-> To access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox doesn't require a separate license. Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You shouldn't use the account to log in to the shared mailbox. Without a license, shared mailboxes are limited to 50 GB. To increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license. The Exchange Online Plan 1 license with an Exchange Online Archiving add-on license will only increase the size of the archive mailbox. This will also let you enable auto-expanding archiving for additional archive storage capacity. Similarly, if you want to place a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. If you want to apply advanced features such as Microsoft Defender for Office 365, eDiscovery (Premium), or retention policies, the shared mailbox must be licensed for those features.

-You can't encrypt inbound mail from senders outside of your Exchange Online organization. If a mail flow rule is set up to encrypt mail from outside the organization, the mail will be rejected and returned to the sender.

-Here's a list of applicable role groups. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

-#### Adding the Chrome Extension to the ForceInstall List

-|Exchange email online|Yes |distribution group | data-in-motion| No |

-|SharePoint online sites|No |sites | data-at-rest </br> data-in-use | No|

-|OneDrive for Business accounts|Yes| account or distribution group |data-at-rest </br> data-in-use|No|

-|Teams chat and channel messages|Yes | account or distribution group |data-in-motion </br> data-in-use | No |

-|Microsoft Defender for Cloud Apps|No | cloud app instance |data-at-rest | - [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md#use-data-loss-prevention-policies-for-non-microsoft-cloud-apps) |

-|Devices|Yes |user or group |data-at-rest </br> data-in-use </br> data-in-motion |- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) </br>- [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) </br>- [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection) |

-|On-premises repositories (file shares and SharePoint)|No |repository | data-at-rest | - [Learn about the data loss prevention on-premises repositories](dlp-on-premises-scanner-learn.md) </br> - [Get started with the data loss prevention on-premises repositories](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-repositories) |

-|Power BI |No| workspaces | data-in-use | No|

-#### Exchange location scoping

-**Double Key Encryption** comes with Microsoft 365 E5. If you donΓÇÖt have a Microsoft 365 E5 license, you can sign up for a [trial](https://aka.ms/M365E5ComplianceTrial). For more information about these licenses, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

-**Azure Information Protection**. DKE works with sensitivity labels and requires Azure Information Protection.

-DKE sensitivity labels are made available to end users through the sensitivity button in the AIP Unified Labeling client in Office Desktop Apps, File Explorer right-click, AIP Powershell and the AIP scanner. Install these prerequisites on each client computer where you want to protect and consume protected documents.

-**Microsoft Office Apps for enterprise** version 2009 or later (Desktop versions of Word, Excel, PowerPoint and Outlook) on Windows.

-**Azure Information Protection Unified Labeling Client** versions 2.14.94.0 or later. Download and install the Unified Labeling client from the [Microsoft download center](https://www.microsoft.com/download/details.aspx?id=53018) for DKE label support in Word, Excel and PowerPoint. [Open a support case](/azure/information-protection/information-support#to-contact-microsoft-support) for Unified Labeling client versions with DKE label support in Outlook.

- If the value of either properties is set to **False**, a delay hold is not applied to the mailbox, and you can skip Step 4.

-4. Run the following command to prevent the Managed Folder Assistant from processing the mailbox. As previously explained, you can disable the Managed Folder Assistant only if a retention policy with a Preservation Lock is not applied to the mailbox.

-Organization-wide, Exchange-wide, and Teams-wide retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the **Get-OrganizationConfig** cmdlet in Step 1. Run the following command in [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell) to identify the organization-wide retention policies. Use the GUID (not including the `mbx` prefix) for the organization-wide retention policies that you identified in Step 1.

-After you identify the organization-wide retention policies, go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance portal, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy.

-After you've identified the name of the eDiscovery case and the hold, go to the **eDiscovery** \> **eDiscovery** page in the compliance center, open the case, and remove the mailbox from the hold. For more information about identifying eDiscovery holds, see the "eDiscovery holds" section in [How to identify the type of hold placed on an Exchange Online mailbox](ediscovery-identify-a-hold-on-an-exchange-online-mailbox.md#ediscovery-holds).

- - **Deletions**: Contains soft-deleted items whose deleted item retention period has not expired. Users can recover soft-deleted items from this subfolder using the Recover Deleted Items tool in Outlook.

-3. Use the **New-ComplianceSearch** cmdlet (in Security & Compliance PowerShell) or use the Content search tool in the compliance center to create a content search that returns items from the target user's Recoverable Items folder. You can do this by including the FolderId in the search query for all subfolders that you want to search. For example, the following query returns all messages in the Deletions and eDiscoveryHolds subfolders:

- Use the compliance portal to add the mailbox back to the retention policy. Go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance center, edit the retention policy, and add the mailbox back to the list of recipients that the retention policy is applied to.

- If you removed an organization-wide or Exchange-wide retention policy by excluding it from the policy, then use the compliance portal to remove the mailbox from the list of excluded users. Go to the **Data lifecycle management** > **Microsoft 365** > **Retention** page in the compliance center, edit the organization-wide retention policy, and remove the mailbox from the list of excluded recipients. Doing this will reapply the retention policy to the user's mailbox.

-After a sensitivity label has been applied to a site, you must be a [site admin](/sharepoint/site-permissions#site-admins) to change the label in SharePoint or Teams.

-Start-SPOCrossTenantGroupContentMove  -SourceGroupAlias <…> -TargetGroupAlias <…> -TargetCrossTenantHostUrl <…>

-|SourceSiteUrl|Full URL of the SharePoint Site of the on the Source tenant, for example: https://sourcetenant.sharepoint.com/sites/sitename|

-|TargetSiteUrl |Full URL of the SharePoint Site of the on the Target tenant, for example: https://targettenant.sharepoint.com/sites/newsitename.|

-The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days; the raw events under the **View details** shows events over the last 30 days.

-Answer: Run _mdatp device-control policy preferences list_, you will see all the iOS policies on this machine:

-Answer: Run _mdatp device-control policy rules list_, you will see all the iOS policies on this machine:ΓÇ»

-Answer 2: Run _mdatp device-control policy groups list_, you will see all the iOS groups on this machine:ΓÇ»

-Now, you have ΓÇÿgroupsΓÇÖ and ΓÇÿrulesΓÇÖ and ΓÇÿsettingsΓÇÖ, combine ΓÇÿsettingsΓÇÖ and ΓÇÿgroupsΓÇÖ and rules into one JSON, here is the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/examples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema to make ensure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).

-## Overveiw

-Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Apple APFS encrypted device and Bluetooth media with or without exclusions.

- - Run _mdatp version_ through Terminal, you will see product version on your client machine:

-| features | Feature specific configurations | You can set ΓÇÿdisableΓÇÖ false/true for following features: <br> <ul><li>removableMedia</li><li>appleDevice</li><li>portableDevice, including camera or PTP media</li><li>bluetoothDevice</li></ul> <br> Default is true, so if you do not configure this value, even you create custom policy for removableMedia, system will not apply because it is disabled by default. |

-| global | Set default enforcement | You can set **defaultEnforcement**: <br> <ul><li>allow: _default_</li><li>deny</li></ul> |

-| ux | You can set hyperlink on notification. | navigationTarget: string, for example, "http://www.microsoft.com". |

-| $type | The kind of group | ΓÇ£deviceΓÇ¥ |

-| id | GUID, a unique ID, represents the group and will be used in the policy. | You can generate ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS |

-| name | Friendly name for the group. | string |

-| query | The media coverage under this group | See the **query** properties tables below for details. |

-| $type | Identify the logical operation to perform on the clauses | **all**: Any attributes under the **clauses** will be an _And_ relationship. For example, if the administrator puts `vendorId` and `serialNumber`, for every connected USB, the system will check to see whether the USB meets both values.<br> **and**: is equivalent to _all_ <br> **any:** The attributes under the **clauses** will be _Or_ relationship. For example, if administrator puts `vendorId` and `serialNumber`, for every connected USB, system will do the enforcement as long as the USB has either an identical `vendorId` or `serialNumber` value. <br> **or**: is equivalent to _any_ |

-| clauses | Use media device property to set group condition. | An array of clause objects which are evaluated to determine group membership. See the [Clause](#clause) section below. |

-| $type | Identify the logical operation to perform on the subquery | not: logical negation of a query |

-| query | A subquery | **A query which will be negated.** |

-| $type | The type of clause | See the following table for supported clauses. |

-| value | $type specific value to use | |

-| primaryId | One of: <br>- apple_devices <br>-removable_media_devices <br>- portable_devices <br>- bluetooth_devices | |

-| vendorId | 4 digit hexadecimal string | Matches a deviceΓÇÖs vendor ID |

-| productId | 4 digit hexadecimal string | Matches a deviceΓÇÖs product ID |

-| serialNumber | string | Matches a deviceΓÇÖs serial number. Will not match if device does not have a serial number. |

-| encryption | apfs | Match if a device is apfs-encrypted. |

-| groupId | UUID string | Match if a device is a member of another group. ΓÇÿvalueΓÇÖ represents the UUID of the group to match against. <br> Note: The group must be defined within the policy prior to the clause. |

-| id | GUID, a unique ID, represents the rule and will be used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell <br> uuidgen |

-| name | String, the name of the policy and will display on the toast based on the policy setting. | |

-| includeGroups | The group(s) that the policy will be applied to. If multiple groups are specified, the policy will be applied to any media in all those groups. If not specified, the rule will be applied to all devices. | The **id** value inside the group must be used at this instance. If there are multiple groups in the `includeGroups`, it will be _AND_. <br> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` |

-| excludeGroups | The group(s) that the policy will not be applied to. | The **id** value inside the group must be used at this instance. If there are multiple groups in the excludeGroups, it will be _OR_. |

-| entries | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See entry properties table below to get details. |

-The following table lists the properties you can use in entry:

-| $type | | Includes: <br> <ul><li>removableMedia</li><li>appleDevice</li><li>PortableDevice</li><li>bluetoothDevice</li><li>generic</li></ul> |

-| enforcement | | <ul><li>$type:</li><ul><li>allow</li><li>deny</li><li>auditAllow</li><li>auditDeny</li></ul></ul><br> **When $type allow is selected, options value supports:** <br> <ul><li>`disable_audit_allow`: Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event.</li></ul> <br> **When $type deny is selected, options value supports:** <br> <ul><li>`disable_audit_deny`: Even if **Block** happens and the **auditDeny** is setting configured, the system won't show notification or send event.</li></ul><br> **When $type auditAllow is selected, options value supports:** <br> <ul><li>send_event</li></ul> <br> **When $type auditDeny is selected, options value supports: <br> <ul><li>send_event</li><li>show_notification</li></ul> |

-| access| |Specify one or more access rights for this rule. These may include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. |

-| id| UUID| |

-| $type | The type of enforcement | See table below for supported enforcements |

-| options | $type specific value to use | An array of options for the entry. May be omitted if not options are desired. |

-|Enforcement $type | ΓÇÿoptionsΓÇÖ values [string] | Description |

-| allow | disable_audit_allow | Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event. |

-| deny | disable_audit_deny | Even if **Block** happens and the auditDeny is setting configured, the system won't show notification or send event. |

-| auditAllow | send_event | Send telemetry |

-| auditDeny | <ol><li>send_event</li><li>show_notification/li></ol> | <ol><li>Send telemetry</li><li>Display Block UX to user/li></ol> |

-## Enduser experience

-Once Deny happens and the notification is enabled in the policy, the end user will see a dialog:

-You will be able to see the policy event on Advanced hunting and Device Control report. For more details, see [Protect your organization's data with Device Control](device-control-report.md).

-In this scenario, you need to create two groups: one group for any removable medias, and another group for approved USBs group. You also need to create an access policy rule.

-In this case, only have one access rule policy, but if you have multiple, make sure add all into ΓÇÿrulesΓÇÖ.

-# Expanded Microsoft Defender Experts for XDR preview

-The **Microsoft Defender Experts for XDR** (Defender Experts for XDR) preview is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD).

-In addition to the constantly updated research and intelligence tailored for the threats currently seen across the various Microsoft 365 Defender signals, as part of the preview, you'll receive guided response from our security analysts and support from Microsoft's security-focused service delivery managers (SDMs). In this preview, you can try the service for free and enjoy the following capabilities:

-## Prerequisites

-> [!NOTE]

-> The prerequisites specified in this section are currently applicable for preview.

-To enable us to get started with this managed service, we require the following prerequisites:

-Aside from the requirements stated above, to get Defender Experts for XDR coverage for the following eligible products, you must have their appropriate product licenses:

-This service is available worldwide for our customers in our commercial public clouds. We're gradually expanding the preview to more customers. If you're interested to learn more, reach out to your Microsoft account team.

-## Go to the next step

-[Get started](get-started-xdr.md)

-| **How is Microsoft Defender Experts for XDR different from Microsoft Defender Experts for Hunting?** | [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) provides threat hunting service to proactively find threats. This service is meant for customers that have a robust security operations center and want that deep expertise in hunting to expose advanced threats. Microsoft Defender Experts for XDR provides end-to-end security operations capabilities to monitor, investigate, and respond to security alerts. This service is meant for customers with constrained security operations centers (SOCs) that are overburdened with alert volume, in need of skilled experts, or both. Defender Experts for XDR also includes the proactive threat hunting offered by Defender Experts for Hunting|

-| **What products does Defender Experts for XDR operate on?** | Refer to the [Prerequisites](/microsoft-365/security/defender/dex-xdr-overview#prerequisites) section for details. |

-| **Is there a minimum criteria or size requirements to get Defender Experts for XDR?** | Not in preview. We'll evaluate and provide these requirements as part of our general availability. |

-| **Does Defender Experts for XDR replace my SOC team?** | No. Defender Experts for XDR is meant to augment your SOC team reducing their workload and collaborating with them to protect your organization from threat actors. But we don't replace your SOC team or their processes. |

-| **What actions can your experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a security reader role, they can investigate and provide guided response for your SOC team to act on. If our analysts are granted a security operator role, they can also take specific remediation actions agreed upon with your SOC team. Finally, if they're granted a security administrator role, they can take higher privilege actions like managing certain settings as agreed upon with you. |

-| **Can your experts help me improve my security posture?** | Yes, our experts will provide necessary guidance before and during the preview to improve your security posture. |

-| **Can Defender Experts for XDR help with an active compromise or vulnerability?** | No, Defender Experts currently don't provide incident response services. Contact your Microsoft representative to engage Microsoft Detection and Response Team (DART) for incident response assistance. |

-| **How can my organization participate in the Defender Experts for XDR preview?** |We're gradually expanding the preview to more customers. Contact your Microsoft representative to access the preview.|

-| **When will Defender Experts for XDR be generally available?** | We'll announce general availability dates closer to the launch date. |

-description: Once the Defender Experts for XDR team are ready to onboard you, we'll reach out to get you started.

-Once the Defender Experts for XDR team is ready to onboard you, we'll reach out to get you started.

-## Activate your trial license

-1. Select the link in the welcome email to go directly to the Defender Experts settings page in the Microsoft 365 Defender portal. You can also open this page by going to **Settings** > **Defender Experts**.

-2. Read the Defender Experts for XDR preview terms and conditions then select **Accept** to accept them.

-3. Get your free license in Microsoft 365 admin center. In the checkout page, select **Place order**.

-By default, Defender Experts for XDR requires the following permissions to investigate incidents and notify you when you need to take action:

-You can also provide our experts the following permissions to investigate incidents on your behalf:

-[Learn more about Azure AD roles and permissions](/azure/active-directory/roles/permissions-reference)

-Follow these steps to grant our experts additional permissions:

-1. In the same Defender Experts settings page mentioned earlier, select **Manage permissions**.

-2. Under **Additional permissions**, select the other role(s) you want to grant.

-3. Select **Give access**.

-> If you skip providing additional permissions, our experts won't be able to take certain response actions to secure your network.

-## Go to the next step

-[Start using Microsoft Defender Experts for XDR preview service](start-using-mdex-xdr.md)

-description: Defender Experts for XDR will help prioritizing and customizing recommendations to fit your environment

-# Start using Defender Experts for XDR preview service

-## Run initial Defender readiness checks

-Apart from onboarding service delivery, our expertise on the Microsoft 365 Defender product suite enables Defender Experts for XDR to run an initial readiness engagement to help you get the most out of your Microsoft security products. This engagement will be based on your [Microsoft Secure Score](microsoft-secure-score.md) and Defender Experts' policy recommendations. Our experts will help prioritizing and customizing our recommendations to fit your environment. They'll request your engagement to get those configurations implemented.

-Through a combination of automation and human expertise, our service triages Microsoft 365 Defender incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides detailed guided response to your security operations center (SOC) teams. Alternatively, our analysts can take a response step on your behalf.

-You'll receive detailed response playbooks via emails. You'll also be able to filter the Microsoft 365 Defender portal incident view using the _Defender Experts_ tag to see the current state of the incidents Defender Experts are actively investigating, or the incidents that require your action. Our analysts will also add relevant comments in Microsoft 365 Defender portal's **Comments & history** section so you and your SOC analysts can track the investigation progress.

-Response recommendations include, but aren't limited to:

-These recommendations also appear in the **Comments & history** section of each related incident in the Microsoft 365 Defender portal so you can view them at your convenience.

-Defender Experts for XDR will include an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) will also use the report to provide you with more context regarding your XDR Experts service during a monthly business review.

- - Provide unique service delivery content and reporting, including periodic business reviews.

-## Opt out of preview

-Consult your service delivery manager (SDM) to opt out of the preview.

-## See also

-[Read through frequently asked questions and answers](frequently-asked-questions.md)

-## SharePoint Syntex per-user licensing

-To use Microsoft Syntex, you must have a license for each Syntex user. If you remove all Syntex per-user licenses from your tenant at a future date (or your trial expires), users will no longer be able to create, publish, or run custom models. Additionally, term store reports, SKOS taxonomy import, and content type push will no longer be available. No models, content, or metadata will be deleted, and site permissions won't be changed.