Updates from: 06/16/2021 03:13:40
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. | |Message center reader | Assign the Reports reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Azure AD services, such as users and groups|
-|Power Platform admin | Assign the Reports reader role to users who need to do the following: <br> - Manage all admin features for PowerApps, Microsoft Flow, and data loss prevention <br> - Create and manage service requests <br> - Monitor service health |
+|Power Platform admin | Assign the Reports reader role to users who need to do the following: <br> - Manage all admin features for Power Apps, Power Automate, and data loss prevention <br> - Create and manage service requests <br> - Monitor service health |
|Reports reader | Assign the Reports reader role to users who need to do the following: <br> - View usage data and the activity reports in the Microsoft 365 admin center <br> - Get access to the Power BI adoption content pack <br> - Get access to sign-in reports and activity in Azure AD <br> - View data returned by Microsoft Graph reporting API| |Service Support admin | Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health | |SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. <br><br>SharePoint admins can also: <br> - Create and delete sites <br> - Manage site collections and global SharePoint settings |
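Review bot: The changed Power Platform admin row still opens with "Assign the Reports reader role to users who need to do the following", which names the wrong role for that row; it should read "Assign the Power Platform admin role". The Message center reader row in the context above has the same copy-paste wording. Since admins use this table to decide which role to grant, fix both rows in this change rather than only updating the product names.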
admin About The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/about-the-admin-center.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
- M365-subscription-management - Adm_O365
Here are the features and settings you'll find in the left-hand navigation of th
## Related content
-[Microsoft 365 for business training videos](../../business-video/index.yml) (link page)
+[Microsoft 365 for business training videos](../../business-video/index.yml) (link page)
admin Centralized Deployment FAQ https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-FAQ.md
We suggest reaching out to the ISV Developer for the paid add-in to request a ma
ΓÇ» ## Which admin role do I need to manage add-ins for my organization?ΓÇ»
-Global Admin is the recommended role with complete access to add-in management lifecycle. Other Admin roles have a limited access to add-in deployment lifecycle. If you're the person who purchased your Microsoft 365 for business subscription, you are the Global admin.
+Global Admin is the recommended role with complete access to add-in management lifecycle. If you're the person who purchased your Microsoft 365 Business subscription, you are the Global admin.
Your subscription comes with a set of admin roles that you can assign to other users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to perform specific tasks in the Microsoft 365 admin center.
-For more information, see [Assign admin roles](../add-users/assign-admin-roles.md?view=o365-worldwide).ΓÇ»
+For more information, see [Assign admin roles](../add-users/assign-admin-roles.md?view=o365-worldwide).ΓÇ»
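Review bot: The new answer drops "Other Admin roles have a limited access to add-in deployment lifecycle" and leaves Global Admin as the only role mentioned, which reads as advice to grant Global Admin to anyone who manages add-ins. If other roles can still deploy add-ins, keep that sentence and name them, so readers can pick a narrower role. The same line also changes "Microsoft 365 for business" to "Microsoft 365 Business"; check this against the product name used on the other pages.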
admin Upgrade Distribution Lists https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/upgrade-distribution-lists.md
You can only upgrade cloud-managed, simple, non-nested distribution lists. The t
|Security groups <br/> |No <br/> | |Dynamic Distribution lists <br/> |No <br/> | |Distribution lists that were converted to **RoomLists** <br/> |No <br/> |
-|Distribution lists where **MemberJoinRestriction** and/or **MemberDepartRestriction** is **Closed** <br/> |No <br/> |
### Check which DLs are eligible for upgrade
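Review bot: Deleting the **MemberJoinRestriction**/**MemberDepartRestriction** row leaves the table silent on distribution lists whose join or depart restriction is **Closed**. If these lists are now eligible, say so explicitly (for example, with a "Yes" row or a sentence under the table); otherwise readers comparing against the previous version cannot tell whether the row was removed on purpose.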
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
audience: Admin
localization_priority: Priority
+search.appverid: GEA150
- M365-subscription-management - Adm_O365
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
Last updated 04/08/2021
# Cancel your subscription > [!IMPORTANT]
-> This article only applies to Microsoft 365 for business subscriptions. If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/en-us/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b).
+> This article only applies to Microsoft 365 for business subscriptions. If you have Microsoft 365 Family or Personal, see [Cancel a Microsoft 365 subscription](https://support.microsoft.com/en-us/office/cancel-a-microsoft-365-subscription-46e2634c-c64b-4c65-94b9-2cc9c960e91b?OCID=M365_DocsCancel_Link).
*Eligibility:* If you have fewer than 25 licenses assigned to users, you can cancel your Microsoft 365 for business trial or paid subscription online in the Microsoft 365 admin center at any time. If you have more than 25 licenses assigned to users, reduce it to less than 25 or [call support to cancel your subscription](../../business-video/get-help-support.md).
commerce Try Or Buy Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md
- AdminSurgePortfolio - commerce_purchase
+search.appverid: GEA150
description: "Sign up for a free 30-day trial for Microsoft 365 Business Standard, Microsoft 365 Business Premium, or Microsoft 365 Apps for business." Last updated 08/07/2020
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
After alerts have been generated and displayed on the **View alerts** page in th
- **Assign a status to alerts.** You can assign one of the following statuses to alerts: **Active** (the default value), **Investigating**, **Resolved**, or **Dismissed**. Then, you can filter on this setting to display alerts with the same status setting. This status setting can help track the process of managing alerts. -- **View alert details.** You can select an alert to display a flyout page with details about the alert. The detailed information depends on the corresponding alert policy, but it typically includes the following: name of the actual operation that triggered the alert (such as a cmdlet), a description of the activity that triggered the alert, the user (or list of users) who triggered the alert, and the name (and link to) of the corresponding alert policy.
+- **View alert details.** You can select an alert to display a flyout page with details about the alert. The detailed information depends on the corresponding alert policy, but it typically includes the following:
- The name of the actual operation that triggered the alert, such as a cmdlet or an audit log operation. - A description of the activity that triggered the alert.
- - The user who triggered the alert. This is included only for alert policies that are set up to track a single user or a single activity.
+ - The user (or list of users) who triggered the alert. This is included only for alert policies that are set up to track a single user or a single activity.
- The number of times the activity tracked by the alert was performed. This number may not match that actual number of related alerts listed on the View alerts page because more alerts may have been triggered.
- - A link to an activity list that includes an item for each activity that was performed that triggered the alert. Each entry in this list identifies when the activity occurred, the name of actual operation (such as "FileDeleted"), and the user who performed the activity, the object (such as a file, an eDiscovery case, or a mailbox) that the activity was performed on, and the IP address of the user's computer. For malware-related alerts, this links to a message list.
+ - A link to an activity list that includes an item for each activity that was performed that triggered the alert. Each entry in this list identifies when the activity occurred, the name of the actual operation (such as "FileDeleted"), the user who performed the activity, the object (such as a file, an eDiscovery case, or a mailbox) that the activity was performed on, and the IP address of the user's computer. For malware-related alerts, this links to a message list.
- - The name (and link to) of the corresponding alert policy.
+ - The name (and link) of the corresponding alert policy.
-- **Suppress email notifications.** You can turn off (or suppress) email notifications from the flyout page for an alert. When you suppress email notifications, Microsoft won't send notifications when activities or events that match the conditions of the alert policy. But alerts will be triggered when activities performed by users match the conditions of the alert policy. You can also turn off email notifications by editing the alert policy.
+- **Suppress email notifications.** You can turn off (or suppress) email notifications from the flyout page for an alert. When you suppress email notifications, Microsoft won't send notifications when activities or events that match the conditions of the alert policy occur. But alerts will be triggered when activities performed by users match the conditions of the alert policy. You can also turn off email notifications by editing the alert policy.
- **Resolve alerts.** You can mark an alert as resolved on the flyout page for an alert (which sets the status of the alert to **Resolved**). Unless you change the filter, resolved alerts aren't displayed on the **View alerts** page.
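Review bot: The added "(or list of users)" in the user bullet conflicts with the sentence that follows it, "This is included only for alert policies that are set up to track a single user or a single activity". Either drop the parenthetical or explain when a list of users can appear under a single-user or single-activity policy. The unchanged bullet after it also has "that actual number", which should be "the actual number".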
compliance Create Custom Sensitive Information Types With Exact Data Match Based Classification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md
These locations are support EDM sensitive information types:
- Microsoft Teams (conversations) - DLP for SharePoint (files) - Microsoft Cloud App Security DLP policies-- Server-side auto-labeling policies - available for commercial cloud customers <!--, UNCOMMENT THIS ON 6/15 and government cloud customers-->
+- Server-side auto-labeling policies - available for commercial cloud customers and government cloud customers
#### To create a DLP policy with EDM
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Use the following table to help you identify whether to use a retention policy o
**Footnote:** <sup>\*</sup>
-For retention labels that don't mark the content as a record or regulatory record, auditing events are limited to when an item in SharePoint has a label applied, changed, or removed. For auditing details for retention labels, see the [Auditing retention actions](#auditing-retention-actions) section on this page.
+For retention labels that don't mark the content as a record or regulatory record, auditing events are limited to when an item in SharePoint or OneDrive has a label applied, changed, or removed. For auditing details for retention labels, see the [Auditing retention actions](#auditing-retention-actions) section on this page.
### Combining retention policies and retention labels
For the full list of auditing events, see [Retention policy and retention label
Retention actions that are logged as auditing events are available only for retention labels and not for retention policies: -- When a retention label is applied, changed, or removed from an item in SharePoint:
+- When a retention label is applied, changed, or removed from an item in SharePoint or OneDrive:
- From **File and page activities**, select **Changed retention label for a file** - When a labeled item in SharePoint is marked as a record, and it is unlocked or locked by a user:
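Review bot: The bullet "When a labeled item in SharePoint is marked as a record, and it is unlocked or locked by a user" is left as SharePoint-only, while the bullets around it and the footnote now say "SharePoint or OneDrive". Confirm whether lock and unlock events are also audited for OneDrive items and update this bullet to match, or state that it applies to SharePoint only, so the audit coverage is unambiguous.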
Retention actions that are logged as auditing events are available only for rete
- When a retention label that marks content as a record or regulatory record is applied to an item in Exchange: - From **Exchange mailbox activities**, select **Labeled message as a record** -- When a labeled item in SharePoint or Exchange is marked as a record or regulatory record, and it is permanently deleted:
+- When a labeled item in SharePoint, OneDrive, or Exchange is marked as a record or regulatory record, and it is permanently deleted:
- From **File and page activities**, select **Deleted file marked as a record** ## PowerShell cmdlets for retention policies and retention labels
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
Use the [Deploy Office to remote users guide](https://aka.ms/officeremoteinstall
For organizations using Configuration Manager, you can use the [Deploy and update Microsoft 365 Apps with Configuration Manager advisor](https://aka.ms/oppinstall) to generate a script that will automatically configure your Microsoft 365 Apps deployment using best practices recommended by FastTrack engineers. Use this guide to build your deployment groups, customize your Office apps and features, configure dynamic or lean installations, and then run the script to create the applications, automatic deployment rules, and device collections you need to target your deployment.
-### Integrate a third-party cloud app with Azure AD
-
-Improve the user experience and provide an additional layer of security by integrating your third-party app with ΓÇÄAzure Active Directory (Azure AD). With this end-to-end experience, you can do most of the configuration directly from this wizard. Where appropriate, we'll redirect you to the corresponding configuration page.
-
-Use the [Integrate third-party cloud app](https://admin.microsoft.com/Adminportal/Home?#/azureadappintegration) wizard to integrate a third-party cloud app with Azure AD.
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
Users with edit or create topics permissions can make updates to topic pages dir
Users that you allow access to see topics in their daily work might be asked if the topic was useful to them. The system looks at these responses and uses them to improve the topic highlight, and help determine what's shown on topic summaries and in topic details.
-Additionally, users with proper permissions can tag items such as Yammer conversation that are relevant to a topic, and add them to a specific topic.
- For more information, see [Topic discovery and curation](./topic-experiences-discovery-curation.md). ## See also
-[Use Microsoft Search to find topics in Viva Topics](./search.md)
+[Use Microsoft Search to find topics in Viva Topics](./search.md)
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 05/17/2021 Last updated : 06/15/2021 # Common mistakes to avoid when defining exclusions -
-You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
-
-This article describes some common mistake that you should avoid when defining exclusions.
+You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
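Review bot: The merged introductory paragraph carries over the typo "some common mistake that you should avoid"; it should be "some common mistakes". Since the line is being rewritten anyway, fix it in this change.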
In general, do not define exclusions for the following processes:
`dbgsvc.exe`
-`dnx.exe`
+`dnx.exe`
+
+`dotnet.exe`
`fsi.exe`
Microsoft Defender Antivirus Service runs in system context using the LocalSyste
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-## Related articles
--- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)-- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
## Use Microsoft Intune to configure scanning options
-See the following resources:
--- [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) -- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
+For more information, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
## Use Microsoft Endpoint Manager to configure scanning options
-See [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings).
+For details on configuring Microsoft Endpoint Manager (current branch), see [How to create and deploy antimalware policies: Scan settings](/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings).
## Use Group Policy to configure scanning options
See [How to create and deploy antimalware policies: Scan settings](/configmgr/pr
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**, and then select a location (refer to [Settings and locations](#settings-and-locations) in this article). + 5. Edit the policy object. 6. Click **OK**, and repeat for any other settings.
See [How to create and deploy antimalware policies: Scan settings](/configmgr/pr
| Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** > **Specify the maximum percentage of CPU utilization during a scan** | 50 | `-ScanAvgCPULoadFactor` <p>**NOTE**: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits. | | Specify the maximum size (in kilobytes) of archive files that should be scanned. <p> **Scan** > **Specify the maximum size of archive files to be scanned** | No limit | Not available <p>The default value of 0 applies no limit | | Configure low CPU priority for scheduled scans <p> **Scan** > **Configure low CPU priority for scheduled scans** | Disabled | Not available |+ > [!NOTE] > If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares. ## Use PowerShell to configure scanning options
-See the following resources:
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see
- [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Defender cmdlets](/powershell/module/defender/)
If Microsoft Defender Antivirus detects a threat inside an email message, it wil
- Email subject - Attachment name +
+## Scanning mapped network drives
+
+On any OS, only the network drives that are mapped at system level, are scanned. User-level mapped network drives aren't scanned. User-level mapped network drives are those that a user maps in their session manually and using their own credentials.
+ ## See also + - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
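Review bot: The new "Scanning mapped network drives" section says user-level mapped drives aren't scanned, but the note above it still says that with real-time or on-access protection turned on "the scan will also include network shares". State how the two relate, because readers may otherwise assume user-mapped shares are covered. The first sentence also has a stray comma ("mapped at system level, are scanned"), the added PowerShell lead-in ends in "see" without a colon before the list, and "Microsoft Endpoint Manager (current branch)" sits above a link into /configmgr/, so the product name should be checked.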
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
Previously updated : 04/28/2021 Last updated : 06/15/2021 ms.technology: mde # Turn on block at first sight -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
This article describes an antivirus/antimalware feature known as "block at first sight", and describes how to enable block at first sight for your organization. > [!TIP]
-> This article is intended for enterprise admins and IT Pros who manage security settings for organizations. If you are not an enteprise admin or IT Pro but you have questions about block at first sight, see [Not an enterprise admin or IT Pro?](#not-an-enterprise-admin-or-it-pro).
+> This article is intended for enterprise admins and IT Pros who manage security settings for organizations. If you are not an enteprise admin or IT Pro but you have questions about block at first sight, see the [Not an enterprise admin or IT Pro?](#not-an-enterprise-admin-or-it-pro) section.
## What is "block at first sight"?
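Review bot: The rewritten tip still contains "enteprise admin", which should be "enterprise admin". Fix the spelling in the same line that adds "the ... section".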
Microsoft Defender Antivirus uses multiple detection and prevention technologies
![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) > [!TIP]
-> To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+> To learn more, see [(Blog) Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
## A few things to know about block at first sight
You can confirm that block at first sight is enabled on individual client device
## Validate block at first sight is working
-To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+To validate that the feature is working, download the [Block at first sight sample file](https://demo.wd.microsoft.com/Page/BAFS). To download the file, you will need an account in Azure AD that has either the Security Administrator or Global Administrator role assigned.
+
+To validate that cloud-enabled protection is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Turn off block at first sight
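Review bot: The new validation step tells the reader to download the sample file but does not say what result confirms that block at first sight is working. Add the expected outcome on the client. It would also help to note that the Security Administrator role is sufficient, so that nobody signs in with a Global Administrator account on a test device just to fetch the sample.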
If you have a personal device that is not managed by an organization, you might
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)-- [Stay protected with Windows Security](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
+- [Stay protected with Windows Security](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: Normal
+localization_priority: Priority
audience: ITPro Previously updated : 10/21/2020 Last updated : 06/12/2021
# Protect devices from exploits -- **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
If you're considering moving to Defender for Endpoint, we have guidance to help.
| Scenario | Guidance | |:-|:-|
-| You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. <p> You want to see how Defender for Endpoint works before rolling it out in your environment. | [Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
+| You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. You want to see how Defender for Endpoint works before rolling it out in your environment. | [Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md) |
| You already have Defender for Endpoint, and you want some help getting everything set up and configured. | [Microsoft Defender for Endpoint deployment guide](deployment-phases.md) |
-| You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint and Microsoft Defender Antivirus. <p> You want to get an overview of the migration process and how to make the switch. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
+| You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint and Microsoft Defender Antivirus. You want to get an overview of the migration process and how to make the switch. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
| You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
The following managed security service providers can be accessed through the por
Logo |Partner name | Description :|:|:
+![Image of Accenture logo](images/accenture-logo.png)|[Accenture Managed Detection & Response (MDR)](https://go.microsoft.com/fwlink/?linkid=2164353) | Manage, maintain, and enhance global cybersecurity operations with extended capabilities that detect, proactively hunt for and respond to advanced cyber-attacks across both IT and OT environments located in the cloud and on-premise.
![Image of Aujas logo](images/aujas-logo.png) | [Aujas managed MDE Service](https://go.microsoft.com/fwlink/?linkid=2162429) | Aujas cybersecurity provides 24*7 managed security services across the entire enterprise spectrum, using Microsoft Defender for endpoints through its Cyber Defense Centers.
-![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
+![Image of BDO Digital logo](images/bdo-logo.png)| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense uses best practice tools, AI, and in-house security experts for 24/7/365 identity protection
![Image of BlueVoyant logo](images/bluevoyant-logo.png)| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender for Endpoint provides support in monitoring, investigating, and mitigating advanced attacks on endpoints ![Image of Cloud Security Center logo](images/cloudsecuritycenter-logo.png)| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities ![Image of Cloud SOC logo](images/cloudsoc-logo.png)| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture ![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
+![Image of CyberProof logo](images/cyberproof-logo.png) |[CyberProof Managed Detection & Response (MDR)](https://go.microsoft.com/fwlink/?linkid=2163964) | 24x7 managed threat detection and response services fully integrated with Azure Sentinel and Defender for Endpoint.
![Image of Dell Technologies Advanced Threat Protection logo](images/dell-logo.png)| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability ![Image of DXC-Managed Endpoint Threat Detection and Response logo](images/dxc-logo.png)| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days ![Image of eSentire log](images/esentire-logo.png) | [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2154970) | 24x7 threat investigations and response via Microsoft Defender for Endpoint. ![Image of expel logo](images/expel-logo.png)| [Expel Managed detection and response for Microsoft Defender Endpoint](https://go.microsoft.com/fwlink/?linkid=2162430) | Expel helps your security keep up by detecting security risks in Microsoft Defender Endpoint.
+![Image of Mandiant logo](images/mandiant-logo.png) | [Mandiant Managed Defense (MDR) for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2164352) | Fortify your Defender for Endpoint with 24/7 frontline MDR intelligence and expertise from Mandiant.
![Image of NTT Security logo](images/ntt-logo.png)| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network ![Image of OneVinn logo](images/onevinn-logo.png) | [Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2155203)| 24/7 Managed Detection and Response built on Microsoft Defender and Azure Sentinel, enriched with Onevinn's threat intelligence. ![Image of Quorum Cyber logo](images/quorum-logo.png) | [Quorum Cyber](https://go.microsoft.com/fwlink/?linkid=2155202)| A cutting-edge Threat Hunting & Security Engineering service. ![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes ![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions ![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
-![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Defender for Endpoint
+![Image of Trustwave Threat Detection & Response Services logo](images/trustwave-logo.png)| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure using integrations with Sentinel and Defender for Endpoint
![Image of White Shark Managed Security Services](images/white-shark.png)| [White Shark Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2154210) |True expert approach to cyber security with transparent pricing on every platform, mobile included. ![Image of Wortell's cloud SOC logo](images/wortell-logo.png)| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Defender for Endpoint service for monitoring & response ![Image of Zero Trust Analytics Platform (ZTAP) logo](images/ztap-logo.png)| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
benefits, read our
For more details on how to get started, visit the Defender for Endpoint on macOS [documentation](microsoft-defender-endpoint-mac.md).
+>[!NOTE]
+>The following capabilities are not currently supported on macOS endpoints:
+>- Data loss prevention
+>- Live response
+>- SIEM
++ ## Microsoft Defender for Endpoint on Linux Microsoft Defender for Endpoint on Linux offers preventative (AV) capabilities for Linux
For more details on how to get started, visit the Microsoft Defender for Endpoin
Linux [documentation](microsoft-defender-endpoint-linux.md).
+>[!NOTE]
+>The following capabilities are not currently supported on Linux endpoints:
+>- Data loss prevention
+>- Live response
+>- SIEM
+++ ## Microsoft Defender for Endpoint on Android Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
how the endpoint security suite should be enabled.
## Next step
-|||
-|:-|:--|
-|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender for Endpoint deployment |
+
+![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md)
+
+Set up Microsoft Defender for Endpoint deployment
security Advanced Hunting Example https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-example.md
+
+ Title: Advanced hunting example for Microsoft Defender for Office 365
+description: Get started searching for email threats using advanced hunting
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Advanced hunting example for Microsoft Defender for Office 365
+++
+**Applies to:**
+- Microsoft 365 Defender
+
+Want to get started searching for email threats using advanced hunting? Try this:
+
+The [Getting Started](/microsoft-365/security/office-365-security/defender-for-office-365#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/office-365-security/defender-for-office-365) has logical early configuration chunks that look like this:
+
+1. Configure everything with 'Anti' in the name.
+ - Anti-malware
+ - Anti-phishing
+ - Anti-spam
+2. Set up everything with 'Safe' in the name.
+ - Safe Links
+ - Safe Attachments
+3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
+4. Protect with zero-Hour auto purge.
+
+Along with a [link](../office-365-security/protect-against-threats.md) to jump right in and get configuration going on Day 1.
+
+The last step in **Getting Started** is protecting users with **Zero-Hour auto purge**, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
+
+Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps [here](https://security.microsoft.com/advanced-hunting), under **Hunting** \> **Advanced Hunting**.
+
+1. On the Advanced Hunting page, click **Query**.
+1. Copy the query below into the query window.
+1. Select **Run query**.
+
+```kusto
+EmailPostDeliveryEvents
+| where Timestamp > ago(7d)
+//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png
+| where ActionType has "ZAP" and ActionResult == "Error"
+| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
+//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
+| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
+| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
+//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
+| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
+LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
+```
++
+The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select **Save** > **Save As** and add the query to your list of queries, shared, or community queries.
+
+## Related information
+- [Advanced hunting best practices](advanced-hunting-best-practices.md)
+- [Overview - Advanced hunting](advanced-hunting-overview.md)
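Review bot: the KQL comment in the new query, `//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png`, has an image file name fused onto its end; trim it to `//List malicious emails that were not zapped successfully`. The same stray text is in the copy of the query being removed from microsoft-365-security-center-mdo.md, so moving the query into its own article is the moment to clean it up.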
security Advanced Hunting Query Emails Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-emails-devices.md
DeviceInfo
| project AlertId, Timestamp, Title, Severity, Category ``` +
+### Get file event information
+
+Use the following query to get information on file related events.
+
+```kusto
+DeviceInfo
+| where Timestamp > ago(1d)
+| where ClientVersion startswith "20.1"
+| summarize by DeviceId
+| join kind=inner (
+ DeviceFileEvents
+ | where Timestamp > ago(1d)
+) on DeviceId
+| take 10
+```
++
+### Get network event information
+
+Use the following query to get information on network related events.
+
+```kusto
+DeviceInfo
+| where Timestamp > ago(1d)
+| where ClientVersion startswith "20.1"
+| summarize by DeviceId
+| join kind=inner (
+ DeviceNetworkEvents
+ | where Timestamp > ago(1d)
+) on DeviceId
+| take 10
+```
+
+### Get device agent version information
+
+Use the following query to get the version of the agent running on a device.
+
+```kusto
+DeviceInfo
+| where Timestamp > ago(1d)
+| where ClientVersion startswith "20.1"
+| summarize by DeviceId
+| join kind=inner (
+ DeviceNetworkEvents
+ | where Timestamp > ago(1d)
+) on DeviceId
+| take 10
+```
++
+### Example query for macOS devices
+
+Use the following example query to see all devices running macOS with a version older than Catalina.
+
+```kusto
+DeviceInfo
+| where Timestamp > ago(1d)
+| where OSPlatform == "macOS" and OSVersion !contains "10.15" and OSVersion !contains "11."
+| summarize by DeviceId
+| join kind=inner (
+ DeviceInfo
+ | where Timestamp > ago(1d)
+) on DeviceId
+| take 10
+```
+
+### Get device status info
+
+Use the following query to get status of a device. In the following example, the query checks to see if the device is onboarded.
+
+```kusto
+DeviceInfo
+| where Timestamp > ago(1d)
+| where OnboardingStatus != "Onboarded"
+| summarize by DeviceId
+| join kind=inner (
+ DeviceInfo
+ | where Timestamp > ago(1d)
+) on DeviceId
+| take 10
+```
++ ## Hunting scenarios ### List logon activities of users that received emails that were not zapped successfully
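Review bot: the query under "Get device agent version information" is a line-for-line copy of the network events query above it: it joins `DeviceNetworkEvents` and never returns `ClientVersion`, so it does not show the agent version the heading promises. Suggest dropping the join and projecting `DeviceId` and `ClientVersion` from `DeviceInfo`. In the macOS query, `OSVersion !contains "11."` also excludes versions such as 10.11.x, which are older than Catalina and should be listed; a `startswith` test on the major version would avoid that. Under "Get device status info" the text says the query checks whether the device is onboarded, while the filter `OnboardingStatus != "Onboarded"` returns the devices that are not; the sentence should say so.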
DeviceProcessEvents
- [Work with query results](advanced-hunting-query-results.md) - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-tables.md)-- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
ms.technology: m365d
**Applies to:** - [Microsoft 365 Defender](microsoft-365-defender.md)-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) ## Quick reference
-The image and the table below lists the changes in navigation between the Office 365 Security & Compliance Center and Microsoft 365 Defender.
-
-> [!div class="mx-imgBorder"]
-> ![Image of what moved to where](../../media/mdo-m3d-security-center.png)
+The table below lists the changes in navigation between the Office 365 Security & Compliance Center and the Microsoft 365 Defender.
<br> ****
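Review bot: the new sentence ends "and the Microsoft 365 Defender"; the product name takes no article elsewhere in this article, so drop "the".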
-|Office 365 Security & Compliance|Microsoft 365 Defender|Microsoft 365 compliance center|Exchange admin center|
+|[Office 365 Security & Compliance](https://protection.office.com)|[Microsoft 365 Defender](https://security.microsoft.com)|[Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com/#/)|
|||||
-|Alerts|Email & collaboration|||
+|Alerts|<ul><li>[Alert Policies](https://security.microsoft.com/alertpolicies)</li><li>[Incidents & alerts](https://security.microsoft.com/alerts)</li></ul>|[Alerts page](https://compliance.microsoft.com/homepage)||
|Classification||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)|| |Data loss prevention||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
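Review bot: in the new Alerts row the compliance center cell is labelled "Alerts page" but links to <https://compliance.microsoft.com/homepage>, the same home page URL used by the generic "See Microsoft 365 compliance center" cells. Either point the link at the alerts page itself or use the generic label, so the link text does not promise a deep link it does not deliver.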
-|Records management||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage) ||
+|Records management||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
|Information governance||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
-|Threat management|Email & collaboration|||
+|Threat management|[Email & Collaboration](https://security.microsoft.com/homepage)|||
+|Permissions|[Permissions & roles](https://security.microsoft.com/emailandcollabpermissions)|See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
|Mail flow|||See [Exchange admin center](https://admin.exchange.microsoft.com/#/)| |Data privacy||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
-|Search|Search|||
-|Reports|Report|||
-|Service assurance|Settings|||
-|
+|Search|[Audit](https://security.microsoft.com/auditlogsearch?viewid=Async%20Search)|Search (content search)||
+|Reports|[Report](https://security.microsoft.com/emailandcollabreport)|||
+|Service assurance||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|Supervision||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|eDiscovery||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
-[Microsoft 365 Defender](./overview-security-center.md) at <https://security.microsoft.com> combines security capabilities from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
+[Microsoft 365 Defender](./overview-security-center.md) at <https://security.microsoft.com> combines security capabilities from existing Microsoft security portals, including the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
If you are familiar with the Office 365 Security and Compliance portal (protection.office.com), this article describes some of the changes and improvements in Microsoft 365 Defender.
Learn more about the benefits: [Overview of Microsoft 365 Defender](overview-sec
If you are looking for compliance-related items, visit the [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage).
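Review bot: this edit removes "Microsoft Defender Security Center" from the list of portals that Microsoft 365 Defender combines, but the IMPORTANT note re-added further down still says the portal "combines security features in <https://securitycenter.windows.com>, and <https://protection.office.com>". The two statements should agree; update whichever one is out of date.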
-## What's changed
-
-This table is a quick reference of Email & Collaboration areas where change has occurred between the **Security & Compliance center** and the **Microsoft 365 Security** portal. Click the links to read more about these areas.
-
-<br>
-
-****
-
-|Area|Description of change|
-|||
-|[Email entity page](../office-365-security/mdo-email-entity-page.md)|This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.|
-|[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-microsoft-365-defender-portal)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
-|[Alert view](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Office Security and Compliance center now includes links to Microsoft 365 Defender. Click on the **Open Alert Page** link and Microsoft 365 Defender opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
-|[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.|
-|
-
-No changes to these areas:
--- [Explorer](../office-365-security/threat-explorer.md)-- [Policies & Rules](../../compliance/alert-policies.md)-- [Campaign](../office-365-security/campaigns.md)-- [Submissions](../office-365-security/admin-submission.md)-- [Review](./m365d-action-center.md)-- [Threat Tracker](../office-365-security/threat-trackers.md)-
-Also, check the **Related Information** section at the bottom of this article.
-
-> [!IMPORTANT]
-> The Microsoft 365 Security portal (<https://security.microsoft.com>) combines security features in <https://securitycenter.windows.com>, and <https://protection.office.com>. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
-
-> [!TIP]
-> All Exchange Online Protection (EOP) functions will be included in Microsoft 365 Defender, as EOP is a core element of Defender for Office 365.
-
-## Microsoft 365 Defender Home page
-
-The Home page of the portal surfaces:
+## New and improved capabilities
-- Secure Score ratings-- the number of users and devices at risk-- active incident queue-- lists of privileged OAuth apps-- device health data-- tweets from MicrosoftΓÇÖs security intelligence twitter feed-- and more summary information
+The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center.
-Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
+With the unified Microsoft 365 Defender solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization.
-Also included is a link to the **Office 365 Security and Compliance center** for comparison. The last link is to the **What's New** page that describes recent updates.
-## Improved capabilities
+Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
-The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center.
### Incidents and alerts
Brings together incident and alert management across your email, devices, and id
Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using [advanced hunting queries](advanced-hunting-overview.md). These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.
-[Custom detection rules](/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
+[Custom detection rules](/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
+
+Here is an [example on advanced hunting](advanced-hunting-example.md) in Microsoft Defender for Office 365.
### Action center Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help security teams by automatically responding to specific events.
-[Learn more about Action center](m365d-action-center.md)
+Learn more about [Action center](m365d-action-center.md).
#### Threat Analytics
Get threat intelligence from expert Microsoft security researchers. Threat Analy
- Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint. - Incidents view related to the threats. - Enhanced experience for quickly identifying and using actionable information in the reports.+ You can access Threat analytics either from the upper left navigation bar in Microsoft 365 Defender, or from a dedicated dashboard card that shows the top threats for your organization.
-Learn more about how to [track and respond to emerging threats with threat analytics](./threat-analytics.md)
+Learn more about how to [track and respond to emerging threats with threat analytics](./threat-analytics.md).
### Email & collaboration
Track and investigate threats to your users' email, track campaigns, and more. I
:::image type="content" source="../../media/converge-3-email-and-collab-new.png" alt-text="The quick launch menu for Email & Collab (or MSDO), on the left side of Microsoft 365 Defender.":::
+#### Email entity page
+
+The [Email entity page](../office-365-security/mdo-email-entity-page.md) *unifies* email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.
+ ### Access and Reports View reports, change your settings, and modify user roles.
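Review bot: the last sentence of the new "Email entity page" paragraph ends "and then act quickly determine handling", which is missing a word; "act quickly to determine handling" is presumably what was meant. The sentence is carried over unchanged from the table row removed earlier in this diff, so fix it here rather than preserve it.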
View reports, change your settings, and modify user roles.
:::image type="content" source="../../media/converge-4-access-and-reporting-new.png" alt-text="The quick launch menu for Microsoft 365 Defender permissions and reporting, on the left side of the security center."::: > [!NOTE]
-> For Defender for Office 365 users, you can now *manage and rotate* DomainKeys Identified Mail (DKIM) keys through Microsoft 365 Defender: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> **DKIM**.
+> DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain.
+> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys through Microsoft 365 Defender: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> **DKIM**.
+>
+> For more information, see [Use DKIM to validate outbound email sent from your custom domain](/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email).
-## Advanced Hunting example for Microsoft Defender for Office 365
+## What's changed
-Want to get started searching for email threats using advanced hunting? Try this:
+This table is a quick reference of Threat management where change has occurred between the **Security & Compliance center** and the **Microsoft 365 Defender** portal. Click the links to read more about these areas.
-The [Getting Started](/microsoft-365/security/office-365-security/defender-for-office-365.md#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/office-365-security/defender-for-office-365) has logical early configuration chunks that look like this:
+<br>
-1. Configure everything with 'Anti' in the name.
- - Anti-malware
- - Anti-phishing
- - Anti-spam
-2. Set up everything with 'Safe' in the name.
- - Safe Links
- - Safe Attachments
-3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
-4. Protect with zero-Hour auto purge.
+****
-Along with a [link](../office-365-security/protect-against-threats.md) to jump right in and get configuration going on Day 1.
+|Area|Description of change|
+|||
+|[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-microsoft-365-defender-portal)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
+|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Office Security and Compliance center now includes links to Microsoft 365 Defender. Click on the **Open Alert Page** link and Microsoft 365 Defender opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
+|[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.|
+|
-The last step in **Getting Started** is protecting users with **Zero-Hour auto purge**, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
+No changes to these areas:
-Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps [here](https://security.microsoft.com/advanced-hunting), under **Hunting** \> **Advanced Hunting**.
+- [Explorer](../office-365-security/threat-explorer.md)
+- [Policies & Rules](../../compliance/alert-policies.md)
+- [Campaign](../office-365-security/campaigns.md)
+- [Submissions](../office-365-security/admin-submission.md)
+- [Review](./m365d-action-center.md)
+- [Threat Tracker](../office-365-security/threat-trackers.md)
+
+Also, check the **Related Information** section at the bottom of this article.
-1. On the Advanced Hunting page, click Query.
-1. Copy the query below into the query window.
-1. Select Run query.
+> [!IMPORTANT]
+> The Microsoft 365 Defender portal (<https://security.microsoft.com>) combines security features in <https://securitycenter.windows.com>, and <https://protection.office.com>. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
+
+> [!TIP]
+> All Exchange Online Protection (EOP) functions will be included in Microsoft 365 Defender, as EOP is a core element of Defender for Office 365.
-```kusto
-EmailPostDeliveryEvents
-| where Timestamp > ago(7d)
-//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png
-| where ActionType has "ZAP" and ActionResult == "Error"
-| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
-//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
-| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
-| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
-//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
-| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
-LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
-```
+## Microsoft 365 Defender Home page
+
+The Home page of the portal surfaces important summary information about the security status of your Microsoft 365 environment.
+Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
-The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select **Save** > **Save As** and add the query to your list of queries, shared, or community queries.
+Also included is a link to the **Office 365 Security and Compliance center** for comparison. The last link is to the **What's New** page that describes recent updates.
## Related information -- [Microsoft Defender for Office 365 in Microsoft 365 Defender](microsoft-365-security-center-mdo.md)
+- [Redirecting Office 365 Security and Compliance Center to Microsoft 365 Defender](microsoft-365-security-mdo-redirection.md)
- [The Action center](./m365d-action-center.md) - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies)-- [Hunt for threats across devices, emails, apps, and identities](./advanced-hunting-query-emails-devices.md) - [Custom detection rules](/microsoft-365/security/defender-endpoint/custom-detection-rules) - [Create a phishing attack simulation](../office-365-security/attack-simulation-training.md) and [create a payload for training your people](../office-365-security/attack-simulation-training-payloads.md)
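Review bot: in the re-added "What's changed" table, the Attack Simulation training row still carries the broken sentence "Attack simulation training includes, more options, enhanced reports, and improved training flows help make ..."; since the row is being moved anyway, rewrite it, for example as "Attack simulation training includes more options, enhanced reports, and improved training flows that make ...". The table intro, "a quick reference of Threat management where change has occurred", is also hard to parse and would read better as "the Threat management areas that have changed".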
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
- You can sort the entries by clicking on an available column header. Click **Customize columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>): - **Submission name**<sup>\*</sup>
- - **Sender**<su>\*</sup>
+ - **Sender**<sup>\*</sup>
- **Date submitted**<sup>\*</sup> - **Submission type**<sup>\*</sup> - **Reason for submitting**<sup>\*</sup>
If you've deployed the [Report Message add-in](enable-the-report-message-add-in.
- You can sort the entries by clicking on an available column header. Click **Customize columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>): - **Email subject**<sup>\*</sup>
- - **Reported by**<su>\*</sup>
+ - **Reported by**<sup>\*</sup>
- **Date reported**<sup>\*</sup> - **Sender**<sup>\*</sup> - **Reported reason**<sup>\*</sup>
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
The following impersonation settings are only available in anti-phishing policie
- **Show tip for unusual characters**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain. > [!IMPORTANT]
+ > Even if the impersonation safety tips are turned off, **we recommend** that you use a mail flow rule (also known as a transport rule) to add a the following message header to messages:
>
- > Even when the impersonation safety tips are turned off, **we recommend** that you use a mail flow rule (also known as a transport rule) to add a message header named **X-MS-Exchange-EnableFirstContactSafetyTip** with value **enable** to messages. A safety tip will notify recipients the first time they get a message from the sender or if they don't often get messages from the sender. This capability adds an extra layer of security protection against potential impersonation attacks.
+ > - Header name: **X-MS-Exchange-EnableFirstContactSafetyTip**
+ > - Header value: **Enable**
>
- > :::image type="content" source="../../media/safety-tip-first-contact-multiple-recipients.png" alt-text="The text of the safety tip for impersonation protection with multiple recipients.":::
+ > A safety tip will notify recipients the first time they get a message from the sender or if they don't often get messages from the sender. This capability adds an extra layer of security protection against potential impersonation attacks.
+ >
+ > ![The text of the safety tip for impersonation protection with multiple recipients.](../../media/safety-tip-first-contact-multiple-recipients.png)
- **Mailbox intelligence**: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.
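Review bot: the first added line of the IMPORTANT note reads "to add a the following message header"; drop the stray "a". The header value also changes from **enable** in the removed line to **Enable** in the added bullet with no explanation. If the mail flow rule or the service compares the value case-sensitively, admins who built the rule from the old text need to know, so confirm the correct casing and state it. The image reference changes from the `:::image type="content"` form to plain `![...](...)` Markdown inside the blockquote; check that this matches how the other images in the file are written.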