Updates from: 06/15/2021 03:12:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Active Users Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/active-users-ww.md
Title: "Microsoft 365 Reports in the admin center - Active Users"
+ Title: "Assess the Microsoft 365 Active Users report"
ms.assetid: fc1cf1d0-cd84-43fd-adb7-a4c4dfa8112d
description: "Learn how to get an Active Users report using the Microsoft 365 Reports dashboard in the Microsoft 365 admin center and find out how many product licenses are being used."
-# Microsoft 365 Reports in the admin center - Active Users
+# Assess the Microsoft 365 Active Users report
The Microsoft 365 **Reports** dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
For example, you can use the **Active Users** report to find out how many produc
You can view active users in the Office 365 report by choosing the **Active users** tab.<br/>![Microsoft 365 reports - Microsoft Office 365 active users.](../../media/56fe2e54-76ad-49e5-886f-1344c2697258.png)
-|||
-|:--|:--|
-|1. <br/> |The **Active Users** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you view a particular day in the report, the table (7) will show data for up to 28 days from the current date (not the date the report was generated). <br/> |
-|2. <br/> |The data in each report usually covers up to the last 24 to 48 hours. <br/> |
-|3. <br/> |The **Users** chart shows you daily active users in the reporting period separated by product. <br/> The **Activity** chart shows you daily activity count in the reporting period separated by product. <br/> The **Services** chart shows you count of users by activity type and Service. <br/> |
-|4. <br/> | On the **Users** chart, the x axis shows the selected reporting time period and the y axis displays the daily active users separated and color coded by license type. <br/> On the **Activity** chart, the x axis shows the selected reporting time period and the y axis displays the daily activity count separated and color coded by license type. <br/> On the **Services** activity chart, the X axis displays the individual services your users are enabled for in the given time period and the Y axis is the Count of users by activity status, color coded by activity status. <br/> |
-|5. <br/> |You can filter the series you see on the chart by selecting an item in the legend. Changing this selection doesn't change the info in the grid table. <br/> |
-|6. <br/> |You can also export the report data into an Excel .csv file, by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data. <br/> |
-|7. <br/> |You can change what information is displayed in the grid table with column controls. <br/> If your subscription is operated by 21Vianet, then you will not see Yammer. <br/> <br/> |
-|||
+- The Active Users report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you view a particular day in the report, the table (7) will show data for up to 28 days from the current date (not the date the report was generated).
+
+- The data in each report usually covers up to the last 24 to 48 hours.
+
+- The Users chart shows you daily active users in the reporting period separated by product.
+The Activity chart shows you daily activity count in the reporting period separated by product.
+The Services chart shows you count of users by activity type and Service.
+
+- On the Users chart, the x axis shows the selected reporting time period and the y axis displays the daily active users separated and color coded by license type.
+On the Activity chart, the x axis shows the selected reporting time period and the y axis displays the daily activity count separated and color coded by license type.
+On the Services activity chart, the X axis displays the individual services your users are enabled for in the given time period and the Y axis is the Count of users by activity status, color coded by activity status.
+
+- You can filter the series you see on the chart by selecting an item in the legend. Changing this selection doesn't change the info in the grid table.
+
+- You can also export the report data into an Excel .csv file, by selecting the Export link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data.
+
+- You can change what information is displayed in the grid table with column controls.
+If your subscription is operated by 21Vianet, then you will not see Yammer.
++ If your organization's policies prevents you from viewing reports where user information is identifiable, you can change the privacy setting for all these reports. Check out the **How do I hide user level details?** section in [Activity Reports in the Microsoft 365 admin center](activity-reports.md).
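Review bot: The first new bullet still says "the table (7) will show data", but the numbered callout column (1 to 7) is removed in this change, so "(7)" no longer points at anything; drop the number or refer to the grid table by name. The unindented continuation lines under the third, fourth and seventh bullets ("The Activity chart shows...", "On the Activity chart...", "If your subscription is operated by 21Vianet...") lose the "<br/>" breaks the table cells had and will run into the preceding sentence; make them sub-bullets or indented paragraphs. The bold on UI names (**Active Users**, **Export**) is dropped as well, and "policies prevents" in the closing paragraph should read "policies prevent".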
admin Microsoft Teams User Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-user-activity.md
Title: "Microsoft 365 Reports in the admin center - Microsoft Teams user activity"
+ Title: "Microsoft 365 admin center reports - Microsoft Teams user activity"
ms.assetid: 07f67fc4-c0a4-4d3f-ad20-f40c7f6db524
description: "Learn how to get the Microsoft Teams user activity report and gain insights into the Teams activity in your organization."
-# Microsoft 365 Reports in the admin center - Microsoft Teams user activity
+# Microsoft 365 admin center reports - Microsoft Teams user activity
The Microsoft 365 **Reports** dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams user activity report, you can gain insights into the Microsoft Teams activity in your organization.
admin Admin Roles Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/admin-roles-page.md
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Admin roles map to business functions and give permissions to do specific tasks in the admin center. For example, the Service admin opens support tickets with Microsoft."
+description: "Admin roles map to business functions and provide permissions to do specific tasks in the admin center. For example, the Service admin opens support tickets with Microsoft."
# Get started with the roles page
You can export the admin list as well as search and filter by role.
![Filter or import admin roles](../../media/admin-role-page-options.png)
-|||
-|:--|:--|
-| <br/> |Use **Export admin list** to get a full list of all the admin users in your organization. The list is stored in an Excel .csv file. <br/> |
-| <br/> |Use **Search** to search for an admin role and see your users who are assigned to that role. <br/> |
-| <br/> |Use **Filter** to change your view of displayed admin roles. <br/> |
+- Use Export admin list to get a full list of all the admin users in your organization. The list is stored in an Excel .csv file.
+
+- Use Search to search for an admin role and see your users who are assigned to that role.
+
+- Use Filter to change your view of displayed admin roles.
+ ## Get the most out of the roles
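Review bot: The three new bullets drop the bold from the UI labels, so "Use Search to search for an admin role" and "Use Filter to change your view" no longer separate the control name from the rest of the sentence. Keep **Export admin list**, **Search** and **Filter** bold, as they were in the removed table rows.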
admin Change Nameservers At Any Domain Registrar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/change-nameservers-at-any-domain-registrar.md
Depending on whether you are creating a TXT record or an MX record, do one of th
**If you create a TXT record, use these values:**
-|||||
+
+|Record type<br/> |Alias or host name <br/> |Value <br/> |TTL<br/> |
|:--|:--|:--|:--|
-|**Record Type** <br/> |**Alias** or **Host Name** <br/> |**Value** <br/> |**TTL** <br/> |
|TXT <br/> |Do one of the following: Type **@** or leave the field empty or type your domain name. <br/> > [!NOTE]> Different DNS hosts have different requirements for this field.
-|MS=ms *XXXXXXXX* <br/> > [!NOTE]> This is an example. Use your specific **Destination or Points to Address** value here, from the table in Microsoft 365. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |Set this value to **1 hour** or to the equivalent in minutes ( **60** ), seconds ( **3600** ), etc. <br/> |
+|MS=ms *XXXXXXXX* <br/>**Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table in Microsoft 365. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |Set this value to **1 hour** or to the equivalent in minutes ( **60** ), seconds ( **3600** ), etc. <br/> |
**If you create an MX record, use these values:**
-||||||
+|Record type|Alias or host name|Value|Priority|TTL|
|:--|:--|:--|:--|:--|
-|**Record Type**|**Alias** or **Host Name**|**Value**|**Priority**|**TTL**|
-|MX|Type either **@** or your domain name. |MS=ms *XXXXXXXX* > [!NOTE]> This is an example. Use your specific **Destination or Points to Address** value here, from the table in Microsoft 365. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |For **Priority**, to avoid conflicts with the MX record used for mail flow, use a lower priority than the priority for any existing MX records. For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) |Set this value to **1 hour** or to the equivalent in minutes ( **60** ), seconds ( **3600** ), etc. |
+|MX|Type either **@** or your domain name. |MS=ms *XXXXXXXX* **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table in Microsoft 365. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |For **Priority**, to avoid conflicts with the MX record used for mail flow, use a lower priority than the priority for any existing MX records. For more information about priority, see [What is MX priority?](../setup/domains-faq.yml) |Set this value to **1 hour** or to the equivalent in minutes ( **60** ), seconds ( **3600** ), etc. |
### Save the record
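Review bot: The TXT row still carries a raw "> [!NOTE]>" alert inside the "Alias or host name" cell, while the Value cell of the same row and the MX row were converted to "**Note:**"; convert that one too so the row is not broken up by blockquote syntax. The new TXT header row also keeps "<br/>" in every cell, whereas the new MX header row has none; pick one form for both tables.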
To change your domain's nameservers at your domain registrar's website yourself,
1. Find the area on the domain registrar's website where you can change the nameservers for your domain or an area where you can use custom nameservers. 2. Create nameserver records, or edit the existing nameserver records to match the following values:
-
-|||
-|:--|:--|
-|First nameserver <br/> |ns1.bdm.microsoftonline.com <br/> |
-|Second nameserver <br/> |ns2.bdm.microsoftonline.com <br/> |
-|Third nameserver <br/> |ns3.bdm.microsoftonline.com <br/> |
-|Fourth nameserver <br/> |ns4.bdm.microsoftonline.com <br/> |
+
+ - First nameserver: ns1.bdm.microsoftonline.com
+ - Second nameserver: ns2.bdm.microsoftonline.com
+ - Third nameserver: ns3.bdm.microsoftonline.com
+ - Fourth nameserver: ns4.bdm.microsoftonline.com
+
> [!TIP] > It's best to add all four records, but if your registrar only supports two, add **ns1.bdm.microsoftonline.com** and **ns2.bdm.microsoftonline.com**.
To change your domain's nameservers at your domain registrar's website yourself,
1. Find the area on the domain registrar's website where you can edit the nameservers for your domain. 2. Create two nameserver records, or edit the existing nameserver records to match the following values:+
+ - First nameserver: ns1.dns.partner.microsoftonline.cn
+ - Second nameserver: ns2.dns.partner.microsoftonline.cn
-|||
-|:--|:--|
-|First nameserver <br/> |ns1.dns.partner.microsoftonline.cn <br/> |
-|Second nameserver <br/> |ns2.dns.partner.microsoftonline.cn <br/> |
-
> [!TIP] > You should use at least two nameserver records. If there are any other nameservers listed, you can either delete them, or change them to **ns3.dns.partner.microsoftonline.cn** and **ns4.dns.partner.microsoftonline.cn**.
admin Show Hide New Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/show-hide-new-features.md
You can filter which features appear on the **Manage which ΓÇÄOfficeΓÇÄ features
New features appear on the page based on the following schedule:
-||||
+|Channel|Date|Take action|
|:--|:--|:--|
-|**Channel** <br/> |**Date** <br/> |**Take action** <br/> |
|**Current** <br/> |15th of the month <br/> |1 - 3 weeks before the monthly release <br/> | |**Monthly Enterprise** <br/> |First of the month <br/> |Two weeks before the major release that brings new features | |**Semi-Annual Enterprise (Preview)** <br/> |Sept 1 and March 1 <br/> | 2 weeks before the major release that brings new features|
admin Stay On Top Of Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/stay-on-top-of-updates.md
With Microsoft 365, you receive new product updates and features as they become
## Stay on top of Microsoft 365 changes
-||||
+|Feature|Description|How to use|
|:--|:--|:--|
-|**Feature** <br/> |**Description** <br/> |**How to use** <br/> |
|**Message center** <br/> |Learn about official service announcements and feature changes. You can read these messages in the Microsoft 365 admin center, the admin mobile app, or receive a weekly digest in email. Share these messages with others in your organization when you see a message someone else should act on. You can also use the Service Communications API to retrieve messages. <br/> |Sign in to the [admin center](../admin-overview/about-the-admin-center.md) or [admin mobile app](../admin-overview/admin-mobile-app.md). Select **Health** \> **Message center**. Select a message to read or share. <br/> Change the services you see messages about or opt-in to the weekly digest by choosing **Edit preferences** in the admin center. This is also where you can opt-out of the weekly digest. <br/> [Overview of the Microsoft 365 Message center](message-center.md) <br/> | |**Targeted release** <br/> |Sign up for Targeted release for yourself and a select group of individuals at your organization. Get the latest Microsoft 365 updates before everyone else and then inform or train your users on the new experience. <br/> |Sign in to the [admin center](../admin-overview/about-the-admin-center.md) or [admin mobile app](../admin-overview/admin-mobile-app.md). Selece **Settings** \> **Organization profile** \> **Release preferences**. Learn more about [Targeted release](release-options-in-office-365.md). <br/> | |**Roadmap** <br/> |Visit the Microsoft 365 Roadmap to learn about features that have been launched, are rolling out, are in development, have been cancelled, or previously released. The roadmap is the official site for Microsoft 365 updates and changes. <br/> |Visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) frequently and learn about planned updates and releases. <br/> |
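Review bot: Since this change already touches the table, fix the typo in the Targeted release row, where "Selece **Settings**" should be "Select **Settings**". The body rows also still end each cell with "<br/>" while the new header row does not.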
admin Business Assist https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/business-assist.md
Get the most out of your subscription with expert advice from small business spe
|&nbsp;|&nbsp;|&nbsp;| |:--|:--|:--|
-|**Get up and running quickly** <br> Work with a small business specialist to set up Microsoft 365 features that protect your business and give it a professional look. |**Empower everyone in your business** <br> All your employees, not just the person in charge of IT can go directly to Microsoft experts for faster ongoing support. |**Unlock business potential** <br> Learn about underutilized features and get advice on ways to get more value out of your subscription. |
+|Work with a small business specialist to set up Microsoft 365 features that protect your business and give it a professional look. |All your employees, not just the person in charge of IT can go directly to Microsoft experts for faster ongoing support. |Learn about underutilized features and get advice on ways to get more value out of your subscription. |
|**Accelerate your cloud migration** <br> Get personalized help moving all your current files (email, storage, documents, and communication) to Microsoft 365. |**Access specialists with ease** <br> Our team will pick up the conversation where you left it last. No tickets to track, no robots, no long waiting times. |**Stay up to date** <br> Regular check-ups that help you stay current as new service capabilities are added, and your companyΓÇÖs needs evolve. | | | | |
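Review bot: The first row loses its bold cell headings ("Get up and running quickly", "Empower everyone in your business", "Unlock business potential"), but the second row keeps its own ("Accelerate your cloud migration", "Access specialists with ease", "Stay up to date"), so the two rows are now inconsistent and the first three cells have lost their titles. Either restore the headings in the first row or move all six into a real header or list structure, since the "&nbsp;" header row gives readers nothing to go on.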
admin Compare Ways To Block Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/compare-ways-to-block-access.md
description: "Learn how to block access to Microsoft 365 when an employee leaves
When an employee leaves your organization, on good terms or bad, you need to block their access to Microsoft 365. Here are a few ways you can do that.
-||||
+|Way to block access|Definition|Best practice|
|:--|:--|:--|
-|**Way to block access** <br/> |**Definition** <br/> |**Best practice** <br/> |
|Block sign-in <br/> |One way to block a user from accessing Microsoft 365 is to change their sign-in status to **Sign-in blocked**. This prevents them from signing into Microsoft 365 from their computers and mobile devices though they can still view previously downloaded or synced email and documents. If you're using Blackberry Enterprise Service, you can disable their access there as well. <br/> |Use when an employee plans to leave the organization or they plan to take a long-term leave of absence. <br/> | |Reset user password <br/> |Another way to prevent a user from accessing Microsoft 365 is to reset their password. This prevents them from using their account though they can still view previously downloaded or synced email and documents. You can then sign in as them and change the password to one of your choosing. <br/> |Use when an employee leaves suddenly and permanently and you feel there is concern for business data. <br/> | |Remove all assigned licenses <br/> |Another option is to remove any Microsoft 365 licenses assigned to the user. This prevents them from using applications and services like the Office suite, Office apps for the web, Yammer, and SharePoint Online. They can still sign in but cannot use these services. <br/> |Use when you feel this user no longer needs access to specific features in Microsoft 365. <br/> <br> **Important:** When you remove a license, the user's mailbox will be deleted in 30 days.
admin Gdpr Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/gdpr-compliance.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
- M365-subscription-management - Adm_O365
description: "Learn how Microsoft 365 for business can help you with the General
# GDPR simplified: A guide for your small business
- *Using Microsoft 365 for business to mitigate and manage GDPR compliance*
+ *Using Microsoft 365 for business to help you to mitigate and manage GDPR compliance*
-The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. The GDPR is due to come into force on May 25, 2018. If your business sells to, provides services to, or employs citizens of the European Union, then the [GDPR](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en) will affect you.
-
-This article helps you understand what the GDPR is, why it came about, and how Microsoft 365 for business can help your organization comply with the GDPR.
+The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that mandates how an organization should handle personal data. If your business sells to, provides services to, or employs citizens of the European Union, then the [GDPR](https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en) will affect you.
+
+As a small business admin, you are probably asking yourself "how do I get started"? This may be especially true if your business does not handle personal data as a core business activity, or if GDPR is totally new to you.
+
+You can get started by reviewing this article, which is aimed at helping you understand what the GDPR is, why it came about, and how Microsoft 365 for business can help your organization comply with the GDPR.
+
+It also includes answers to common questions about GDPR that small businesses may have, and highlights steps a small business can take to prepare for GDPR.
+
+> [!IMPORTANT]
+> The Microsoft 365 solutions and recommendations in this article are tools and resources that can help you manage and protect your data, but are not a guarantee of GDPR compliance. It is up to you to assess your own compliance status. Consult with your own legal and/or professional advisors when needed.
## A quick overview of the GDPR
-The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. When the GDPR becomes enforceable in late May 2018, organizations must have measures in place that satisfy the requirements of the GDPR.
+The GDPR is an EU regulation that updates and expands the earlier Data Protection Directive (DPD) first enacted in 1995. The GDPR is concerned with the privacy of an individual's data, be that individual a client, customer, employee, or business partner. The GDPR's goal is to strengthen personal data protection for EU citizens, whether they reside in the EU or elsewhere. The regulation sets out expectations and advises on how to achieve them. Organizations must have measures in place that satisfy the requirements of the GDPR.
The GDPR is all about data and how it's used. Think of data as having a life cycle. The cycle starts when you collect data, continues as you store it and use it (processing), and ends when you completely delete it from your systems.
The GDPR establishes data subject rights, which means that, with respect to thei
- **Object:** An individual can object to their data being used for various uses including direct marketing. - **Ask not to be subject to automated decision-making, including profiling:** The GDPR has strict rules about using data to profile people and automate decisions based on that profiling. ++
+## Steps to prepare for GDPR
+
+This section describes steps a small business can take to help it get ready for GDPR. Much of the information for these steps was provided through [Seven steps for businesses to get ready for the General Data Protection Regulation](https://ec.europa.eu/info/sites/default/files/ds-02-18-544-en-n.pdf), a publication provided through the Publications Office of the European Union.
+
+A good way for a small business to get started with GDPR is to make sure to apply the following key principles when collecting personal data:
+
+- Collect personal data with clearly defined purposes for what you are using it for, and donΓÇÖt use them for anything else. For example, if you tell your clients to give you their email addresses so they can get your new offers or promotions, you can only use their email addresses for only that specific purpose.
+- DonΓÇÖt collect more data than you need. For example, if your business requires a mailing address for you to deliver goods, you need a customer's address and a name, but you donΓÇÖt need to know the person's marital status.
++
+### Step 1: Know the personal data that you collect and use within your business, and the reasons you need it
+
+As a small business, one of the first steps you should take is to make an inventory of the personal data you collect and use within your business, and why it is needed. This includes data on both your employees and your customers.
+
+For example, you may need your employee's personal data based
+on the employment contract and for legal reasons (for example,
+reporting taxes to the Internal Revenue Service).
+
+As another example, you may manage lists of individual customers to
+send them notices about special offers, if they have consented to this.
+
+#### Microsoft 365 features that can help
+[Microsoft Information Protection in Microsoft 365](/microsoft-365/compliance/information-protection) can help you discover, classify, and protect sensitive information in your company. You can use trainable classifiers to help you identify and label document types that contain personal data.
+
+### Step 2: Inform your customers, employees, and other individuals when you need to collect their personal data
+
+Individuals must know that you process their personal data and
+for which purpose. For example, if a customer needs to create a customer profile to access your business's online site, make sure you state specifically what you intend to do with their information.
+
+But there is no need to inform individuals when they already know how you will use the data. For example, when they provide you a home address for a delivery they ordered.
+
+You also have to be able to inform individuals on request about the personal data you hold on them and give them access to their data. Being organized with your data makes it easier to provide to them, if needed.
+
+### Step 3: Keep personal data for only as long as necessary
+
+For employees data, keep it as long as the employment relationship remains and for related legal obligations.
+For customer data, keep it as long as the customer relationship lasts and for related legal obligations (for example, tax purposes).
+Delete the data when it is no longer needed for the purposes for which you collected it.
+
+#### Microsoft 365 features that can help
+[Retention policies and labels](/microsoft-365/compliance/retention) can be used to help you keep personal data for a certain time and delete it when itΓÇÖs no longer needed.
++
+### Step 4: Secure the personal data you are processing
+
+If you store personal data on an IT system, limit the access to the
+files containing the data, for example, by a strong password. Regularly update the security settings of your system.
+
+> [!NOTE]
+> The GDPR does not prescribe the use of any specific IT system, but make that the system has the appropriate level of security. See [GDRP Article 32: Security of Processing](https://gdpr.eu/article-32-security-of-processing/) for more information.
+
+If you store physical documents with personal data, make sure
+that they are not accessible by unauthorized persons.
+
+If you choose to store personal data in the cloud, such as through Microsoft 365, you have security features such as the ability to help you to manage permissions to files and folders, centralized secure locations to save your files (OneDrive or SharePoint document libraries), and data encryption when sending or retrieving your files.
+
+#### Microsoft 365 features that can help
+You can use [Microsoft Data Loss Prevention (DLP)](/microsoft-365/business-video/set-up-dlp) to help to protect your business's sensitive information. You can [set up a DLP policy](/microsoft-365/compliance/create-a-dlp-policy-from-a-template) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).
+
+### Step 5: Keep documentation on your data processing activities
+
+Prepare a short document explaining what personal data you
+hold and for what reasons. You might be required to make the
+documentation available to your national data protection authority
+if needed.
+
+Such documents should include the information listed below.
+
+| Information | Examples |
+|||
+|The purpose of data processing|Alerting customers about special offers such as providing home delivery; paying suppliers; salary and social security coverage for employees|
+|The types of personal data|Contact details of customers; contact details of suppliers; employee data|
+|The categories of data subjects concerned|Employees; customers; suppliers|
+|The categories of recipients|Labor authorities; tax authorities|
+|The storage periods|EmployeesΓÇÖ personal data until the end of the employment contract (and related legal obligations); customersΓÇÖ personal data until the end of the client/contractual relationship|
+|The technical and organizational security measures to protect the personal data|IT system solutions regularly updated; secured location; access control; data encryption; data backup|
+|Whether personal data is transferred to recipients outside the EU|Use of a processor outside the EU (for example, storage in the cloud); data location of the processor; contractual commitments|
+
+</br>
+
+You can find MicrosoftΓÇÖs contractual commitments with regard to the GDPR in the [Microsoft Online Services Data Protection Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA), which provides MicrosoftΓÇÖs privacy and security commitments, data processing terms and GDPR Terms for Microsoft-hosted services to which customers subscribe under a volume licensing agreement.
++
+### Step 6: Make sure your subcontractors respect the rules
+
+If you sub-contract processing of personal data to another company,
+only use a service provider who guarantees the processing in
+compliance with the requirements of the GDPR (for instance, security
+measures).
+++
+### Step 7: Assign someone to oversee personal data protection
+
+To better protect personal data, organizations might have to
+appoint a <b>Data Protection Officer (DPO)</b>. However, you may not need to designate a Data Protection Officer if processing
+of personal data isnΓÇÖt a core part of your business, or if your are a small business. For example, if your business only collects data on your customers for home delivery, you should not need to appoint a DPO. Even if you need to make use of a DPO, these duties might be assigned to an existing employee in addition to his/her other tasks. Or you could chose to hire an external consultant for this duty as needed.
+
+You normally donΓÇÖt need to carry out a [Data Protection Impact Assessment](https://gdpr.eu/article-35-impact-assessment/). This is reserved for businesses that pose more risk to personal data (for example, if they do a large-scale monitoring of a publicly accessible area, such as video-surveillance).
+
+If you are a small business managing employee wages and a list
+of clients, you typically do not need to do a Data Protection Impact Assessment.
+
+ ## Common small business questions about the GDPR
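Review bot: The note under Step 4 has two errors in the one sentence that points readers at the security requirement: "but make that the system has the appropriate level of security" is missing "sure", and the link text "GDRP Article 32" should be "GDPR Article 32". In Step 5, the line under the table header is shown as "|||" rather than a delimiter row such as the "|:--|:--|" used by the other tables in this batch, and "</br>" after the table is not a valid tag (use "<br/>" or a blank line). Step 1's example of "reporting taxes to the Internal Revenue Service" names a US agency in a guide about an EU regulation; a neutral "tax authority" would match the "tax authorities" wording in the Step 5 table. Smaller fixes: "if your are a small business" and "could chose" in Step 7, and "you can only use their email addresses for only that specific purpose" in the key principles.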
Microsoft 365 for business can help you with the GDPR process in the following w
Tools such as audit logs allow you to track and report on data movement. Reports include classifying the data you collect and store, what you do with the data, and transfers of the data. Customers, employees, and clients are becoming more aware of the importance of data privacy and now expect a company or organization to respect that privacy. Microsoft 365 for business provides you with the tools to achieve and maintain GDPR compliance without a massive upheaval to your business.
-
+++ ## Next steps To get ready for the GDPR, here are some suggestions for next steps to take: - Evaluate your GDPR program with [Accountability Readiness Checklists](/compliance/regulatory/gdpr-arc). -- Investigate [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) as a solution for achieving and maintaining compliance with GDPR.
+- Investigate [Microsoft 365 for business](/microsoft-365/business) as a solution for achieving and maintaining compliance with GDPR.
> [!IMPORTANT]
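Review bot: The replacement link target `/microsoft-365/business` is root-relative, so it resolves against the host serving the docs, not `www.microsoft.com`, where the removed link pointed. If the product page is still the intended target, keep the absolute URL; if a docs landing page is intended, confirm that this path exists on the docs host before merging.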
admin Multi Factor Authentication Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365.md
After being enabled, the next time the user signs in, they will be prompted to r
This table shows the results of enabling MFA with security defaults, Conditional Access policies, and per-user account settings.
-||Enabled|Disabled|Secondary authentication method|
+|*Item*|Enabled|Disabled|Secondary authentication method|
||||| |**Security defaults**|Can't use Conditional Access policies|Can use Conditional Access policies|Microsoft Authenticator app| |**Conditional Access policies**|If any are enabled, you can't enable security defaults|If all are disabled, you can enable security defaults|User-specified during MFA registration|
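Review bot: The new first header cell `*Item*` is italicized while `Enabled`, `Disabled` and `Secondary authentication method` are plain, and "Item" does not tell the reader that the rows are the ways of enabling MFA. Use a plain label that names the rows. The same applies to `*Number*` in the task table of secure-your-business-data.md.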
admin Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/secure-your-business-data.md
search.appverid:
- MET150 - MOE150 ms.assetid: de2da300-dbb6-4725-bb12-b85a9d296e75
-description: "Protect your business email and data from cyber threats, including ransomware, phishing, and malicious attachments."
+description: "How to protect your business email and data from cyber threats, including ransomware, phishing, and malicious attachments."
# Top 10 ways to secure Microsoft 365 for business plans
If you are a small or medium-size organization using one of Microsoft's business
Microsoft recommends that you complete the tasks listed in the following table that apply to your service plan.
-||Task|Microsoft 365 Business Standard|Microsoft 365 Business Premium|
+|*Number*|Task|Microsoft 365 Business Standard|Microsoft 365 Business Premium|
||||| |1|[Set up multi-factor authentication](secure-your-business-data.md#setup)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)| |2|[Train your users](secure-your-business-data.md#train)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|![Included](../../media/d238e041-6854-4a78-9141-049224df0795.png)|
admin Services In China https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/services-in-china.md
If you would like to learn how to get started with general Office 365 services,
## Office 365 Suite
-|||
+|Function|Availability|
|:--|:--| |Custom domains <br/> |Administrators can create and/or use custom domains registered through Chinese-specific domain providers. If you don't have a custom domain, you can [How to buy a domain name](../get-help-with-domains/buy-a-domain-name.md) from a domain name registrar. If you already have one, [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). <br/> Additionally, if you create a public website using the Office 365 SharePoint Online service, China Internet compliance policy requires that you get an Internet Content Provider (ICP) number. **Note:** Automatic validation for disallowed words in custom domain names is not available. | |Subscriptions, billing, and technical support <br/> |Provided by 21Vianet. For information on how to contact support, see [Contact Office 365 for business support](../../business-video/get-help-support.md). <br/> |
If you would like to learn how to get started with general Office 365 services,
## SharePoint Online
-|||
+|Function|Availability|
|:--|:--| |Sharing a document, library, or site by email with someone outside of your organization <br/> |This feature is available, but off by default as using it could make files shared accessible outside of your country. Administrators do have the ability to turn it on, but will get a warning message indicating that it could make files shared accessible outside of your country. Users who attempt to share with someone outside of the organization will also receive a warning. For more information, see [Share SharePoint files or folders in Office 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c). <br/> | |Access Services <br/> |Access 2013 is supported, but adding new Access apps may not be available as this feature will be retired from Office 365 and SharePoint Online. Creation of new Access-based web apps and Access web databases in Office 365 and SharePoint Online will stop starting in June 2017 and any remaining web apps and web databases by April 2018. Additionally, Access 2010 functionality is not supported, and attempting to use an Access 2010 database will result in errors and possible data loss. <br/> |
If you would like to learn how to get started with general Office 365 services,
## Outlook Web App
-|||
+|Function|Availability|
|:--|:--| |Blackberry Business Cloud Services (BBCS) <br/> |Not available, but you can use Exchange ActiveSync devices or an offering from Research in Motion (RIM, the BlackBerry wireless email solution) to run Blackberry Enterprise Server (BES). <br/> | |Information Rights Management <br/> |Coming soon. <br/> |
To learn more about configuring a hybrid deployment with Office 365 tenants host
> [!IMPORTANT] > The [Exchange Server Deployment Assistant](https://go.microsoft.com/fwlink/?LinkId=506768) is a free web-based tool that helps you configure a hybrid deployment between your on-premises organization and Office 365, or to migrate completely to Office 365. The tool asks you a small set of simple questions and then, based on your answers, creates a customized checklist with instructions to configure your hybrid deployment. We strongly recommend using the Deployment Assistant to configure a hybrid deployment. > For organizations not wishing to upgrade to or add Exchange 2013 CU5 servers, Exchange 2013 SP1 organizations can configure shared calendar free/busy sharing between their on-premises and Exchange Online organizations. To configure this hybrid deployment feature, see [Configuring Exchange hybrid deployment features with Office 365 operated by 21Vianet](https://support.microsoft.com/office/26e7cc26-c980-4cc5-a082-c333de544b6d).
-|||
-|||
+|Function|Availability|
+|:--|:--|
|Coexistence and Free/Busy Sharing|Sharing calendar free/busy information between two or more on-premises Exchange organizations or sharing between two 21Vianet Office 365 tenants isn't supported. This feature is coming soon! | |Calendar sharing|Exchange 2013 SP1 and greater supports manually configuring Internet calendar sharing with other on-premises Exchange or Exchange Online organizations. For more details about configuring this feature manually, see [Enable Internet Calendar Publishing](/exchange/enable-internet-calendar-publishing-exchange-2013-help). | Sharing Exchange contact data on Apple mobile devices to the Apple iCloud. |This setting/feature is enabled by default. Administrators should turn this feature off to help prevent users from sharing Exchange data outside of your organization. |
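Review bot: The `Availability` header fits the first two rows, but the last row ("Sharing Exchange contact data on Apple mobile devices to the Apple iCloud") describes a setting that is enabled by default and that administrators are told to turn off, which is configuration guidance, not availability. A header such as `Details` would cover all three rows. That last row also starts without the leading `|` the other rows have; fix it while touching this table.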
Sharing Exchange contact data on Apple mobile devices to the Apple iCloud. |This
## Office
-|||
+|Function|Availability|
|:--|:--| |Open an Office application from the **File** \> **Open in**… button <br/> |Available. The ability to do so while roaming is coming soon. <br/> | |Save to OneDrive for Business while signed in with a Microsoft account <br/> |To keep your data within your country, you cannot save a document to your organization site (OneDrive for Business) when you are signed in to Office with a Microsoft account. <br/> |
Sharing Exchange contact data on Apple mobile devices to the Apple iCloud. |This
## Office client
-|||
+|Function|Availability|
|:--|:--| |Manage account (from within the Office client) <br/> |This feature, and others like it that are intended to go to your Office 365 portal, currently point to the worldwide Office 365 portal, and you cannot sign in with your Office 365 operated by 21Vianet account. This is a known issue that is being fixed. In the meantime, you can use the URL https://portal.partner.microsoftonline.cn/ to sign into your account and manage settings from there. For more information, see [Manage your Microsoft 365 Apps for enterprise account for Office 365 operated by 21Vianet](https://support.microsoft.com/office/fbe473d3-69de-4d0c-aecb-b9c2d0d45bc8). <br/> | ## OneNote
-|||
+|Function|Availability|
|:--|:--| |Insert and playback online video <br/> |Not available. <br/> | |Research pane integration to Bing services <br/> |Not available. <br/> |
Sharing Exchange contact data on Apple mobile devices to the Apple iCloud. |This
## Skype for Business
-|||
+|Function|Availability|
|:--|:--| |Domain providers to support Skype for Business <br/> |You will need to register your domain with a Chinese-specific domain provider that supports SRV records. For more information on how to register domains, see [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). <br/> | |Dial-in conferencing (the ability to add telephone access to meetings for users who can't get to a computer) <br/> |You may see options in Skype for Business and in the Skype for Business Admin Center for Dial-in conferencing and providers, but these features are not yet available. They are coming soon. <br/> |
admin Set Up File Storage And Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-file-storage-and-sharing.md
Both OneDrive and team sites provide anywhere access for you and your employees.
![A diagram that shows how Microsoft 365 products can use OneDrive or Team sites](../../media/7493131e-665f-4dbd-9a60-f5612aea7e42.png)
-Here are recommendations for what to store in each location when you use OneDrive and team sites together:
+Here are recommendations for what to store in each location when you use OneDrive and team sites together:<br/>
+
-||||
+|Storage location|What's it for|What to store here|
|:--|:--|:--|
-|**Storage location** <br/> |**What it's for** <br/> |**What to store here** <br/> |
-|**OneDrive** <br/> |Storing content in OneDrive is like storing files on your computer; no one else can easily access them. <br/> For more info, see [What is OneDrive for Business?](https://support.microsoft.com/office/187f90af-056f-47c0-9656-cc0ddca7fdc2) <br/> |Business files that other team members won't need to collaborate on or access regularly. <br/> |
+|**OneDrive** |Storing content in OneDrive is like storing files on your computer; no one else can easily access them.<br/> For more info, see [What is OneDrive for Business?](https://support.microsoft.com/office/187f90af-056f-47c0-9656-cc0ddca7fdc2) <br/> |Business files that other team members won't need to collaborate on or access regularly.<br/> |
|**SharePoint team sites** <br/> |Collaboration. When you create a Microsoft 365 group (for example, in the Microsoft 365 admin center, in Outlook, or by creating a team in Microsoft Teams), a SharePoint team site is created for that group. Likewise, when you create a new SharePoint team site from the SharePoint home page or from the new SharePoint admin center, it also creates a Microsoft 365 group. For more info, see [What is a SharePoint team site?](https://support.microsoft.com/office/75545757-36c3-46a7-beed-0aaa74f0401e) and [Create a team site in SharePoint Online](https://support.microsoft.com/office/ef10c1e7-15f3-42a3-98aa-b5972711777d). <br/> |Files that have shared ownership. We recommend separate team sites for each unit of work in your organization. For example, to keep personnel and financial documents private to a small team, create a separate team site. <br/> | > [!NOTE]
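Review bot: The new header cell `What's it for` changes the removed `**What it's for**` into a question; keep "What it's for" so it reads in parallel with "What to store here". The cleanup is also partial: `<br/>` was dropped after `**OneDrive**` but the SharePoint row still begins `|**SharePoint team sites** <br/> |`. The `<br/>` appended to the introductory sentence is redundant now that a blank line follows it.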
admin Upgrade Users To Latest Office Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/upgrade-users-to-latest-office-client.md
- AdminSurgePortfolio ms.assetid: f6b00895-b5fd-4af6-a656-b7788ea20cbb description: Learn about how to upgrade Microsoft Office to the latest Office client for users in your organization.+ # Upgrade your Microsoft 365 for business users to the latest Office client
business App Protection Settings For Android And Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/app-protection-settings-for-android-and-ios.md
The following tables give detailed information about settings available to prote
### Settings that protect work files The following settings are available to protect work files if a user's device is lost or stolen:
-
-|||
-|:--|:--|
++ |Setting <br/> |Description <br/> |
+|:--|:--|
|Delete work files from an inactive device after this many days <br/> |If a device isn't used for the number of days that you specify here, any work files stored on the device will be deleted automatically. <br/> | |Force users to save all work files to OneDrive for Business <br/> |If this setting is **On**, the only available save location for work files is OneDrive for Business. <br/> | |Encrypt work files <br/> |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. <br/> |
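Review bot: The added header row `|Setting <br/> |Description <br/> |` keeps a trailing `<br/>` in each header cell, while the headers added elsewhere in this change set (for example `|Function|Availability|`) are plain. Drop the `<br/>` here and in the identical header rows added to the other settings tables, and check that a blank line still separates the table from the sentence above it, since this hunk removes one.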
The following settings are available to protect work files if a user's device is
### Settings that control how users access Office files on mobile devices The following settings are available to manage how users access Office work files:
-
-|||
-|:--|:--|
++ |Setting <br/> |Description <br/> |
+|:--|:--|
|Require a PIN or fingerprint to access Office apps <br/> |If this setting is **On** users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile devices.<br/> | |Reset PIN when login fails this many times <br/> |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. <br/> | |Require users to sign in again after Office apps have been idle for <br/> |This setting determines how long a user can be idle before they're prompted to sign in again. <br/> |
business Increase Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/increase-threat-protection.md
To create a mail transport rule:
6. Select **Save**.
-|Setting|Warn users before opening attachments of Office files||
-||||
+|Setting|Warn users before opening attachments of Office files|
+|||
|Name|Anti-ransomware rule: warn users| |Apply this rule if . . .|Any attachment . . . file extension matches . . .| |Specify words or phrases|Add these file types: <br/> dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm|
business Manage User Access On Mobile Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/manage-user-access-on-mobile-devices.md
Policy settings that control how users access Office files from their mobile dev
## Settings that control how users access Office files on mobile devices The following settings are available to manage how users access Office work files:
-
-|||
-|:--|:--|
+ |Setting <br/> |Description <br/> |
+|:--|:--|
|Require a PIN or fingerprint to access Office apps <br/> |If this setting is **On**, users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile device. <br/> | |Reset PIN when login fails this many times <br/> |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. <br/> | |Require users to sign in again after Office apps have been idle for <br/> |This setting determines how long a user can be idle before they're prompted to sign in again. <br/> |
business Prepare For Office Client Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/prepare-for-office-client-deployment.md
The end user whose PC:
- **Doesn't have** any 2016 Windows Installer (MSI) standalone apps (for example, Visio or Project). Microsoft 365 for business upgrades Office to the Click-to-Run version of Office 2016 and that doesn't work with Office 2016 MSI standalone apps.
-The following table shows what action the end users/admins may need to take, depending on their beginning state, to have a successful 32-bit Click-to-Run version of Office deployment from the Microsoft 365 for business admin console.
-
-|**Starting Office install status**|**Action to take before Microsoft 365 for business Office install**|**End state**|
+The following table shows what action the end users/admins may need to take, depending on their beginning state, to have a successful 32-bit Click-to-Run version of Office deployment from the Microsoft 365 for business admin console.<br/>
++
+|Starting Office install status|Action to take before Microsoft 365 for business Office install|End state|
|:--|:--|:--| |No Office suite installed <br/> |None <br/> |Office 2016 32-bit is installed by using Click-to-Run <br/> | |Existing Click-to-Run 32-bit version of Office (2016 or earlier) and no standalone apps <br/> |None <br/> |Upgraded to the latest 32-bit Click-to-Run version of Office 2016, as needed **\*** <br/> | |Existing Click-to-Run 32-bit version of Office and Click-to-Run 32-bit or 64-bit standalone Office apps (for example, Visio, Project) <br/> |None <br/> |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 <br/> |
-|Existing Click-to-Run 32-bit version of Office and any 32-bit or 64-bit (except 2016) MSI standalone Office apps <br/> |None <br/> |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 <br/> ||||
+|Existing Click-to-Run 32-bit version of Office and any 32-bit or 64-bit (except 2016) MSI standalone Office apps <br/> |None <br/> |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 <br/> |
|Any existing Click-to-Run 64-bit version of Office <br/> |Uninstall the 64-bit Office apps, if it's OK to replace them with 32-bit Office apps <br/> |If Office 64-bit apps are removed, the Click-to-Run 32-bit version of Office 2016 is installed <br/> | |An existing MSI install of Office 2016 with or without standalone apps <br/> |Uninstall MSI Office 2016. <br/> |Click-to-Run 32-bit version of Office 2016 is installed. No change to standalone apps <br/> | |Existing MSI install of Office 2013 (or earlier) and/or standalone Office apps <br/> |None <br/> |Click-to-Run 32-bit version of Office 2016 with the pre-existing MSI Office install (and standalone apps) exist side-by-side <br/> |
business Protect Work Files On Lost Or Stolen Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/protect-work-files-on-lost-or-stolen-device.md
The policy settings determine what happens automatically to protect a device tha
## Settings that protect work files The following settings are available to protect work files if a user's device is lost or stolen:
-
-|||
-|:--|:--|
++ |Setting <br/> |Description <br/> |
+|:--|:--|
|Delete work files from an inactive device after this many days <br/> |If a device isn't used for the number of days that you specify here, any work files stored on the device are automatically deleted. <br/> | |Force users to save all work files to OneDrive for Business <br/> |If this setting is **On**, the only available save location for work files is OneDrive for Business. <br/> | |Encrypt work files <br/> |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. <br/> |
business Protection Settings For Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/protection-settings-for-windows-10-pcs.md
View a video on how to secure Windows 10 devices with Microsoft 365 Business Pre
By default all settings are **On**. The following settings are available. For more information, see [How do protection features in Microsoft 365 Premium map to Intune settings](map-protection-features-to-intune-settings.md).
-
-|||
-|:--|:--|
++ |Setting <br/> |Description <br/> |
+|:--|:--|
|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet. <br/> | |Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> | |Use rules that reduce the attack surface of devices <br/> |When turned On, attack surface reduction helps block actions and apps typically used by malware to infect devices. This setting is only available if Windows Defender Antivirus is set to On. See [Reduce attack surfaces](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) to learn more. <br/> |
business Secure Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/secure-windows-10-devices.md
The settings that you configure here are part of the default device policy for W
By default all settings are **On**. The following settings are available:
-|||
-|:--|:--|
++ |Setting <br/> |Description <br/> |
+|:--|:--|
|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet. <br/> | |Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> | |Help protect files and folders on PCs from unauthorized access with BitLocker <br/> |Bitlocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [Bitlocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). <br/> |
business Transition Csp Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/support/transition-csp-subscription.md
f1.keywords:
- seo-marvel-mar - AdminSurgePortfolio--+++ ms.prod: microsoft-365-business localization_priority: Normal audience: microsoft-business 
business Validate Settings On Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/validate-settings-on-windows-10-pcs.md
Title: "Validate app protection settings on Windows 10 PCs"
+ Title: "Validate app protection settings for Windows 10 PCs"
f1.keywords: - NOCSH
ms.assetid: fae8819d-7235-495f-9f07-d016f545887f
description: "Learn how to verify that Microsoft 365 for business app protection settings took effect on your users' Windows 10 devices."
-# Validate device protection settings on Windows 10 PCs
+# Validate device protection settings for Windows 10 PCs
## Verify that Windows 10 device policies are set
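Review bot: After this change the metadata title reads "Validate app protection settings for Windows 10 PCs" while the H1 reads "Validate device protection settings for Windows 10 PCs", so the on/for wording is aligned but the app/device mismatch is left in place. The section below the H1 is about device policies; pick one term and use it in the title, the description and the H1.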
campaigns M365 Campaigns Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-users.md
For [unmanaged Windows 10 and Mac devices](m365-campaigns-protect-pcs-macs.md),
**Enable basic security capabilities on BYOD Windows 10 and Mac devices**
-| |**Windows 10**|**Mac**|
-|:--|:--|:|
-|Security capabilities|Turn on BitLocker device protection<p><p> Ensure Windows Defender remains on <p>Turn on Windows Firewall| Use FileVault to encrypt the Mac disk <p><p>Use a reliable antivirus software <p>Turn on firewall protection|
+|**Windows 10**|**Mac**|
+|:--|:|
+|Turn on BitLocker device protection<p><p> Ensure Windows Defender remains on <p>Turn on Windows Firewall| Use FileVault to encrypt the Mac disk <p><p>Use a reliable antivirus software <p>Turn on firewall protection|
To learn more about these recommendations, see [Protect your account and devices from hackers and malware](https://support.office.com/article/Protect-your-account-and-devices-from-hackers-and-malware-066d6216-a56b-4f90-9af3-b3a1e9a327d6#ID0EAABAAA=Windows_10).
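Review bot: The new delimiter row `|:--|:|` carries over a malformed second cell: `:` has no hyphens, so a strict Markdown parser may not treat these lines as a table. Use `|:--|:--|`. The added data row also keeps doubled, unclosed `<p><p>` tags between items; a single `<br/>` per item would match the other tables in this change set.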
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
The following screenshot shows the notification displayed on the billing account
The following table contains samples of the registration numbers collected for each country. In cases where multiple IDs are listed, only one is required.
-| Country or region | Details | | | | |
-|:--|:--|:--|:--|:--|:--|
-| **Armenia** | INN ΓÇô Tax identification number<br>VAT number ΓÇô Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT.<br>Public service number | | | | |
-| **Azerbaijan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Azerbaijan-TIN.pdf) ΓÇô Tax Identification number<br>INN ΓÇô Tax identification number | | | | |
-| **Belarus** | UNP ΓÇô This is a nine-digit number (numeric for organizations, alphanumeric for individuals) that contains a region identifier, a serial per region, and a check digit. | | | | |
-|**Brazil** | [CNPJ](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Brazil-TIN.pdf) – (Cadastro Nacional da Pessoa Jurídica, or National Registry of Legal Entities). This is an identification number issued to Brazilian companies by the Department of Federal Revenue of Brazil | | | | |
-| **China** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/China-TIN.pdf) ΓÇô Tax Identification number | | | | |
-| **Hungary** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Hungary-TIN.pdf) ΓÇô Tax Identification number | | | | |
-| **India** | Tax ID<br>[PAN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/India-TIN.pdf) ΓÇô (Presence Across Nation) PAN India Involvement means that there is one organization that is operating at several locations in India. | | | | |
-| **Iraq** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
-| **Kazakhstan** | BIN ΓÇô Bank identification number<br>IIN ΓÇô Issuer identification number | | | | |
-| **Kyrgyzstan** | INN ΓÇô Tax Identification number | | | | |
-| **Moldova** | IDNO ΓÇô The unique state identification number assigned to the legal entity (also known as. Fiscal code).<br>IDNP ΓÇô Birth personal code (ΓÇ£Numarul de IdentificareΓÇ¥) | | | | |
-| **Myanmar** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
-| **Poland** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – Tax Identification number<br>[PESEL](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – The national identification number used in Poland (Polish Powszechny Elektroniczny System Ewidencji Ludności, Universal Electronic System for Registration of the Population) | | | | |
-| **Russia** | [INN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Russia-TIN.pdf) ΓÇô Tax identification number (Russian ΓÇ£Individualiy Nomer NalogoplatelshikaΓÇ¥) | | | | |
-| **Saudi Arabia** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Saudi-Arabia-TIN.pdf) ΓÇô Tax Identification number | | | | |
-| **South Africa** | TRN ΓÇô tax reference number | | | | |
-| **South Sudan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
-| **Tajikistan** | INN ΓÇô Tax Identification number<br>EIN ΓÇô Employer Identification number<br>KPP ΓÇô This is a code that reflects the reason for the organization registration. | | | | |
-| **Thailand** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
-| **Turkey** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Turkey-TIN.pdf) ΓÇô Tax Identification number<br>NIN | | | | |
-| **Ukraine** | EGRPOU<br>EDRPOU ΓÇô Local ID | | | | |
-| **United Arab Emirates** | Tax ID<br>[VAT number](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/UAE-TIN.pdf) - Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT. | | | | |
-| **United States** | [EIN](https://irs.ein-forms-gov.com/?keyword=employer%20identification%20number&source=Google&network=o&device=c&devicemodel=&mobile=&adposition%5d&targetid=kwd-81501461534755:loc-190&msclkid=458d3159f6051392f5286e8e75ed79ce) ΓÇô Employer Identification number | | | | |
-| **Uzbekistan** | INN ΓÇô Tax Identification number | | | | |
-| **Vietnam** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number | | | | |
-| **Venezuela** | RIF ΓÇô is a Tax number (ΓÇ£Registro de Identificaci├│n FiscalΓÇ¥) | | | | |
+| Country or region | Details |
+|:--|:--|
+| **Armenia** | INN ΓÇô Tax identification number<br>VAT number ΓÇô Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT.<br>Public service number |
+| **Azerbaijan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Azerbaijan-TIN.pdf) ΓÇô Tax Identification number<br>INN ΓÇô Tax identification number |
+| **Belarus** | UNP ΓÇô This is a nine-digit number (numeric for organizations, alphanumeric for individuals) that contains a region identifier, a serial per region, and a check digit. |
+|**Brazil** | [CNPJ](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Brazil-TIN.pdf) – (Cadastro Nacional da Pessoa Jurídica, or National Registry of Legal Entities). This is an identification number issued to Brazilian companies by the Department of Federal Revenue of Brazil |
+| **China** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/China-TIN.pdf) ΓÇô Tax Identification number |
+| **Hungary** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Hungary-TIN.pdf) ΓÇô Tax Identification number |
+| **India** | Tax ID<br>[PAN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/India-TIN.pdf) ΓÇô (Presence Across Nation) PAN India Involvement means that there is one organization that is operating at several locations in India. |
+| **Iraq** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number |
+| **Kazakhstan** | BIN ΓÇô Bank identification number<br>IIN ΓÇô Issuer identification number |
+| **Kyrgyzstan** | INN ΓÇô Tax Identification number |
+| **Moldova** | IDNO ΓÇô The unique state identification number assigned to the legal entity (also known as. Fiscal code).<br>IDNP ΓÇô Birth personal code (ΓÇ£Numarul de IdentificareΓÇ¥) |
+| **Myanmar** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number |
+| **Poland** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – Tax Identification number<br>[PESEL](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Poland-TIN.pdf) – The national identification number used in Poland (Polish Powszechny Elektroniczny System Ewidencji Ludności, Universal Electronic System for Registration of the Population) |
+| **Russia** | [INN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Russia-TIN.pdf) ΓÇô Tax identification number (Russian ΓÇ£Individualiy Nomer NalogoplatelshikaΓÇ¥) |
+| **Saudi Arabia** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Saudi-Arabia-TIN.pdf) ΓÇô Tax Identification number |
+| **South Africa** | TRN ΓÇô tax reference number |
+| **South Sudan** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number |
+| **Tajikistan** | INN ΓÇô Tax Identification number<br>EIN ΓÇô Employer Identification number<br>KPP ΓÇô This is a code that reflects the reason for the organization registration. |
+| **Thailand** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number |
+| **Turkey** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/Turkey-TIN.pdf) ΓÇô Tax Identification number<br>NIN |
+| **Ukraine** | EGRPOU<br>EDRPOU ΓÇô Local ID |
+| **United Arab Emirates** | Tax ID<br>[VAT number](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/UAE-TIN.pdf) - Also known as a VAT Registration Number. This is the unique number that identifies a taxable person (business) or non-taxable legal entity that is registered for VAT. |
+| **United States** | [EIN](https://irs.ein-forms-gov.com/?keyword=employer%20identification%20number&source=Google&network=o&device=c&devicemodel=&mobile=&adposition%5d&targetid=kwd-81501461534755:loc-190&msclkid=458d3159f6051392f5286e8e75ed79ce) ΓÇô Employer Identification number |
+| **Uzbekistan** | INN ΓÇô Tax Identification number |
+| **Vietnam** | [TIN](http://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-numbers/) ΓÇô Tax Identification number |
+| **Venezuela** | RIF ΓÇô is a Tax number (ΓÇ£Registro de Identificaci├│n FiscalΓÇ¥) |
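Review bot: The United States row links EIN to `irs.ein-forms-gov.com` and carries ad-click parameters (`source=Google`, `msclkid`), which is not the IRS's own `irs.gov` domain. A look-alike third-party URL should not ship in an admin-facing reference, so point the link at the official IRS page or drop it. In the India row, PAN is expanded as "Presence Across Nation", but the Indian tax identifier is the Permanent Account Number, so the expansion should be corrected.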
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
Title: "Manage third-party app licenses in the Microsoft 365 admin center"
+ Title: "Manage ISV app licenses in the Microsoft 365 admin center"
f1.keywords: - NOCSH
- commerce_licensing search.appverid: - MET150
-description: "Learn how to manage licenses for third-party apps in the Microsoft 365 admin center."
Previously updated : 04/30/2021
+description: "Learn how to manage licenses for independent software vendor (ISV) apps in the Microsoft 365 admin center."
Last updated : 06/15/2021
-# Manage third-party app licenses in the Microsoft 365 admin center
+# Manage ISV app licenses in the Microsoft 365 admin center
-A third-party app is an app that you buy from a software vendor other than Microsoft.
+An independent software vendor (ISV) app is an app that you buy from a software vendor other than Microsoft.
## Before you begin You must be a Global, License, or User admin to assign licenses. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-## Assign third-party app licenses to users or groups
+## Assign ISV app licenses to users or groups
1. In the Microsoft 365 admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page. 2. Select the app that you want to assign licenses for.
You must be a Global, License, or User admin to assign licenses. For more inform
4. In the **Assign licenses** pane, begin typing the name of a user or group, and then choose it from the results to add it to the list. 5. When you're finished, select **Assign**, then select **Close**.
-## Unassign third-party app licenses from users or groups
+## Unassign ISV app licenses from users or groups
1. In the admin center, **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page. 2. Select the app that you want to unassign licenses for. 3. On the license details page, select the users and groups to remove licenses from, then select Unassign licenses. 4. In the dialog box, confirm that you want to remove the licenses, then select Unassign.
-## Add or remove third-party app licenses for your account
+## Add or remove ISV app licenses for your account
-Third-party app licenses are managed by the app vendor. Contact the vendor to add or remove licenses for your account.
+ISV app licenses are managed by the app vendor. Contact the vendor to add or remove licenses for your account.
## Next steps
-Depending on the third-party app that you bought, your next step might be to install the app into your organizationΓÇÖs environment. Installing the app makes it available for your users. Use the following steps to install a third-party app to your environment.
+Depending on the ISV app that you bought, your next step might be to install the app into your organizationΓÇÖs environment. Installing the app makes it available for your users. Use the following steps to install an ISV app to your environment.
1. In the admin center, **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page. 2. Select the app that you want to install into your account.
-3. On the license details page, select Install this product. You are redirected to a different platform site where you install the app into your environment.
+3. On the license details page, select **Install this product**. You are redirected to a different platform site where you install the app into your environment.
## Related content [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md) (article) \
-[Unassign licenses from users](../../admin/manage/remove-licenses-from-users.md) (article)
+[Unassign licenses from users](../../admin/manage/remove-licenses-from-users.md) (article)
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
Last updated 04/08/2021
# Cancel your subscription
+> [!IMPORTANT]
+> This article only applies to Microsoft 365 for business subscriptions. If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/en-us/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b).
+ *Eligibility:* If you have fewer than 25 licenses assigned to users, you can cancel your Microsoft 365 for business trial or paid subscription online in the Microsoft 365 admin center at any time. If you have more than 25 licenses assigned to users, reduce it to less than 25 or [call support to cancel your subscription](../../business-video/get-help-support.md). *Refund:* Any prorated credit will be returned to you within the next billing cycle.
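Review bot: The eligibility text that the new IMPORTANT callout now sits above leaves the case of exactly 25 assigned licenses undefined: online cancellation is offered for "fewer than 25" and the support path for "more than 25". State which path applies at 25, and use "fewer than 25" consistently instead of "less than 25".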
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
description: "Audit log retention policies are part of the new Advanced Audit ca
You can create and manage audit log retention policies in the Security & Compliance Center. Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria: - All activities in one or more Microsoft 365 services- - Specific activities (in a Microsoft 365 service) performed by all users or by specific users- - A priority level that specifies which policy takes precedence in you have multiple policies in your organization ## Default audit log retention policy
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
## Create an audit log retention policy
-1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in with a user account that's assigned the Organization Configuration role on the Permissions page in the Security & Compliance Center.
+1. Go to <https://compliance.microsoft.com> and sign in with a user account that's assigned the Organization Configuration role on the Permissions page in the Security & Compliance Center.
2. In the left pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
4. Click **Create audit retention policy**, and then complete the following fields on the flyout page:
- ![New audit retention policy flyout page](../media/CreateAuditLogRetentionPolicy.png)
+ ![New audit retention policy flyout page](../media/CreateAuditLogRetentionPolicy.png)
1. **Policy name:** The name of the audit log retention policy. This name must be unique in your organization, and it can't be change after the policy is created.
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
3. **Users:** Select one or more users to apply the policy to. If you leave this box blank, then the policy will apply to all users. If you leave the **Record type** blank, then you must select a user. 4. **Record type:** The audit record type the policy applies to. If you leave this property blank, you must select a user in the **Users** box. You can select a single record type or multiple record types:-
- - If you select a single record type, the **Activities** field is dynamically displayed. You can use the drop-down list to select activities from the selected record type to apply the policy to. If you don't choose specific activities, the policy will apply to all activities of the selected record type.
-
- - If you select multiple record types, you don't have the ability to select activities. The policy will apply to all activities of the selected record types.
+ - If you select a single record type, the **Activities** field is dynamically displayed. You can use the drop-down list to select activities from the selected record type to apply the policy to. If you don't choose specific activities, the policy will apply to all activities of the selected record type.
+ - If you select multiple record types, you don't have the ability to select activities. The policy will apply to all activities of the selected record types.
5. **Duration:** The amount of time to retain the audit logs that meet the criteria of the policy.
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
5. Click **Save** to create the new audit log retention policy.
- The new policy is displayed in the list on the **Audit retention policies** tab.
+The new policy is displayed in the list on the **Audit retention policies** tab.
-## Manage audit log retention policies
+## Manage audit log retention policies in the Microsoft 365 compliance center
Audit log retention policies are listed on the **Audit retention policies** tab (also called the *dashboard*). You can use the dashboard to view, edit, and delete audit retention policies.
You can also select a policy to display its settings on the flyout page.
To edit a policy, select it to display the flyout page. You can modify one or more setting and then save your changes. - > [!IMPORTANT]
-> If you use the **New-UnifiedAuditLogRetentionPolicy** cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the **Create audit retention policy** tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the **Audit retention policies** dashboard. You'll only be able to view and delete the policy in the compliance center. To edit the policy, you'll have to use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell.<br/><br/>**Tip:** A message is displayed at the top of the flyout page for policies that have to be edited using PowerShell.
+>
+> If you use the **New-UnifiedAuditLogRetentionPolicy** cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the **Create audit retention policy** tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the **Audit retention policies** dashboard. You'll only be able to view and delete the policy in the compliance center. To edit the policy, you'll have to use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell.>
+>
+> **Tip:** A message is displayed at the top of the flyout page for policies that have to be edited using PowerShell.
### Delete policies in the dashboard
Follow these steps to create an audit log retention policy in PowerShell:
1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
-2. Run the following command to create an audit log retention policy.
+2. Run the following command to create an audit log retention policy:
```powershell New-UnifiedAuditLogRetentionPolicy -Name "Microsoft Teams Audit Policy" -Description "One year retention policy for all Microsoft Teams activities" -RecordTypes MicrosoftTeams -RetentionDuration TenYears -Priority 100 ```
- This example creates an audit log retention policy named "Microsoft Teams Audit Policy" with these settings:
+ This example creates an audit log retention policy named "Microsoft Teams Audit Policy" with these settings:
- A description of the policy.- - Retains all Microsoft Teams activities (as defined by the *RecordType* parameter).- - Retains Microsoft Teams audit logs for 10 years.- - A priority of 100. Here's another example of creating an audit log retention policy. This policy retains audit logs for the "User logged in" activity for six months for the user admin@contoso.onmicrosoft.com.
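Review bot: In the example command the `-Description` string says "One year retention policy" while `-RetentionDuration TenYears` and the explanatory bullet ("Retains Microsoft Teams audit logs for 10 years") both say ten years. Change the description to match, since the description is what an admin reads when reviewing which retention policies are in force. The bullet also cites the *RecordType* parameter, but the command uses `-RecordTypes`.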
Use the [Remove-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/remo
As previously stated, audit records for operations in Azure Active Directory, Exchange Online, SharePoint Online, and OneDrive for Business, are retained for one year by default. The following table lists all the record types (for each of these services) included in the default audit log retention policy. This means that audit logs for any operation with this record type are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user. The Enum value (which is displayed as the value for the RecordType property in an audit record) for each record type is shown in parentheses.
-|AzureActiveDirectory |Exchange |SharePoint or OneDrive|
-|:|:|:|
+<br>
+
+****
+
+|AzureActiveDirectory|Exchange |SharePoint or OneDrive|
+||||
|AzureActiveDirectory (8)|ExchangeAdmin (1)|ComplianceDLPSharePoint (11)| |AzureActiveDirectoryAccountLogon (9)|ExchangeItem (2)|ComplianceDLPSharePointClassification (33)| |AzureActiveDirectoryStsLogon (15)|Campaign (62)|Project (35)|
compliance Bulk Create Publish Labels Using Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-create-publish-labels-using-powershell.md
f1.keywords:
Last updated + audience: Admin
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Use the following table to help you identify whether to use a retention policy o
|Disposition review | No| Yes | |Proof of disposition for up to 7 years | No |Yes, when you use disposition review or item is marked a record| |Audit admin activities| Yes | Yes|
+|Audit retention actions| No | Yes <sup>\*</sup> |
|Identify items subject to retention: <br /> - Content Search <br /> - Data classification page, content explorer, activity explorer | <br /> No <br /> No | <br /> Yes <br /> Yes|
-Note that you can use both retention policies and retention labels as complementary retention methods. For example:
+**Footnote:**
+
+<sup>\*</sup>
+For retention labels that don't mark the content as a record or regulatory record, auditing events are limited to when an item in SharePoint has a label applied, changed, or removed. For auditing details for retention labels, see the [Auditing retention actions](#auditing-retention-actions) section on this page.
+
+### Combining retention policies and retention labels
+
+You don't have to choose between using retention policies only or retention labels only. Both methods can be used together and in fact, complementary each other for a more comprehensive solution. For example:
1. You create and configure a retention policy that automatically deletes content five years after it's last modified, and apply the policy to all OneDrive accounts.
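Review bot: The new sentence under "Combining retention policies and retention labels" reads "and in fact, complementary each other", which is ungrammatical. Suggest "Both methods can be used together and, in fact, complement each other for a more comprehensive solution." The new footnote is also split across a bare "**Footnote:**" line and a lone `<sup>\*</sup>` line; keeping the marker and its text together would read more clearly.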
For more information about the Preservation Hold library, see [How retention wor
Because of the behavior during the grace period, if you re-enable the policy or change the location status back to on within 30 days, the policy resumes without any permanent data loss during this time.
-## Auditing retention configuration
+## Auditing retention configuration and actions
+
+When [auditing is enabled](turn-audit-log-search-on-or-off.md), auditing events for retention are supported for both administration configuration (retention policies and retention labels) and retention actions (retention labels only).
+
+### Auditing retention configuration
+
+Administrator configuration for retention policies and retention labels are logged as auditing events when a retention policy or label is created, reconfigured, or deleted.
+
+For the full list of auditing events, see [Retention policy and retention label activities](search-the-audit-log-in-security-and-compliance.md#retention-policy-and-retention-label-activities).
+
+### Auditing retention actions
+
+Retention actions that are logged as auditing events are available only for retention labels and not for retention policies:
+
+- When a retention label is applied, changed, or removed from an item in SharePoint:
+ - From **File and page activities**, select **Changed retention label for a file**
+
+- When a labeled item in SharePoint is marked as a record, and it is unlocked or locked by a user:
+ - From **File and page activities**, select **Changed record status to unlocked** and **Changed record status to locked**
+
+- When a retention label that marks content as a record or regulatory record is applied to an item in Exchange:
+ - From **Exchange mailbox activities**, select **Labeled message as a record**
-Administrator actions for retention policies and retention labels are saved to the audit log when [auditing is enabled](turn-audit-log-search-on-or-off.md). For example, an audit event is created when a retention policy or label is created, configured, or deleted. For the full list, see [Retention policy and retention label activities](search-the-audit-log-in-security-and-compliance.md#retention-policy-and-retention-label-activities).
+- When a labeled item in SharePoint or Exchange is marked as a record or regulatory record, and it is permanently deleted:
+ - From **File and page activities**, select **Deleted file marked as a record**
## PowerShell cmdlets for retention policies and retention labels
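Review bot: The last bullet under "Auditing retention actions" covers a labeled item "in SharePoint or Exchange" that is permanently deleted, but the only activity it names is **Deleted file marked as a record** under **File and page activities**. Say which activity records the Exchange case, or narrow the bullet to SharePoint. The sentence "Administrator configuration for retention policies and retention labels are logged" also needs subject-verb agreement ("is logged").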
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
Not all apps support authentication contexts. If a user with an unsupported app
Known limitations for this preview: -- This feature is still rolling out to some tenants. If the Conditional Access policy with your selected authentication context is not taking effect when a user accesses the site, you can use PowerShell to confirm that your configuration is correct and all prerequisites are met. You'll need to remove the sensitivity label from the site and then configure the site for the authentication context by using the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) cmdlet from the current [SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online). If this method works, wait a few more days before you try to apply the sensitivity label again.
-
- To test the authentication context by using PowerShell:
-
- ```powershell
- Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName "Name of authentication context"
- ```
-
- To remove the authentication context so you can try to apply the sensitivity label again:
-
- ```powershell
- Set-SPOSite -Identity <site url> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName ""
- ```
- - For the OneDrive sync app, supported for OneDrive only and not for other sites. - The following features and apps might be incompatible with authentication contexts, so we encourage you to check that these continue to work after a user successfully accesses a site by using an authentication context:
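Review bot: The removal drops both `Set-SPOSite` examples, but the remaining bullet still tells admins to "use PowerShell to confirm that your configuration is correct" and to configure the site with `Set-SPOSite`, now without showing the `-ConditionalAccessPolicy AuthenticationContext` and `-AuthenticationContextName` parameters. Either keep the two commands (apply the context, then clear it with an empty name) or trim the bullet so it no longer promises a procedure the page does not give.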
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
7. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch. > [!NOTE]
- > Up to 50 distinct users or security groups max can be added. Use security groups when you need more than 50 individuals to get access to the portal before the waves start launching.
+ > Up to 50 distinct users or security groups max can be used for the entire launch. Each launch is independent of each other, so if you schedule a launch on another portal, then you could use up to 50 users/security groups for that launch. Additionally, you can use up to 20 distinct users or security groups per wave.
+
+>The portal launch scheduler supports security groups and mail enabled security groups.
+ 8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
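Review bot: The rewritten note sits under step 7, which is about the **Users exempt from waves** field, yet it now states limits "for the entire launch" (50) and "per wave" (20) without saying which one applies to the exempt list. State the exempt-field limit explicitly. The earlier guidance to use security groups when more than 50 individuals need early access was dropped, and the added line about mail enabled security groups starts with a bare `>` outside the indented NOTE block, so it will not render as part of that note.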
enterprise Additional Network Security Requirements For Office 365 Gcchigh And Dod https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-network-security-requirements-for-office-365-gcchigh-and-dod.md
hideEdit: true
Office 365 GCC High and DOD are secure cloud environments to meet the needs of the United States Government and its suppliers and contractors. These cloud environments have additional network restrictions on which external endpoints the services are permitted to access.
-GCC High and DOD customers planning to use federated identities or hybrid co-existence may require Microsoft to permit inbound and/or outbound access to your existing on-premises deployments. Examples of these activities include:
+GCC High and DOD customers planning to use federated identities or hybrid coexistence may require Microsoft to permit inbound and/or outbound access to your existing on-premises deployments. Examples of these activities include:
* Use of federated identities (with Active Directory Federation Services or similar supported STS) * Hybrid coexistence with an on-premises Exchange Server or Skype for Business deployment
GCC High and DOD customers planning to use federated identities or hybrid co-exi
To permit the service to communicate with your on-premises endpoints, you **must** send an email to Office 365 engineering for network changes. > [!WARNING]
-> All requests have a **three-week** SLA and cannot be expedited due to the required security and compliance controls and deployment pipelines. This includes initial onboarding network requests as well as any changes after you have migrated to the service. Please ensure that your network teams are aware of this timeline and include it in their planning cycles.
+> All requests have a **three-week** SLA and cannot be expedited due to the required security and compliance controls and deployment pipelines. This includes initial onboarding network requests as well as any changes after you have migrated to the service. Make sure that your network teams are aware of this timeline and include it in their planning cycles.
-Please send an email to [Office 365 Government Network Whitelist](mailto:o365gwlt@microsoft.com) with the following information:
+Send an email to [Office 365 Government Allow-List Requests](mailto:o365gwlt@microsoft.com) with the following information:
-* **To**: [Office 365 Government Network Whitelist](mailto:o365gwlt@microsoft.com)
+* **To**: [Office 365 Government Allow-List Requests](mailto:o365gwlt@microsoft.com)
* **From**: A tenant administrator - the send email **must** match a Global Administrator contact in your tenant
-* **Email subject**: Office 365 GCC High Network Request - contoso.onmicrosoft.us (replace this with your tenant name)
+* **Email subject**: Office 365 GCC High Network Request - contoso.onmicrosoft.us (replace with your tenant name)
The body of your message should include the following data:
-* Your Microsoft Online Services tenant name (i.e. contoso.onmicrosoft.com, fabrikam.onmicrosoft.us)
+* Your Microsoft Online Services tenant name (for example, contoso.onmicrosoft.com, fabrikam.onmicrosoft.us)
* An email distribution list that Microsoft will communicate with for on-going communications related to network changes and/or follow up for invalid subnets
-* Indicate whether you plan to use Microsoft Teams hybrid co-existence with your on-premises deployments
-* Federated identity system externally accessible URL (e.g. sts.contoso.com) and IP address range in CIDR notation (e.g. 10.1.1.0/28)
+* Indicate whether you plan to use Microsoft Teams hybrid coexistence with your on-premises deployments
+* Federated identity system externally accessible URL (for example, sts.contoso.com) and IP address range in CIDR notation (for example,. 10.1.1.0/28)
* On-Premises PKI Certificate Revocation List URL and IP address range in CIDR notation * Externally accessible URL and IP address range for Exchange Server on-premises deployment in CIDR notation * Externally accessible URL and IP address range for Skype for Business on-premises deployment in CIDR notation
-For security and compliance reasons, please keep in mind the following restrictions on your request:
+For security and compliance reasons, keep in mind the following restrictions on your request:
* There is a four subnet limitation per tenant
-* Subnets must be in CIDR Notation (e.g. 10.1.1.0/28)
+* Subnets must be in CIDR Notation (for example, 10.1.1.0/28)
* Subnet ranges cannot be larger than /24 * We **cannot** accommodate requests to allow access to commercial cloud services (commercial Office 365, Google G-Suite, Amazon Web Services, etc.)
-Once your request has been received and approved by Microsoft, there is a three-week SLA for implementation and cannot be expedited. You will receive an initial acknowledgment when weΓÇÖve received your request and a final acknowledgement once it has been completed.
+Once your request has been received and approved by Microsoft, there is a three-week SLA for implementation and cannot be expedited. You will receive an initial acknowledgment when weΓÇÖve received your request and a final acknowledgment once it has been completed.
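Review bot: The added federated identity bullet reads "(for example,. 10.1.1.0/28)" with a stray period after the comma. The same bullet asks for an externally accessible IP range but illustrates it with 10.1.1.0/28, which is RFC 1918 private address space; a documentation range such as 203.0.113.0/28 would avoid suggesting that internal subnets are valid submissions. The closing sentence "there is a three-week SLA for implementation and cannot be expedited" is missing a subject in its second clause ("and it cannot be expedited").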
enterprise Configure Services And Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-services-and-applications.md
audience: ITPro-+ localization_priority: Normal
enterprise External Domain Name System Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-domain-name-system-records.md
description: A reference list of external Domain Name System records to use when
# External Domain Name System records for Office 365
-|||
-|:--|:--|
-|![Domain](../medi). <br/> |
+![Domain](../media/e05b1c78-1df0-4200-ba40-6e26b7ead68f.png)
+
+**Want to see a customized list of DNS records for your Office 365 organization?** You can [find the info you need to create Office 365 DNS records](https://support.office.microsoft.com/article/Gather-the-information-you-need-to-create-Office-365-DNS-records-77f90d4a-dc7f-4f09-8972-c1b03ea85a67) for your domain in Office 365.
+
+**Need step-by-step help to add these records at your domain's DNS host, such as GoDaddy or eNom?** [Find links to step-by-step instructions for many popular DNS hosts](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
+
+**Sticking around to use the reference list for your own custom deployment?** The below list should be used as a reference for your custom Office 365 deployment. You will need to select which records apply to your organization and fill in the appropriate values.
+
+**Go back to** [Network planning and performance tuning for Office 365](./network-planning-and-performance.md).
Often the SPF and MX records are the hardest to figure out. We've updated our SPF records guidance at the end of this article. The important thing to remember is that _you can only have a single SPF record for your domain_. You can have multiple MX records; however, that can cause problems for mail delivery. Having a single MX record that directs email to one mail system removes many potential problems.
The sections below are organized by service in Office 365. To see a customized l
Every Office 365 customer needs to add two records to their external DNS. The first CNAME record ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform. The second required record is to prove you own your domain name.
-||||
-|:--|:--|:--|
|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |
+|-|--||
|**CNAME** <br/> **(Suite)** <br/> |Used by Office 365 to direct authentication to the correct identity platform. [More information](../admin/services-in-chin?viewFallbackFrom=o365-worldwide) <br/> **Note:** This CNAME only applies to Office 365 operated by 21Vianet. [More information](/office365/servicedescriptions/office-365-platform-service-description/office-365-operated-by-21vianet) |**Alias:** msoid <br/> **Target:** clientconfig.partner.microsoftonline-p.net.cn <br/> | |**TXT** <br/> **(Domain verification)** <br/> |Used by Office 365 to verify only that you own your domain. It doesn't affect anything else. <br/> |**Host:** @ (or, for some DNS hosting providers, your domain name) <br/> **TXT Value:** _A text string provided by_ Office 365 <br/> The Office 365 **domain setup wizard** provides the values that you use to create this record. <br/> |
Do you just want to switch a few email addresses to Office 365? You can [Pilot O
Email customers who are using Exchange Federation will also need the additional CNAME and TXT record listed at the bottom of the table.
-||||
-|:--|:--|:--|
|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |
+|-|--||
|**CNAME** <br/> **(Exchange Online)** <br/> |Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users. <br/> |**Alias:** Autodiscover <br/> **Target:** autodiscover.outlook.com <br/> | |**MX** <br/> **(Exchange Online)** <br/> |Sends incoming mail for your domain to the Exchange Online service in Office 365. <br/> [!NOTE] Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. |**Domain:** For example, contoso.com <br/> **Target email server:**\<MX token\>.mail.protection.outlook.com <br/> **Preference/Priority:** Lower than any other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low' <br/> Find your \<MX token\> by following these steps: <br/> Sign in to Office 365, go to Office 365 admin \> Domains. <br/> In the Action column for your domain, choose Fix issues. <br/> In the MX records section, choose What do I fix? <br/> Follow the directions on this page to update your MX record. <br/> [What is MX priority?](../admin/setup/domains-faq.yml) <br/> | |**SPF (TXT)** <br/> **(Exchange Online)** <br/> |Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain. <br/> |[External DNS records required for SPF](external-domain-name-system-records.md#BKMK_SPFrecords) <br/> |
There are specific steps to take when you use [Office 365 URLs and IP address r
> [!NOTE] > These DNS records also apply to Teams, especially in a hybrid Teams and Skype for Business scenario, where certain federation issues could arise.
-||||
-|:--|:--|:--|
|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |
+|-|--||
|**SRV** <br/> **(Skype for Business Online)** <br/> |Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about [Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO). <br/> |**Service:** sipfederationtls <br/> **Protocol:** TCP <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 5061 <br/> **Target:** sipfed.online.lync.com <br/> **Note:** If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. | |**SRV** <br/> **(Skype for Business Online)** <br/> |Used by Skype for Business to coordinate the flow of information between Lync clients. <br/> |**Service:** sip <br/> **Protocol:** TLS <br/> **Priority:** 100 <br/> **Weight:** 1 <br/> **Port:** 443 <br/> **Target:** sipdir.online.lync.com <br/> | |**CNAME** <br/> **(Skype for Business Online)** <br/> |Used by the Lync client to help find the Skype for Business Online service and sign in. <br/> |**Alias:** sip <br/> **Target:** sipdir.online.lync.com <br/> For more information, see [Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_LYO). <br/> |
There are specific steps to take when you use [Office 365 URLs and IP address r
## External DNS records required for Office 365 Single Sign-On <a name="BKMK_ReqdCore"> </a>
-||||
-|:--|:--|:--|
|**DNS record** <br/> |**Purpose** <br/> |**Value to use** <br/> |
+|-|--||
|**Host (A)** <br/> |Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP). <br/> |**Target:** For example, sts.contoso.com <br/> | ## External DNS records required for SPF
Values: v=spf1 include:spf.protection.outlook.com include:mail.contoso.com -all
These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing.md).
-Here's a short link you can use to come back: [https://aka.ms/o365edns]()
+Here's a short link you can use to come back: [https://aka.ms/o365edns]()
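Review bot: The short link on the changed line still has an empty target, `[https://aka.ms/o365edns]()`, so it renders as a link that goes nowhere. The removed and added lines differ only in whitespace, so this revision does not address it. Since the line is being touched anyway, put the URL in the parentheses as well: `[https://aka.ms/o365edns](https://aka.ms/o365edns)`.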
enterprise Image Optimization For Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/image-optimization-for-sharepoint-online.md
The loading speed of a webpage depends on the combined size of all the component
## Using sprites to speed up image loading
-|||
-|:--|:--|
-| An image sprite contains many smaller images. Using CSS you select a part of the composite image to display on a particular part of the page with absolute positioning. Basically, you move a single image around the page instead of loading multiple images, and make a small part of that image visible through a small window where the required part of the sprite image is shown to the end user. SharePoint Online uses sprites to display its various icons in the sprite spcommon.png. <br/> What's covered here: <br/> Image compression <br/> Image optimization <br/> SharePoint image renditions <br/> |![Screenshot of spcommon](../media/cc5cdee1-8e54-4537-9a8a-8854f4ee849f.png)|
+![Screenshot of spcommon](../media/cc5cdee1-8e54-4537-9a8a-8854f4ee849f.png)
+
+An image sprite contains many smaller images. Using CSS you select a part of the composite image to display on a particular part of the page with absolute positioning. Basically, you move a single image around the page instead of loading multiple images, and make a small part of that image visible through a small window where the required part of the sprite image is shown to the end user. SharePoint Online uses sprites to display its various icons in the sprite spcommon.png file.
+
+What's covered here:
+- Image compression
+- Image optimization
+- SharePoint image renditions
This can increase performance because you download only one image instead of several and then cache and reuse that image. Even if the image does not remain cached, by having a single image instead of multiple images, this method reduces the total number of HTTP requests to the server which will reduce page loading times. This is really a form of image bundling. This is a very useful technique if the images are not changing very often, for example, icons, as shown in the SharePoint example provided above. You can how to use [Web Essentials](https://vswebessentials.com/), a third-party, open-source, community-based project to achieve this easily in Microsoft Visual Studio. For more information, see [Minification and bundling in SharePoint Online](./minification-and-bundling-in-sharepoint-online.md).
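Review bot: The added "What's covered here:" list (image compression, image optimization, SharePoint image renditions) describes the whole article, but it now sits inside "Using sprites to speed up image loading", between the sprite definition and the unchanged paragraph that continues the sprite explanation ("This can increase performance because you download only one image..."). In the old table it was tucked into a cell; as free-standing text it interrupts the section, so consider moving it up to the article introduction. While editing here, the unchanged sentence "You can how to use [Web Essentials]" is missing a verb and could be fixed in the same pass.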
enterprise Implementing Expressroute https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/implementing-expressroute.md
For each service that requires an inbound connection, you'll need some additiona
Inbound connections should be reviewed regardless of whether they're connecting over the internet or ExpressRoute to ensure asymmetric routing hasn't been introduced. In some cases, on-premises endpoints that Office 365 services initiate inbound connections to may also need to be accessed by other Microsoft and non-Microsoft services. It is paramount that enabling ExpressRoute routing to these services for Office 365 purposes doesn't break other scenarios. In many cases, customers may need to implement specific changes to their internal network, such as source based NAT, to ensure that inbound flows from Microsoft remain symmetric after ExpressRoute is enabled.
-Here's a sample of the level of detail required. In this case Exchange Hybrid would route to the on-premises system over ExpressRoute.
+Here's a sample of the level of detail required. In this case Exchange Hybrid would route to the on-premises system over ExpressRoute.
-|**Connection property**|**Value**|
-|:--|:--|
+|Connection property |Value |
+|-|--|
|**Network traffic direction** <br/> |Inbound <br/> | |**Service** <br/> |Exchange Hybrid <br/> | |**Public Office 365 endpoint (source)** <br/> |Exchange Online (IP addresses) <br/> |
Here's a sample of the level of detail required. In this case Exchange Hybrid wo
|**Will this on-premises endpoint be used for by other (non-Office 365) Microsoft services** <br/> |No <br/> | |**Will this on-premises endpoint be used by users/systems on the Internet** <br/> |Yes <br/> | |**Internal systems published through public endpoints** <br/> |Exchange Server client access role (on-premises) 192.168.101, 192.168.102, 192.168.103 <br/> |
-|**IP advertisement of the public endpoint** <br/> |**To Internet**: 5.5.0.0/16 <br/> **To ExpressRoute**: 5.5.5.0/24 <br/> |
-|**Security/Perimeter Controls** <br/> |**Internet path**: DeviceID_002 <br/> **ExpressRoute path**: DeviceID_003 <br/> |
-|**High Availability** <br/> |Active/Active across 2 geo-redundant <br/> ExpressRoute circuits - Chicago and Dallas <br/> |
-|**Path symmetry control** <br/> |**Method**: Source NAT <br/> **Internet path**: Source NAT inbound connections to 192.168.5.5 <br/> |**ExpressRoute path**: Source NAT connections to 192.168.1.0 (Chicago) and 192.168.2.0 (Dallas) <br/> |
+|**IP advertisement of the public endpoint** <br/> |**To Internet**: 5.5.0.0/16 **To ExpressRoute**: 5.5.5.0/24 <br/> |
+|**Security/Perimeter Controls** <br/> |**Internet path**: DeviceID_002 **ExpressRoute path**: DeviceID_003 <br/> |
+|**High Availability** <br/> |Active/Active across 2 geo-redundant / ExpressRoute circuits - Chicago and Dallas <br/> |
+|**Path symmetry control** <br/> |**Method**: Source NAT **Internet path**: Source NAT inbound connections to 192.168.5.5 **ExpressRoute path**: Source NAT connections to 192.168.1.0 (Chicago) and 192.168.2.0 (Dallas) <br/> |
Here's a sample of a service that is outbound only: |**Connection property**|**Value**|
-|:--|:--|
+|-|--|
|**Network traffic direction** <br/> |Outbound <br/> | |**Service** <br/> |SharePoint Online <br/> | |**On-premises endpoint (source)** <br/> |User workstation <br/> |
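Review bot: In the High Availability row, replacing the `<br/>` with " / " changes the meaning: "Active/Active across 2 geo-redundant / ExpressRoute circuits" now reads as two alternatives, where the old line break fell in the middle of the phrase "2 geo-redundant ExpressRoute circuits". Drop the slash and join the words with a space. In the other three rewritten rows the `<br/>` separators were removed without a replacement, so "**To Internet**: 5.5.0.0/16 **To ExpressRoute**: 5.5.5.0/24" and the Internet path / ExpressRoute path values now run together in one line of the cell; keep a `<br/>` or add a semicolon between the paired values. Removing the stray `|` before "**ExpressRoute path**" in the Path symmetry control row is correct, since that row previously had a third cell.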
This means the most important consideration you need to make when selecting meet
Often times, there are multiple meet-me locations that could be selected within a region with relative proximity to your users. Fill out the following table to guide your decisions.
-|**Planned ExpressRoute meet-me locations in California and New York**||
-|:--|:--|
+**Planned ExpressRoute meet-me locations in California and New York**
+ |Location <br/> |Number of people <br/> |Expected latency to Microsoft network over Internet egress <br/> |Expected latency to Microsoft network over ExpressRoute <br/> |
+|-|--|-|--|
|Los Angeles <br/> |10,000 <br/> |~15ms <br/> |~10ms (via Silicon Valley) <br/> | |Washington DC <br/> |15,000 <br/> |~20ms <br/> |~10ms (via New York) <br/> | |Dallas <br/> |5,000 <br/> |~15ms <br/> |~40ms (via New York) <br/> |
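Review bot: The new bold caption line is followed immediately by the table header row, with no blank line between them, and the header row starts with a leading space. Elsewhere in this change set, blank lines around converted blocks are added explicitly. Add an empty line after "**Planned ExpressRoute meet-me locations in California and New York**" and remove the leading space before `|Location`, so the caption is parsed as its own paragraph and the header row starts at column one like the rows below it.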
Here's a short link you can use to come back: [https://aka.ms/implementexpressro
[Office 365 URLs and IP address ranges](https://support.office.com/article/8548a211-3fe7-47cb-abb1-355ea5aa88a2)
-[Office 365 network and performance tuning](network-planning-and-performance.md)
+[Office 365 network and performance tuning](network-planning-and-performance.md)
enterprise Managing Office 365 Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/managing-office-365-endpoints.md
These CNAME redirects are a normal part of the DNS and are transparent to the cl
A proxy server validates the initial URL, which in the above example is serviceA.office.com, and this URL would be included in Office 365 publishing. The proxy server requests DNS resolution of that URL to an IP Address and will receive back IP_1. It does not validate the intermediary CNAME redirection records.
-Hard-coded configurations or whitelisting based on indirect Office 365 FQDNs are not recommended, not supported by Microsoft, and are known to cause customer connectivity issues. DNS solutions that block on CNAME redirection, or that otherwise incorrectly resolve Office 365 DNS entries, can be solved via DNS forwarders with DNS recursion enabled or by using DNS root hints. Many third-party network perimeter products natively integrate recommended Office 365 endpoint whitelisting in their configuration using the [Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md).
+Hard-coded configurations or using an allowlist based on indirect Office 365 FQDNs are not recommended, not supported by Microsoft, and are known to cause customer connectivity issues. DNS solutions that block on CNAME redirection, or that otherwise incorrectly resolve Office 365 DNS entries, can be solved via DNS forwarders with DNS recursion enabled or by using DNS root hints. Many third-party network perimeter products natively integrate recommended Office 365 endpoint to include an allowlist in their configuration using the [Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md).
<a name="bkmk_akamai"> </a> ### Why do I see names such as nsatc.net or akadns.net in the Microsoft domain names?
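Review bot: The terminology swap on the added line leaves two sentences grammatically broken. "Hard-coded configurations or using an allowlist based on indirect Office 365 FQDNs are not recommended" mixes a noun phrase with a gerund; "Hard-coded configurations or allowlists based on indirect Office 365 FQDNs" keeps the original parallel structure. In the last sentence, "natively integrate recommended Office 365 endpoint to include an allowlist in their configuration" no longer parses; something like "natively integrate the recommended Office 365 endpoint allowlist in their configuration" preserves what the removed line said.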
enterprise Microsoft 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-germany-endpoints.md
Office 365 requires connectivity to the Internet. The endpoints below should be
**Office 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | [Office 365 operated by 21 Vianet](urls-and-ip-address-ranges-21vianet.md) | *Office 365 Germany* | [Office 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Office 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) |
-|||
-|:--|:--|
-|**Last updated:** 12/01/2020 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/Germany?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) |**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/Germany?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list. <br/> |
+**Last updated:** 12/01/2020 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/Germany?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
+
+**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/Germany?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list.
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. You can always refer to the [change log subscription](https://endpoints.office.com/version/Germany?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7).
enterprise Monitor Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/monitor-connectivity.md
Once you've deployed Microsoft 365, you can maintain Microsoft 365 connectivity
## Monitoring Microsoft 365 Connectivity
-|||
+|Type of monitoring |Description |
|:--|:--| |**Getting notified of new Microsoft 365 endpoints** <br/> |If you're [Managing Microsoft 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a), you'll want to receive notifications when we publish new endpoints, you can subscribe to our RSS feed using your favorite RSS reader. Here is how to [subscribe via Outlook](https://go.microsoft.com/fwlink/p/?LinkId=532416) or you can [have the RSS feed updates emailed to you](https://go.microsoft.com/fwlink/p/?LinkId=532417). <br/> | |**Use System Center to Monitor Microsoft 365** <br/> |If you're using Microsoft System Center, you can download the [System Center Management Pack for Office 365](https://www.microsoft.com/download/details.aspx?id=43708) to begin monitoring Microsoft 365 today. For more detailed guidance, please see the management pack operations guide. <br/> |
enterprise Ms Cloud Germany Transition Add Csp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-csp.md
Cloud Solution Providers (CSPs) supporting customers need to take additional st
## Partner tenant migration
-Partner Microsoft Cloud Deutschland tenants won't be migrated. CSP customers will be migrated to Office 365 services under the new Office 365 services tenant of the same partner. After customer migration, the partner can manage this customer only from the Office 365 services tenant.
+Partner Microsoft Cloud Deutschland tenants won't be migrated. Instead, a new Office 365 services tenant will be created for each Microsoft Partner in the new German datacenter region.
+
+CSP customer tenants will be migrated to the new German datacenter region and be linked to the new Office 365 services tenant of the same partner. After customer transition, the partner can manage the customer using the new Office 365 services tenant in the German datacenter region.
## Missing subscriptions in Azure
-After [the subscription and license transition (phase 3)](ms-cloud-germany-transition-phases.md#Phase-9-&-10:-Azure-AD-Finalization) has been completed, Cloud Solution Providers will not have access to the Azure subscription anymore.
+After [the subscription and license transition (phase 3)](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed, Cloud Solution Providers will not have access to the Azure subscription anymore.
-To recover access, follow these steps to [elevate access to manage all Azure subscriptions and management groups](azure/role-based-access-control/elevate-access-global-admin).
+To recover access, follow these steps to [elevate access to manage all Azure subscriptions and management groups](/azure/role-based-access-control/elevate-access-global-admin).
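Review bot: The corrected anchor now points to `#phase-9--10-azure-ad-finalization`, but the link text on the same line still reads "the subscription and license transition (phase 3)". Either the text or the target is wrong: a reader who clicks "phase 3" lands on the Phase 9 and 10 heading. Confirm which phase is meant and make the link text match the section it targets. The change to a root-relative `/azure/role-based-access-control/...` path in the second link looks right.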
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Failing to complete this task may result in hybrid free-busy requests failing to
Between Phase 2 and phase 3, Partner Portal may not be accessible. During this time, Partner may not be able to access the tenant's information on the Partner Portal. Since each migration is different, the duration of in-accessibility could be in hours.
-Additional information for Cloud Solution Providers are available [here](ms-cloud-germany-transition-add-csp.md#Partner-tenant-migration).
+Additional information for Cloud Solution Providers is available in [Partner tenant migration](ms-cloud-germany-transition-add-csp.md#partner-tenant-migration).
+ ## Phase 4: SharePoint Online
enterprise Network Planning And Performance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-planning-and-performance.md
description: "This article will help you plan your network bandwidth requirement
# Network planning and performance tuning for Microsoft 365 Before you deploy for the first time or migrate to Microsoft 365, you can use the information in these topics to estimate the bandwidth you need and then to test and verify that you have enough bandwidth to deploy or migrate to Microsoft 365. For an overview, see: [Network and migration planning for Microsoft 365](network-and-migration-planning.md).
-|||||
+|Category |Description |Category |Description |
|:--|:--|:--|:--| |**Network planning** <br/> ![Network](../medi#calculators). <br/> | |**Best practices** <br/> ![Best practices](../medi#NetReference). <br/> |
enterprise Protect Your Global Administrator Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-your-global-administrator-accounts.md
Last updated 09/30/2020 audience: Admin-+ localization_priority: Normal
enterprise Set Up Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/set-up-directory-synchronization.md
Last updated 09/30/2020 audience: Admin-+ localization_priority: Normal f1.keywords:
enterprise Skype For Business Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/skype-for-business-online.md
Title: "Skype for Business Online in Office 365 - Admin Help" -+ Last updated 6/29/2018 audience: Admin
enterprise Urls And Ip Address Ranges 21Vianet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md
hideEdit: true
**Office 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | *Office 365 operated by 21 Vianet* | [Office 365 Germany](microsoft-365-germany-endpoints.md) | [Office 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Office 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) |
-|||
-|:--|:--|
-|**Last updated:** 03/29/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/China?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list. <br/> |
+**Last updated:** 03/29/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
+
+**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/China?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list.
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
includes Office 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-germany-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Germany endpoints version 2020120100-->
-<!--File generated 2021-05-18 11:00:55.7922-->
+<!--File generated 2021-06-14 14:00:54.6697-->
## Exchange Online
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--China endpoints version 2021032900-->
-<!--File generated 2021-05-18 11:00:53.9210-->
+<!--File generated 2021-06-14 14:00:53.2385-->
## Exchange Online
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovDoD endpoints version 2021052800-->
-<!--File generated 2021-05-28 11:00:04.2192-->
+<!--File generated 2021-06-14 14:00:50.5186-->
## Exchange Online
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovGCCHigh endpoints version 2021052800-->
-<!--File generated 2021-05-28 11:00:05.5203-->
+<!--File generated 2021-06-14 14:00:51.6921-->
## Exchange Online
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021052800-->
-<!--File generated 2021-05-28 11:00:02.0258-->
+<!--File generated 2021-06-14 14:00:48.5739-->
## Exchange Online
knowledge Topic Experiences Security Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-security-privacy.md
The following table describes what users - topic viewers, contributors, and know
|Pages|Pages are only visible to users who have permissions to the source content.| |Sites|Sites are only visible to users who have permissions to the source content.|
+## Users' personal and private data
+
+Viva Topics only discovers topics in the SharePoint sites that you specify. UsersΓÇÖ personal storage such as personal mail or OneDrive is not included.
+ ## Best practices Topics presents information to users based on their existing permissions to content. Microsoft 365 provides a variety of ways to ensure that sensitive content is restricted to appropriate users. Beyond standard team or site permissions, you can use [sensitivity labels](../compliance/sensitivity-labels.md) or [data loss prevention](../compliance/dlp-learn-about-dlp.md) to restrict access to content and [access reviews](/azure/active-directory/governance/access-reviews-overview) to periodically review user access to sensitive information.
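Review bot: In the added paragraph under "Users' personal and private data", the possessive shows up as "UsersΓÇÖ personal storage", which suggests a curly apostrophe that is not surviving encoding. The new heading two lines above uses a plain ASCII apostrophe ("Users'"); use the same character in the body text. Also, as shown here, the "## Best practices" heading follows the new paragraph on a line that begins with a space, and the body text runs on after it, so check that the source has the heading at column one with a blank line before and after it.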
managed-desktop MMD And ITSM https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/MMD-and-ITSM.md
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation, ITIS
++ ms.localizationpriority: normal
managed-desktop Get Started Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-devices.md
Title: Get your users ready to use devices
-description:
+description: Information to help you get your users ready to use devices.
keywords: Microsoft Managed Desktop, device, get started, Microsoft 365 f1.keywords: - NOCSH ++ ms.localizationpriority: normal
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/index.md
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
++ ms.localizationpriority: normal
managed-desktop M365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/m365-apps.md
f1.keywords: - NOCSH + ms.localizationpriority: normal
managed-desktop Project Visio https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/project-visio.md
keywords: Microsoft Managed Desktop, Microsoft 365, Microsoft Project, Microsoft
++ ms.localizationpriority: normal Last updated 03/07/2019
managed-desktop Technologies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/technologies.md
Microsoft 365 Enterprise licensing is required for all Microsoft Managed Desktop
This article summarizes the components included in the required Enterprise licenses, with a description of how the service uses each component with Microsoft Managed Desktop devices. Specific roles and responsibilities for each area are detailed throughout Microsoft Managed Desktop documentation. ## Office 365 E3 or E5
- |
- |
+ |Product |Information
Microsoft 365 Apps for enterprise (64-bit) | These Office applications will be shipped with the device: Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, OneNote.<br><br>The 64-bit full versions of Microsoft Project and Microsoft Visio aren't included. However, since the installation of these applications depends on the Microsoft 365 Apps for enterprise installation, Microsoft Managed Desktop has created default Microsoft Intune deployments and security groups that you can then use to deploy these applications to licensed users. For more information, see [Install Microsoft Project or Microsoft Visio on Microsoft Managed Desktop devices](../get-started/project-visio.md). OneDrive |Azure Active Directory Single Sign On is enabled for users when they first sign in to OneDrive.<br><br>Known Folder Redirection for "Desktop", "Document", and "Pictures" folders is included; enabled and configured by Microsoft Managed Desktop. Store Apps | Microsoft Sway and Power BI aren't shipped with the device. These apps are available for download from Microsoft Store.
Web Applications | Yammer, Office in a browser, Delve, Flow, StaffHub, PowerApps
## Windows 10 Enterprise E5 or E3 with Microsoft Defender for Endpoint We recommend that your IT admins configure the following settings. These settings aren't included or managed as part of Microsoft Managed Desktop.
- |
- |
+ |Product |Information
Windows Hello for Business | You should implement Windows Hello for Business to replace passwords with strong two-factor authentication for Microsoft Managed Desktop devices. For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification). Application Virtualization | You can deploy Application Virtualization (App-V) packages using the Intune Win32 app management client. For more information, see [Application Virtualization](/windows/application-management/app-v/appv-technical-reference). Microsoft 365 data loss prevention | You should implement Microsoft 365 data loss prevention to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information, see [Microsoft 365 data loss prevention](../../compliance/endpoint-dlp-learn-about.md).
Microsoft 365 data loss prevention | You should implement Microsoft 365 data los
Features included and managed as part of Microsoft Managed Desktop:
- |
- |
+ |Product |Information
BitLocker Drive Encryption | BitLocker Drive Encryption is used to encrypt all system drives. For more information, see [BitLocker Drive Encryption](/windows/security/information-protection/bitlocker/bitlocker-overview). Windows Defender System Guard | Protects the integrity of the system at startup and validates that system integrity has truly been maintained. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows). Windows Defender Credential Guard | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. For more information, see [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows).
Microsoft Defender for Endpoint - Attack Surface Reduction | Attack surface redu
Microsoft Defender for Endpoint - Exploit Protection | Protects against malware that uses exploits to infect devices and spread by automatically applying exploit mitigation techniques to both operating system processes and apps. For more information, see [Microsoft Defender for Endpoint - Exploit Protection](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection). Microsoft Defender for Endpoint - Network Protection | Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP and HTTPS traffic that attempts to connect to low-reputation sources. For more information, see [Microsoft Defender for Endpoint - Network Protection](/windows/security/threat-protection/microsoft-defender-atp/network-protection). Microsoft Defender Tamper Protection | Windows Tamper Protection is used to prevent security settings such as anti-virus protection from being changed. For more information, see [Microsoft Defender Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection).
-Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection | Always on scanning for file and process threats which may not be detected as malware. For more information, see [Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
+Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection | Always on scanning for file and process threats which may not be detected as malware. For more information, see [Microsoft Defender Antivirus Behavior-based, heuristic, and real-time antivirus protection](../../security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md).
Microsoft Defender Antivirus Cloud-delivered Protection | Provides dynamic near-instant, automated protection against new and emerging threats. For more information, see [Microsoft Defender Antivirus Cloud-delivered Protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus). Microsoft Defender "Block at first sight" | Provides detection and blocking of new malware when Windows detects a suspicious or unknown file. For more information, see [Microsoft Defender Block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). Microsoft Defender AV Potentially Unwanted Applications | Potentially unwanted applications is used to block apps that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. For more information, see [Microsoft Defender AV Potentially Unwanted Applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
User Account Control | User Account Control switches to the Secure Desktop when
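Review bot: only the Behavior-based, heuristic, and real-time antivirus protection row is moved to the relative `../../security/defender-endpoint/` path, while the next rows in the same table (Cloud-delivered Protection, Block at first sight, Potentially Unwanted Applications) still link to `/windows/security/threat-protection/microsoft-defender-antivirus/...`. If the Defender Antivirus articles have moved, update those rows in the same change so the table does not mix old and new locations. Otherwise, state in the commit why this one link differs.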
## Enterprise Mobility + Security E5
+ |Product |Information
| | Enterprise Mobility + Security E3<br>Azure Active Directory Premium P2 | You can use all features of Enterprise Mobility + Security E3 to manage MDM devices. You can use Azure Active Directory Premium P2 as an optional feature with Microsoft Managed Desktop.
managed-desktop Device Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-services.md
This topic lists the services and service limitations for Microsoft Managed Desk
Microsoft will provide these services for Microsoft Managed Desktop devices. For a list of recommended Microsoft Managed Desktop program devices, filter for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site.
- |
- |
+ |Service | Description
Support | Support agents will answer questions directly related to device functionality and diagnose device issues. Inventory | All devices are tracked in the Microsoft Managed Desktop Admin portal for inventory and status tracking. Firmware / driver updates | By default, Microsoft Managed Desktop devices receive firmware and driver updates from Windows Update. Not all hardware partners deploy their updates via Windows Update. Updates not published as Automatic require an exception and must be deployed by the customer.
For information on Surface warranties and repairs:
Microsoft will not provide service for these items.
- |
- |
+ |Service | Description
Personalization | Devices and accessories provided with the service are unable to be customized. All devices and accessories are provided with standard branding, specification, and color combinations. Application deployment and policy configurations are handled through IT-as-a-Service. Data recovery | User and team data, including personalization, is stored in OneDrive for Business, with only cache data residing locally. If data is intentionally stored on the device's internal storage system, any data recovery must be attempted and completed prior to returning the device to Microsoft. Device setup | Devices are delivered to the customer address, where they need to be powered on and set up by the customer.
managed-desktop Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/support.md
Title: Support for Microsoft Managed Desktop
-description:
+description: Describes proactive and reactive incident management for Microsoft Managed Desktop.
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation ++ ms.localizationpriority: normal
managed-desktop Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
f1.keywords: - NOCSH ++ ms.localizationpriority: normal
Microsoft Managed Desktop uses four Azure AD groups to manage updates:
- **Broad**: Last group to have feature and quality updates available. This group contains most of users in the tenant, and therefore favors stability over speed in deployment. Testing of apps should be done here as the environment is most stable. ### Moving devices between update groups
-You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, [submit an administrator support request](../working-with-managed-desktop/admin-support.md?view=o365-worldwide) and we will move the devices for you.
+You might want some devices to receive updates last and others that you want to go first. To move these devices into the appropriate update group, [submit an administrator support request](../working-with-managed-desktop/admin-support.md) and we will move the devices for you.
> [!NOTE] > If you need to move a user to a different update group, submit a support request. Do not move devices between update groups yourself. There are serious consequences if a device is moved incorrectly. The device could update unexpectedly and policies might conflict, changing the device configuration.
managed-desktop Manage Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/manage-apps.md
f1.keywords: - NOCSH ++ ms.localizationpriority: normal Last updated 01/18/2019
microsoft-365-docs-navigation-guide Microsoft 365 Docs Navigation Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/microsoft-365-docs-navigation-guide.md
+ # Microsoft 365 docs navigation guide
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) #### [Phase 2: Setup](switch-to-microsoft-defender-setup.md) #### [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md)
-### [Switch from McAfee to Microsoft Defender for Endpoint]()
-#### [Overview of migration](mcafee-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](mcafee-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md)
-### [Switch from Symantec to Microsoft Defender for Endpoint]()
-#### [Overview of migration](symantec-to-microsoft-defender-endpoint-migration.md)
-#### [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md)
-#### [Phase 2: Setup](symantec-to-microsoft-defender-atp-setup.md)
-#### [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md)
-### [Manage Microsoft Defender for Endpoint after migration]()
-#### [Overview of managing Microsoft Defender for Endpoint](manage-atp-post-migration.md)
+### [Manage Defender for Endpoint after migration]()
+#### [Overview of managing Defender for Endpoint](manage-atp-post-migration.md)
#### [Intune (recommended)](manage-atp-post-migration-intune.md) #### [Configuration Manager](manage-atp-post-migration-configuration-manager.md) #### [Group Policy Objects](manage-atp-post-migration-group-policy-objects.md)
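Review bot: the ten removed McAfee and Symantec entries drop `mcafee-to-microsoft-defender-*.md` and `symantec-to-microsoft-defender-*.md` from the TOC, but nothing in this hunk shows what happens to those articles. Confirm they are redirected to the generic `switch-to-microsoft-defender-*.md` phases listed just above, so existing inbound links to the vendor-specific migration guides still resolve. The renamed entries also shorten the product name to "Defender for Endpoint" while the target file stays `manage-atp-post-migration.md`; check that the article's own title was renamed to match.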
security Audit Windows Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/audit-windows-defender.md
+ ms.technology: mde Last updated 06/02/2021- # Test attack surface reduction in Microsoft Defender for Endpoint
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
description: Exclude files from Microsoft Defender Antivirus scans based on thei
keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library localization_priority: Normal + - # Configure and validate exclusions based on file extension and folder location **Applies to:**
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
description: Enable or disable users from locally changing settings in Microsoft
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 02/13/2020 - # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings - **Applies to:**
You can disable this setting to ensure that only globally-defined lists (such as
## Related topics - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
+- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
description: You can configure Microsoft Defender Antivirus features with Intune
keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 06/04/2021 - # Configure Microsoft Defender Antivirus features - **Applies to:**
The following broad categories of features can be configured:
- [Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) > [!TIP]
-> Review [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md).
+> Review [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md).
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
description: Configure and test your connection to the Microsoft Defender Antivi
keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 06/04/2021 - # Configure and validate Microsoft Defender Antivirus network connections
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
description: Learn how to configure and customize both standard and additional M
keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 05/17/2021 - # Configure the notifications that appear on endpoints
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
description: You can exclude files from scans if they have been opened by a spec
keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + - # Configure exclusions for files opened by processes - **Applies to:**
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
description: Enable behavior-based, heuristic, and real-time protection in Micro
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + - # Configure behavioral, heuristic, and real-time protection - **Applies to:**
See [Use next-gen Microsoft Defender Antivirus technologies through cloud-delive
Topic | Description | [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
-[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
+[Enable and configure Microsoft Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Microsoft Defender Antivirus monitoring features
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
description: Enable and configure Microsoft Defender Antivirus real-time protect
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 12/16/2019- - # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy - **Applies to:**
To disable real-time protection in Group policy:
## Related articles - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
description: Configure what Microsoft Defender Antivirus should do when it detec
keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + Last updated 03/16/2021 - # Configure remediation for Microsoft Defender Antivirus detections - **Applies to:**
Also see [Configure remediation-required scheduled full Microsoft Defender Antiv
- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) - [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
description: Windows Server includes automatic exclusions, based on server role.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localization_priority: Normal + + Last updated 02/10/2021- # Configure Microsoft Defender Antivirus exclusions on Windows Server **Applies to:**
This section lists the folder exclusions that are delivered automatically when y
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Control Usb Devices Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/control-usb-devices-using-intune.md
audience: ITPro+ ms.technology: mde
security Customize Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro+
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
## Customize the notification
-For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center).
+For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).
## See also:
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
Title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
+ Title: Run and customize scheduled and on-demand scans.
+description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh ms.prod: m365-security
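Review bot: the trailing period appears to have landed on the wrong metadata line. The new `Title:` value now ends in a period and is indented by a space, while `description:` lost the period it had. Titles normally carry no terminal punctuation and the description is a sentence, so this should read `Title: Run and customize scheduled and on-demand scans` with the period restored on the description line.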
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/03/2018
ms.technology: mde- # Deploy, manage, and report on Microsoft Defender Antivirus
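Review bot: `localization_priority` is lowercased to `normal` here, but other articles touched in this same batch still carry `localization_priority: Normal` in their metadata, and the managed-desktop files use a differently named key, `ms.localizationpriority: normal`. Pick one key and one casing for the whole docset and apply it in a single pass, and confirm the build treats the value case-insensitively. The extra blank `+` line inside the metadata block also looks unintended.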
security Deploy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+
Last updated 01/06/2021
ms.technology: mde- # Deploy and enable Microsoft Defender Antivirus
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+
Last updated 06/11/2021
ms.technology: mde- # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+ Last updated 05/18/2021
ms.technology: mde- # Turn on cloud-delivered protection
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
Group Policy settings that disable local administrator list merging will overrid
* Microsoft Defender Antivirus **Configure local administrator merge behavior for lists** * System Center Endpoint Protection **Allow users to add exclusions and overrides**
-For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender AV policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender AV policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).
## Windows Security app
For more information about disabling local list merging, see [Prevent or allow u
## Mobile Device Management (MDM)
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/windows/client-management/mdm/policy-csp-defender) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Microsoft Endpoint Configuration Manager
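Review bot: dropping the `#defender-controlledfolderaccessprotectedfolders` fragment on the `+` line sends readers to the top of the Defender policy CSP page instead of the setting being discussed. If the old anchor broke, point to the current anchor for that setting rather than removing it. While editing this line, also check the link text: it reads `./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders`, without the `Defender/` segment that the equivalent network protection link (`./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection`) includes.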
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security localization_priority: Normal+
Enable network protection by using any of these methods:
### Mobile device management (MDM)
-Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
+Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](/windows/client-management/mdm/policy-csp-defender) configuration service provider (CSP) to enable or disable network protection or enable audit mode.
### Microsoft Endpoint Manager (formerly Intune)
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro+
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/03/2018
ms.technology: mde- # Evaluate Microsoft Defender Antivirus
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro+
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro+
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/03/2018
ms.technology: mde-
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/17/2018
ms.technology: mde- # Manage event-based forced updates
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/03/2018
ms.technology: mde- # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
search.appverid: met150
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+ ms.technology: mde- # Manage the schedule for when protection updates should be downloaded and applied
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+ ms.technology: mde- # Manage the sources for Microsoft Defender Antivirus protection updates
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 06/09/2021 Last updated : 06/14/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
Last updated 06/09/2021
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) - Microsoft Defender Antivirus
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Make sure to update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- Security intelligence updates - Product updates
-> [!IMPORTANT]
-> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
->
-> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](./microsoft-defender-antivirus-compatibility.md).
->
-> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+> [!TIP]
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
## Security intelligence updates
All our updates contain
- performance improvements; - serviceability improvements; and - integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)).
-<br/>
+<br/><br/>
<details> <summary> May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)</summary>
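Review bot: The added `[!TIP]` line drops the period that closed the same sentence in the removed `[!IMPORTANT]` block, and the rewritten intro paragraph now uses "keeping Microsoft Defender Antivirus up to date" in both its first and its last sentence. Suggest restoring the period after the `defenderupdates` link and shortening the lead-in to "There are two types of updates:". The passive-mode reminder also loses its callout by moving into body text; if it is still meant to stand out, keep it in a `[!NOTE]`. The `<br/><br/>` before `<details>` is spacing done with raw HTML, and a blank line would do the same.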
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+ ms.technology: mde- # Manage updates for mobile devices and virtual machines (VMs)
security Mcafee To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-migration.md
- Title: Migrate from McAfee to Microsoft Defender for Endpoint
-description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-overview
-- Previously updated : 05/14/2021---
-# Migrate from McAfee to Microsoft Defender for Endpoint
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
---
-When you make the switch from McAfee to Defender for Endpoint, you begin with your McAfee solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove McAfee.
-
-## The migration process
-
-When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases: Prepare, Setup, and Onboard.
-
-![Migration phases - prepare setup onboard](images/phase-diagrams/migration-phases.png)
-
-|Phase |Description |
-|--|--|
-|[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During the [**Prepare**](mcafee-to-microsoft-defender-prepare.md) phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During the [**Setup**](mcafee-to-microsoft-defender-setup.md) phase, you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and your existing endpoint protection solution. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During the [**Onboard**](mcafee-to-microsoft-defender-onboard.md) phase, you onboard your devices to Microsoft Defender for Endpoint, confirm that Microsoft Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall McAfee and make sure that Defender for Endpoint is working correctly. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|||
-| [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](overview-attack-surface-reduction.md) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](overview-endpoint-detection-response.md) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](behavioral-blocking-containment.md) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](automated-investigations.md) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).**
-
-## Next step
--- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md).
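Review bot: No redirect or replacement article is visible for the removed `mcafee-to-microsoft-defender-migration.md`. The phase articles removed alongside it all link to `mcafee-to-microsoft-defender-migration.md#the-migration-process`, so this file is the hub of the set, and any inbound link from outside the set will break unless a redirect entry ships with the removal. Please confirm the redirect exists and points at the article that now covers the migration process.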
security Mcafee To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-onboard.md
- Title: McAfee to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-McAfeemigrate
- - m365solution-scenario
-- Previously updated : 05/14/2021---
-# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)--
-|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-
-2. [Run a detection test](#run-a-detection-test).
-
-3. [Confirm that Microsoft Defender Antivirus is in passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
-
-4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-
-5. [Uninstall McAfee](#uninstall-mcafee).
-
-6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-| Operating system |Method |
-|||
-| Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise<p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-| Windows Server 2019 and later<p>Windows Server 2019 core edition<p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md)<p>[Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[System Center Configuration Manager](configure-endpoints-sccm.md)<p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows Server 2016 <p>Windows Server 2012 R2<p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-|Operating system |Guidance |
-|||
-| Windows 10<p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md). |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
-
-## Confirm that Microsoft Defender Antivirus is in passive mode
-
-Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.<p> 2. Type `sc query windefend`, and then press Enter.<p> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<p> 2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p> 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
-
-To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
-
-1. Open Registry Editor, and then navigate to
-`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to `1`.
- - Under **Base**, select **Hexadecimal**.
-
- > [!NOTE]
- > You can use other methods to set the registry key, such as the following:
- > - Group Policy Preference
- > - Local Group Policy Object tool
- > - A package in Configuration Manager
-
-### Start Microsoft Defender Antivirus on Windows Server 2016
-
-If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode.
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates-- Product updates-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
--
-## Uninstall McAfee
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee. To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
-
-## Make sure Defender for Endpoint is working correctly
-
-Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection-- Potentially Unwanted Applications (PUA)-- Network Protection (NP)-
-> [!IMPORTANT]
-> If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
-
-## Next steps
-
-**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
--- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). -- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
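Review bot: `mpcmdrun.exe -wdenable` is called a "PowerShell cmdlet" in two places in the removed text (under "Start Microsoft Defender Antivirus on Windows Server 2016" and in the closing `[!IMPORTANT]` block), but it is a command-line executable; if these steps are being moved into a consolidated migration article, correct the wording there instead of copying it. The same applies to the Command Prompt row of the passive-mode table, which tells the reader to confirm passive mode from `sc query windefend` without saying what output to look for, while the PowerShell row names the `AMRunningMode` values.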
security Mcafee To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-prepare.md
- Title: McAfee to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-scenario
-- Previously updated : 05/14/2021---
-# Migrate from McAfee - Phase 1: Prepare for your migration
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-|![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](mcafee-to-microsoft-defender-setup.md)<br/>[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
--
-**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-
-2. [Get Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get and deploy updates across your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Defender for Endpoint.
-
-### Make sure your McAfee solution is up to date
-
-Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources:
--- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html)--- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830) --- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428)--- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com))-
-### Make sure your organization's devices are up to date
-
-Need help updating your organization's devices? See the following resources:
-
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](prepare-deployment.md#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
-
- - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
-
- - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)
-
- - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|--|--|--|
-| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) | [Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
-|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections)
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
--- [Proceed to set up Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
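Review bot: The removed sentence under "Get and deploy updates across your organization's devices" is garbled ("the operating systems and apps your organization is also have the latest updates"), and the last row of the proxy and connectivity table (the Linux Antivirus row) has no closing `|`. If this Prepare content is reused in another migration article, fix both there so the defects are not carried over.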
security Mcafee To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-setup.md
- Title: McAfee to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-mcafeemigrate
- - m365solution-scenario
-- Previously updated : 05/14/2021---
-# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](mcafee-to-microsoft-defender-prepare.md)<br/>[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](mcafee-to-microsoft-defender-onboard.md)<br/>[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-
-1. [Reinstall or enable Microsoft Defender Antivirus on your endpoints](#reinstall-or-enable-microsoft-defender-antivirus-on-your-endpoints).
-
-2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
-
-3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
-
-4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
-
-5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-
-6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Reinstall or enable Microsoft Defender Antivirus on your endpoints
-
-On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-
-On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
-
-On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
-
-This step of the migration process includes the following tasks:
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)-
-### Set DisableAntiSpyware to false on Windows Server
-
-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
-
- - If you do see **DisableAntiSpyware**, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets: <br/>
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
-
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Examples:
- >
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
- >
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
-
- `Get-Service -Name windefend`
-
- Look for a status of *Running*.
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-1. Open Registry Editor, and then navigate to
-`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to `1`.
-
- - Under Base, select **Hexadecimal**.
-
-> [!NOTE]
-> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server.
-
-### Are you using Windows Server 2016?
-
-If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
-
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-
-`mpcmdrun -wdenable`
-
-For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to <br/>
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to **1**.
-
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-## Configure Defender for Endpoint
-
-This step of the migration process involves configuring Defender for Endpoint. We recommend using Intune; however, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. <br/>If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<p>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
-
-This step of the setup process involves adding Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
-
-> [!TIP]
-> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
-
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-| Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p>Windows 10, version 1703 or [1709](/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
-| [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add McAfee to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-
-When you add [exclusions to Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md), you should add path and process exclusions.
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<p>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<p>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p>5. Click **OK**.<p>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p>7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-Keep the following points in mind:
--- Path exclusions exclude specific files and whatever those files access.--- Process exclusions exclude whatever a process touches, but does not exclude the process itself.--- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.--- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](machine-groups.md) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <p>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](automated-investigations.md#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](machine-tags.md). <p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
-|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <p>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<p> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
--- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).--- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
--- [Proceed to Phase 3: Onboard to Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
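Review bot: Before this file is deleted, check that switch-to-microsoft-defender-setup.md, which takes over the `m365solution-mcafeemigrate` collection in this update, still carries the security-relevant guidance that lives here: the rule under "Keep the following points in mind" to list process exclusions by full path rather than by name only, and the Windows Server 2016 statement that Microsoft Defender Antivirus cannot run in passive mode alongside a non-Microsoft product. The deleted text also links to `mcafee-to-microsoft-defender-migration.md#the-migration-process` and `mcafee-to-microsoft-defender-onboard.md`, so if those pages are retired as well, add redirects so existing bookmarks still resolve.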
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+ - ms.technology: mde Last updated 05/08/2021
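Review bot: Casing of `localization_priority` is now inconsistent across this update: this file moves from `Normal` to `normal`, while prevent-changes-to-security-settings-with-tamper-protection.md still shows `Normal` and microsoft-defender-antivirus-in-windows-10.md shows `Priority`. Confirm the build treats the value case-insensitively, or apply one casing to every file in the set.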
security Microsoft Defender Antivirus In Windows 10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security localization_priority: Priority+ ms.technology: mde- # Next-generation protection
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+ ms.technology: mde- # Microsoft Defender Antivirus in the Windows Security app
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
f1.keywords: NOCSH Previously updated : 09/24/2020 Last updated : 06/14/2021 ms.technology: mde
-# Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus
-
+# Make the switch to Microsoft Defender for Endpoint
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
ms.technology: mde
## Migration guides
-If you're considering switching from a non-Microsoft 365 Defender solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
+If you're considering moving to Defender for Endpoint, we have guidance to help. In the following table, review the scenarios. Select the scenario that best represents your situation, and see the recommended guidance.
-|Scenario |Guidance |
-|:--|:--|
-|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
-|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
-|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
-|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md) |
-|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
-|You've migrated to Microsoft Defender for Endpoint & Microsoft Defender Antivirus, and you need help with next steps, such as configuring additional features or fine-tuning your security settings. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
+| Scenario | Guidance |
+|:-|:-|
+| You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. <p> You want to see how Defender for Endpoint works before rolling it out in your environment. | [Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
+| You already have Defender for Endpoint, and you want some help getting everything set up and configured. | [Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
+| You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint and Microsoft Defender Antivirus. <p> You want to get an overview of the migration process and how to make the switch. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
+| You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
-## Got feedback?
+## Do you have feedback for us?
Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
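Review bot: The replacement table no longer names McAfee or Symantec anywhere, so an admin scanning for their current vendor has nothing to match on; the row for "a non-Microsoft endpoint protection solution" is now the only entry point. Consider naming them in that row, for example "such as McAfee or Symantec", since switch-to-microsoft-defender-migration.md picks up the `m365solution-mcafeemigrate` and `m365solution-symantecmigrate` collections in this same update. That row is also the only one that still says "Defender for Endpoint and Microsoft Defender Antivirus", while the other rows and the new title drop the Antivirus name; use one form throughout.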
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
Title: Prepare Microsoft Defender for Endpoint deployment
-description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender for Endpoint
+description: Prepare stakeholder approval, timelines, environment considerations, and adoption order for deploying Microsoft Defender for Endpoint
keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption search.product: eADQiWindows 10XVcnh search.appverid: met150
Defender for Endpoint supports two ways to manage permissions:
Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.
-You can find details on permission guidelines
-[here](/microsoft-365/security/defender-endpoint/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
+You can find details on permission guidelines here:
+[Create roles and assign the role to an Azure Active Directory group](/microsoft-365/security/defender-endpoint/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC
how the endpoint security suite should be enabled.
## Next step
-![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender for Endpoint deployment
-
+|||
+|:-|:--|
+|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender for Endpoint deployment |
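Review bot: The new "Next step" table uses an empty header row (`|||`) purely for layout, which renders as a blank header cell and gives screen readers nothing to announce for either column. Either keep the previous single-line form or give the columns real headers, for example "Phase" and "Description".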
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro+ ms.technology: mde- Last updated 05/17/2021
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+
Last updated 06/10/2021
ms.technology: mde- # Configure and run on-demand Microsoft Defender Antivirus scans
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+ Last updated 10/26/2020
ms.technology: mde- # Specify the cloud-delivered protection level
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
- M365-security-compliance - m365solution-migratetomdatp - m365solution-overview
+ - m365solution-mcafeemigrate
+ - m365solution-symantecmigrate
Previously updated : 05/20/2021 Last updated : 06/14/2021 ms.technology: mde # Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
-If you are thinking about switching from your non-Microsoft endpoint protection to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), you're in the right place. Use this article as a guide.
+If you are thinking about switching from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), you're in the right place. Use this article as a guide.
:::image type="content" source="images/nonms-mde-migration.png" alt-text="Overview of migrating to Defender for Endpoint":::
-When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution operating in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, set Defender for Endpoint to active mode, and then remove the non-Microsoft solution.
-
-> [!TIP]
-> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
-> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md).
+When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution operating in active mode. Then, you configure Defender for Endpoint in passive mode, and onboard your devices to Defender for Endpoint. Next, you set Defender for Endpoint to active mode. Finally, you remove the non-Microsoft solution.
## The migration process
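Review bot: The rewritten overview still says "configure Defender for Endpoint in passive mode" and "set Defender for Endpoint to active mode", but the setup steps in this update apply passive mode to Microsoft Defender Antivirus through the `ForcePassiveMode` DWORD. Name the component in this sentence so readers do not look for a passive-mode switch on the Defender for Endpoint service itself. With the TIP that pointed to the McAfee and Symantec guides removed, also confirm that those two guides redirect to this article.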
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
audience: ITPro
- M365-security-compliance - m365solution-migratetomdatp
+ - m365solution-mcafeemigrate
+ - m365solution-symantecmigrate
Previously updated : 05/20/2021 Last updated : 06/14/2021
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
audience: ITPro
- M365-security-compliance - m365solution-migratetomdatp
+ - m365solution-mcafeemigrate
+ - m365solution-symantecmigrate
Previously updated : 05/20/2021 Last updated : 06/14/2021
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
audience: ITPro
- M365-security-compliance - m365solution-migratetomdatp
+ - m365solution-mcafeemigrate
+ - m365solution-symantecmigrate
Previously updated : 05/20/2021 Last updated : 06/14/2021
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
1. As a local administrator on the endpoint or device, open Windows PowerShell. 2. Run the following PowerShell cmdlets: <br/> + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <p> `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+ Example:<br/>
+
+ `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
+ `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
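Review bot: Step 2 tells the reader to "Run the following PowerShell cmdlets", but both lines are `Dism` command-line calls, and `/Get-FeatureInfo` only reports the state of the feature, so the step checks whether the feature is present and changes nothing. Reword to "commands" and say what output the reader should look for and what to do if the feature is reported as disabled. With the `> [!NOTE]` marker removed, the `sysnative` caveat now reads as part of step 2 itself; spell out "PS" as PowerShell and change "Example:" to "Examples:" since two commands follow.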
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. 2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:+ - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**.
security Symantec To Microsoft Defender Atp Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-onboard.md
- Title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding
-description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-symantecmigrate
- Previously updated : 05/14/2021----
-# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
--
-**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-
-2. [Run a detection test](#run-a-detection-test).
-
-3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).
-
-4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-
-5. [Uninstall Symantec](#uninstall-symantec).
-
-6. [Make sure Microsoft Defender for Endpoint is working correctly](#make-sure-microsoft-defender-for-endpoint-is-working-correctly).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|||
-|Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise<p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint)<br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-| Windows Server 2019 and later <p>Windows Server 2019 core edition<p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md)<p>[Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[System Center Configuration Manager](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)<p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-| Windows Server 2016<p>Windows Server 2012 R2<p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-|Operating system |Guidance |
-|||
-| Windows 10<p>Windows Server 2019<p>Windows Server, version 1803<p>Windows Server 2016<p>Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
-
-## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
-
-Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-| Method | What to do |
-|:--|:--|
-| Command Prompt | 1. On a Windows device, open Command Prompt as an administrator. <p>2. Type `sc query windefend`, and then press Enter. <p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator. <p>2. Run the `Get-MpComputerStatus` cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
-
-> [!NOTE]
-> You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.
-
-### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
-
-To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
-
-1. Open Registry Editor, and then navigate to
-`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to 1.
- - Under Base, select Hexadecimal.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
-> - Group Policy Preference
-> - Local Group Policy Object tool
-> - A package in Configuration Manager
-
-### Start Microsoft Defender Antivirus on Windows Server 2016
-
-If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode.
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
--- Security intelligence updates-- Product updates-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
-
-## Uninstall Symantec
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
-
-1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
-
-2. Delete the uninstall password for Symantec:<br/>
-
- 1. On your Windows devices, open Registry Editor as an administrator.
-
- 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
-
- 3. Look for an entry named **SmcInstData**.
-
- 4. Right-click the item, and then choose **Delete**.
-
-3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
-
- - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
-
- - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
-
- - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
-
- - Linux devices: [Frequently Asked Questions for Endpoint Protection on Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-
-## Make sure Microsoft Defender for Endpoint is working correctly
-
-Now that you have uninstalled Symantec, your next step is to make sure that Defender for Endpoint is working correctly. Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection-- Potentially Unwanted Applications (PUA)-- Network Protection (NP)-
-## Next steps
-
-**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
-- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). -- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
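Review bot: Removing this article drops the Symantec-specific uninstall steps in the "Uninstall Symantec" section: disabling Tamper Protection, deleting the **SmcInstData** entry under `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`, and the Broadcom removal links. switch-to-microsoft-defender-setup.md gains the `m365solution-symantecmigrate` tag in this same update, so confirm that the generic migration articles carrying that tag either include equivalent uninstall guidance or link to Broadcom's documentation. Otherwise readers arriving from the old URL lose those steps.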
security Symantec To Microsoft Defender Atp Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-prepare.md
- Title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing
-description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-symantecmigrate
- Previously updated : 05/14/2021----
-# Migrate from Symantec - Phase 1: Prepare for your migration
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-|![Phase 1: Prepare](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare |[![Phase 2: Set up](images/phase-diagrams/setup.png)](symantec-to-microsoft-defender-atp-setup.md)<br/>[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
--
-**Welcome to the Prepare phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-
-1. [Update your organization's devices](#update-your-organizations-devices).
-
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings)
-
-## Update your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Defender for Endpoint.
-
-### Make sure Symantec is up to date
-
-Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
-
-Need help? See Broadcom's documentation: [Symantec Endpoint Protection Installation and Administration Guide](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all.html)
-
-### Make sure your endpoints are up to date
-
-Need help updating your organization's devices? See the following resources:
--
-|OS |Resource |
-|||
-|Windows | [Microsoft Update](https://www.update.microsoft.com/) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541) |
-|iOS | [Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204) |
-|Android | [Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
--
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Defender for Endpoint today. [Visit Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](prepare-deployment.md#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
-
- - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
-
- - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)
-
- - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|:-|:-|:|
-|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information/) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |[Windows 10](/windows/release-health/release-information/)<p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803)<p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
-|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on Mac: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
-- [Proceed to set up Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
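Review bot: No redirect is visible for this deleted file, and its opening and closing paragraphs link to `symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process` and `symantec-to-microsoft-defender-atp-setup.md`. Confirm that the overview article is removed or updated in the same change, and that a redirect entry maps this URL to the replacement article, so existing bookmarks and the `#the-migration-process` anchor do not break.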
security Symantec To Microsoft Defender Atp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-setup.md
- Title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up
-description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-symantecmigrate
- Previously updated : 05/14/2021----
-# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-|[![Phase 1: Prepare](images/phase-diagrams/prepare.png)](symantec-to-microsoft-defender-atp-prepare.md)<br/>[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |![Phase 2: Set up](images/phase-diagrams/setup.png)<br/>Phase 2: Set up |[![Phase 3: Onboard](images/phase-diagrams/onboard.png)](symantec-to-microsoft-defender-atp-onboard.md)<br/>[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-||*You are here!* | |
--
-**Welcome to the Setup phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**. This phase includes the following steps:
-
-1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).
-
-2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
-
-3. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
-
-4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-
-5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-
-6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Reinstall/enable Microsoft Defender Antivirus on your endpoints
-
-On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
-
-On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
--- Set DisableAntiSpyware to false on Windows Server (only if necessary)--- Reinstall Microsoft Defender Antivirus on Windows Server--- Set Microsoft Defender Antivirus to passive mode on Windows Server-
-### Set DisableAntiSpyware to false on Windows Server
-
-The DisableAntiSpyware registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, Symantec. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
- - If you do see DisableAntiSpyware, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This action sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see **[DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**.
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-1. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Examples:
- >
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
- >
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
- `Get-Service -Name windefend`
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-1. Open Registry Editor, and then navigate to <br/>
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
- - Set the DWORD's value to **1**.
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
->
-> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server.
-
-### Are you using Windows Server 2016?
-
-If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-
-`mpcmdrun -wdenable`
-
-For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
-
-## Configure Defender for Endpoint
-
-This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints. We recommend using Intune; however, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
-
-This step of the setup process involves adding Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-| Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p> Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p> [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
-| [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p> [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p> [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p> [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p> [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add Symantec to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-> [!NOTE]
-> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
-
-|Method | What to do|
-|--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p>2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p>5. Select **OK**.<p>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column.<br/>- Enter **0** in the **Value** column.<p>7. Select **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)-
-## Set up your device groups, device collections, and organizational units
-
-Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following table describes each of these groups and how to configure them. Your organization might not use all three collection types.
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
-|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
--- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).--- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
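Review bot: The removed "Keep the following points in mind" list under the Microsoft Defender Antivirus exclusions table carries the security-relevant guidance in this article: process exclusions cover what a process touches but not the process itself, and process exclusions should be listed by full path because the name-only method is less secure. Confirm that whichever article now covers this migration keeps those points alongside the exclusion paths, so that admins do not fall back to name-only process exclusions.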
security Symantec To Microsoft Defender Endpoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-endpoint-migration.md
- Title: Migrate from Symantec to Microsoft Defender for Endpoint
-description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
-keywords: migration, Microsoft Defender for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365solution-symantecmigrate
- - m365solution-overview
- Previously updated : 05/14/2021----
-# Migrate from Symantec to Microsoft Defender for Endpoint
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)--
-When you make the switch from Symantec to Defender for Endpoint, you begin with your Symantec solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove Symantec.
-
-## The migration process
-
-When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png)
-
-|Phase |Description |
-|--|--|
-|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and Symantec Endpoint Protection. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint, confirm that Microsfot Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall Symantec and make sure that Defender for Endpoint is working correctly. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|||
-| [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](overview-attack-surface-reduction.md) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](overview-endpoint-detection-response.md) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](behavioral-blocking-containment.md) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](automated-investigations.md) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).**
-
-## Next step
--- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md).
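Review bot: This removal deletes the overview that the phase articles link back to; the setup article removed above points at `symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process`, and this file links out to the prepare, setup and onboard articles. Add redirect entries for the deleted file names in the same change so that inbound links and bookmarks land on the replacement guidance instead of a missing page.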
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
Title: Understand the analyst report section in threat analytics
+ Title: Understand the analyst report section in threat analytics.
-description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
+description: How the report section of threat analytics reports provides information about threats, mitigation, detections, advanced hunting queries, and more.
keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Understand the analyst report in threat analytics
+# The analyst report in threat analytics
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
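Review bot: The new `Title:` value ends with a period ("...in threat analytics."), which no other title in this set of changes does, and it still starts with "Understand" while the H1 in the same hunk drops that word ("The analyst report in threat analytics"). Remove the trailing period and make the metadata title and the H1 agree.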
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md
Title: Track and respond to emerging threats with Microsoft Defender for Endpoint threat analytics
-description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
+description: Understand emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Track and respond to emerging threats with threat analytics
+# Track and respond to emerging threats through threat analytics
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
When using the reports, keep the following in mind:
## Related topics - [Proactively find threats with advanced hunting](advanced-hunting-overview.md) - [Understand the analyst report section](threat-analytics-analyst-reports.md)-- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
+- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
security Troubleshoot Exploit Protection Mitigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security localization_priority: Normal+ audience: ITPro
security Troubleshoot Microsoft Defender Antivirus When Migrating https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library localization_priority: normal+
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: Normal
+localization_priority: normal
+
Last updated 09/11/2018
ms.technology: mde- # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
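Review bot: The `localization_priority` value changes from `Normal` to `normal` here with no stated reason, while other articles in this same batch still carry `Normal`. If the build treats the value as case-insensitive this is churn; if it is case-sensitive the remaining files are wrong. Say which in the commit message and apply one casing across all touched articles.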
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
The steps below provide guidance for the following scenario:
- Device is turned off or restarted before the end user performs a first logon - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
+<div class="alert"><b>NOTE:</b> User Logon after OOBE is no longer required for SENSE service to start on the following or more recent Windows versions: Windows 10, version 1809 or Windows Server 2019 with [April 22 2021 update rollup](https://support.microsoft.com/kb/5001384) </br> Windows 10, version 1909 with [April 2021 update rollup](https://support.microsoft.com/kb/5001396) </br> Windows 10, version 2004/20H2 with [April 28 2021 update rollup](https://support.microsoft.com/kb/5001391) </div>
+<br></br>
> [!NOTE] > The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender for Endpoint](/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
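Review bot: The added `<div class="alert">` note puts Markdown links (the three KB links) inside a raw HTML block, where many Markdown renderers leave them unrendered, and it uses `</br>` and `<br></br>`, which are not valid HTML. The context line immediately below already uses the `> [!NOTE]` convention; write this note the same way, with the three Windows versions as a bulleted list so each version is paired visibly with its update rollup.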
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: normal
+ ms.technology: mde- # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
security Api Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-error-codes.md
DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
DisallowedOperation | Forbidden (403) | \<the disallowed operation and the reason\>. NotFound | Not Found (404) | General Not Found error message. ResourceNotFound | Not Found (404) | Resource \<the requested resource\> was not found.
-InternalServerError | Internal Server Error (500) | *Note: No error message, retry the operation or contact Microsoft if it does not get resolved*
+InternalServerError | Internal Server Error (500) | *Note: No error message, retry the operation or [contact Microsoft](/microsoft-365/business-video/get-help-support) if it does not get resolved*
## Examples
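Review bot: The new "contact Microsoft" link on the `InternalServerError` row points to `/microsoft-365/business-video/get-help-support`, a path under the business-video content, which is an odd destination for someone debugging a 500 from a security API. Check that this is the intended support page for API consumers, and consider stating what to include in the support request, since the row says no error message is returned.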
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
This table lists the filter names that are available.
| Status | You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved. | |||
+## Save defined filters as URLs
+
+Once you have configured a useful filter in the incidents queue, you can bookmark the URL of the browser tab or otherwise save it as a link on a Web page, a Word document, or a place of your choice. This will give you single-click access to key views of the incident queue, such as:
+
+- New incidents
+- High-severity incidents
+- Unassigned incidents
+- High-severity, unassigned incidents
+- Incidents assigned to me
+- Incidents assigned to me and for Microsoft Defender for Endpoint
+- Incidents with a specific tag or tags
+- Incidents with a specific threat category
+- Incidents with a specific associated threat
+- Incidents with a specific actor
+
+Once you have compiled and stored your list of useful filter views as URLs, you can use it quickly process and prioritize the incidents in your queue and [manage](manage-incidents.md) them for subsequent analysis.
+ ## Next steps After you've determined which incident requires the highest priority, select it and:
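Review bot: The closing sentence of the new section is missing a word: "you can use it quickly process and prioritize" should read "you can use it to quickly process and prioritize". In the bullet list, "Incidents assigned to me and for Microsoft Defender for Endpoint" is also hard to parse; name the filter it refers to (for example, the service source) so that it reads like the other bullets.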
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Anti-malware**. 2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies:- - **Name** - **Status** - **Priority**
To change the priority of a policy, you click **Increase priority** or **Decreas
2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name. 3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
- - The anti-malware policy with the **Priority** value **0** has only the **Decrease priority** option available.
- - The anti-malware policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more anti-malware policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+ - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
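Review bot: The reworded second bullet keeps the phrase "the lowest **Priority** value (for example, **3**)", which contradicts the first bullet: 0 is numerically the lowest value, and the bullet means the policy with the lowest priority, that is, the highest number. Since these bullets are being edited anyway, reword it to "the policy with the lowest priority (the highest **Priority** value, for example **3**)". The same wording appears in the identical hunks for the anti-phishing articles below.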
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
To change the priority of a policy, you click **Increase priority** or **Decreas
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name. 3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
- - The anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** option available.
- - The anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+ - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
To change the priority of a policy, you click **Increase priority** or **Decreas
2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name. 3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
- - The anti-phishing policy with the **Priority** value **0** has only the **Decrease priority** option available.
- - The anti-phishing policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more anti-phishing policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+ - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
To change the priority of a policy, you click **Increase priority** or **Decreas
3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies: - The outbound spam policy with the **Priority** value **0** has only the **Decrease priority** option available. - The outbound spam policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more outbound spam policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+ - If you have three or more outbound spam policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
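Review bot: This hunk only inserts "the" into the third bullet and leaves "The outbound spam policy with..." in the first two, whereas the anti-malware and anti-phishing articles in the same batch drop the policy-type qualifier from all three bullets. Pick one wording and apply it to every bullet in the outbound spam and anti-spam articles as well, so the five procedures read the same.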
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
To change the priority of a policy, you click **Increase priority** or **Decreas
3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies: - The anti-spam policy with the **Priority** value **0** has only the **Decrease priority** option available. - The anti-spam policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
- - If you have three or more anti-spam policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+ - If you have three or more anti-spam policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
security Exchange Online Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md
ms.prod: m365-security
Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. > [!NOTE]
-> EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see [Standalone Exchange Online Protection](/exchange/standalone-eop/standaonline-eop).
+> EOP is also available by itself to protect on-premises mailboxes and in hybrid environments to protect on-premises Exchange mailboxes. For more information, see [Standalone Exchange Online Protection](/exchange/standalone-eop/standalone-eop).
The steps to set up EOP security features and a comparison to the added security that you get in Microsoft Defender for Office 365, see [protect against threats](protect-against-threats.md). The recommended settings for EOP features are available in [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md).
security Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams.md
To learn more about the user experience when a file has been detected as malicio
Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams will show up in [reports for Microsoft Defender for Office 365](view-reports-for-mdo.md) and in [Explorer (and real-time detections)](threat-explorer.md).
-As of May 2018, when a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine. For more information, see [Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
+As of May 2018, when a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine. For more information, see [Manage quarantined files in Defender for Office 365](manage-quarantined-messages-and-files.md#use-the-microsoft-365-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
## Keep these points in mind
security Old Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/old-index.md
Title: Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO
+ Title: Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO
search.appverid:
- M365-security-compliance - m365initiative-defender-office365
-description: Security in Office 365, from EOP to Defender for Office 365 Plans 1 and 2, Standard vs. Strict security configurations, and more. Understand what you have, and how to secure your properties.
+description: Security in Office 365, from EOP to Defender for Office 365 Plans 1 and 2, Standard vs. Strict security configurations, and more. Understand what you have and learn how to secure your properties.
ms.technology: mdo ms.prod: m365-security
-# Office 365 Security overview
+# Office 365 security
+ **Applies to** - [Exchange Online Protection](exchange-online-protection-overview.md)
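Review bot: The metadata title and the H1 move in opposite directions in this hunk: the title gains "overview" ("Office 365 Security overview, Microsoft Defender for Office 365, EOP, MSDO") while the heading drops it ("# Office 365 security"). Suggest picking one form for both, and matching capitalization ("Security" in the title, "security" in the heading), so search results and the page heading agree.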
Catch up on [what's new in Microsoft Defender for Office 365 (including EOP deve
[Use Threat Explorer or Real-time detections](threat-explorer.md)
-Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)
+Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
Title: Office 365 Security, Microsoft Defender for Office 365, EOP, MSDO
Previously updated : 08/13/2020 Last updated : 06/11/2021 audience: Admin
ms.technology: mdo
ms.prod: m365-security
-# Office 365 Security overview
+# Microsoft Defender for Office 365 security overview
**Applies to** - [Exchange Online Protection](exchange-online-protection-overview.md) - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) -
-This article will introduce you to your new security properties in the Cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.
+This article will introduce you to your new Microsoft Defender for Office 365 security properties in the Cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.
> [!CAUTION] > If you're using **Outlook.com**, **Microsoft 365 Family**, or **Microsoft 365 Personal**, and need *Safe Links* or *Safe Attachments* info, ***click this link***: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-office-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2).
-## Office 365 security spelled out
+## What is Defender for Office 365 security
Every Office 365 subscription comes with security capabilities. The goals and actions that you can take depend on the focus of these different subscriptions. In Office 365 security, there are three main security services (or products) tied to your subscription type:
You may be accustomed to seeing these three components discussed in this way:
But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this:
-<!--:::image type="content" source="../../media/tp-EOPATPStack.PNG" alt-text="Placeholder graphic":::-->
- :::image type="content" source="../../media/tp_GraphicEOPATPP1P2_2.png" alt-text="EOP and Microsoft Defender for Office 365 and their relationships to one another with service emphasis, including a note for email authentication."::: Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding.
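Review bot: The unchanged line "But in terms of architecture, let's start by thinking of each piece as cumulative layers of security ... More like this:" now introduces nothing, because the image it leads into is removed here with no replacement line. Suggest either restoring a graphic or rewording that sentence so it no longer ends in "More like this:". Separately, the new heading "## What is Defender for Office 365 security" sits over body text that still says "Every Office 365 subscription comes with security capabilities" and "In Office 365 security, there are three main security services", so heading and body name different things; the heading is also phrased as a question without a question mark.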
If you have an Office 365 E3, or below, you have EOP, but with the option to buy
## The Office 365 security ladder from EOP to Microsoft Defender for Office 365
-![EOP and Microsoft Defender for Office 365 and their security emphasis, going from Protect and Detect to Investigate and Respond. Email Authentication configuration (at least DKIM and DMARC) should be set up for EOP and up.](../../media/tp_EOPATPP1P2Take6.gif#lightbox)
- > [!IMPORTANT] > Learn the details on these pages: [Exchange Online Protection](exchange-online-protection-overview.md), and [Defender for Office 365](defender-for-office-365.md).
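Review bot: Removing the ladder graphic also removes its alt text, which is the only place in this hunk that states "Email Authentication configuration (at least DKIM and DMARC) should be set up for EOP and up". That is operational guidance, not decoration, so suggest carrying it into the body text under this heading. The unchanged heading "## The Office 365 security ladder from EOP to Microsoft Defender for Office 365" also still promises a ladder that the section no longer shows.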
Catch up on [what's new in Microsoft Defender for Office 365 (including EOP deve
[Use Threat Explorer or Real-time detections](threat-explorer.md)
-Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)
+Use [Attack Simulator in Microsoft Defender for Office 365](attack-simulator.md)
+
security Permissions Microsoft 365 Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md
The Microsoft 365 Defender portal includes default role groups for the most comm
## Roles and role groups in the Microsoft 365 Defender portal
-The following types of roles and role groups are available in **Permissions & roles** in the Microsoft 365 Defender portalr:
+The following types of roles and role groups are available in **Permissions & roles** in the Microsoft 365 Defender portal:
- **Azure AD roles**: You can view the roles and assigned users, but you can't manage them directly in the Microsoft 365 Defender portal. Azure AD roles are central roles that assign permissions for **all** Microsoft 365 services.
security Report Junk Email And Phishing Scams In Outlook For Ios And Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-for-iOS-and-Android.md
- Title: Report junk and phishing email in Outlook for iOS and Android
- - NOCSH
--- Previously updated : -
-localization_priority: Normal
- - MET150
-
- - M365-security-compliance
-description: Admins can learn about the built-in junk, not junk, and phishing email reporting options in Outlook for iOS and Android.
--
-# Report junk and phishing email in Outlook for iOS and Android in Exchange Online
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using [hybrid modern authentication](../../enterprise/hybrid-modern-auth-overview.md), you can submit false positives (good email marked as spam), false negatives (bad email allowed), and phishing messages to Exchange Online Protection (EOP).
-
-## What do you need to know before you begin
--- For the best user submission experience we recommend using the Report Message and the Report Phishing add-ins. See [Enable the Report Message add-in](./enable-the-report-message-add-in.md) and [Enable the Report Phishing add-in](./enable-the-report-phish-add-in.md) for more information.--- If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).--- You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User Submissions policies](user-submission.md).--- For more information about reporting messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).-
- > [!NOTE]
- > If junk email reporting is disabled for Outlook in the user submission policy, junk or phishing messages will be moved to the Junk folder and not reported to your admin or Microsoft.
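Review bot: The note at the end of this deleted article, "If junk email reporting is disabled for Outlook in the user submission policy, junk or phishing messages will be moved to the Junk folder and not reported to your admin or Microsoft", describes a case where user reports silently stop reaching the security team, and no line in this change shows it being moved elsewhere. Suggest confirming that the same statement exists in user-submission.md (or the article that replaces this one) and that the removed path redirects there.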
security Report Junk Email And Phishing Scams In Outlook On The Web Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md
- Title: Report junk and phishing email in Outlook on the web
- - NOCSH
--- Previously updated : --
-localization_priority: Normal
- - MET150
-
- - M365-security-compliance
-description: Admins can learn about the built-in junk, not junk, and phishing email reporting options in Outlook on the web (Outlook Web App) in Exchange Online, and how to disable these reporting options for users.
--
-# Report junk and phishing email in Outlook on the web in Exchange Online
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-In Microsoft 365 organizations with mailboxes in Exchange Online or on-premises mailboxes using [hybrid modern authentication](../../enterprise/hybrid-modern-auth-overview.md), you can submit false positives (good email marked as spam), false negatives (bad email allowed), and phishing messages to Exchange Online Protection (EOP).
-
-## What do you need to know before you begin?
-
-> [!IMPORTANT]
-> We recommend the Report Message add-in or the Report Phishing add-in for user submissions. For more information, see [Enable the Report Message or the Report Phishing add-ins](./enable-the-report-message-add-in.md). We don't recommend the built-in reporting experience in Outlook because it can't use the [user submission policy](./user-submission.md).
--- If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).--- Admins can disable or enable the ability for users to report messages to Microsoft in Outlook on the web. For details, see the [Disable or enable junk email reporting in Outlook on the web](#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) section later in this article.--- You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see [User submissions policies](user-submission.md).--- For more information about reporting messages to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).-
-## Disable or enable junk email reporting in Outlook on the web
-
-By default, users can report spam false positives, false negatives, and phishing messages to Microsoft for analysis in Outlook on the web. Admins can configure Outlook on the web mailbox policies in Exchange Online PowerShell to prevent users from reporting spam false positives and spam false negatives to Microsoft. You can't disable the ability for users to report phishing messages to Microsoft.
-
-### What do you need to know before you begin?
--- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).--- You need to be assigned permissions in Exchange Online before you can do the procedures in this article. Specifically you need the **Recipient Policies** or **Mail Recipients** roles, which are assigned to the **Organization Management** and **Recipient Management** role groups by default. For more information about role groups in Exchange Online, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo) and [Modify role groups in Exchange Online](/Exchange/permissions-exo/role-groups#modify-role-groups).--- Every organization has a default policy named OwaMailboxPolicy-Default, but you can create custom policies. Custom policies are applied to scoped users before the default policy. For more information about Outlook on the web mailbox policies, see [Outlook on the web mailbox policies in Exchange Online](/Exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/outlook-web-app-mailbox-policies).--- Disabling junk email reporting doesn't remove the ability to mark a message as junk or not junk in Outlook on the web. Selecting a message in the Junk email folder and clicking **Not junk** \> **Not junk** still moves the message back into the Inbox. Selecting a message in any other email folder and clicking **Junk** \> **Junk** still moves the message into the Junk Email folder. What's no longer available is the option to report the message to Microsoft.-
-### Use Exchange Online PowerShell to disable or enable junk email reporting in Outlook on the web
-
-1. To find your existing Outlook on the web mailbox policies and the status of junk email reporting, run the following command:
-
- ```powershell
- Get-OwaMailboxPolicy | Format-Table Name,ReportJunkEmailEnabled
- ```
-
-2. To disable or enable junk email reporting in Outlook on the web, use the following syntax:
-
- ```powershell
- Set-OwaMailboxPolicy -Identity "<OWAMailboxPolicyName>" -ReportJunkEmailEnabled <$true | $false>
- ```
-
- This example disables junk email reporting in the default policy.
-
- ```powershell
- Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ReportJunkEmailEnabled $false
- ```
-
- This example enables junk email reporting in the custom policy named Contoso Managers.
-
- ```powershell
- Set-OwaMailboxPolicy -Identity "Contoso Managers" -ReportJunkEmailEnabled $true
- ```
-
-For detailed syntax and parameter information, see [Get-OwaMailboxPolicy](/powershell/module/exchange/get-owamailboxpolicy) and [Set-OwaMailboxPolicy](/powershell/module/exchange/set-owamailboxpolicy).
-
-### How do you know this worked?
-
-To verify that you've successfully enabled or disabled junk email reporting in Outlook on the web, use any of the following steps:
--- In Exchange Online PowerShell, run the following command and verify the **ReportJunkEmailEnabled** property value:-
- ```powershell
- Get-OwaMailboxPolicy | Format-Table Name,ReportJunkEmailEnabled
- ```
--- Open an affected user's mailbox in Outlook on the web, select a message in the Inbox, click **Junk** \> **Junk** and verify the prompt to report the message to Microsoft is or is not displayed.<sup>\*</sup>--- Open an affected user's mailbox in Outlook on the web, select a message in the Junk Email folder, click **Junk** \> **Junk** and verify the prompt to report the message to Microsoft is or is not displayed.<sup>\*</sup>-
-<sup>\*</sup> Users can hide the prompt to report the message while still reporting the message. To check this setting in Outlook on the web:
-
-1. Click **Settings** ![Outlook on the web settings icon](../../media/owa-settings-icon.png) \> **View all Outlook settings** \> **Junk email**.
-2. In the **Reporting** section, verify the value: **Ask me before sending a report**.
-
- ![Outlook on the web Junk Email Reporting settings](../../media/owa-junk-email-reporting-options.png)
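Review bot: Deleting this article removes the section "Disable or enable junk email reporting in Outlook on the web", which the article links to by its own anchor (#disable-or-enable-junk-email-reporting-in-outlook-on-the-web), along with the Get-OwaMailboxPolicy and Set-OwaMailboxPolicy -ReportJunkEmailEnabled procedure; no line in this change adds that content anywhere else or sets up a redirect. Suggest confirming a redirect for the removed path and moving the procedure to the replacement article, including the statements that phishing reporting cannot be disabled and that custom Outlook on the web mailbox policies are applied before OwaMailboxPolicy-Default.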
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
Examples of the values that you can enter and their results are described in the
Each Safe Links policy contains a **Do not rewrite the following URLs** list that you can use to specify URLs that are not rewritten by Safe Links scanning. In other words, the list allows users who are included in the policy to access the specified URLs that would otherwise be blocked by Safe Links. You can configure different lists in different Safe Links policies. Policy processing stops after the first (likely, the highest priority) policy is applied to the user. So, only one **Do not rewrite the following URLs** list is applied to a user who is included in multiple active Safe Links policies.
-To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-create-safe-links-policies) or [Modify Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-modify-safe-links-policies).
+To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](set-up-safe-links-policies.md#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) or [Modify Safe Links policies](set-up-safe-links-policies.md#use-the-microsoft-365-defender-portal-to-modify-safe-links-policies).
**Notes**:
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
ms.prod: m365-security
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you are a home user looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
-Safe Links is a feature in [Microsoft Defender for Office 365](defender-for-office-365.md) that provides URL scanning of inbound email messages in mail flow, and time of click verification of URLs and links in email messages and in other locations. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links.md).
+Safe Links in [Microsoft Defender for Office 365](defender-for-office-365.md) provides URL scanning of inbound email messages in mail flow, and time of click verification of URLs and links in email messages and in other locations. For more information, see [Safe Links in Microsoft Defender for Office 365](safe-links.md).
There's no built-in or default Safe Links policy. To get Safe Links scanning of URLs, you need to create one or more Safe Links policies as described in this article. > [!NOTE]
+>
> You configure the global settings for Safe Links protection **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md).
+>
+> Admins should consider the different configuration settings for Safe Links. One of the available options is to include user identifiable information in Safe Links. This feature enables *Security Ops teams* to investigate potential user compromise, take corrective action, and limit costly breaches.
-You can configure Safe Links policies in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
+You can configure Safe Links policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions).
The basic elements of a Safe Links policy are: - **The safe links policy**: Turn on Safe Links protection, turn on real-time URL scanning, specify whether to wait for real-time scanning to complete before delivering the message, turn on scanning for internal messages, specify whether to track user clicks on URLs, and specify whether to allow users to click trough to the original URL. - **The safe links rule**: Specifies the priority and recipient filters (who the policy applies to).
-> [!IMPORTANT]
-> Admins should consider the different configuration settings for SafeLinks. One of the available options is to include user identifiable information in SafeLinks. This feature enables *Security Ops teams* to investigate potential user compromise, take corrective action, and limit costly breaches.
-
-The difference between these two elements isn't obvious when you manage Safe Links polices in the Security & Compliance Center:
+The difference between these two elements isn't obvious when you manage Safe Links polices in the Microsoft 365 Defender portal:
- When you create a Safe Links policy, you're actually creating a safe links rule and the associated safe links policy at the same time using the same name for both. - When you modify a Safe Links policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the safe links rule. All other settings modify the associated safe links policy.
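Review bot: The guidance about including user identifiable information in Safe Links is demoted here from its own [!IMPORTANT] callout to a trailing paragraph inside the [!NOTE] about global settings, and it still does not name the setting it refers to. Because that option affects what Security Ops can investigate and what user data is recorded, suggest keeping it as a separate callout and naming the setting, or linking to where it is configured. Also, the rewritten line "when you manage Safe Links polices in the Microsoft 365 Defender portal" carries over the typo "polices" from the old line, and the unchanged policy description still says "click trough".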
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Safe Links** page, use <https://protection.office.com/safelinksv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Safe Links** page, use <https://security.microsoft.com/safelinksv2>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions before you can do the procedures in this article:
- - To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Security & Compliance Center **and** a member of the **Organization Management** role group in Exchange Online.
+ - To create, modify, and delete Safe Links policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal **and** a member of the **Organization Management** role group in Exchange Online.
- For read-only access to Safe Links policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
- For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+ For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
> [!NOTE]
- >
- > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
. - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature. - For our recommended settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
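Review bot: The link text is updated to "Permissions in the Microsoft 365 Defender portal" but the target is still permissions-in-the-security-and-compliance-center.md, so the label and destination now disagree. This same batch of changes touches permissions-microsoft-365-security-center.md, whose section is titled "Roles and role groups in the Microsoft 365 Defender portal"; suggest checking whether that is the intended target. The unchanged line after the note also begins with a stray "." before "- The **View-Only Organization Management** role group", which looks like a broken list item.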
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the polic
- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365.md#new-features-in-microsoft-defender-for-office-365). As new features are added, you may need to make adjustments to your existing Safe Links policies.
-## Use the Security & Compliance Center to create Safe Links policies
+## Use the Microsoft 365 Defender portal to create Safe Links policies
-Creating a custom Safe Links policy in the Security & Compliance Center creates the safe links rule and the associated safe links policy at the same time using the same name for both.
+Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates the safe links rule and the associated safe links policy at the same time using the same name for both.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.
-2. On the **Safe Links** page, click **Create**.
+2. On the **Safe Links** page, click ![Create icon](../../media/m365-cc-sc-create-icon.png) **Create**.
3. The **New Safe Links policy** wizard opens. On the **Name your policy** page, configure the following settings: - **Name**: Enter a unique, descriptive name for the policy.- - **Description**: Enter an optional description for the policy. When you're finished, click **Next**.
-4. On the **Settings** page that appears, configure the following settings:
+4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+ - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
- - **Select the action for unknown potentially malicious URLs in messages**: Select **On** to enable Safe Links protection for links in email messages.
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Select **On** to enable Safe Links protection for links in Teams.
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this setting to enable real-time scanning of links in email messages.
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- - **Wait for URL scanning to complete before delivering the message**: Select this setting to wait for real-time URL scanning to complete before delivering the message.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
- - **Apply Safe Links to email messages sent within the organization**: Select this setting to apply the Safe Links policy to messages between internal senders and internal recipients.
+ When you're finished, click **Next**.
+5. On the **Protection settings** page that appears, configure the following settings:
+ - **Select the action for unknown potentially malicious URLs in messages**: Select **On** to enable Safe Links protection for links in email messages. If you turn this setting on, the following settings are available:
+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this option to enable real-time scanning of links in email messages. If you turn this setting on the following setting is available:
+ - **Wait for URL scanning to complete before delivering the message**: Select this option to wait for real-time URL scanning to complete before delivering the message.
+ - **Apply Safe Links to email messages sent within the organization**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients.
+ - **Select the action for unknown or potentially malicious URLs within Microsoft Teams**: Select **On** to enable Safe Links protection for links in Teams.
- **Do not track user clicks**: Leave this setting unselected to enable the tracking user clicks on URLs in email messages.-
- - **Do not allow users to click through to original URL**: Select this setting to block users from clicking through to the original URL in [warning pages](safe-links.md#warning-pages-from-safe-links).
-
+ - **Do not allow users to click through to original URL**: Select this option to block users from clicking through to the original URL in [warning pages](safe-links.md#warning-pages-from-safe-links).
- **Do not rewrite the following URLs**: Allows access the specified URLs that would otherwise be blocked by Safe Links.
- In the box, type the URL or value that you want, and then click ![Add button icon](../../media/ITPro-EAC-AddIcon.png).
+ In the box, type the URL or value that you want, and then click **Add**. Repeat this step as many times as necessary.
- To remove an existing entry, select it and then click ![Delete button icon](../../media/ITPro-EAC-DeleteIcon.png).
+ To remove an existing entry, click ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the entry.
For entry syntax, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).
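Review bot: The new "Exclude these users, groups, and domains" item in step 4 has a typo, "(recpient exceptions)", which should read "(recipient exceptions)" to match "(recipient conditions)" earlier in the same step. In step 5, "If you turn this setting on the following setting is available:" needs a comma after "on", as in the parent bullet's "If you turn this setting on, the following settings are available:". The unchanged bullets "Leave this setting unselected to enable the tracking user clicks" and "Allows access the specified URLs" are each missing a word ("tracking of", "access to") and sit between rewritten lines, so they are worth fixing in the same pass.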
Creating a custom Safe Links policy in the Security & Compliance Center creates
When you're finished, click **Next**.
-5. On the **Applied to** page that appears, identify the internal recipients that the policy applies to.
-
- You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
-
- Click **Add a condition**. In the dropdown that appears, select a condition under **Applied if**:
-
- - **The recipient is**: Specifies one or more mailboxes, mail users, or mail contacts in your organization.
- - **The recipient is a member of**: Specifies one or more groups in your organization.
- - **The recipient domain is**: Specifies recipients in one or more of the configured accepted domains in your organization.
-
- After you select the condition, a corresponding dropdown appears with an **Any of these** box.
-
- - Click in the box and scroll through the list of values to select.
- - Click in the box and start typing to filter the list and select a value.
- - To add additional values, click in an empty area in the box.
- - To remove individual entries, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the value.
- - To remove the whole condition, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the condition.
-
- To add an additional condition, click **Add a condition** and select a remaining value under **Applied if**.
-
- To add exceptions, click **Add a condition** and select an exception under **Except if**. The settings and behavior are exactly like the conditions.
+6. On the **Notification** page that appears, select one of the following values for **How would you like to notify your users?**:
+ - **Use the default notification text**
+ - **Use custom notification text**: If you select this value, the following settings appear:
+ - **Use Microsoft Translator for automatic localization**
+ - **Custom notification text**: Enter the custom notification text in this box.
When you're finished, click **Next**.
-6. On the **Review your settings** page that appears, review your settings. You can click **Edit** on each setting to modify it.
+7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
- When you're finished, click **Finish**.
+ When you're finished, click **Submit**.
-## Use the Security & Compliance Center to view Safe Links policies
+8. On the confirmation page that appears, click **Done**.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
+## Use the Microsoft 365 Defender portal to view Safe Links policies
-2. On the **Safe Links** page, select a policy from the list and click on it (don't select the check box).
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.
- The policy details appear in a fly out
+2. On the **Safe Links** page, the following properties are displayed in the list of Safe Links policies:
+ - **Name**
+ - **Status**
+ - **Priority**
-## Use the Security & Compliance Center to modify Safe Links policies
+3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
+## Use the Microsoft 365 Defender portal to modify Safe Links policies
-2. On the **Safe Links** page, select a policy from the list and click on it (don't select the check box).
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**.
-3. In the policy details fly out that appears, click **Edit policy**.
+2. On the **Safe Links** page, select a policy from the list by clicking on the name.
-The available settings in the fly out that appears are identical to those described in the [Use the Security & Compliance Center to create Safe Links policies](#use-the-security--compliance-center-to-create-safe-links-policies) section.
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create Safe Links policies](#use-the-microsoft-365-defender-portal-to-create-safe-links-policies) section in this article.
To enable or disable a policy or set the policy priority order, see the following sections. ### Enable or disable Safe Links policies
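Review bot: The navigation path is not consistent within this change. Step 1 of the view and modify procedures reads **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Links**, while step 1 of the enable/disable, priority and remove procedures reads **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**. Pick one form (with or without the leading **Email & Collaboration** node, and one capitalization of "Policies & rules" and "Threat policies") and use it in every procedure, so an admin following the steps lands on the same page each time.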
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
-
-2. Notice the value in the **Status** column:
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
- - Move the toggle to the left to disable the policy: ![Turn policy off](../../media/scc-toggle-off.png).
+2. On the **Safe Links** page, select a policy from the list by clicking on the name.
- - Move the toggle to the right to enable the policy: ![Turn policy on](../../media/scc-toggle-on.png).
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
-### Set the priority of Safe Links policies
-
-By default, Safe Links policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
-For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
+5. Click **Close** in the policy details flyout.
-Safe Links policies are displayed in the order they're processed (the first policy has the **Priority** value 0).
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
-> [!NOTE]
-> In the Security & Compliance Center, you can only change the priority of the Safe Links policy after you create it. In PowerShell, you can override the default priority when you create the safe links rule (which can affect the priority of existing rules).
+### Set the priority of Safe Links policies
-To change the priority of a policy, move the policy up or down in the list (you can't directly modify the **Priority** number in the Security & Compliance Center).
+By default, Safe Links are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
-2. On the **Safe Links** page, select a policy from the list and click on it (don't select the check box).
+**Note**:
-3. In the policy details fly out that appears, click the available priority button:
+- In the Microsoft 365 Defender portal, you can only change the priority of the Safe Links policy after you create it. In PowerShell, you can override the default priority when you create the safe links rule (which can affect the priority of existing rules).
+- Safe Links policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).
- - The Safe Links policy with the **Priority** value **0** has only the **Decrease priority** button available.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
- - The Safe Links policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** button available.
+2. On the **Safe Links** page, select a policy from the list by clicking on the name.
- - If you have three or more Safe Links policies, policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** buttons available.
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
-4. Click **Increase priority** or **Decrease priority** to change the **Priority** value.
+ Click ![Increase priority icon](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
-5. When you're finished, click **Close**.
+4. When you're finished, click **Close** in the policy details flyout.
-## Use the Security & Compliance Center to remove Safe Links policies
+## Use the Microsoft 365 Defender portal to remove Safe Links policies
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**.
+1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Policies** section \> **Safe Links**.
-2. On the **Safe Links** page, select a policy from the list and click on it (don't select the check box).
+2. On the **Safe Links** page, select a policy from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
-3. In the policy details fly out that appears, click **Delete policy**, and then click **Yes** in the warning dialog that appears.
+3. In the confirmation dialog that appears, click **Yes**.
## Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Links policies
Creating a Safe Links policy in PowerShell is a two-step process:
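Review bot: The rewritten priority paragraph drops a word: "By default, Safe Links are given a priority" should read "Safe Links policies are given a priority", as the removed line did. In the same section, `**Turn on** .` has a stray space before the period, and the `> [!NOTE]` callout was replaced by a bold "**Note**:" list placed between the introductory paragraph and step 1; keeping the callout syntax would keep the note visually separate from the numbered procedure.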
2. Create the safe links rule that specifies the safe links policy that the rule applies to. > [!NOTE]
->
+>
> - You can create a new safe links rule and assign an existing, unassociated safe links policy to it. A safe links rule can't be associated with more than one safe links policy.
->
-> - You can configure the following settings on new safe links policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
->
+>
+> - You can configure the following settings on new safe links policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
> - Create the new policy as disabled (_Enabled_ `$false` on the **New-SafeLinksRule** cmdlet). > - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-SafeLinksRule** cmdlet).
->
-> - A new safe links policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a safe links rule.
+>
+> - A new safe links policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a safe links rule.
#### Step 1: Use PowerShell to create a safe links policy
New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-IsEn
``` > [!NOTE]
->
+>
> - For details about the entry syntax to use for the _DoNotRewriteUrls_ parameter, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).
->
+>
> - For additional syntax that you can use for the _DoNotRewriteUrls_ parameter when you modify existing safe links policies by using the **Set-SafeLinksPolicy** cmdlet, see the [Use PowerShell to modify safe links policies](#use-powershell-to-modify-safe-links-policies) section later in this article. This example creates a safe links policy named Contoso All with the following values:
For detailed syntax and parameter information, see [Get-SafeLinksRule](/powershe
### Use PowerShell to modify safe links policies
-You can't rename a safe links policy in PowerShell (the **Set-SafeLinksPolicy** cmdlet has no _Name_ parameter). When you rename a Safe Links policy in the Security & Compliance Center, you're only renaming the safe links _rule_.
+You can't rename a safe links policy in PowerShell (the **Set-SafeLinksPolicy** cmdlet has no _Name_ parameter). When you rename a Safe Links policy in the Microsoft 365 Defender portal, you're only renaming the safe links _rule_.
The only additional consideration for modifying safe links policies in PowerShell is the available syntax for the _DoNotRewriteUrls_ parameter (the ["Do not rewrite the following URLs" list](safe-links.md#do-not-rewrite-the-following-urls-lists-in-safe-links-policies)):
Remove-SafeLinksRule -Identity "Marketing Department"
For detailed syntax and parameter information, see [Remove-SafeLinksRule](/powershell/module/exchange/remove-safelinksrule).
-To verify that Safe Links is scanning messages, check the available Microsoft Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](view-reports-for-mdo.md) and [Use Explorer in the Security & Compliance Center](threat-explorer.md).
+To verify that Safe Links is scanning messages, check the available Microsoft Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](view-reports-for-mdo.md) and [Use Explorer in the Microsoft 365 Defender portal](threat-explorer.md).
## How do you know these procedures worked? To verify that you've successfully created, modified, or removed Safe Links policies, do any of the following steps: -- In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Links**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list, and view the details in the fly out.
+- In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat policies** \> **Safe Links**. Verify the list of policies, their **Status** values, and their **Priority** values. To view more details, select the policy from the list, and view the details in the fly out.
- In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace \<Name\> with the name of the policy or rule, run the following command, and verify the settings:
To verify that you've successfully created, modified, or removed Safe Links poli
```PowerShell Get-SafeLinksRule -Identity "<Name>"
- ```
+ ```
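Review bot: The updated verification bullet still ends with "view the details in the fly out", while the rest of this change standardizes on "flyout". Its path, **Policies & rules** \> **Threat policies** \> **Safe Links**, also omits the **Policies** section that the procedures earlier in the article include. Align both with the wording used in the procedures.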
security Siem Integration With Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md
The following table summarizes the values of **AuditLogRecordType** that are rel
| > [!IMPORTANT]
-> You must be a global administrator or have the security administrator role assigned for the Security & Compliance Center to set up SIEM integration with Microsoft Defender for Office 365.
+> You must be a global administrator or have the security administrator role assigned for the Microsoft 365 Defender portal to set up SIEM integration with Microsoft Defender for Office 365.
> > Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
A SIEM server can receive data from a wide variety of Microsoft 365 services and
Make sure that audit logging is turned on before you configure SIEM server integration. -- For SharePoint Online, OneDrive for Business, and Azure Active Directory, [audit logging is turned on in the Security & Compliance Center](../../compliance/turn-audit-log-search-on-or-off.md).
+- For SharePoint Online, OneDrive for Business, and Azure Active Directory, [audit logging is turned on in the Microsoft 365 Defender portal](../../compliance/turn-audit-log-search-on-or-off.md).
- For Exchange Online, see [Manage mailbox auditing](../../compliance/enable-mailbox-auditing.md).
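Review bot: In the SharePoint Online, OneDrive for Business, and Azure Active Directory bullet, the link text now says audit logging is turned on in the Microsoft 365 Defender portal, but the target is unchanged (`../../compliance/turn-audit-log-search-on-or-off.md`). Confirm that the linked article describes the Defender portal before renaming the location here; if it does not, keep the portal name that article uses so readers are not sent looking for the audit setting in the wrong place.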
security Submit Spam Non Spam And Phishing Scam Messages To Microsoft For Analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
It can be frustrating when users in your organization receive junk messages (spam) or phishing messages in their Inbox, or if they don't receive a legitimate email message because it's marked as junk. We're constantly fine-tuning our spam filters to be more accurate.
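Review bot: "the Submissions portal in the Microsoft 365 Defender portal" in the note reads as a portal inside a portal after the rename. Consider rewording it (for example, "the Submissions page in the Microsoft 365 Defender portal", if that matches the UI) and apply the same wording to the identical note in the malware submission article.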
security Submitting Malware And Non Malware To Microsoft For Analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis.md
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md) > [!NOTE]
-> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
+> If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes anti-malware protection that's automatically enabled. For more information, see [Anti-malware protection in EOP](anti-malware-protection.md).
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
-The Tenant Allow/Block List in the Security & Compliance Center gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow and at the time of user clicks. You can specify the following types of overrides:
+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow and at the time of user clicks. You can specify the following types of overrides:
- URLs to block. - Files to block. - Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
-This article describes how to configure entries in the Tenant Allow/Block List in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Tenant Allow/Block List** page, use <https://protection.office.com/tenantAllowBlockList>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
- You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:
This article describes how to configure entries in the Tenant Allow/Block List i
> > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
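Review bot: The new bullet names the page **Tenant Allow/Block Lists** (plural), but the procedures in this change still say "On the **Tenant Allow/Block List** page" (singular), while the menu item in step 1 of those procedures is plural. Use the name that the page actually displays in both places.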
-## Use the Security & Compliance Center to create block URL entries in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to create block URL entries in the Tenant Allow/Block List
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click **Block**
+2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
3. In the **Block URLs** flyout that appears, configure the following settings:-
- - **Add URLs to block**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
-
+ - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
- **Never expire**: Do one of the following steps:-
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entries.
+ - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
or - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).- - **Optional note**: Enter descriptive text for the entries. 4. When you're finished, click **Add**.
-## Use the Security & Compliance Center to create block file entries in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to create block file entries in the Tenant Allow/Block List
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click **Block**.
-
-3. In the **Add files to block** flyout that appears, configure the following settings:
+2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
+3. In the **Block files** flyout that appears, configure the following settings:
- **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.- - **Never expire**: Do one of the following steps:-
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Expires on** box to specify the expiration date for the entries.
+ - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
or - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).- - **Optional note**: Enter descriptive text for the entries. 4. When you're finished, click **Add**.
-## Use the Security & Compliance Center to create allow or block spoofed sender entries in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to create allow or block spoofed sender entries in the Tenant Allow/Block List
**Notes**:
This article describes how to configure entries in the Tenant Allow/Block List i
- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight. - Entries for spoofed senders never expire.
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click **Add**.
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Add**.
3. In the **Add new domain pairs** flyout that appears, configure the following settings:- - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List](#domain-pair-syntax-for-spoofed-sender-entries-in-the-tenant-allowblock-list) section later in this article.- - **Spoof type**: Select one of the following values: - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). - **External**: The spoofed sender is in an external domain.- - **Action**: Select **Allow** or **Block**. 4. When you're finished, click **Add**.
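Review bot: In step 2 the image alt text is "Block icon" although the button it accompanies is **Add**: `![Block icon](../../media/m365-cc-sc-create-icon.png) **Add**`. This looks copied from the URLs and Files procedures; change the alt text to match the control (for example, "Add icon") so screen-reader users hear the right label.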
-## Use the Security & Compliance Center to view entries in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to view entries in the Tenant Allow/Block List
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
2. Select the tab you want. The columns that are available depend on the tab you selected: - **URLs**: - **Value**: The URL. - **Action**: The value **Block**.
- - **Last updated date**
- - **Expiration date**
- - **Note**
-
+ - **Last updated**
+ - **Remove on**
+ - **Notes**
- **Files** - **Value**: The file hash. - **Action**: The value **Block**.
- - **Last updated date**
- - **Expiration date**
- - **Note**
-
+ - **Last updated**
+ - **Remove on**
+ - **Notes**
- **Spoofing** - **Spoofed user** - **Sending infrastructure**
This article describes how to configure entries in the Tenant Allow/Block List i
- **URLs**: You can group the results by **Action**. - **Files**: You can group the results by **Action**.
- - **Sender domains for BCL bypass**: **Group** is not available on this tab.
- **Spoofing**: You can group the results by **Action** or **Spoof type**.
- Click **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click **Clear search** ![Clear search icon](../../media/b6512677-5e7b-42b0-a8a3-3be1d7fa23ee.gif).
+ Click **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click ![Clear search icon](../../media/m365-cc-sc-close-icon.png) **Clear search**.
Click **Filter** to filter the results. The values that are available in **Filter** flyout that appears depend on the tab you selected:
This article describes how to configure entries in the Tenant Allow/Block List i
- **Action** - **Never expire** - **Last updated date**
- - **Expiration date**
-
+ - **Remove on**
- **Files** - **Action** - **Never expire**
- - **Last updated date**
- - **Expiration date**
-
- - **Sender domains for BCL bypass**
- - **Never expire**
- - **Last updated date**
- - **Expiration date**
-
+ - **Last updated**
+ - **Remove on**
- **Spoofing** - **Action** - **Spoof type** When you're finished, click **Apply**. To clear existing filters, click **Filter**, and in the **Filter** flyout that appears, click **Clear filters**.
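Review bot: The rename of the date fields is incomplete in the **Filter** list. The **Files** entry now shows **Last updated** and **Remove on**, but the **URLs** entry keeps the unchanged line **Last updated date** next to the new **Remove on**. Update the **URLs** filter list as well so the column and filter names match across tabs.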
-## Use the Security & Compliance Center to modify entries in the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to modify entries in the Tenant Allow/Block List
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
2. Select the tab that contains the type of entry that you want to modify: - **URLs** - **Files**
- - **Sender domains for BCL bypass**
- **Spoofing**
-3. Select the entry that you want to modify, and then click **Edit** ![Edit icon](../../media/0cfcb590-dc51-4b4f-9276-bb2ce300d87e.png). The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
-
+3. Select the entry that you want to modify, and then click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
- **URLs** - **Never expire** and/or expiration date. - **Optional note**- - **Files** - **Never expire** and/or expiration date. - **Optional note**-
- - **Sender domains for BCL bypass**
- - **Never expire** and/or expiration date.
- - **Spoofing** - **Action**: You can change the value to **Allow** or **Block**.- 4. When you're finished, click **Save**.
-## Use the Security & Compliance Center to remove entries from the Tenant Allow/Block List
+## Use the Microsoft 365 Defender portal to remove entries from the Tenant Allow/Block List
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Tenant Allow/Block Lists**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
2. Select the tab that contains the type of entry that you want to remove: - **URLs** - **Files**
- - **Sender domains for BCL bypass**
- **Spoofing**
-3. Select the entry that you want to remove, and then click **Delete** ![Delete icon](../../media/87565fbb-5147-4f22-9ed7-1c18ce664392.png).
+3. Select the entry that you want to remove, and then click ![Delete icon](../../media/m365-cc-sc-delete-icon.png) **Delete**.
4. In the warning dialog that appears, click **Delete**.
Here are some examples of valid domain pairs to identify spoofed senders:
- `chris@contoso.com, fabrikam.com` - `*, contoso.net`
-The maximum number of spoofed sender entries is 1000.
+The maximum number of spoofed sender entries is 1000.
Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
security Tenant Wide Setup For Increased Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
The Microsoft 365 Defender portal includes capabilities that protect your enviro
> [!NOTE] > For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
-## View dashboards and reports in the Security & Compliance Center
+## View dashboards and reports in the Microsoft 365 Defender portal
-Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see [Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md).
+Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see [Reports in the Microsoft 365 Defender portal](../../compliance/reports-in-security-and-compliance.md).
<br>
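Review bot: In the added "For more information" sentence, the link text now reads "Reports in the Microsoft 365 Defender portal" but the target is still `../../compliance/reports-in-security-and-compliance.md`. Confirm that the target article was retitled to match. If it was not, keep the link text aligned with the article's actual title so readers land on the page the text promises.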
security Threat Explorer Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md
search.appverid:
- M365-security-compliance - m365initiative-defender-office365
-description: Learn about how to use Threat Explorer and the real-time detections report to investigate and respond to threats in the Security & Compliance Center.
+description: Learn about how to use Threat Explorer and the real-time detections report to investigate and respond to threats in the Microsoft 365 Defender portal.
ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-![Threat Explorer](../../media/ThreatExplorerFirstOpened.png)
+![Threat Explorer](../../media/explorer.png)
-[Threat Explorer](threat-explorer.md) (and the real-time detections report) is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats in the Security & Compliance Center. Explorer (and the real-time detections report) displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization.
+[Threat Explorer](threat-explorer.md) (and the real-time detections report) is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats in the Microsoft 365 Defender portal. Explorer (and the real-time detections report) displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization.
- If you have [Microsoft Defender for Office 365](defender-for-office-365.md) Plan 2, then you have Explorer. - If you have Microsoft Defender for Office 365 Plan 1, then you have real-time detections.
When you first open Explorer (or the real-time detections report), the default v
Use the **View** menu to change what information is displayed. Tooltips help you determine which view to use.
-![Threat Explorer View menu](../../media/ThreatExplorerViewMenu.png)
+![Threat Explorer View menu](../../media/all-email.png)
Once you have selected a view, you can apply filters and set up queries to conduct further analysis. The following sections provide a brief overview of the various views available in Explorer (or real-time detections).
Once you have selected a view, you can apply filters and set up queries to condu
To view this report, in Explorer (or real-time detections), choose **View** \> **Email** \> **Malware**. This view shows information about email messages that were identified as containing malware.
-![View data about email identified as malware](../../media/ExplorerEmailMalwareMenu.png)
+![View data about email identified as malware](../../media/detection-technology.png)
Click **Sender** to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, subject, detection technology, protection status, and more.
Below the chart, view more details about specific messages. When you select an i
To view this report, in Explorer (or real-time detections), choose **View** \> **Email** \> **Phish**. This view shows email messages identified as phishing attempts.
-![View data about email identified as phishing attempts](../../media/ThreatExplorerEmailPhish.png)
+![View data about email identified as phishing attempts](../../media/phish.png)
Click **Sender** to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more. For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, choose **Click verdict** in the list, select one or more options, and then click the Refresh button.
-![Click verdict options for the Phish report](../../media/ThreatExplorerEmailPhishClickVerdictOptions.png)
+![Click verdict options for the Phish report](../../media/click-verdict.png)
Below the chart, view more details about specific messages, URL clicks, URLs, and email origin.
To view this report, in Explorer (or real-time detections), choose **View** \> *
View information by malware family, detection technology (how the malware was detected), and workload (OneDrive, SharePoint, or Teams).
-![View data about detected malware](../../media/d11dc568-b091-4159-b261-df13d76b520b.png)
+![View data about detected malware](../../media/malware-family.png)
Below the chart, view more details about specific files, such as attachment filename, workload, file size, who last modified the file, and more.
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
ms.assetid: 82ac9922-939c-41be-9c8a-7c75b0a4e27d
- M365-security-compliance - m365initiative-defender-office365
-description: Use Explorer and Real-time detections in the Security &amp; Compliance Center to investigate and respond to threats efficiently.
+description: Use Explorer and Real-time detections in the Microsoft 365 security center to investigate and respond to threats efficiently.
ms.technology: mdo ms.prod: m365-security
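Review bot: The new description names the "Microsoft 365 security center", while the descriptions changed in the same update for threat-explorer-views.md and threat-hunting-in-threat-explorer.md use "Microsoft 365 Defender portal". Pick one name for the portal across the three articles; mixed names in metadata make it look as if two different consoles are involved.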
security Threat Hunting In Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer.md
localization_priority: Normal
- M365-security-compliance - m365initiative-defender-office365
-description: Use Threat Explorer or Real-time detections in the Security &amp; Compliance Center to investigate and respond to threats efficiently.
+description: Use Threat Explorer or Real-time detections in the Microsoft 365 Defender portal to investigate and respond to threats efficiently.
ms.technology: mdo ms.prod: m365-security
In this article:
If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats.
-In the **Security & Compliance Center**, go to **Threat management**, and then choose **Explorer** _or_ **Real-time detections**.
+In the **Microsoft 365 Defender portal**, go to **Email & collaboration**, and then choose **Explorer**.
<br>
In the **Security & Compliance Center**, go to **Threat management**, and then c
|With Microsoft Defender for Office 365 Plan 2, you see:|With Microsoft Defender for Office 365 Plan 1, you see:| |||
-|![Threat explorer](../../media/threatmgmt-explorer.png)|![Real-time detections](../../media/threatmgmt-realtimedetections.png)|
+|![Threat explorer](../../media/path-to-explorer.png)|![Real-time detections](../../media/threatmgmt-realtimedetections.png)|
| With these tools, you can:
In Microsoft Defender for Office 365, there are two subscription plansΓÇöPlan 1
Defender for Office 365 Plan 1 uses *Real-time detections*, which is a subset of the *Threat Explorer* (also called *Explorer*) hunting tool in Plan 2. In this series of articles, most of the examples were created using the full Threat Explorer. Admins should test any steps in Real-time detections to see where they apply.
-To open the Explorer tool, go to **Security & Compliance Center** > **Threat management** > **Explorer** (or **Real-time detections**). By default, youΓÇÖll arrive on the **Malware** page, but use the **View** drop down to get familiar with your options. If youΓÇÖre hunting Phish, or digging into a threat campaign, choose those views.
+To open the Explorer tool, go to **Microsoft 365 Defender portal** > **Email & collaboration** > **Explorer**. By default, youΓÇÖll arrive on the **Malware** page, but use the **View** drop down to get familiar with your options. If youΓÇÖre hunting Phish, or digging into a threat campaign, choose those views.
> [!div class="mx-imgBorder"]
-> ![View drop down in Threat Explorer](../../media/threat-explorer-view-drop-down.png)
+> ![View drop down in Threat Explorer](../../media/view-drop-down.png)
Once a security operations (Sec Ops) person selects the data they want to see, whether the scope is narrow view like user **Submissions**, or a wider view, like **All email**, they can use the **Sender** button to further filter. Remember to select Refresh to complete your filtering actions. > [!div class="mx-imgBorder"]
-> ![Sender button in Threat Explorer](../../media/threat-explorer-sender-button.png)
+> ![Sender button in Threat Explorer](../../media/sender-drop-down.png)
Refining focus in Explorer or Real-time detection can be thought of in layers. The first is **View**. The second can be thought of as a *filtered focus*. For example, you can retrace the steps you took in finding a threat by recording your decisions like this: To find the issue in Explorer, **I chose the Malware View with a Recipient filter focus**. This makes retracing your steps easier.
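Review bot: The rewritten "To open the Explorer tool" sentence drops "(or **Real-time detections**)", yet the unchanged paragraph directly above it says Defender for Office 365 Plan 1 uses Real-time detections, a subset of Explorer. Plan 1 admins following the new path have no menu entry named for them. Suggest keeping the alternative in the new path, as the removed line did.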
Refining focus in Explorer or Real-time detection can be thought of in layers. T
Refinements can be made on date ranges by using the date range controls. Here you can see Explorer in **Malware** view, with a **Detection Technology** filter focus. But itΓÇÖs the **Advanced filter** button that lets Sec Ops teams dig deep. > [!div class="mx-imgBorder"]
-> ![Advanced filter in Threat Explorer](../../media/threat-explorer-advanced-filter.png)
+> ![Advanced filter in Threat Explorer](../../media/advanced-filter.png)
Clicking the **Advanced filter** pops a panel that will let Sec Ops hunters build queries themselves, letting them include or exclude the information they need to see. Both the chart and table on the Explorer page will reflect their results.
Use the **Column options** button to get the kind of information on the table th
> ![Column options button highlighted](../../media/threat-explorer-column-options.png) > [!div class="mx-imgBorder"]
-> ![Available options in Columns](../../media/threat-explorer-column-options-details.png)
+> ![Available options in Columns](../../media/column-options.png)
In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the **Email Origins** map can show that a threat is widespread or discreet more quickly than the **Campaign display** option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions.
Here, the analyst can take actions like reporting the mail as Spam, Phishing, or
When navigating from an alert into Threat Explorer, the **View** will be filtered by **Alert ID**. This also applies in Real-time detection. Messages relevant to the specific alert, and an email total (a count) are shown. You will be able to see if a message was part of an alert, as well as navigate from that message to the related alert.
-Finally, alert ID is included in the URL, for example: `https://protection.office.com/viewalerts?id=372c9b5b-a6c3-5847-fa00-08d8abb04ef1`
+Finally, alert ID is included in the URL, for example: `https://https://security.microsoft.com/viewalerts`
> [!div class="mx-imgBorder"] > ![Filtering for Alert ID](../../media/AlertID-Filter.png)
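Review bot: The example URL on the added line has a doubled scheme (`https://https://security.microsoft.com/viewalerts`) and no longer carries the `?id=` query parameter that the removed example had, so it does not show what the sentence claims, namely that the alert ID is included in the URL. Suggest a single `https://` and an `id=` parameter with a placeholder value.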
You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to
To view and use Explorer or Real-time detections, you must have the following: -- For the Security & Compliance Center:
+- For the Microsoft 365 Defender portal:
- Organization Management - Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>)
To view and use Explorer or Real-time detections, you must have the following:
To learn more about roles and permissions, see the following resources: -- [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)
+- [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md)
- [Feature permissions in Exchange Online](/exchange/permissions-exo/feature-permissions) - [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)
security Threat Trackers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md
Most tracker pages include trending numbers that are updated periodically, widge
Trackers are just a few of the many great features you get with [Microsoft Defender for Office 365 Plan 2](office-365-ti.md). Threat Trackers include [Noteworth trackers](#noteworthy-trackers), [Trending trackers](#trending-trackers), [Tracked queries](#tracked-queries), and [Saved queries](#saved-queries).
-To view and use your Threat Trackers for your organization, go to the Security & Compliance Center (<https://protection.office.com>) and choose **Threat management** \> **Threat tracker**.
+To view and use your Threat Trackers for your organization, go to the Microsoft 365 Defender portal (<https://security.microsoft.com>) and choose **Email & collaboration** \> **Threat tracker**.
> [!NOTE]
-> To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+> To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
### Noteworthy trackers
You can always save a Noteworthy tracker query or any of your own Explorer queri
Whether you're reviewing email, content, or Office activities (coming soon), Explorer and Trackers work together to help you investigate and track security risks and threats. All together, Trackers provide you with information to protect your users by highlighting new, notable, and frequently searched issues - ensuring your business is better protected as it moves to the cloud.
-And remember that you can always provide us feedback on this or other Microsoft 365 security features by clicking on the **Feedback** button in the lower right corner of the [Overview of the Security & Compliance Center](https://support.microsoft.com/office/a5f2fd18-b029-4257-b5a8-ae83e7768c85).
+And remember that you can always provide us feedback on this or other Microsoft 365 security features by clicking on the **Feedback** button in the lower-right corner.
-![Security & Compliance Center](../../media/86c330db-8132-4150-8475-220258fe04fb.png)
+![Microsoft 365 Defender portal](../../media/microsoft-365-defender-portal.png)
## Trackers and Microsoft Defender for Office 365 With our inaugural Noteworthy threat, we're highlighting advanced malware threats detected by [Safe Attachments](safe-attachments.md). If you're an Office 365 Enterprise E5 customer and you're not using [Microsoft Defender for Office 365](defender-for-office-365.md), you should be - it's included in your subscription. Defender for Office 365 provides value even if you have other security tools filtering email flow with your Office 365 services. However, anti-spam and [Safe Links](safe-links.md) features work best when your main email security solution is through Office 365.
-![Microsoft Defender for Office 365 in the Security & Compliance Center](../../media/cee70d07-f0c1-459b-843c-2d10c253349f.png)
+![Microsoft Defender for Office 365 in the Microsoft 365 Defender portal](../../media/policies.png)
In today's threat-riddled world, running only traditional anti-malware scans means you are not protected well enough against attacks. Today's more sophisticated attackers use commonly available tools to create new, obfuscated, or delayed attacks that won't be recognized by traditional signature-based anti-malware engines. The Safe Attachments feature takes email attachments and detonates them in a virtual environment to determine whether they're safe or malicious. This detonation process opens each file in a virtual computer environment, then watches what happens after the file is opened. Whether it's a PDF, and compressed file, or an Office document, malicious code can be hidden in a file, activating only once the victim opens it on their computer. By detonating and analyzing the file in the email flow, Defender for Office 365 capabilities finds these threats based on behaviors, file reputation, and a number of heuristic rules.
The new Noteworthy threat filter highlights items that were recently detected th
- If your organization doesn't already have these Office 365 Threat Investigation and Response capabilities, see [How do we get Office 365 Threat Investigation and Response capabilities?](office-365-ti.md). -- Make sure that your security team has the correct roles and permissions assigned. You must be a global administrator, or have the Security Administrator or Search and Purge role assigned in the Security & Compliance Center. See [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+- Make sure that your security team has the correct roles and permissions assigned. You must be a global administrator, or have the Security Administrator or Search and Purge role assigned in the Microsoft 365 Defender portal. See [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
-- Watch for the new Trackers to show up in your Microsoft 365 environment. When available, you'll find your Trackers [here](https://protection.office.com/). Go to **Threat management** \> **Threat trackers**.
+- Watch for the new Trackers to show up in your Microsoft 365 environment. When available, you'll find your Trackers [here](https://https://security.microsoft.com/). Go to **Email & collaboration** \> **Threat tracker**.
- If you haven't already done so, learn more about and configure [Microsoft Defender for Office 365](defender-for-office-365.md) for your organization, including [Safe links](safe-links.md) and [Safe Attachments](safe-attachments.md).
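Review bot: The link target on the added "Watch for the new Trackers" bullet is `https://https://security.microsoft.com/`, a doubled scheme that will not resolve to the portal; it should be `https://security.microsoft.com/`. The same bullet also changes the menu name from "Threat trackers" to "Threat tracker", so check that against the portal label used earlier in the article.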
security Turn On Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md
This article contains the steps for enabling and configuring Safe Attachments fo
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com>. To go directly to the **ATP Safe Attachments** page, open <https://protection.office.com/safeattachmentv2>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Safe Attachments** page, open <https://security.microsoft.com/safeattachmentv2>.
-- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+- To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you need to be a member of the **Organization Management** or **Security Administrator** role groups in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
- To use SharePoint Online PowerShell to prevent people from downloading malicious files, you need to be member of the [Global Administrator](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#global-administrator--company-administrator) or [SharePoint Administrator](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#sharepoint-administrator) roles in Azure AD.
This article contains the steps for enabling and configuring Safe Attachments fo
- Allow up to 30 minutes for the settings to take effect.
-## Step 1: Use the Security & Compliance Center to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
+## Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **ATP Safe Attachments**, and click **Global settings**.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat policies** \> **Policies** section \> **Safe Attachments**.
-2. In the **Global settings** fly out that appears, go to the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** setting. Move the toggle to the right ![Toggle on](../../media/scc-toggle-on.png) to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
+2. On the **Safe Attachments** page, click **Global settings**.
+
+3. In the **Global settings** fly out that appears, go to the **Protect files in SharePoint, OneDrive, and Microsoft Teams** section.
+
+ Move the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** toggle to the right ![Toggle on](../../media/scc-toggle-on.png) to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
When you're finished, click **Save**.
For detailed syntax and parameter information, see [Set-AtpPolicyForO365](/power
## Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files
-By default, users can't open, move, copy, or share malicious files that are detected by ATP. However, they can delete and download malicious files.
+By default, users can't open, move, copy, or share<sup>\*</sup> malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can delete and download malicious files.
+
+<sup>\*</sup> If users go to **Manage access**, the **Share** option is still available.
To prevent users from downloading malicious files, [connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and run the following command:
Set-SPOTenant -DisallowInfectedFileDownload $true
For detailed syntax and parameter information, see [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant).
-## Step 3 (Recommended) Use the Security & Compliance Center to create an alert policy for detected files
+## Step 3 (Recommended) Use the Microsoft 365 Defender portal to create an alert policy for detected files
-You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see [Create activity alerts in the Security & Compliance Center](../../compliance/create-activity-alerts.md).
+You can create an alert policy that notifies you and other admins when Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more about alerts, see [Create activity alerts in the Microsoft 365 Defender portal](../../compliance/create-activity-alerts.md).
-1. In the [Security & Compliance Center](https://protection.office.com), go to **Alerts** \> **Alert policies** or open <https://protection.office.com/alertpolicies>.
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Alert policy** or open <https://security.microsoft.com/alertpolicies>.
-2. On the **Alert policies** page, click **New alert policy**.
+2. On the **Alert policy** page, click **New alert policy**.
3. The **New alert policy** wizard opens in a fly out. On the **Name your alert** page, configure the following settings:- - **Name**: Type a unique and descriptive name. For example, Malicious Files in Libraries. - **Description**: Type an optional description. For example, Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams.
- - **Severity**: Leave the default value **Low** selected, or select **Medium** or **High**.
- - **Select a category**: Select **Threat management**.
+ - **Severity**: Select **Low**, **Medium**, or **High** from the drop down list.
+ - **Category**: Select **Threat management** from the drop down list.
When you're finished, click **Next**. 4. On the **Create alert settings** page, configure the following settings:-
- - **What do you want to alert on?: Activity is**: Select **Detected malware in file**.
- - **How do you want the alert to be triggered?**: Leave the default value **Every time an activity matches the rule** selected.
+ - **What do you want to alert on?** section \> **Activity is** \> Select **Detected malware in file** from the drop down list.
+ - **How do you want the alert to be triggered?** section: Leave the default value **Every time an activity matches the rule** selected.
When you're finished, click **Next**. 5. On the **Set your recipients** page, configure the following settings:-
- - **Send email notifications**: Verify this setting is selected. In the **Email recipients** box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
+ - Verify **Send email notifications** is selected. In the **Email recipients** box, select one or more global administrators, security administrators, or security readers who should receive notification when a malicious file is detected.
- **Daily notification limit**: Leave the default value **No limit** selected. When you're finished, click **Next**.
-6. On the **Review your settings** page, review the settings, and click **Edit** in any of the sections to make changes.
+6. On the **Review your settings** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
In the **Do you want to turn the policy on right away?** section, leave the default value **Yes, turn it on right away** selected.
For detailed syntax and parameter information, see [New-ActivityAlert](/powershe
- To verify that you've successfully turned on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, use either of the following steps:
- - In the [Security & Compliance Center](https://protection.office.com), go to **Threat management** \> **Policy** \> **ATP Safe Attachments**, select **Global settings**, and verify the value of the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** setting.
+ - In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Policies** section \> **Safe Attachments**, select **Global settings**, and verify the value of the **Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** setting.
- In Exchange Online PowerShell, run the following command to verify the property setting:
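Review bot: The added verification path writes **Threat Policies** with a capital P, while the added Step 1 path in the same article writes **Threat policies**. Use the casing shown in the portal in both places so the two paths read as the same menu.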
For detailed syntax and parameter information, see [New-ActivityAlert](/powershe
For detailed syntax and parameter information, see [Get-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant). - To verify that you've successfully configured an alert policy for detected files, use any of the following steps:-
- - In the Security & Compliance Center, go to **Alerts** \> **Alert policies** \> select the alert policy, and verify the settings.
-
- - In Security & Compliance Center PowerShell, replace \<AlertPolicyName\> with the name of the alert policy, run the following command, and verify the property values:
+ - In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Alert policy** \> select the alert policy, and verify the settings.
+ - In Microsoft 365 Defender portal PowerShell, replace \<AlertPolicyName\> with the name of the alert policy, run the following command, and verify the property values:
```powershell Get-ActivityAlert -Identity "<AlertPolicyName>"
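Review bot: The added bullet "In Microsoft 365 Defender portal PowerShell" looks like the portal rename applied to the name of a PowerShell environment; the removed line said "Security & Compliance Center PowerShell". Renaming the portal does not rename the PowerShell session that `Get-ActivityAlert` runs in, so confirm the environment name and keep the original if it is unchanged.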
For detailed syntax and parameter information, see [New-ActivityAlert](/powershe
For detailed syntax and parameter information, see [Get-ActivityAlert](/powershell/module/exchange/get-activityalert). -- Use the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the **View data by: Content \> Malware** view.
+- Use the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) to view information about detected files in SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the **View data by: Content \> Malware** view.
security Use Dkim To Validate Outbound Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
Once you have published the CNAME records in DNS, you are ready to enable DKIM s
1. [Sign in to Microsoft 365](https://support.microsoft.com/office/e9eb7d51-5430-4929-91ab-6157c5a050b4) with your work or school account.
-2. Go to [protection.office.com](https://protection.office.com) or [security.microsoft.com](https://security.microsoft.com) depending on which portal you use, and follow the path below.
+2. Go to [security.microsoft.com](https://security.microsoft.com) and follow the path below.
-|protection.office.com |security.microsoft.com |
-|||
-| Threat Management > Policy > Additional Policies > DKIM | Email & Collaboration > Policies & rules > Threat policies > Additional policies > DKIM |
+3. Go to **Email & Collaboration > Policies & rules > Threat policies > DKIM**.
-3. Select the domain for which you want to enable DKIM and then, for **Sign messages for this domain with DKIM signatures**, choose **Enable**. Repeat this step for each custom domain.
+4. Select the domain for which you want to enable DKIM and then, for **Sign messages for this domain with DKIM signatures**, choose **Enable**. Repeat this step for each custom domain.
#### To enable DKIM signing for your custom domain by using PowerShell > [!IMPORTANT]
->:::image type="content" source="../../media/DKIMNoKeysSavedForThisDomain.PNG" alt-text="The 'No DKIM keys saved for this domain.' error.":::
+>:::image type="content" source="../../media/dkim.png" alt-text="The 'No DKIM keys saved for this domain.' error.":::
> If you are configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain.' complete the command in step 2, below (for example, *Set-DkimSigningConfig -Identity contoso.com -Enabled $true*) to see the key. 1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
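Review bot: New step 2 still ends with "and follow the path below", but the table it pointed to is removed and the path is now its own step 3, so the phrase is left dangling. Either drop it from step 2 or merge steps 2 and 3. The new path also omits the "Additional policies" level that the removed table row had for security.microsoft.com; please confirm that is intentional. Step 3 uses a bare ">" where the other changed articles use "\>".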
security Use Spam Notifications To Release And Report Quarantined Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages.md
End User Spam notification is not supported for groups.
An end-user spam notification contains the following information for each quarantined message: - **Sender**: The send name and email address of the quarantined message.- - **Subject**: The subject line text of the quarantined message.- - **Date**: The date and time (in UTC) that the message was quarantined.- - **Block Sender**: Click this link to add the sender to the Blocked Senders list on your mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).--- **Release**: For spam (not phishing) messages, you can release the message here without going to Quarantine the Security & Compliance Center.--- **Review**: Click this link to go to Quarantine in the Security & Compliance Center, where you can (depending on why the message was quarantined) view, release, delete or report your quarantined messages. For more information, see [Find and release quarantined messages as a user in EOP](find-and-release-quarantined-messages-as-a-user.md).
+- **Release**: For spam (not phishing) messages, you can release the message here without going to **Quarantine** the Microsoft 365 Defender portal.
+- **Review**: Click this link to go to **Quarantine** in the Microsoft 365 Defender portal, where you can (depending on why the message was quarantined) view, release, delete or report your quarantined messages. For more information, see [Find and release quarantined messages as a user in EOP](find-and-release-quarantined-messages-as-a-user.md).
![Example end-user spam notification](../../media/end-user-spam-notification.png) > [!NOTE]
-> A blocked sender can still send you mail. Any messages from this sender that make it to your mailbox will be immediately moved to the Junk Email folder. Future messages from this sender will go to your Junk Email folder or to the end-user quarantine. If you would like to delete these messages on arrival instead of quarantining them, use [mail flow Rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to delete the messages on arrival.
+> A blocked sender can still send you mail. Any messages from this sender that make it to your mailbox will be immediately moved to the Junk Email folder. Future messages from this sender will go to your Junk Email folder or to the end-user quarantine. If you would like to delete these messages on arrival instead of quarantining them, use [mail flow Rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) to delete the messages on arrival.
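Review bot: The added **Release** bullet reads "without going to **Quarantine** the Microsoft 365 Defender portal", which is missing "in" before "the Microsoft 365 Defender portal". The omission is carried over from the old text, and since the line is being touched anyway it should be fixed here. The blocked-sender note pair further down appears to differ only in whitespace.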
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
ms.prod: m365-security
In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users submit messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options: - [The Report Message add-in](enable-the-report-message-add-in.md)- - [The Report Phishing add-in](enable-the-report-phish-add-in.md)- - [Third-party reporting tools](#third-party-reporting-tools) Delivering user reported messages to a custom mailbox instead of directly to Microsoft allows your admins to selectively and manually report messages to Microsoft using [Admin submission](admin-submission.md).
Use the following articles to configure the prerequisites required so user repor
- Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See [Use the EAC to create a mail flow rule that sets the SCL of a message](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) to set the SCL to **Bypass spam filtering**. -- Turn off scanning attachments for malware in the custom mailbox. Use [Set up Safe Attachments policies in Defender for Office 365](set-up-safe-attachments-policies.md) to create a Safe Attachments policy with the setting **Off** for **Safe Attachments unknown malware response**.
+- [Create a Safe Attachments policy](set-up-safe-attachments-policies.md) that includes the custom mailbox where Safe Attachments scanning is turned off (**Safe Attachments unknown malware response** section \> **Off**).
-- Turn off URL scanning on messages in the custom mailbox. Use [Set up Safe Links policies in Defender for Office 365](set-up-safe-links-policies.md) to create a Safe Links policy with the setting **Off** for **Select the action for unknown potentially malicious URLs in messages**.
+- [Create a Safe Links policy](set-up-safe-links-policies.md) that includes the custom mailbox where Safe Links scanning is turned off (**Select the action for unknown potentially malicious URLs in messages** section \> **Off**).
-- Create an anti-malware policy to turn off Malware Zero-hour Auto Purge. See [Use the Security & Compliance Center to create anti-malware policies](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) to set **Malware Zero-hour Auto Purge** to **Off**.
+- [Create an anti-malware policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected).
-- Create a spam filter policy to disable zero-hour auto purge (ZAP) for spam and phishing in the custom mailbox. See [Use the Security & Compliance Center to create anti-spam policies](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) and clear the **On** checkboxes for **Spam ZAP** and **Phish ZAP**.
+- [Create an anti-spam policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where ZAP for spam and ZAP for phishing are turned off (**Zero-hour auto purge** section \> **Enabled zero-hour auto purge (ZAP)** is not selected).
-- Disable the junk email rule in the custom mailbox. Use [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) to disable the junk email rule. Once disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** or the safelist collection on the mailbox.
+- Disable the junk email rule in the custom mailbox. Use [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) to disable the junk email rule. After it's disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** or the safelist collection on the mailbox.
-After you've verified that your mailbox meets all applicable prerequisites, [Use the Security & Compliance Center to configure the user submissions mailbox](#use-the-security--compliance-center-to-configure-the-user-submissions-mailbox) (in this article).
+After you've verified that your mailbox meets all applicable prerequisites, you can use the procedures in this article to configure the user submissions mailbox.
## What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **User submissions** page, use <https://protection.office.com/userSubmissionsReportMessage>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
- To modify the configuration for User submissions, you need to be a member of one of the following role groups:
- - **Organization Management** or **Security Administrator** in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+ - **Organization Management** or **Security Administrator** in the [Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
- **Organization Management** in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups). - You need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that looks like this when specify the submissions mailbox:
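Review bot: The added "Create an anti-malware policy" bullet links to configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies, which is the same anti-spam target used by the "Create an anti-spam policy" bullet right after it. An admin exempting the submissions mailbox from malware ZAP would land on the wrong procedure, so point this link at the anti-malware policy article. The setting label is also spelled "Enable zero-hour auto purge for malware" in one bullet and "Enabled zero-hour auto purge (ZAP)" in the next; check both against the UI. In the role group bullet, the link text now says Microsoft 365 Defender portal while the target is still permissions-in-the-security-and-compliance-center.md.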
After you've verified that your mailbox meets all applicable prerequisites, [Use
- [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell) - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)
-## Use the Security & Compliance Center to configure the user submissions mailbox
-
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **User submissions**.
-
-2. In the **User submissions** page that appears, select one of the following options:
+## Use the Microsoft 365 Defender portal to configure the user submissions mailbox
- 1. **Enable the Report Message feature for Outlook (Recommended)**: Select
-this option if you use the Report Message add-in, the Report Phishing
-add-in or the built-in reporting in Outlook on the web, and then configure
-the following settings:
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat policies** \> **Others** section \> **User reported message settings** \> **User submissions**.
- - **Customize the end-user confirmation message**: Click this link. In the **Customize confirmation message** flyout that appears, configure the following settings:
-
- - **Before submission**: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
-
- As noted, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
-
- > Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
+2. On the **User submissions** page, what you see is determined by whether the **Microsoft Outlook Report Message button** setting is **Off** or **On**:
- - **After submission**: Click ![Expand icon](../../media/scc-expand-icon.png). In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.
+ - **Microsoft Outlook Report Message button** \> **On** ![Toggle on](../../media/scc-toggle-on.png): Select this option if you use the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
+ - **Send the reported messages to**: Select one of the following options:
+ - **Microsoft**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
+ - **Microsoft and my organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
+ - **My organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
- When you're finished, click **Save**. To clear these values, click **Restore** back on the **User submissions** page.
-
- - **Customize the end-user reporting options**: Click this link. In the **Customize end-user reporting options** flyout that appears, enter the descriptive text for Junk email reporting options.
-
- Under **Options to show when messages are reported**, select at least one among the following options:
- - **Ask me before sending a report**
- - **Automatically send reports**
- - **Never send reports**
-
- When you're finished, click **Save**.
-
- - **Send the reported messages to**: Make one of the following selections:
-
- - **Microsoft (Recommended)**: The user submissions mailbox isn't used (all reported messages go to Microsoft).
-
- - **Both Microsoft and a custom mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
-
- - **Custom mailbox only**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
+ > [!IMPORTANT]
+ >
+ > U.S. Government organizations (GCC, GCC High, and DoD) can only configure **My organization's mailbox**. The other two options are disabled.
+ >
+ > If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
- > [!NOTE]
- > U.S. Government organizations (GCC, GCC-H, and DoD) can only configure **Custom mailbox**. The other two options are disabled.
+ Regardless of the value you selected for **Send the reported messages to**, the following settings are available:
- > [!NOTE]
- > If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
+ - **Let users choose if they want to report their message to Microsoft**
+ - **Select reporting options that are available to users** section: Select at least one among the following options:
+ - **Ask me before sending the message**
+ - **Always report the message**
+ - **Never report the message**
- When you're finished, click **Confirm**.
+ > [!CAUTION]
+ > If you have [disabled junk email reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) using Outlook on the web mailbox policies, but you configured any of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
- > [!CAUTION]
- > If you have [disabled junk email reporting in Outlook on the web](report-junk-email-and-phishing-scams-in-outlook-on-the-web-eop.md#disable-or-enable-junk-email-reporting-in-outlook-on-the-web) using Outlook on the web mailbox policies, but you configure either of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
+ - **User reporting experience section**
+ - **Before reporting** tab: In the **Title** and **Message body** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
+ - **After reporting** tab: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.
+ As shown on the page, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
- 2. **Disable the Report Message feature for Outlook**: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:
+ > Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
- Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing mailbox that is already in Office 365. This has to be an existing mailbox in Exchange Online that can receive email.
+ - **Microsoft Outlook Report Message button** \> **Off** ![Toggle off](../../media/scc-toggle-off.png): Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:
+ - Select **Use this custom mailbox to receive user reported submissions**. In the box that appears, enter the email address of an existing Exchange Online mailbox that can receive email.
- When you're finished, click **Confirm**.
+ When you're finished, click **Confirm**. To clear these values, click **Restore**
## Third-party reporting tools
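Review bot: The new [!IMPORTANT] block still says "configured to send to custom mailbox only", but this same hunk renames that option to **My organization's mailbox**, so the warning about empty User reported messages results no longer matches any option name the admin sees. Use the new option name in that sentence. Smaller points: "**User reporting experience section**" puts "section" inside the bold, unlike "**Select reporting options that are available to users** section" a few lines earlier, and the final added line "click **Restore**" is missing its closing period.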
security View And Release Quarantined Messages From Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-and-release-quarantined-messages-from-shared-mailboxes.md
ms.prod: m365-security
> [!NOTE] > The features that are described in this article are currently in Preview, aren't available to everyone, and are subject to change.
-Users can manage quarantined messages where they are one of the recipients as described in [Find and release quarantined messages as a user in EOP](find-and-release-quarantined-messages-as-a-user.md). But what about shared mailboxes where the user has Full Access and Send As or Send on Behalf permissions to the mailbox as described in [Shared mailboxes in Exchange Online](/exchange/collaboration-exo/shared-mailboxes)?
+Users can manage quarantined messages where they are one of the recipients as described in [Find and release quarantined messages as a user in EOP](find-and-release-quarantined-messages-as-a-user.md). But what about **shared mailboxes** where the user has Full Access and Send As or Send on Behalf permissions to the mailbox as described in [Shared mailboxes in Exchange Online](/exchange/collaboration-exo/shared-mailboxes)?
Previously, the ability for users to manage quarantined messages sent to a shared mailbox required admins to leave automapping enabled for the shared mailbox (it's enabled by default when an admin gives a user access to another mailbox). However, depending on the size and number of mailboxes that the user has access to, performance can suffer as Outlooks tries to open *all* mailboxes that the user has access to. For this reason, many admins choose to [remove automapping for shared mailboxes](/outlook/troubleshoot/profiles-and-accounts/remove-automapping-for-shared-mailbox). Now, automapping is no longer required for users to manage quarantined messages that were sent to shared mailboxes. It just works. There are two different methods to access quarantined messages that were sent to a shared mailbox: -- If the admin has [enabled end-user spam notifications in anti-spam policies](configure-your-spam-filter-policies.md#configure-end-user-spam-notifications), any user that has access to the end-user spam notifications in the shared mailbox can click the **Review** button in the notification to go to quarantine in the Security & Compliance Center. Note that this method only allows users to manage quarantined messages that were sent to the shared mailbox. Users can't manage their own quarantine messages in this context.--- The user can [go to the quarantine in the Security & Compliance Center](find-and-release-quarantined-messages-as-a-user.md). By default, only messages that were sent to the user are shown. However, the user can change the **Sort results** (the **Message ID button** by default) to **Recipient email address**, enter the shared mailbox email address, and then click **Refresh** to see the quarantined messages that were sent to the shared mailbox.
+- If the admin has [enabled end-user spam notifications in anti-spam policies](configure-your-spam-filter-policies.md#configure-end-user-spam-notifications), any user that has access to the end-user spam notifications in the shared mailbox can click the **Review** button in the notification to go to quarantine in the Microsoft 365 Defender portal. Note that this method only allows users to manage quarantined messages that were sent to the shared mailbox. Users can't manage their own quarantine messages in this context.
+- The user can [go to the quarantine in the Microsoft 365 Defender portal](find-and-release-quarantined-messages-as-a-user.md). By default, only messages that were sent to the user are shown. However, the user can change the **Sort results** (the **Message ID button** by default) to **Recipient email address**, enter the shared mailbox email address, and then click **Refresh** to see the quarantined messages that were sent to the shared mailbox.
![Sorting quarantined messages by recipient email address.](../../media/quarantine-sort-results-by-recipient-email-address.png)
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
Title: View email security reports in the Security & Compliance Center
+ Title: View email security reports in the Microsoft 365 Defender portal
f1.keywords: - NOCSH
search.appverid:
ms.assetid: 3a137e28-1174-42d5-99af-f18868b43e86 - M365-security-compliance
-description: Learn how to find and use email security reports for your organization. Email security reports are available in the Security & Compliance Center.
+description: Learn how to find and use email security reports for your organization. Email security reports are available in the Microsoft 365 Defender portal.
ms.technology: mdo ms.prod: m365-security
-# View email security reports in the Security & Compliance Center
+# View email security reports in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-A variety of reports are available in the [Security & Compliance Center](https://protection.office.com) to help you see how email security features, such as anti-spam, anti-malware, and encryption features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Security & Compliance Center by going to **Reports** \> **Dashboard**. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>.
+A variety of reports are available in the [Microsoft 365 Defender portal](https://security.microsoft.com) to help you see how email security features, such as anti-spam, anti-malware, and encryption features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. To go directly to the Reports dashboard, open <https://security.microsoft.com/emailandcollabreport>.
-![Reports dashboard in the Security & Compliance Center](../../media/6b213d34-adbb-44af-8549-be9a7e2db087.png)
+![Reports dashboard in the Microsoft 365 Defender portal](../../media/email-collaboration-reports.png)
## Compromised users report
The **Compromised users** report shows shows the number of user accounts that we
The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Compromised users**. To go directly to the report, open <https://protection.office.com/reportv2?id=CompromisedUsers>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Compromised users**. To go directly to the report, open <https://security.microsoft.com/reports/CompromisedUsers>.
You can filter both the chart and the details table by clicking **Filters** and selecting one or more of the following values:
The **Encryption report** is available in EOP (subscriptions with mailboxes in E
The aggregate view allows filtering for the last 90 days, while the detail view allows filtering for 10 days.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Encryption report**. To go directly to the report, open <https://protection.office.com/reportv2?id=EncryptionReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Encryption report**. To go directly to the report, open <https://protection.office.com/reportv2?id=EncryptionReport>.
To learn more about encryption, see [Email encryption in Microsoft 365](../../compliance/email-encryption.md).
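Review bot: The added Encryption report line moves the navigation to the Microsoft 365 Defender portal but keeps the direct link as https://protection.office.com/reportv2?id=EncryptionReport. The other report hunks in this change switch the direct link to a security.microsoft.com/reports/... URL, so this one looks missed. Update it, or state why the Encryption report stays on the old host.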
The **Malware detections in email** report shows information about malware detec
The aggregate view filter allows for 90 days, while the details table filter only allows for 10 days.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Malware detections in email**. To go directly to the report, open <https://protection.office.com/reportv2?id=MalwareDetections>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Malware detected in email**. To go directly to the report, open <https://security.microsoft.com/reports/MalwareDetections>.
![Malware detections in email widget in the Reports dashboard](../../media/malware-detections-widget.png)
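Review bot: The added line tells the reader to click **View details** under **Malware detected in email**, while the report name in the surrounding text and the image alt text remain "Malware detections in email". If the widget was renamed in the new portal, update the other references to match; if not, keep the original name so the reader can find the widget.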
The **Spam detections** report shows spam email messages that were blocked by EO
The aggregate view allows for 90 days filtering, while the details table allows for 10 days filtering.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Spam detections**. To go directly to the report, open <https://protection.office.com/reportv2?id=SpamDetections>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click click **View details** under **Spam detections**. To go directly to the report, open <https://security.microsoft.com/reports/SpamDetections>.
![Spam detections widget in the Reports dashboard](../../media/spam-detections-report-widget.png)
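Review bot: Duplicated word in the added line: "and click click **View details** under **Spam detections**". Remove one "click".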
The aggregate view of the report allows for 45 days of filtering<sup>\*</sup>, w
<sup>\*</sup> Eventually, you'll be able to use up to 90 days of filtering.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Spoof detections**. To go directly to the report, open <https://protection.office.com/reportv2?id=SpoofMailReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Spoof detections**. To go directly to the report, open <https://security.microsoft.com/reports/SpoofMailReport>.
![Spoof detections widget in the Reports dashboard](../../media/spoof-detections-widget.png)
The report provides the count of email messages with malicious content, such as
**Note**: It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Threat protection status**. To go directly to the report, open one of the following URLs:
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Threat protection status**. To go directly to the report, open one of the following URLs:
- Microsoft Defender for Office 365: <https://protection.office.com/reportv2?id=TPSAggregateReportATP> - EOP: <https://protection.office.com/reportv2?id=TPSAggregateReport>
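Review bot: The added sentence sends readers to the Microsoft 365 Defender portal and then says "open one of the following URLs", but the two URLs in the unchanged list that follows still point to protection.office.com/reportv2?id=TPSAggregateReportATP and ...TPSAggregateReport. Extend the hunk to update those links, consistent with the direct links changed in the other report sections.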
If you click **View details table**, the information that's shown depends on the
The **Top malware** report shows the various kinds of malware that was detected by [anti-malware protection in EOP](anti-malware-protection.md).
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Top malware**. To go directly to the report, open <https://protection.office.com/reportv2?id=TopMalware>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Top malware**. To go directly to the report, open <https://security.microsoft.com/reports/TopMalware>.
![Top malware widget in the Reports dashboard](../../media/top-malware-report-widget.png)
If you click **Filters** in the report view or details table view, you can speci
The **URL threat protection report** is available in Microsoft Defender for Office 365. For more information, see [URL threat protection report](view-reports-for-mdo.md#url-threat-protection-report).
-## User-reported messages report
+## User reported messages report
-The **User-reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [Report Message add-in](enable-the-report-message-add-in.md) or [The Report Phishing add-in](enable-the-report-phish-add-in.md).
+The **User reported messages** report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the [Report Message add-in](enable-the-report-message-add-in.md) or [The Report Phishing add-in](enable-the-report-phish-add-in.md).
Details are available for each message, including the delivery reason, such a spam policy exception or mail flow rule configured for your organization. To view details, select an item in the user-reports list, and then view the information on the **Summary** and **Details** tabs.
-![The User-Reported Messages report shows messages users labeled as junk, not junk, or phishing attempts.](../../media/ad5e9a3d-b833-419c-bcc9-3425d9604ead.png)
+![The User reported messages report shows messages users labeled as junk, not junk, or phishing attempts.](../../media/ad5e9a3d-b833-419c-bcc9-3425d9604ead.png)
-To view this report, in the [Security & Compliance Center](https://protection.office.com), do one of the following:
+To view this report, in the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \>**Email & collaboration reports** \> **User reported messages**.
-- Go to **Threat management** \> **Dashboard** \> **User-reported messages**.
+- Go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** \> **User reported messages**.
-- Go to **Threat management** \> **Review** \> **User-reported messages**.-
-![In the Security & Compliance Center, choose Threat management \> Review \> User reported messages](../../media/e372c57c-1414-4616-957b-bc933b8c8711.png)
+![In the Microsoft 365 Defender portal, choose Reports \> Email & collaboration \> Email & collaboration reports \> User reported messages](../../media/user-reported-messages.png)
> [!IMPORTANT]
-> In order for the User-reported messages report to work correctly, **audit logging must be turned on** for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn Microsoft 365 audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+> In order for the User reported messages report to work correctly, **audit logging must be turned on** for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see [Turn Microsoft 365 audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
## What permissions are needed to view these reports?
-In order to view and use the reports described in this article, you need to be a member of one of the following role groups in the Security & Compliance Center:
+In order to view and use the reports described in this article, you need to be a member of one of the following role groups in the Microsoft 365 Defender portal:
- **Organization Management** - **Security Administrator** - **Security Reader** - **Global Reader**
-For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
-**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
## What if the reports aren't showing data?
If you are not seeing data in your reports, double-check that your policies are
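Review bot: In the User reported messages section, the added sentence now spells out the full navigation path and the bullet added right after it ("- Go to **Reports** \> **Email & collaboration** \> ...") repeats the same path, so the one-item list is redundant now that the second option was removed. Drop the bullet, or keep the "do one of the following" wording only if a second option remains. The same added sentence is missing a space in `\>**Email & collaboration reports**`. Further down, the link text becomes "Permissions in the Microsoft 365 Defender portal" while the target is still `permissions-in-the-security-and-compliance-center.md`; confirm that article was retitled in the same batch so the link text matches what readers land on.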
[Anti-spam and anti-malware protection in EOP](anti-spam-and-anti-malware-protection.md)
-[Smart reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md)
+[Smart reports and insights in the Microsoft 365 Defender portal](reports-and-insights-in-security-and-compliance.md)
-[View mail flow reports in the Security & Compliance Center](view-mail-flow-reports.md)
+[View mail flow reports in the Microsoft 365 Defender portal](view-mail-flow-reports.md)
[View reports for Defender for Office 365](view-reports-for-mdo.md)
security View Reports For Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-mdo.md
ms.assetid: e47e838c-d99e-4c0b-b9aa-e66c4fae902f
- M365-security-compliance - m365initiative-defender-office365
-description: Find and use reports for Microsoft Defender for Office 365 in the Security & Compliance Center.
+description: Find and use reports for Microsoft Defender for Office 365 in the Microsoft 365 Defender portal.
ms.technology: mdo ms.prod: m365-security
-# View Defender for Office 365 reports in the Reports dashboard in the Security & Compliance Center
+# View Defender for Office 365 reports in the Reports dashboard in the Microsoft 365 Defender portal
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view these reports in the Security & Compliance Center by going to **Reports** \> **Dashboard**. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>.
+Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view these reports in the Microsoft 365 Defender portal by going to **Reports** \> **Email collaboration** \> **Email collaboration reports**. To go directly to the Reports dashboard, open <https://security.microsoft.com/emailandcollabreport>.
-![The Reports dashboard in the Security & Compliance Center](../../media/6b213d34-adbb-44af-8549-be9a7e2db087.png)
+![The Reports dashboard in the Microsoft 365 Defender portal](../../media/user-reported-messages.png)
## Defender for Office 365 file types report
The **Defender for Office 365 file types report** report shows you the type of f
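Review bot: The added intro paragraph gives the path as **Reports** \> **Email collaboration** \> **Email collaboration reports**, without the "&" that every other path in this change uses (**Email & collaboration**); make it match the portal label. The replacement screenshot for the Reports dashboard is `../../media/user-reported-messages.png`, the same file the preceding article's change uses for the User reported messages navigation image, so the alt text "The Reports dashboard in the Microsoft 365 Defender portal" probably no longer describes what is shown.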
The aggregate view of the report allows for 90 days of filtering, while the detail view only allows for 10 days of filtering.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Defender for Office 365 file types**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPFileReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Dashboard** and select **Defender for Office 365 file types**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPFileReport>.
![Defender for Office 365 file types widget in the Reports dashboard](../../media/atp-file-types-report-widget.png)
To get back to the reports view, click **View report**.
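Review bot: The added file types sentence only swaps the portal name: the path is still **Reports** \> **Dashboard** and the direct link is still `https://protection.office.com/reportv2?id=ATPFileReport`. The other reports in this change use **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and a `security.microsoft.com` link. Align this one, or note that the report has not moved yet.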
The **ATP Message Disposition** report shows you the actions that were taken for email messages that were detected as having malicious content.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Defender for Office 365 message disposition**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPMessageReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and select **Defender for Office 365 message disposition**. To go directly to the report, open <https://protection.office.com/reportv2?id=ATPMessageReport>.
![Defender for Office 365 message disposition widget in the Reports dashboard](../../media/atp-message-disposition-report-widget.png)
The **Mail latency report** shows you an aggregate view of the mail delivery and
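Review bot: The message disposition sentence has the new navigation path but keeps the old direct link, `https://protection.office.com/reportv2?id=ATPMessageReport`, so the two halves of the sentence point at different portals. It also says "select **Defender for Office 365 message disposition**" where the neighbouring reports say "click **View details** under ..."; use one wording throughout.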
Client side and network latency are not included.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **Mail latency report**. To go directly to the report, open <https://protection.office.com/mailLatencyReport?viewid=P50>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **Mail latency report**. To go directly to the report, open <https://security.microsoft.com/mailLatencyReport>.
![Mail latency report widget in the Reports dashboard](../../media/mail-latency-report-widget.png)
The **Threat protection status** report is a single view that brings together in
The **URL threat protection report** provides summary and trend views for threats detected and actions taken on URL clicks as part of [Safe Links](safe-links.md). This report will not have click data from users where the Safe Links policy applied has the **Do not track user clicks** option selected.
-To view the report, open the [Security & Compliance Center](https://protection.office.com), go to **Reports** \> **Dashboard** and select **URL protection report**. To go directly to the report, open <https://protection.office.com/reportv2?id=URLProtectionActionReport>.
+To view the report, open the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports** and click **View details** under **URL protection report**. To go directly to the report, open <https://security.microsoft.com/reports/URLProtectionActionReport>.
![URL protection report widget in the Reports dashboard](../../media/url-protection-report-widget.png)
In addition to the reports described in this article, several other reports are
|Report|Topic| ||| |**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer.md)|
-|**Email security reports**, such as the Top senders and recipients report, the Spoof mail report, and the Spam detections report.|[View email security reports in the Security & Compliance Center](view-email-security-reports.md)|
-|**Mail flow reports**, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report.|[View mail flow reports in the Security & Compliance Center](view-mail-flow-reports.md)|
+|**Email security reports**, such as the Top senders and recipients report, the Spoof mail report, and the Spam detections report.|[View email security reports in the Microsoft 365 Defender portal](view-email-security-reports.md)|
+|**Mail flow reports**, such as the Forwarding report, the Mailflow status report, and the Top senders and recipients report.|[View mail flow reports in the Microsoft 365 Defender portal](view-mail-flow-reports.md)|
|**URL trace for Safe Links** (PowerShell only). The output of this cmdlet shows you the results of Safe Links actions over the past seven days.|[Get-UrlTrace](/powershell/module/exchange/get-urltrace)| |**Mail traffic results for EOP and Microsoft Defender for Office 365** (PowerShell only). The output of this cmdlet contains information about Domain, Date, Event Type, Direction, Action, and Message Count.|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport)| |**Mail detail reports for EOP and Defender for Office 365 detections** (PowerShell only). The output of this cmdlet contains details about malicious files or URLs, phishing attempts, impersonation, and other potential threats in email or files.|[Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|
In addition to the reports described in this article, several other reports are
## What permissions are needed to view the Defender for Office 365 reports?
-In order to view and use the reports described in this article, you need to be a member of one of the following role groups in the Security & Compliance Center:
+In order to view and use the reports described in this article, you need to be a member of one of the following role groups in the Microsoft 365 Defender portal:
- **Organization Management** - **Security Administrator** - **Security Reader** - **Global Reader**
-For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
+For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-in-the-security-and-compliance-center.md).
-**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Security & Compliance Center _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
## What if the reports aren't showing data?
If you are not seeing data in your Defender for Office 365 reports, double-check
## Related topics
-[Smart reports and insights in the Security & Compliance Center](reports-and-insights-in-security-and-compliance.md)
+[Smart reports and insights in the Microsoft 365 Defender portal](reports-and-insights-in-security-and-compliance.md)
[Role permissions (Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#role-permissions)
security Virus Detection In Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/virus-detection-in-spo.md
Here's what happens:
## What happens when the OneDrive sync client tries to sync an infected file?
-OneDrive sync clients will not download files that contain viruses. The sync client will display a notification that the file can't be synced.
+When a malicious file is uploaded to OneDrive, it will be synced to the local machine before it's marked as malware. After it's marked as malware, the user can't open the synced file anymore from their local machine.
## Extended capabilities with Microsoft Defender for Office 365
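Review bot: The new OneDrive sync paragraph reverses the previous statement (the client no longer refuses the download) but leaves the window between sync and detection undescribed. It does not say whether the local copy can be opened before it is marked as malware, or whether the user still gets the notification that the removed sentence mentioned. Because this changes what admins can assume about endpoint exposure, state both explicitly, and check that the section heading ("tries to sync an infected file") still fits the new behavior.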
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
search.appverid: met150
ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365initiative-defender-office365
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
> [!TIP] > Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).
-## April/May 2021
+## April/May 2021
- [Email entity page](mdo-email-entity-page.md): A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience. - [Office 365 Management API](/office/office-365-management-api/office-365-management-activity-api-schema#email-message-events): Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.-- [Threat Analytics for Defender for Office 365](/microsoft-365/security/defender/threat-analytics): View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
+- [Threat Analytics for Defender for Office 365](/microsoft-365/security/defender/threat-analytics): View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
-## February/March 2021
+## February/March 2021
- Alert ID integration (search using Alert ID and Alert-Explorer navigation) in [hunting experiences](threat-explorer.md) - Increasing the limits for Export of records from 9990 to 200,000 in [hunting experiences](threat-explorer.md)
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
- Advanced NOT filters (these are advanced filtering options that include does not contain, does not include, etc.) - Granular time filters (day, hour, half-hour) -- The **Incidents** widget is now the **Action Center** widget. (To view your security widgets, in the Security & Compliance Center, go to **Threat management** \> **Review**.) (Microsoft Defender for Office 365 Plan 2)
+- The **Incidents** widget is now the **Action Center** widget. (To view your security widgets in the Security & Compliance Center, go to **Threat management** \> **Review**.) (Microsoft Defender for Office 365 Plan 2)
- [Safe Documents in Microsoft 365](safe-docs.md) **(preview)**
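Review bot: The rewritten **Action Center** widget bullet only drops a comma and still directs readers to the Security & Compliance Center (**Threat management** \> **Review**), while the rest of this batch renames that portal to the Microsoft 365 Defender portal. If the location is kept on purpose because this is a dated release note, that is fine; otherwise update the portal name and path here too.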
solutions Allow Members To Send As Or Send On Behalf Of Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-members-to-send-as-or-send-on-behalf-of-group.md
audience: Admin-+ localization_priority: Normal
solutions Microsoft 365 Groups Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-groups-expiration-policy.md
audience: Admin-+ localization_priority: Normal
solutions Setup Secure Collaboration With Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/setup-secure-collaboration-with-teams.md
These training modules can help your users use Teams, groups, and SharePoint for
|:|:| |![Set up and customize your team training icon](../media/set-up-customize-team-training.png)<br>**[Set up and customize your team](https://support.microsoft.com/office/702a2977-e662-4038-bef5-bdf8ee47b17b)**|![SharePoint share and sync training icon](../media/sharepoint-share-sync-training.png)<br>**[Share and sync](https://support.microsoft.com/office/98cb2ff2-c27e-42ea-b055-c2d895f8a5de)**| |![Teams upload and find files training icon](../media/smc-teams-upload-find-files-training.png)<br>**[Upload and find files](https://support.microsoft.com/office/57b669db-678e-424e-b0a0-15d19215cb12)**||
-|![Collaborate in teams and channels icon](../media/teams-collaborate-channels-training.png)<br>**[Collaborate in teams and channels](https://support.microsoft.com/office/c3d63c10-77d5-4204-a566-53ddcf723b46)**|||
+|![Collaborate in teams and channels icon](../media/teams-collaborate-channels-training.png)<br>**[Collaborate in teams and channels](https://support.microsoft.com/office/c3d63c10-77d5-4204-a566-53ddcf723b46)**||
## Illustrations