Updates from: 06/18/2022 01:15:54
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
Depending on your subscription, here are the available reports in all environmen
|[Skype for Business Online peer-to-peer activity](/SkypeForBusiness/skype-for-business-online-reporting/peer-to-peer-activity-report)|Yes|Yes|No<sup>1</sup>|No<sup>1</sup>|Yes| |[Viva Learning activity](viva-learning-activity.md)|Yes|N/A|N/A|N/A|N/A| |[Viva Insights activity](viva-insights-activity.md)|Yes|Yes|N/A|N/A|N/A|
+|[Project activity](project-activity.md)|Yes|Yes|N/A|N/A|N/A|
N/A<sup>1</sup>: The report is in plan to be released in the future. The <a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=" target="_blank">Microsoft 365 Roadmap</a> will be updated before the release. N/A<sup>2</sup>: The service is not available in the environment so no plan to release the report.
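Review bot: The new Project activity row uses bare `N/A` in four columns, but the legend under the table only defines N/A<sup>1</sup> (report planned) and N/A<sup>2</sup> (service not available in the environment), so a reader can't tell which one applies. Add the matching superscript to each cell; the neighbouring Viva rows have the same gap and could be fixed in the same pass.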
admin Project Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/project-activity.md
+
+ Title: "Microsoft 365 admin center Project activity "
+++
+audience: Admin
++
+ms.localizationpriority: medium
++
+- M365-subscription-management
+- Adm_O365
+- Adm_NonTOC
+
+search.appverid:
+- BCS160
+- MST160
+- MET150
+- MOE150
+description: "Learn how to get the Project activity report and gain insights into the Project activity in your organization."
++
+# Microsoft 365 Reports in the admin center - Project activity
+
+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).
+
+In the **Project activity report**, you can understand the activity of every user licensed to use Microsoft Project by looking at their interaction with Project. It also helps you to understand the level of collaboration going on by looking at the number of projects visited and tasks created or edited.
+
+## How to get to the Project activity report
+
+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
+2. From the dashboard homepage, click on the **View more** button on the Project card.
+
+## Interpret the Project activity report
+
+You can use this report to see the activity and usage of Project in your environment. You will see four summary charts in this report: <br/>![Microsoft 365 reports - Project activity.](../../media/project-activity.png)
+
+- **Active users** - Shows you the daily active users on each day over time. Currently, this includes only Project for the Web and Project Online desktop client.
+- **Active users (by client)** - Shows you the daily active users on each day over time, broken out by client (Project for the Web vs. Project Online desktop client).
+- **Project Activity** - Shows you the number of daily sessions of Project over time, for each client (Project for the Web and Project Online desktop client).
+- **Task activity** - Shows you the daily number of tasks created or edited over time in Project for the Web
+
+The report also has a table that shows activity for each project user in your environment.
++
+Select **Choose columns** to add or remove columns from the table. <br/> ![Project activity report - choose columns.](../../media/project-activity-columns.png)
+
+You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.
+
+The **Project activity** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. If you select a particular day in the report, the per user data table will be updated accordingly to display users' usage on that day. However, this feature only works for the most recent 28 days.
+
+### Privacy settings impact on the dashboard
+
+If users or admins hae their privacy settings set to **Neither**, we do not have accurate metrics for the **Project activity** chart for the Project Online desktop client. The numbers shown will be undercounted. For more information on privacy settings, see [Use policy settings to manage privacy controls for for Microsoft 365 Apps for enterprise](/deployoffice/privacy/manage-privacy-controls.md).
+++
+## User activity table
+The following are definitions for each metric in the user activity table.
+
+|Item|Description|
+|:--|:--|
+|**Metric**|**Definition**|
+|User name <br/> |The userΓÇÖs principal name. <br/> |
+|Display name <br/> |The full name of the user . <br/> |
+|Last activity date <br/> |The latest date the user in that row had activity in Project, including any of the activities in the summary reports. <br/> |
+|Projects visited (Desktop) <br/> |The number of projects opened by the user in the Project Online desktop client during the time range selected in the top right of the page. <br/> |
+|Projects visited (Web) <br/> | The number of tasks created by the user in Project for the Web during the time range selected in the top right of the page. <br/> |
+|Tasks created (Web) <br/> |The number of tasks created by the user in Project for the Web during the time range selected in the top right of the page. <br/> |
+|Tasks edited (Web) <br/> |The number of tasks edited by the user in Project for the Web during the time range selected in the top right of the page. <br/> |
+|Other <br/> |This value is true if the user has performed an activity in Project Online desktop client or in Project for the Web (that is not covered by the other columns) in the time range selected in the top right of the page. If the user has not, this value is false. <br/>|
+|||
+
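Review bot: In the user activity table, the **Projects visited (Web)** row is described as "The number of tasks created by the user in Project for the Web", which is a copy of the **Tasks created (Web)** description below it; it should describe projects visited, in line with the Desktop row. The table also carries a second header row (`|**Metric**|**Definition**|`) under `|Item|Description|`, and the text has "userΓÇÖs" (mis-encoded apostrophe), "hae" and "for for" in the privacy section. The privacy link `/deployoffice/privacy/manage-privacy-controls.md` is site-relative but keeps the `.md` extension, unlike the other site-relative links on this page.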
admin Admin Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/admin-center-overview.md
If you have no idea who to contact at your work or school for help, try asking t
## Admin center features and settings
-Here are the features and settings you'll find in the left-hand navigation of the admin center. Learn more about admin tasks in [admin help](Overview of the Microsoft 365 admin center](admin-center-overview.md).
-
-<br>
-
-****
+Here are the features and settings you'll find in the left-hand navigation of the admin center. Learn more about admin tasks in [admin help](/microsoft-365/admin/).
|Menu|What it's for| |--|--|
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
This classification method is well suited to content that isn't easily identifie
> [!NOTE] > In Preview - You can view the trainable classifiers in content explorer by expanding **Trainable Classifiers** in the filters panel. The trainable classifiers will automatically display the number of incidents found in SharePoint, Teams, and OneDrive, without requiring any labeling.
-> If you do not want to use this feature, you must file a request with Microsoft Support to disable out-of-the-box classification. This will disable the scanning of your sensitive and labeled content before you create labeling policies.
+> If you don't want to use this feature, you must file a request with Microsoft Support. This will disable the display of your sensitive data that's not used in any labeling policies within Content Explorer. You can disable scanning of your data as well. If scanning is turned off, sensitivity labeling and DLP policies with those classifiers will not work
### Where you can use classifiers
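Review bot: The replacement note says "You can disable scanning of your data as well" without saying how, so it is unclear whether that is part of the same support request or a separate one. Since the next sentence states that sensitivity labeling and DLP policies with those classifiers stop working when scanning is off, spell out the two options and their consequences separately, and add the missing full stop after "will not work".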
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
For more information about how retention policies work for Yammer, see [Learn ab
#### Additional retention policies needed to support Yammer
-Yammer is more than just community messages and private messages. To retain and delete email messages for your Yammer network, configure an additional retention policy that includes any Microsoft 365 groups that are used for Yammer, by using the **Microsoft 365 Groups** location.
+Yammer is more than just community messages and private messages. To retain and delete email messages for your Yammer network, configure an additional retention policy that includes any Microsoft 365 groups that are used for Yammer, by using the **Microsoft 365 Groups** location.
-To retain and delete files that are stored in Yammer, you need a retention policy that includes the **Microsoft 365 Groups** location or **OneDrive accounts** locations:
+This location will also include files that are uploaded to Yammer communities. These files are stored in the group-connected SharePoint site for the Yammer community.
-- Files that are shared in private messages are stored in the OneDrive account of the user who shared the file. --- Files that are uploaded to communities are stored in the group-connected SharePoint site for the Yammer community.-
-It's possible that a retention policy that's applied to SharePoint sites or OneDrive accounts could delete a file that's referenced in a Yammer message before those messages get deleted. In this scenario, the file still displays in the Yammer message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint or OneDrive.
+It's possible that a retention policy that's applied to SharePoint sites could delete a file that's referenced in a Yammer message before those messages get deleted. In this scenario, the file still displays in the Yammer message, but when users select the file, they get a "File not found" error. This behavior isn't specific to retention policies and could also happen if a user manually deletes a file from SharePoint.
### Retention policy for locations other than Teams and Yammer
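Review bot: The removed bullet about files shared in private messages (stored in the sharer's OneDrive account) has no replacement, and the new text only covers files uploaded to communities. State whether private-message files are still stored in OneDrive and need the **OneDrive accounts** location, or are now covered elsewhere; as written, an admin following this section could leave those files outside any retention policy without knowing it.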
enterprise Use Powershell To Perform A Cutover Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-a-cutover-migration-to-microsoft-365.md
Get-MigrationBatch -Identity CutoverBatch | Format-List Status
Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email migration process, your MX record was pointing to your source email system. Now that the email migration to Microsoft 365 is complete, it's time to point your MX record at Microsoft 365. This helps make sure that email is delivered to your Microsoft 365 mailboxes. By moving the MX record, you can also you turn off your old email system when you're ready.
-For many DNS providers, there are specific instructions to change your MX record. If your DNS provider isn't included, or if you want to get a sense of the general directions, [general MX record instructions](https://support.office.microsoft.com/article/7b7b075d-79f9-4e37-8a9e-fb60c1d95166#bkmk_add_mx) are provided as well.
+For many DNS providers, there are specific instructions to change your MX record. If your DNS provider isn't included, or if you want to get a sense of the general directions, [general MX record instructions](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide#add-an-mx-record-for-email-outlook-exchange-online) are provided as well.
It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX record. Wait at least 72 hours before you proceed to the next task: [Step 6: Delete the cutover migration batch](#step-6-delete-the-cutover-migration-batch).
Remove-MigrationBatch -Identity CutoverBatch
- [How to Remove an Exchange 2007 Organization](/previous-versions/office/exchange-server-2007/aa998313(v=exchg.80))
- - [How to Uninstall Exchange Server 2003](/previous-versions/tn-archive/bb125110(v=exchg.65))
+ - [How to Uninstall Exchange Server 2003](/previous-versions/tn-archive/bb125110(v=exchg.65))
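Review bot: The new MX record link pins `?view=o365-worldwide` inside a site-relative URL, which none of the other relative links on this page do; drop the query string and keep only the path and the `#add-an-mx-record-for-email-outlook-exchange-online` anchor. The unchanged sentence just above the link still reads "you can also you turn off", which is worth fixing while this paragraph is open.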
lighthouse M365 Lighthouse Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-known-issues.md
This article lists the known issues for Microsoft 365 Lighthouse by feature area
## Granular Delegated Admin Privileges (GDAP)
-Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Coming soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse.<br><br>
+Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Customers with GDAP-only relationships (without indirect reseller relationships) currently can't onboard to Lighthouse, but will be able to onboard in a future release.<br><br>
| Issue | Description | Solution | | - | - | - |
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the known gaps:
|Reports: Device Control, Device health, Firewall|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development| |Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development| |Microsoft Secure Score|![Yes](images/svg/check-yes.svg) <sup>1</sup>|![No](images/svg/check-no.svg) Not supported|![No](images/svg/check-no.svg) Not supported| -
+|Microsoft Threat Experts|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
> [!NOTE] > <sup>1</sup> While Microsoft Secure Score is available for GCC customers, there are some security recommendations that aren't available.
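Review bot: The added Microsoft Threat Experts row shows only the "No" icon in each column, while every other "No" cell in this table also carries a status ("In development" or "Not supported"). Add the status text so readers in government environments know whether the feature is planned or not.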
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
To complete this process, you must have admin privileges on the device.
2. Run the Bash script to install the configuration file: ```bash
- bash MicrosoftDefenderATPOnboardingMacOs.sh
+ Sudo bash -x MicrosoftDefenderATPOnboardingMacOs.sh
``` 3. Verify that the device is now associated with your organization and reports a valid org ID:
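Review bot: `Sudo` in the replacement command is capitalized; the command is `sudo`, and the capitalized form fails with "command not found" wherever the lookup is case-sensitive, so lower-case it. The added `-x` makes bash echo every command of the onboarding script to the terminal, which the step doesn't explain; if it is meant for troubleshooting, say so, otherwise drop it so the script's contents are not printed into terminals and session logs.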
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
The following table summarizes the state of Microsoft Defender Antivirus in seve
(<a id="fn2">2</a>) On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
+**Registry Key Method**
+ You can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD` - Value: `1`
+**GPO Method**
+
+- Open Group Policy Management Editor > **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
+- Select **Turn Off Microsoft Defender Antivirus**.
+- Set the GPO to **Enabled**.
+
+You can view the Protection status in PowerShell with the command "Get-MpComputerStatus" and the key "AMRunningMode".
+
+## SYNTAX
+
+```
+PS C:\Users\tommaso> Get-MpComputerStatus
++
+AMEngineVersion : 0.0.0.0
+AMProductVersion : 4.18.2205.4
+AMRunningMode : Not running
+AMServiceEnabled : False
+AMServiceVersion : 0.0.0.0
+AntispywareEnabled : False
+AntispywareSignatureAge : 4294967295
+AntispywareSignatureLastUpdated :
+AntispywareSignatureVersion : 0.0.0.0
+AntivirusEnabled : False
+AntivirusSignatureAge : 4294967295
+AntivirusSignatureLastUpdated :
+AntivirusSignatureVersion : 0.0.0.0
+BehaviorMonitorEnabled : False
+ComputerID : 5CF99D95-BF09-4B2E-9911-8E01C55642E5
+ComputerState : 0
+DefenderSignaturesOutOfDate : False
+DeviceControlDefaultEnforcement : N/A
+DeviceControlPoliciesLastUpdated : 01/01/1601 00:00:00
+DeviceControlState : N/A
+FullScanAge : 4294967295
+FullScanEndTime :
+FullScanOverdue : False
+FullScanRequired : False
+FullScanSignatureVersion :
+FullScanStartTime :
+IoavProtectionEnabled : False
+IsTamperProtected : False
+IsVirtualMachine : True
+LastFullScanSource : 0
+LastQuickScanSource : 0
+NISEnabled : False
+NISEngineVersion : 0.0.0.0
+NISSignatureAge : 4294967295
+NISSignatureLastUpdated :
+NISSignatureVersion : 0.0.0.0
+OnAccessProtectionEnabled : False
+ProductStatus : 1
+QuickScanAge : 4294967295
+QuickScanEndTime :
+QuickScanOverdue : False
+QuickScanSignatureVersion :
+QuickScanStartTime :
+RealTimeProtectionEnabled : False
+RealTimeScanDirection : 0
+RebootRequired : False
+TamperProtectionSource : Signatures
+TDTMode : N/A
+TDTStatus : N/A
+TDTTelemetry : N/A
+TroubleShootingDailyMaxQuota :
+TroubleShootingDailyQuotaLeft :
+TroubleShootingEndTime :
+TroubleShootingExpirationLeft :
+TroubleShootingMode :
+TroubleShootingModeSource :
+TroubleShootingQuotaResetTime :
+TroubleShootingStartTime :
+PSComputerName :
+```
+
+In the following example, the Defender status is **Not Running**.
+ > [!NOTE] > For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
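Review bot: The **GPO Method** steps enable "Turn Off Microsoft Defender Antivirus", which by its name disables the product rather than putting it in passive mode, and the sample output agrees: `AMRunningMode : Not running`, not a passive state. Because the surrounding footnote is about setting passive mode, either present this as a way to disable Defender and say when that is appropriate, or replace it with steps that end in passive mode. The `## SYNTAX` heading sits over sample output rather than syntax, the sentence "In the following example" comes after the example, and the pasted output includes a user name in the prompt and a `ComputerID` GUID that should be replaced with placeholders.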
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
Watch this video to learn how Microsoft Threat Experts provides Security Operati
> [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
+> Threat Experts is not currently available in the Microsoft 365 for U.S. Government clouds.
If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
security Allow Block Email Spoof https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-email-spoof.md
+
+ Title: Allow or block emails using the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+description: Admins can learn how to allow or block emails and spoofed sender entries in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Allow or block emails using the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+You can use the Microsoft 365 Defender portal or PowerShell to allow or block emails (including spoofing emails) using the Tenant Allow/Block List.
+
+## Create block sender entries
+
+### Use the Microsoft 365 Defender portal
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block List** page, verify that the **Senders** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+
+3. In the **Block senders** flyout that appears, configure the following settings:
+ - **Sender email addresses or domains**: Enter one sender (email address or domain) per line, up to a maximum of 20.
+ - **Never expire**: Do one of the following steps:
+ - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
+ - **Optional note**: Enter descriptive text for the entries.
+
+4. When you're finished, click **Add**.
+
+> [!NOTE]
+> The emails from these senders will be blocked as _high confidence spam_ (SCL = 9).
+
+### Use PowerShell
+
+To add block sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType <Sender> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
+
+This example adds a block sender entry for the specified sender that expires on a specific date.
+
+```powershell
+New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com", "test2@anotherattackerdomain.com" -ExpirationDate 8/20/2021
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
+## Create allow sender entries
+
+### Use Microsoft 365 Defender
+
+Allow senders (or domains) on the **Submissions** page in Microsoft 365 Defender.
+
+Note that admins can't add allows directly to the Tenant Allow/Block List. Instead, you use the admin submission process to submit the message that were blocked so the corresponding URL, file, and/or senders will be added to the Tenant Allow/Block List. If a block of the file, URL, or sender has not happened, then the allow will not be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allows are kept for as long as needed to give the system time to allow them naturally.
+
+> [!IMPORTANT]
+> Since Microsoft manages the allows for you, sender, URL, or file allows that are not needed or considered to be bad will be removed. This is to protect your environment and prevent a misconfiguration of allows. In cases where you may disagree, a support cases may be needed to help determine why a message is still considered as bad.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+
+2. On the **Submissions** page, verify that the **Emails** tab is selected, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
+
+3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the network message ID or uploading the email file.
+
+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
+
+5. Turn on **Allow messages like this** option.
+
+6. From the **Remove after** drop-down list, specify how long you want the allow option to work.
+
+7. When you're finished, click the **Submit** button.
+
+ :::image type="content" source="../../media/admin-submission-allow-messages.png" alt-text="Submit malware to Microsoft for analysis example." lightbox="../../media/admin-submission-allow-messages.png":::
+
+> [!NOTE]
+>
+> - During mail flow, Based on which filters determined the mail to be malicious, the allows are added. For example, the sender and URL are determined to be bad, an allow will be added for each.
+> - When that entity (sender, domain, URL, file) is encountered again, all filters associated with that entity are skipped.
+> - During mail flow, if the rest of the filters find the email containing this entity to be clean, the email will be delivered. For example, a sender allow (when authentication passes) will bypass all verdicts except malware and high confidence phishing associated with an attachment or URL.
+
+## View sender entries
+
+To view block sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListItems -ListType <Sender> [-Entry <SenderValue | FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>]
+```
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
+
+## Modify sender entries
+
+To modify allow or block sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListItems -ListType <Sender> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
+
+## Remove sender entries
+
+To remove allow or block sender entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType <Sender> -Ids <"Id1","Id2",..."IdN">
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+
+## Domain pair syntax for spoofed sender entries
+
+A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: `<Spoofed user>, <Sending infrastructure>`.
+
+- **Spoofed user**: This value involves the email address of the spoofed user that's displayed in the **From** box in email clients. This address is also known as the `5322.From` address. Valid values include:
+ - An individual email address (for example, chris@contoso.com).
+ - An email domain (for example, contoso.com).
+ - The wildcard character (for example, \*).
+
+- **Sending infrastructure**: This value indicates the source of messages from the spoofed user. Valid values include:
+ - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com).
+ - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
+ - A verified DKIM domain.
+
+Here are some examples of valid domain pairs to identify spoofed senders:
+
+- `contoso.com, 192.168.100.100/24`
+- `chris@contoso.com, fabrikam.com`
+- `*, contoso.net`
+
+The maximum number of spoofed sender entries is 1000.
+
+Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
+
+For example, you add an allow entry for the following domain pair:
+
+- **Domain**: gmail.com
+- **Infrastructure**: tms.mx.com
+
+Only messages from that domain *and* sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.
+
+## Create blocked spoofed sender entries
+
+### Use Microsoft 365 Defender
+
+**Notes**:
+
+- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
+- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
+- Entries for spoofed senders never expire.
+- Spoof supports both allow and block.
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
+
+3. In the **Add new domain pairs** flyout that appears, configure the following settings:
+ - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Spoof type**: Select one of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+ - **Action**: Select **Block**.
+
+4. When you're finished, click **Add**.
+
+> [!NOTE]
+> The emails from these senders will be blocked as _phish_.
+
+### Use PowerShell
+
+To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
+
+## Create allowed spoofed sender entries
+
+### Use Microsoft 365 Defender
+
+> [!NOTE]
+>
+> - Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
+> - When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
+> - Entries for spoofed senders never expire.
+> - Spoof supports both allow and block. URL supports only block.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Add icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
+
+3. In the **Add new domain pairs** flyout that appears, configure the following settings:
+ - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Spoof type**: Select one of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+ - **Action**: Select **Allow**.
+
+4. When you're finished, click **Add**.
+
+### Use PowerShell
+
+To add spoofed sender entries in the Tenant Allow/Block List in [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell), use the following syntax:
+
+```powershell
+New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
+
+## View spoofed sender entries
+
+To view spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListSpoofItems [-Action <Allow | Block>] [-SpoofType <External | Internal>
+```
+
+This example returns all spoofed sender entries in the Tenant Allow/Block List.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems
+```
+
+This example returns all allow spoofed sender entries that are internal.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType Internal
+```
+
+This example returns all blocked spoofed sender entries that are external.
+
+```powershell
+Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External
+```
+
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems).
+
+## Modify spoofed sender entries
+
+To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN"> -Action <Allow | Block>
+```
+
+This example changes spoofed sender entry from allow to block.
+
+```powershell
+Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -Action Block
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
+
+## Remove spoofed sender entries
+
+To remove allow or block spoof sender entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN">
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListSpoofItems](/powershell/module/exchange/remove-tenantallowblocklistspoofitems).
+
+## Related articles
+
+- [Admin submissions](admin-submission.md)
+- [Report false positives and false negatives](report-false-positives-and-false-negatives.md)
+- [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md)
+- [Allow or block files in the Tenant Allow/Block List](allow-block-files.md)
+- [Allow or block URLs in the Tenant Allow/Block List](allow-block-urls.md)
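Review bot: In "Modify spoofed sender entries", the example calls `Set-TenantAllowBlockListItems -Ids "..." -Action Block`, but the syntax line above it and the reference link below it are both for `Set-TenantAllowBlockListSpoofItems`. Change the example to the spoof cmdlet so that it matches the documented parameters. In "View spoofed sender entries", the syntax line is missing the closing `]` after `[-SpoofType <External | Internal>`. The "Use PowerShell" subsection under "Create allowed spoofed sender entries" shows only the generic syntax; an example with `-Action Allow` would match the heading.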
security Allow Block Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-files.md
+
+ Title: Allow or block files using the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+description: Admins can learn how to allow or block files in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Allow or block files using the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+You can use the Microsoft 365 Defender portal or PowerShell to allow or block files in the Tenant Allow/Block List.
+
+## Create block file entries
+
+### Use Microsoft 365 Defender
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+
+3. In the **Block files** flyout that appears, configure the following settings:
+ - **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.
+ - **Never expire**: Do one of the following steps:
+ - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
+ - **Optional note**: Enter descriptive text for the entries.
+
+4. When you're finished, click **Add**.
+
+> [!NOTE]
+> The emails containing these files will be blocked as _malware_.
+
+### Use PowerShell
+
+To add block file entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType <FileHash> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
+
+This example adds a block file entry for the specified files that never expires.
+
+```powershell
+New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
+## Create allow file entries
+
+### Use Microsoft 365 Defender
+
+Allow Files on the **Submissions** page in Microsoft 365 Defender.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+
+2. On the **Submissions** page, select the **Email attachments** tab, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
+
+3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the file or files.
+
+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
+
+5. Turn on the **Allow files like this** option.
+
+6. From the **Remove after** drop-down list, specify for how long you want the allow option to work.
+
+7. When you're finished, click the **Submit** button.
+
+ :::image type="content" source="../../media/submit-email-for-analysis.png" alt-text="Submit email for analysis." lightbox="../../media/submit-email-for-analysis.png":::
+
+> [!NOTE]
+>
+> When the file is encountered again, it is not sent for detonation or reputation checks, and all other file-based filters are skipped. During mail flow, if the rest of the filters find the email that contains the file to be clean, then the email will be delivered.
+
+## View file entries
+
+To view block file entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListItems -ListType <FileHash> [-Entry <SenderValue | FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>]
+```
+
+This example returns information for the specified file hash value.
+
+```powershell
+Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+```
+
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
+
+## Modify file entries
+
+To modify allow or block file entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListItems -ListType <FileHash> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
+
+## Remove file entries
+
+To remove allow or block file entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType <FileHash> -Ids <"Id1","Id2",..."IdN">
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+
+## Related articles
+
+- [Admin submissions](admin-submission.md)
+- [Report false positives and false negatives](report-false-positives-and-false-negatives.md)
+- [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md)
+- [Allow or block emails in the Tenant Allow/Block List](allow-block-email-spoof.md)
+- [Allow or block URLs in the Tenant Allow/Block List](allow-block-urls.md)
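Review bot: In the "Create block file entries" PowerShell example, the first value passed to `-Entries` is 63 hexadecimal characters, one short of the 64 that the portal step ("one SHA256 hash value per line") requires. The same hash appears with a trailing `a` as the example value in manage-tenant-allow-block-list.md, so the last character looks dropped here; restore it so that the example is a valid SHA256 value. In "View file entries", the intro says "block file entries" although the article also covers allows, and the syntax line lists `SenderValue` and `URLValue` for `-Entry` in an article that is limited to `-ListType <FileHash>`. Trim both to the file case.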
security Allow Block Urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-urls.md
+
+ Title: Allow or block URLs using the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
+
+ms.localizationpriority: medium
+search.appverid:
+ - MET150manage-tenant-allows.md
+
+ - M365-security-compliance
+description: Admins can learn how to allow or block URLs in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Allow or block URLs using the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+You can use the Microsoft 365 Defender portal or PowerShell to allow or block URLs in the Tenant Allow/Block List.
+
+## URL syntax for the Tenant Allow/Block List
+
+- IPv4 and IPv6 addresses are allowed, but TCP/UDP ports are not.
+
+- Filename extensions are not allowed (for example, test.pdf).
+
+- Unicode is not supported, but Punycode is.
+
+- Hostnames are allowed if all of the following statements are true:
+ - The hostname contains a period.
+ - There is at least one character to the left of the period.
+ - There are at least two characters to the right of the period.
+
+ For example, `t.co` is allowed; `.com` or `contoso.` are not allowed.
+
+- Subpaths are not implied for allows.
+
+ For example, `contoso.com` does not include `contoso.com/a`.
+
+- Wildcards (*) are allowed in the following scenarios:
+
+ - A left wildcard must be followed by a period to specify a subdomain. (only applicable for blocks)
+
+ For example, `*.contoso.com` is allowed; `*contoso.com` is not allowed.
+
+ - A right wildcard must follow a forward slash (/) to specify a path.
+
+ For example, `contoso.com/*` is allowed; `contoso.com*` or `contoso.com/ab*` are not allowed.
+
+ - `*.com*` is invalid (not a resolvable domain and the right wildcard does not follow a forward slash).
+
+ - Wildcards are not allowed in IP addresses.
+
+- The tilde (~) character is available in the following scenarios:
+
+ - A left tilde implies a domain and all subdomains.
+
+ For example `~contoso.com` includes `contoso.com` and `*.contoso.com`.
+
+- A username or password isn't supported or required.
+
+- Quotes (' or ") are invalid characters.
+
+- A URL should include all redirects where possible.
+
+### URL entry scenarios
+
+Valid URL entries and their results are described in the following sections.
+
+#### Scenario: No wildcards
+
+**Entry**: `contoso.com`
+
+- **Allow match**: contoso.com
+
+- **Allow not matched**:
+ - abc-contoso.com
+ - contoso.com/a
+ - payroll.contoso.com
+ - test.com/contoso.com
+ - test.com/q=contoso.com
+ - contoso.com
+ - contoso.com/q=a@contoso.com
+
+- **Block match**:
+ - contoso.com
+ - contoso.com/a
+ - payroll.contoso.com
+ - test.com/contoso.com
+ - test.com/q=contoso.com
+ - contoso.com
+ - contoso.com/q=a@contoso.com
+
+- **Block not matched**: abc-contoso.com
+
+#### Scenario: Left wildcard (subdomain)
+
+> [!NOTE]
+> This scenario applies only to blocks.
+
+**Entry**: `*.contoso.com`
+
+- **Block match**:
+ - contoso.com
+ - xyz.abc.contoso.com
+
+- **Block not matched**:
+ - 123contoso.com
+ - contoso.com
+ - test.com/contoso.com
+ - contoso.com/abc
+
+#### Scenario: Right wildcard at top of path
+
+**Entry**: `contoso.com/a/*`
+
+- **Allow match** and **Block match**:
+ - contoso.com/a/b
+ - contoso.com/a/b/c
+ - contoso.com/a/?q=joe@t.com
+
+- **Allow not matched** and **Block not matched**:
+ - contoso.com
+ - contoso.com/a
+ - contoso.com
+ - contoso.com/q=a@contoso.com
+
+#### Scenario: Left tilde
+
+**Entry**: `~contoso.com`
+
+- **Allow match** and **Block match**:
+ - contoso.com
+ - contoso.com
+ - xyz.abc.contoso.com
+
+- **Allow not matched** and **Block not matched**:
+ - 123contoso.com
+ - contoso.com/abc
+ - contoso.com/abc
+
+#### Scenario: Right wildcard suffix
+
+**Entry**: `contoso.com/*`
+
+- **Allow match** and **Block match**:
+ - contoso.com/?q=whatever@fabrikam.com
+ - contoso.com/a
+ - contoso.com/a/b/c
+ - contoso.com/ab
+ - contoso.com/b
+ - contoso.com/b/a/c
+ - contoso.com/ba
+
+- **Allow not matched** and **Block not matched**: contoso.com
+
+#### Scenario: Left wildcard subdomain and right wildcard suffix
+
+> [!NOTE]
+> This scenario applies only to blocks.
+
+**Entry**: `*.contoso.com/*`
+
+- **Block match**:
+ - abc.contoso.com/ab
+ - abc.xyz.contoso.com/a/b/c
+ - contoso.com/a
+ - contoso.com/b/a/c
+ - xyz.contoso.com/ba
+
+- **Block not matched**: contoso.com/b
+
+#### Scenario: Left and right tilde
+
+**Entry**: `~contoso.com~`
+
+- **Allow match** and **Block match**:
+
+ - contoso.com
+ - contoso.com/a
+ - contoso.com
+ - contoso.com/b
+ - xyz.abc.contoso.com
+
+- **Allow not matched** and **Block not matched**:
+
+ - 123contoso.com
+ - contoso.org
+
+#### Scenario: IP address
+
+**Entry**: `1.2.3.4`
+
+- **Allow match** and **Block match**: 1.2.3.4
+
+- **Allow not matched** and **Block not matched**:
+
+ - 1.2.3.4/a
+ - 11.2.3.4/a
+
+#### IP address with right wildcard
+
+**Entry**: `1.2.3.4/*`
+
+- **Allow match** and **Block match**:
+
+ - 1.2.3.4/b
+ - 1.2.3.4/baaaa
+
+### Examples of invalid entries
+
+The following entries are invalid:
+
+- **Missing or invalid domain values**:
+
+ - contoso
+ - \*.contoso.\*
+ - \*.com
+ - \*.pdf
+
+- **Wildcard on text or without spacing characters**:
+
+ - \*contoso.com
+ - contoso.com\*
+ - \*1.2.3.4
+ - 1.2.3.4\*
+ - contoso.com/a\*
+ - contoso.com/ab\*
+
+- **IP addresses with ports**:
+
+ - contoso.com:443
+ - abc.contoso.com:25
+
+- **Non-descriptive wildcards**:
+
+ - \*
+ - \*.\*
+
+- **Middle wildcards**:
+
+ - conto\*so.com
+ - conto~so.com
+
+- **Double wildcards**
+
+ - contoso.com/\*\*
+ - contoso.com/\*/\*
+
+## Create block URL entries in the Tenant Allow/Block List
+
+### Use Microsoft 365 Defender
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
+
+3. In the **Block URLs** flyout that appears, configure the following settings:
+ - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the URL syntax section in [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Never expire**: Do one of the following steps:
+ - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
+ - **Optional note**: Enter descriptive text for the entries.
+
+4. When you're finished, click **Add**.
+
+> [!NOTE]
+> The emails containing these URLs will be blocked as _phish_.
+
+### Use PowerShell
+
+To add block URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType <Url> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
+
+This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
+
+```powershell
+New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
+## Create allow URL entries
+
+### Use Microsoft 365 Defender
+
+Allow URLs on the **Submissions** page in Microsoft 365 Defender.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
+
+2. On the **Submissions** page, select the **URLs** tab, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
+
+3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the URL.
+
+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
+
+5. Turn on the **Allow URLs like this** option.
+
+6. From the **Remove after** drop-down list, specify for how long you want the allow option to work.
+
+7. When you're finished, click the **Submit** button.
+
+ :::image type="content" source="../../media/submit-url-for-analysis.png" alt-text="Submit URL for analysis" lightbox="../../media/submit-url-for-analysis.png":::
+
+> [!NOTE]
+>
+> - When the URL is encountered again, the URL is not sent for detonation or reputation checks and all other URL-based filters are skipped.
+> - So for an email (containing this URL), during mail flow, if the rest of the filters find the email to be clean then the email will be delivered.
+
+## View URL entries
+
+To view block URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Get-TenantAllowBlockListItems -ListType <URL> [-Entry <SenderValue | FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>]
+```
+
+This example returns all blocked URLs.
+
+```powershell
+Get-TenantAllowBlockListItems -ListType Url -Block
+```
+
+For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
+
+## Modify URL entries
+
+To modify allow or block URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListItems -ListType <URL> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+```
+
+This example changes the expiration date of the specified block URL entry.
+
+```powershell
+Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate "5/30/2020"
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
+
+## Remove URL entries
+
+To remove allow or block URL entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType <URL> -Ids <"Id1","Id2",..."IdN">
+```
+This example removes the specified block URL entry from the Tenant Allow/Block List.
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSPAAAA0"
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+
+## Related articles
+
+- [Admin submissions](admin-submission.md)
+- [Report false positives and false negatives](report-false-positives-and-false-negatives.md)
+- [Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md)
+- [Allow or block files in the Tenant Allow/Block List](allow-block-files.md)
+- [Allow or block emails in the Tenant Allow/Block List](allow-block-email-spoof.md)
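Review bot: In "URL entry scenarios", several match lists contradict themselves as written. Under "No wildcards", `contoso.com` is listed as the allow match and again under "Allow not matched"; under "Left wildcard (subdomain)", `contoso.com` appears under both "Block match" and "Block not matched"; and the "Left tilde" lists repeat `contoso.com` and `contoso.com/abc`. Because admins use these tables to predict what an allow or block entry will cover, each repeated item needs to be restored to the distinct value that was intended. Under "Examples of invalid entries", the "IP addresses with ports" group shows only hostnames with ports (`contoso.com:443`, `abc.contoso.com:25`), so either rename the group or add an IP example. The "Add URLs with wildcards" step points to tenant-allow-block-list.md for URL syntax although that section is in this article, the `Get-TenantAllowBlockListItems` syntax line omits the `-Block` switch that the example below it uses, and the `search.appverid` value `MET150manage-tenant-allows.md` has a filename fused onto it.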
security Manage Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allow-block-list.md
+
+ Title: Manage allows and blocks in the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
+
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+
+description: Learn how to manage allows and blocks in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Manage your allows and blocks in the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
+
+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages (does not apply to intra-org messages) and at the time of user clicks. You can specify the following types of overrides:
+
+- URLs to block.
+- Files to block.
+- Sender emails or domains to block.
+- Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
+- URLs to allow.
+- Files to allow.
+- Sender emails or domains to allow.
+
+This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+
+## What do you need to know before you begin?
+
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+- You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:
+
+ ```console
+ certutil.exe -hashfile "<Path>\<Filename>" SHA256
+ ```
+
+ An example value is `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a`. Perceptual hash (pHash) values are not supported.
+
+- For senders, URLs, and file hashes, the Tenant Allow/Block List allows 500 entries each for both allows and blocks, making it a total of 1000 entries. For spoofing (spoofed senders), the total number of entries allowed is 1024.
+
+- The maximum number of characters for each entry is:
+ - File hashes = 64
+ - URL = 250
+
+- An entry should be active within 30 minutes.
+
+- By default, entries in the Tenant Allow/Block List will expire after 30 days. You can specify a date or set them to never expire (for block type of entries).
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article:
+ - To add and remove values from the Tenant Allow/Block List, you need to be a member of
+ - **Organization Management** or **Security Administrator** role group (**Security admin role**)
+ - **Security Operator** role group (**Tenant AllowBlockList Manager**).
+ - For read-only access to the Tenant Allow/Block List, you need to be a member of
+ - **Global Reader** role group
+ - **Security Reader** role group
+ - **View-Only configuration** role group
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+## Configure the Tenant Allow/Block List
+
+### Use the Microsoft 365 Defender portal
+
+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+### Use Exchange Online PowerShell or standalone EOP PowerShell
+
+To allow or block emails, see [Allow or block emails using the Tenant Allow/Block List](allow-block-email-spoof.md).
+
+To allow or block files, see [Allow or block files using the Tenant Allow/Block List](allow-block-files.md).
+
+To allow or block URLs, see [Allow or block URLs using the Tenant Allow/Block List](allow-block-urls.md).
+
+### What to expect after you add an allow or block entry
+
+After you add an allow entry through the Submissions portal or a block entry in the Tenant Allow/Block List, the entry should start working immediately.
+
+We recommend letting entries automatically expire after 30 days to see if the system has learned about the allow or block. If not, you should make another entry to give the system another 30 days to learn.
+
+## View entries in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. Select the tab you want. The columns that are available depend on the tab you selected:
+
+ - **Senders**:
+ - **Value**: The sender domain or email address.
+ - **Action**: The value **Allow** or **Block**.
+ - **Modified by**
+ - **Last updated**
+ - **Remove on**
+ - **Notes**
+ - **Spoofing**
+ - **Spoofed user**
+ - **Sending infrastructure**
+ - **Spoof type**: The value **Internal** or **External**.
+ - **Action**: The value **Block** or **Allow**.
+ - **URLs**:
+ - **Value**: The URL.
+ - **Action**: The value **Allow** or **Block**.
+ - **Modified by**
+ - **Last updated**
+ - **Remove on**
+ - **Notes**
+ - **Files**
+ - **Value**: The file hash.
+ - **Action**: The value **Allow** or **Block**.
+ - **Modified by**
+ - **Last updated**
+ - **Remove on**
+ - **Notes**
+
+ You can click on a column heading to sort in ascending or descending order.
+
+ You can click **Group** to group the results. The values that are available depend on the tab you selected:
+
+ - **Senders**: You can group the results by **Action**.
+ - **Spoofing**: You can group the results by **Action** or **Spoof type**.
+ - **URLs**: You can group the results by **Action**.
+ - **Files**: You can group the results by **Action**.
+
+ Click **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click ![Clear search icon.](../../media/m365-cc-sc-close-icon.png) **Clear search**.
+
+ Click **Filter** to filter the results. The values that are available in **Filter** flyout that appears depend on the tab you selected:
+
+ - **Senders**
+ - **Action**
+ - **Never expire**
+ - **Last updated date**
+ - **Remove on**
+ - **Spoofing**
+ - **Action**
+ - **Spoof type**
+ - **URLs**
+ - **Action**
+ - **Never expire**
+ - **Last updated date**
+ - **Remove on**
+ - **Files**
+ - **Action**
+ - **Never expire**
+ - **Last updated**
+ - **Remove on**
+
+ When you're finished, click **Apply**. To clear existing filters, click **Filter**, and in the **Filter** flyout that appears, click **Clear filters**.
+
+## Modify entries in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. Select the tab that contains the type of entry that you want to modify:
+ - **Senders**
+ - **Spoofing**
+ - **URLs**
+ - **Files**
+
+3. Select the entry that you want to modify, and then click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
+ - **Senders**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+ - **Spoofing**
+ - **Action**: You can change the value to **Allow** or **Block**.
+ - **URLs**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+ - **Files**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+
+ Note that the values for senders, URLs, and files never expire for blocked entries only.
+
+4. When you're finished, click **Save**.
+
+> [!NOTE]
+> You can only extend allows for a maximum of 30 days after the creation date. Blocks can be extended for up to 90 days, but unlike allows, they can also be set to Never expire.
+
+## Remove entries from the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. Select the tab that contains the type of entry that you want to remove:
+ - **Senders**
+ - **Spoofing**
+ - **URLs**
+ - **Files**
+
+3. Select the entry that you want to remove, and then click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+
+4. In the warning dialog that appears, click **Delete**.
+
+## Related articles
+
+- [Allow or block files in the Tenant Allow/Block List](allow-block-files.md)
+- [Allow or block emails in the Tenant Allow/Block List](allow-block-email-spoof.md)
+- [Allow or block URLs in the Tenant Allow/Block List](allow-block-urls.md)
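Review bot: The sentence after the step 3 list in the modify procedure, "Note that the values for senders, URLs, and files never expire for blocked entries only," is ambiguous; it can be read as saying that block entries always never expire. The NOTE after step 4 already states the rule (allows can be extended to at most 30 days after the creation date, blocks up to 90 days or Never expire), so either drop the step 3 sentence or reword it to say that the **Never expire** option is available only for block entries. These two procedures are also portal-only, while the removed modify-remove-entries-tenant-allow-block.md carried Set- and Remove-TenantAllowBlockListItems sections; confirm the PowerShell equivalents still have a home in the new article set.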
security Manage Tenant Allows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allows.md
- Title: Manage your allows in the Tenant Allow/Block List
- - NOCSH
--- Previously updated :-
- - MET150manage-tenant-allows.md
-
- - M365-security-compliance
-description: Admins can learn how to configure allows in the Tenant Allow/Block List in the Security portal.
--
-# Add allows in the Tenant Allow/Block List
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-Admins can't add allows directly to the Tenant Allow/Block List. Instead, you use the admin submission process to submit the message that were blocked so the corresponding URL, file, and/or senders will be added to the Tenant Allow/Block List. If a block of the file, URL, or sender has not happened, then the allow will not be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allows are kept for as long as needed to give the system time to allow them naturally.
-
-> [!IMPORTANT]
-> Since Microsoft manages the allows for you, sender, URL, or file allows that are not needed or considered to be bad will be removed. This is to protect your environment and prevent a misconfiguration of allows. In cases where you may disagree, a support cases may be needed to help determine why a message is still considered as bad.
-
-## Add sender allows using the Submissions portal
-
-Allow senders (or domains) on the **Submissions** page in Microsoft 365 Defender.
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
-
-2. On the **Submissions** page, verify that the **Emails** tab is selected, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
-
-3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the network message ID or uploading the email file.
-
-4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
-
-5. Turn on **Allow messages like this** option.
-
-6. From the **Remove after** drop-down list, specify how long you want the allow option to work.
-
-7. When you're finished, click the **Submit** button.
-
-> ![Submit malware to Microsoft for analysis example.](../../media/admin-submission-allow-messages.png)
-
-> [!NOTE]
->
-> - During mail flow, Based on which filters determined the mail to be malicious, the allows are added. For example, the sender and URL are determined to be bad, an allow will be added for each.
-> - When that entity (sender, domain, URL, file) is encountered again, all filters associated with that entity are skipped.
-> - During mail flow, if the rest of the filters find the email containing this entity to be clean, the email will be delivered. For example, a sender allow (when authentication passes) will bypass all verdicts except malware and high confidence phishing associated with an attachment or URL.
-
-## Add URL allows using the Submissions portal
-
-Allow URLs on the **Submissions** page in Microsoft 365 Defender.
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
-
-2. On the **Submissions** page, select the **URLs** tab, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
-
-3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the URL.
-
-4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
-
-5. Turn on the **Allow URLs like this** option.
-
-6. From the **Remove after** drop-down list, specify for how long you want the allow option to work.
-
-7. When you're finished, click the **Submit** button.
-
-> [!div class="mx-imgBorder"]
-> ![Submit URL for analysis.](../../media/submit-url-for-analysis.png)
-
-> [!NOTE]
->
-> - When the URL is encountered again, the URL is not sent for detonation or reputation checks and all other URL-based filters are skipped.
-> - So for an email (containing this URL), during mail flow, if the rest of the filters find the email to be clean then the email will be delivered.
-
-## Add File allows using the Submissions portal
-
-Allow Files on the **Submissions** page in Microsoft 365 Defender.
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
-
-2. On the **Submissions** page, select the **Email attachments** tab, and then click ![Submit to Microsoft for analysis icon.](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
-
-3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the file or files.
-
-4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
-
-5. Turn on the **Allow files like this** option.
-
-6. From the **Remove after** drop-down list, specify for how long you want the allow option to work.
-
-7. When you're finished, click the **Submit** button.
-
-> [!div class="mx-imgBorder"]
-> ![Submit email for analysis.](../../media/submit-email-for-analysis.png)
-
-> [!NOTE]
->
-> When the file is encountered again, it is not sent for detonation or reputation checks, and all other file-based filters are skipped. During mail flow, if the rest of the filters find the email that contains the file to be clean, then the email will be delivered.
-
-## Create spoofed sender allow entries using Microsoft 365 Defender
-
-> [!NOTE]
->
-> - Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
-> - When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
-> - Entries for spoofed senders never expire.
-> - Spoof supports both allow and block. URL supports only block.
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Policies & rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Add icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
-
-3. In the **Add new domain pairs** flyout that appears, configure the following settings:
- - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
- - **Spoof type**: Select one of the following values:
- - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
- - **External**: The spoofed sender is in an external domain.
- - **Action**: Select **Allow**.
-
-4. When you're finished, click **Add**.
-
-## Add spoofed sender allow entries using PowerShell
-
-To add spoofed sender entries in the Tenant Allow/Block List in [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell), use the following syntax:
-
-```powershell
-New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
-
-## Related articles
--- [Admin submissions](admin-submission.md)-- [Report false positives and false negatives](report-false-positives-and-false-negatives.md)
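Review bot: Deleting this article removes the NOTE under "Add sender allows using the Submissions portal", the only text in the file that says what an allow actually skips (a sender allow, when authentication passes, bypasses all verdicts except malware and high confidence phishing associated with an attachment or URL). Confirm that this statement, and the IMPORTANT callout that Microsoft removes allows it considers bad, are carried into the replacement articles before the file goes. The spoofing NOTE line "Spoof supports both allow and block. URL supports only block." should not be copied over as written, because it sits in the same article as "Add URL allows using the Submissions portal" and reads as a contradiction without saying that it refers to entries created directly in the list.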
security Manage Tenant Blocks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-blocks.md
- Title: Manage your blocks in the Tenant Allow/Block List
- - NOCSH
--- Previously updated :--
- - MET150
-
- - M365-security-compliance
-description: Admins can learn how to configure blocks in the Tenant Allow/Block List in the Security portal.
--
-# Add blocks in the Tenant Allow/Block List
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-## Use the Microsoft 365 Defender portal
-
-### Create block sender entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. On the **Tenant Allow/Block List** page, verify that the **Senders** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
-
-3. In the **Block senders** flyout that appears, configure the following settings:
- - **Sender email addresses or domains**: Enter one sender (email address or domain) per line, up to a maximum of 20.
- - **Never expire**: Do one of the following steps:
- - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
-
- or
-
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
- - **Optional note**: Enter descriptive text for the entries.
-
-4. When you're finished, click **Add**.
-
-> [!NOTE]
-> The emails from these senders will be blocked as _high confidence spam_ (SCL = 9).
-
-### Create block URL entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
-
-3. In the **Block URLs** flyout that appears, configure the following settings:
- - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the URL syntax section in [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
- - **Never expire**: Do one of the following steps:
- - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
-
- or
-
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
- - **Optional note**: Enter descriptive text for the entries.
-
-4. When you're finished, click **Add**.
-
-> [!NOTE]
-> The emails containing these URLs will be blocked as _phish_.
-
-### Create block file entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Block**.
-
-3. In the **Block files** flyout that appears, configure the following settings:
- - **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.
- - **Never expire**: Do one of the following steps:
- - Verify the setting is turned off (![Toggle off.](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
-
- or
-
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on.](../../media/scc-toggle-on.png).
- - **Optional note**: Enter descriptive text for the entries.
-
-4. When you're finished, click **Add**.
-
-> [!NOTE]
-> The emails containing these files will be blocked as _malware_.
-
-### Create spoofed sender block entries
-
-**Notes**:
--- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.-- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.-- Entries for spoofed senders never expire.-- Spoof supports both allow and block.-
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon.](../../media/m365-cc-sc-create-icon.png) **Add**.
-
-3. In the **Add new domain pairs** flyout that appears, configure the following settings:
- - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
- - **Spoof type**: Select one of the following values:
- - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
- - **External**: The spoofed sender is in an external domain.
- - **Action**: Select **Block**.
-
-4. When you're finished, click **Add**.
-
-> [!NOTE]
-> The emails from these senders will be blocked as _phish_.
-
-## Use PowerShell
-
-### Add block sender, file, or URL entries to the Tenant Allow/Block List
-
-To add block sender, file, or URL entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-New-TenantAllowBlockListItems -ListType <Sender | FileHash | Url> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
-```
-
-This example adds a block sender entry for the specified sender that expires on a specific date.
-
-```powershell
-New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com", "test2@anotherattackerdomain.com" -ExpirationDate 8/20/2021
-```
-
-This example adds a block file entry for the specified files that never expires.
-
-```powershell
-New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
-```
-
-This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
-
-```powershell
-New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-
-### Add spoofed sender block entries
-
-To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
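Review bot: The first value in the FileHash example (-Entries "768a8136…13ea3") is 63 hexadecimal characters, one short of a SHA256 hash, while the second value is the full 64; if this example is carried into the replacement article, correct it there rather than copying it as is. The per-type verdict notes removed here (senders blocked as high confidence spam with SCL = 9, URLs and spoofed senders as phish, files as malware) are what an admin needs to predict where blocked mail lands, so check that each one survives in the new articles. The spoofed sender section also uses a bold "Notes" list where the rest of the file uses [!NOTE] callouts.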
security Modify Remove Entries Tenant Allow Block https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/modify-remove-entries-tenant-allow-block.md
- Title: Modify and remove entries in the Tenant Allow/Block List
- - NOCSH
--- Previously updated :--
- - MET150
-
- - M365-security-compliance
-description: Admins can learn how to modify and remove entries in the Tenant Allow/Block List in the Security portal.
--
-# Modify and remove entries in the Tenant Allow/Block List
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-You can use the Microsoft 365 Defender portal or PowerShell to modify and remove entries in the Tenant Allow/Block List.
-
-## Use the Microsoft 365 Defender portal
-
-### Modify entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. Select the tab that contains the type of entry that you want to modify:
- - **Senders**
- - **Spoofing**
- - **URLs**
- - **Files**
-
-3. Select the entry that you want to modify, and then click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
- - **Senders**
- - **Never expire** and/or expiration date.
- - **Optional note**
- - **Spoofing**
- - **Action**: You can change the value to **Allow** or **Block**.
- - **URLs**
- - **Never expire** and/or expiration date.
- - **Optional note**
- - **Files**
- - **Never expire** and/or expiration date.
- - **Optional note**
-
-4. When you're finished, click **Save**.
-
-> [!NOTE]
-> You can only extend allows for a maximum of 30 days after the creation date. Blocks can be extended for up to 90 days, but unlike allows, they can also be set to Never expire.
-
-### Remove entries from the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>.
-
-2. Select the tab that contains the type of entry that you want to remove:
- - **Senders**
- - **Spoofing**
- - **URLs**
- - **Files**
-
-3. Select the entry that you want to remove, and then click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
-
-4. In the warning dialog that appears, click **Delete**.
-
-## Use PowerShell
-
-### Modify allow or block sender, file and URL entries in the Tenant Allow/Block List
-
-To modify allow or block sender, file, and URL entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Set-TenantAllowBlockListItems -ListType <Sender | FileHash | Url> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
-```
-
-This example changes the expiration date of the specified block URL entry.
-
-```powershell
-Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate "5/30/2020"
-```
-
-For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-
-### Remove allow or block sender, URL or file entries from the Tenant Allow/Block List
-
-To remove allow or block sender, file, and URL entries from the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Remove-TenantAllowBlockListItems -ListType <Sender | FileHash | Url> -Ids <"Id1","Id2",..."IdN">
-```
-
-This example removes the specified block URL entry from the Tenant Allow/Block List.
-
-```powershell
-Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSPAAAA0"
-```
-
-For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
-
-### Modify allow or block spoofed sender entries from the Tenant Allow/Block List
-
-To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Set-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN"> -Action <Allow | Block>
-```
-
-This example changes spoofed sender entry from allow to block.
-
-```powershell
-Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -Action Block
-```
-
-For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
-
-### Remove allow or block spoofed sender entries from the Tenant Allow/Block List
-
-To remove allow or block spoof sender entries from the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Remove-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN">
-```
-
-For detailed syntax and parameter information, see [Remove-TenantAllowBlockListSpoofItems](/powershell/module/exchange/remove-tenantallowblocklistspoofitems).
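Review bot: The example under "Modify allow or block spoofed sender entries" calls Set-TenantAllowBlockListItems with -Ids and -Action Block, but the syntax block directly above it is for Set-TenantAllowBlockListSpoofItems, and the Set-TenantAllowBlockListItems syntax shown earlier in this file has no -Action parameter. If the example moves to a replacement article, change the cmdlet name to Set-TenantAllowBlockListSpoofItems. The heading of that section also says "from the Tenant Allow/Block List" where "in" is meant.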
whiteboard Deploy On Windows Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/deploy-on-windows-organizations.md
+
+ Title: Deploy Microsoft Whiteboard on Windows 10 devices
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to deploy Microsoft Whiteboard on devices running Windows 10 or later versions.
++++
+# Deploy Microsoft Whiteboard on Windows 10 devices
+
+Whiteboard can be deployed on devices that run Windows 10 or later using Microsoft Intune or Microsoft Configuration Manager (formerly System Center Configuration Manager). Whiteboard isn't supported on Windows Server.
+
+- **Microsoft Intune using an online license mode** ΓÇô This process allows you to specify groups of users who will receive access to the Whiteboard app.
+
+- **Microsoft Configuration Manager using manual offline installation and updates** ΓÇô This process allows you to install Whiteboard and then manually update it every 2ΓÇô4 weeks.
+
+>[!NOTE]
+> We recommend using Microsoft Intune. Using Microsoft Configuration Manager requires IT to continuously repackage and install updates to ensure users are running an up-to-date version.
+
+## Install Whiteboard using Microsoft Intune
+
+1. Add Whiteboard as an available app using the steps in this article: [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows).
+
+2. Assign the app to a group using the steps in this article: [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy).
+
+## Install Whiteboard using Microsoft Configuration Manager
+
+1. Using a global administrator account, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
+
+2. In the header, select **Manage**.
+
+3. In the right-hand navigation pane, select **Settings**, and then turn on **Show offline apps**.
+
+4. Wait 10ΓÇô15 minutes for propagation.
+
+5. Next, go to the [Whiteboard app](https://businessstore.microsoft.com/store/details/microsoft-whiteboard/9mspc6mp8fm4).
+
+6. Select **Get the app**, and then accept the license terms.
+
+7. Go back to the application page.
+
+8. In the **License type** drop-down menu, select **Offline**.
+
+9. Select **Manage**.
+
+10. This action takes you to the inventory management page, which will now offer the option to **Download package for offline use**.
+
+11. Choose the architecture version, and then download it.
+
+12. As soon as you've downloaded the app, you can deploy it through Configuration Manager. To create an update package, follow steps 7ΓÇô10 to download a newer version and package it for Configuration Manager.
+
+13. For more information, see [Install applications for a device](/mem/configmgr/apps/deploy-use/install-app-for-device).
+
+## See also
+
+[Enable and manage access to Whiteboard](enable-whiteboard-access-organizations.md)
+
+[Manage data for Whiteboard](manage-data-organizations.md)
+
+[Manage sharing for Whiteboard](manage-sharing-organizations.md)
+
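Review bot: Step 12 of the Configuration Manager procedure tells the reader to "follow steps 7–10 to download a newer version", but the download itself is step 11 ("Choose the architecture version, and then download it"), so the range should run through step 11. Steps 10 and 13 are not actions (one describes the resulting page, the other is a "for more information" link) and would read better as text under the preceding step and after the list. Step 1 requires a global administrator account for a store download; if a lesser role is sufficient, name it here. The title says "Windows 10 devices" while the description and first paragraph say "Windows 10 or later".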
whiteboard Enable Whiteboard Access Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/enable-whiteboard-access-gcc-high.md
+
+ Title: Enable and manage access to Microsoft Whiteboard for GCC High environments
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to enable, disable, and manage Whiteboard data.
++++
+# Enable and manage access to Microsoft Whiteboard for GCC High environments
+
+>[!NOTE]
+> This guidance applies to US Government Community Cloud (GCC) High environments.
+
+Microsoft Whiteboard on OneDrive for Business is enabled by default for applicable Microsoft 365 tenants. It can be enabled or disabled at a tenant-wide level. You should also ensure that **Microsoft Whiteboard Services** is enabled in the **Azure Active Directory admin center** > **Enterprise applications**.
+
+The following URLs are required:
+
+- 'https://*.office365.us/'
+- 'https://login.microsoftonline.us/'
+- 'https://graph.microsoft.us/'
+- 'https://graph.microsoftazure.us/'
+- 'https://admin.onedrive.us'
+- 'https://shell.cdn.office.net/'
+- 'https://config.ecs.gov.teams.microsoft.us'
+- 'https://tb.events.data.microsoft.com/'
+
+You can control access to Whiteboard in the following ways:
+
+- Enable or disable Whiteboard for your entire tenant using the [SharePoint Online PowerShell module](/microsoft-365/enterprise/manage-sharepoint-online-with-microsoft-365-powershell).
+
+- Show or hide Whiteboard for specific users in meetings using a Teams meeting policy. It will still be visible via the web, native clients, and the Teams tab app.
+
+- Require conditional access policies for accessing Whiteboard using the Azure Active Directory admin center.
+
+>[!NOTE]
+> Whiteboard on OneDrive for Business doesn't appear in the Microsoft 365 admin center. Teams meeting policy only hides Whiteboard entry points, it doesn't prevent users from using Whiteboard. Conditional access ploicies prevent access to Whiteboard, but doesn't hide the entry points.
+
+## Enable or disable Whiteboard
+
+To enable or disable Whiteboard for your tenant, do the following steps:
+
+1. Use the [SharePoint Online PowerShell module](/microsoft-365/enterprise/manage-sharepoint-online-with-microsoft-365-powershell) to enable or disable all Fluid Experiences across your Microsoft 365 tenant.
+
+2. Connect to [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+
+3. Enable Fluid using the following <code>Set-SPOTenant</code> cmdlet:
+
+ <pre><code class="lang-powershell">Set-SPOTenant -IsWBFluidEnabled $true</code></pre>
+
+The change should take approximately 60 minutes to apply across your tenancy. If you don't see this option, you'll need to update the module.
+
+>[!NOTE]
+> By default, Whiteboard is enabled. If it has been disabled in the Azure Active Directory enterprise applications, then Whiteboard on OneDrive for Business will not work.
+
+## Show or hide Whiteboard
+
+To show or hide Whiteboard in meetings, see [Meeting policy settings](/microsoftteams/meeting-policies-content-sharing).
+
+## See also
+
+[Manage data for Whiteboard - GCC High](manage-data-gcc-high.md)
+
+[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md)
+
+[Manage clients for Whiteboard - GCC High](manage-clients-gcc-high.md)
++++
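Review bot: The "Enable or disable Whiteboard" section only shows the enable path: step 3 gives Set-SPOTenant -IsWBFluidEnabled $true and nothing states the value for turning it off, which is the half an admin restricting access needs. Add the disable form, and note that step 1 describes the switch as covering "all Fluid Experiences" so the reader knows the scope of the change. In the NOTE before that section, "ploicies" is a typo and "policies prevent access to Whiteboard, but doesn't hide" should be "don't hide". The description ("enable, disable, and manage Whiteboard data") does not match the article's subject, the required URLs are wrapped in single quotes instead of code formatting, and the list mixes entries with and without a trailing slash.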
whiteboard Enable Whiteboard Access Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/enable-whiteboard-access-organizations.md
+
+ Title: Enable and manage access to Microsoft Whiteboard for your organization
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to set up Microsoft Whiteboard for your organization in the Microsoft 365 admin center.
++++
+# Enable and manage access to Microsoft Whiteboard for your organization
+
+>[!NOTE]
+> This article applies to Enterprise or Education organizations who use Whiteboard. For US Government GCC High environments, see [Enable and manage access to Microsoft Whiteboard for GCC High environments](enable-whiteboard-access-gcc-high.md).
+
+Microsoft Whiteboard is a visual collaboration canvas where people, content, and ideas come together. Today, Whiteboard runs on Azure for Enterprise and Education customers. Whiteboard is transitioning to be run on top of OneDrive for Business. This transition will bring many new capabilities and allow you to create, share, discover, and manage whiteboards as easily as any Office document.
+
+Whiteboard is automatically enabled for applicable Microsoft 365 tenants.
+
+Whiteboard conforms to global standards including SOC 1, SOC 2, ISO 27001, HIPAA, and EU Model Clauses.
+
+The following admin settings are required for Whiteboard:
+
+- Whiteboard must be enabled globally in the Microsoft 365 admin center.
+
+- The <code>Set-SPOTenant -IsWBFluidEnabled</code> cmdlet must be enabled using [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+
+>[!NOTE]
+> The roll out of OneDrive for Business storage is in progress. When you go to the Microsoft 365 admin center, the option to opt in or out of OneDrive for Business storage is disabled if your tenant already has been transitioned to OneDrive for Business.
+
+You can control access to Whiteboard in the following ways:
+
+- Enable or disable Whiteboard for your entire tenant using the Microsoft 365 admin center.
+
+- Show or hide Whiteboard for specific users in meetings using a Teams meeting policy. It will still be visible via the web, native clients, and the Teams tab app.
+
+- Require conditional access policies for accessing Whiteboard using the Azure Active Directory admin center.
+
+>[!NOTE]
+> Teams meeting policies only hide Whiteboard entry points; it doesn't prevent the users from using Whiteboard. Conditional access policies prevent any access to Whiteboard, but doesn't hide the entry points.
+
+## Enable or disable Whiteboard
+
+To enable or disable Whiteboard for your tenant, do the following steps:
+
+1. Go to the Microsoft 365 admin center.
+
+2. On the home page of the admin center, in the Search box on the top right, type *Whiteboard*.
+
+3. In the search results, select **Whiteboard settings**.
+
+4. On the Whiteboard panel, toggle **Turn Whiteboard on or off for your entire organization** to **On**.
+
+5. Select **Save**.
+
+6. Connect to [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+
+7. Enable Fluid using the following <code>Set-SPOTenant</code> cmdlet:
+
+ <pre><code class="lang-powershell">Set-SPOTenant -IsWBFluidEnabled $true</code></pre>
+
+## Show or hide Whiteboard
+
+To show or hide Whiteboard in meetings, see [Meeting policy settings](/microsoftteams/meeting-policies-content-sharing).
+
+## Prevent access to Whiteboard
+
+To prevent access to Whiteboard for specific users, see [Building a Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-policies).
+
+## See also
+
+[Manage data for Whiteboard](manage-data-organizations.md)
+
+[Manage sharing for Whiteboard](manage-sharing-organizations.md)
+
+[Deploy Whiteboard on Windows](deploy-on-windows-organizations.md)
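Review bot: the "Enable or disable Whiteboard" procedure only covers the enable path: step 4 says to toggle the setting to **On** and step 7 runs `Set-SPOTenant -IsWBFluidEnabled $true`, with nothing on how an admin turns Whiteboard off or whether the Fluid setting should be reverted as well. Add the disable path or retitle the section. In the required-settings list, `-IsWBFluidEnabled` is a parameter of `Set-SPOTenant`, not a cmdlet that "must be enabled". In the second note, the subjects and verbs disagree ("policies ... it doesn't", "policies ... doesn't"). Because that note is the only place that says a Teams meeting policy hides entry points without blocking use, it is worth repeating under "Show or hide Whiteboard" so the policy is not mistaken for an access control.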
whiteboard Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/index.md
+
+ Title: Introduction to Microsoft Whiteboard
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Find resources about how to set up and manage Microsoft Whiteboard.
++++
+# Introduction to Microsoft Whiteboard
+
+Microsoft Whiteboard in Microsoft 365 is a free-form, digital canvas where people, content, and ideas come together. Whiteboard lets team members collaborate in real time, wherever you are. It also gives your ideas room to grow with an infinite canvas designed for pen, touch, and keyboard.
+
+## Get started
+
+The resources in this section help you learn more about what Microsoft Whiteboard is and how it can help your organization.
+
+| If you're looking for this information: | Go to this resource: |
+|:--|:--|
+|Learn how to get Microsoft Whiteboard|[Microsoft Whiteboard product page](https://www.microsoft.com/en-us/microsoft-365/microsoft-whiteboard/digital-whiteboard-app)|
+|Find resources in the Microsoft Tech Community Resource Center|[Microsoft 365 Whiteboard blog](https://techcommunity.microsoft.com/t5/microsoft-365-blog/bg-p/microsoft_365blog/label-name/Microsoft%20Whiteboard)|
+|Watch videos to explore helpful tips|[Microsoft Whiteboard YouTube channel](https://www.youtube.com/c/MicrosoftWhiteboard/videos/Microsoft%20Whiteboard)|
+|Find Microsoft Whiteboard guidance for end users|[Microsoft Whiteboard help](https://support.microsoft.com/office/microsoft-whiteboard-help-d236aef8-fcdf-4b5e-b5d7-7f157461e920)|
+
+## Setup and management
+
+The resources in this section help the admin in your organization to set up and configure Microsoft Whiteboard in your Microsoft 365 environment.
+
+### For organizations
+
+| If you're looking for this information: | Go to this resource: |
+|:--|:--|
+|Learn how to set up and manage access to Whiteboard for your organization|[Enable and manage access to Whiteboard](enable-whiteboard-access-organizations.md)|
+|Find where your Whiteboard content and data are stored in Azure and OneDrive for Business |[Manage data for Whiteboard](manage-data-organizations.md) |
+|Learn about the sharing experience in Teams and how to share links to specific users |[Manage sharing for Whiteboard](manage-sharing-organizations.md) |
+|Deploy Whiteboard on devices that run Windows 10 or later using Microsoft Intune or Microsoft Configuration Manager |[Deploy Whiteboard on Windows](deploy-on-windows-organizations.md) |
+
+### For government
+
+| If you're looking for this information: | Go to this resource: |
+|:--|:--|
+|Learn how to set up and manage access to Whiteboard for US Government GCC High environments|[Enable and manage access to Whiteboard - GCC High](enable-whiteboard-access-gcc-high.md)|
+|Find where your Whiteboard content and data are stored in Azure and OneDrive for Business in US Government GCC High environments |[Manage data for Whiteboard - GCC High](manage-data-gcc-high.md) |
+|Learn about the sharing experience in Teams and how to share links to specific users in US Government GCC High environments |[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md) |
+|Learn which clients are currently supported for Whiteboard in US Government GCC High environments |[Manage clients for Whiteboard - GCC High](manage-clients-gcc-high.md) |
+
+## Whiteboard PowerShell
+
+| If you're looking for this information: | Go to this resource: |
+|:--|:--|
+|Find PowerShell cmdlet help references to manage Microsoft Whiteboard|[PowerShell for Whiteboard](/powershell/module/whiteboard/)|
+++
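Review bot: in the "For government" table, the row linking to manage-data-gcc-high.md says content is "stored in Azure and OneDrive for Business in US Government GCC High environments", but the GCC High data article added in this same change describes only OneDrive for Business storage ("Data is stored as .whiteboard files in OneDrive for Business"). Align the row text with that article so admins are not led to look for Azure-hosted Whiteboard data in GCC High.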
whiteboard Manage Clients Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-clients-gcc-high.md
+
+ Title: Manage clients for Microsoft Whiteboard in GCC High environments
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn which clients are currently supported for Whiteboard.
++++
+# Manage clients for Microsoft Whiteboard in GCC High environments
+
+>[!NOTE]
+> This guidance applies to US Government Community Cloud (GCC) High environments.
+
+Whiteboard clients are currently being updated to support One Drive for Business.
+
+## Clients supported
+
+The following clients are currently supported in Whiteboard:
+
+- Standalone Whiteboard web application at [https://whiteboard.office365.us](https://whiteboard.office365.us)
+- Microsoft Teams meetings, chats, and channels using Teams desktop and web
+- Standalone Whiteboard application for mobile
+
+## Clients planned
+
+The following clients are planned for future releases of Whiteboard:
+
+- Standalone Whiteboard application for Windows 10 or later versions
+- Standalone Whiteboard application for Surface Hub (currently can be used in anonymous mode)
+- Whiteboard in the Office.com app launcher
+- Whiteboard in Teams meetings on Surface Hub and Teams meeting rooms
+- Whiteboard in 1:1 calls in Teams
+
+>[!NOTE]
+> While users can install the Windows client, they won't be able to sign in until the client is updated.
+
+## See also
+
+[Enable and manage access to Whiteboard - GCC High](enable-whiteboard-access-gcc-high.md)
+
+[Manage data for Whiteboard - GCC High](manage-data-gcc-high.md)
+
+[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md)
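Review bot: under "Clients planned", the Surface Hub item says the app "currently can be used in anonymous mode" and the closing note says the Windows client can be installed but not signed in to, so both are partly usable today rather than simply planned. State for each what a user can and cannot do now, and move the note next to the Windows item it qualifies. The intro line also spells the product "One Drive for Business", unlike "OneDrive for Business" in the other articles.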
whiteboard Manage Data Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-data-gcc-high.md
+
+ Title: Manage data for Microsoft Whiteboard in GCC High environments
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to enable, disable, and manage access to Whiteboard.
++++
+# Manage data for Microsoft Whiteboard in GCC High environments
+
+>[!NOTE]
+> This guidance applies to US Government Community Cloud (GCC) High environments.
+
+Data is stored as .whiteboard files in OneDrive for Business. An average whiteboard might be anywhere from 50 KB to 1 MB in size and located wherever your OneDrive for Business content resides. To check where new data is created, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Look at the location for OneDrive for Business. All properties that apply to general files in OneDrive for Business also apply to Whiteboard, except for external sharing.
+
+You can manage Whiteboard data using existing OneDrive for Business controls. For more information, see [OneDrive guide for enterprises](/onedrive/plan-onedrive-enterprise).
+
+You can use existing OneDrive for Business tooling to satisfy data subject requests (DSRs) for General Data Protection Regulation (GDPR). Whiteboard files can be moved in the same way as other content in OneDrive for Business. However, share links and permissions might not move.
+
+## Data controls supported
+
+The following data controls are currently supported in Whiteboard:
+
+- Retention policies
+- Quota
+- DLP
+- eDiscovery
+- Legal hold
+
+## Data controls planned
+
+The following data controls are planned for future releases of Whiteboard:
+
+- Sensitivity labels
+- Auditing
+- Analytics
+- Storing whiteboards in SharePoint sites
+
+## See also
+
+[Enable and manage access to Whiteboard - GCC High](enable-whiteboard-access-gcc-high.md)
+
+[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md)
+
+[Manage clients for Whiteboard - GCC High](manage-clients-gcc-high.md)
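Review bot: the front-matter `description` reads "Learn how to enable, disable, and manage access to Whiteboard", which describes the access article rather than this data-management one; replace it with a summary of storage location and data controls. In the body, "Auditing" appears only under "Data controls planned". Since admins will read these two lists for compliance scoping, say explicitly in the text that auditing is not yet supported rather than leaving it implied by the list heading.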
whiteboard Manage Data Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-data-organizations.md
+
+ Title: Manage data for Microsoft Whiteboard
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn about data retention for Microsoft Whiteboard in Azure and OneDrive for Business.
++++
+# Manage data for Microsoft Whiteboard
+
+Whiteboard content is stored in both Azure and OneDrive for Business. New whiteboards will be stored in OneDrive for Business; the only exception is whiteboards started from a Surface Hub will be stored in Azure (which will be moved to OneDrive for Business in the future). For more information, see [Manage sharing in Whiteboard](manage-sharing-organizations.md).
+
+## Azure storage overview
+
+Whiteboard currently stores content securely in Azure. Data might be stored in different locations, depending on the country and when Whiteboard switched to storing new content in those locations. To check where new data is created, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations).
+
+Content in Azure doesn't support Data Loss Prevention (DLP), eDiscovery, retention policies, and similar features. Content can be managed using [Whiteboard PowerShell cmdlets](/powershell/module/whiteboard/) and over time, this content will need to be either migrated to OneDrive for Business or deleted.
+
+### If a user account is deleted in Azure
+
+We're changing how whiteboards are stored when a user's account is deleted in Azure. Prior to the change, when a user's account was deleted, whiteboards that the user owned was also deleted, but whiteboards that were shared with others weren't deleted.
+
+>[!NOTE]
+> Whiteboards stored in OneDrive for Business will be handled like any other content in OneDrive for Business. For more information, see [Set the OneDrive retention for deleted users](/onedrive/set-retention).
+
+As of **June 1, 2022**, the behavior of whiteboards on Azure has changed. Any whiteboards shared with other users will be deleted.
+
+If you want to retain a deleted userΓÇÖs whiteboards, *before* you delete the account, you can transfer ownership. You can transfer a single whiteboard or all of them to another user.
+
+- Follow these instructions to [transfer all whiteboards](/powershell/module/whiteboard/invoke-transferallwhiteboards).
+
+- For more information about how to delete user accounts, see [Delete a user from your organization](/microsoft-365/admin/add-users/delete-a-user).
+
+Ensure that any deletion process or script handles this change. If you're fine with the whiteboards being deleted, then no action is required.
+
+## OneDrive for Business storage overview
+
+Whiteboards will be created in the OneDrive for Business folder of the person who starts the whiteboard (SharePoint isn't yet supported). This process applies to all whiteboards created in the standalone Whiteboard applications, and in Microsoft Teams meetings, chats, and channels. The only exception is whiteboards started from a Surface Hub will be stored in Azure (which will be moved to OneDrive for Business in the future).
+
+Any users who do not have OneDrive for Business provisioned will no longer be able to create new whiteboards when this change is implemented. However, they can still edit their previously created boards. They can also collaborate on any whiteboards that are shared with them by others who have OneDrive for Business.
+
+An average whiteboard might be anywhere from 50 KB to 1 MB in size and located wherever your OneDrive for Business content resides. To check where data for your tenant is stored, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Then look at the location for OneDrive for Business.
+
+### Controls for OneDrive for Business storage
+
+You can manage Whiteboard data using existing OneDrive for Business controls. For more information, see [OneDrive guide for enterprises](/onedrive/plan-onedrive-enterprise).
+
+You can use existing OneDrive for Business tooling to satisfy data subject requests (DSRs) for General Data Protection Regulation (GDPR). If you want to ensure that all previous changes are removed from the file, you must delete the entire file.
+
+Whiteboard files can be moved in the same way as other content in OneDrive for Business. However, share links and permissions might not move.
+
+Data controls supported today:
+
+- Retention policies
+- Quota
+- Legal hold
+- DLP
+- Basic eDiscovery ΓÇô The .whiteboard files are stored as files in the creator's OneDrive for Business. They're indexed for keyword and file type search, but aren't available to preview or review. Upon export, an admin needs to upload the file back to OneDrive for Business to view the content. Additional support is planned for the future.
+
+Data controls planned for future releases:
+
+- Sensitivity labels
+- Analytics
+- Additional eDiscovery support
+
+## See also
+
+[Enable and manage access to Whiteboard](enable-whiteboard-access-organizations.md)
+
+[Manage sharing for Whiteboard](manage-sharing-organizations.md)
+
+[Deploy Whiteboard on Windows](deploy-on-windows-organizations.md)
++
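Review bot: the section "If a user account is deleted in Azure" is hard to follow as written: the "Prior to the change" sentence and the "As of June 1, 2022" sentence are separated by a note about OneDrive for Business, and the new behavior mentions only whiteboards "shared with other users" without restating what happens to unshared ones. Put the before and after statements together, cover both owned and shared whiteboards in each, and move the OneDrive note after them. The text also says you can transfer "a single whiteboard or all of them", but the list links only to invoke-transferallwhiteboards; add the single-whiteboard reference or drop the claim. Minor: "whiteboards that the user owned was also deleted" should use "were", and "userΓÇÖs" and "ΓÇô" are mis-encoded punctuation.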
whiteboard Manage Sharing Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-gcc-high.md
+
+ Title: Manage sharing for Microsoft Whiteboard in GCC High environments
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to manage sharing for Microsoft Whiteboard in GCC High environments.
++++
+# Manage sharing for Microsoft Whiteboard in GCC High environments
+
+>[!NOTE]
+> This guidance applies to US Government Community Cloud (GCC) High environments.
+
+The sharing experience differs based on the device and client being used.
+
+## Share in Teams meetings
+
+When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization. It then automatically shares the whiteboard with any in-tenant users in the meeting.
+
+>[!NOTE]
+> External sharing during a Teams meeting is not yet available, but will be added in a future release.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Start the whiteboard from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Not yet available |In-tenant users: Can create, view, and collaborate<br><br>External users: Not yet available<br><br>Shared device accounts: Not yet available |
+|Start the whiteboard from a Surface Hub or Microsoft Teams Rooms |Not yet available | | |
+
+## Add as a tab in Teams channels and chats
+
+When you add a whiteboard as a tab in a Teams channel or chat, Whiteboard will create a sharing link thatΓÇÖs accessible by anyone in the organization.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Add the whiteboard to a channel or chat from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Not applicable |In-tenant users: Can initiate, view, and collaborate<br><br>External users: Not supported |
+
+## Create and share in Whiteboard native clients
+
+When you share a whiteboard from the web, desktop, or mobile clients, you can choose specific people. You can also create a sharing link thatΓÇÖs accessible by anyone in the organization.
+
+>[!NOTE]
+> External sharing during a Teams meeting is not yet available, but will be added in a future release.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Create the whiteboard from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Not applicable |In-tenant users: Can share within their organization<br><br>External users: Sharing with external users isn't supported at this time |
+|Create the whiteboard from a Surface Hub |Storage: Local<br><br>Owner: None |Not applicable |In-tenant users (coming soon): User will be able to sign in to save and share the board<br><br>External users: Sharing with external users isn't supported at this time |
+|Create the whiteboard from Microsoft Teams Rooms |Not yet available | | |
+
+## See also
+
+[Enable and manage access to Whiteboard - GCC High](enable-whiteboard-access-gcc-high.md)
+
+[Manage data for Whiteboard - GCC High](manage-data-gcc-high.md)
+
+[Manage clients for Whiteboard - GCC High](manage-clients-gcc-high.md)
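Review bot: the note under "Create and share in Whiteboard native clients" repeats the Teams-meeting note ("External sharing during a Teams meeting is not yet available") in a section that is not about meetings, while the table in that section already states that sharing with external users isn't supported. Replace it with a note about native clients or remove it. The rows for Surface Hub and Microsoft Teams Rooms leave the last two cells empty after "Not yet available"; fill them or merge the statement so the row reads unambiguously. As shown here the table separator rows are `|||||` with no dashes, so check that the tables render.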
whiteboard Manage Sharing Organizations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/manage-sharing-organizations.md
+
+ Title: Manage sharing for Microsoft Whiteboard
++++
+audience: admin
++
+search.appverid: MET150
+
+ms.localizationpriority: medium
+description: Learn how to manage sharing for Microsoft Whiteboard.
++++
+# Manage sharing for Microsoft Whiteboard
+
+The sharing experience differs based on whether youΓÇÖre in a Teams meeting, if you're using a shared device, or what tenant-level sharing settings are enabled. The following scenarios apply only to new whiteboards created after Whiteboard switches to using OneDrive for Business storage. There's no change to previously created boards still stored in Azure.
+
+## Share in Teams meetings
+
+When you share a whiteboard in a Teams meeting, Whiteboard creates a sharing link thatΓÇÖs accessible by anyone within the organization. It then automatically shares the whiteboard with any in-tenant users in the meeting.
+
+ThereΓÇÖs an additional capability for temporary collaboration by external and shared device accounts during a meeting. This capability allows these users to temporarily view and collaborate on whiteboards when theyΓÇÖre shared in a Teams meeting, similar to PowerPoint Live sharing.
+
+>[!NOTE]
+> This isn't a share link and doesn't grant access to the file. It provides temporary viewing and collaboration on the whiteboard for the duration of the Teams meeting only.
+
+If you have external sharing enabled for OneDrive for Business, no further action is required.
+
+If you restrict external sharing for OneDrive for Business, you can keep it restricted and just enable a new setting in order for external and shared device accounts to work. To do so, follow these steps:
+
+1. Using PowerShell, connect to your tenant and ensure the SharePoint Online module is updated by running the following command:
+
+ <pre><code class="lang-powershell">Update-Module -Name Microsoft.Online.SharePoint.PowerShell</code></pre>
+
+2. Then run the following <code>Set-SPOTenant</code> cmdlet:
+
+ <pre><code class="lang-powershell">Set-SPOTenant -AllowAnonymousMeetingParticipantsToAccessWhiteboards On</code></pre>
+
+This setting applies only to whiteboards and replaces the previously shared settings, **OneDriveLoopSharingCapability** and **CoreLoopSharingCapability**. Those settings are no longer applicable and can be disregarded.
+
+>[!NOTE]
+> By default, the Teams meeting setting **Anonymous users can interact with apps in meetings** is enabled. If you have disabled it, any anonymous users (as opposed to guests or federated users) won't have access to the whiteboard during the meeting.
+
+These changes should take approximately 60 minutes to apply across your tenancy.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Start the whiteboard from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Enabled |In-tenant users: Can create, view, and collaborate<br><br>External users: Can view and collaborate during the meeting only (the button to share a whiteboard won't appear for external users)<br><br>Shared device accounts: Can view and collaborate during the meeting only |
+|Start the whiteboard from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Disabled |In-tenant users: Can initiate, view, and collaborate<br><br>External users: Can't view or collaborate<br><br>Shared device accounts: Can't view or collaborate |
+|Start the whiteboard from a Surface Hub or Microsoft Teams Rooms |Storage: Azure (this will be moved to OneDrive for Business in the future)<br><br>Owner: Meeting participant |Not applicable |In-tenant users: Can initiate, view, and collaborate<br><br>External users: Can view and collaborate during the meeting only<br><br>Shared device accounts: Can view and collaborate during the meeting only |
+
+## Add as a tab in Teams channels and chats
+
+When you add a whiteboard as a tab in a Teams channel or chat, Whiteboard will create a sharing link thatΓÇÖs accessible by anyone in the organization.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Add the whiteboard to a channel or chat from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Not applicable (only applies to meetings) |In-tenant users: Can initiate, view, and collaborate<br><br>External users: Not supported<br><br>Teams guests: Can view and collaborate<br><br>Shared device accounts: Not applicable |
+
+## Create and share in Whiteboard native clients
+
+When you share whiteboards from the web, desktop, or mobile clients, you can choose specific people. You can also create a sharing link thatΓÇÖs accessible by anyone in the organization.
+
+>[!NOTE]
+> External sharing during a Teams meeting isn't yet available, but will be added in a future release.
+
+|Scenario |Storage and ownership |Sharing settings |Sharing experience |
+|||||
+|Create the whiteboard from a desktop or mobile device |Storage: OneDrive for Business<br><br>Owner: User who creates the whiteboard |Not applicable (only applies to meetings) |In-tenant users: Can share within their organization<br><br>External users: Sharing with external users isn't supported at this time |
+|Create the whiteboard from a Surface Hub |Storage: Local<br><br>Owner: None (Unless user sign ins to save and share the board, which saves to OneDrive for Business. Easy share will be added back in the future. |Not applicable (only applies to meetings) |In-tenant users: User must sign in to save and share the board (Easy share will be added in the future)<br><br>External users: Sharing with external users isn't supported at this time outside of a Teams meeting |
+|Create the whiteboard from Microsoft Teams Rooms |Not yet supported |Not applicable (only applies to meetings) |Not yet supported |
+
+## See also
+
+[Enable and manage access to Whiteboard](enable-whiteboard-access-organizations.md)
+
+[Manage data for Whiteboard](manage-data-organizations.md)
+
+[Deploy Whiteboard on Windows](deploy-on-windows-organizations.md)
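Review bot: the note under "Create and share in Whiteboard native clients" says "External sharing during a Teams meeting isn't yet available", which contradicts the "Share in Teams meetings" section of this same article, where external users "Can view and collaborate during the meeting only" when the setting is enabled. Remove or reword the note. For step 2, `-AllowAnonymousMeetingParticipantsToAccessWhiteboards On` is introduced as the setting for "external and shared device accounts", while the parameter name and the note that follows refer to anonymous users; spell out exactly which account types gain access so that admins who restrict external sharing know what they are opening, and say how to turn the setting back off. In the Surface Hub table row, the parenthesis opened at "(Unless user sign ins" is never closed, and "sign ins" should be "signs in".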