retention labels, and paste them into Excel.

+3. Replace the examples with entries for your own retention labels and settings. For more information about the parameter values, see [New-ComplianceTag](/powershell/module/exchange/new-compliancetag).

+4. Save the worksheet as a .csv file in a location that's easy to find for a later step. For example: C:\>Scripts\Labels.csv

+```text

+1. Copy the following sample .csv file for a template and example entries for three different retention label policies, and paste them into Excel.

+3. Replace the examples with entries for your own retention label policies and their settings. For more information about the parameter values for this cmdlet, see [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy).

+4. Save the worksheet as a .csv file in a location that's easy to find for a later step. For example: `<path>Policies.csv`

+```text

+ - If you don't specify the source file to create the retention labels, the script moves on to create the retention label policies.

+ - If you don't specify the source file to create the retention label policies, the script creates the retention labels only.

+ - Load retention labels csv file

+ - Validate csv file input

+ - Create retention labels

+ - Create retention policies

+ - Publish retention labels for the policies

+ - Generate the log for retention labels and policies creation

+ - Generate the csv result for the labels and policies created

+ .\Publish-ComplianceTag.ps1 [-LabelListCSV <string>] [-PolicyListCSV <string>]

+ if ($Warning -eq $false)

+ {

+ throw

+ else

+ {

+ WriteToLog -Type "Start" -Message "Execute Cmdlet : '$CmdLet'"

+ $cmdlet += " -RetentionAction " + $para

+ WriteToLog -Type "Message" -Message "Publish Tags : '$ts'"

+ ExportPublishedComplianceTagAndPolicy -PolicyFilePath $PolicyListCSV

+```DOS

+- Exchange online Plan 2

+- Sharepoint online Plan 2

+ The **RecordsSaved** field indicates the number of records in the JSON file that were uploaded. For example, if the JSON file contains four records, then the value of the **RecordsSaved** fields is 4 if the script successfully uploaded all the records in the JSON file. The **RecordsSkipped** field indicates the number of records in the JSON file that were skipped. Before uploading records in the JSON file, the Email IDs of the records will be validated. Any record with an invalid Email ID will be skipped and the corresponding Email ID is displayed in the field **EmailIdsNotSaved**

+The default Exchange retention policyΓÇönamed *Default MRM Policy*ΓÇöthat is automatically applied to new mailboxes in Exchange Online contains a retention tag named Recoverable Items 14 days move to archive. This retention tag moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox after the 14-day retention period expires for an item. Emails in Deletions folder will retain based on **RetainDeletedItemsFor** parameter and move to other folders in recoverable deleted items and then to archive mailbox. For this to happen, the user's archive mailbox must be enabled. If the archive mailbox isn't enabled, no action is taken, which means that items in the Recoverable Items folder for a mailbox on hold aren't moved to the archive mailbox after the 14-day retention period expires. Because nothing is deleted from a mailbox on hold, it's possible that the storage quota for the Recoverable Items folder might be exceeded, especially if the user's archive mailbox isn't enabled.

+search.appverid:

+|Job type|Description|

+|||

+|Adding data to a review set|A user adds a collection to a review set. This job consists of two sub jobs: <ul><li>**Export** - A list of items in the collection is generated.</li><li>**Ingestion & Indexing** - The items in the collection that match the search query are copied to an Azure Storage location (in a process called *ingestion*) and then those items in the Azure Storage location are reindexed. This new index is used when querying and analyzing items in the data set.</li><ul> <p> For more information, see [Add search results to a review set](add-data-to-review-set.md).|

+|Adding data to another review set|A user adds documents from one review set to a different review set in the same case. For more information, see [Add data to a review set from another review set](add-data-to-review-set-from-another-review-set.md).|

+|Adding non-Microsoft 365 data to a review set|A user uploads non-Microsoft 365 data to a review set. The data is also indexed during this process. For example, files from an on-premises file server or a client computer are uploaded to a review set. For more information, see [Load non-Microsoft 365 data into a review set](load-non-office-365-data-into-a-review-set.md).|

+|Adding remediated data to a review set|Data with processing errors is remediated and loaded back into a review set. For more information, see: <ul><li>[Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md)</li><li>[Single item error remediation](single-item-error-remediation.md)</li></ul>|

+|Comparing load sets|A user looks at the differences between different load sets in a review set. A load set is an instance of adding data to a review set. For example, if you add the results of two different searches to the same review set, each would represent a load set.|

+|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](view-documents-in-review-set.md).|

+|Estimating search results|After a user creates and runs or reruns a draft collection, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).|

+|Preparing data for export|A user exports documents from a review set. When the export process is complete, they can download the exported data to a local computer. For more information, see [Export case data](exporting-data-ediscover20.md).|

+|Preparing for error resolution|When a user selects a file and creates a new error remediation in the Error view on the **Processing** tab of a case, the first step in the process is to upload the file that has the processing error to an Azure Storage location in the Microsoft cloud. This job tracks the progress of the upload process. For more information about the error remediation workflow, see [Error remediation when processing data](error-remediation-when-processing-data-in-advanced-ediscovery.md).|

+|Preparing search preview|After a user creates and runs a new draft collection (or reruns an existing draft collection), the search tool prepares a sample subset of items (that match the search query) that can be previewed. Previewing search results help you determine the effectiveness of the search. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md#view-search-results-and-statistics).|

+|Re-indexing custodian data|When you add a custodian to a case, all partially indexed items in the custodian's selected data sources are reindexed by a process called *Advanced indexing*. This job is also triggered when you click **Update index** on the **Processing** tab of a case, and when you update the index for a specific custodian on the custodian properties flyout page. For more information, see [Advanced indexing of custodian data](indexing-custodian-data.md).

+|Running analytics|A user analyzes data in a review set by running eDiscovery (Premium) analytics tools such as near duplicate detection, email threading analysis, and themes analysis. For more information, see [Analyze data in a review set](analyzing-data-in-review-set.md).|

+|Tagging documents|This job is triggered when a user clicks **Start tagging job** in the **Tagging panel** when reviewing documents in a review set. A user can start this job after tagging documents in a review set and then bulk-selecting them in the view document panel. For more information, see [Tag documents in a review set](tagging-documents.md).|

+- [PDF support](sensitivity-labels-office-apps.md#pdf-support) (in preview)

+When you download a PDF file from an IRM-protected library, Microsoft 365 creates a protected PDF file. The file's extension won't change, but the file is protected. To view this file you'll need the Azure Information Protection viewer, the full Azure Information Protection client, or another application that supports viewing protected PDF files.

+Expand the titles below for more network planning guidance.

+Here's an example of Contoso that compares the different Azure ExpressRoute connectivity options with the perimeter security models discussed above.

+Contoso is considering implementing Azure ExpressRoute and after planning the optimal architecture for [Routing with ExpressRoute for Office 365](routing-with-expressroute.md) and after using the above guidance to understand bandwidth requirements, they're determining the best method for securing their perimeter.

+For Contoso, a multi-national organization with locations in multiple continents, security must span all perimeters. The optimal connectivity option for Contoso is a multi-point connection with multiple peering locations around the globe to service the needs of their employees in each continent. Each continent includes redundant Azure ExpressRoute circuits within the continent and security must span all of these.

+Contoso's existing infrastructure is reliable and can handle the extra work, as a result, Contoso is able to use the infrastructure for their Azure ExpressRoute and internet perimeter security. If this weren't the case, Contoso could choose to purchase more equipment to supplement their existing equipment or to handle a different type of connection.

+Contoso's multi-geographic design has undergone a review of routing, bandwidth, security, and now must go through a high availability review. Contoso thinks about high availability as covering three categories; resiliency, reliability, and redundancy.

+Resiliency allows Contoso to recover from failures quickly. Reliability allows Contoso to offer a consistent outcome within the system. Redundancy allows Contoso to a move between one or more mirrored instances of infrastructure.

+Within each edge configuration, Contoso has redundant Firewalls, Proxies, and IDS. For North America, Contoso has one edge configuration in their Dallas datacenter and another edge configuration in their Virginia datacenter. The redundant equipment at each location offers resiliency to that location.

+The network configuration at Contoso is built based on a few key principles:

+- Failover between Azure ExpressRoute circuits happens automatically without additional configuration or action required by Contoso.

+- Failover between Internet circuits happens automatically without additional configuration or action required by Contoso.

+In this configuration, with redundancy at the physical and virtual level, Contoso is able to offer local resiliency, regional resiliency, and global resiliency in a reliable way. Contoso elected this configuration after evaluating a single Azure ExpressRoute circuit per region as well as the possibility of failing over to the internet.

+If Contoso was unable to have multiple Azure ExpressRoute circuits per region, routing traffic originating in North America to the Azure ExpressRoute circuit in Asia Pacific would add an unacceptable level of latency and the required DNS forwarder configuration adds complexity.

+Using the internet as a backup configuration isn't recommended. This breaks Contoso's reliability principle, resulting in an inconsistent experience using the connection. Additionally, manual configuration would be required to fail over considering the BGP advertisements that have been configured, NAT configuration, DNS configuration, and the proxy configuration. This added failover complexity increases the time to recover and decreases their ability to diagnose and troubleshoot the steps involved.

+The executable accepts the following command line parameters:

+- -h to show a link to this help documentation

+- -testlist &lt;test&gt; Specifies tests to run. By default only basic tests are run. Valid test names include: all, dnsConnectivityPerf, dnsResolverIdentification, bufferBloat, traceroute, proxy, vpn, skype, connectivity, networkInterface

+- -filepath &lt;filedir&gt; Directory path of test result files. Allowed value is absolute or relative path of an accessible directory

+- -city &lt;city&gt; For the city, state, and country fields the specified value will be used if provided. If not provided then Windows Location Services (WLS) will be queried. If WLS fails the location will be detected fromthe machines network egress

+- -state &lt;state&gt;

+- -country &lt;country&gt;

+- -proxy &lt;account&gt; &lt;password&gt; Proxy account name and password can be provided if you require a proxy to access the Internet

+Output of results are written to a JSON file in a folder called TestResults which is created in the current working directory of the process unless it already exists. The filename format for the output is connectivity_test_result_YYYY-MM-DD-HH-MM-SS.json. The results are in JSON nodes that match the output shown on the web page for the Microsoft 365 network connectivity test tool web site. A new result file is created each time you run it and the standalone executable does not upload results to your Microsoft tenant for viewing in the Admin Center Network Connectivity pages. Front door codes, longitudes, and latitudes are not included in the result file.

+> [!NOTE]

+> Network connectivity in the Admin Center supports tenants in WW Commercial and Germany but not GCC Moderate, GCC High, DoD or China.

+We classify network traffic logs as remote or onsite users and show their percentages in the user connection metrics section of the overview pane. For cities where you have remote users, you'll find the location specific remote network assessment score when you open that location's page. The locations list will have both office locations and remote worker cities, which can be filtered and sorted. We provide the remote worker assessment score, with points breakdown for Exchange, SharePoint and Teams.

+## CQD TSV Import for LAN subnet office locations

+If you've uploaded building data to your Call Quality Dashboard, you can add those locations here to start assessing their network connectivity. This won't affect your existing locations.

+[Go to Tenant Data Upload](https://cqd.teams.microsoft.com/spd/#/TenantDataUpload) in Call Quality Dashboard. If you've uploaded your building data, you'll see an option to download it to a .tsv file. Download the .tsv file from Call Quality Dashboard, then upload it in the CQD flyout following the steps below. If you want to create the .tsv file manually, please align the schema with that in Upload building data file, or try the CSV Import for LAN subnet office locations instead.

+1. In the main Connectivity to Microsoft 365 window, click the **Locations** tab.

+2. Click the **Manage multiple locations** button just above the locations list.

+ > [!div class="mx-imgBorder"]

+ > 

+3. Click the **Add locations from Call Quality Dashboard**, the **Add locations from Call Quality Dashboard** flyout will appear.

+ > [!div class="mx-imgBorder"]

+ > 

+4. Click the **Browse** button next to the **Select a .tsv file to upload** field and select the saved TSV file. Please make sure the value in the file is tab separated.

+5. The file will be automatically validated and parsed to the list of office locations. If there are validation errors, the **We couldn't upload your file** flyout appears to list the errors.

+ > [!div class="mx-imgBorder"]

+ > 

+6. If there are no errors in the file, you will see the message: _Your file test.tsv is uploaded and ready. Select Import to upload your information._

+ > [!div class="mx-imgBorder"]

+ > 

+7. Click **Upload** button at the bottom of the panel to upload the office locations.

+> [!NOTE]

+> Microsoft 365 service front door has no direct relationship to the Azure Front Door Service product available in the Azure marketplace.

+- [Microsoft Teams Meetings with Open LMS](open-lms-teams-classes-and-meetings.md).

+- [Microsoft Teams Classes LTI with Canvas](teams-classes-with-canvas.md).

+- [Microsoft Teams Classes LTI with Blackboard](teams-classes-with-blackboard.md).

+- [Microsoft Teams Classes LTI with Moodle](teams-classes-meetings-with-moodle.md).

+- [Microsoft Teams Classes LTI with Open LMS](open-lms-teams-classes-and-meetings.md).

+ Title: Set up and configure the Moodle plugin for Open LMS

+audience: admin

+f1.keywords:

+- CSH

+ms.localizationpriority: medium

+description: Get ready to integrate One LMS and Microsoft Teams by setting up and configuring the Moodle plugin.

+# Set up and configure the Moodle plugin

+In this article, you'll learn how to install and configure the Moodle plugin to incorporate Microsoft Teams with your Open LMS experience.

+> [!NOTE]

+> Currently, Open LMS and Microsoft Teams LTI integrations are only available in private preview.

+>

+>If you'd like to participate in the private preview program, [sign up here](https://m365crmedu.powerappsportals.com/LMSSignup)

+## Prerequisites

+Here are the prerequisites to install the Moodle plugin:

+* Moodle administrator credentials.

+* Microsoft Azure Active Directory (Azure AD) administrator credentials.

+* An Azure subscription where you can create new resources.

+## 1. Install the Microsoft 365 Moodle Plugin

+Open LMS integration in Microsoft Teams is powered by the open source [Microsoft 365 Moodle plugin set](https://moodle.org/plugins/browse.php?list=set&id=72).

+### Requisite applications and plugins

+Install and download the following items before proceeding with the Microsoft 365 Moodle plugin installation:

+1. A [current stable version of Moodle](https://download.moodle.org/releases/latest/).

+1. Download and save the Moodle [OpenID Connect](https://moodle.org/plugins/auth_oidc) and the [Microsoft 365 Integration](https://moodle.org/plugins/local_o365) plugins to your local computer.

+ > [!NOTE]

+ > Installing the OpenID Connect and Microsoft 365 Integration plugins is required for the Teams integration.

+ >

+ > The [Microsoft 365 Teams Theme](https://moodle.org/plugins/theme_boost_o365teams) plugin is recommended.

+### Microsoft 365 Moodle plugins

+#### Install plugins

+1. Download the plugins, extract them, and upload to their corresponding folders. For example, extract the OpenID Connect plugin (auth_oidc) to a folder called **oidc**, and upload to the **auth** folder of your Moodle document root.

+2. Sign in to your Moodle site as an administrator and select **Site administration**.

+3. Upon detection of new plugins to be installed, Moodle should redirect you to the install new plugins page. If this doesn't happen, in the **Site administration** page, select **Notifications** in the **General** tab as this should trigger the installation of the plugins.

+ > [!IMPORTANT]

+ >

+ > * Keep your Microsoft 365 Moodle Plugins configuration page open in a separate browser tab as you need to return to this set of pages throughout the process.

+ >

+ > * If you don't have an existing Moodle site, go to the [Moodle on Azure](https://github.com/azure/moodle) repo, and quickly deploy a Moodle instance and customize it to your needs.

+#### Enable the OpenID Connect authentication plugin

+1. Navigate to **Site Administration** > **Plugins** > **Authentication** then select **Manage Authentication**.

+1. Find the **OpenID Connect** authentication plugin and select the *eye icon* to enable it.

+1. Select **Settings** for the plugin to verify the **Authorization** and **Token** endpoints.

+ 1. The default values should be:

+ 1. Authorization endpoint: ``https://login.microsoftonline.com/common/oauth2/authorize``.

+ 1. Token endpoint: ``https://login.microsoftonline.com/common/oauth2/token``.

+1. Record the **Redirect URI** for later use.

+## 2. Configure the connection between the Microsoft 365 plugins and Azure AD

+You must configure the connection between the Microsoft 365 plugins and Azure AD.

+### Requisites

+Register Moodle as an application in your Azure AD, using the PowerShell script. The script provisions the following items:

+* A new Azure AD application for your Microsoft 365 tenant, which is used by the Microsoft 365 Moodle Plugins.

+* The app for your Microsoft 365 tenant sets up the required reply URLs and permissions for the provisioned app and returns the `AppID` and `Key`.

+Use the generated `AppID` and `Key` in your Microsoft 365 Moodle Plugins setup page to configure your Moodle server site with Azure AD.

+> [!IMPORTANT]

+> For more information on registering your Moodle instance manually, see [Register your Moodle instance as an application](https://docs.moodle.org/400/en/Microsoft_365#Azure_App_Creation_and_Configuration).

+### Teams for Open LMS setup process

+1. From the Microsoft 365 Integration plugins page, select the **Setup** tab.

+1. Select the **Download PowerShell Script** button and save it as a ZIP folder to your local computer.

+1. Prepare the PowerShell script from the ZIP file as follows:

+ 1. Download and extract the `Moodle-AzureAD-Powershell.zip` file.

+ 1. Open the extracted folder.

+ 1. Right-click on the `Moodle-AzureAD-Script.ps1` file and select **Properties**.

+ 1. Under the **General** tab of the Properties window, select the `Unblock` checkbox next to the **Security** attribute located at the bottom of the window.

+ 1. Select **OK**.

+ 1. Copy the directory path to the extracted folder.

+1. Run PowerShell as an administrator:

+ 1. Select Start.

+ 1. Type PowerShell.

+ 1. Right-click on **Windows PowerShell**.

+ 1. Select **Run as Administrator**.

+1. Navigate to the unzipped directory by typing `cd .../.../Moodle-AzureAD-Powershell` where `.../...` is the path to the directory.

+1. Execute the PowerShell script:

+ 1. Enter `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser`.

+ 1. Enter `./Moodle-AzureAD-Script.ps1`.

+ 1. Sign in to your Microsoft 365 administrator account in the pop-up window.

+ 1. Enter the name of the Azure AD Application, for example, Moodle or Moodle plugins.

+ 1. Enter the URL for your Moodle server.

+ 1. Copy the **Application ID (`AppID`)** and **Application Key(`Key`)** generated by the script and save them.

+1. Return to the plugins administration page, **Site administration** > **Plugins** > **Authentication** > **OpenID Connect**.

+1. Paste the `AppID` value into the **Application ID** box and the `Key` value into the **Key** box, and then select **Save changes**.

+1. Navigate to **Site administration** > **Plugins** > **Local plugins** and select **Microsoft 365 Integration**.

+1. In **Choose connection method**, select **Application access**, and then select **Save changes** again.

+1. After the page refreshes, you can see another new section **Admin consent & additional information**.

+ 1. Select **Provide Admin Consent** link, enter your Microsoft 365 Global Administrator credentials, then **Accept** to grant the permissions.

+ 1. Next to the **Azure AD Tenant** field, select the **Detect** button.

+ 1. Next to the **OneDrive for Business URL**, select the **Detect** button.

+ 1. After the fields populate, select the **Save changes** button again.

+1. Select the **Update** button to verify the installation, and then select **Save changes**.

+1. Synchronize users between your Moodle server and Azure AD. Depending on your environment, you can select different options during this stage. To get started:

+ 1. Switch to the **Sync Settings tab**.

+ 1. In the **Sync users with Azure AD** section, select the checkboxes that apply to your environment. You must select the following options:

+ Γ£ö Create accounts in Open LMS for users in Azure AD.

+ Γ£ö Update all accounts in Open LMS for users in Azure AD.

+ 1. In the **User Creation Restriction** section, you can set up a filter to limit the Azure AD users that are synced to Open LMS.

+ 1. In the **Course Sync** section, you can select **Course sync customization** option to enable the automatic creation of Groups and Teams for some, or all, of your existing Open LMS courses.

+1. To validate [cron](https://docs.moodle.org/400/en/Cron) tasks and to run them manually for the first time, navigate to **Site administration** > **Server** > **Tasks** > **Scheduled tasks**.

+ 1. Scroll down and find the task **Sync users with Azure AD** and select **Run now**.

+ 1. This process will sync the Azure AD user to your Open LMS site.

+ 1. Next, find the **Sync Moodle courses to Microsoft Teams** task and select **Run now**.

+ 1. This task will create groups and Teams if an owner is found.

+ 1. If the user has `local/o365:teamowner` capability in the course context, the user is a team owner. If the user has `local/o365:teammember` capability in the course context, the user is a team member.

+ 1. The default *Teacher* role has the `local/o365:teamowner` capability, and the default *Student* role has the `local/o365:teammember` capability.

+ > [!NOTE]

+ > The Moodle [Cron](https://docs.moodle.org/400/en/Scheduled_tasks) runs according to the task schedule. The default schedule is once a day at 1:00 AM in your server's local time zone. However, the cron should run more frequently to keep everything in sync.

+1. Navigate to **Site administration** > **Plugins** > **Local plugins** > **Microsoft 365 Integration** > **Teams Settings** tab.

+1. Select the **Check Moodle settings** button will update all required configurations for the Teams integration to work.

+After the plugins are installed and configured, you can:

+* [Deploy Moodle Assistant Bot to Azure](/microsoftteams/install-moodle-integration#step-3-deploy-the-moodle-assistant-bot-to-azure).

+* [Add Moodle tabs to Teams classes](/microsoftteams/install-moodle-integration#step-4-deploy-your-microsoft-teams-app).

+* [Add Teams classes and meetings to Open LMS](open-lms-teams-classes-and-meetings.md).

+## Extra Moodle plugin documentation

+If you would like to review Open LMS's Microsoft 365 integration guides and release notes, see these resources:

+* [Microsoft 365 integration documentation on Moodle Docs](https://docs.moodle.org/400/en/Microsoft_365).

+ Title: Integrate Microsoft Teams classes and meetings with Open LMS

+audience: admin

+f1.keywords:

+- CSH

+ms.localizationpriority: medium

+description: Create and manage Teams classes and meetings with Microsoft OneDrive Learning Tools Interoperability for Open LMS.

+# Integrate Microsoft Teams classes and meetings within Open LMS

+> [!NOTE]

+> Currently, Open LMS and Microsoft Teams LTI integrations are only available in private preview.

+>

+>If you'd like to participate in the private preview program, [sign up here](https://m365crmedu.powerappsportals.com/LMSSignup/).

+This guide provides the IT admin steps for registering both Teams Classes and Teams Meetings LTI apps on Open LMS.

+For details on managing all LTI apps for any LMS, see [Manage Microsoft LMS Gateway for any LMS](manage-microsoft-one-lti.md).

+## Prerequisites before set up

+For the integration between Open LMS and Teams to function correctly, Open LMS and Teams must be set up to communicate with one another.

+Follow the [instructions for installing and configuring the Moodle plugin](open-lms-plugin-configuration.md).

+## Register Microsoft Teams LTI for use in Open LMS

+> [!IMPORTANT]

+> The person who performs this integration should be an Open LMS administrator and a Microsoft 365 tenant administrator.

+1. Visit [Microsoft LMS Gateway](https://lti.microsoft.com/) and select the **Go to registration portal** button.

+2. Sign in with a Microsoft 365 administrator account.

+3. After signing in, select **Add new registration**.

+4. Select either **Teams Meetings LTI** or **Teams Classes LTI** to register and then select **Next**.

+5. Enter in an easily identifiable **Registration** name and select **Open LMS** as the LMS platform. Select **Next**.

+6. You'll be given a list of keys that need to be added to your Open LMS site.

+7. Open Open LMS in another tab. Don't close the Microsoft LMS Gateway tab.

+8. In Open LMS, go to **Site administration** > **Plugins** > **Activity modules** > **External tools** > **Manage tools**.

+9. On the **Manage tools** page, select **configure a tool manually**.

+10. Under **Tool settings**, enter in a **Tool name** like **Microsoft Teams Classes**. For **LTI version**, select **LTI 1.3**. For **Public key type**, select **Keyset URL**.

+11. Next, copy the keys from **Microsoft LTI keys** to the corresponding tools inputs.

+ 1. Microsoft's **Target link URL** key goes into Open LMS's **Tool URL** field.

+ 1. Microsoft's **Open ID connection URL** key goes into Open LMS's **Initiate login URL** field.

+ 1. Microsoft's **Redirect URL** key goes into Open LMS's **Redirection URI(s)** field.

+12. Select **Save changes**.

+13. The new tool should now appear in the **Tools** section of Open LMS's **Manage tools** page. Select the list icon to view **Tool configuration details**.

+14. Go back to the Microsoft LMS Gateway tab. Select **Next** to go to the **LMS provided registration keys** step.

+15. Copy and paste the values from Open LMS's **Tool configuration details** to Microsoft's **LMS provided registration keys** step.

+ Paste the values as follows:

+ | On Open LMS | On Microsoft LTI registration portal |

+ | | |

+ | Platform ID | Issuer ID URL |

+ | Client ID | Client ID |

+ | Deployment ID | Deployment ID |

+ | Public keyset URL | Keyset URL |

+ | Access token URL | Access token URL |

+ | Authentication request URL | Platform authentication URL |

+ Select **Next**.

+16. Review the **Review and add** page. If there are no errors, select **Save and exit**. You should see a message indicating successful registration.

+You've completed registration of either the Teams Classes or Teams Meetings LTI app.

+If you would like to add the other app too, repeat the steps above, selecting the other Teams LTI app in step 4.

+### Add Teams LTI apps to educators' Open LMS courses

+After registering Teams LTI apps, educators can add the Teams Classes app and the Teams Meetings app to their Open LMS courses.

+- [Educator instructions on adding the Teams Classes app](https://support.microsoft.com/topic/use-microsoft-teams-classes-in-your-lms-ac6a1e34-32f7-45e6-b83e-094185a1e78a).

+- [Educator instructions on adding the Teams Meetings app](https://support.microsoft.com/topic/use-microsoft-teams-meetings-in-your-lms-11b6095d-f90b-42b9-ab77-4dcff2bb3b76).

+## Technical requirements to launch Teams LTI apps

+To launch the Teams LTI apps within Open LMS, there are a few technical requirements that need to be met.

+> [!NOTE]

+> IT admins and educators can register LTI apps on the LTI apps registration portal.

+### IT admin technical requirements

+- Use Moodle version 3.10 or above.

+- Download the latest Microsoft O365 plugin for Moodle version 3.10 or above.

+- Access the LTI apps registration portal to register the LTI apps.

+ - Registration must be on completed on a desktop device.

+- Download the latest version of Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox.

+### Educator technical requirements

+- Access the LTI apps registration portal to register the LTI apps, if the IT admin hasn't registered the apps.

+ - Registration must be on completed on a desktop device.

+- Download the latest version of Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox.

+- [Teams LTI apps for Classes and Meetings in Open LMS](#add-teams-lti-apps-to-educators-open-lms-courses).

+### Student technical requirements

+- Teams LTI apps for Classes and Meetings in Open LMS.

+ - Students don't need to take any actions to add the Teams Classes or Meetings LTI apps.

+ 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

+1. Enable or Disable Removable Storage Access Control (RSAC):

+ You can enable Removable Storage Access Control as follows:

+ - Under **Custom > Configuration settings**, click **Add**.

+ - In the **Add Row** pane, enter:

+ - **Name** as **Enable RSAC**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`

+ - **Data Type** as **Integer**

+ - **Value** as **1**

+ `Disable: 0`

+ `Enable: 1`

+ - Click **Save**.

+ :::image type="content" source="images/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="images/enable-rsac.png":::

+2. Set Default Enforcement:

+ You can set default access (Deny or Allow) to removable media if there is no policy.

+ For example, you have either Deny or Allow policy for RemovableMediaDevices, but you do not have any policy for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.

+ - In the **Add Row** pane, enter:

+ - **Name** as **Default Deny**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`

+ - **Data Type** as **Integer**

+ - **Value** as **1** or **2**

+ `DefaultEnforcementAllow = 1`

+ `DefaultEnforcementDeny = 2`

+ - Click **Save**.

+ :::image type="content" source="images/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="images/default-deny.png":::

+3. Audit Default Deny:

+ You can create Audit policy for Default Deny as follows:

+ - In the **Add Row** pane, enter:

+ - **Name** as **Audit Default Deny**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf3520ea7-fd1b-4237-8ebc-96911db44f8e%7d/RuleData`

+ :::image type="content" source="images/audit-default-deny-1.png" alt-text="Screenshot of creating Audit Default Deny policy" lightbox="images/audit-default-deny-1.png":::

+ - **Data Type** as **String (XML file)**

+ - **Custom XML** as **Audit Default Deny.xml** file.

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20Default%20Deny.xml>

+ Use the following XML data to create Audit policy for Default Deny:

+ :::image type="content" source="images/audit-default-deny-xml-file-1.png" alt-text="Screenshot of audit default deny xml file":::

+4. ReadOnly - Group:

+ You can create removable storage group with ReadOnly access as follows:

+ - In the **Add Row** pane, enter:

+ - **Name** as **Any Removable Storage Group**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`

+ :::image type="content" source="images/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group" lightbox="images/any-removable-storage-group.png":::

+ - **Data Type** as **String (XML file)**

+ - **Custom XML** as **Any Removable Storage and CD-DVD and WPD Group.xml** file

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml>

+ Use the following XML data to create 'Any Removable Storage and CD-DVD and WPD Group' with ReadOnly access:

+ :::image type="content" source="images/read-only-group-xml-file.png" alt-text="Screenshot of read only group xml file":::

+5. ReadOnly - Policy:

+ You can create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity as follows:

+ - In the **Add Row** pane, enter:

+ - **Name** as **Allow Read Activity**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7d/RuleData`

+ :::image type="content" source="images/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "images/allow-read-activity.png":::

+ - **Data Type** as **String (XML file)**

+ - **Custom XML** as **Allow Read.xml** file

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml>

+ Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group:

+ :::image type="content" source="images/read-only-policy-xml-file.png" alt-text="Screenshot of read only policy xml file":::

+ - In the **Add Row** pane, enter:

+ - **Name** as **Approved USBs Group**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b65fa649a-a111-4912-9294-fb6337a25038%7d/GroupData`

+ :::image type="content" source="images/create-group-allowed-medias.png" alt-text="Screenshot of creating Approved USBs group" lightbox="images/create-group-allowed-medias.png":::

+ - **Data Type** as **String (XML file)**

+ - **Custom XML** as **Approved USBs Group.xml** file

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml>

+ Use the following XML data to create allowed medias group:

+ :::image type="content" source="images/create-group-allowed-medias-xml-file.png" alt-text="Screenshot of creating group for allowed medias xml file":::

+ - In the **Add Row** pane, enter:

+ - **Name** as **Allow access and Audit file information**

+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData`

+ :::image type="content" source="images/allow-access-audit-file-information-1.png" alt-text="Screenshot of Allow access and audit file information" lightbox= "images/allow-access-audit-file-information-1.png":::

+ - **Data Type** as **String (XML file)**

+ - **Custom XML** as **Allow full access and audit file.xml** file

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20full%20access%20and%20audit%20file.xml>

+ Use the following XML data to create policy to allow the approved USB group:

+ What does '47' mean in the policy? It's 9 + 2 + 36 = 47:

+ - Read access: 1 + 8 = 9.

+ - Write access: disk level 2.

+ - Execute: 4 + 32 = 36.

+1. Enable or Disable Removable Storage Access Control:

+ You can enable Removable Storage Access Control (RSAC) as follows:

+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control**

+ - In the **Device Control** window, select **Enabled**.

+ :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::

+2. Set Default Enforcement:

+ You can set default access (Deny or Allow) to removable media if there is no policy as follows:

+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement**

+ - In the **Select Device Control Default Enforcement** window, select **Default Deny**:

+ :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::

+3. Audit Default Deny:

+ Use the following XML data to create Audit policy for Default Deny:

+ :::image type="content" source="images/audit-default-deny-gp.png" alt-text="Screenshot of audit default deny xml data":::

+4. ReadOnly - Group:

+5. ReadOnly - Policy:

+ Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity:

+6. Create Group for Allowed Medias:

+ Use the following XML data to create removable storage allowed medias group:

+7. Create Policy to allow the approved USB Group:

+ Use the following XML data to create a policy to allow approved USB group:

+ :::image type="content" source="images/create-policy-allow-approved-usb-group-xml.png" alt-text="Screenshot of XML data to create policy to allow the approved USB Group using Group Policy" lightbox="images/create-policy-allow-approved-usb-group-xml.png":::

+ What does '47' mean in the policy? It's 9 + 2 + 36 = 47:

+ - Read access: 1+8 = 9.

+ - Write access: disk level 2.

+ - Execute: 4 + 32 = 36.

+8. Combine groups into one XML file:

+ You can combine device control policy groups into one XML file as follows:

+ - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.

+ - In the **Define device control policy groups** window, enter the file path containing the XML groups data.

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml>

+ The following is the device control policy groups xml schema:

+ :::image type="content" source="images/combine-grps-xml-file-gp.png" alt-text="Screenshot of combine groups into one XML file":::

+9. Combine policies into one XML file:

+ You can combine device control policy rules into one XML file as follows:

+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules**

+ :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::

+ - In the **Define device control policy rules** window, select **Enabled**, and enter the file path containing the XML rules data.

+ XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml>

+ The following is the device control policy rules xml schema:

+10. Set location for a copy of the file (evidence):

+ If you want to have a copy of the file (evidence) when Write access happens, you have to set the location where system can save the copy.

+ - In the **Define Device Control evidence data remote location** window, select **Enabled** and enter the local or network share folder path.

+ :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location" lightbox="images/evidence-data-remote-location-gp.png":::

+//information of file written to removable storage

+| extend Policy = tostring(parsed.Policy)

+| extend PolicyRuleId = tostring(parsed.PolicyRuleId)

+| extend MediaProductId = tostring(parsed.ProductId)

+| extend MediaVendorId = tostring(parsed.VendorId)

+| extend MediaSerialNumber = tostring(parsed.SerialNumber)

+| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)

+Either from the Microsoft Endpoint Manager admin center (Intune) or through Microsoft Graph API, the backend call is done through OMA-URI (GET to read or PATCH to update) and therefore the limitation is the same as any OMA-URI custom configuration profile in Microsoft which is officially 350,000 characters for XML files.

+For example, if you need two blocks of entries per user SID to "Allow"/"Audit allowed" specific users and two blocks of entries at the end to "Deny" all, you will be able to manage 2,276 users.

+- Admins with "Manage Security settings" permissions will have access to turn on troubleshooting mode.

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. If exclusions were added through the managed configuration profile, they can only be removed through the managed configuration profile. The command line works for exclusions that were added locally.

+|**Possible values**|disabled (default) <p> enabled|

+In **Configuration management** the **Onboarded via MDE security management** widget has been added to present the enrollment status breakdown of Microsoft Defender for Endpoint-managed devices.

+To see a list of all devices managed by Microsoft Defender for Endpoint, select **View all devices managed by MDE**.

+In the list, if a device's enrollment status is not "Success", select the device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation.

+> [!NOTE]

+> We are aware of an issue impacting the accurate detection of third-party MDMs when trying to use the security management feature and are working on a fix.

+| `RemoteIP` | `string` | IP address of the device from which the logon attempt was performed |

+## View email admin submissions to Microsoft

+2. On the **Submissions** page, verify that the **Emails** tab is selected.

+ - You can sort the entries by clicking on an available column header. Click **Customize columns** to select the columns you need. All columns can be selected and showed in the submission grid. The default values are marked with an asterisk (^\*):

+ > :::image type="content" source="../../media/admin-submission-customize-columns.png" alt-text="The New Customize column options for admin submissions" lightbox="../../media/email-admin-submission-customize-columns.png":::

+ > :::image type="content" source="../../media/admin-submission-filters.png" alt-text="The New Filter options for admin submissions" lightbox="../../media/email-admin-submission-filters.png":::

+ - To group the entries, click **Group** and select one of the following values from the dropdown list:

+ - **None**

+ - **Reason**

+ - **Status**

+ - **Result**

+ - **Tags**

+ - To export the entries, click **Export**. In the dialog that appears, save the .csv file.

+## View email attachment admin submissions to Microsoft

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **Email attachments** tab is selected.

+ - You can sort the entries by clicking on an available column header. Click **Customize columns** to select the columns you need. All columns can be selected and showed in the submission grid. The default values are marked with an asterisk (^\*):

+ - **Attachment name**^\*

+ - **Date submitted**^\*

+ - **Reason for submitting**^\*

+ - **Status**^\*

+ - **Result**^\*

+ - **Filter verdict**

+ - **Delivery/Block reason**

+ - **Submission ID**

+ - **Object ID**

+ - **Policy action**

+ - **Submitted by**

+ - **Tags**^\*

+ - **Allow**

+ When you're finished, click **Apply**.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="../../media/admin-submission-customize-columns.png" alt-text="The New Customize column options for admin submissions" lightbox="../../media/email-attachment-admin-submission-customize-columns.png":::

+ - To filter the entries, click **Filter**. The available filters are:

+ - **Date submitted**: **Start date** and **End date**.

+ - **Submission ID**: A GUID value that's assigned to every submission.

+ - **Attachment filename**

+ - **Submitted by**

+ - **Reason for submitting**

+ - **Status**

+ - **Tags**

+ When you're finished, click **Apply**.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="../../media/admin-submission-filters.png" alt-text="The New Filter options for admin submissions" lightbox="../../media/email-attachment-admin-submission-filters.png":::

+ - To group the entries, click **Group** and select one of the following values from the dropdown list:

+ - **None**

+ - **Reason**

+ - **Status**

+ - **Result**

+ - **Tags**

+ - To export the entries, click **Export**. In the dialog that appears, save the .csv file.

+## View URLs admin submissions to Microsoft

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **URLs** tab is selected.

+ - You can sort the entries by clicking on an available column header. Click **Customize columns** to select the columns you need. All columns can be selected and showed in the submission grid. The default values are marked with an asterisk (^\*):

+ - **URL**^\*

+ - **Date submitted**^\*

+ - **Reason for submitting**^\*

+ - **Status**^\*

+ - **Result**^\*

+ - **Filter verdict**

+ - **Delivery/Block reason**

+ - **Submission ID**

+ - **Object ID**

+ - **Policy action**

+ - **Submitted by**

+ - **Tags**^\*

+ - **Allow**

+ When you're finished, click **Apply**.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="../../media/admin-submission-customize-columns.png" alt-text="The New Customize column options for admin submissions" lightbox="../../media/url-admin-submission-customize-columns.png":::

+ - To filter the entries, click **Filter**. The available filters are:

+ - **Date submitted**: **Start date** and **End date**.

+ - **Submission ID**: A GUID value that's assigned to every submission.

+ - **URL**

+ - **Submitted by**

+ - **Reason for submitting**

+ - **Status**

+ - **Tags**

+ When you're finished, click **Apply**.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="../../media/admin-submission-filters.png" alt-text="The New Filter options for admin submissions" lightbox="../../media/url-admin-submission-filters.png":::

+- Both add-ins are not available for shared, group, or delegated mailboxes (the add-ins will be greyed out).

+- The terms Standard and Strict come from our [recommended security settings](recommended-settings-for-eop-and-office365.md), which are also used in [preset security policies](preset-security-policies.md). Ideally, we would tell you to define your pilot users in the Standard and Strict preset security policies, but we can't do that. Why? Because you can't customize the settings in preset security policies (in particular, actions that are taken on messages). During your migration testing, you'll want to see what Defender for Office 365 would do to messages, verify that's what you want to happen, and possibly adjust the policy configurations to allow or prevent those results.

+ - Anti-phishing policies in Defender for Office 365 named **Standard Preset Security Policy** and **Strict Preset Security Policy**, which include:

+You can apply EOP protections to different users than Defender for Office 365 protections, or you can apply EOP and Defender for Office 365 to the same recipients.

+> [!NOTE]

+> In Defender for Office 365 protections, you need to identify the senders for [user impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) and the internal or external domains for [domain impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

+>

+> All domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) automatically receive domain impersonation protection in preset security policies.

+>

+> All recipients automatically receive impersonation protection from [mailbox intelligence](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in preset security policies.

+3. The **Apply Standard protection** or **Apply Strict protection** wizard starts in a flyout.

+ On the **Apply Exchange Online Protection** page, identify the internal recipients that the [EOP protections](#policies-in-preset-security-policies) apply to (recipient conditions):

+ - **All recipients**

+ - **Specific recipients**:

+ - **Users**

+ - **Groups**

+ - **Domains**

+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove  next to the value.

+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.

+ - **None**

+ - **Exclude these recipients**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

+ > [!NOTE]

+ > In organizations without Defender for Office 365, clicking **Next** takes you to the **Review** page. The remaining steps/pages before the **Review** page are available only in organizations with Defender for Office 365.

+4. On the **Apply Defender for Office 365 protection** page, identify the internal recipients that the [Defender for Office 365 protections](#policies-in-preset-security-policies) apply to (recipient conditions).

+ You can also select **Previously selected recipients** to use the same recipients that you selected for EOP protection on the previous page.

+ When you're finished, click **Next**.

+5. On the **Impersonation protection** page, click **Next**.

+6. On the **Add email addresses to flag when impersonated by attackers** page, add internal and external senders who are protected by [user impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

+ > [!NOTE]

+ > All recipients automatically receive impersonation protection from [mailbox intelligence](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in preset security policies.

+ Each entry consists of a display name and an email address. Enter each value in the boxes and then click **Add**. Repeat this step as many times as necessary.

+ You can specify a maximum of 350 users, and you can't specify the same user in the user impersonation protection settings in multiple policies.

+ To remove an existing entry from the list, click .

+ When you're finished, click **Next**.

+7. On the **Add domains to flag when impersonated by attackers** page, add internal and external domains that are protected by [domain impersonation protection](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

+ > [!NOTE]

+ > All domains that you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)) automatically receive domain impersonation protection in preset security policies.

+ All senders in the specified domains are protected by domain impersonation protection.

+ Enter the domain in the box, and then click **Add**. Repeat this step as many times as necessary.

+ To remove an existing entry from the list, select the entry, and then click .

+ The maximum number of domains that you can specify for domain impersonation protection in all anti-phishing policies is 50.

+ When you're finished, click **Next**.

+8. On the **Add trusted email addresses and domains to not flag as impersonation** page, enter the sender email addresses and domains that you want to excluded from impersonation protection. Messages from these senders will never be flagged as an impersonation attack, but the senders are still subject to scanning by other filters in EOP and Defender for Office 365.

+ Enter the email address or domain in the box, and then click **Add**. Repeat this step as many times as necessary.

+ To remove an existing entry from the list, select the entry, and then click .

+9. On the **Review and confirm this policy** page, verify your selections, and then click **Confirm**.

+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove  next to the value.

+|**Enable users to protect** (impersonated user protection) <br/><br/> _EnableTargetedUserProtection_ <br/><br/> _TargetedUsersToProtect_|Not selected <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|Selected <br/><br/> `$true` <br/><br/> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|

+|**Include custom domains** <br/><br/> _EnableTargetedDomainsProtection_ <br/><br/> _TargetedDomainsToProtect_|Off <br/><br/> `$false` <br/><br/> none|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|Selected <br/><br/> `$true` <br/><br/> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|

+2. End users can also add the sender to the [block senders list](https://support.microsoft.com/en-us/office/block-a-mail-sender-b29fd867-cac9-40d8-aed1-659e06a706e4#:~:text=1%20On%20the%20Home%20tab%2C%20in%20the%20Delete,4%20Click%20OK%20in%20both%20open%20dialog%20boxes..) in Outlook to prevent emails from this sender from being delivered to their inbox.

+3. Admins can triage the user reported messages from [user reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft&preserve-view=true) portal.

+4. From those reported messages, admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal&preserve-view=true) to learn why that email was allowed in the first place.

+5. If needed, while submitting to Microsoft for analysis, admins can create a [block for the sender](/microsoft-365/security/office-365-security/manage-tenant-blocks?view=o365-worldwide&preserve-view=true) to mitigate the problem.

+2. Admins can triage the user reported messages from the [user reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft&preserve-view=true) portal.

+3. From those reported messages admins can **submit to** [Microsoft for analysis](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal&preserve-view=true) and learn why that email was allowed in the first place.

+4. If needed, while submitting to Microsoft for analysis, admins can create a [block for the sender](/microsoft-365/security/office-365-security/manage-tenant-blocks?view=o365-worldwide&preserve-view=true) to mitigate the problem.

+1. End users receive an [email digest](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-worldwide&preserve-view=true) about quarantined messages as per the settings enabled by admins.

+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide&preserve-view=true).

+2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict.

+3. Admins can triage the user-reported messages from [user-reported content](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#view-user-submissions-to-microsoft&preserve-view=true) portal.

+4. From those reported messages admins can submit to [**Microsoft for analysis**](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide#notify-users-from-within-the-portal&preserve-view=true) and understand why was that email blocked in the first place.

+5. If needed, while submitting to Microsoft for analysis, admins can judiciously create an [**allow** for a sender](/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-worldwide#add-sender-allows-using-the-submissions-portal&preserve-view=true) to mitigate the problem.

+1. An end user receives an [email digest](/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages?view=o365-worldwide&preserve-view=true) about quarantined messages as per the settings enabled by security admins.

+1. Admins can view the quarantined emails (including the ones asking permission to request release) from the [review page](/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide&preserve-view=true).

+ - **View-Only Configuration** role group.

+> Quarantine notifications for messages sent to distribution groups or mail-enabled security groups are sent to all group members.

+>

+> Quarantine notifications for messages sent to Microsoft 365 Groups are sent to all group members only if the **Send copies of group conversations and events to group members** setting is turned on.