+ Title: "Microsoft 365 admin center Copilot for Microsoft 365 readiness"

+audience: Admin

+ms.localizationpriority: medium

+- Tier2

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+- m365copilot

+- magic-ai-copilot

+search.appverid:

+- BCS160

+- MST160

+- MET150

+- MOE150

+description: "Learn about the Copilot for Microsoft 365 readiness report and how it can help you assess your organization's readiness to adopt Copilot."

+# Microsoft 365 reports in the Admin Center ΓÇô Copilot for Microsoft 365 readiness

+The Microsoft 365 Usage dashboard shows you the activity overview across the Microsoft 365 apps in your organization. It enables you to drill into individual product-level reports to give you more granular insight about the activities within each app. To view all reports, check out the [Reports overview article](activity-reports.md).

+In the Copilot for Microsoft 365 readiness report, which is in continuous enhancement, you can view which users are technically eligible for Copilot, assign licenses, and monitor usage of Microsoft 365 apps that Copilot integrates best with. The report becomes available within 72 hours, and once available, the usage data shown on the report can have up to a maximum of 72 hours latency.

+## How do I get to the Copilot for Microsoft 365 report?

+1. In the admin center, go to **Reports** > **Usage**.

+1. Select the **Copilot for Microsoft 365** page.

+1. You can view Readiness on the first tab. Switch to the Usage tab to view adoption and usage metrics.

+## Interpret the Readiness section in the Copilot for Microsoft 365 report

+You can use this report to see how ready your organization is to adopt Copilot for Microsoft 365. The Readiness section is set up to show your data over the past 28 days. Currently this portion does not include any other time period options, but we'll be rolling out updates soon to enable 7-day, 30-day, 90-day, and 180-day periods.

+You can see the following summary charts in this report:

+**Total Prerequisite Licenses** The number is the sum of all users who have at least one license assigned to them or who could be assigned a license. The following license types are eligible for Copilot:

+**For Business and Enterprise**:

+- Microsoft 365 E5

+- Microsoft 365 E3

+- Microsoft 365 F1

+- Microsoft 365 F3

+- Office 365 E5

+- Office 365 E3

+- Office 365 E1

+- Office 365 F3

+- Microsoft 365 Business Basic

+- Microsoft 365 Business Premium

+- Microsoft 365 Business Standard

+**For Education Faculty and Higher Education Students Aged 18+**:

+- Microsoft 365 A1*

+- Microsoft 365 A3*

+- Microsoft 365 A5*

+- Office 365 A1*

+- Office 365 A3*

+- Office 365 A5*

+*Available via Enrollment for Education Solutions (EES) or Cloud Solution Provider (CSP) only.

+**Users on an eligible update channel** This number is the sum of all users who are enrolled in Current Channel or Monthly Enterprise Channel for app updates in your organization and could be assigned with a Copilot license.

+**Assigned Licenses** This number is the sum of all users who have already been assigned with a Copilot license in your organization.

+**Available Licenses** This number is the sum of all users who do not have a Copilot license assigned, and should be prioritized first.

+Recommended action cards highlight important actions to take to prepare your organization for Copilot, such as moving users to a monthly app update channel and assigning available Copilot licenses.

+The last recommended action card promotes [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights.

+This graph shows the sum of users that could benefit the most from having Copilot deployed based on where Copilot provides the most value in day-to-day scenarios.

+You can use the user table to get an at-a-glance view at which users are assigned a Copilot license, whether their devices are configured correctly, and if theyΓÇÖre using a Microsoft 365 app that has Copilot enabled.

+You can also export the report data into an Excel .csv file by selecting the Export link. This exports the Copilot for Microsoft 365 readiness data of all users with any engagement on Teams meetings, Teams chat, and Outlook email for Office docs in past 30 days, and enables you to do simple sorting, filtering, and searching for further analysis.

+To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.

+### User activity table

+| Item | Description |

+|--||

+| User name | The user's principal name. |

+| Has Copilot license been assigned | Yes/No field indicating if the user has a Copilot license assigned to them. |

+| Uses eligible update channel | Yes/No field indicating if devices are configured to get the latest or monthly updates. |

+| Uses Teams Meetings | Indicates whether the user has attended at least one meeting using Teams in the past 30 days. |

+| Uses Teams chat | Indicates whether the user has participated in at least one chat using Teams in the past 30 days. |

+| Uses Outlook Email | Indicates whether the user has sent at least one email using Outlook in the past 30 days. |

+| Uses Office docs | Indicates whether the user has collaborated on at least one document or file using OneDrive or sharepoint in the past 30 days. |

+## Make the user-specific data anonymous

+To make the data in the Copilot for Microsoft 365 report anonymous, you must be a global administrator. This will hide identifiable information (using MD5 hashes) such as display name, email, and Microsoft Entra Object ID in report and their export.

+1. In Microsoft 365 admin center, go to the **Settings** \> **Org Settings**, and under **Services** tab, choose **Reports**.

+2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports in Microsoft 365 admin center and Teams admin center.

+3. Select **Save changes**.

+ Title: "Microsoft 365 admin center Copilot for Microsoft 365 usage"

+description: "Learn how to get the Copilot for Microsoft 365 usage report and gain insights into the Copilot for Microsoft 365 activity in your organization."

+# Microsoft 365 reports in the Admin Center ΓÇô Copilot for Microsoft 365 usage

+In the Copilot for Microsoft 365 usage report, which is in continuous enhancement, you can view a summary of how usersΓÇÖ adoption, retention, and engagement are with Copilot for Microsoft 365, and the activity of every Copilot user in your organization. The report becomes available within 72 hours, and once available, the usage data shown on the report can have up to a maximum of 72 hours latency.

+## How do I get to the Copilot for Microsoft 365 usage report?

+1. Select the Usage tab to view adoption and usage metrics.

+## Interpret the Copilot for Microsoft 365 usage report

+| Last activity date (UTC (Universal Time Code)) | The latest date the user had activity in Copilot for Microsoft 365 among all Microsoft 365 products, including any of the intentional activities, over the selected time period. |

+| Last activity date of Teams Copilot (UTC) | The latest date the user had activity in Microsoft Teams Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of Word Copilot (UTC) | The latest date the user had activity in Word Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of Excel Copilot (UTC) | The latest date the user had activity in Excel Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of PowerPoint Copilot (UTC) | The latest date the user had activity in PowerPoint Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of Outlook Copilot (UTC) | The latest date the user had activity in Outlook Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of OneNote Copilot (UTC) | The latest date the user had activity in OneNote Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of Loop Copilot (UTC) | The latest date the user had activity in Loop Copilot, including any of the intentional activities, over the selected time period. |

+| Last activity date of Copilot chat (UTC) | The latest date the user had activity in Copilot chat, including any of the intentional activities, over the selected time period. |

+### Does Teams Copilot usage include Copilot chat usage in Teams?

+Teams Copilot usage excludes Copilot chat usage within Teams, as Copilot chat is a Teams app. In the future, we will add the Copilot chat usage breakdown in Teams, Bing, and more.

+### What are the behaviors of 'All up last activity date' and 'last activity date per app' in the user-level table?

+All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there's no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.

+Currently, you can configure the photo update settings using Microsoft Graph only. For more information, see [Manage user profile photo settings in Microsoft 365 using Microsoft Graph](/graph/profilephoto-configure-settings).

+1. In the admin center, expand **Teams & groups**, and then select **[Active teams & groups](https://go.microsoft.com/fwlink/p/?linkid=2052855)**.

+1. Select **Add Microsoft 365 group**.

+1. On the **Membership** tab, select **Members**.

+- AdminSurgePortfolio

+- AdminTemplateSet

+- admindeeplinkMAC

+- has-azure-ad-ps-ref

+1. In the admin center, go to **Teams & g****roups** > **[Active teams & groups](https://go.microsoft.com/fwlink/p/?linkid=2052855)**.

+1. Select the group you want to add the guest to, and select **Membership > Members**.

+- must-keep

+1. Select the three dots (more actions) \> choose **Manage DNS**.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+1. On the Domains page, select the domain that you're verifying, and select **Manage DNS**.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+ :::image type="content" source="../../media/dns-cloudflare/cloudflare-domains-TXT-spf-protection.png" alt-text="Screenshot of where you select Save to add an SPF TXT record.":::

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+1. Select **Save**.

+1. On the Overview page for your domain, select **DNS** from the navigation bar.

+ Title: Set up third-party billing for Microsoft 365 Backup Storage (Preview)

+audience: admin

+search.appverid:

+ - essentials-overview

+ms.localizationpriority: medium

+description: Set up third-party billing for Microsoft 365 Backup Storage.

+# Set up third-party billing for Microsoft 365 Backup Storage (Preview)

+Developers can create an application to manage Microsoft 365 Backup Storage in their customer's tenants. However, a Billing Policy must be created that associates your Microsoft 365 Backup Storage application to pay-as-you-go billing that has been configured in your tenant.

+To create a Billing Policy, you need to perform the following steps:

+1. [Set up pay-as-you-go billing](#step-1-set-up-pay-as-you-go-billing).

+2. [Submit a request to Microsoft to create a Billing Policy for your application](#step-2-submit-a-request-to-microsoft-to-create-a-billing-policy-for-your-application).

+> [!NOTE]

+> An application and tenant can only be associated to one and only one Billing Policy. That is, a tenant can't have more than one Billing Policy and an application can't be associated with more than one Billing Policy.

+### Step 1: Set up pay-as-you-go billing

+> [!WARNING]

+> This step needs to be performed in the same tenant that your Microsoft 365 Backup Storage application was created and registered in. That is, this should be performed in your tenant (and not your customer's tenants). Failure to do so will mean that your request to create a Billing Policy will be rejected.

+Microsoft 365 Backup is a pay-as-you-go offering that charges based on consumption, unlike traditional seat-based licenses. To set up pay-as-you-go for Microsoft 365 Backup, you'll need to have this information:

+- **Valid Azure subscription.** An Azure subscription provides a logical container for your resources. Each Azure resource is associated with only one subscription. Creating a subscription is the first step in adopting Azure. To learn more about Azure, see [Azure fundamental concepts](/azure/cloud-adoption-framework/ready/considerations/fundamental-concepts).

+- **Resource group.** A resource group provides a logical grouping of resources within an Azure subscription.

+- **Region.** The region in which you want to register the service.

+- **Owner or contributor.** Name of an owner or contributor role on the Azure subscription.

+Once you have the information on this list, you're ready to perform the following steps:

+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).

+2. Select **Setup**.

+3. On the **Setup** page, in the **Files and content** section, select **Use content AI with Microsoft Syntex**.

+4. On the **Use content AI with Microsoft Syntex** page, select **Set up billing**.

+

+> [!NOTE]

+> To set up pay-as-you-go billing for Microsoft 365 Backup, you must be an owner or contribution role on the Azure subscription to be used.

+5. If you *don't* have an Azure subscription or resource group, follow these steps. If you have an Azure subscription and resource group, go directly to step 6.

+ To create a new Azure subscription with the same organization and Microsoft Entra tenant as your Microsoft 365 subscription:

+ 1. Sign in to the [Azure portal](https://portal.azure.com/) with your Microsoft 365 admin, Microsoft Entra DC admin, or Global admin account.

+ 2. In the left navigation, select **Subscriptions**, and then select **Add**.

+ 3. On the **Add subscription** page, select an offer and complete the payment information and agreement.

+ To create a new Azure resource group:

+ 1. On the **Set up pay-as-you-go billing** panel, select **Learn more about Azure resource groups**.

+ 2. Or, you can follow steps in [Manage Azure resource groups by using the Azure portal](/azure/azure-resource-manager/management/manage-resource-groups-portal) to create a resource group.

+> [!NOTE]

+> The resource group should be mapped to the Azure subscription you provided when you set up pay-as-you-go.

+6. If you ***have*** an Azure subscription, follow these steps:

+ 1. On the **Set up pay-as-you-go billing** panel, under **Azure subscription**, select the subscription from the dropdown list.

+ 2. Under **Resource group**, select the resource group from the dropdown list.

+ 3. Under **Region**, select the region from the dropdown list.

+ 4. Review and accept the terms of service, and then select **Save**.

+> [!NOTE]

+> The subscription dropdown list will not populate if you are not an owner or contributor on the subscription.

+You have successfully set up pay-as-you-go billing.

+> [!IMPORTANT]

+> Any subsequent changes made to the billing for Microsoft 365 Backup Storage in the Microsoft 365 admin center or the Azure portal can take up to 24 hours to become effective.

+### Step 2: Submit a request to Microsoft to create a Billing Policy for your application

+To create a Billing Policy for your application and the pay-as-you-go billing configured in the previous step, you'll need to perform the following steps:

+1. Review the [Microsoft 365 Backup Storage - Third-Party public preview terms of service and conditions](../backup-preview-terms-third-party.md).

+2. Email *M365Backup3PBilling@microsoft.com* with the following information: We'll reply back to this email once the request is complete.

+ - Subject line containing your **Microsoft Entra tenant ID**.

+ - Message body containing your **Microsoft Entra tenant ID** and **Application Id** of your Microsoft 365 Backup Storage application.

+ - Screenshot of your **application registration details** in [Microsoft Azure > App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) for example: [https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/{ApplicationId}](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/{ApplicationId}).

+For details on how to find your Microsoft Entra tenant ID, refer to [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant).

+> [!IMPORTANT]

+> Submitting a request to Microsoft indicates that you have accepted the [Microsoft 365 Backup Storage - Third Party public preview terms of service and conditions](../backup-preview-terms-third-party.md).

+> [!WARNING]

+> The domain of the email address from which you email Microsoft must be registered in the same tenant where you configured the pay-as-you-go billing in the previous step. That is, your email domain must be listed in [Microsoft 365 admin center > Domains](https://admin.microsoft.com/Adminportal/?#/Domains). Failure to do so will mean that your request to create a Billing Policy will be rejected.

+> [!NOTE]

+> - All requests are processed on a "first come, first served" basis and can take 3 to 5 business days to be processed.

+> - If any invalid information is provided, then your request might be rejected without any further correspondence.

+Once your request is processed and you receive a confirmation email, your application is able to enable Microsoft 365 Backup Storage in your customer's tenants using your Billing Policy.

+ Title: Application lifecycle for Microsoft 365 Backup Storage (Preview)

+audience: admin

+search.appverid:

+ - essentials-overview

+ms.localizationpriority: medium

+description: Application lifecycle for Microsoft 365 Backup Storage.

+# Application lifecycle for Microsoft 365 Backup Storage (Preview)

+## Onboard a third-party Microsoft 365 Backup Storage application

+Once your Microsoft 365 Backup Storage application is given consent to execute in the Consuming Tenant, to enable it to be the Microsoft 365 Backup Storage Controller in a Consuming Tenant, you'll need to perform the following programmatic tasks (via your application):

+1. [Register your application as a Microsoft 365 Backup Storage Controller](#step-1-register-your-application-as-a-microsoft-365-backup-storage-controller).

+2. [Check if the Microsoft 365 Backup Service is enabled in the Consuming Tenant](#step-2-check-if-the-microsoft-365-backup-service-is-enabled-in-the-consuming-tenant).

+3. [Activate your application to be the Microsoft 365 Backup Storage Controller](#step-3-activate-your-application-to-be-the-microsoft-365-backup-storage-controller).

+ - If there was an existing Controller, wait for the [Grace Period](#existing-microsoft-365-backup-storage-controller-grace-period) to complete.

+4. [Enable your Billing Policy in the Consuming Tenant](#step-4-enable-your-billing-policy-in-the-consuming-tenant).

+After your application is registered, you can always check the state of your application as the Microsoft 365 Backup Storage Controller by executing the [Get serviceApp](/graph/api/serviceapp-get?view=graph-rest-beta) API:

+```http

+GET /solutions/backupRestore/serviceApps/{serviceAppId}

+```

+### Step 1: Register your application as a Microsoft 365 Backup Storage Controller

+To register your application to be a Microsoft 365 Backup Storage Controller, you first need to register your application by executing the [Create service App](/graph/api/backuprestoreroot-post-serviceapps?view=graph-rest-beta) API:

+```http

+POST /solutions/backupRestore/serviceApps/

+```

+If your application was successfully registered, it has a state of **inactive**. The returned ID is the Service App ID of your application (which is your Application ID).

+### Step 2: Check if the Microsoft 365 Backup Service is enabled in the Consuming Tenant

+To check if the Microsoft 365 Backup Service is enabled in the Consuming Tenant, your application needs to execute the [Get backupRestoreRoot](/graph/api/backuprestoreroot-get?view=graph-rest-beta) API:

+```http

+GET /solutions/backupRestore/

+```

+If the returned state is **enabled**, then this state indicates that there's an active Microsoft 365 Backup Storage Controller and that changing the Controller enforces a grace period.

+All other states indicate that there's no active Microsoft 365 Backup Storage Controller and that an application can immediately become the Controller when registering.

+### Step 3: Activate your application to be the Microsoft 365 Backup Storage Controller

+To activate your application as the Microsoft 365 Backup Storage Controller depends on whether or not there's already an existing Microsoft 365 Backup Storage Controller (either first-party or third-party).

+> [!NOTE]

+> Activating your application as the Microsoft 365 Backup Storage Controller will notify all of the Consuming Tenant Backup Admins via an email.

+#### No existing Microsoft 365 Backup Storage Controller

+If there's no existing Microsoft 365 Backup Storage Controller, then you can immediately activate your application as the Controller. To do this, you execute the [serviceApp: activate](/graph/api/serviceapp-activate?view=graph-rest-beta) API:

+```http

+POST /solutions/backupRestore/serviceApps/{serviceAppId}/activate

+```

+If your application was immediately activated successfully, it has a state of **active**.

+#### Existing Microsoft 365 Backup Storage Controller

+If there's an existing Microsoft 365 Backup Storage Controller, then when activating your application as the Controller you need to specify a date/time as to when the change is effective. The date/time needs to be at least 7-days in the future, but not greater than 30-days.

+To activate your application, you need to execute the [serviceApp: activate](/graph/api/serviceapp-activate?view=graph-rest-beta) API specifying the effective date/time in the Request JSON body:

+```http

+POST /solutions/backupRestore/serviceApps/{serviceAppId}/activate

+```

+> [!NOTE]

+> If there is already a pending change to the Microsoft 365 Backup Storage Controller already in progress, then your request will fail with a HTTP 403 error code. You will not be able to activate your application until the pending change has completed.

+If your application was successfully activated for a date/time in the future, it has a state of **pendingActive**.

+### Existing Microsoft 365 Backup Storage Controller Grace Period

+If there was an existing Microsoft 365 Backup Storage Controller when you activated your application, this enforces a Grace Period of between 7 to 30 days (as specified when you activated your application).

+**During the Grace Period:**

+- Your application has a state of **pendingActive**.

+- Your application has read-only access to any existing Protection Policies. Your application won't be able to change or create Protection Policies or perform any Restores.

+- The Consuming Tenant Backup Admin can cancel the pending change of the Microsoft 365 Backup Storage Controller and revert back to original state.

+- Your application can cancel the pending change of the Microsoft 365 Backup Storage Controller and revert back to original state by executing the [serviceApp: deactivate](/graph/api/serviceapp-deactivate?view=graph-rest-beta) API:

+```http

+POST /solutions/backupRestore/serviceApps/{serviceAppId}/deactivate

+```

+- Your application can check the state of your application as the Microsoft 365 Backup Storage Controller by executing the [Get serviceApp](/graph/api/serviceapp-get?view=graph-rest-beta) API:

+```http

+GET /solutions/backupRestore/serviceApps/{serviceAppId}

+```

+**On completion of the Grace Period:**

+- Your application has a state of **active**.

+> [!NOTE]

+> Any state changes made to the Microsoft 365 Backup Storage Controller will notify all of the Consuming Tenant Backup Admins via an email. This includes the following events:

+> - Activating a Service App as the Microsoft 365 Backup Storage Controller

+> - Canceling the pending change to the Microsoft 365 Backup Storage Controller

+> - Deactivating a Service App as the Microsoft 365 Backup Storage Controller

+> - Completion of the Grace Period

+### Step 4: Enable your Billing Policy in the Consuming Tenant

+Once your application has a status of active, you'll need to enable your Billing Policy in the Consuming Tenant. This step is performed by executing the [backupRestoreRoot: enable](/graph/api/backuprestoreroot-enable?view=graph-rest-beta) API:

+```http

+POST /solutions/backupRestore/enable

+```

+After you have enabled the Billing Policy, your application will be the Microsoft 365 Backup Storage Controller in the Consuming Tenant and will now be able to maintain the Microsoft 365 Backup Service (as per your applicationΓÇÖs oAuth permission scopes).

+> [!NOTE]

+> You can execute this API multiple times in that it is idempotent. It is recommended to enable the Billing Policy in the Consuming Tenant if, for whatever reason, your Billing Policy changes. For example, if you want to change the Azure Subscription Id or Resource Group.

+## Offboarding a Microsoft 365 Backup application

+### Another application is Activated as the Microsoft 365 Backup Storage Controller

+If your application is the active Microsoft 365 Backup Storage Controller, it's possible that another application (first-party or third-party) can also be activated as per the onboarding process defined in [Existing-Microsoft 365 Backup Storage Controller](#existing-microsoft-365-backup-storage-controller) and [Existing Microsoft 365 Backup Storage Controller Grace Period](#existing-microsoft-365-backup-storage-controller-grace-period). If this event occurs, your application won't be explicitly notified. However, the state of your application becomes **pendingInactive**.

+T

+o get the state of your application being the Microsoft 365 Backup Storage Controller your application can execute the [Get serviceApp](/graph/api/serviceapp-get?view=graph-rest-beta) API:

+```http

+GET /solutions/backupRestore/serviceApps/{serviceAppId}

+```

+**During the Grace Period:**

+- Your application has a state of **pendingInactive**.

+- Your application continues to have access to the existing Protection Policies and is able to change or create Protection Policies or perform any Restores (as per your oAuth permission scopes).

+- Your application continues to be responsible for the Microsoft 365 Backup billing and hence the consumption in the Consuming Tenant.

+- The Consuming Tenant Backup Admin can cancel the pending change of the Microsoft 365 Backup Storage Controller and revert back to original state such that your application is restored as the active Microsoft 365 Backup Storage Controller.

+**On completion of the Grace Period:**

+- Your application has a state of **inactive**.

+- Your application is no longer responsible for the Microsoft 365 Backup billing and hence the pay-as-you-go billing in the Consuming Tenant.

+### Deactivate your application as the Microsoft 365 Backup Storage Controller

+To deactivate your application from being the Microsoft 365 Backup Service in the Consuming Tenant, your application needs to execute the [serviceApp: deactivate](/graph/api/serviceapp-deactivate?view=graph-rest-beta) API:

+```http

+POST /solutions/backupRestore/serviceApps/{serviceAppId}/deactivate

+```

+The outcome of deactivating your application depends on the current state of your application.

+#### Deactivating with current state of inactive

+Deactivating your application that has a state of **inactive** does nothing.

+#### Deactivating with current state of pendingActive

+Deactivating your application that has a state of **pendingActive** cancels your pending change to become the Microsoft 365 Backup Storage Controller.

+After successfully invoking the API:

+- Your application has a state of **inactive**.

+- The application that is currently the Microsoft 365 Backup Storage Controller has a state of **active**.

+

+> [!NOTE]

+> Deactivating your application as the Microsoft 365 Backup Storage Controller will notify all of the Consuming Tenant Backup Admins via an email.

+#### Deactivating with current state of pendingInactive

+Deactivating your application that has a state of **pendingInactive** won't do anything to the pending change of the Microsoft 365 Backup Storage Controller. That is, the pending change continues until the Grace Period is complete.

+#### Deactivating with current state of active

+You can't deactivate your application that has a state of **active** and your request fails with an HTTP error 403 code.

+To deactivate your application as the Microsoft 365 Backup Storage Controller, either another application needs to be activated, or you can [unregister your application](#unregister-your-application-as-the-microsoft-365-backup-storage-controller) to be a Microsoft 365 Backup Storage Controller.

+### Unregister your application as the Microsoft 365 Backup Storage Controller

+To unregister your application from being the Microsoft 365 Backup Storage Controller in the Consuming Tenant, your application needs to execute the [Delete serviceApp](/graph/api/backuprestoreroot-delete-serviceapps?view=graph-rest-beta) API:

+```http

+DELETE /solutions/backupRestore/serviceApps/{serviceAppId}

+```

+The outcome of unregistering your application depends on the current state of your application.

+> [!NOTE]

+> Unregistering your application as the Microsoft 365 Backup Storage Controller will notify all of the Consuming Tenant Backup Admins via an email.

+#### Unregistering with current state of inactive

+Unregistering your application that has a state of **inactive** removes your application as being available to be the Microsoft 365 Backup Storage Controller.

+After successfully invoking the API:

+- Your application is no longer available to become the Microsoft 365 Backup Storage Controller (unless it's reregistered).

+#### Unregistering with current state of pendingActive

+Unregistering your application that has a state of **pendingActive** cancels your pending change to become the Microsoft 365 Backup Storage Controller.

+After successfully invoking the API:

+- Your application is no longer available to become the Microsoft 365 Backup Storage Controller (unless it's reregistered).

+- Your application no longer has read-only access to any existing Protection Policies.

+- The application that is currently the Microsoft 365 Backup Storage Controller has a state of **active**.

+#### Unregistering with current state of pendingInactive

+You can't unregister your application that has a state of **pendingInactive** and your request fails with an HTTP 403 error code.

+To unregister your application as the Microsoft 365 Backup Storage Controller, you'll need to wait for the Grace Period to be complete (or if the pending change is canceled and your application is reinstated as the Microsoft 365 Backup Storage Controller).

+#### Unregistering with current state of active

+Unregistering your application that has a state of **active** automatically initiates a pending change of the Microsoft 365 Backup Storage Controller with a mandatory 7-day Grace Period.

+**After successfully invoking the API and during the Grace Period:**

+- Your application won't be able access, create, or change any Protection Policies or perform any Restores.

+- Your application is no longer be available to become the Microsoft 365 Backup Storage Controller (unless it's reregistered).

+- Your application continues to be responsible for the Microsoft 365 Backup billing and hence the consumption in the Consuming Tenant until another application is activated to become the Microsoft 365 Backup Storage Controller.

+**On completion of the Grace Period:**

+- Your application is still no longer available to become the Microsoft 365 Backup Storage Controller (unless it's reregistered).

+- If another application is not activated to be the Microsoft 365 Backup Storage Controller, then the offboarding of the Microsoft 365 Backup Service in the Consuming Tenant is initiated.

+- Your application continues to be responsible for the Microsoft 365 Backup billing and hence the consumption in the Consuming Tenant until another application is activated to be the Microsoft 365 Backup Storage Controller or until the billing period expires (30-days) as per the offboarding of the Microsoft 365 Backup Service in the Consuming Tenant.

+> [!WARNING]

+> If your application is the active Microsoft 365 Backup Storage Controller when you unregister it, you are potentially responsible for an additional 37 days (7 days plus 30 days) for the Microsoft 365 Backup pay-as-you-go billing in the Consuming Tenant.

+ Title: Overview for third-party developers of Microsoft 365 Backup Storage (Preview)

+audience: admin

+search.appverid:

+ - essentials-overview

+ms.localizationpriority: medium

+description: Overview for third-party developers for Microsoft 365 Backup Storage.

+# Overview for third-party developers of Microsoft 365 Backup Storage (Preview)

+Third-party developers can create their own applications to manage Microsoft 365 Backup Storage instead of using the out-of-the-box experience provided by Microsoft.

+Creating an application means that your third-party application becomes the Microsoft 365 Backup Storage **Controller** in the tenant where your application is deployed.

+To create and deploy an application, the third-party developers perform the following tasks:

+1. Develop your third-party Microsoft 365 Backup Storage application with the required oAuth permissions scopes and [Backup storage Graph APIs](/graph/api/resources/backuprestoreroot?view=graph-rest-beta).

+2. Create a Billing Policy for your Microsoft 365 Backup Storage application as per [Set up third-party billing for Microsoft 365 Backup Storage](backup-3p-billing.md).

+3. Request the Consuming Tenant Backup Admin to consent your Microsoft 365 Backup Storage application to be able to execute in the Consuming Tenant.

+> [!NOTE]

+> This is the standard app registration workflow that is typically invoked by the Consuming Tenant Admin clicking on the following URL:

+> ```

+> https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={applicationId}&response_type=code&scope=https://graph.microsoft.com/.default

+> ```

+- **Organizer view**: An organizer is someone who creates meeting types and shares the booking page with others so that they can easily schedule meetings with them. A personal booking page is where you can create meeting types that others can book with you. Custom meeting types give you the ability to customize when you want to meet and how that meeting type is shared with others. You control whether each meeting type is public to your scheduling page or is private and can only be accessed by a select group of people. You can access your Bookings with me page through Outlook, web and Teams. After you set up your page and publish it, you can share it with others. For example, you can add it to your Outlook signature.

+Public meeting types can be accessed by anyone that has your Bookings with me page address. You decide who you share your Bookings with me page address with.

+Private meeting types can also generate single use links. Single use links expire after their first booking.

+ Title: "Configure Exchange Server to use Hybrid Modern Auth"

+## Overview

+Hybrid Modern Authentication (HMA) in Microsoft Exchange Server is a feature that allows users to access mailboxes, which are hosted on-premises, by using authorization tokens obtained from the cloud.

+HMA enables Outlook to obtain Access and Refresh OAuth tokens from Microsoft Entra ID, either directly for password hash sync or Pass-Through Auth identities, or from their own Secure Token Service (STS) for federated identities. Exchange on-premises accepts these tokens and provide mailbox access. The method of obtaining these tokens and the credentials required are determined by the capabilities of the identity provider (iDP), which could range from simple username and password to more complex methods such as certificates, phone auth, or biometric methods.

+For HMA to work, the user's identity must be present in Microsoft Entra ID, and some configuration is required, which is handled by the Exchange Hybrid Configuration Wizard (HCW).

+In comparison to legacy authentication methods such as NTLM, HMA offers several advantages. It provides a more secure and flexible authentication method, leveraging the power of cloud-based authentication. Unlike NTLM, which relies on a challenge-response mechanism and doesn't support modern authentication protocols, HMA uses OAuth tokens, which are more secure and offer better interoperability.

+HMA is a powerful feature that enhances the flexibility and security of accessing on-premises applications, leveraging the power of cloud-based authentication. It represents a significant improvement over legacy authentication methods, offering enhanced security, flexibility, and user convenience.

+## Prerequisites to enable Hybrid Modern Auth

+In this section, we provide information and steps that need to be done to successfully configure and enable Hybrid Modern Auth in Microsoft Exchange Server.

+### Protocols that work with Hybrid Modern Auth

+Hybrid Modern Authentication works for the following Exchange Server protocols:

+|Protocol|Hybrid Modern Auth Supported|

+|--||

+|MAPI over HTTP (MAPI/HTTP)|Yes|

+|Outlook Anywhere (RPC/HTTP)|No|

+|Exchange Active Sync (EAS)|Yes|

+|Exchange Web Services (EWS)|Yes|

+|Outlook on the Web (OWA)|Yes|

+|Exchange Admin Center (ECP)|Yes|

+|Offline Address Book (OAB)|Yes|

+|IMAP|No|

+|POP|No|

+### Steps to follow to configure and enable Hybrid Modern Auth

+To enable Hybrid Modern Authentication (HMA), you must ensure that your organization meets all necessary prerequisites. Additionally, you should confirm that your Office client is compatible with Modern Authentication. For more details, refer to the documentation on [How modern authentication works for Office 2013 and Office 2016 client apps](modern-auth-for-office-2013-and-2016.md).

+1. Make sure you meet the prerequisites before you begin. Since many prerequisites are common for both Skype for Business and Exchange Server, review them in [Hybrid Modern Authentication overview and prerequisites for using it with on-premises Skype for Business and Exchange servers](hybrid-modern-auth-overview.md).

+2. [Add on-premises web service URLs to Microsoft Entra ID](#add-on-premises-web-service-urls-as-spns-in-microsoft-entra-id). The URLs must be added as `Service Principal Names (SPNs)`. In case that your Exchange Server setup is in hybrid with **multiple tenants**, these on-premises web service URLs must be added as SPNs in the Microsoft Entra ID of all the tenants, which are in hybrid with Exchange Server on-premises.

+3. [Ensure that all virtual directories are enabled for HMA](#verify-virtual-directories-are-properly-configured). If you want to configure [Hybrid Modern Authentication for Outlook on the Web (OWA) and Exchange Control Panel (ECP)](#enable-hybrid-modern-authentication-for-owa-and-ecp), it's important to also verify the respective directories.

+4. [Check for the EvoSTS Auth Server object](#confirm-the-evosts-auth-server-object-is-present).

+5. Ensure that the [Exchange Server OAuth certificate](/exchange/plan-and-deploy/integration-with-sharepoint-and-skype/maintain-oauth-certificate) is valid.

+6. Ensure that all user identities are synchronized with Microsoft Entra ID.

+7. (Optional) If you want to use the Outlook for iOS and Android client, make sure to [allow the AutoDetect service to connect to your Exchange Server](#using-hybrid-modern-authentication-with-outlook-for-ios-and-android).

+8. [Enable HMA in Exchange on-premises](#enable-hma).

+ Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | fl server,*url*

+3. Next, connect to Microsoft Entra ID by following [these instructions](connect-to-microsoft-365-powershell.md). To consent to the required permissions, run the following command:

+ Note down the output of this command, which should include an `https://*autodiscover.yourdomain.com*` and `https://*mail.yourdomain.com*` URL, but mostly consist of SPNs that begin with `00000002-0000-0ff1-ce00-000000000000/`. If there are `https://` URLs from your on-premises that are missing, those specific records should be added to this list.

+5. If you don't see your internal and external `MAPI/HTTP`, `EWS`, `ActiveSync`, `OAB`, and `AutoDiscover` records in this list, you must add them. Use the following command to add all URLs that are missing. In our example, the URLs that are added are `mail.corp.contoso.com` and `owa.contoso.com`. Make sure that they're replaced by the URLs that are configured in your environment.

+6. Verify that your new records were added by running the `Get-MsolServicePrincipal` command from step 2 again, and validate the output. Compare the list from before to the new list of SPNs. You might also note down the new list for your records. If you're successful, you should see the two new URLs in the list. Going by our example, the list of SPNs now includes the specific URLs `https://mail.corp.contoso.com` and `https://owa.contoso.com`.

+## Verify virtual directories are properly configured

+Now verify OAuth is properly enabled in Exchange on all of the virtual directories Outlook might use by running the following commands:

+Get-MapiVirtualDirectory | fl server,*url*,*auth*

+Get-WebServicesVirtualDirectory | fl server,*url*,*oauth*

+Get-OABVirtualDirectory | fl server,*url*,*oauth*

+Get-AutoDiscoverVirtualDirectory | fl server,*oauth*

+Get-ActiveSyncVirtualDirectory | fl server,*url*,*auth*

+Check the output to make sure `OAuth` is enabled for each of these virtual directories, it looks something like this (and the key thing to look at is `OAuth` as mentioned before):

+Now on the Exchange Server on-premises Management Shell (EMS) run this last command. You can validate that your Exchange Server on-premises returns an entry for the evoSTS authentication provider:

+Your output should show an AuthServer of the Name `EvoSts - <GUID>` and the `Enabled` state should be `True`. If that's not the case, you should download and run the most recent version of the [Hybrid Configuration Wizard](https://aka.ms/HybridWizard).

+In case that Exchange Server on-premises runs a hybrid configuration with **multiple tenants**, your output shows one AuthServer with the Name `EvoSts - <GUID>` for each tenant in hybrid with Exchange Server on-premises and the `Enabled` state should be `True` for all of these AuthServer objects.

+Run the following commands in the Exchange Server on-premises Management Shell (EMS) and replace the `<GUID>` in the command line with the GUID from the output of the last command you ran. In older versions of the Hybrid Configuration Wizard the EvoSts AuthServer was named `EvoSTS` without a GUID attached. There's no action you need to take, just modify the preceding command line by removing the GUID portion of the command.

+If the Exchange Server on-premises version is Exchange Server 2016 (CU18 or higher) or Exchange Server 2019 (CU7 or higher) and hybrid was configured by the help of the HCW downloaded **after September 2020**, run the following command in the Exchange Server on-premises Management Shell (EMS). For the `DomainName` parameter, use the tenant domain value, which is usually in the form `contoso.onmicrosoft.com`:

+In case Exchange Server on-premises is in hybrid with **multiple tenants**, there are multiple AuthServer objects present in the Exchange Server on-premises organizations with domains corresponding to each tenant. The `IsDefaultAuthorizationEndpoint` flag should be set to `True` for any one of these AuthServer objects. The flag can't be set to true for all the AuthServer objects and HMA would be enabled even if one of these AuthServer object `IsDefaultAuthorizationEndpoint` flag is set to true.

+You should also hold down the `CTRL` key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and select `Connection Status`. Look for the client's SMTP address against an `AuthN` type of `Bearer\*`, which represents the bearer token used in OAuth.

+After the Hybrid Modern Authentication was enabled for `OWA` and `ECP`, each end user and administrator who tries to log in into `OWA` or `ECP` will be redirected to the Microsoft Entra ID authentication page first. After the authentication was successful, the user will be redirected to `OWA` or `ECP`.

+> [!IMPORTANT]

+> All servers must have at least the [Exchange Server 2019 CU14](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-cumulative-update-for-exchange-server/ba-p/4047506) update installed. They must also run the [Exchange Server 2019 CU14 April 2024 HU](https://support.microsoft.com/help/5037224) or a later update.

+Customers who have already run the Hybrid Configuration Wizard (HCW) to configure hybrid, have an OAuth configuration in place. If OAuth wasn't configured before, it can be done by running the HCW or by following the steps as outlined in the [Configure OAuth authentication between Exchange and Exchange Online organizations](/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help) documentation.

+It's recommended to document the `OwaVirtualDirectory` and `EcpVirtualDirectory` settings before making any changes. This documentation will enable you to restore the original settings if any issues arise after configuring the feature.

+> [!WARNING]

+> Publishing Outlook Web App (OWA) and Exchange Control Panel (ECP) through Microsoft Entra application proxy is unsupported.

+1. Query the `OWA` and `ECP` URLs that are configured on your Exchange Server on-premises. This is important because they must be added as reply url to Microsoft Entra ID:

+2. Install the Microsoft Graph PowerShell module if it hasn't yet been installed:

+8. (Optional) Only required if [Download Domains](/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-download-domains) are used:

+9. (Optional) Only required in [Exchange resource forest topology](/exchange/deploy-exchange-2013-in-an-exchange-resource-forest-topology-exchange-2013-help) scenarios:

+10. To enable Hybrid Modern Authentication for `OWA` and `ECP`, you must first disable any other authentication method on these virtual directories. It's important to perform the configuration in the given order. Failing to do so may result in an error message during the command execution.<br><br>After running these commands, login to `OWA` and `ECP` will stop work until the OAuth authentication for those virtual directories has been activated. Ensure that all accounts are synchronized to Microsoft Entra ID, especially all accounts, which are used for administration. Otherwise, the login stops working until they're synchronized.<br>Accounts, such as the built-in Administrator, won't be synchronized with Microsoft Entra ID and, therefore, can't be used for administration once HMA for OWA and ECP has been enabled. This behavior is due to the `isCriticalSystemObject` attribute, which is set to `True` for some accounts.<br><br>Run these commands for each `OWA` and `ECP` virtual directory on each Exchange Server:

+11. Enable OAuth for the `OWA` and `ECP` virtual directory. It's important to perform the configuration in the given order. Failing to do so may result in an error message during the command execution. For each `OWA` and `ECP` virtual directory on every Exchange Server, these commands must be run:

+If you want to use the Outlook for iOS and Android client together with Hybrid Modern Authentication, make sure to allow the AutoDetect service to connect to your Exchange Server on `TCP 443` (HTTPS):

+The IP address ranges can also be found in the [Additional endpoints not included in the Office 365 IP Address and URL Web service](/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls) documentation.

+Use of the multitenant organization feature requires Microsoft Entra ID P1 licenses or above in all multitenant organization tenants. For additional details, see [Entra multitenant organization licensing requirements](/entra/identity/multi-tenant-organizations/multi-tenant-organization-overview#license-requirements). If you plan on utilizing [Entra cross-tenant sync](/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview) via the Microsoft 365 admin center or Microsoft Entra ID, also see [Entra cross-tenant sync licensing requirements](/entra/identity/multi-tenant-organizations/cross-tenant-synchronization-overview#license-requirements).

+- Through the **App usage - Microsoft Teams** card. If you leave the **Usage** tab before your report is generated, you can come back to the Manage frontline teams page to view your report later. When your report finishes loading, the card shows the overall percentage of users across all your frontline teams that have been active on Teams in the last 30 days. Choose **View details** to go to the dashboard and view your report.

+> [!IMPORTANT]

+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

+## Global Administrator permissions in the partner tenant

+Partner tenant users assigned the Global Administrator role in Microsoft Entra ID can do the following:

+- Sign up for Lighthouse in the Microsoft 365 admin center.

+- Activate and inactive a tenant.

+- Create, update, and delete tags.

+- Assign tags to and remove tags from a customer tenant.

+- Review audit logs.

+- Create, edit, and view alert rules.

+The following tasks in Lighthouse have specific Microsoft Entra role requirements:

+- To create and manage service requests, Lighthouse users must have at least one Microsoft Entra role assigned to them with the following property set: **microsoft.office365.supportTickets/allEntities/allTasks**.

+- To monitor service health, Lighthouse users must have at least one Microsoft Entra role assigned to them with the following property set: **microsoft.office365.serviceHealth/allEntities/allTasks**.

+For a complete list of Microsoft Entra roles, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference). For information on how to assign roles, see [Assign Microsoft Entra roles to users](/azure/active-directory/roles/manage-roles-portal).

+Where the loop content was originally created determines its storage location. See the [Loop Storage](/microsoft-365/loop/loop-compliance-summary#loop-storage) section in [Summary of governance, lifecycle, and compliance capabilities](/microsoft-365/loop/loop-compliance-summary) for Loop for a diagram and more information.

+Loop app workspaces are stored inside your tenant. Loop workspaces and pages count against your tenant's storage quota, starting November 2023. During the Loop app's Public Preview in 2023, Loop app content did **not** use your existing storage quota.

+When you share only a Loop page, you're giving users access to that specific page exclusively (not the whole workspace). The user can choose to use a company share link or people-specific share link; unless their tenant admin disabled some of the share link types. When sharing a page, you can choose to grant the user "*edit*", or "*read only*" access.

+## Guest/External sharing

+You can share Loop workspaces, pages, and components with users external to your company (guests) so they can collaborate with you. There are a few requirements that must be met for guest sharing to be possible:

+- Your organization must allow sharing files with guest users. Learn how to [manage this policy](/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting).

+- The user you're sharing with must have a guest account in your tenant or [Business-to-Business Invitation Manager is enabled](/entra/external-id/what-is-b2b).

+- Your organization doesn't have sensitivity labels configured. Loop external sharing won't work for companies with sensitivity labels configured. Once sensitivity labels for Loop workspaces, pages, and components are generally available, then external sharing for companies with sensitivity labels configured will function.

+Workspaces can only be shared with users that have an existing guest account in your tenant. If Business-to-business Invitation Manager is enabled, users can share a page or component with a guest user which will enable the flow to create a guest account for the user.

+If the above conditions are met, then you can share with guest users by:

+1. Navigate to the Loop workspace or page you want to share (or, navigate to the Loop file within OneDrive).

+1. Open the share menu in the top right of the screen within Loop (or, open the share menu next to the file while viewing it within OneDrive).

+1. Choose if you want to share the workspace or page (only applies within Loop).

+1. Enter the user's email address you wish to share with.

+1. Select **Send** or **Invite**.

+Sharing with external participants is done through "Share with specific people" links. Company-wide share links won't work with external participants. You must designate the guest user explicitly in the share dialog.

+When a guest user accesses the Loop workspace, page, or component from the link from your organization, they sign in and access the shared content using their guest account. They'll need to utilize the share link again to access the Loop workspace, page, or component in the future, as the content from your organization will not be accessible via their standard account.

+Loop workspaces currently have one type, with membership visible and manageable within the Loop app by the workspace owner. However, there's no integration with Microsoft 365 groups or Security groups.

+Currently, owners can't assign new members as owners. If the owner leaves the company, the workspace becomes ownerless. Administrators can't assign new owners to ownerless workspaces.

+PowerShell support for number of owners on a SharePoint Embedded container isn't yet available. Once it is, to find ownerless workspaces, query Loop workspace containers in SharePoint Embedded. For more information, see [Consuming Tenant Admin](/sharepoint/dev/embedded/concepts/admin-exp/cta), and [Get-SPO Container](/powershell/module/sharepoint-online/get-spocontainer). The Loop Application ID is listed in [Summary of governance, lifecycle, and compliance capabilities](/microsoft-365/loop/loop-compliance-summary).

+There are other types of groups and membership lists in the Microsoft ecosystem, such as Microsoft 365 groups and Security groups. Currently, Loop workspace membership does not use these groups or lists.

+Shared workspaces are permissioned with a roster and continue to exist even if someone leaves the company. However, if the creator of the workspace is the person who left the company, then others can't delete the workspace.

+Personal workspaces are also permissioned with a roster, but there's only one person in them by design. When a user leaves a company, their personal workspaces become ownerless.

+See [available admin capabilities](/microsoft-365/loop/loop-compliance-summary#available-admin-capabilities) section of the [Summary of governance, lifecycle, and compliance capabilities](/microsoft-365/loop/loop-compliance-summary) for more information.

+[Summary of governance, lifecycle, and compliance capabilities](/microsoft-365/loop/loop-compliance-summary)

+## Microsoft Entra External ID external collaboration settings

+Sharing in Microsoft 365 is governed at its highest level by the [B2B external collaboration settings in Microsoft Entra External ID](/azure/active-directory/external-identities/delegate-invitations). If guest sharing is disabled or restricted in Microsoft Entra External ID, this setting overrides any sharing settings that you configure in Microsoft 365.

+Check the external collaboration settings to ensure that sharing with guests isn't blocked.

+1. Sign in to Microsoft Entra External ID at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+Teams has an on/off switch for guest access and various settings available to control what guests can do in a team. The **Allow guest access in Teams** setting must be **On** for guest access to work in Teams.

+1. Sign in to the Microsoft 365 admin center at [https://admin.microsoft.com](https://admin.microsoft.com).

+The organization-level settings determine what settings are available for individual sites, including sites associated with teams. Site settings can't be more permissive than the organization-level settings.

+Choose any one of the following link-types, which will be selected by default when users share files and folders:

+- **Anyone with the link** - Choose this option if you expect to do many unauthenticated sharing of files and folders. If you want to allow *Anyone* links but are concerned about accidental unauthenticated sharing, consider one of the other options as the default. This link type is only available if you've enabled **Anyone** sharing.

+- **Specific people** - Consider this option if you expect to do many file and folder sharing with guests. This type of link works with guests and requires them to authenticate.

+1. Select **View** if you don't want users to make changes to the files and folders.

+## Related articles

+[SharePoint and OneDrive integration with Microsoft Entra External ID](/sharepoint/sharepoint-azureb2b-integration-preview)

+## Microsoft Entra External ID external collaboration settings

+Sharing in Microsoft 365 is governed at its highest level by the [external collaboration settings in Microsoft Entra External ID](/azure/active-directory/external-identities/delegate-invitations). If guest sharing is disabled or restricted in Microsoft Entra External ID, this setting overrides any sharing settings that you configure in Microsoft 365.

+Check the external collaboration settings to ensure that sharing with guests isn't blocked.

+1. Sign in to Microsoft Entra External ID at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+1. Select **Org settings**.

+1. In the list, select **Microsoft 365 Groups**.

+1. If you made changes, select **Save changes**.

+The organization-level settings determine the settings that are available for individual sites. Site settings can't be more permissive than the organization-level settings.

+Note that the site can't be shared with unauthenticated people (**Anyone** setting), but individual files and folders can.

+1. Select **Members** link in the upper right, which denotes the member count.

+[SharePoint and OneDrive integration with Microsoft Entra External ID](/sharepoint/sharepoint-azureb2b-integration-preview)

+## Microsoft Entra External ID external collaboration settings

+Sharing in Microsoft 365 is governed at its highest level by the [external collaboration settings in Microsoft Entra External ID](/azure/active-directory/external-identities/delegate-invitations). If guest-sharing is disabled or restricted in Microsoft Entra External ID, this setting overrides any sharing settings that you configure in Microsoft 365.

+Check the external collaboration settings to ensure that sharing with guests isn't blocked.

+

+1. Sign in to Microsoft Entra External ID at [https://entra.microsoft.com/](https://entra.microsoft.com/).

+The organization-level settings for SharePoint determine the settings that are available for individual SharePoint sites. Site settings can't be more permissive than the organization-level settings. The organization-level setting for OneDrive determines the level of sharing that's available in users' OneDrive libraries.

+1. Ensure that external sharing for SharePoint or OneDrive is set to **Anyone** or **New and existing guests**. (Note that the OneDrive setting can't be more permissive than the SharePoint setting.)

+Choose a link from any of the following types, which is then selected by default when users share files and folders:

+- **Specific people** - Consider this option if you expect to do many file and folder sharing with guests. This type of link works with guests and requires them to authenticate.

+1. If you made changes, select **Save**.

+1. Select **View** if you don't want users to make changes to the files and folders.

+1. Under the **These links can give these permissions:** subpane,

+ - Select **View** if you don't want unauthenticated users to make changes to the files.

+ - Select **View** if you don't want unauthenticated users to make changes to the folders.

+[SharePoint and OneDrive integration with Microsoft Entra External ID](/sharepoint/sharepoint-azureb2b-integration-preview)

+> Through June 2025, you can try out autofill columns and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up autofill columns.

+ b. To restrict user access to this service, under **Sites where autofill columns can be used when it's turned on**, select **Edit**. On the **Where can autofill columns be used?** panel, change the setting from **All sites** to **Selected sites (up to 100)** or **No sites**. For selected sites, follow the instructions to select the sites or upload a CSV listing of the sites. You can then manage site access permissions for the sites you selected.

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up content assembly.

+> Through June 2025, you can try out content assembly and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+> Through June 2025, you can try out unstructured document processing and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+> Through June 2025, you can try out eSignature and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+The SharePoint eSignature service is set up in the Microsoft 365 admin center. Before you begin, determine whether this feature is appropriate for your needs by reading the [Before you begin section](esignature-overview.md#before-you-begin).

+### Licensing

+Before you can use SharePoint eSignature, you must first link an Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). Taxonomy tagging in Syntex is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).

+### Permissions

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up SharePoint eSignature.

+description: Read the Microsoft Syntex features limited time license to see the Microsoft Syntex features available as a preview for all pay-as-you-go users on a limited time basis.

+This License governs the limited time use of the following features, individually and collectively, and is referred to as "Features":

+&emsp;&emsp;b)&emsp;A Microsoft 365 tenancy with either Microsoft 365 admin access or SharePoint admin access

+This Limited Time License is effective on your acceptance and terminates on the earlier of (i) 30 days following first general availability of a commercial release of the Features in a Microsoft product or a future Microsoft product or (ii) September 20, 2024.

+After the Evaluation Period, Microsoft reserves the right to require an additional SKU for these capabilities. You won't be billed for use during the Evaluation Period.

+The Features are licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you won't (and have no right to):

+> Through June 2025, you can try out structured and freeform document processing and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+> Through June 2025, you can try out image tagging and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+The image tagging feature makes it even easier to tag images without any training, which means reducing the need for manual tagging or custom AI model building. This result means you can quickly find images in your libraries and set up processes based on the tags for the images.

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up image tagging.

+> Through June 2025, you can try out optical character recognition and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+Before you can use the OCR service in Microsoft Syntex, you must first link an Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). OCR in Syntex is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up the OCR service.

+After an [Azure subscription is linked to Microsoft Syntex](syntex-azure-billing.md), OCR will be automatically set up and enabled for all SharePoint sites for Microsoft Syntex.

+Follow these steps to manage which SharePoint sites have OCR enabled for Microsoft Syntex in the Microsoft 365 admin center.

+> Through June 2025, you can try out prebuilt document processing and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up prebuilt document processing.

+Through June 2025, your organization can use included monthly capacity for some of these services when you set up [pay-as-you-go billing](syntex-azure-billing.md). It's a great way to try out Syntex capabilities, such as document processing, document tagging, and content assembly, to see how you can use them to streamline processes in your organization.

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up structured and freeform document processing.

+- You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up Syntex.

+ [!INCLUDE [global-administrator-note](../includes/global-administrator-note.md)]

+Pay-as-you-go licensing includes access to additional Syntex features for a limited time as a preview. The feature limited preview ends September 20, 2024. You won't be charged on a pay-as-you-go basis during the preview. These features include:

+> Through June 2025, if you have [pay-as-you-go billing](syntex-azure-billing.md) set up, your organization will receive a limited amount of included capacity each month for selected services, letting you try these services at no cost. This offering does not include capacity for Microsoft 365 Archive or Microsoft 365 Backup. For more information, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+When you use Microsoft Syntex [pay-as-you-go](syntex-azure-billing.md), services are billed using Syntex meters in the Azure subscription that you specified when you set up Microsoft Syntex.

+The following table describes each meter, its pricing, and how it measures usage. When you connect your Azure subscription to Microsoft Syntex, users in your organization are able to take advantage of Syntex services right away. Your tenant is billed according to the details shown in this article.

+To help your organization in planning for pay-as-you-go services, you can use the [SharePoint cost calculator](https://aka.ms/SharePoint/PAYG-Calculator). This tool gives you a better understanding of your organizationΓÇÖs usage patterns and estimated costs so you can make more informed decisions.

+> Through June 2025, you can try out taxonomy tagging and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up taxonomy tagging.

+> Through June 2025, you can try out document translation and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md).

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up document translation.

+ b. To restrict user access to this service, under **Sites where document translation can be used when it's turned on**, select **Edit**. On the **Where can document translation be used?** panel, change the setting from **All sites** to **Selected sites (up to 100)** or **No sites**. For selected sites, follow the instructions to select the sites or upload a CSV listing of the sites. You can then manage site access permissions for the sites you selected.

+You must be a [SharePoint Administrator](/entra/identity/role-based-access-control/permissions-reference#sharepoint-administrator) or [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) to be able to access the Microsoft 365 admin center and set up unstructured document processing.

+Topics builds an index similar to search, and relies on the SharePoint search crawler to keep the index up to date. The search crawler detects changes in SharePoint, performs basic parsing of various document formats; examples of this include files with the extensions: aspx, doc, docx, htm, html, mht, msg, one, pdf, ppt, pptx, pub, txt, xls, xlsx, visio. This list is subject to change as we learn more about what files are important to customers to include. Topics currently doesn't index image, video or audio file types. The file name, title, subject, author, last saved person, create date and its recent activities all play a role in contributing to the information used to discover topics. To inform suggestions for the topic description, people and resources, information from people and collaboration insights in the Microsoft Cloud that are available through [Microsoft Graph](/graph/overview) are used. Topics observes existing content security features in Microsoft 365.

+All the data is kept within the Microsoft Purview boundary, which is encrypted at rest and in transit. The content is decrypted when being processed. When the data is written to storage, it will be encrypted according to the tenant configuration.

+You can manage topic discovery settings in the [Microsoft 365 admin center](https://admin.microsoft.com). You must be a SharePoint administrator to perform these tasks.

+You can manage who can see topic highlights, topic cards, and the topic center in the [Microsoft 365 admin center](https://admin.microsoft.com). You must be a SharePoint administrator and Groups admin to do these tasks.

+You must be [subscribed to Topics](https://www.microsoft.com/microsoft-viva/topics) and be both SharePoint and Groups administrator to access the Microsoft 365 admin center and set up Topics.

+You can change the name of your topic center in the [Microsoft 365 admin center](https://admin.microsoft.com). You must be a SharePoint administrator to perform these tasks.

+You must be [subscribed to a license that includes Topics](https://www.microsoft.com/microsoft-viva/topics) and be both SharePoint administrator and groups administrator to access the Microsoft 365 admin center and set up Topics.

+- Suggested connections - You will see topics listed under **We've listed you on these topics. Did we get it right?** These are topics in which your connection to the topic has been suggested through AI. For example, you might be an author of a related file or site. You're asked to confirm that you should stay listed as a related person for the topic.

+- Confirmed connections - These are topics in which you're pinned on the topic page or you've confirmed a suggested connection to the topic. Topics will move from the suggested to confirmed section when you confirm a suggested connection.

+- Knowledge admins: Admins set up Topics and manage it through the admin controls in the Microsoft 365 admin center. A SharePoint administrator can serve as a knowledge admin.

+Admin controls in the Microsoft 365 admin center allow you to manage Topics. They allow a Microsoft 365 SharePoint administrator to:

+Topics admins are admins who set up and configure Topics in your Microsoft 365 environment. They also manage the Topics settings after set up has completed. To administer Topics, you must be a SharePoint administrator and Groups administrator, since setup and management are done in the Microsoft 365 admin center.

+You can manage topic permissions settings in the [Microsoft 365 admin center](https://admin.microsoft.com). You must be a SharePoint administrator to perform these tasks.

+You must be a Microsoft 365 billing administrator to activate a trial.

+|Microsoft 365 billing admin|Activate the trial and assign licenses|

+|Microsoft 365 SharePoint admin|Configure Topics and create topic centers|