Updates from: 06/02/2021 03:14:54
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-4.md
To preserve a former user's OneDrive files, first give yourself access to their
> You can move or copy up to 500 MB of files and folders at a time.<br/> > When you move or copy documents that have version history, only the latest version is moved.
+You can also grant access to another user to access a former employee's OneDrive.
+
+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a> as a global admin or SharePoint admin.
+
+ If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.
+
+2. In the left pane, select **Admin centers** \> **SharePoint**. (You might need to select **Show all** to see the list of admin centers.)
+
+3. If the classic SharePoint admin center appears, select **Open it now** at the top of the page to open the SharePoint admin center.
+
+4. In the left pane, select **More features**.
+
+5. Under **User profiles**, select **Open**.
+
+6. Under **People**, select **Manage User Profiles**.
+
+7. Enter the former employee's name and select **Find**.
+
+8. Right-click the user, and then choose **Manage site collection owners**.
+
+9. Add the user to **Site collection administrators** and select **Ok**.
+
+10. The user will now be able to access the former employee's OneDrive using the OneDrive URL.
+ ### Revoke admin access to a user's OneDrive You can give yourself access to the content in a user's OneDrive, but you may want to remove your access when you no longer need it.
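Review bot: Steps 9 and 10 grant a second user site collection administrator rights on the former employee's OneDrive, but nothing in the added steps says when or how that access is removed. The "Revoke admin access to a user's OneDrive" section that follows only speaks to the admin's own access ("You can give yourself access..."), so consider adding a sentence after step 10, or extending that section, so the delegated user's rights are removed once the files have been moved. Step 10 is also an outcome rather than an action and would read better as an unnumbered closing sentence.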
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
You need to be a global administrator to complete the steps in this solution.
|[Step 3 - Forward a former employee's email to another employee or convert to a shared mailbox](remove-former-employee-step-3.md) <br/> |This lets you keep the former employee's email address active. If you have customers or partners still sending email to the former employee's address, this gets them to the person taking over the work. <br/> | |[Step 4 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-4.md) <br/> |If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/><br/> Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for **30** days. During that 30 days, however, you can restore the user's account, and gain access to their content. If you restore the user's account, the OneDrive and Outlook content will remain accessible to you even after 30 days. <br/> | |[Step 5 - Wipe and block a former employee's mobile device](remove-former-employee-step-5.md) <br/> |Removes your business data from the phone or tablet. <br/> |
-|[Step 6 - Remove and delete the Microsoft 365 license from a former employee](remove-former-employee-step-7.md) <br/> |When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <br/><br/> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/> |
+|[Step 6 - Remove and delete the Microsoft 365 license from a former employee](remove-former-employee-step-6.md) <br/> |When you remove a license, you can assign it to someone else. Or, you can delete the license so you don't pay for it until you hire another person. <br/><br/> When you remove or delete a license, the user's old email, contacts, and calendar are retained for **30 days**, then permanently deleted. If you remove or delete a license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days. <br/> |
|[Step 7 - Delete a former employee's user account](remove-former-employee-step-7.md) <br/> |This removes the account from your admin center. Keeps things clean. <br/> | ## Related content
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
You must be an Exchange administrator or Global administrator in Microsoft 365 t
4. On the email forwarding page, select **Forward all emails sent to this mailbox**, enter the forwarding address, and choose whether you want to keep a copy of forwarded emails. If you don't see this option, make sure a license is assigned to the user account. Select **Save changes**.
- **To forward to multiple email addresses**, you can ask the user to set up a rule in Outlook to forward to the addresses. To learn more, see [Use rules to automatically forward messages](https://support.microsoft.com/office/45aa9664-4911-4f96-9663-ece42816d746).
+ **To forward to multiple email addresses**, you can ask the user to set up a rule in Outlook to forward to the addresses.
+
+ 1. Open **outlook** > **Home** > **Rules** > Select **Manage Rules & Alerts**
+ 1. Select **New Rule** > **Select Apply rule on message I receive** located near bottom of list, then click **Next**.
+ 1. Click **Yes** when asked This rule will be applied to every message you receive.
+ 1. On the next list select the actions **redirect it to people or public group** and **stop processing more rules**
+ 1. Click the underlined phrase **people or public group** in the bottom part of window.
+ 1. Type the **email address** to forward mail to in the To field, then click **OK**.
+ 1. Select **Finish**
+
Or, in the admin center, [create a distribution group](../setup/create-distribution-lists.md), [add the addresses to it](add-user-or-contact-to-distribution-list.md), and then set up forwarding to point to the DL using the instructions in this article.
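Review bot: The numbered steps under **To forward to multiple email addresses** select the action **redirect it to people or public group**, not a forward action, and step 6 tells the user to type "the **email address**" in the singular. Either say that redirect is the intended action for this scenario or name the action that matches the heading, and state how more than one address is entered in the To field. The hunk also drops the link to "Use rules to automatically forward messages"; consider keeping it as a reference after the steps. In step 1, "**outlook**" should be capitalised, and steps 1, 4 and 7 lack end punctuation.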
compliance Declare Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/declare-records.md
You can then either publish those labels in a retention label policy so that use
By default, the retention label option to mark content as a regulatory record isn't displayed in the retention label wizard. To display this option, you must first run a PowerShell command:
-1. [Connect to the Office 365 Security & Compliance Center Powershell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+1. [Connect to the Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
2. Run the following cmdlet:
If you change your mind about seeing this option in the retention label wizard,
## Configuring retention labels to declare records
-When you create or edit a retention label from the **Records Management** solution in the Microsoft 365 compliance center, you have the option to mark items as a record. If you ran the PowerShell command from the previous section, you can alternatively mark items as a regulatory record.
+When you create a retention label from the **Records Management** solution in the Microsoft 365 compliance center, you have the option to mark items as a record. If you ran the PowerShell command from the previous section, you can alternatively mark items as a regulatory record.
For example:
Example of a document marked as record by using a retention label:
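Review bot: Dropping "or edit" from "When you create or edit a retention label" changes what the sentence promises, but the new text does not say what applies to an existing label. If the option to mark items as a record is only available at creation, state that explicitly here so readers do not look for it when editing a label.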
## Next steps
-For a list of scenarios supported by records management, see [Common scenarios for records management](get-started-with-records-management.md#common-scenarios-for-records-management).
+For a list of scenarios supported by records management, see [Common scenarios for records management](get-started-with-records-management.md#common-scenarios-for-records-management).
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Title: "Get started with the Microsoft Compliance Extension (preview)"
+ Title: "Get started with the Microsoft Compliance Extension"
f1.keywords: - CSH
search.appverid:
description: "Prepare for and deploy the Microsoft Compliance Extension."
-# Get started with Microsoft Compliance Extension (preview)
+# Get started with Microsoft Compliance Extension
Use these procedures to roll out the Microsoft Compliance Extension.
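Review bot: The new title reads "Get started with the Microsoft Compliance Extension" while the new H1 reads "Get started with Microsoft Compliance Extension", without the article. Make the two match, as the title and H1 of the companion "Learn about the Microsoft Compliance Extension" article do.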
Now that youΓÇÖve removed Chrome from the disallowed browsers/apps list, you can
### Known Issues and Limitations
-1. Drag & Drop enforcement for folder upload is not supported.
-2. Block Override enforcement for cloud egress is not supported.
-3. Incognito mode is not supported and must be disabled.
+1. Block Override enforcement for cloud egress is not supported.
+2. Incognito mode is not supported and must be disabled.
## Next steps Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
Title: "Learn about the Microsoft Compliance Extension (preview)"
+ Title: "Learn about the Microsoft Compliance Extension"
f1.keywords: - CSH
search.appverid:
description: "The Microsoft Compliance Extension extends monitoring and control of file activities and protective actions to the Google Chrome browser"
-# Learn about the Microsoft Compliance Extension (preview)
+# Learn about the Microsoft Compliance Extension
[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft 365 data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
compliance Filter Data When Importing Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/filter-data-when-importing-pst-files.md
search.appverid:
- MET150 ms.assetid: 26af16df-34cd-4f4a-b893-bc1d2e74039e
-description: "Learn how to filter data using the intelligent import feature in the Office 365 import service when you import PST files to Office 365."
+description: "Learn how to filter data using the intelligent import feature in the Microsoft 365 import service when you import PST files to Microsoft 365."
# Filter data when importing PST files
-Use the new Intelligent Import feature in the Office 365 Import service to filter the items in PST files that actually get imported to the target mailboxes. Here's how it works:
+Use the new Intelligent Import feature in the Microsoft 365 Import service to filter the items in PST files that actually get imported to the target mailboxes. Here's how it works:
- After you create and submit a PST import job, PST files are uploaded to an Azure storage area in the Microsoft cloud.
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
nine digits that may be in a formatted or unformatted pattern
### Pattern
-Formatted:
-- four digits beginning with 0, 1, 2, 3, 6, 7, or 8-- a hyphen
+- two digits in the ranges 00-12, 21-32, 61-72, or 80
+- two digits
+- an optional hyphen
- four digits-- a hyphen
+- an optional hyphen
- a digit
-Unformatted:
-nine consecutive digits beginning with 0, 1, 2, 3, 6, 7, or 8
### Checksum
-No
+Yes
### Definition
A DLP policy has high confidence that it's detected this type of sensitive infor
### Format
-A letter followed by seven digits
+eight or nine alphanumeric characters
### Pattern
-A letter (not case-sensitive) followed by seven digits
+- one letter (N, E, D, F, A, C, U, X) followed by 7 digits
+or
+- 2 letters (PA, PB, PC, PD, PE, PF, PU, PW, PX, PZ) followed by 7 digits.
### Checksum
No
### Definition A DLP policy has medium confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:-- The regular expression Regex_australia_passport_number finds content that matches the pattern.-- A keyword from Keyword_passport or Keyword_australia_passport_number is found.
+- The regular expression `Regex_australia_passport_number` finds content that matches the pattern.
+- A keyword from `Keyword_australia_passport_number` is found.
+
+A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+- The regular expression `Regex_australia_passport_number` finds content that matches the pattern.
```xml
-<!-- Australia Passport Number -->
-<Entity id="29869db6-602d-4853-ab93-3484f905df50" patternsProximity="300" recommendedConfidence="75">
- <Pattern confidenceLevel="75">
+ <!-- Australia Passport Number -->
+ <Entity id="29869db6-602d-4853-ab93-3484f905df50" patternsProximity="300" recommendedConfidence="75" relaxProximity="true">
+ <Pattern confidenceLevel="75">
<IdMatch idRef="Regex_australia_passport_number" />
- <Any minMatches="1">
- <Match idRef="Keyword_passport" />
- <Match idRef="Keyword_australia_passport_number" />
- </Any>
- </Pattern>
-</Entity>
+ <Match idRef="Keyword_australia_passport_number" />
+ </Pattern>
+ <Pattern confidenceLevel="65">
+ <IdMatch idRef="Regex_australia_passport_number" />
+ </Pattern>
+ </Entity>
``` ### Keywords
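Review bot: The added `<Pattern confidenceLevel="65">` contains only `<IdMatch idRef="Regex_australia_passport_number" />`, so any string of one or two of the listed letters followed by 7 digits now matches with no corroborating keyword. The entity keeps `recommendedConfidence="75"`; say so in the Definition text so policy authors know the regex-only pattern sits below the recommended level. `relaxProximity="true"` is also added to the `<Entity>` element with no explanation in the changed text; describe its effect on the 300-character proximity check or link to where it is defined.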
-#### Keyword_passport
+#### Keyword_australia_passport_number
-- Passport Number-- Passport No-- Passport #-- Passport#-- PassportID-- Passportno
+- passport#
+- passport #
+- passportid
+- passports
+- passportno
+- passport no
- passportnumber-- パスポート-- パスポート番号-- パスポートのNum-- パスポート # -- Numéro de passeport-- Passeport n °-- Passeport Non-- Passeport #-- Passeport#-- PasseportNon-- Passeportn °
+- passport number
+- passportnumbers
+- passport numbers
+- passport details
+- immigration and citizenship
+- commonwealth of australia
+- department of immigration
+- national identity card
+- travel document
+- issuing authority
-#### Keyword_australia_passport_number
-- passport-- passport details-- immigration and citizenship-- commonwealth of australia-- department of immigration-- residential address-- department of immigration and citizenship-- visa-- national identity card-- passport number-- travel document-- issuing authority
-
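Review bot: The rewritten `Keyword_australia_passport_number` list drops the bare terms "passport" and "visa" and "residential address", and with `<Match idRef="Keyword_passport" />` removed from the entity, the Japanese and French entries listed under the old `Keyword_passport` heading no longer contribute to the 75-confidence pattern. If that narrowing is intended to reduce false matches, say so in the article; if not, the localized terms need to be carried into the new list.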
## Australia tax file number ### Format
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For guidance about when to use this setting, see the information about [policy s
## Outlook-specific options for default label and mandatory labeling
-For built-in labeling, identify the minimum versions of Outlook that support these features by using the [capabilities table for Outlook](#sensitivity-label-capabilities-in-outlook) on this page, and the row **Different settings for default label and mandatory labeling**.
+For built-in labeling, identify the minimum versions of Outlook that support these features by using the [capabilities table for Outlook](#sensitivity-label-capabilities-in-outlook) on this page, and the row **Different settings for default label and mandatory labeling**. All versions of the Azure Information Protection unified labeling client support these Outlook-specific options.
-By default, when you select the label policy settings **Apply this label by default to documents and email** and **Requires users to apply a label to their email or documents**, your configuration choice applies to emails as well as to documents.
+When the Outlook app supports a default label setting that's different from the default label setting for documents:
-To apply different settings to emails, use PowerShell advanced settings:
+- In the label policy wizard, on the **Apply a default label to emails** page, you can specify your choice of sensitivity label that will be applied to all unlabeled emails, or no default label. This setting is independent from the **Apply this label by default to documents** setting on the previous **Policy settings for documents** page of the wizard.
-- **OutlookDefaultLabel**: Use this setting if you want Outlook to apply a different default label, or no label.
+When the Outlook app doesn't support a default label setting that's different from the default label setting for documents: Outlook will always use the value you specify for **Apply this label by default to documents** on the **Policy settings for documents** page of the label policy wizard.
-- **DisableMandatoryInOutlook**: Use this setting if you want Outlook to be exempt from prompting users to select a label for unlabeled email messages.
+When the Outlook app supports turning off mandatory labeling:
-For more information about configuring these settings by using PowerShell, see the next section.
+- In the label policy wizard, on the **Policy settings** page, select **Require users to apply a label to their email or documents**. Then select **Next** > **Next** and clear the checkbox **Require users to apply a label to their emails**. Keep the checkbox selected if you want mandatory labeling to apply to emails as well as to documents.
-### PowerShell advanced settings OutlookDefaultLabel and DisableMandatoryInOutlook
-
-These settings are supported by using PowerShell with the *AdvancedSettings* parameter and the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) and [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) cmdlets from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell). Previously supported only by the Azure Information Protection unified labeling client, these two advanced settings are now supported for built-in labeling.
-
-PowerShell examples, where the label policy is named **Global**:
--- To exempt Outlook from a default label:
-
- ````powershell
- Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}
- ````
--- To exempt Outlook from mandatory labeling:
-
- ````powershell
- Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}
- ````
-
-Currently, OutlookDefaultLabel and DisableMandatoryInOutlook are the only PowerShell advanced settings that are supported for both built-in labeling and the Azure Information Protection client.
-
-The other PowerShell advanced settings remain supported for the Azure Information Protection client only. For more information about using advanced settings for the Azure Information Protection client, see [Admin Guide: Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#configuring-advanced-settings-for-the-client-via-powershell).
-
-#### PowerShell tips for specifying the advanced settings
-
-To specify a different default label for Outlook, identify the label by its GUID. To find this value, can you use the following command:
-
-````powershell
-Get-Label | Format-Table -Property DisplayName, Name, Guid
-````
-
-To remove either of these advanced settings from a label policy, use the same AdvancedSettings parameter syntax, but specify a null string value. For example:
-
-````powershell
-Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel=""}
-````
+When the Outlook app doesn't support turning off mandatory labeling: If you select **Require users to apply a label to their email or documents** as a policy setting, Outlook will always prompt users to select a label for unlabeled emails.
+> [!NOTE]
+> If you have configured the PowerShell advanced settings **OutlookDefaultLabel** and **DisableMandatoryInOutlook** by using the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) or [New-LabelPolicy](/powershell/module/exchange/new-labelpolicy) cmdlets:
+>
+> Your chosen values for these PowerShell settings are reflected in the label policy wizard and automatically work for Outlook apps that support these settings. The other PowerShell advanced settings remain supported for the Azure Information Protection unified labeling client only.
## End-user documentation
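Review bot: The new NOTE still tells admins who configured **OutlookDefaultLabel** and **DisableMandatoryInOutlook** that their values are reflected in the wizard, but the hunk deletes everything that explained how to manage those settings: the `Set-LabelPolicy ... -AdvancedSettings` examples, the `Get-Label` GUID lookup, and the null-string syntax for removing a setting. Keep a short pointer for changing or clearing an existing advanced setting, or state whether a choice made in the wizard replaces it. The first sentence of the NOTE also ends in a colon followed by an empty quote line, which reads as an unfinished list.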
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
If you edit a sensitivity label, the version of the label that was applied to co
## What label policies can do
-After you create your sensitivity labels, you need to publish them, to make them available to people and services in your organization. The sensitivity labels can then be applied to Office documents and emails, and other items that support sensitivity labels.
+After you create your sensitivity labels, you need to publish them to make them available to people and services in your organization. The sensitivity labels can then be applied to Office documents and emails, and other items that support sensitivity labels.
Unlike retention labels, which are published to locations such as all Exchange mailboxes, sensitivity labels are published to users or groups. Apps that support sensitivity labels can then display them to those users and groups as applied labels, or as labels that they can apply.
When you configure a label policy, you can:
- **Choose which users and groups see the labels.** Labels can be published to any specific user or email-enabled security group, distribution group, or Microsoft 365 group (which can have [dynamic membership](/azure/active-directory/users-groups-roles/groups-create-rule)) in Azure AD. -- **Apply a default label** to all new documents and unlabeled emails created by the users and groups included in the label policy, and the same or different default label to containers (if you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)). With this setting, the Azure Information Protection unified labeling client also applies the default label to existing documents that are unlabeled. Users can always change the default label if it's not the right label for their document or email.
+- **Specify a default label** for new documents, unlabeled emails, and new containers (when you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)). You can specify the same label for all three types of items, or different labels. When you specify a default label for documents, the Azure Information Protection unified labeling client also applies this label to existing documents that are unlabeled. Users can always change the default label if it's not the right label for their document or email.
Consider using a default label to set a base level of protection settings that you want applied to all your content. However, without user training and other controls, this setting can also result in inaccurate labeling. It's usually not a good idea to select a label that applies encryption as a default label to documents. For example, many organizations need to send and share documents with external users who might not have apps that support the encryption or they might not use an account that can be authorized. For more information about this scenario, see [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).
When you configure a label policy, you can:
![Prompt where users enter a justification](../media/Sensitivity-label-justification-required.png) -- **Require users to apply a label** with one option for email and documents, and another for containers. Also known as mandatory labeling, these options ensure a label must be applied before users can save documents and send emails, and create new groups or sites.
+- **Require users to apply a label** for documents and emails, just documents, and for containers. Also known as mandatory labeling, these options ensure a label must be applied before users can save documents and send emails, and create new groups or sites.
For documents and emails, a label can be assigned manually by the user, automatically as a result of a condition that you configure, or be assigned by default (the default label option previously described). An example prompt shown in Outlook when a user is required to assign a label:
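Review bot: In the added bullet, "**Require users to apply a label** for documents and emails, just documents, and for containers" is hard to parse: it is unclear whether these are three separate options or alternatives of one setting. The removed wording ("one option for email and documents, and another for containers") made the grouping explicit; restate the new options with the same clarity.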
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
### Launch portal with over 100k users
-If you are planning to migrate over 100TB, please submit a support request following the steps listed below. Make sure to include all requested information.
+If you are planning to launch a portal with over 100,000 users, please submit a support request following the steps listed below. Make sure to include all requested information.
Follow these steps: 1. Navigate to https://admin.microsoft.com
enterprise Manage Microsoft 365 Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups-with-powershell.md
This article provides the steps for doing common management tasks for Groups in
When users [create or edit a group in Outlook](https://support.office.com/article/04d0c9cf-6864-423c-a380-4fa858f27102.aspx), you can show them a link to your organization's usage guidelines. For example, if you require a specific prefix or suffix to be added to a group name.
-Use the Azure Active Directory (Azure AD) PowerShell to point your users to your organization's usage guidelines for Microsoft 365 groups. Check out [Azure Active Directory cmdlets for configuring group settings](/azure/active-directory/enterprise-users/groups-settings-cmdlets) and follow the steps in the **Create settings at the directory level** to define the usage guideline hyperlink. Once you run the AAD cmdlet, user's will see the link to your guidelines when they create or edit a group in Outlook.
+Use the Azure Active Directory (Azure AD) PowerShell to point your users to your organization's usage guidelines for Microsoft 365 groups. Check out [Azure Active Directory cmdlets for configuring group settings](/azure/active-directory/enterprise-users/groups-settings-cmdlets) and follow the steps in the **Create settings at the directory level** to define the usage guideline hyperlink. Once you run the AAD cmdlet, users will see the link to your guidelines when they create or edit a group in Outlook.
![Create a new group with usage guidelines link](../media/3f74463f-3448-4f24-a0ec-086d9aa95caa.png)
The following cmdlets can be used with Microsoft 365 Groups.
[Manage guest access to Microsoft 365 Groups](https://support.office.com/article/bfc7a840-868f-4fd6-a390-f347bf51aff6)
-[Change static group membership to dynamic in](/azure/active-directory/users-groups-roles/groups-change-type)
+[Change static group membership to dynamic in](/azure/active-directory/users-groups-roles/groups-change-type)
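Review bot: This whitespace-only change leaves the link text "Change static group membership to dynamic in" ending mid-phrase. Complete the link text while the line is being touched.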
enterprise Microsoft 365 Client Support Single Sign On https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-client-support-single-sign-on.md
The latest versions of the following clients and platforms support single sign-o
## Supported PowerShell modules -- [Azure Active Directory PowerShell](/powershell/azure/active-directory/overview?view=azureadps-2.0)
+- [Azure Active Directory PowerShell](/powershell/azure/active-directory/overview)
- [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell) - [SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online)
enterprise Microsoft 365 U S Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints.md
Title: Office 365 US Government DOD endpoints
Previously updated : 04/29/2021 Last updated : 05/28/2021 audience: ITPro
||| |:--|:--|
-|**Last updated:** 04/29/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |
+|**Last updated:** 05/28/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
enterprise Microsoft 365 U S Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints.md
Title: "Office 365 U.S. Government GCC High endpoints"
Previously updated : 01/28/2021 Last updated : 05/28/2021 audience: ITPro
Office 365 requires connectivity to the Internet. The endpoints below should be
||| |:--|:--|
-|**Last updated:** 01/28/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |
+|**Last updated:** 05/28/2021 - ![RSS](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) <br/> |
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
Title: Windows and Office deployment lab kit
+ Title: Windows 10 and Office 365 deployment lab kit
f1.keywords: - NOCSH
description: Learn about and where to access the Windows and Office Deployment Lab Kit.
-# Windows and Office deployment lab kit
+# Windows 10 and Office 365 deployment lab kit
-The Windows and Office deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, the Office Customization Tool, OneDrive, Windows Autopilot, and more.
+The Windows 10 and Office 365 deployment lab kit is designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise and Microsoft 365 Apps for enterprise. The labs in the kit cover using Microsoft Endpoint Configuration Manager, Desktop Analytics, the Office Customization Tool, OneDrive, Windows Autopilot, and more.
This kit is highly recommended for organizations preparing for Windows 8.1 upgrades to Windows 10. It also applies if you're currently using Windows 10, Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus), or Office 2019. As an isolated environment, the resulting lab is ideal for exploring deployment tool updates and testing your deployment-related automation.
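Review bot: The front-matter `description` still reads "Learn about and where to access the Windows and Office Deployment Lab Kit." while the title and H1 in this hunk are renamed to "Windows 10 and Office 365 deployment lab kit". Update the description in the same change so that search results and the page heading use one name.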
This kit is highly recommended for organizations preparing for Windows 8.1 upgra
The kit provides you with an automatically provisioned virtual lab environment, including domain-joined desktop clients, a domain controller, an Internet gateway, and a fully configured Configuration Manager instance. The kit contains the latest evaluation versions of the following products:
- - NEW! Windows 10 Enterprise, Version 20H2
+ - NEW! Windows 10 Enterprise, Version 21H1
- Windows 7 Enterprise
- - Microsoft Endpoint Configuration Manager, Version 2010*
+ - NEW! Microsoft Endpoint Configuration Manager, Version 2103*
- Windows Assessment and Deployment Kit for Windows 10 - Microsoft Deployment Toolkit - Microsoft Application Virtualization (App-V)
The kit provides you with an automatically provisioned virtual lab environment,
The resulting lab is designed to be connected to trials for: - Microsoft 365 E5
+ - Microsoft 365 Apps for enterprise
- Office 365 E5 with Enterprise Mobility + Security (EMS) ## Step-by-step labs
Detailed lab guides take you through multiple deployment and management scenario
- Prepare, deploy, optimize
-## Where to find the Windows and Office Deployment Lab Kit
+## Where to find the Windows 10 and Office 365 deployment lab kit
[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit).
-* The installed baseline version 2002 can be updated to Version 2010 using and in-console update. Please use a broad bandwidth Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires July 22, 2021. A new version will be published prior to expiration.
+Note: Please use a broad bandwidth Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires August 23, 2021. A new version will be published prior to expiration.
## Additional guidance
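Review bot: The replacement "Note:" line drops the footnote that the asterisk in the product list pointed to, but the added bullet "Microsoft Endpoint Configuration Manager, Version 2103*" keeps its asterisk, so it now refers to nothing. Either remove the asterisk or restore a footnote that states the installed baseline and the version it updates to. The download link text above the note also still says "Windows and Office Deployment Lab Kit" under a heading that was renamed in this hunk.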
enterprise Urls And Ip Address Ranges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges.md
Title: "Office 365 URLs and IP address ranges"
Previously updated : 05/19/2021 Last updated : 05/28/2021 audience: Admin
Office 365 requires connectivity to the Internet. The endpoints below should be
|||| |:--|:--|:--|
-|**Last updated:** 05/19/2021 - ![RSS](../medi#pacfiles) <br/> |
+|**Last updated:** 05/28/2021 - ![RSS](../medi#pacfiles) <br/> |
Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This allows for customers who do not yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you are using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
managed-desktop Change History Managed Desktop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/change-history-managed-desktop.md
New or changed article | Description
New or changed article | Description | [Prerequisites](get-ready/prerequisites.md) | Updated article
-[Work with insights](working-with-managed-desktop/insights.md) | Updated article
+Work with insights | Updated article
[Steps for Partners to register devices](get-started/register-devices-partner.md) | Updated article [Access the admin portal](get-started/access-admin-portal.md) | Updated article [Deploy apps to devices](get-started/deploy-apps.md) | Updated article
New or changed article | Description
[Register new devices yourself](get-started/register-devices-self.md) | Updated article [Prepare certificates and network profiles for Microsoft Managed Desktop](get-ready/certs-wifi-lan.md) | Updated article [Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
-[Work with insights](working-with-managed-desktop/insights.md) | Updated article
+Work with insights| Updated article
## August 2020 New or changed article | Description
New or changed article | Description
New or changed article | Description | [Security in Microsoft Managed Desktop](service-description/security.md)| Updated article
-[Work with insights](working-with-managed-desktop/insights.md) | Updated article
-[Windows security update insights](working-with-managed-desktop/security-update-insights.md) | New article
+Work with insights | Updated article
+Windows security update insights| New article
[How updates are handled in Microsoft Managed Desktop](service-description/updates.md) | Updated article [Microsoft Managed Desktop device services](service-description/device-services.md) | Updated article
New or changed article | Description
## November 2019 New or changed article | Description |
-[Work with insights](working-with-managed-desktop/insights.md) | New article
-[Usage insights](working-with-managed-desktop/usage-insights.md) | New article
-[Reliability insights](working-with-managed-desktop/reliability-insights.md) | New article
+Work with insights | New article
+Usage insights | New article
+Reliability insights | New article
[Microsoft Managed Desktop devices](service-description/device-list.md) | Updated article [Microsoft Managed Desktop main page](./index.yml) | Updated article [What is Microsoft Managed Desktop?](./intro/index.md) | Updated article
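Review bot: The entries "Work with insights", "Usage insights" and "Reliability insights" are turned into plain text but still carry the status "New article", so a reader of the change history cannot tell that these articles were removed in this update. Mark the rows as retired (or add a row for the removal under the current month) rather than leaving unlinked titles. The same applies to the unlinked rows in the earlier months above, where the spacing before the pipe is also inconsistent ("Work with insights| Updated article").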
managed-desktop Battery Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/battery-insights.md
- Title: Battery insights
-description: A report that shows data about predicted battery life and top power consumers
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Battery insights
-This view provides power, battery, and app usage metrics for your Microsoft Managed Desktop devices. For these purposes, an app is considered "in use" if it is running and in focus.
-
-To view usage data, select the **Battery** tab.
-
-![Battery pane: predicted battery life per device model in upper left, top energy consumers (by app) in upper right, insights table across the bottom. Documentation link in upper right](../../media/insights_battery.png)
-
-## Predicted battery life
-
-In the **Predicted battery life** area, we provide predictions for the expected battery life for your devices, organized by device model.
-
-> [!NOTE]
-> This data is derived from sampling energy usage, usage time, and battery capacity from a random <em>selection</em> of the devices in your Microsoft Managed Desktop deployment that are also reporting data.
-
-The table provides the predicted battery life (in hours), average battery life for the same models in other Microsoft Managed Desktop deployments, and the number of devices reporting this data in your environment. Sort the data by selecting the column headings.
---
-## Top energy consumers
-
-In the **Top energy consumers** area youΓÇÖll find the apps in your environment that consume the most energy in milliWatt-hours (mWh). The apps shown are per specific device, which you select in the **Predicted battery life** section to the left. For example, to see the per-app consumption for your Microsoft Surface Book 2 devices, select that row in the battery life area. If you don't select any model, the app consumption data shown is for all apps that we have data for collectively.
-
- For each app, colored segments show you the distribution of the app's energy use among these categories:
--- CPU-- Display-- Network-- Other-
-"Other" could include energy consumption by a variety of sources, such as disk activity, mobile broadband usage, and energy lost to internal resistance.
-
-You can filter this view to show only foreground apps, background apps, or both by using the menu in the upper right. Foreground apps are those that have had user interaction in the last 28 days, such as selecting something with a mouse.
-
-## Insights
-
-The **Insights** area shows the top three energy consumers in the CPU and network categories. These items are consuming higher than average energy compared to all Microsoft Managed Desktop deployments. We don't show the display resource because it depends heavily on device usage time and screen brightness settings.
-
-Select the listings in the **Details** column for more information.
-
-## Battery optimization
-
-Windows 10 offers numerous [device settings](https://support.microsoft.com/help/20443/windows-10-battery-saving-tips) to improve power usage and increase the battery life of your Microsoft Managed Desktop devices. Some of these settings can decrease other Windows functionality, so you'll also have to consider other factors such as the role of the device in your organization. Windows support maintains a list of these [battery saving tips](https://support.microsoft.com/help/20443/windows-10-battery-saving-tips).
-
-Users can adjust some settings on their own without the need for admin elevation or support. Other settings require support from your organization's IT administrator.
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/index.md
Title: Working with Microsoft Managed Desktop
-description:
+description: Landing page for the "working with" section
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
This section includes information about your day-to-day life with the service, such as how your IT admins can get support if needed, how your users get support, managing your apps once deployed, and how to work the customizable settings on devices. -- [Work with insights](insights.md)+ - [Admin support for Microsoft Managed Desktop](admin-support.md) - [Getting help for users](end-user-support.md) - [Manage line-of-business apps in Microsoft Managed Desktop](manage-apps.md)
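Review bot: The added `description: Landing page for the "working with" section` is an internal label rather than a summary a reader would see in search results. Describe what the section covers, using the wording already in the first paragraph (admin support, user support, app management, device settings), and avoid nested double quotes in the front matter value.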
managed-desktop Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/insights.md
- Title: Work with insights
-description: Overview of the insights available in Microsoft Managed Desktop
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
--------
-# Work with insights
-
-Microsoft Managed Desktop provides a number of dashboards that IT admins in your tenant can use to understand various aspects of the population of devices. You access these directly, in the [Microsoft 365 Admin Center](https://admin.microsoft.com/adminportal/home?previewoff=false#/microsoftmanageddesktop).
-
-With these dashboards you can find the answers to questions like these:
--- How many devices are active and when were they last used?-- Which apps are most used and during which times?-- Which apps are causing trouble by crashing or hanging a lot?-- How is Microsoft Managed Desktop Operations mitigating or resolving such problems?-- Which apps are consuming the most energy?-- What's the predicted battery life my devices?-- What is the current status of security updates on devices?-- How long did it take for 95% of the devices to get current with the latest security update?--
-To access these views from the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), navigate to the Microsoft Managed Desktop tab on the homepage and select **View details** in the **Reporting** area:
--
-![Admin center main page with Reporting area in lower left and View details link](../../media/insights-main.png)
--
-## Usage insights
-This view provides usage metrics for your Microsoft Managed Desktop devices.
-
-To view usage data, select the **Usage** tab.
-
-Learn more about [usage insights](usage-insights.md).
-
-## Reliability insights
-This view provides you with a health summary of your managed devices. To view reliability data, select the **Reliability** tab.
-
-Learn more about [reliability insights](reliability-insights.md).
-
-## Battery insights
-This view shows you information about the energy consumption of apps and projected battery life for devices in your environment. To view this information, select the **Battery** tab.
-
-Learn more about [Battery insights](battery-insights.md).
-
-## Windows security update insights
-This view shows you information about the status of security updates for your Microsoft Managed Desktop devices. To view this information, select the **Windows security updates** tab.
-
-Learn more about [Security update insights](security-update-insights.md).
managed-desktop Reliability Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/reliability-insights.md
- Title: Reliability insights
-description:
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
------
-# Reliability insights
-
-This view provides you with a health summary of your managed devices. To view reliability data, select the **Reliability** tab.
--
-![Reliability pane: reliability across devices in upper left, reliability over time graph in upper right, top issues table across the bottom. Help and feedback buttons in lower right.](../../media/insights_reliability.png)
-
-The **Reliability across devices** section offers a quick health summary of your deployment over the last 14 days by reporting the percentage of devices considered to be ΓÇ£healthyΓÇ¥ and the mean time observed since the last reported failure.
-
-
-The **Reliability over time** graph on the right reports the number of devices with critical errors and the total number of observed critical errors over time.
-
-The **Top issues** section details specific detected issues that affect at least 5% of your managed devices. Reported details include:
--- The type of issue
- - Application crashes, in which an app stops functioning or unexpectedly stops
- - Application hangs, where an application stops responding to input
- - Critical errors, which occur when Windows has encountered an issue it can't recover from
-- The number of devices affected by the same issue-- The percentage of managed devices that number represents-- The total count of occurrences of the specific issue-- The software component that appears to be the source of the problem-- The category of the detected problem:
- - Browser (Edge, Chrome, IE)
- - Unknown (Non-Microsoft components)
- - Driver (audio, graphics, or other drivers)
- - Productivity (Slack, G-Suites, Microsoft Office and its add-ons or extensions, Teams)
- - Media (image, music, or video apps
- - Security (Windows security components)
-- The current status as Microsoft Managed Desktop Operations investigates and remediates the issue-
managed-desktop Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/reports.md
Title: Work with reports
-description:
+description: The various reports available in Microsoft Managed Desktop
keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
Additionally, in several locations throughout Microsoft Endpoint Manager you can
> [!NOTE] > Custom Microsoft Managed Desktop roles guarantee access only to the Microsoft Managed Desktop reports. To access other parts of Microsoft Endpoint Manager, such as **All devices**, see [Role-based access control with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
-## Reports in Microsoft 365 Admin Center
-
-You can find Microsoft Managed Desktop insights reports by opening the [Microsoft 365 Admin Center](https://admin.microsoft.com/adminportal/home?previewoff=false#/microsoftmanageddesktop), and then navigating to **Reports** and selecting **Microsoft Managed Desktop**. You can also follow the direct link to these reports from the **Microsoft Managed Desktop** tab on the homepage [Microsoft Endpoint Manager](https://endpoint.microsoft.com).
-
-These reports include:
--- [Usage insights](usage-insights.md) - This view provides usage metrics for your Microsoft Managed Desktop devices.-- [Reliability insights](reliability-insights.md) - This view provides you with a health summary of your managed devices.-- [Battery insights](battery-insights.md) - This view shows you information about the energy consumption of apps and projected battery life for devices in your environment.-- [Windows security update insights](security-update-insights.md) - This view shows you information about the status of security updates for your Microsoft Managed Desktop devices. ## Inventory data
managed-desktop Security Update Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/security-update-insights.md
- Title: Windows security update insights
-description:
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
------
-# Windows security update insights
-This view provides an overview of the status of security updates for your Microsoft Managed Desktop devices.
-
-To view usage data, select the <strong>Windows security updates</strong> tab.
-
-![Windows security updates pane: bar graphs of device status and update version in left column, update deployment progress over time in center column, and percentage of active devices by deployment group, as well as the number of days taken to reach the 95% deployment target in right column.](../../media/update-insights.jpg)
-
-## Device status
-
-For devices to be updated by Windows Update, they must be connected to the Internet and not hibernating for a minimum of six hours, two of which must be continuous. Although it's possible that a device that doesn't meet these requirements will be updated, devices that meet them have the highest likelihood of being updated.
-
-We categorize device activity in the context of Windows Update with these terms:
--- <strong>Active:</strong> Devices that have met the minimum activity criteria (six hours, two continuous) for the most recent security update release and have checked in with Microsoft Intune at least every five days-- <strong>Synced:</strong> Devices that have checked in with Intune within the last 28 days-- <strong>Out of sync:</strong> Devices that have <i>not</i> checked in with Intune in the last 28 days----
-## Update version status
-
-Microsoft releases security updates every second Tuesday of the month. Each release adds important updates for known security vulnerabilities. Microsoft Managed Desktop ensures that 95% of its managed devices are updated with the latest available security update every month. Security updates are sometimes released at other times to urgently address new threats. Microsoft Managed Desktop deploys these updates in a similar fashion.
-
-We categorize the status of security update versions with these terms:
--- <strong>Current:</strong> Devices that are running the update released in the current month-- <strong>Previous:</strong> Devices running the update that was released in the previous month-- <strong>Older:</strong> Devices running any security update released prior to the previous month-
-You should see few devices in the <strong>Older</strong> category--a large or growing population probably indicates a systemic problem that you should report to Microsoft Managed Desktop so we can investigate.
--
-## Deployment progress
-
-At the beginning of each security update release cycle, Microsoft Managed Desktop takes a snapshot of the device population and sets its deployment target at 95% of that population. The <strong>Deployment progress</strong> area shows a historical trend, updated daily, tracking how closely the update deployment meets this target for each release. This graph only shows devices with Active status.
-
-You can view this data for previous update cycles by using the dropdown menu in the upper right. The period you select in this menu applies to all of the information on the whole page.
-
-The <strong>Updated active devices by deployment group</strong> area offers a different view by showing the progress of the update installation for each of the Microsoft Managed Desktop deployment groups.
-
-The <strong>Days to reach target</strong> area displays how long it took for 95% of the total number of devices to be updated with the current security update. While deployment is underway, this area displays <strong>Still updating</strong> until the 95% target is reached for the selected update.
-
-## Device details area
-
-The bottom of the dashboard is a table showing detailed information for your devices, including the [Device status](#device-status) and the [Update version status](#update-version-status). You can search this list or filter it by any listed value.
--
-![Device details table showing columns for device name, assigned user, device status, update version, operating system version, and the date the device last synced.](../../media/security-update-insights-device-table-sterile.png)
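Review bot: Deleting this article removes the definitions given here for the device status terms (Active, Synced, Out of sync) and the update version terms (Current, Previous, Older), together with the explanation of the 95% deployment target and the guidance to report a growing "Older" population. If the Windows security updates view is still available, move these definitions into the article that now documents it. If the view is retired, state that in the change history and add a redirect for this page, since the links to it are removed from the change history and reports pages in this same update.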
managed-desktop Usage Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/usage-insights.md
- Title: Usage insights
-description:
-keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
------
-# Usage insights
-This view provides usage metrics for your Microsoft Managed Desktop devices. For these purposes, an app is considered "in use" if it is running and in focus.
-
-To view usage data, select the **Usage** tab.
-
-![Usage pane. Device usage graph (percentage usage versus time) in upper left. Application usage table in upper right. Device listing table across the bottom with columns device name, model, serial number, display name, user name, current state (active, low, or inactive), total device usage in hours, and number of active days.](../../media/insights_usage.png)
-
-## Device usage
-
-In the **Device usage** area, we display the usage level of reporting devices over time, as well as how many registered devices are reporting data. For all data displayed on this page, you can change the interval to view reported data in either the last 14 or 28 days by using the drop-down menu in the upper right.
-
-We categorize the usage level with these terms:
--- **Active:** at least 55 hours of usage-- **Low:** between 8 and 55 hours of usage-- **Inactive:** less than 8 hours of usage----
-## Application usage
-
-The **Application usage** area details the applications in order of usage and their respective hours of usage for your managed devices. It also shows the total number of managed devices using a given application. Select **Search** to find a specific application if it isn't already listed.
--
-## Device details
-The detail area provides information on specific devices, including total device hours and number of active days over the time period. Use the filters to limit the view to those devices with a ΓÇ£ActiveΓÇ¥, ΓÇ£InactiveΓÇ¥, or ΓÇ£LowΓÇ¥ usage pattern or those that are ΓÇ£Not ReportingΓÇ¥.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Using OData Queries](exposed-apis-odata-samples.md)
-#### [Raw data streaming API]()
-##### [Raw data streaming](raw-data-export.md)
-##### [Stream advanced hunting events to Azure Events hub](raw-data-export-event-hub.md)
-##### [Stream advanced hunting events to your storage account](raw-data-export-storage.md)
- #### [SIEM integration]() ##### [Understand threat intelligence concepts](threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](configure-siem.md)
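Review bot: The four "Raw data streaming API" entries are removed from the TOC, but nothing in this change shows raw-data-export.md, raw-data-export-event-hub.md or raw-data-export-storage.md being deleted, moved or redirected. If the articles stay published they become unreachable from navigation; if they moved to another docset, add redirects in the same change and say where streaming advanced hunting events is documented now.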
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
You can access the lab from the menu. In the navigation menu, select **Evaluatio
>[!NOTE] >- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation.
->- Each environment is provisioned with a limited set of test devices. When you've used up the provisioned devices, no new devices are provided. A deleted device does not refresh the available test device count.
->- You can no longer use the lab when the resources have been used up. It does not reset nor refresh.
->- It is advisable to use the resources carefully.The lab resources are limited. They will not reset nor refresh.
+>- Each environment is provisioned with a limited set of test devices. When you've used up the provisioned devices and have deleted them, you can request for more devices.
+>- You can request for lab resources once a month.
Already have a lab? Make sure to enable the new threat simulators and have active devices.
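Review bot: The removed bullets stated that a deleted device does not refresh the available test device count, and the added bullets drop that statement without saying whether it still holds. As written, "When you've used up the provisioned devices and have deleted them" reads as if deletion is a precondition for the request. State explicitly whether devices must be deleted before a request can be submitted and whether deleting a device frees a slot by itself.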
When you add a device to your environment, Defender for Endpoint sets up a well-
The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
- >[!TIP]
- > Need more devices in your lab? Submit a support ticket to have your request reviewed by the Defender for Endpoint team.
- If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add. The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. The following security components are pre-configured in the test devices: -- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)-- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)-- [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection)-- [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)-- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)-- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)-- [Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+- [Attack surface reduction](attack-surface-reduction.md)
+- [Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
+- [Controlled folder access](controlled-folders.md)
+- [Exploit protection](enable-exploit-protection.md)
+- [Network protection](network-protection.md)
+- [Potentially unwanted application detection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
+- [Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
>[!NOTE]
-> Microsoft Defender Antivirus will be on (not in audit mode). If Microsoft Defender Antivirus blocks you from running your simulation, you can turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
+> Microsoft Defender Antivirus will be on (not in audit mode). If Microsoft Defender Antivirus blocks you from running your simulation, you can turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](configure-real-time-protection-microsoft-defender-antivirus.md).
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
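Review bot: The links in the pre-configured components list are retargeted, not only made relative: for example "attack-surface-reduction-exploit-guard" becomes attack-surface-reduction.md and "utilize-microsoft-cloud-protection-microsoft-defender-antivirus" becomes cloud-protection-microsoft-defender-antivirus.md. Confirm that each new file exists in this folder. The SmartScreen entry is the only one that still points outside the docset, and its path changes from windows-defender-smartscreen to microsoft-defender-smartscreen, so that target needs a separate check.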
Automated investigation settings will be dependent on tenant settings. It will b
![Image of devices tab](images/machines-tab.png)
- >[!TIP]
- >In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
+ > [!TIP]
+ > In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
+
+## Request for more devices
+When all existing devices are used and deleted, you can request for more devices. You can request for lab resources once a month.
++
+1. From the evaluation lab dashboard, select **Request for more devices**.
+
+ ![Image of request for more devices](images/request-more-devices.png)
+
+2. Choose your configuration.
+3. Submit the request.
+
+When the request is submitted successfully you'll see a green confirmation banner and the date of the last submission.
+
+You can find the status of your request in the **User Actions** tab, which will be approved in a matter of hours.
+
+When approved, the requested devices will be added to your lab set up and youΓÇÖll be able to create more devices.
+> [!TIP]
+> To get more out of your lab, donΓÇÖt forget to check out our simulations library.
## Simulate attack scenarios Use the test devices to run your own attack simulations by connecting to them.
You can simulate attack scenarios using:
- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) - Threat simulators
-You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
+You can also use [Advanced hunting](advanced-hunting-overview.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
### Do-it-yourself attack scenarios If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience.
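Review bot: In the added "Request for more devices" section, the sentence "You can find the status of your request in the **User Actions** tab, which will be approved in a matter of hours" reads as if the tab is what gets approved. Split it so the approval time refers to the request. The same section uses "request for more devices" as a verb phrase ("request more devices" is the usual form) and "lab set up" where the noun "setup" is meant. The apostrophes in "you'll" and "don't" in the last two added paragraphs are typographic, unlike the straight apostrophe in "you'll see a green confirmation banner" a few lines earlier, and they come through garbled here. Use the straight form throughout.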
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Cert and File IoC policy handling conflict will follow the below order:
- If the file is not allowed by Windows Defender Application Control and AppLocker enforce mode policy/policies, then **Block** -- Else if the file is allowed by the Defender Anti-Virus Exclusion, then **Allow**
+- Else if the file is allowed by the Microsoft Defender Antivirus exclusion, then **Allow**
- Else if the file is blocked or warned by a block or warn file IoC, then **Block/Warn** -- Else if the file is allowed by an allow file IOC policy, then **Allow**
+- Else if the file is allowed by an allow file IoC policy, then **Allow**
- Else if the file is blocked by ASR rules, CFA, AV, SmartScreen, then **Block**
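Review bot: The last bullet of the precedence list still reads "blocked by ASR rules, CFA, AV, SmartScreen", so after this change the list spells the product out as "Microsoft Defender Antivirus" in one bullet and abbreviates it to "AV" in another. Expand the abbreviations there as well. Because the bullets describe a strict evaluation order ("Else if ..."), a numbered list would make the precedence explicit for anyone working out why an allow indicator did not take effect.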
security Linux Update MDE Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-MDE-Linux.md
ms.technology: mde
# Schedule an update of the Microsoft Defender for Endpoint (Linux)
-To run an update on Microsoft Defender for Endpoint on Linux, see [Deploy updates for Microsoft Defender for Endpoint on Linux](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/linux-updates).
+To run an update on Microsoft Defender for Endpoint on Linux, see [Deploy updates for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-updates).
Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
CRON_TZ=America/Los_Angeles
> #!Ubuntu and Debian systems
-`06**sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log`
+`0 6 * * sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log`
> [!NOTE] > In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == WonΓÇÖt run unless itΓÇÖs equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
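Review bot: The schedule fields are now correct, but the command part of the added line still will not run as intended. `[$(date +\%d) -le 15]` has no spaces inside the brackets, so the shell looks for a command with a name like `[07` instead of evaluating a test, and there is no `&&` between the test and `sudo apt-get`, so the upgrade is not conditional on it. Suggest `0 6 * * sun [ $(date +\%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log`. The NOTE below also needs a pass. A day-of-month of 15 or less matches the first two Sundays of a month (three when the 1st is a Sunday), not "every 3rd Sunday". With `CRON_TZ=America/Los_Angeles` the offset is UTC-8 only outside daylight saving time.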
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
The **Investigation API** exposes the richness of Defender for Endpoint - exposi
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
-## Raw data streaming API
-Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
+## Streaming API
+Streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
-The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
+Event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
-For more information, see [Raw data streaming API](raw-data-export.md).
+>[!NOTE]
+>Streaming API has now moved to Microsoft 365 Defender. For more information, see [Streaming API](raw-data-export.md).
## SIEM API
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
### System requirements -- Supported Linux server distributions and versions:
+- Supported Linux server distributions and x64 (AMD64/EM64T) versions:
- Red Hat Enterprise Linux 7.2 or higher - CentOS 7.2 or higher
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
There are some minimum requirements for onboarding devices to the service. Learn
> - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements+ Microsoft Defender for Endpoint requires one of the following Microsoft volume licensing offers: - Windows 10 Enterprise E5
For more information on the array of features in Windows 10 editions, see [Compa
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf). ## Browser requirements+ Access to Defender for Endpoint is done through a browser, supporting the following browsers: - Microsoft Edge
Access to Defender for Endpoint is done through a browser, supporting the follow
## Hardware and software requirements ### Supported Windows versions-- Windows 7 SP1 Enterprise ([Requires ESU for support](https://docs.microsoft.com/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)-- Windows 7 SP1 Pro ([Requires ESU for support](https://docs.microsoft.com/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)+
+- Windows 7 SP1 Enterprise ([Requires ESU for support](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)
+- Windows 7 SP1 Pro ([Requires ESU for support](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)
- Windows 8.1 Enterprise - Windows 8.1 Pro - Windows 10 Enterprise
The hardware requirements for Defender for Endpoint on devices are the same for
### Other supported operating systems+ - [Android](microsoft-defender-endpoint-android.md) - [iOS](microsoft-defender-endpoint-ios.md) - [Linux](microsoft-defender-endpoint-linux.md) - [macOS](microsoft-defender-endpoint-mac.md) > [!NOTE]
-> You'll need to confirm the Linux distributions and versions of Android, iOS and macOS you've are compatible with Defender for Endpoint for the integration to work.
+> You'll need to confirm the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint for the integration to work.
### Network and data storage and configuration requirements+ When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender for Endpoint-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE]
You'll need to set the service to automatically start if the **START_TYPE** isn'
#### Internet connectivity+ Internet connectivity on devices is required either directly or through proxy. The Defender for Endpoint sensor can use a daily average bandwidth of 5 MB to communicate with the Defender for Endpoint cloud service and report cyber data. One-off activities such as file uploads and investigation package collection aren't included in this daily average bandwidth.
Before you onboard devices, the diagnostic data service must be enabled. The ser
## Microsoft Defender Antivirus configuration requirement+ The Defender for Endpoint agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
-Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+Configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
When Microsoft Defender Antivirus isn't the active antimalware in your organization and you use the Defender for Endpoint service, Microsoft Defender Antivirus goes on passive mode. If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-If you're onboarding servers and Microsoft Defender Antivirus isn't the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus-compatibility.md).
+If you're onboarding servers and Microsoft Defender Antivirus isn't the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
> [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled+ If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Related topics+ - [Set up Microsoft Defender for Endpoint deployment](production-deployment.md) - [Onboard devices](onboard-configure.md)
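Review bot: The new compatibility link in the servers paragraph is rooted at `/security/defender-endpoint/microsoft-defender-antivirus-compatibility`, while the site-relative link to the same docset in the Linux update change on this page is rooted at `/microsoft-365/security/defender-endpoint/...`. Please confirm the shorter path resolves, or use a file-relative link since the target sits in the same folder. The Security intelligence updates link in this hunk still points under `/windows/security/threat-protection/microsoft-defender-antivirus/`, whereas the evaluation lab change replaced a link from that same tree with a file-relative `.md` reference. It is worth checking whether `manage-updates-baselines-microsoft-defender-antivirus` has moved as well.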
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
Review the following details to verify minimum system requirements:
> Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. > Don't install .NET Framework 4.0.x, since it will negate the above installation. -- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
+- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](/azure/log-analytics/log-analytics-concept-hybrid#prerequisites).
Once completed, you should see onboarded endpoints in the portal within an hour.
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint. > Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).-
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
Title: Stream Microsoft Defender for Endpoint events to Azure Event Hubs
-description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hub.
+ Title: Stream Microsoft 365 Defender events to Azure Event Hubs
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Event Hub.
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hubs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
-1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant.
+1. Create an [event hub](/azure/event-hubs/) in your tenant.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+
+3. Create an Event Hub Namespace, go to **Event Hubs > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hubs | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights**.
+4. Once the event hub namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level). Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignements**.
## Enable raw data streaming:
-1. Log in to the [Microsoft Defender Security Center](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
+1. Log in to the [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to the [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+2. Go to the [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
-3. Click on **Add data export settings**.
+3. Click on **Add**.
4. Choose a name for your new settings. 5. Choose **Forward events to Azure Event Hubs**.
-6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
+6. You can select if you want to export the event data to a single event hub, or to export each event table to a different even hub in your event hub namespace.
- In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+7. To export the event data to a single event hub, Enter your **Event Hub name** and your **Event Hub resource ID**.
+
+ To get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
![Image of event hub resource Id1](images/event-hub-resource-id.png)
-7. Choose the events you want to stream and click **Save**.
+8. Choose the events you want to stream and click **Save**.
## The schema of the events in Azure Event Hubs:
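Review bot: The role assignment in the new step 4 under "Before you begin" needs tightening. It refers to "the App Registration Service Principal" although none of steps 1 to 3 creates or names an app registration, and the parenthetical "(this can also be done at Resource Group or Subscription level)" invites granting Contributor well beyond the event hub namespace that the procedure actually needs. Suggest stating which app registration is meant and recommending the namespace scope, with the broader scopes mentioned only as a fallback. Typos in the added lines: "Role assignements" (step 4), "different even hub" (step 6), and the capital in "single event hub, Enter" (step 7).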
ms.technology: mde
{ "records": [ {
- "time": "<The time WDATP received the event>"
+ "time": "<The time Microsoft 365 Defender received the event>"
"tenantId": "<The Id of the tenant that the event belongs to>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
- "properties": { <WDATP Advanced Hunting event as Json> }
+ "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
} ... ]
ms.technology: mde
- Each event hub message in Azure Event Hubs contains list of records. -- Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+- Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+
+- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).
+
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
-- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+9. To export each event table to a different event hub, simply leave the **Event hub name** empty, and Microsoft 365 Defender will do the rest.
-- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: To get the data types for event properties do the following:
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
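Review bot: The added item "9. To export each event table to a different event hub" lands among the schema bullets, after the "The schema of the events" heading. It also comes after step 8 ("Choose the events you want to stream and click **Save**"), so a reader following the procedure has already saved before reaching the per-table option. Move it next to step 7 as the alternative to the single-hub case, and replace "Microsoft 365 Defender will do the rest" with what is actually created in the namespace. The hunk also drops the "See [Device Groups](machine-groups.md)" pointer from the MachineGroup bullet. If that was only because the relative path no longer resolves, keep the reference with the updated path. The data types step now says "Microsoft 365 security center" while the earlier procedure says "Microsoft 365 Defender security center"; pick one name.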
To get the data types for event properties do the following:
![Image of event hub resource Id2](images/machine-info-datatype-example.png) ## Related topics-- [Overview of Advanced Hunting](advanced-hunting-overview.md)-- [Microsoft Defender for Endpoint streaming API](raw-data-export.md)-- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)-- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)-- [Troubleshoot connectivity issues - Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/troubleshooting-guide)
+- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Microsoft 365 Defender streaming API](raw-data-export.md)
+- [Stream Microsoft 365 Defender events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Event Hubs documentation](/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
Title: Stream Microsoft Defender for Endpoint events to your Storage account
-description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account.
+ Title: Stream Microsoft 365 Defender events to your Storage account
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin:
-1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
+1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
## Enable raw data streaming:
-1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
+1. Log in to [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
+2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender Security Center.
3. Click on **Add data export settings**.
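Review bot: In step 2 of "Enable raw data streaming" the link now targets security.microsoft.com, but the sentence still ends "in Microsoft Defender Security Center", while step 1 directly above was renamed to "Microsoft 365 Defender security center". Align the portal name. Step 3 is left as "Click on **Add data export settings**", whereas the Event Hubs article changed the same step to "Click on **Add**" for the same settings page, so one of the two is out of date.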
ms.technology: mde
5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage Account Resource ID**:
![Image of event hub resource ID1](images/storage-account-resource-id.png)
ms.technology: mde
``` {
- "time": "<The time WDATP received the event>"
+ "time": "<The time Microsoft 365 Defender received the event>"
"tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
- "properties": { <WDATP Advanced Hunting event as Json> }
+ "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
} ```
ms.technology: mde
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". -- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).
-- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: In order to get the data types for our events properties do the following:
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
+1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
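Review bot: The first bullet of this hunk was left unchanged and still says "the time Defender for Endpoint received the event", while the sample record above it and the matching bullet in the Event Hubs article now say Microsoft 365 Defender. Update it for consistency. As in the Event Hubs article, the MachineGroup bullet loses its "See [Device Groups](machine-groups.md)" pointer without a replacement link.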
In order to get the data types for our events properties do the following:
![Image of event hub resource ID3](images/machine-info-datatype-example.png) ## Related topics-- [Overview of Advanced Hunting](advanced-hunting-overview.md)-- [Microsoft Defender for Endpoint Streaming API](raw-data-export.md)-- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)-- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
+- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Microsoft 365 Defender Streaming API](raw-data-export.md)
+- [Stream Microsoft 365 Defender events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
Title: Stream Microsoft Defender for Endpoint event
-description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to Event Hubs or Azure storage account
+ Title: Stream Microsoft 365 Defender events
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to Event Hubs or Azure storage account
keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Raw Data Streaming API
+# Streaming API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
-Defender for Endpoint supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/).
+Microsoft 365 Defender supports streaming all the events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
## In this section Topic | Description :|:
-[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
-[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
+[Stream events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to Event Hubs.
+[Stream events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to your Azure storage account.
## Related topics-- [Overview of Advanced Hunting](advanced-hunting-overview.md)-- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/)-- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview)
+- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Azure Event Hubs documentation](/azure/event-hubs/)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
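Review bot: In the rewritten introductory sentence the "[Azure storage account]" link still points to `/azure/event-hubs/`, the same target as the Event Hubs link beside it. The Related topics list in this same change uses `/azure/storage/common/storage-account-overview` for storage, which is presumably what was intended here too. The section heading "Stream Advanced Hunting events to Event Hubs and/or Azure storage account." also keeps its trailing period, which the other headings do not have.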
security Api Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md
Title: Microsoft 365 Defender incidents APIs and the incident resource type
-description: Learn about the methods and properties of the Incident resource type in Microsoft 365 Defender
+ Title: Microsoft 365 Defender incidents APIs and the incidents resource type
+description: Learn about the methods and properties of the Incidents resource type in Microsoft 365 Defender
keywords: incident, incidents, api search.product: eADQiWindows 10XVcnh ms.prod: m365-security
search.appverid:
ms.technology: m365d
-# Microsoft 365 Defender incidents API and the incident resource type
+# Microsoft 365 Defender incidents API and the incidents resource type
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:** -- Microsoft 365 Defender
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
ms.technology: m365d
**Applies to:** -- Microsoft 365 Defender
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Api Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md
Use the Microsoft 365 Defender APIs to automate workflows based on the shared in
- **[Cross-product threat hunting](api-advanced-hunting.md)** - Leverage your security team's organizational knowledge to hunt for signs of compromise, by creating your own custom queries to sift over raw data collected across multiple protection products.
+Use the [Streaming API](../defender-endpoint/raw-data-export.md) to ship real-time events and alerts from instances as they occur within a single data stream.
++ Along with these Microsoft 365 Defender-specific APIs, each of our other security products expose [additional APIs](api-articles.md) to help you take advantage of their unique capabilities.
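Review bot: The added Streaming API sentence does not mark the feature as preview, while the row added for the same feature in api-supported.md carries "(Preview)" and preview.md lists it under preview features; add the label here so readers who automate against it know it can change. "from instances" is also unclear: say where the events are shipped from and to (the preview.md bullet names Event Hubs and an Azure storage account as destinations). The sentence is a bare paragraph placed after a bulleted list of APIs; consider making it a bullet in the same bold-link style as the "Cross-product threat hunting" entry above it.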
security Api Supported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md
Article | Description
-|- [Advanced Hunting API](api-advanced-hunting.md) | Run Advanced Hunting queries. [Incident APIs](api-incident.md) | List and update incidents, along with other practical tasks.
+[Streaming API](../defender-endpoint/raw-data-export.md) (Preview) | Ship real-time events and alerts as they occur in a single data stream.
### Endpoint URIs
All APIs along the `/api` path use the [OData](/odata/overview) Protocol; for ex
- [Microsoft 365 Defender APIs overview](api-overview.md) - [Access the Microsoft 365 Defender APIs](api-access.md)
+- [Streaming API](../defender-endpoint/raw-data-export.md)
- [Learn about API limits and licensing](api-terms.md)-- [Understand error codes](api-error-codes.md)
+- [Understand error codes](api-error-codes.md)
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
Title: Update incident API
+ Title: Update incidents API
description: Learn how to update incidents using Microsoft 365 Defender API keywords: update, api, incident search.product: eADQiWindows 10XVcnh
search.appverid:
ms.technology: m365d
-# Update incident API
+# Update incidents API
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:** -- Microsoft 365 Defender
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/preview.md
You'll know you have preview features turned on when you see that the **Turn on
The following features and enhancements are currently available on preview:
+- **[Streaming API](../defender-endpoint/raw-data-export.md)** - Microsoft 365 Defender supports streaming all the events available through Advanced Hunting to an Event Hubs and/or Azure storage account.
- **[Microsoft 365 Defender APIs](api-overview.md)** - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables. -- **[Take action in advanced hunting](advanced-hunting-take-action.md)**ΓÇöQuickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md).-- **[In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)**ΓÇöGet information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries.-- **[DeviceFromIP() function](advanced-hunting-devicefromip-function.md)**ΓÇöGet information about which devices have been assigned a specific IP address or addresses at a given time range.
+- **[Take action in advanced hunting](advanced-hunting-take-action.md)** - Quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md).
+- **[In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)** - Get information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries.
+- **[DeviceFromIP() function](advanced-hunting-devicefromip-function.md)** - Get information about which devices have been assigned a specific IP address or addresses at a given time range.
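Review bot: In the added Streaming API bullet, "to an Event Hubs and/or Azure storage account" has a mismatched article and leaves it unclear whether one or both destinations can be configured; wording such as "to Azure Event Hubs, an Azure storage account, or both" reads cleanly. "Advanced Hunting" is capitalized in this bullet but lowercase in the three bullets re-added below it, so use one form. The link target sits under ../defender-endpoint/ while the bullet describes a Microsoft 365 Defender feature; confirm that the linked article covers what this bullet promises.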
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
+
+ Title: Admin review for reported messages
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+ - M365-security-compliance
+description: Learn how to review messages that are reported and give feedback to your users.
+ms.technology: mdo
++
+# Admin review for reported messages
++
+> [!NOTE]
+> The information in this article relates to a preview product that may be substantially modified before it's commercially released. This document is provided for evaluation and exploration purposes only.
+
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your adminΓÇÖs verdict as well.
+
+This feature is designed to give feedback to your users but does not change the verdicts of messages in the system. To help Microsoft update and improve its filters, you will need to submit messages for analysis using [Admin submission](admin-submission.md).
+
+You will only be able to mark and notify users of review results if the message was reported as a [false positives or false negatives](report-false-positives-and-false-negatives.md).
+
+## What do you need to know before you begin?
+
+- To modify the configuration for User submissions, you need to be a member of one of the following role groups:
+ - Organization Management or Security Administrator in the [Security center](permissions-microsoft-365-compliance-security.md).
+ - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo).
+
+- You'll also need access to the Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
+ - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
+ - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)
+
+## Configure the messages used to notify users
+
+1. In the [Microsoft 365 security center](../defender/overview-security-center.md), go to **Policies & rules** \> **Threat policies** \> **User reported message settings**.
+
+2. If you want to specify the sender display name, check the box for **Specify Office 365 email address to use as sender** under the **Email notifications for admin review results** section, and enter in the name you wish to use. This is the email address that will be visible in Outlook and where replies will go to.
+
+3. If you want to customize any of the templates, click **Customize email notification**. In this flyout, you will be able to customize only the following:
+ - Phishing
+ - Junk
+ - No threats found
+ - Awareness training
+ - Footer
+
+4. When you're finished, click **Save**. To clear these values, click **Discard** on the User submissions page.
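Review bot: Step 2 mixes up two different fields: it opens with "specify the sender display name", names a checkbox called **Specify Office 365 email address to use as sender**, asks the admin to "enter in the name", and then says "This is the email address that will be visible in Outlook". State whether the field takes a display name or an email address, because this is the sender end users will see on review-result notifications and the address their replies go to. Smaller points: "reported as a [false positives or false negatives]" should drop the "a" or use the singular, and step 4 refers to "the User submissions page" while step 1 sends the admin to **User reported message settings**. The prerequisites also require Exchange Online PowerShell access, but none of the four steps uses PowerShell; either say where it is needed or drop the requirement.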
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 P
- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information see [Microsoft 365 data locations](../../enterprise/o365-data-locations.md). Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, and KOR.
+- As of June 15 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training in the Microsoft Security Center to run realistic attack scenarios in your organization as described in this article. Attack simulation training is not yet available in GCC High or DoD environments.
+
+> [!NOTE]
+> Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
+ ## Simulations *Phishing* is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. *Phishing* is a part of a subset of techniques we classify as _social engineering_.
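Review bot: The GCC bullet is date-stamped "As of June 15 2021", which will read as stale once the date has passed; state the availability without the date, or keep the date in release notes only. The same bullet says "Microsoft Security Center", while the admin-review article added in this same update says "Microsoft 365 security center"; use one product name. In the E3 trial note, 'ISA Phishing' is not expanded or linked anywhere in the visible text, so an admin cannot tell which training experience is being offered.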
For step by step instructions on how to create a payload for use within a simula
For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md). > [!NOTE]
-> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Do not track user clicks** setting in Safe Links policies is turned on.
+> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Do not track user clicks** setting in Safe Links policies is turned on.
security Zero Hour Auto Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
By default, ZAP for phishing is enabled in anti-spam policies, and the default a
For more information about configuring spam filtering verdicts, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+### ZAP for high confidence phishing
+
+For **read or unread messages** that are identified as high confidence phishing after delivery, ZAP quarantines the message. Only admins can view and manage high confidence phish messages from quarantine.
+
+ZAP for high confidence phish is enabled by default. For more information, see [Secure by Default in Office 365](secure-by-default.md).
+ ### ZAP for spam For **unread messages** that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the **Spam** filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:
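Review bot: The new "ZAP for high confidence phishing" section says the feature is "enabled by default" but does not say whether an admin can turn it off or which policy setting controls it, whereas the spam section that follows ties the outcome to the configured filtering verdict action. Say so explicitly, even if the answer is that it cannot be changed, rather than leaving it to the Secure by Default link. The section also alternates between "high confidence phishing" and "high confidence phish"; use the heading's form throughout.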
ZAP still works as long as the message has not been deleted, or as long as the s
### How does ZAP affect mailboxes on hold?
-ZAP won't quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.
+ZAP will quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.
-For more information about holds in Exchange Online, see [In-Place Hold and Litigation Hold in Exchange Online](/Exchange/security-and-compliance/in-place-and-litigation-holds).
+For more information about holds in Exchange Online, see [In-Place Hold and Litigation Hold in Exchange Online](/Exchange/security-and-compliance/in-place-and-litigation-holds).
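Review bot: Changing "ZAP won't quarantine messages from mailboxes on hold" to "ZAP will quarantine messages from mailboxes on hold" reverses the documented behavior, so the paragraph should also say what happens to the held copy when a message is quarantined, since that is the question the heading asks. The unchanged second sentence ("ZAP can move messages to the Junk Email folder ...") was written as the contrast to "won't quarantine" and now reads as an unrelated statement; reword it so both outcomes are presented together. The final -/+ pair for the In-Place Hold link shows identical text, so it appears to be a whitespace-only change.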