Updates from: 06/18/2021 03:17:21
Category Microsoft Docs article Related commit history on GitHub Change details
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
When you use the **Active users** page to assign licenses, you assign users lice
2. Select the circles next to the names of the users that you want to assign licenses to.
-3. At the top, select the three dots (more actions), then select **Manage product licenses**.
-4. In the **Manage product licenses** pane, select **Add to existing product license assignments** \> **Next**.
-5. In the **Add to existing products** pane, switch the toggle to the **On** position for the license that you want the selected users to have.\
- By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
-6. At the bottom of the pane, select **Add** \> **Close**.
+3. At the top, select **Manage product licenses**.
+4. In the **Manage product licenses** pane, select **Assign more: Keep the existing licenses and assign more** \> **Next**.
+5. Under **Licenses**, select the box for the license(s) that you want the selected users to have.\
+ By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Deselect the boxes for the services that you don't want the users to have.
+6. At the bottom of the pane, select **Save changes**.
+ You might have to buy additional licneses if you don't have enough licenses for everyone.
> [!NOTE]
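Review bot: The sentence added after step 6 misspells "licenses" ("You might have to buy additional licneses if you don't have enough licenses for everyone"); correct the spelling. It is also indented as a continuation of step 6, but it describes something the admin needs to know before saving, so consider moving it under step 5 or into the note that follows.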
admin Remove Licenses From Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/remove-licenses-from-users.md
When you use the **Active users** page to unassign licenses, you unassign produc
::: moniker-end
-2. Select the circles next to the names of the users that you want to unassign licenses for.
-3. At the top, select the three dots (more actions), then select **Manage product licenses**.
-4. In the **Manage product licenses** pane, select **Replace existing product license assignments** \> **Next**.
-5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close**.
+2. Select the circles next to the names of the users who you want to unassign licenses for.
+3. At the top, select **Manage product licenses**.
+4. In the **Manage product licenses** pane, select **Unassign all** > **Save changes**.
+5. At the bottom of the pane, select **Done**.
## What happens to a user's data when you remove their license?
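Review bot: New step 4 writes the menu path with a bare ">" ("**Unassign all** > **Save changes**"), while the removed steps in this hunk and the assign-licenses procedure escape it as "\>"; use "\>" here so both articles follow one convention. In new step 2, "the users who you want to unassign licenses for" reads more awkwardly than the "that you want" wording it replaces; keep "that" or use "whom".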
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
description: "Find, test, and deploy Microsoft and Microsoft partner apps for us
# Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal
-The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of apps and Microsoft 365 partner apps from a single location. The location can be accessed at Microsoft Admin center > Settings > Integrated apps. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
+The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of apps and Microsoft 365 partner apps from a single location. The location can be accessed in the Microsoft Admin center settings, in Integrated apps. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
For additional information about purchasing and licensing Microsoft 365 apps from partners for your organization, see [Manage and deploy Microsoft 365 Apps from the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/manage-and-deploy-microsoft-365-apps-from-the-microsoft-365/ba-p/1194324). For more info on how partners create these apps, see [How to plan a SaaS offer for the commercial marketplace](https://go.microsoft.com/fwlink/?linkid=2158277)
-The Integrated apps portal is only accessible to global admins and available to world wide customers only. This feature is not available in sovereign and government clouds.
+The Integrated apps portal is only accessible to global admins and available to world-wide customers only. This feature is not available in sovereign and government clouds.
-The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from partners which are deployed your organization. Only web apps, SPFx apps, Office add-ins and Teams apps are listed. For web apps, we you can see 2 kinds of apps.
+The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from partners which are deployed your organization. Only web apps, SPFx apps, Office add-ins and Teams apps are listed. For web apps, you can see two kinds of apps.
-- SaaS apps that are available in appsource.microsoft.com, and can be deployed by admins giving consent on behalf of organization.
+- SaaS apps that are available in appsource.microsoft.com, and can be deployed by admins giving consent on behalf of the organization.
- SAML gallery apps that are linked with office add-ins. ## Manage apps in the Integrated apps portal You can manage testing and deployment of purchased and licensed Microsoft 365 Apps from partners.
-1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
+1. In the admin center, select **Settings**, and then select **Integrated apps**.
2. Choose an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
-3. On the **Overview** tab select **Deploy**. Some apps require you to add users before you can select Deploy.
+3. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
4. Select **Users**, choose **Is this a test deployment**, and then choose **Entire organization**, **Specific users/groups** or **Just me**. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
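Review bot: The rewritten paragraph about the app list still reads "which are deployed your organization", so the sentence is missing a preposition after this pass; change it to "that are deployed in your organization". The same hunk introduces "world-wide" and keeps "custom business line of apps" in the opening paragraph, while a heading changed later in this file uses "line-of-business"; prefer "worldwide" and "custom line-of-business apps" so the terms match.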
You won't be able to deploy a single store app or Microsoft 365 Apps by partner
- The SaaS offer is linked to add-ins, but it does not integrate with Microsoft Graph and no AAD App ID is provided. - The SaaS offer is linked to add-ins, but AAD App ID provided for Microsoft Graph integration is shared across multiple SaaS offers.
-## Upload custom line of business apps for testing and full deployment
+## Upload custom line-of-business apps for testing and full deployment
1. In the admin center, in the left nav, choose **Settings** and then **Integrated apps**.
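Review bot: Step 1 under the renamed heading still says "in the left nav, choose **Settings** and then **Integrated apps**", but the equivalent step in the Manage apps procedure was changed in this commit to "select **Settings**, and then select **Integrated apps**"; apply the same wording here so the two procedures match.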
You won't be able to deploy a single store app or Microsoft 365 Apps by partner
6. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**.
+## Prepare to deploy add-ins in Integrated apps
+
+Office add-ins help you personalize your documents and streamline the way you access information on the web (see Start using your Office Add-in).
+
+Add-ins provides the following benefits:
+
+- When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.
+
+- Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to.
+
+Add-ins are supported in three desktop platforms Windows, Mac and Online Office apps. It is also supported in iOS and Android (Outlook Mobile Add-ins Only).
+
+It can take up to 24 hours for an add-in to show up for client for all users.
+
+Today both Exchange Admins and Global Admins can deploy add-ins from Integrated apps.
+
+### Before you begin
+
+Deployment of add-ins requires that the users are using Microsoft 365 Enterprise licenses (E3/E5/F3) or Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium). The users also need to be signed into Office using their organizational ID) and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory.
+
+Deployment doesn't support the following:
+
+- Add-ins that target Word, Excel, or PowerPoint in Office 2013
+- An on-premises directory service
+- Add-in Deployment to an Exchange On-prem Mailbox
+- Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins.
+- Deployments of Microsoft 365 that do not include Exchange Online such as Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.
+
+### Office Requirements
+
+For Word, Excel, and PowerPoint add-ins, your users must be using one of the following:
+- On a Windows device, Version 1704 or later of Microsoft 365 Enterprise licenses (E3/E5/F3) or Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium).
+- On a Mac, Version 15.34 or later.
+
+For Outlook, your users must be using one of the following:
+- Version 1701 or later of Microsoft 365 Enterprise licenses (E3/E5/F3) or Microsoft 365 Business licenses (Business Basic, Business Standard, Business Premium).
+- Version 1808 or later of Office Professional Plus 2019 or Office Standard 2019.
+- Version 16.0.4494.1000 or later of Office Professional Plus 2016 (MSI) or Office Standard 2016 (MSI).
+ > [!NOTE]
+ > MSI versions of Outlook show admin-installed add-ins in the appropriate Outlook ribbon, not the "My add-ins" section.
+- Version 15.0.4937.1000 or later of Office Professional Plus 2013 (MSI) or Office Standard 2013 (MSI).
+- Version 16.0.9318.1000 or later of Office 2016 for Mac.
+- Version 2.75.0 or later of Outlook mobile for iOS.
+- Version 2.2.145 or later of Outlook mobile for Android.
+++
+### Exchange Online requirements
+Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying add-ins and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth authentication.
+
+Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
+
+### User and group assignments
+The deployment of add-in is currently supported to the majority of groups supported by Azure Active Directory, including Microsoft 365 groups, distribution lists, and security groups. Deployment supports users in top-level groups or groups without parent groups, but not users in nested groups or groups that have parent groups.
+
+> [!NOTE]
+> Non-mail enabled security groups are not currently supported.
+
+In the following example, Sandra, Sheila, and the Sales Department group are assigned to an add-in. Because the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an add-in.
+
+![Diagram of sales department](../../media/683094bb-1160-4cce-810d-26ef7264c592.png)
+
+### Find out if a group contains nested groups
+
+The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
+
+![Members tab of Outlook contact card](../../media/d9db88c4-d752-426c-a480-b11a5b3adcd6.png)
+
+You can do the opposite query by resolving the group to see if it's a member of any group. In the example below, you can see under the <b>Membership</b> tab of the Outlook contact card that Sub Group 1 is a member of the Test Group.
+
+![Membership tab of the Outlook contact card](../../media/a9f9b6ab-9c19-4822-9e3d-414ca068c42f.png)
+
+Note that you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, seeΓÇ»[Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
+
+## Recommended approach for deploying Office add-ins
+To roll out add-ins by using a phased approach, we recommend the following:
+1. Roll out the add-in to a small set of business stakeholders and members of the IT department. You can turn on the flag **Is this a test deployment**. If the deployment is successful, move to step 2.
+
+2. Roll out the add-in to more individuals within the business. Again, evaluate the results and, if successful, continue with full deployment.
+
+3. Perform a full rollout to all users. Turn off the flag from **Is this a Test deployment**.
+
+Depending on the size of the target audience, you can add or remove roll-out steps.
+
+## Deploy an Office add-in using the admin center
+
+1. In the admin center, select **Settings**, then select **Integrated apps**.
+
+2. SelectΓÇ»**Get apps** at the top of the page. AppSource will load in an embedded format. Either search for an add-in or find it through clicking on Product on the left nav. If the add-in has been linked by the ISV to a SaaS app or other apps and add-ins and if the SaaS app is a paid app then you will be shown a dialog box to either buy the license or Deploy. Irrespective of whether you have bought the license or not you can go ahead with the deployment. Select **Deploy**.
+
+3. You will see the **Configuration** page where all the apps are listed. If you donΓÇÖt have permissions or the right access to deploy the app, the respective information will be highlighted. You can select the apps you want to deploy. By selecting **Next**, you will view the **Users** page. If the add-in hasnΓÇÖt been linked by the ISV, you will be routed to the Users page.
+
+4. Select **Everyone**, **Specific users/groups**, or **Just me** to specify whom the add-in is deployed to. Use the Search box to find specific users or groups. If you are testing the add-in, select **Is this a test deployment**.
+
+5. Select **Next**. All the app capabilities and permissions are displayed in a single pane along with certification info if the app has Microsoft 365 certification. Selecting the certification logo lets the user see more details about the certification.
+
+6. Review, and then select **Finish deployment**.
+
+7. A green "tick" icon appears when the add-in is deployed. Follow the on-page instructions to test the add-in.
+
+> [!NOTE]
+> Users might need to relaunch Office to view the add-in icon on the app ribbon. Outlook add-ins can take up to 24 hours to appear on app ribbons.
+
+It's good practice to inform users and groups that the deployed add-in is available. Consider sending an email that describes when and how to use the add-in. Include or link to help content or FAQs that might help users if they have problems with the add-in.
+
+## Considerations when assigning an add-in to users and groups
+
+Global admins and Exchange admins can assign an add-in to everyone or to specific users and groups. Each option has implications:
+
+- **Everyone** This option assigns the add-in to every user in the organization. Use this option sparingly and only for add-ins that are truly universal to your organization.
+
+- **Users** If you assign an add-in to an individual user, and then deploy the add-in to a new user, you must first add the new user.
+
+- **Groups** If you assign an add-in to a group, users who are added to the group are automatically assigned the add-in. When a user is removed from a group, the user loses access to the add-in. In either case, no additional action is required from the admin.
+
+- **Just me** If you assign an add-in to just yourself, the add-in is assigned to only your account, which is ideal for testing the add-in.
+
+The right option for your organization depends on your configuration. However, we recommend making assignments by using groups. As an admin, you might find it easier to manage add-ins by using groups and controlling the membership of those groups rather than assigning individual users each time. In some situations, you might want to restrict access to a small set of users by making assignments to specific users by assigning users manually.
+
+### More about Office add-ins security
+Office add-ins combine an XML manifest file that contains some metadata about the add-in, but most importantly points to a web application which contains all the code and logic. Add-ins can range in their capabilities. For example, add-ins can:
+- Display data.
+- Read a user's document to provide contextual services.
+- Read and write data to and from a user's document to provide value to that user.
+
+For more information about the types and capabilities of Office add-ins, seeΓÇ»[Office Add-ins platform overview](/office/dev/add-ins/overview/office-add-ins), especially the section "Anatomy of an Office Add-in."
+
+To interact with the user's document, the add-in needs to declare what permission it needs in the manifest. A five-level JavaScript API access-permissions model provides the basis for privacy and security for users of task pane add-ins. The majority of the add-ins in the Office Store are level ReadWriteDocument with almost all add-ins supporting at least the ReadDocument level. For more information about the permission levels, seeΓÇ»[Requesting permissions for API use in content and task pane add-ins](/office/dev/add-ins/develop/requesting-permissions-for-api-use-in-content-and-task-pane-add-ins).
+
+When updating a manifest, the typical changes are to an add-in's icon and text. Occasionally, add-in commands change. However, the permissions of the add-in do not change. The web application where all the code and logic for the add-in runs can change at any time, which is the nature of web applications.
+
+Updates for add-ins happen as follows:
+- **Line-of-business add-in**: In this case, where an admin explicitly uploaded a manifest, the add-in requires that the admin upload a new manifest file to support metadata changes. The next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+
+- **Office Store add-in**: When an admin selected an add-in from the Office Store, if an add-in updates in the Office Store, the next time the relevant Office applications start, the add-in will update. The web application can change at any time.
+
+> [!NOTE]
+> For Word, Excel and PowerPoint use a [SharePoint App Catalog](https://dev.office.com/docs/add-ins/publish/publish-task-pane-and-content-add-ins-to-an-add-in-catalog) to deploy add-ins to users in an on-premises environment with no connection to Microsoft 365 and/or support for SharePoint add-ins required. For Outlook use Exchange control panel to deploy in an on-premises environment without a connection to Microsoft 365.
+
+## Add-in states
+An add-in can be in either the **On** or **Off** state.
+
+| State | How the state occurs | Impact |
+|:--|:--|:--|
+|**Active** <br/> |Admin uploaded the add-in and assigned it to users or groups. <br/> |Users and groups assigned to the add-in see it in the relevant clients. <br/> |
+|**Turned off** <br/> |Admin turned off the add-in. <br/> |Users and groups assigned to the add-in no longer have access to it. <br/> If the add-in state is changed to Active, the users and groups will have access to it again. <br/> |
+|**Deleted** <br/> |Admin deleted the add-in. <br/> |Users and groups assigned the add-in no longer have access to it. <br/> |
+
+Consider deleting an add-in if no one is using it anymore. For example, turning off an add-in might make sense if an add-in is used only during specific times of the year.
+
+## Manage an Office add-in using the admin center
+
+Post deployment, admins can also manage user access to add-ins.
+
+1. In the admin center, select **Settings**, then select **Integrated apps**.
+2. On the Integrated apps page, it will display a list of apps will be either single add-ins or add-ins that have been linked with other apps.
+3. Select an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
+4. On the **Overview** tab, select **Deploy**. Some apps require you to add users before you can select Deploy.
+5. Select **Users**, select **Is this a test deployment**, and then select either **Entire organization**, **Specific users/groups** or **Just me**. You can also select **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
+6. Select **Update** and then select **Done**. You can now select **Deploy** on the **Overview** tab.
+7. Review the app information, and then selectΓÇ»**Deploy**.
+8. Select **Done** on the **Deployment completed** page, and review the details of the test or full deployment on the **Overview** tab.
+9. If the app has a status ofΓÇ»**Update pending**, you can click on the app to open the **Manage** pane and update the app.
+10. To just update users, select the **Users** tab and make the appropriate change. Select **Update** after making your changes.
+
+## Delete an add-in
+
+You can also delete an add-in that was deployed.
+
+1. In the admin center, select **Settings**, then select **Integrated apps** .
+2. Select any row to display the management pane.
+3. Select the **Configuration** tab.
+4. Select the add-in that you want to delete and then select **Remove**.
+
+> [!NOTE]
+> If the add-in has been deployed by another admin, then the Remove button will be disabled. Only the admin who has deployed the app or a global admin can delete the add-in.
+
+## Scenarios where Exchange admin cannot deploy an add-in
+
+There are two cases in which an Exchange Admin won't be able to deploy an add-in:
+- If an add-in needs permission to MS Graph APIs and needs consent from a global admin.
+- If an add-in is linked to two or more add-ins and webapps, and at least one of these add-ins is deployed by another admin (exchange/global) and the user assignment is not uniform. We only allow deployment of add-ins when the user assignment is the same for all the already deployed apps.
++ ## Frequently asked questions ### Which administrator role do I need to access Integrated apps?
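Review bot: The new "Prepare to deploy add-ins" section states "Today both Exchange Admins and Global Admins can deploy add-ins from Integrated apps", which conflicts with text this file keeps elsewhere: "The Integrated apps portal is only accessible to global admins" and the FAQ answer "Only global administrators can access Integrated Apps". An admin deciding which role to grant needs one answer, so reconcile these statements and say exactly what an Exchange admin can and cannot do in the portal. In "Add-in states", the intro names **On** and **Off** but the table lists **Active**, **Turned off** and **Deleted**, and the paragraph after the table opens with deleting and then gives an example about turning off; align the state names and the example. Several added lines also carry mis-encoded characters ("seeΓÇ»[", "donΓÇÖt", "SelectΓÇ»**Get apps**"), an unbalanced parenthesis in "organizational ID)", and stray "+++" and "++" lines; clean these up before merge.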
Only global administrators can access Integrated Apps. Integrated apps won't sho
There could be a few reasons: -- The logged in administrator is an Exchange admininstrator.
+- The logged in administrator is an Exchange administrator.
- The customer is in sovereign cloud and Integrated apps experience is available to sovereign cloud customers yet. ### What apps can I deploy from Integrated apps?
-Integrated apps allows deployment of Web Apps, Teams app, Excel, PowerPoint, Word, Outlook add-ins, and SPFx apps. For add-ins, Integrated apps supports deployment to Exchange online mailboxes and not on-premises Exchange mailboxes.
+Integrated apps allow deployment of Web Apps, Teams app, Excel, PowerPoint, Word, Outlook add-ins, and SPFx apps. For add-ins, Integrated apps support deployment to Exchange online mailboxes and not on-premises Exchange mailboxes.
### Can administrators delete or remove apps?
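Review bot: The unchanged bullet next to the "admininstrator" spelling fix still says "Integrated apps experience is available to sovereign cloud customers yet", which has lost its negation; it should read "isn't available to sovereign cloud customers yet", in line with "This feature is not available in sovereign and government clouds" earlier in the file. Changing "Integrated apps allows" to "Integrated apps allow" treats the feature name as a plural noun, although the page uses it as the name of one feature ("the Integrated apps portal"); consider keeping the singular verb.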
admin Password Policy Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/password-policy-recommendations.md
description: "Make your organization more secure against password attacks, and b
# Password policy recommendations
-As the admin of an organization, you're responsible for setting password policy for users in your organization. Setting password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.
+As the admin of an organization, you're responsible for setting the password policy for users in your organization. Setting the password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.
To determine how often Microsoft 365 passwords expire in your organization, see [Set password expiration policy for Microsoft 365](../manage/set-password-expiration-policy.md).
In contrast, here are some recommendations in encouraging password diversity.
### Ban common passwords
-The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include, **abcdefg**, **password**, **monkey**.
+The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include: **abcdefg**, **password**, **monkey**.
### Educate users to not re-use organization passwords anywhere else
Risk-based multi-factor authentication ensures that when our system detects susp
Want to know more about managing passwords? Here is some recommended reading:
+- [Microsoft Password Guidance](https://www.microsoft.com/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf)
+ - [Do Strong Web Passwords Accomplish Anything?](https://go.microsoft.com/fwlink/p/?linkid=861008) - [Password Portfolios and the Finite-Effort User](https://go.microsoft.com/fwlink/p/?linkid=861014)
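Review bot: The added "Microsoft Password Guidance" entry links directly to a PDF under www.microsoft.com/research/wp-content/uploads/, while the neighbouring entries use go.microsoft.com/fwlink redirects; if a redirect exists for this document, use it so the reference survives a file move. The following line now appears as "+ - [Do Strong Web Passwords Accomplish Anything?]", so check that the list markers and indentation still render as one flat list.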
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
The default theme is the first theme displayed.
You can create up to four additional group themes.
-1. On the **General** page, enter a name for your theme.
+1. On the **General** page, enter a name for your new theme.
2. Under **Groups**, you can select up to 5 Microsoft 365 Groups that can see your group theme, instead of using the default theme. You can also prevent users from overriding their theme and show the user's display name.
You can create up to four additional group themes.
On the **Logos** page, you can you can add your logos, and specify the URL where users will navigate to, when they select the logo. -- **Default logo**: Add a URL location that points to your logo. Make sure that the URL uses HTTPS. If you are uploading a logo, make sure it is less than 10kb. Your default logo can be in the JPG, PNG, GIF, or SVG format. For SVG images, they will be resized to fit 24 pixels vertically. JPG, PNG, GIF images will be scaled to fit 200 x 48 pixels.
+- **Default logo**: Add a URL location that points to your logo. Make sure that the URL uses HTTPS. Add a HTTPS image url that allows anonymous access and doesn't require authentication. For default theme, you also have an option to upload a logo image that is less than 10kb. Your default logo can be in the JPG, PNG, GIF, or SVG format. For SVG images, they will be resized to fit 24 pixels vertically. JPG, PNG, GIF images will be scaled to fit 200 x 48 pixels. Logo aspect ratio will always be preserved.
- **Alternate logo**: Add a URL location that points to your logo. Your alternate logo should be optimized for use in Office dark themes. Same requirements as the default logo. - **On-click link**: Add a URL location that points to your logo. You can use your logo as a link to any company resource, for example, your company's website. Select **Save** to save your changes. You can remove your logos at any time. Just return to the **Logos** page and select **Remove**.-
-> [!NOTE]
-> By default, we first show logo selections that most organizations use. The upload option is only applicable to default themes and not group themes.
## Colors: Choose theme colors
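Review bot: In the **Default logo** bullet the HTTPS requirement is now stated twice ("Make sure that the URL uses HTTPS. Add a HTTPS image url that allows anonymous access and doesn't require authentication"); merge these into one sentence such as "Add an HTTPS image URL that allows anonymous access and doesn't require authentication", which also fixes "a HTTPS" and the lowercase "url". Because the image must be readable without authentication, the bullet should tell admins to host it in a location that is meant to be public. The intro line still contains "you can you can add your logos", and **On-click link** still describes a URL "that points to your logo" although it is the link target.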
admin Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/usage-analytics.md
In addition to customizing the reports from the Power BI web interface, users ca
### How can I get the pbit file that this dashboard is associated with?
-You can access to the pbit file from the [Microsoft Download center](https://download.microsoft.com/download/7/8/2/782ba8a7-8d89-4958-a315-dab04c3b620c/Microsoft%20365%20Usage%20Analytics.pbit).
+You can access to the pbit file from the [Microsoft Download center](https://download.microsoft.com/download/7/8/2/782ba8a7-8d89-4958-a315-dab04c3b620c/Microsoft%20365%20Usage%20Analytics.pbit).
### Who can view the dashboards and reports?
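Review bot: The removed and added lines look identical as rendered, so this appears to be a whitespace-only change, and the sentence still reads "You can access to the pbit file"; drop "to" ("You can access the pbit file" or "You can download the pbit file") while the line is being touched.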
business-video Overview M365 Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/overview-m365-security.md
You can use [data loss prevention (DLP)](set-up-dlp.md) policies to identify and
Microsoft 365 Business Premium advanced device management features let you monitor and control what users can do with enrolled devices. These features include conditional access, [Mobile Device Management (MDM)](/microsoft-365/admin/basic-mobility-security/manage-enrolled-devices), BitLocker, and automatic updates.
-You can use conditional access policies to require additional security measures for certain users and tasks. For example, you can require multi-factor authentication (MFA) or block clients that don't support conditional access.
+You can use conditional access policies to require additional security measures for certain users and tasks. For example, you can require [multi-factor authentication (MFA)](/microsoft-365/business-video/turn-on-mfa) or block clients that don't support conditional access.
With MDM, you can help secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device to remove all company data, reset a device to factory settings, and view detailed device reports.
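Review bot: The new MFA link uses a site-absolute path, "/microsoft-365/business-video/turn-on-mfa", although this article is in business-video/ and links to its sibling DLP article as "set-up-dlp.md"; use the relative form "turn-on-mfa.md" so same-folder links follow one style.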
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
In addition to your Global and Billing admins, we send billing notifications to
## Receive your organization's invoices as email attachments
-> [!NOTE]
-> Billing admins can also do the steps in this section.
- You can have a copy of your organization's invoice attached as a PDF file to invoice notification emails when a new invoice is ready. Use the following steps to receive invoices as attachments. 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=853212" target="_blank">Billing notifications</a> page.
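Review bot: Removing the note "Billing admins can also do the steps in this section" leaves the section with no statement of which roles can turn on invoice attachments; if billing admins can still do this, keep the note, and if they cannot, state the required role at the start of the procedure.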
compliance Define Mail Flow Rules To Encrypt Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email.md
You can remove encryption that is accessible by your organization. This means an
5. In **Name**, type a name for the rule, such as Remove encryption from outgoing mail.
-6. In **Apply this rule if**, select the conditions where encryption should be removed from messages. Add **The sender is located** \> **Inside the organization** _or_ **The recipient is located** \> **Inside the organization**.
+6. In **Apply this rule if**, select the conditions where encryption should be removed from messages. Add **The sender is located** \> **Inside the organization** for sending mail _or_ **The recipient is located** \> **Inside the organization** for receiving mail.
7. In **Do the following**, select **Modify the message security** \> **Remove Office 365 Message Encryption and rights protection**.
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
Depending on the structure of your compliance management team, you have options
| **Role group** | **Role permissions** | | :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. |
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings.|
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. | | **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. | | **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
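Review bot: The sentence added to both rows opens with "When using this configuration", but only the **Insider Risk Management** row describes a configuration (the single-group setup). In the **Insider Risk Management Admin** row it is unclear whether the required member must be in this group, in the combined group, or in either. Consider stating the requirement once, outside the table, and naming the role group or groups it applies to.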
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
Depending on the structure of your compliance management team, you have options
| **Role group** | **Role permissions** | | :- | :- |
-| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. |
-| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. |
+| **Insider Risk Management** | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
+| **Insider Risk Management Admin** | Use this role group to initially configure insider risk management and later to separate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments. When using this configuration, you should make sure to always have at least one user assigned to this role group to ensure that your policies work as expected and so the user can create and edit policies, configure solution settings, and review policy health warnings. |
| **Insider Risk Management Analysts** | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notices templates. They cannot access the insider risk Content explorer. | | **Insider Risk Management Investigators** | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access to all insider risk management alerts, cases, notices templates, and the Content explorer for all cases. | | **Insider Risk Management Auditors** | Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. |
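Review bot: The role-group table, with the same sentence added to both rows, also appears verbatim in insider-risk-management-configure.md, and the two copies already differ in whitespace (`warnings.|` there, `warnings. |` here). Moving the table to a shared include would keep the at-least-one-user requirement from drifting between the plan and configure articles.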
compliance Prepare Tls 1.2 In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-tls-1.2-in-office-365.md
If you are using any on-premises infrastructure for hybrid scenarios or Active D
The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1. - For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information see [KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in).
+- [TLS cipher suites supported by Office 365](/microsoft-365/compliance/technical-reference-details-about-encryption?view=o365-worldwide#tls-cipher-suites-supported-by-office-365)
- To start addressing weak TLS use by removing TLS 1.0 and 1.1 dependencies, see [TLS 1.2 support at Microsoft](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/). - [New IIS functionality](https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/) makes it easier to find clients on [Windows Server 2012 R2](https://support.microsoft.com/help/4025335/windows-8-1-windows-server-2012-r2-update-kb4025335) and [Windows Server 2016](https://support.microsoft.com/help/4025334/windows-10-update-kb4025334) that connect to the service by using weak security protocols. - Get more information about how to [solve the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
The following resources provide guidance to help make sure that your clients are
- [Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/ba-p/607649) - [Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761) - [Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-3-turning-off-tls-1-0-1-1/ba-p/607898)-- [Enable TLS 1.1 and TLS 1.2 support in Office Online Server](/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server)
+- [Enable TLS 1.1 and TLS 1.2 support in Office Online Server](/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server)
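Review bot: The added cipher-suite link hard-codes `?view=o365-worldwide` in a site-relative path, which pins the link to the Worldwide view; the other relative links in this article carry no view parameter. Drop the query string and keep the `#tls-cipher-suites-supported-by-office-365` anchor. The bullet is also a bare link placed between two action items; a short lead such as "For the cipher suites that Office 365 accepts, see ..." would match its neighbours.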
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
You apply Preservation Lock after the retention policy or retention label policy
## Releasing a policy for retention
-Providing your policies for retention don't have a Preservation Lock, you can delete your policies at any time, which effectively turns off the previously applied retention settings. You can also keep the policy, but remove a site for SharePoint or an account for OneDrive, or change the location status to off, or disable the policy.
+Providing your policies for retention don't have a Preservation Lock, you can delete your policies at any time, which effectively turns off the previously applied retention settings. You can also keep the policy, but change the location status to off, or disable the policy. If your policy is configured to include specific sites for SharePoint or accounts for OneDrive, you can also edit the policy to remove one or more of these entries to release the policy for those sites or accounts.
When you do any of these actions, any SharePoint or OneDrive content that's subject to retention from the policy continues to be retained for 30 days to prevent inadvertent data loss. During this 30-day grace period deleted files are still retained (files continue to be added to the Preservation Hold library), but the timer job that periodically cleans up the Preservation Hold library is suspended for these files so you can restore them if necessary.
+An exception to this 30-day grace period is when you update the policy to exclude one or more sites for SharePoint or accounts for OneDrive; in this case, the timer job deletes files for these locations in the Preservation Hold library without the 30-day delay.
+ For more information about the Preservation Hold library, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive). Because of the behavior during the grace period, if you re-enable the policy or change the location status back to on within 30 days, the policy resumes without any permanent data loss during this time.
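Review bot: The new exception (the timer job deletes files for excluded SharePoint sites or OneDrive accounts without the 30-day delay) is not reflected in the section's closing sentence, which still promises that re-enabling the policy within 30 days resumes it "without any permanent data loss". Qualify that sentence for the exclusion case. The first paragraph also says "remove one or more of these entries" while the exception says "exclude one or more sites"; state whether removing an included site keeps the grace period and only an exclusion skips it, because the admin needs to know which edit is destructive.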
compliance Sit Edm Notifications Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-notifications-activities.md
Title: "Create notifications for exact data match activities (preview)"
+ Title: "Create notifications for exact data match activities"
f1.keywords: - NOCSH
description: Learn how to create notifications for exact data match activities.
-# Create notifications for exact data match activities (preview)
+# Create notifications for exact data match activities
When you [create custom sensitive information types with exact data match (EDM)](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) there are a number of activities that are created in the [audit log](search-the-audit-log-in-security-and-compliance.md#requirements-to-search-the-audit-log). You can use the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert?view=exchange-ps) PowerShell cmdlet to create notifications that let you know when these activities occur:
When you [create custom sensitive information types with exact data match (EDM)]
- UploadDataFailed - UploadDataCompleted
-> [!NOTE]
-> The ability to create notifications for EDM activities is only available for the World Wide and GCC clouds only.
- ## Pre-requisites The account you use must be one of the following:
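Review bot: Dropping the availability note together with "(preview)" leaves the article silent on which clouds support EDM notifications. If general availability covers every cloud, that is fine; if the feature is still limited to Worldwide and GCC, keep the restriction and fix only the doubled "only" in the old wording.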
compliance Technical Reference Details About Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/technical-reference-details-about-encryption.md
All cipher suites supported by Office 365 use algorithms acceptable under FIPS 1
TLS, and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. Office 365 supports TLS version 1.2 (TLS 1.2). TLS version 1.3 (TLS 1.3) is currently not supported.+
+> [!IMPORTANT]
+> Be aware that TLS versions deprecate, and that deprecated versions *should not be used* where newer versions are available. If your legacy services do not require TLS 1.0 or 1.1 you should disable them.
## Support for TLS 1.0 and 1.1 deprecation
TLS uses *cipher suites*, collections of encryption algorithms, to establish sec
Office 365 responds to a connection request by first attempting to connect using the most secure cipher suite. If the connection doesn't work, Office 365 tries the second most secure cipher suite in the list, and so on. The service continues down the list until the connection is accepted. Likewise, when Office 365 requests a connection, the receiving service chooses whether TLS will be used and which cipher suite to use.
-> [!IMPORTANT]
-> Be aware that TLS versions deprecate, and that deprecated versions *should not be used* where newer versions are available. TLS 1.3 is currently not supported. If your legacy services do not require TLS 1.0 or 1.1 you should disable them.
-
-| Cipher suite | Key exchange algorithm/strength | Forward Secrecy | Cipher/strength | Authentication algorithm |
+| Cipher suite name | Key exchange algorithm/strength | Forward secrecy | Cipher/strength | Authentication algorithm/strength |
|:--|:--|:--|:--|:--|
-|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 <br/> |ECDH/192 <br/>|Yes <br/>|AES/256 <br/>|RSA/112 <br/> |
-|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 <br/> |ECDH/128 <br/>|Yes <br/>|AES/128 <br/>|RSA/112 <br/> |
-|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 <br/> |ECDH/192 <br/>|Yes <br/>|AES/256 <br/>|RSA/112 <br/> |
-|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 <br/> |ECDH/128 <br/>|Yes <br/>|AES/128 <br/>|RSA/112 <br/> |
-|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA <br/> |ECDH/192 <br/>|Yes <br/>|AES/256 <br/>|RSA/112 <br/> |
-|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA <br/> |ECDH/128 <br/>|Yes <br/>|AES/128 <br/>|RSA/112 <br/> |
-|TLS_RSA_WITH_AES_256_GCM_SHA384 <br/> |RSA/112 <br/> |No <br/> |AES/256 <br/>|RSA/112 <br/> |
-|TLS_RSA_WITH_AES_128_GCM_SHA256 <br/> |RSA/112 <br/> |No <br/> |AES/256 <br/>|RSA/112 <br/> |
-
-These cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation date. For GCC High and DoD environments that deprecation date was January 15, 2020, and for Worldwide and GCC environments that date was October 15, 2020.
-
-| Protocols | Cipher suite name | Key exchange algorithm/Strength | Forward Secrecy support | Authentication algorithm/Strength | Cipher/Strength |
+| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 <br/> | ECDH/192 <br/> | Yes <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 <br/> | ECDH/128 <br/> | Yes <br/> | AES/128 <br/> | RSA/112 <br/> |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 <br/> | ECDH/192 <br/> | Yes <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 <br/> | ECDH/128 <br/> | Yes <br/> | AES/128 <br/> | RSA/112 <br/> |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA <br/> | ECDH/192 <br/> | Yes <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA <br/> | ECDH/128 <br/> | Yes <br/> | AES/128 <br/> | RSA/112 <br/> |
+| TLS_RSA_WITH_AES_256_GCM_SHA384 <br/> | RSA/112 <br/> | No <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS_RSA_WITH_AES_128_GCM_SHA256 <br/> | RSA/112 <br/> | No <br/> | AES/256 <br/> | RSA/112 <br/> |
+
+The following cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation date. For GCC High and DoD environments that deprecation date was January 15, 2020. For Worldwide and GCC environments that date was October 15, 2020.
+
+| Protocols | Cipher suite name | Key exchange algorithm/strength | Forward secrecy | Cipher/strength | Authentication algorithm/strength |
|:--|:--|:--|:--|:--|:--|
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA <br/> |ECDH/192 <br/> |Yes <br/> |RSA/112 <br/> |AES/256 <br/> |
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA <br/> |ECDH/128 <br/> |Yes <br/> |RSA/112 <br/> |AES/128 <br/> |
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_RSA_WITH_AES_256_CBC_SHA <br/> |RSA/112 <br/> |No <br/> |RSA/112 <br/> |AES/256 <br/> |
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_RSA_WITH_AES_128_CBC_SHA <br/> |RSA/112 <br/> |No <br/> |RSA/112 <br/> |AES/128 <br/> |
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_RSA_WITH_AES_256_CBC_SHA256 <br/> |RSA/112 <br/> |No <br/> |RSA/112 <br/> |AES/256 <br/> |
-|TLS 1.0, 1.1, 1.2 <br/> |TLS_RSA_WITH_AES_128_CBC_SHA256 <br/> |RSA/112 <br/> |No <br/> |RSA/112 <br/> |AES/256 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA <br/> | ECDH/192 <br/> | Yes <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA <br/> | ECDH/128 <br/> | Yes <br/> | AES/128 <br/> | RSA/112 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_RSA_WITH_AES_256_CBC_SHA <br/> | RSA/112 <br/> | No <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_RSA_WITH_AES_128_CBC_SHA <br/> | RSA/112 <br/> | No <br/> | AES/128 <br/> | RSA/112 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_RSA_WITH_AES_256_CBC_SHA256 <br/> | RSA/112 <br/> | No <br/> | AES/256 <br/> | RSA/112 <br/> |
+| TLS 1.0, 1.1, 1.2 <br/> | TLS_RSA_WITH_AES_128_CBC_SHA256 <br/> | RSA/112 <br/> | No <br/> | AES/256 <br/> | RSA/112 <br/> |
+
+Certain Office 365 products (including Microsoft Teams) use [Azure Front Door](/azure/frontdoor/front-door-overview) to terminate TLS connections and route network traffic efficiently. At least one of the [cipher suites supported by Azure Front Door over TLS 1.2](/azure/frontdoor/front-door-faq#what-are-the-current-cipher-suites-supported-by-azure-front-door-) must be enabled to successfully connect to these products. For Windows 10 and above, we recommend enabling one or both of the ECDHE cipher suites for better security. Windows 7, 8, and 8.1 are not compatible with Azure Front Door's ECDHE cipher suites and the DHE cipher suites have been provided for compatibility with those operating systems.
## Related articles
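Review bot: Two rows carry a cipher strength that contradicts the suite name, and the reformat preserves both errors: `TLS_RSA_WITH_AES_128_GCM_SHA256` in the first table and `TLS_RSA_WITH_AES_128_CBC_SHA256` in the second are listed as AES/256. They should read AES/128, as the other AES_128 rows do. The column swap in the second table (Cipher/strength now ahead of Authentication algorithm/strength) is applied consistently to the header and every row.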
These cipher suites supported TLS 1.0 and 1.1 protocols until their deprecation
[TLS/SSL Cryptographic Enhancements (Windows IT Center)](/previous-versions/windows/it-pro/windows-vista/cc766285(v=ws.10))
-[Preparing for TLS 1.2 in Office 365 and Office 365 GCC](/office365/troubleshoot/security/prepare-tls-1.2-in-office-365)
+[Preparing for TLS 1.2 in Office 365 and Office 365 GCC](/office365/troubleshoot/security/prepare-tls-1.2-in-office-365)
+
+[What are the current cipher suites supported by Azure Front Door?](/azure/frontdoor/front-door-faq#what-are-the-current-cipher-suites-supported-by-azure-front-door-)
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
A policy tip is a notification or warning that appears when someone is working w
You can use email notifications and policy tips to increase awareness and help educate people about your organization's policies. You can also give people the option to override the policy, so that they're not blocked if they have a valid business need or if the policy is detecting a false positive.
-In the Security &amp; Compliance Center, when you create a DLP policy, you can configure the user notifications to:
+In the Compliance Center, when you create a DLP policy, you can configure the user notifications to:
- Send an email notification to the people you choose that describes the issue.
+> [!NOTE]
+> Notification emails are sent unprotected.
- Display a policy tip for content that conflicts with the DLP policy:
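Review bot: The `[!NOTE]` is inserted at column 0 between the two bullets, which ends the list after the first item; indent it under "Send an email notification" so it renders as part of that bullet. "Unprotected" should also be spelled out (for example, whether it means the notification is sent without encryption or rights protection), since that determines what an admin can safely put in the notification text.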
includes Office 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-germany-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Germany endpoints version 2020120100-->
-<!--File generated 2021-06-14 14:00:54.6697-->
+<!--File generated 2021-06-16 17:00:28.7402-->
## Exchange Online
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--China endpoints version 2021032900-->
-<!--File generated 2021-06-14 14:00:53.2385-->
+<!--File generated 2021-06-16 17:00:27.1271-->
## Exchange Online
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovDoD endpoints version 2021052800-->
-<!--File generated 2021-06-14 14:00:50.5186-->
+<!--File generated 2021-06-16 17:00:24.7412-->
## Exchange Online
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovGCCHigh endpoints version 2021052800-->
-<!--File generated 2021-06-14 14:00:51.6921-->
+<!--File generated 2021-06-16 17:00:25.9130-->
## Exchange Online
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021052800-->
-<!--File generated 2021-06-14 14:00:48.5739-->
+<!--File generated 2021-06-16 17:00:22.5427-->
## Exchange Online
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
Previously updated : 06/15/2021 Last updated : 06/17/2021 ms.technology: mde
Microsoft Defender Antivirus uses multiple detection and prevention technologies
- **Time extension for file scanning by the cloud**: 50 - **Prompt users before sample submission**: Send all data without prompting
- ![Intune config](images/defender/intune-block-at-first-sight.png)
+ :::image type="content" source="../../media/intune-block-at-first-sight.png" alt-text="Intune config block at first sight":::
4. Save your settings.
You can confirm that block at first sight is enabled on individual client device
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
- ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+ :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="Screenshot of the Virus & threat protection settings label in the Windows Security app":::
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
# Configure and validate exclusions based on file extension and folder location -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
Get-MpPreference
In the following example, the items contained in the `ExclusionExtension` list are highlighted:
-![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
-![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
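Review bot: Both screenshots are deleted but the sentences that introduce them stay ("In the following example, the items contained in the `ExclusionExtension` list are highlighted:" and "In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:"), so each now points at nothing. Replace each image with the corresponding `Get-MpPreference` or `$WDAVprefs.ExclusionPath` output as a text block, or remove the lead-in sentences.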
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
Previously updated : 06/04/2021 Last updated : 06/17/2021
If you're properly connected, you'll see a warning Microsoft Defender Antivirus
If you're using Microsoft Edge, you'll also see a notification message:
-![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png)
A similar message occurs if you're using Internet Explorer:
-![Microsoft Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
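Review bot: With both screenshots removed, "you'll also see a notification message:" and "A similar message occurs if you're using Internet Explorer:" end in a colon with nothing after them. Quote the notification text inline or reword the two sentences so they no longer promise an example.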
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
localization_priority: normal
Previously updated : 05/18/2021 Last updated : 06/17/2021
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
- ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
+ :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="Screenshot of the Virus & threat protection settings":::
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
Here is an example of the response.
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com",
- "orgPrevalence": "4070",
- "orgFirstSeen": "2017-07-30T13:23:48Z",
- "orgLastSeen": "2017-08-29T13:09:05Z"
+ "organizationPrevalence": 4070,
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
} ```
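Review bot: `orgPrevalence` becomes `organizationPrevalence` and its value changes from a string to a number, while `orgFirstSeen` and `orgLastSeen` keep the `org` prefix. If the example now mirrors the real response, the article should call out the rename and the type change, because clients that read `orgPrevalence` or parse the value as a string will stop working. If only the documentation changed, confirm the field name against a live response before merging.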
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-statistics.md
Here is an example of the response.
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
- "orgPrevalence": "14850",
+ "organizationPrevalence": 14850,
"orgFirstSeen": "2019-12-07T13:44:16Z", "orgLastSeen": "2020-01-06T13:39:36Z",
- "globalPrevalence": "705012",
+ "globallyPrevalence": 705012,
"globalFirstObserved": "2015-03-19T12:20:07.3432441Z", "globalLastObserved": "2020-01-06T13:39:36Z", "topFileNames": [
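Review bot: `globallyPrevalence` sits next to `globalFirstObserved` and `globalLastObserved` and does not follow the `organizationPrevalence` naming introduced two lines above it. Check that this is the field name the API returns and not a slip for `globalPrevalence`. As with the organization field, the value changes from a quoted string to a number, which deserves a line in the article.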
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-statistics.md
Here is an example of the response.
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177",
- "orgPrevalence": "63515",
+ "organizationPrevalence": 63515,
"orgFirstSeen": "2017-07-30T13:36:06Z", "orgLastSeen": "2017-08-29T13:32:59Z" }
Here is an example of the response.
| Name | Description | | : | :- |
-| Org prevalence | the distinct count of devices that opened network connection to this IP. |
+| Organization prevalence | the distinct count of devices that opened network connection to this IP. |
| Org first seen | the first connection for this IP in the organization. | | Org last seen | the last connection for this IP in the organization. |
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
getfile c:\Users\user\Desktop\work.txt -auto
> > Use PowerShell as an alternative, if you have problems using this command from within Live Response.
+## library
+
+```console
+# List files in the library
+library
+```
+
+```console
+# Delete a file from the library
+library delete script.ps1
+```
+ ## processes ```console # Show all processes
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
undo file c:\Users\user\Desktop\malware.exe ``` -
-## library
-
-```console
-# List files in the library
-library
-```
-
-```console
-# Delete a file from the library
-library delete script.ps1
-```
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
The procedures in this article first describe how to set the order, and then how
3. Click **Policies** then **Administrative templates**.
-4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
+4. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates** and configure the following settings:
1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**. 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
- ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
+ :::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="group policy setting listing the order of sources":::
- 3. Click **OK**. This will set the order of protection update sources.
+ 3. Select **OK**. This will set the order of protection update sources.
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
- 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
+ 5. Specify the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
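Review bot: substep 3 is changed to "Select **OK**", but substep 6 ("Click **OK**. This will set the order of file shares...") and step 3 ("Click **Policies** then **Administrative templates**") still use "Click", so the procedure now mixes both verbs. Change the remaining instances in the same pass. The image reference also moves from `images/defender/wdav-order-update-sources.png` to `../../media/wdav-order-update-sources.png`; confirm the file exists at the new path.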
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
The need to perform an offline scan will also be revealed in Microsoft Endpoint
The prompt can occur via a notification, similar to the following:
-![Windows notification showing the requirement to run Microsoft Defender Offline](images/defender/notification.png)
The user will also be notified within the Windows Defender client.
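Review bot: removing the screenshot leaves the preceding sentence, "The prompt can occur via a notification, similar to the following:", introducing nothing. Reword that sentence so it no longer promises an illustration, or keep an image in its place.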
In Configuration Manager, you can identify the status of endpoints by navigating
Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-![Microsoft Endpoint Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png)
## Configure notifications
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
ms.technology: mde
# Microsoft Defender Antivirus in the Windows Security app -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
The Windows Security app is a client interface on Windows 10, version 1703 and l
## Review virus and threat protection settings in the Windows Security app
-![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
The following sections describe how to perform some of the most common tasks whe
## Review the security intelligence update version and download the latest updates in the Windows Security app
-![Security intelligence version number information](images/defender/wdav-wdsc-defs.png)
1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
Title: Protect security settings with tamper protection-+ description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection
ms.technology: mde Previously updated : 05/17/2021 Last updated : 06/17/2021 # Protect security settings with tamper protection
The following table provides details on the methods, tools, and dependencies.
|:-|:-| | Microsoft Intune | No | | Microsoft Endpoint Configuration Manager + Tenant Attach | No |
-| Microsoft Defender Security Center ([https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)) | Yes |
-| Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |
+| Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) | Yes |
+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |
## Manage tamper protection for your organization using the Microsoft Defender Security Center
Tamper protection can be turned on or off for your tenant using the Microsoft De
- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access), such as global admin, security admin, or security operations. - Your Windows devices must be running one of the following versions of Windows:+ - Windows 10 - [Windows Server 2019](/windows-server/get-started-19/whats-new-19) - Windows Server, version [1803](/windows/release-health/status-windows-10-1803) or later
If you are part of your organization's security team, and your subscription incl
2. Select **Devices** > **Configuration Profiles**. 3. Create a profile that includes the following settings:+ - **Platform: Windows 10 and later** - **Profile type: Endpoint protection** - **Category: Microsoft Defender Security Center**
If you are part of your organization's security team, and your subscription incl
4. Assign the profile to one or more groups.
-### Are you using Windows OS 1709, 1803, or 1809?
-
-If you are using Windows 10 OS [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
+### Are you using Windows Server 2016, or Windows version 1709, 1803, or 1809?
-#### Use PowerShell to determine whether tamper protection is turned on
+If you are using Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
+
+On Windows Server 2016, the Settings app will not accurately reflect the status of real-time protection when tamper protection is enabled.
+
+#### Use PowerShell to determine whether tamper protection and/or real-time protection are turned on
1. Open the Windows PowerShell app. 2. Use the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?preserve-view=true&view=win10-ps) PowerShell cmdlet. 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
+ In the list of results, look for `RealTimeProtectionEnabled`. (A value of true means tamper protection is enabled.)
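Review bot: the added line for `RealTimeProtectionEnabled` repeats the explanation from the `IsTamperProtected` step, "(A value of true means tamper protection is enabled.)", so it describes the wrong setting; it should say that a value of true means real-time protection is enabled. The line is also added as indented text rather than as step 4 of the numbered list, and *true* is italicised in step 3 but not here. In the new heading, "Windows version 1709, 1803, or 1809" drops the "10" that the paragraph below it keeps ("Windows 10 version 1709"), and the links for 1709 and 1803 are removed while the 1809 link stays, which looks unintentional.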
## Manage tamper protection for your organization with Configuration Manager, version 2006
Using [endpoint detection and response](/microsoft-365/security/defender-endpoin
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
-
-![Tamper protection results in security recommendations](/images/securityrecs-tamperprotect.jpg)
-
-In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
+Tamper protection integrates with [Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*. In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
![Turn on tamper protection](images/tamperprotectsecurityrecos.png)
Your security operations team can also use hunting queries, such as the followin
[Get an overview of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)
-[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender
With the setting set to **Enabled**:
-![Screenshot of Windows Security without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png)
With the setting set to **Disabled** or not configured:
-![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
>[!NOTE] >Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
-![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703](images/defender/wdav-headless-mode-1607.png)
## Use Group Policy to hide the Microsoft Defender AV interface from users
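Review bot: with all three screenshots removed, the lead-ins "With the setting set to **Enabled**:" and "With the setting set to **Disabled** or not configured:" end in a colon and introduce nothing. Replace each with a sentence that describes what the user sees in that state, or keep the images. The quoted warning text for earlier Windows 10 versions still reads correctly without its screenshot.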
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
You can roll back and remove a file from quarantine if youΓÇÖve determined that
2. Enter the following command, and press **Enter**:
- ```powershell
+ ```console
ΓÇ£%ProgramFiles%\Windows Defender\MpCmdRun.exeΓÇ¥ ΓÇôRestore ΓÇôName EUS:Win32/CustomEnterpriseBlock ΓÇôAll ```
-> [!NOTE]
-> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
->
-> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
+ > [!NOTE]
+ > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
+ >
+ > Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
> [!IMPORTANT] > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
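Review bot: the command inside the fence shows non-ASCII characters around the executable path and in front of `Restore`, `Name` and `All` (they render here as `ΓÇ£`, `ΓÇ¥` and `ΓÇô`). Since this hunk retags the block as `console`, check that the source uses ASCII double quotes and hyphens there, otherwise the command will not run when pasted. The `[!NOTE]` block is now indented under step 2; confirm that the `[!IMPORTANT]` block that follows is meant to stay at the outer level.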
You can also submit a sample through the [Microsoft Security Center Portal](http
> [!NOTE] > Only PE files are supported, including _.exe_ and _.dll_ files.
-A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
+ A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> [!NOTE] > Depending on device availability, sample collection time can vary. There is a 3ΓÇôhour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can reΓÇôsubmit files for deep analysis to get fresh data on the file.
The details provided can help you investigate if there are indications of a pote
If you come across a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).+ 2. Ensure the service has access to the file, that it still exists, and hasn't been corrupted or modified.+ 3. Wait a short while and try to submit the file again. The queue may be full, or there was a temporary connection or communication error.+ 4. If the sample collection policy isn't configured, then the default behavior is to allow sample collection. If it's configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
- ```powershell
+ ```console
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD
If you come across a problem when trying to submit a file, try each of the follo
``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).+ 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
localization_priority: Normal
Previously updated : 09/28/2020 Last updated : 06/17/2021 ms.technology: mde
The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection ```
-![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png)
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat
Get-MpThreat ```
-![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png)
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Microsoft 365 Defender aggregates data from the various supported services that
To get the best protection and optimize Microsoft 365 Defender, we recommend deploying all applicable supported services on your network. For more information, [read about deploying supported services](deploy-supported-services.md). ## Onboard to the service
-Onboarding to Microsoft 365 Defender is simple. From the navigation menu, select any Microsoft 365 Defender items, such as Incidents, Hunting, Action center, or Threat analytics to initiate the onboarding process.
+Onboarding to Microsoft 365 Defender is simple. From the navigation menu, select any item, such as **Incidents & alerts**, **Hunting**, **Action center**, or **Threat analytics** to initiate the onboarding process.
### Data center location