Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Migrate Email | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/moveto-microsoft-365/migrate-email.md | description: "Learn how to migrate email, contacts, and calendar from Google Wor # Migrate business email and calendar from Google Workspace > [!NOTE]-> The videos and content in this article are meant to give Small and Medium business (SMB) customers a high-level overview of the process of how to use an automated batch migration in the Exchange admin center to migrate your users email, contacts, and calenders from Google Workspace. +> The videos and content in this article are meant to give customers a high-level overview of the process of how to use an automated batch migration in the Exchange admin center to migrate your users email, contacts, and calenders from Google Workspace. > > Please refer to the resource links provided in this article for additional detailed information needed to use the batch migration tool successfully. You can use the batch migration tool in the Exchange admin center to migrate ema An *automated* batch migration does some of the migration tasks for you, so it is recommended over the *manual* batch migration. -If you are a VSB (very small business) where you have a small number of users, it may be easier for you to migrate your email using a different method, such as [importing to Outlook through a PST file](https://support.microsoft.com/office/import-gmail-to-outlook-20fdb8f2-fed8-4b14-baf0-bf04b9c44bf7). - For more detailed information, see [Perform a Google Workspace migration to Microsoft 365](/exchange/mailbox-migration/perform-g-suite-migration). +> [!NOTE] +> You can also migrate your email from Google Workspace to Microsoft 365 through an [IMAP migration](/exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). You should compare methods to determine which is more suitable for migrating your email. ++It is recommended that you [get help from Microsoft](/microsoft-365/admin/get-help-support) or from a [partner](https://appsource.microsoft.com/en-us/marketplace/partner-dir) when planning to migrate with either of the above methods. ++If you are a VSB (very small business) where you have a small number of users, you should migrate your email using a different method, such as [importing to Outlook through a PST file](https://support.microsoft.com/office/import-gmail-to-outlook-20fdb8f2-fed8-4b14-baf0-bf04b9c44bf7). +++ ## Prerequisites for automated batch migration from Google Workspace Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198034). |
compliance | Audit Mailboxes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-mailboxes.md | f1.keywords: Previously updated : 01/01/2023 Last updated : 6/20/2023 audience: Admin ms.assetid: aaca8987-5b62-458b-9882-c28476a66918 - seo-marvel-apr2020 - admindeeplinkEXCHANGE-description: "Mailbox audit logging is turned on by default in Microsoft 365 (also called 'default mailbox auditing' or 'mailbox auditing on by default'). This configuration means that certain actions performed by mailbox owners, delegates, and admins are automatically logged in a mailbox audit log, where you can search for activities performed on the mailbox." +description: "Mailbox audit logging is turned on by default in Microsoft 365 (also called 'default mailbox auditing' or 'mailbox auditing on by default'). Certain actions done by mailbox owners, delegates, and admins are automatically logged in a mailbox audit log, where you can search for those activities." # Manage mailbox auditing -Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization. +Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually turn on mailbox auditing on each individual mailbox. Here are some benefits of mailbox auditing on by default: -- Auditing is automatically enabled when you create a new mailbox. You don't need to manually enable it for new users.-- You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).-- When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don't need to monitor add new actions on mailboxes.+- Auditing is automatically turned on when you create a new mailbox. You don't need to manually turn on mailbox auditing for new users. +- You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each sign-in type (Admin, Delegate, and Owner). +- When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This result means you don't need to add new actions on mailboxes as they're released. - You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes). > [!NOTE] To verify that mailbox auditing on by default is turned on for your organization Get-OrganizationConfig | Format-List AuditDisabled ``` -The value **False** indicates that mailbox auditing on by default is enabled for the organization. This on by default organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the *AuditEnabled* property is **False** on the mailbox), the default mailbox actions will still be audited for the mailbox, because mailbox auditing on by default is enabled for the organization. +The value **False** indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the *AuditEnabled* property on the mailbox is **False**), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization. -To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section later in this article. +To keep mailbox auditing disabled for specific mailboxes, you configure *mailbox auditing bypass* for the mailbox owner and other users with delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section later in this article. > [!NOTE] > When mailbox auditing on by default is turned on for the organization, the *AuditEnabled* property for affected mailboxes won't be changed from **False** to **True**. In other words, mailbox auditing on by default ignores the *AuditEnabled* property on mailboxes. ## Supported mailbox types -The following table shows the mailbox types that are currently supported by mailbox auditing on by default: +Mailbox types that are supported by mailbox auditing on by default are described in the following table: |Mailbox type|Supported| ||::|-|User mailboxes|![Check mark.](../media/checkmark.png)| -|Shared mailboxes|![Check mark.](../media/checkmark.png)| -|Microsoft 365 Group mailboxes|![Check mark.](../media/checkmark.png)| +|User mailboxes|Γ£ö| +|Shared mailboxes|Γ£ö| +|Microsoft 365 Group mailboxes|Γ£ö| |Resource mailboxes|| |Public folder mailboxes|| -## Logon types and mailbox actions +## Sign-in types and mailbox actions -Logon types classify the user that did the audited actions on the mailbox. The following list describes the logon types that are used in mailbox audit logging: +Sign-in types classify who's responsible for the audited actions on the mailbox. The following list describes the sign-in types that are used in mailbox audit logging: - **Owner**: The mailbox owner (the account that's associated with the mailbox). - **Delegate**: Logon types classify the user that did the audited actions on the mailbox. The f The following table describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes. -- A check mark (![Check mark.](../media/checkmark.png)) indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).-- An asterisk ( <sup>\*</sup> ) after the check mark indicates the mailbox action is logged by default for the logon type.+- A check mark (Γ£ö) indicates the mailbox action can be logged for the sign-in type (not all actions are available for all sign-in types). +- An asterisk ( <sup>\*</sup> ) after the check mark indicates the mailbox action is logged by default for the sign-in type. - Remember, an admin with Full Access permission to a mailbox is considered a delegate. |Mailbox action|Description|Admin|Delegate|Owner| |||::|::|::| |**AddFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||-|**ApplyRecord**|An item is labeled as a record.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>| -|**Copy**|A message was copied to another folder.|![Check mark.](../media/checkmark.png)||| -|**Create**|An item was created in the Calendar, Contacts, Draft, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)| -|**FolderBind**|A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. <br/><br/> **Note**: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period.|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)|| -|**HardDelete**|A message was purged from the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>| -|**MailboxLogin**|The user signed into their mailbox.|||![Check mark](../media/checkmark.png)| -|**MailItemsAccessed**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> Mail data is accessed by mail protocols and clients.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**MessageBind**|**Note**: This value is available only for users *without* E5/A5/G5 licenses. <br/><br/> A message was viewed in the preview pane or opened by an admin.|![Check mark](../media/checkmark.png)||| +|**ApplyRecord**|An item is labeled as a record.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**Copy**|A message was copied to another folder.|Γ£ö||| +|**Create**|An item was created in the Calendar, Contacts, Draft, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö| +|**FolderBind**|A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. <br/><br/> **Note**: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period.|Γ£ö|Γ£ö|| +|**HardDelete**|A message was purged from the Recoverable Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**MailboxLogin**|The user signed into their mailbox.|||Γ£ö| +|**MailItemsAccessed**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> Occurs when mail data is accessed by mail protocols and clients.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**MessageBind**|**Note**: This value is available only for users *without* E5/A5/G5 licenses. <br/><br/> A message was viewed in the preview pane or opened by an admin.|Γ£ö||| |**ModifyFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||-|**Move**|A message was moved to another folder.|![Check mark.](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| -|**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**RecordDelete**|An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).|![Check mark.](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| +|**Move**|A message was moved to another folder.|Γ£ö|Γ£ö|Γ£ö| +|**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**RecordDelete**|An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).|Γ£ö|Γ£ö|Γ£ö| |**RemoveFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||-|**SearchQueryInitiated**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.|||![Check mark](../media/checkmark.png)| -|**Send**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> The user sends an email message, replies to an email message, or forwards an email message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**SendAs**|A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| -|**SendOnBehalf**|A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| -|**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**Update**|A message or any of its properties was changed.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**UpdateCalendarDelegation**|A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.|![Check mark.](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**UpdateFolderPermissions**|A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**UpdateInboxRules**|An inbox rule was added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| +|**SearchQueryInitiated**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.|||Γ£ö| +|**Send**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Microsoft Purview Audit (Premium)](audit-premium-setup.md). <br/><br/> The user sends an email message, replies to an email message, or forwards an email message.|Γ£ö<sup>\*</sup>||Γ£ö<sup>\*</sup>| +|**SendAs**|A message was sent using the SendAs permission. This permission allows another user to send the message as though it came from the mailbox owner.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|| +|**SendOnBehalf**|A message was sent using the SendOnBehalf permission. This permission allows another user to send the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|| +|**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**Update**|A message or any of its properties was changed.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**UpdateCalendarDelegation**|A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.|Γ£ö<sup>\*</sup>||Γ£ö<sup>\*</sup>| +|**UpdateComplianceTag**|A retention label was updated.|Γ£ö|Γ£ö|Γ£ö| +|**UpdateFolderPermissions**|A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**UpdateInboxRules**|An inbox rule was added, removed, or changed. Inbox rules process messages in the user's Inbox based on conditions. Actions specify what to do to messages that match the conditions of the rule. For example, move the message to a specified folder or delete the message.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| > [!IMPORTANT]-> If you customized the mailbox actions to audit for any logon type *before* mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the [Restore the default mailbox actions](#restore-the-default-mailbox-actions) section later in this article. +> If you customized the mailbox actions to audit *before* mailbox auditing on by default was turned on in your organization, the customized mailbox auditing settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the [Restore the default mailbox actions](#restore-the-default-mailbox-actions) section later in this article. ### Mailbox actions for Microsoft 365 Group mailboxes -Mailbox auditing on by default brings mailbox audit logging to Microsoft 365 Group mailboxes, but you can't customize what's being logged (you can't add or remove mailbox actions that are logged for any logon type). +Mailbox auditing on by default brings mailbox audit logging to Microsoft 365 Group mailboxes, but you can't customize what's being logged (you can't add or remove mailbox actions that are logged for any sign-in type). -The following table describes the mailbox actions that are logged by default on Microsoft 365 Group mailboxes for each logon type. +The following table describes the mailbox actions that are logged by default on Microsoft 365 Group mailboxes for each sign-in type. Remember, an admin with Full Access permission to a Microsoft 365 Group mailbox is considered a delegate. |Mailbox action|Description|Admin|Delegate|Owner| |||::|::|::|-|**Create**|Creation of a calendar Item. Creating, sending, or receiving a message isn't audited.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| -|**HardDelete**|A message was purged from the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**SendAs**|A message was sent using the SendAs permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| -|**SendOnBehalf**|A message was sent using the SendOnBehalf permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| -|**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| -|**Update**|A message or any of its properties was changed.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| +|**Create**|Creation of a calendar Item. Creating, sending, or receiving a message isn't audited.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|| +|**HardDelete**|A message was purged from the Recoverable Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**SendAs**|A message was sent using the SendAs permission.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|| +|**SendOnBehalf**|A message was sent using the SendOnBehalf permission.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|| +|**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| +|**Update**|A message or any of its properties was changed.|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>| -### Verify that default mailbox actions are being logged for each logon type +### Verify that default mailbox actions are being logged for each sign-in type Mailbox auditing on by default adds a new *DefaultAuditSet* property to all mailboxes. The value of this property indicates whether the default mailbox actions (managed by Microsoft) are being audited on the mailbox. Get-Mailbox -Identity <MailboxIdentity> -GroupMailbox | Format-List DefaultAudit The value `Admin, Delegate, Owner` indicates: -- The default mailbox actions for all three logon types are being audited. This is the only value you'll see on Microsoft 365 Group mailboxes.-- An admin *hasn't* changed the audited mailbox actions for any logon type on a user mailbox or a shared mailbox. Note this is the default state after mailbox auditing on by default is initially turned on in your organization.+- The default mailbox actions for all three sign-in types are being audited. This value is the only value you see on Microsoft 365 Group mailboxes. +- An admin *hasn't* changed the audited mailbox actions for any sign-in type on a user mailbox or a shared mailbox. -If an admin has ever changed the mailbox actions that are audited for a logon type (by using the *AuditAdmin*, *AuditDelegate*, or *AuditOwner* parameters on the **Set-Mailbox** cmdlet), the property value will be different. +If an admin has ever changed the mailbox actions that are audited for a sign-in type (by using the *AuditAdmin*, *AuditDelegate*, or *AuditOwner* parameters on the **Set-Mailbox** cmdlet), the property value is different. For example, the value `Owner` for the *DefaultAuditSet* property on a user mailbox or shared mailbox indicates: - The default mailbox actions for the mailbox owner are being audited.-- The audited mailbox actions for the `Delegate` and `Admin` logon types have been changed from the default actions.+- The audited mailbox actions for the `Delegate` and `Admin` sign-in types have been changed from the default actions. -A blank value for the *DefaultAuditSet* property indicates the mailbox actions for all three logon types have been changed on the user mailbox or a shared mailbox. +A blank value for the *DefaultAuditSet* property indicates the mailbox actions for all three sign-in types have been changed on the user mailbox or a shared mailbox. For more information, see the [Change or restore mailbox actions logged by default](#change-or-restore-mailbox-actions-logged-by-default) section in this article Get-Mailbox -Identity <MailboxIdentity> | Select-Object -ExpandProperty AuditAdm ## Change or restore mailbox actions logged by default -As previously explained, one of the key benefits of having mailbox auditing on by default is: you don't need to manage the mailboxes actions that are audited. Microsoft does this for you and we'll automatically add new mailbox actions to be audited by default as they're released. +As previously explained, one of the key benefits of having mailbox auditing on by default is: you don't need to manage the mailboxes actions that are audited. Microsoft manages the actions for you, and we automatically add new mailbox actions to be audited by default as they're released. -However, your organization might be required to audit a different set of mailbox actions for user mailboxes and shared mailboxes. The procedures in this section show you how to change the mailbox actions that are audited for each logon type, and how to revert back to the Microsoft-managed default actions. +However, your organization might be required to audit a different set of mailbox actions for user mailboxes and shared mailboxes. The procedures in this section show you how to change the mailbox actions that are audited for each sign-in type, and how to revert back to the Microsoft-managed default actions. > [!IMPORTANT] > If you use the following procedures to customize the mailbox actions that are logged on user mailboxes or shared mailboxes, any new default mailbox actions released by Microsoft will not be automatically audited on those mailboxes. You'll need to manually add any new mailbox actions to your customized list of actions. Set-Mailbox -Identity "Team Discussion" -AuditDelegate @{Remove="MoveToDeletedIt Regardless of the method you use, customizing the audited mailbox actions on user mailboxes or shared mailboxes has the following results: -- For the logon type that you customized, the audited mailbox actions are no longer managed by Microsoft.-- The logon type that you customized is no longer displayed in the *DefaultAuditSet* property value for the mailbox as [previously described](#verify-that-default-mailbox-actions-are-being-logged-for-each-logon-type).+- For the sign-in type that you customized, the audited mailbox actions are no longer managed by Microsoft. +- The sign-in type that you customized is no longer displayed in the *DefaultAuditSet* property value for the mailbox as [previously described](#verify-that-default-mailbox-actions-are-being-logged-for-each-sign-in-type). ### Restore the default mailbox actions > [!NOTE] > The following procedures don't apply to Microsoft 365 Group mailboxes (they're limited to the default actions as described [here](#mailbox-actions-for-microsoft-365-group-mailboxes)). -If you customized the mailbox actions that are audited on a user mailbox or a shared mailbox, you can restore the default mailbox actions for one or all logon types by using this syntax: +If you customized the mailbox actions that are audited on a user mailbox or a shared mailbox, you can restore the default mailbox actions for one or all sign-in types by using this syntax: ```PowerShell Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet <Admin | Delegate | Owner> Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet <Admin | Delegate | Own You can specify multiple *DefaultAuditSet* values separated by commas -This example restores the default audited mailbox actions for all logon types on the mailbox mark@contoso.onmicrosoft.com. +This example restores the default audited mailbox actions for all sign-in types on the mailbox mark@contoso.onmicrosoft.com. ```PowerShell Set-Mailbox -Identity mark@contoso.onmicrosoft.com -DefaultAuditSet Admin,Delegate,Owner ``` -This example restores the default audited mailbox actions for the Admin logon type on the mailbox chris@contoso.onmicrosoft.com, but leaves the customized audited mailbox actions for the Delegate and Owner logon types. +This example restores the default audited mailbox actions for the Admin sign-in type on the mailbox chris@contoso.onmicrosoft.com, but leaves the customized audited mailbox actions for the Delegate and Owner sign-in types. ```PowerShell Set-Mailbox -Identity chris@contoso.onmicrosoft.com -DefaultAuditSet Admin ``` -Restoring he default audited mailbox actions for a logon type has the following results: +Restoring the default audited mailbox actions for a sign-in type has the following results: -- The current list of mailbox actions is replaced with the default mailbox actions for the logon type.-- Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the logon type.-- The *DefaultAuditSet* property value for the mailbox is updated to include the restored logon type.+- The current list of mailbox actions is replaced with the default mailbox actions for the sign-in type. +- Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the sign-in type. +- The *DefaultAuditSet* property value for the mailbox is updated to include the restored sign-in type. ## Turn off mailbox auditing on by default for your organization Set-OrganizationConfig -AuditDisabled $true Turning off mailbox auditing on by default has the following results: -- Mailbox auditing is disabled for your organization.-- From the time you disabled mailbox auditing on by default, no mailbox actions are audited, even if auditing is enabled on a mailbox (the *AuditEnabled* property on the mailbox is **True**).-- Mailbox auditing isn't enabled for new mailboxes and setting the *AuditEnabled* property on a new or existing mailbox to **True** will be ignored.+- Mailbox auditing is turned off for your organization. +- From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the *AuditEnabled* property on the mailbox is **True**). +- Mailbox auditing isn't turned on for new mailboxes and setting the *AuditEnabled* property on a new or existing mailbox to **True** is ignored. - Any mailbox audit bypass association settings (configured by using the **Set-MailboxAuditBypassAssociation** cmdlet) are ignored. - Existing mailbox audit records are retained until the audit log age limit for the record expires. The value **True** indicates that mailbox audit logging is bypassed for the user ## More information -- As previously mentioned, although mailbox audit logging on by default is enabled for all organizations, only users with [licenses that include Audit (Premium)](audit-solutions-overview.md#audit-premium-1) (collectively referred to in this article as *E5/A5/G5 licenses*) will return mailbox audit log events in [audit log searches in the Microsoft Purview compliance portal](audit-log-search.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**.+- As previously mentioned, although mailbox audit logging on by default is turned on for all organizations, only users with [licenses that include Audit (Premium)](audit-solutions-overview.md#audit-premium-1) (collectively referred to in this article as *E5/A5/G5 licenses*) return mailbox audit log events in [audit log searches in the Microsoft Purview compliance portal](audit-log-search.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**. To retrieve mailbox audit log entries for users without E5/A5/G5 licenses, you can use any of the following workarounds: - - Manually enable mailbox auditing on individual mailboxes (run the command, `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`). After you do this, you can use audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API. + - Manually turn on mailbox auditing on individual mailboxes (run the command, `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`). After you run the command, you can use audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API. > [!NOTE] > If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the *AuditEnabled* parameter to `$false` and then back to `$true`. |
compliance | Communication Compliance Reports Audits | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-reports-audits.md | f1.keywords: Previously updated : 04/14/2023 Last updated : 06/12/2023 audience: Admin f1_keywords: Use the *Export* option to create a .csv file containing the report details for - User notified - Case created -- **Sensitive information type per location**: Review and export information about the detection of sensitive information types and the associated sources in communication compliance policies. Includes the overall total and the specific breakdown of sensitive information type instances in the sources configured in your organization. The values for each third-party source are displayed in separate columns in the .csv file. Examples are:+> [!NOTE] +> The items and actions displayed are only for the items and actions *matched* during the date range included in the date range filter mentioned above. ++- **Sensitive information type per location** (preview): Review and export information about the detection of sensitive information types and the associated sources in communication compliance policies. Includes the overall total and the specific breakdown of sensitive information type instances in the sources configured in your organization. The values for each third-party source are displayed in separate columns in the .csv file. Examples are: - **Email**: Sensitive information types detected in Exchange email messages. - **Teams**: Sensitive information types detected in Microsoft Teams channels and chat messages. |
compliance | Deploy Scanner Configure Install | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-configure-install.md | Before you install the scanner, or upgrade it from an older general availability 1. Sign in to the [Microsoft Purview compliance portal](https://compliance.microsoft.com) with one of the following roles: - - **Global administrator** - **Compliance administrator** - **Compliance data administrator**- - **Security administrator** - - **Security operator** - - **Security reader** - - **Global reader** + - **Organization Management** Then, navigate to the **Settings** pane. |
compliance | Sensitivity Labels Versions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md | The numbers listed are the minimum Office application versions required for each |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) |Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |2.21+ |16.0.11231+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Dynamic markings with variables](sensitivity-labels-office-apps.md#dynamic-markings-with-variables) |Current Channel: 2010+ <br /><br> Monthly Enterprise Channel: 2010+ <br /><br> Semi-Annual Enterprise Channel: 2102+ |16.42+ |2.42+ |16.0.13328+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) |Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |2.21+ |16.0.11231+ |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |-|[Let users assign permissions: <br /> - Prompt users for custom permissions (users and groups)](encryption-sensitivity-labels.md#let-users-assign-permissions) |Current Channel: 2004+ <br /><br> Monthly Enterprise Channel: 2004+ <br /><br> Semi-Annual Enterprise Channel: 2008+ |16.35+ |Under review | Under review | Under review | +|[Let users assign permissions: <br /> - Prompt users for custom permissions (users and groups)](encryption-sensitivity-labels.md#let-users-assign-permissions) |Current Channel: 2004+ <br /><br> Monthly Enterprise Channel: 2004+ <br /><br> Semi-Annual Enterprise Channel: 2008+ |16.35+ |Under review | Under review | [Preview: Rolling out](sensitivity-labels-sharepoint-onedrive-files.md#support-for-labels-configured-for-user-defined-permissions) | |[Let users assign permissions: <br /> - Prompt users for custom permissions (users, groups, and organizations)](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions)|Current Channel: 2212+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+|Under review|Under review|Under review| [Preview: Rolling out](sensitivity-labels-sharepoint-onedrive-files.md#support-for-labels-configured-for-user-defined-permissions)| |[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities): <br /> - Excludes encryption details |Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.43+ |2.46+ |16.0.13628+ |Yes | |[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities): <br /> - Includes encryption details |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |16.70+ |2.70+ |16.0.16130+ |Under review | |
enterprise | Administering Exchange Online Multi Geo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/administering-exchange-online-multi-geo.md | Title: "Administering Exchange Online mailboxes in a multi-geo environment" Previously updated : 08/10/2020 Last updated : 6/20/2023 description: Learn how to administer Exchange Online multi-geo settings in your Exchange Online PowerShell is required to view and configure multi geo properties in your Microsoft 365 environment. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -You need the [Microsoft Azure Active Directory PowerShell Module](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx) v1.1.166.0 or later in v1.x to see the **PreferredDataLocation** property on user objects. User objects synchronized via AAD Connect into AAD cannot have their **PreferredDataLocation** value directly modified via AAD PowerShell. Cloud-only user objects can be modified via AAD PowerShell. To connect to Azure AD PowerShell, see [Connect to PowerShell](connect-to-microsoft-365-powershell.md). +You need the [Microsoft Azure Active Directory PowerShell Module](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx) v1.1.166.0 or later in v1.x to see the **PreferredDataLocation** property on user objects. User objects that are synchronized via Azure Active Direct Connect into Microsoft Azure Active Directory (Azure AD) have their **PreferredDataLocation** value directly modified via Azure AD PowerShell. Cloud-only user objects can be modified via Azure AD PowerShell. To connect to Azure AD PowerShell, see [Connect to PowerShell](connect-to-microsoft-365-powershell.md). -In Exchange Online multi-geo environments, you don't need to do any manual steps to add geos to your tenant. After you receive the Message Center post that says multi-geo is ready for Exchange Online, all available geos will be ready and configured for you to use. +In Exchange Online multi-geo environments, you don't need to do any manual steps to add geo locations to your tenant. After you receive the Message Center post that says multi-geo is ready for Exchange Online, all available geo locations are ready and configured for you to use. ## Connect directly to a geo location using Exchange Online PowerShell -Typically, Exchange Online PowerShell will connect to the central geo location. But, you can also connect directly to satellite geo locations. Because of performance improvements, we recommend connecting directly to the satellite geo location when you only manage users in that location. +Typically, Exchange Online PowerShell connects to the central geo location. But, you can also connect directly to satellite geo locations. Because of performance improvements, we recommend connecting directly to the satellite geo location when you only manage users in that location. The requirements for installing and using the Exchange Online PowerShell module are described in [Install and maintain the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-module). To connect Exchange Online PowerShell to a specific geo location, the _ConnectionUri_ parameter is different than the regular connection instructions. The rest of the commands and values are the same. -Specifically, you need to add the `?email=<emailaddress>` value to end of the _ConnectionUri_ value. `<emailaddress>` is the email address of **any** mailbox in the target geo location. Your permissions to that mailbox or the relationship to your credentials are not a factor; the email address simply tells Exchange Online PowerShell where to connect. +Specifically, you need to add the `?email=<emailaddress>` value to end of the _ConnectionUri_ value. `<emailaddress>` is the email address of **any** mailbox in the target geo location. Your permissions to that mailbox or the relationship to your credentials aren't a factor; the email address simply tells Exchange Online PowerShell where to connect. Microsoft 365 or Microsoft 365 GCC customers typically don't need to use the _ConnectionUri_ parameter to connect to Exchange Online PowerShell. But, to connect to a specific geo location, you do need to use _ConnectionUri_ parameter so you can use `?email=<emailaddress>` in the value. Get-OrganizationConfig | Select DefaultMailboxRegion The **Get-Mailbox** cmdlet in Exchange Online PowerShell displays the following multi-geo related properties on mailboxes: -- **Database**: The first 3 letters of the database name correspond to the geo code, which tells you where the mailbox is currently located. For Online Archive Mailboxes the **ArchiveDatabase** property should be used.+- **Database**: The first three letters of the database name correspond to the geo code, which tells you where the mailbox is currently located. For Online Archive Mailboxes the **ArchiveDatabase** property should be used. - **MailboxRegion**: Specifies the geo location code that was set by the admin (synchronized from **PreferredDataLocation** in Azure AD). The output of the command looks like this: ```powershell Database : EURPR03DG077-db007 MailboxRegion : EUR-MailboxRegionLastUpdateTime : 2/6/2018 8:21:01 PM +MailboxRegionLastUpdateTime : 2/6/2023 8:21:01 PM ``` > [!NOTE]-> If the geo location code in the database name doesn't match **MailboxRegion** value, the mailbox will be automatically be put into a relocation queue and moved to the geo location specified by the **MailboxRegion** value (Exchange Online looks for a mismatch between these property values). +> If the geo location code in the database name doesn't match **MailboxRegion** value, the mailbox is automatically put into a relocation queue and moved to the geo location specified by the **MailboxRegion** value (Exchange Online looks for a mismatch between these property values). ## Move an existing cloud-only mailbox to a specific geo location -A cloud-only user is a user not synchronized to the tenant via AAD Connect. This user was created directly in Azure AD. Use the **Get-MsolUser** and **Set-MsolUser** cmdlets in the Azure AD Module for Windows PowerShell to view or specify the geo location where a cloud-only user's mailbox will be stored. +A cloud-only user (a user created directly in Azure AD) is a user that's not synchronized to the tenant via Azure AD Connect. Use the **Get-MsolUser** and **Set-MsolUser** cmdlets in the Azure AD Module for Windows PowerShell to view or specify the geo location where a cloud-only user's mailbox is stored. To view the **PreferredDataLocation** value for a user, use this syntax in Azure AD PowerShell: Set-MsolUser -UserPrincipalName michelle@contoso.onmicrosoft.com -PreferredDataL > [!NOTE] >-> - As mentioned previously, you cannot use this procedure for synchronized user objects from on-premises Active Directory. You need to change the **PreferredDataLocation** value in Active Directory and synchronize it using AAD Connect. For more information, see [Azure Active Directory Connect sync: Configure preferred data location for Microsoft 365 resources](/azure/active-directory/connect/active-directory-aadconnectsync-feature-preferreddatalocation). +> - As mentioned previously, you can't use this procedure for synchronized user objects from on-premises Active Directory. You need to change the **PreferredDataLocation** value in Active Directory and synchronize it using Azure AD Connect. For more information, see [Azure Active Directory Connect sync: Configure preferred data location for Microsoft 365 resources](/azure/active-directory/connect/active-directory-aadconnectsync-feature-preferreddatalocation). > > - How long it takes to relocate a mailbox to a new geo location depends on several factors:-> > - The size and type of mailbox. > - The number of mailboxes being moved. > - The availability of move resources. ### Move an inactive mailbox to a specific geo +> [!NOTE] +> When you move an inactive mailbox to a different geo location, you might affect content search results or the ability to search the mailbox from the former geo location. For more information, see [Searching and exporting content in Multi-Geo environments](../compliance/set-up-compliance-boundaries.md#searching-and-exporting-content-in-multi-geo-environments). + You can't move inactive mailboxes that are preserved for compliance purposes (for example, mailboxes on Litigation Hold) by changing their **PreferredDataLocation** value. To move an inactive mailbox to a different geo, do the following steps: 1. Recover the inactive mailbox. For instructions, see [Recover an inactive mailbox](../compliance/recover-an-inactive-mailbox.md). You can't move inactive mailboxes that are preserved for compliance purposes (fo 7. Make the mailbox inactive again by removing the user account that's associated with the mailbox. For instructions, see [Delete a user from your organization](../admin/add-users/delete-a-user.md). This step also releases the Exchange Online Plan 2 license for other uses. -**Note**: When you move an inactive mailbox to a different geo location, you might affect content search results or the ability to search the mailbox from the former geo location. For more information, see [Searching and exporting content in Multi-Geo environments](../compliance/set-up-compliance-boundaries.md#searching-and-exporting-content-in-multi-geo-environments). - ## Create new cloud mailboxes in a specific geo location To create a new mailbox in a specific geo location, you need to do either of these steps: - Configure the **PreferredDataLocation** value as described in the previous [Move an existing cloud-only mailbox to a specific geo location](#move-an-existing-cloud-only-mailbox-to-a-specific-geo-location) section *before* you create the mailbox in Exchange Online. For example, configure the **PreferredDataLocation** value on a user before you assign a license.- - Assign a license at the same time you set the **PreferredDataLocation** value. -To create a new cloud-only licensed user (not AAD Connect synchronized) in a specific geo location, use the following syntax in Azure AD PowerShell: +To create a new cloud-only licensed user (not Azure AD Connect synchronized) in a specific geo location, use the following syntax in Azure AD PowerShell: ```powershell New-MsolUser -UserPrincipalName <UserPrincipalName> -DisplayName "<Display Name>" [-FirstName <FirstName>] [-LastName <LastName>] [-Password <Password>] [-LicenseAssignment <AccountSkuId>] -PreferredDataLocation <GeoLocationCode> ``` -This example create a new user account for Elizabeth Brunner with the following values: +This example creates a new user account for Elizabeth Brunner with the following values: - User principal name: ebrunner@contoso.onmicrosoft.com - First name: Elizabeth - Last name: Brunner - Display name: Elizabeth Brunner-- Password: randomly-generated and shown in the results of the command (because we're not using the *Password* parameter)+- Password: randomly generated and shown in the results of the command (because we're not using the *Password* parameter) - License: `contoso:ENTERPRISEPREMIUM` (E5) - Location: Australia (AUS) New-MsolUser -UserPrincipalName ebrunner@contoso.onmicrosoft.com -DisplayName "E For more information about creating new user accounts and finding LicenseAssignment values in Azure AD PowerShell, see [Create user accounts with PowerShell](create-user-accounts-with-microsoft-365-powershell.md) and [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md). > [!NOTE]-> If you are using Exchange Online PowerShell to enable a mailbox and need the mailbox to be created directly in the geo location that's specified in **PreferredDataLocation**, you need to use an Exchange Online cmdlet such as **Enable-Mailbox** or **New-Mailbox** directly against the cloud service. If you use the **Enable-RemoteMailbox** cmdlet in on-premises Exchange PowerShell, the mailbox will be created in the central geo location. +> If you're enabling a mailbox in Exchange Online PowerShell and need the mailbox to be created directly in the geo location that's specified in **PreferredDataLocation**, you need to use an Exchange Online cmdlet such as **Enable-Mailbox** or **New-Mailbox** directly in the cloud service. If you use the **Enable-RemoteMailbox** cmdlet in on-premises Exchange PowerShell, the mailbox is created in the central geo location. ## Onboard existing on-premises mailboxes in a specific geo location You can use the standard onboarding tools and processes to migrate a mailbox from an on-premises Exchange organization to Exchange Online, including the [Migration dashboard in the EAC](https://support.office.com/article/d164b35c-f624-4f83-ac58-b7cae96ab331), and the [New-MigrationBatch](/powershell/module/exchange/new-migrationbatch) cmdlet in Exchange Online PowerShell. -The first step is to verify a user object exists for each mailbox to be onboarded, and verify the correct **PreferredDataLocation** value is configured in Azure AD. The onboarding tools will respect the **PreferredDataLocation** value and will migrate the mailboxes directly to the specified geo location. +The first step is to verify a user object exists for each mailbox to be onboarded, and verify the correct **PreferredDataLocation** value is configured in Azure AD. The onboarding tools respect the **PreferredDataLocation** value and migrate the mailboxes directly to the specified geo location. Or, you can use the following steps to onboard mailboxes directly in a specific geo location using the [New-MoveRequest](/powershell/module/exchange/new-moverequest) cmdlet in Exchange Online PowerShell. -1. Verify the user object exists for each mailbox to be onboarded and that **PreferredDataLocation** is set to the desired value in Azure AD. The value of **PreferredDataLocation** will be synchronized to the **MailboxRegion** attribute of the corresponding mail user object in Exchange Online. +1. Verify the user object exists for each mailbox to be onboarded and that **PreferredDataLocation** is set to the desired value in Azure AD. The value of **PreferredDataLocation** is synchronized to the **MailboxRegion** attribute of the corresponding mail user object in Exchange Online. -2. Connect directly to the specific satellite geo location using the connection instructions from earlier in this topic. +2. Connect directly to the specific satellite geo location using the connection instructions from earlier in this article. 3. In Exchange Online PowerShell, store the on-premises administrator credentials that's used to perform a mailbox migration in a variable by running the following command: Or, you can use the following steps to onboard mailboxes directly in a specific New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $RC -Identity user@contoso.com -TargetDeliveryDomain <YourAppropriateDomain> ``` -5. Repeat step #4 for every mailbox you need to migrate from on-premises Exchange to the satellite geo location you are currently connected to. +5. Repeat step #4 for every mailbox you need to migrate from on-premises Exchange to the satellite geo location you're currently connected to. 6. If you need to migrate additional mailboxes to different satellite geo locations, repeat steps 2 through 4 for each specific location. Or, you can use the following steps to onboard mailboxes directly in a specific > [!NOTE] > The multi-geo reporting feature is currently in Preview, is not available in all organizations, and is subject to change. -**Multi-Geo Usage Reports** in the Microsoft 365 admin center displays the user count by geo location. The report displays user distribution for the current month and provides historical data for the past 6 months. +**Multi-Geo Usage Reports** in the Microsoft 365 admin center displays the user count by geo location. The report displays user distribution for the current month and provides historical data for the past six months. ## See also |
enterprise | Multi Geo Capabilities In Exchange Online | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online.md | Title: "Exchange Multi-Geo" Previously updated : 08/10/2020 Last updated : 6/20/2023 In a multi-geo environment, you can select the location of Exchange Online mailb You can place mailboxes in satellite geo locations by: - Creating a new Exchange Online mailbox directly in a satellite geo location.- - Moving an existing Exchange Online mailbox to a satellite geo location by changing the user's preferred data location.- - Onboarding a mailbox from an on-premises Exchange organization directly into a satellite geo location. > [!NOTE]-> This feature does not guarantee email routing through a dedicated geo-specific region (data in transit). +> This feature doesn't guarantee email routing through a dedicated geo-specific region (data in transit). ## Mailbox placement and moves -After Microsoft completes the prerequisite multi-geo configuration steps, Exchange Online will honor the **PreferredDataLocation** attribute on user objects in Azure AD. --Exchange Online synchronizes the **PreferredDataLocation** property from Azure AD into the **MailboxRegion** property in the Exchange Online directory service. The value of **MailboxRegion** determines the geo location where user mailboxes and any associated archive mailboxes will be placed. It is not possible to configure a user's primary mailbox and archive mailboxes to reside in different geo locations. Only one geo location may be configured per user object. --- When **PreferredDataLocation** is configured on a user with an existing mailbox, the mailbox will be put into a relocation queue and automatically moved to the specified geo location.+After Microsoft completes the prerequisite multi-geo configuration steps, Exchange Online will honor the **PreferredDataLocation** attribute on user objects in Microsoft Azure Active Directory (Azure AD). -- When **PreferredDataLocation** is configured on a user without an existing mailbox, when you provision the mailbox, it will be provisioned into the specified geo location.+Exchange Online synchronizes the **PreferredDataLocation** property from Azure AD into the **MailboxRegion** property in the Exchange Online directory service. The value of **MailboxRegion** determines the geo location where user mailboxes and any associated archive mailboxes are placed. It isn't possible to configure a user's primary mailbox and archive mailboxes to reside in different geo locations. Only one geo location per user object is allowed. -- When **PreferredDataLocation** is not specified on a user, when you provision the mailbox, it will be provisioned in the central geo location.+- When **PreferredDataLocation** is configured on a user with an existing mailbox, the mailbox is put into a relocation queue and automatically moved to the specified geo location. +- When **PreferredDataLocation** is configured on a user without an existing mailbox, the mailbox is provisioned into the specified geo location when you provision the mailbox. +- When **PreferredDataLocation** isn't specified on a user, the mailbox is provisioned in the central geo location when you provision the mailbox. +- If the **PreferredDataLocation** code is incorrect (for example, a typo of NAN instead of NAM), the mailbox is provisioned in the central geo location. -- If the **PreferredDataLocation** code is incorrect (e.g. a typo of NAN instead of NAM), the mailbox will be provisioned in the central geo location.--**Note**: Multi-geo capabilities and Skype for Business Online regionally hosted meetings both use the **PreferredDataLocation** property on user objects to locate services. If you configure **PreferredDataLocation** values on user objects for regionally hosted meetings, the mailbox for those users will be automatically moved to the specified geo location after multi-geo is enabled on the Microsoft 365 tenant. +> [!NOTE] +> Multi-geo capabilities and Microsoft Teams regionally hosted meetings both use the **PreferredDataLocation** property on user objects to locate services. If you configure **PreferredDataLocation** values on user objects for regionally hosted meetings, the mailbox for those users will be automatically moved to the specified geo location after multi-geo is enabled on the Microsoft 365 tenant. ## Feature limitations for multi-geo in Exchange Online -- Security and compliance features (for example, auditing and eDiscovery) that are available in the Exchange admin center (EAC) aren't available in multi-geo organizations. Instead, you need to use the [Microsoft 365 Security & Compliance Center](https://support.office.com/article/7e696a40-b86b-4a20-afcc-559218b7b1b8) to configure security and compliance features.- - Outlook for Mac users may experience a temporary loss of access to their Online Archive folder while you move their mailbox to a new geo location. This condition occurs when the user's the primary and archive mailboxes are in different geo locations, because cross-geo mailbox moves may complete at different times. - Users can't share *mailbox folders* across geo locations in Outlook on the web (formerly known as Outlook Web App or OWA). For example, a user in the European Union can't use Outlook on the web to open a shared folder in a mailbox that's located in the United States. However, Outlook on the Web users can open *other mailboxes* in different geo locations by using a separate browser window as described in [Open another person's mailbox in a separate browser window in Outlook Web App](https://support.office.com/article/A909AD30-E413-40B5-A487-0EA70B763081#__toc372210362). Exchange Online synchronizes the **PreferredDataLocation** property from Azure A - Public folders are supported in multi-geo organizations. However, the public folders must remain in the central geo location. You can't move public folders to satellite geo locations. -- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are available for all locations via [Microsoft Purview](/microsoft-365/compliance/audit-solutions-overview) and the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md).+- In a multi-geo environment, cross-geo mailbox auditing isn't supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user aren't logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are available for all locations via [Microsoft Purview](/microsoft-365/compliance/audit-solutions-overview) and the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md). |
enterprise | Setup Guides For Microsoft 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md | Advanced deployment guides in the admin center require authentication to a Micro ||[Deploy and update Microsoft 365 Apps with Configuration Manager advisor](https://go.microsoft.com/fwlink/?linkid=2224459)|For organizations using Configuration Manager, you can use the **Deploy and update Microsoft 365 Apps with Configuration Manager advisor** to generate a script that will automatically configure your Microsoft 365 Apps deployment using best practices recommended by FastTrack engineers. Use this guide to build your deployment groups, customize your Office apps and features, configure dynamic or lean installations, and then run the script to create the applications, automatic deployment rules, and device collections you need to target your deployment.| ||[Intune Configuration Manager co-management setup guide](https://go.microsoft.com/fwlink/?linkid=2224782)|Use the **Intune Configuration Manager co-management setup guide** to set up existing Configuration Manager client devices and new internet-based devices that your org wants to co-manage with both Microsoft Intune and Configuration Manager. Co-management allows you to manage Windows 10 devices and adds new functionality to your org's devices, while receiving the benefits of both solutions.| ||[SDS Rollover setup guide](https://go.microsoft.com/fwlink/?linkid=2224792)|The **SDS Rollover setup guide** provides the steps to help your organization sync student information data to Azure Active Directory and Office 365. This guide streamlines the term lifecycle management process by creating Office 365 Groups for Exchange Online and SharePoint Online, class teams for Microsoft Teams and OneNote, as well as Intune for Education, and rostering and single sign-on integration for third-party apps. You'll perform end-of-year closeout, tenant cleanup and archive, new school year preparation, and new school year launch. Then you can create new profiles using the sync deployment method that suits your organization.|+|[Windows 365 Enterprise checklist](https://go.microsoft.com/fwlink/?linkid=2240015)|[Windows 365 Enterprise deployment checklist](https://go.microsoft.com/fwlink/?linkid=2239740)|The **Windows 365 Enterprise deployment checklist** provides customers with information for provisioning and hosting Cloud PCs. With the deployment checklist, you can determine if Azure Active Directory join, Azure virtual network, or Microsoft-hosted networks path fits your organization. You can review resources that will assist with the required configuration for deployment features, health checks, updates, and maintenance for image configuration.| |
frontline | Deploy Dynamic Teams At Scale | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-dynamic-teams-at-scale.md | + + Title: Deploy frontline dynamic teams at scale ++++++audience: admin ++search.appverid: MET150 +description: Learn how to deploy dynamic teams at scale for your organization. +ms.localizationpriority: medium ++ - M365-collaboration + - m365-frontline + - tier2 +appliesto: + - Microsoft Teams + - Microsoft 365 for frontline workers Last updated : 06/08/2023++++# Deploy frontline dynamic teams at scale ++## Overview ++Frontline teams are a collection of people, content, and tools within an organization for different frontline worker locations. Membership of frontline dynamic teams is determined and managed by a set of Azure Active Directory (Azure AD) attributes. [Learn more about Azure AD attributes](/azure/active-directory/external-identities/customers/how-to-define-custom-attributes). ++In the setup process, you'll define the following with Azure AD attributes: ++- Who your frontline workers are +- What locations they work at ++You'll also determine team structure and team owners. ++Then, you'll be able to choose which locations you want to create dynamic frontline teams for. ++Team membership will be automatically managed over time through the power of dynamic teams. As frontline workers are onboarded, offboarded, or change locations, their membership in these teams will update accordingly. ++## Prerequisites ++- Users must have a Microsoft 365 F3, F1, E1, E3, or E5 license. If a user doesn't have one of these licenses, they'll need an Azure AD P1 add-on license to leverage dynamic teams. [Learn more about frontline licensing](flw-licensing-options.md). +- The admin running the deployment process needs Teams admin center permissions. +- Ensure you can define your frontline workers and their work locations through data available in Azure AD. If you don't have this data in Azure AD, you can sync it through a [human capital management (HCM) connector](/azure/active-directory/app-provisioning/plan-cloud-hr-provision) or [use the PowerShell solution](deploy-teams-at-scale.md) to create teams at scale. ++ >[!NOTE] + >The PowerShell solution creates static teams, which aren't managed automatically. ++## Set up your frontline dynamic teams ++1. Navigate to your [Teams admin center](https://admin.teams.microsoft.com). ++2. Open the **Teams** section on the left rail. ++3. Select **Manage frontline teams**. ++4. Choose **Setup** in the table. ++ ![Screenshot of the manage frontline teams table in the Teams admin center.](media/dtas-manage-setup.png) ++5. Review the prerequisite information. ++6. Select the Azure AD attribute that defines your frontline workers. You can only choose one Azure AD attribute, but you can define multiple values by separating them with commas. ++ ![Screenshot of where to enter your Azure AD attribute and values for frontline workers.](media/dtas-frontline-attribute.png) ++7. Select the Azure AD attribute that defines the location your frontline employees work in. You can only choose one location attribute. ++ ![Screenshot of where to enter your Azure AD attribute for frontline locations.](media/dtas-location-attribute.png) ++8. Define your team structure by choosing a prefix. The prefix will be applied in the format: "prefix-location" for all of your teams. ++ ![Screenshot of the prefix, team template, and team owner account fields.](media/dtas-prefix.png) ++9. Optionally, choose a team template. The team template you choose will define the channel structure for all of your frontline teams. [Learn more about Teams templates](/microsoftteams/get-started-with-teams-templates-in-the-admin-console). ++10. Enter a user account object ID to be the team owner. This account will be the owner for all frontline teams. It's recommended to choose a shared account rather than an individual person. + 1. To get a user's object ID, navigate to your [Azure portal](https://portal.azure.com). + 1. Select **Azure Active Directory**. + 1. Select **Users**. + 1. Choose your user. + 1. Copy the user's object ID. ++11. Review the settings and choose **Finish setup.** ++ >[!NOTE] + >The setup can take several hours to run. You can refresh the **Manage frontline teams** page to get the latest status of your setup. ++ ![Screenshot of the Manage frontline teams page with a banner showing that setup has been submitted.](media/dtas-setup-submitted.png) ++## Deploy your frontline dynamic teams ++1. After the setup is complete, go to your **Manage frontline teams** page and select the **Deploy** button. ++ ![Screenshot of the Deploy button.](media/dtas-deploy.png) ++2. From here you can review your settings and view the list of locations that don't yet have a frontline dynamic team created. ++3. Select the locations you want to create teams for in the table. ++ ![Screenshot of the table of locations.](media/dtas-deploy-locations.png) ++4. Select **Deploy**. This process can take multiple hours depending on how many teams you're creating. After the deployment is complete, you'll see the Number of frontline teams tile update. In this tile you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the last deployment health tile. ++ ![Screenshot of where you can get the CSV file on your Manage frontline teams page.](media/dtas-view-errors.png) ++5. You can repeat this process for any frontline locations that don't have a team. ++## Managing your frontline dynamic teams ++You can manage your teams when changes happen in your organization. ++### Create new teams for newly opened locations ++1. First, navigate to your [Teams admin center](https://admin.teams.microsoft.com). ++2. Open the **Teams** section on the left rail. ++3. Select **Manage frontline teams**. ++4. Choose **Deploy** in the table. ++5. Select the **Refresh locations** button, and proceed when prompted by the dialog box. This process can take several hours depending on your number of new locations. ++ ![Screenshot of the Refresh locations button.](media/dtas-refresh-locations.png) ++6. After your refresh completes, your setup status will show **Complete**. You can proceed to [deploy your new teams](#deploy-your-frontline-dynamic-teams). Deployment can take several hours depending on how many new teams you're deploying. ++### Edit your frontline team settings ++1. First, navigate to your [Teams admin center](https://admin.teams.microsoft.com). +1. Open the **Teams** section on the left rail. +1. Select **Manage frontline teams**. +1. Choose **Deploy frontline teams** under the Deploy settings column. +1. Edit your settings on this page and select **Save**. Your settings may take several hours to update. Refer to the following table for the effects of updating your settings: ++|Setting |Effect on existing frontline teams |Effect on new frontline teams | +|--|--|| +|Define your frontline Azure AD attribute. |All existing frontline teams will be members that have the new Azure AD attribute defined |All new frontline teams members will have the new Azure AD attribute defined | +|Choose the values applicable to your frontline Azure AD attribute. |All existing frontline team membership will reflect your updated values. |All new teams will be populated with members who have the updated Azure AD attributes you have defined. | +|Define your frontline locations. | Existing teams will continue to persist. If a team no longer is tied a location there will be no users in that team and users will be put in their respective location teams. |You can create new frontline teams based on the locations defined by your new Azure AD attribute. | +|Set your team name prefix. |All existing team names will be updated to reflect the prefix and location name if that has been changed. |All new teams will have the updated naming convention. | +|Select your team template. |No updates to the team structure will occur. |All new teams will use the updated team template. | +|Select your team owner. |The team owner will be updated for all existing teams. |All new teams will have the updated team owner. | |
frontline | Deploy Teams At Scale | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-teams-at-scale.md | Title: Deploy Teams at scale for frontline workers-- + Title: Deploy frontline static teams at scale with PowerShell for frontline workers ++ audience: admin search.appverid: MET150-description: Learn how to deploy Teams at scale for the frontline workers in your organization. +description: Learn how to use PowerShell to deploy static teams at scale for the frontline workers in your organization. ms.localizationpriority: high - M365-collaboration appliesto: Last updated 10/28/2022 -# Deploy Teams at scale for frontline workers +# Deploy frontline static teams at scale with PowerShell for frontline workers ## Overview |
frontline | Frontline Team Options | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/frontline-team-options.md | + + Title: How to find the best frontline team solution for your organization ++++++audience: admin ++search.appverid: MET150 +description: Learn whether dynamic teams or static teams are the best option for your organization's frontline teams. +ms.localizationpriority: medium ++ - M365-collaboration + - m365-frontline + - tier2 +appliesto: + - Microsoft Teams + - Microsoft 365 for frontline workers Last updated : 06/16/2023++++# How to find the best frontline team solution for your organization ++## Overview ++Frontline teams are a collection of people, content, and tools within an organization for different frontline worker locations. When deploying your frontline teams you have different options for how you can manage team membership. You can choose between dynamic team membership, static team membership, or a combination of both. ++### Licensing ++For dynamic groups, users need one of the following licenses: Microsoft 365 F1, F3, E1, E3, or E5. If a user doesn't have one of these licenses, they'll need an Azure Active Directory P1 add-on license to leverage dynamic teams. [Learn more about frontline licensing](flw-licensing-options.md). ++### Key considerations ++- You can choose a mix of dynamic frontline teams and static frontline teams for your organization. +- You can convert static frontline teams to dynamic frontline teams in your [Azure AD portal](/azure/active-directory/enterprise-users/groups-change-type) by converting the group membership type to Dynamic and setting your dynamic team membership rules. Teams you convert with this method aren't currently possible to view in the Dynamic team management view in your Teams admin center, but this functionality is planned for future releases. ++## When should I choose dynamic teams? ++Dynamic teams will ensure your team membership is always up to date based on attributes you define in Azure Active Directory (AAD). As frontline employees onboard, offboard, or change locations, team membership will reflect the updates from AAD. ++You should use dynamic frontline teams if: ++- You want your workers' team membership to be managed automatically. +- You have AAD attributes that can define who is a frontline worker and what locations they work in. +- You want to simplify the process of creating a team for each frontline location, including support for creating new teams when a new location opens. ++[Learn more about deploying dynamic frontline teams from your Microsoft 365 admin center](deploy-dynamic-teams-at-scale.md). ++> [!NOTE] +> You can't manually add members to dynamic teams. If you need to manually add or remove members, it's recommended that you use a [static team](#when-should-i-choose-static-teams). ++## When should I choose static teams? ++Static teams let you choose which users to put in which team at the time of team creation. Team owners can manually add and remove members. Admins can also rerun the Deploy static teams at scale PowerShell script to keep membership up to date. ++You should use static teams if: ++- You want to manage team members and owners manually or delegate management to the team owner(s). +- You can't identify your frontline workforce with an AAD attribute or you can't define your frontline locations with an AAD attribute. +- Your users don't have the [required license](#licensing) for dynamic teams. ++[Learn more about deploying static frontline teams with PowerShell](deploy-teams-at-scale.md). |
security | Compare Mdb M365 Plans | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md | The following table summarizes what's included in each plan: | [Azure Active Directory Free](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD) (includes security defaults) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | | [Azure AD Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (includes security defaults and Conditional Access) | | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | | **Antivirus, antimalware, and ransomware protection for devices** | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| -| [Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) (antivirus/antimalware protection on devices together with cloud protection) |:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | -| [Attack surface reduction](../defender-endpoint/overview-attack-surface-reduction.md) (network protection, firewall, and attack surface reduction rules) (*see note 1 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | +| [Next-generation protection](mdb-next-generation-protection.md) (antivirus/antimalware protection on devices together with cloud protection) |:::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | +| [Attack surface reduction](mdb-asr.md) (network protection, firewall, and attack surface reduction rules) (*see note 1 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | +| [Web content filtering](mdb-web-content-filtering.md) (track and regulate access to websites based on content categories) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | | [Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) (behavior-based detection and manual response actions) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | | [Automated investigation and response](../defender/m365d-autoir.md) (with self-healing for detected threats) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | | [Microsoft Defender Vulnerability Management](mdb-view-tvm-dashboard.md) (view exposed devices and recommendations) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | Defender for Business brings the enterprise-grade capabilities of Defender for E |[Centralized management](../defender-endpoint/manage-atp-post-migration.md)<br/>(*see note 1 below*) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Simplified client configuration](mdb-setup-configuration.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| | | |[Microsoft Defender Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|-|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <br/>(*see note 2 below*)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Next-generation protection](../defender-endpoint/next-generation-protection.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|+|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <br/>(*see note 2 below*)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) <br/>(*see note 3 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Automated investigation and response](../defender-endpoint/automated-investigations.md) <br/>(*see note 4 below*) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::| |
security | Mdb Configure Security Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md | This article walks you through how to review, create, or edit your security poli :::image type="content" source="media/mdb-setup-step6.png" alt-text="Visual depicting step 6 - Review and edit security policies in Defender for Business."::: +## Default policies + When you're setting up (or maintaining) Defender for Business, an important part of the process includes reviewing your default policies, such as: - [Next-generation protection](mdb-next-generation-protection.md) - [Firewall protection](mdb-firewall.md) +## Additional policies + In addition to your default security policies, you can add other policies, such as: - [Web content filtering](mdb-web-content-filtering.md)-- [Controlled folder access](mdb-controlled-folder-access.md)-- [Attack surface reduction rules](mdb-asr.md)+- [Controlled folder access](mdb-controlled-folder-access.md) (*requires Microsoft Intune*) +- [Attack surface reduction rules](mdb-asr.md) (*ASR rules are configured in Intune*) ++## Advanced features and settings -And, you can view and edit settings for advanced features, such as: +You can view and edit settings for advanced features, such as: - [Turning on (or off) advanced features](mdb-portal-advanced-feature-settings.md#view-settings-for-advanced-features); - [Specifying which time zone to use in the Microsoft 365 Defender portal](mdb-portal-advanced-feature-settings.md#view-and-edit-other-settings-in-the-microsoft-365-defender-portal); and |
security | Mdb Manage Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md | In Defender for Business, you can manage devices as follows: - [Onboard a device to Defender for Business](#onboard-a-device) - [Offboard a device from Defender for Business](#offboard-a-device) - ## View the list of onboarded devices :::image type="content" source="../../medib-device-inventory.png" alt-text="Screenshot of device inventory"::: +> [!IMPORTANT] +> In order to view the list of onboarded devices, you must have one of the following [roles](mdb-roles-permissions.md) assigned: +> +> - Global Administrator +> - Security Administrator +> - Security Reader + 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. 2. In the navigation pane, go to **Assets** > **Devices**. In Defender for Business, you can manage devices as follows: :::image type="content" source="../../medib-selected-device.png" alt-text="Screenshot of a selected device with details and actions available"::: +> [!IMPORTANT] +> In order to take action on a device with detected threats, you must have one of the following [roles](mdb-roles-permissions.md) assigned: +> +> - Global Administrator +> - Security Administrator + 1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**. 2. Select a device to open its flyout panel, and review the information that is displayed. Microsoft Defender Antivirus is a key component of next-generation protection in - Passive mode - Disabled (or uninstalled) mode +To view the state of Microsoft Defender Antivirus, you can choose from several options, such as: ++- Reports, like the [Device health report](mdb-reports.md#device-health-report); or +- One of the methods described in [How to confirm the state of Microsoft Defender Antivirus](../defender-endpoint/microsoft-defender-antivirus-compatibility.md#how-to-confirm-the-state-of-microsoft-defender-antivirus). + The following table describes each state and what it means. | Microsoft Defender Antivirus state | What it means | |
security | Mdb Next Generation Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-generation-protection.md | You can choose from several options for managing your next-generation protection ## [**Intune admin center**](#tab/Intune) -1. Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.< +1. Go to the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) and sign in. 2. Select **Endpoint security**. |
security | Mdb Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md | The following table lists the basic requirements you need to configure and use D | Subscription | Microsoft 365 Business Premium or Defender for Business (standalone). <br/>See [How to get Defender for Business](get-defender-business.md). | | Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States | | User accounts | - User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)). <br/>- Licenses for Defender for Business (or Microsoft 365 Business Premium) are assigned in the Microsoft 365 admin center.<br/><br/>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |-| Permissions | To sign up for Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader <br/>- Security Admin <br/>- Global AdminTo learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). | +| Permissions | To sign up for Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader <br/>- Security Admin <br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). | | Browser | Microsoft Edge or Google Chrome | | Client computer operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <br/>- Windows 10 or 11 Business <br/>- Windows 10 or 11 Professional <br/>- Windows 10 or 11 Enterprise <br/>- Mac (the three most-current releases are supported) <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. | | Mobile devices | To onboard mobile devices, such as iOS or Android OS, you can use [Mobile threat defense capabilities (preview)](mdb-mtd.md) or Microsoft Intune (see note 1 below).<br/><br/>For more details about onboarding devices, including requirements for mobile threat defense (preview), see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). | |
security | Mdb Web Content Filtering | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-web-content-filtering.md | description: Learn how to set up, view, and edit your web content filtering poli Previously updated : 05/04/2023 Last updated : 06/20/2023 Web content filtering enables your security team to track and regulate access to Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information, see [Prerequisites for web content filtering](../defender-endpoint/web-content-filtering.md#prerequisites). +In Defender for Business, you can have one web content filtering policy and it's applied to all users. + ## Set up web content filtering Web content filtering is available on the major web browsers, with blocks perfor 2. Specify a name and description for your policy. -3. Select the categories to block. Use the expand icon to fully expand each parent category, and then select specific web content categories. To set up an audit-only policy that doesn't block any websites, don't select any categories. +3. Select the [categories](#categories-for-web-content-filtering) to block (do not select **Uncategorized**). Use the expand icon to fully expand each parent category, and then select specific web content categories. - Don't select **Uncategorized**. + To set up an audit-only policy that doesn't block any websites, don't select any categories. -4. Specify the policy scope by selecting device groups to apply the policy to. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. +4. Apply the policy to all users. (Scoping to specific devices is not available in Defender for Business.) 5. Review the summary and save the policy. The policy refresh might take up to two hours to apply to your selected devices. Web content filtering is available on the major web browsers, with blocks perfor ## Categories for web content filtering -Not all websites in these categories are malicious, but they could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns. You can create an audit-only policy to get a better understanding of whether your security team should block any website categories. +Not all websites in the categories that are listed below are malicious; however, these websites could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns. ++You can start with an audit-only policy to get a better understanding of whether your security team should block any website categories, and edit your policy later. The following table describes web content categories you can choose for your web content filtering policy: The following table describes web content categories you can choose for your web | **High bandwidth** | Download sites, image sharing sites, or peer-to-peer hosts | | **Legal liability** | Sites that include child abuse images, promote illegal activities, foster plagiarism or school cheating, or that promote harmful activities | | **Leisure** | Sites that provide web-based chat rooms, online gaming, web-based email, or social networking |-| **Uncategorized** | Sites that have no content or that are newly registered | +| **Uncategorized** | Sites that have no content or that are newly registered. <br/><br/>*As a best practice, do not select **Uncategorized**.* | ## Next steps |
security | Update Agent Mma Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-agent-mma-windows.md | If you're using the Microsoft Monitoring Agent (MMA) on Windows devices, it's im *This option applies to devices running Windows 7 SP1 Enterprise, Windows 7 SP1 Pro, Windows 8.1 Pro, Windows 8.1 Enterprise, and Windows Server 2008 R2 SP1.* -To help you identify older versions of the MMA inside of your organization, you can leverage the "EOSDate" column in advanced hunting, or follow the instructions in [Plan for end-of-support software and software versions](/microsoft-365/security/defender-vulnerability-management/tvm-end-of-support-software) to leverage the vulnerability management feature inside of Microsoft Defender for Endpoint to track remediation. - - See [Manage and maintain the Log Analytics agent for Windows and Linux](/azure/azure-monitor/agents/agent-manage?tabs=PowerShellLinux) for instructions on how to upgrade the agent using Azure Automation or a command line approach for use with various deployment tools and methods at your disposal. - Update MMA by using [Microsoft Update](/windows/deployment/update/how-windows-update-works), through [Windows Server Update Services](/windows/deployment/update/waas-manage-updates-wsus) or [Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service). Use the method that was configured when MMA was first installed on the device. |
security | Outbound Spam High Risk Delivery Pool About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Outbound delivery pools [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Email servers in the Microsoft 365 datacenters might be temporarily guilty of sending spam. For example, a malware or malicious spam attack in an on-premises email organization that sends outbound mail through Microsoft 365, or compromised Microsoft 365 accounts. Attackers also try to avoid detection by relaying messages through Microsoft 365 forwarding. These scenarios can result in the IP address of the affected Microsoft 365 datacenter servers appearing on third-party blocklists. Destination email organizations that use these blocklists will reject email from those Microsoft 365 messages sources. |
security | Outbound Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Configure outbound spam policies in EOP [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, outbound email messages that are sent through EOP are automatically checked for spam and unusual sending activity. Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](../../compliance/alert-policies.md). |
security | Outbound Spam Policies External Email Forwarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding.md | f1.keywords: Previously updated : 02/17/2023 Last updated : 06/19/2023 audience: ITPro description: This article covers topics including external email forwarding, Aut search.appverid: met150+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Control automatic external email forwarding in Microsoft 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- As an admin, you might have company requirements to restrict or control automatically forwarded messages to external recipients (recipients outside of your organization). Email forwarding can be useful, but can also pose a security risk due to the potential disclosure of information. Attackers might use this information to attack your organization or partners. The following types of automatic forwarding are available in Microsoft 365: |
security | Outbound Spam Protection About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-protection-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Outbound spam protection in EOP [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, we take managing outbound spam seriously. Even if one customer intentionally or unintentionally sends spam from their organization, that action can degrade the reputation of the whole service and can affect email delivery for other customers. This article describes the controls and notifications that are designed to help prevent outbound spam, and what you can do if you need to send mass mailings. |
security | Preset Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md | description: Admins can learn how to apply Standard and Strict policy settings a search.appverid: met150 Previously updated : 5/18/2023 Last updated : 6/19/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Preset security policies in EOP and Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- _Preset security policies_ allow you to apply protection features to users based on our recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on our observations in the datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. Depending on your organization, preset security policies provide the protection features that are available in [Exchange Online Protection (EOP)](eop-about.md) and [Microsoft Defender for Office 365](microsoft-defender-for-office-365-product-overview.md). |
security | Priority Accounts Security Recommendations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Security recommendations for priority accounts in Microsoft 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts _priority accounts_. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more. Microsoft Defender for Office 365 supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). |
security | Priority Accounts Turn On Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md | f1.keywords: Previously updated : 5/23/2023 Last updated : 6/19/2023 audience: ITPro ms.localizationpriority: medium+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Configure and review priority account protection in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with Microsoft Defender for Office 365 Plan 2, _priority account protection_ is a differentiated level of protection that's applied to accounts that have the **Priority account** tag applied to them. For more information about the Priority account tag and how to apply it to users, see [Manage and monitor priority accounts](../../admin/setup/priority-accounts.md). Priority account protection offers additional heuristics that are tailored to company executives that don't benefit regular employees. Priority account protection is better suited to the mail flow patterns of company executives based on extensive data from the Microsoft datacenters. |
security | Protect Against Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md | description: Admins can learn about threat protection in Microsoft 365 and confi +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Protect against threats [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Here's a quick-start guide that breaks the configuration of Defender for Office 365 into chunks. If you're new to threat protection features in Office 365, not sure where to begin, or if you learn best by *doing*, use this guidance as a checklist and a starting point. > [!IMPORTANT] |
security | Protection Stack Microsoft Defender For Office365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md | f1.keywords: Previously updated : 1/31/2023 Last updated : 6/19/2023 audience: ITPro +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Step-by-step threat protection in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- The Microsoft Defender for Office 365 protection or filtering stack can be broken out into four phases, as in this article. Generally speaking, incoming mail passes through all of these phases before delivery, but the actual path email takes is subject to an organization's Defender for Office 365 configuration. > [!TIP] |
security | Quarantine About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Quarantined email messages in EOP and Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine is available to hold potentially dangerous or unwanted messages. Whether a detected message is quarantined by default depends on the following factors: |
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> # Manage quarantined messages and files as an admin [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or Microsoft Teams, or in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes or Teams, quarantine holds potentially dangerous or unwanted messages that were detected by EOP and Defender for Office 365. Admins can view, release, and delete all types of quarantined messages and files for all users. |
security | Quarantine End User | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md | description: Users can learn how to view and manage quarantined messages in Exch adobe-target: true Previously updated : 4/12/2023 Last updated : 6/19/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Find and release quarantined messages as a user in EOP [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantine in EOP](quarantine-about.md). As an ordinary user (not an admin), the **default** capabilities that are available to you as a recipient of a quarantined message are described in the following table: |
security | Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Quarantine policies [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, _quarantine policies_ allow admins to define the user experience for quarantined messages: - What users are allowed to do to their own quarantined messages (messages where they're a recipient) based on why the message was quarantined. |
security | Quarantine Quarantine Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Use quarantine notifications to release and report quarantined messages [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantined messages in EOP](quarantine-about.md). For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal). |
security | Quarantine Shared Mailbox Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # View and release quarantined messages from shared mailboxes [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Users can manage quarantined messages where they are one of the recipients as described in [Find and release quarantined messages as a user in EOP](quarantine-end-user.md). But what about **shared mailboxes** where the user has Full Access and Send As or Send on Behalf permissions to the mailbox as described in [Shared mailboxes in Exchange Online](/exchange/collaboration-exo/shared-mailboxes)? Previously, the ability for users to manage quarantined messages sent to a shared mailbox required admins to leave automapping enabled for the shared mailbox (it's enabled by default when an admin gives a user access to another mailbox). However, depending on the size and number of mailboxes that the user has access to, performance can suffer as Outlooks tries to open _all_ mailboxes that the user has access to. For this reason, many admins choose to [remove automapping for shared mailboxes](/outlook/troubleshoot/profiles-and-accounts/remove-automapping-for-shared-mailbox). |
security | Real Time Detections | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # What is Threat Explorer and Real-time detections? [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)--In this article: --- [Differences between Explorer and Real-time detections](#differences-between-explorer-and-real-time-detections)-- [Updated experience for Explorer and Real-time detections](#updated-experience-for-explorer-and-real-time-detections)-- [Required licenses and permissions](#required-licenses-and-permissions)--> [!NOTE] -> This is part of a **3-article series** on **Explorer (also known as Threat Explorer)**, **email security**, and **Explorer and Real-time detections basics** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Threat hunting in Explorer](threat-explorer-threat-hunting.md) and [Email security with Explorer](email-security-in-microsoft-defender.md). - This article explains the difference between Threat Explorer and real-time detections reporting, updated experience with Threat Explorer and real-time detections where you can toggle between old and new experiences, and the licenses and permissions that are required. If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections** to detect and remediate threats. |
security | Recommended Settings For Eop And Office365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Recommended settings for EOP and Microsoft Defender for Office 365 security [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- **Exchange Online Protection (EOP)** is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. **Microsoft Defender for Office 365** Plan 1 or Plan 2 contain additional features that give more layers of security, control, and investigation. Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: **Standard** and **Strict**. Although customer environments and needs are different, these levels of filtering help prevent unwanted mail from reaching your employees' Inbox in most situations. |
security | Reference Policies Practices And Guidelines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reference-policies-practices-and-guidelines.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Reference: Policies, practices, and guidelines [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Microsoft is dedicated to helping provide the most trusted user experience on the web. Therefore, Microsoft has developed various policies, procedures, and adopted several industry best practices to help protect our users from abusive, unwanted, or malicious email. Senders attempting to send email to users should ensure they fully understand and are following the guidance in this article to help in this effort and to help avoid potential delivery issues. If you are not in compliance with these policies and guidelines, it may not be possible for our support team to assist you. If you are adhering to the guidelines, practices, and policies presented in this article and are still experiencing delivery issues based on your sending IP address, please follow the steps to submit a delisting request. For instructions, see [Use the delist portal to remove yourself from the blocked senders list](use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md). |
security | Remediate Malicious Email Delivered Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365.md | search.appverid: MET150 description: Threat remediation Previously updated : 1/31/2023 Last updated : 6/19/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview" target="_blank">Microsoft Defender for Office 365 plan 2</a> # Remediate malicious email delivered in Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)- Remediation means to take a prescribed action against a threat. Malicious email sent to your organization can be cleaned up either by the system, through zero-hour auto purge (ZAP), or by security teams through remediation actions like *move to inbox*, *move to junk*, *move to deleted items*, *soft delete*, or *hard delete*. Microsoft Defender for Office 365 Plan 2/E5 enables security teams to remediate threats in email and collaboration functionality through manual and automated investigation. > [!NOTE] |
security | Removing User From Restricted Users Portal After Spam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Remove blocked users from the Restricted entities page [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, several things happen if a user exceeds the [outbound sending limits of the service](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-across-office-365-options) or the [limits in outbound spam policies](outbound-spam-policies-configure.md): - The user is restricted from sending email, but they can still receive email. |
security | Reports Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # View Defender for Office 365 reports in the Microsoft 365 Defender portal [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 (for example, Microsoft 365 E5 or Microsoft Business Premium) a variety of security-related reports are available. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view and download these reports in the Microsoft 365 Defender portal. The reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> on the **Email & collaboration reports** page at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. Or, to go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>. |
security | Reports Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # View email security reports in the Microsoft 365 Defender portal [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In all Microsoft 365 organizations, a variety of reports are available to help you see how email security features are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view and download these reports as described in this article. The reports are available in the Microsoft 365 Defender portal at <https://security.microsoft.com> on the **Email & collaboration reports** page at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. Or, to go directly to the **Email & collaboration reports** page, use <https://security.microsoft.com/emailandcollabreport>. |
security | Responding To A Compromised Email Account | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md | search.appverid: description: Learn how to recognize and respond to a compromised email account using tools available in Microsoft 365. Previously updated : 5/22/2023 Last updated : 6/19/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Responding to a compromised email account [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Access to Microsoft 365 mailboxes, data, and other services is controlled by credentials (for example a username and a password or PIN). When someone other than the intended user steals those credentials, the associated account is considered to be compromised. After an attacker steals the credentials and gains access to the account, they can access the associated Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. Attackers often use the compromised mailbox to send email as the original user to recipients inside and outside of the organization. Attackers using email to send data to external recipients is known as _data exfiltration_. |
security | Safe Attachments About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Safe Attachments in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Safe Attachments in [Microsoft Defender for Office 365](defender-for-office-365.md) provides an additional layer of protection for email attachments that have already been scanned by [anti-malware protection in Exchange Online Protection (EOP)](anti-malware-protection-about.md). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as _detonation_). Safe Attachments protection for email messages is controlled by Safe Attachments policies. Although there's no default Safe Attachments policy, the **Built-in protection** preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also create Safe Attachments policies that apply to specific users, group, or domains. For instructions, see [Set up Safe Attachments policies in Microsoft Defender for Office 365](safe-attachments-policies-configure.md). |
security | Safe Attachments For Spo Odfb Teams About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Safe Attachments for SharePoint, OneDrive, and Microsoft Teams [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In organizations with Microsoft Defender for Office 365, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams provides an additional layer of protection against malware. After files are asynchronously scanned by the [common virus detection engine in Microsoft 365](anti-malware-protection-for-spo-odfb-teams-about.md), Safe Attachments opens files in a virtual environment to see what happens (a process known as _detonation_). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams also helps detect and block existing files that are identified as malicious in team sites and document libraries. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled by default. To turn it on or off, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-configure.md). |
security | Safe Attachments For Spo Odfb Teams Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In organizations with Microsoft Defender for Office 365, Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md). You turn on or turn off Safe Attachments for Office 365 for SharePoint, OneDrive, and Microsoft Teams in the Microsoft 365 Defender portal or in Exchange Online PowerShell. |
security | Safe Attachments Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md | description: Learn about how to define Safe Attachments policies to protect your Previously updated : 4/12/2023 Last updated : 6/19/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Set up Safe Attachments policies in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365-whats-new.md). If you're a home user looking for information about attachment scanning in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). |
security | Safe Documents In E5 Plus Security About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Safe Documents in Microsoft 365 A5 or E5 Security [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Safe Documents is a premium feature that uses the cloud back end of [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) to scan opened Office documents in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653) or [Application Guard for Office](https://support.microsoft.com/topic/9e0fb9c2-ffad-43bf-8ba3-78f785fdba46). Users don't need Defender for Endpoint installed on their local devices to get Safe Documents protection. Users get Safe Documents protection if all of the following requirements are met: |
security | Safe Links About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md | audience: Admin f1_keywords: - '197503' Previously updated : 5/3/2023 Last updated : 6/20/2023 ms.localizationpriority: medium - Strat_O365_IP ms.assetid: dd6a1fef-ec4a-4cf4-a25a-bb591c5811e3 description: Learn about Safe Links protection in Defender for Office 365 to protect an organization from phishing and other attacks that use malicious URLs. Discover Teams Safe Links, and see graphics of Safe Links messages. +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Safe Links in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). |
security | Safe Links Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Set up Safe Links policies in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](defender-for-office-365.md). If you are a home user looking for information about Safelinks in Outlook, see [Advanced Outlook.com security](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2). |
security | Secure By Default | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md | f1.keywords: Previously updated : 1/31/2023 Last updated : 6/20/2023 audience: ITPro ms.localizationpriority: medium+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Secure by default in Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- "Secure by default" is a term used to define the default settings that are most secure as possible. However, security needs to be balanced with productivity. This can include balancing across: |
security | Siem Integration With Office 365 Ti | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md | search.appverid: - MET150 - MOE150 ms.assetid: eb56b69b-3170-4086-82cf-ba40a530fa1b Previously updated : 1/31/2023 Last updated : 6/20/2023 - m365-security - tier2 description: Integrate your organization's SIEM server with Microsoft Defender f +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # SIEM integration with Microsoft Defender for Office 365 -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] If your organization is using a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with your SIEM server. You can set up this integration by using the [Office 365 Activity Management API](/office/office-365-management-api/office-365-management-activity-api-reference). |
security | Siem Server Integration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md | description: Get an overview of Security Information and Event Management (SIEM) search.appverid: met150+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] ## Summary |
security | Skip Filtering Phishing Simulations Sec Ops Mailboxes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- To keep your organization [secure by default](secure-by-default.md), Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example: - **Third-party phishing simulations**: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization. |
security | Submissions Admin Review User Reported Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md | description: Admins can learn how to review messages that were reported by users search.appverid: met150 Previously updated : 6/6/2023 Last updated : 6/20/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Admin review for user reported messages [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can send templated result messages back to users after they review the user reported messages. Admins can customize the notification message template that's used for the organization. The feature is designed to give feedback to users without changing the message verdicts in the system. To help Microsoft update and improve its filters, admins need to [submit user reported messages to Microsoft for analysis](submissions-admin.md#submit-user-reported-messages-to-microsoft-for-analysis) when the user reported settings are configured to send user reported messages to the reporting mailbox only. For more information, see [User reported settings](submissions-user-reported-messages-custom-mailbox.md). |
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the **Submissions** page in the Microsoft 365 Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. There are two basic types of admin submissions: - **Admin-originated submissions**: Admins identify and report messages, attachments, or URLs (entities) by selecting :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Submit to Microsoft for analysis** from the tabs on the **Submissions** page as described in the [Admin-originated submissions](#admin-originated-submissions) section. |
security | Submissions Error Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-error-messages.md | description: Learn about the errors that admins might encounter when they try to search.appverid: met150 Previously updated : 6/6/2023 Last updated : 6/20/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Errors during admin submissions -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] This article attempts to explain the common error messages that you might receive as you try to [report messages, URLs, and email attachments to Microsoft](submissions-admin.md) |
security | Submissions Outlook Report Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-outlook-report-messages.md | description: Learn how to report phishing and suspicious emails in Outlook using search.appverid: met150 Previously updated : 6/9/2023 Last updated : 6/20/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Report phishing and suspicious emails in Outlook for admins [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or in on-premises mailboxes that use hybrid modern authentication, users can report phishing and suspicious email in Outlook. Users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft. Microsoft provides the following tools for users to report good and bad messages: |
security | Submissions Report Messages Files To Microsoft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md | f1.keywords: Previously updated : 6/6/2023 Last updated : 6/20/2023 audience: ITPro ms.localizationpriority: medium+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # How do I report a suspicious email or file to Microsoft? [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Wondering what to do with suspicious email messages, URLs, email attachments, or files? In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, *users* and *admins* have different ways to report suspicious email messages, URLs, and email attachments to Microsoft. In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint also have several methods for reporting files. |
security | Submissions Submit Files To Microsoft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-submit-files-to-microsoft.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Submit malware, non-malware, and other suspicious files to Microsoft for analysis -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!NOTE] > If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal to submit messages to Microsoft for analysis. For more information, see [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). |
security | Submissions Teams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # User reported message settings in Microsoft Teams Last updated [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 Defender, admins can decide whether users can report malicious messages in Microsoft Teams. Admins can also get visibility into the Teams messages that users are reporting. Users can report messages in Teams from **internal** chats, channels and meeting conversations. Users can only report messages as malicious. |
security | Submissions User Reported Messages Custom Mailbox | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # User reported settings [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with Exchange Online mailboxes, you can identify a _reporting mailbox_ (formerly known as a _custom mailbox_ or _submissions mailbox_) to hold messages that users report as malicious or not malicious using supported reporting tools in Outlook. For Microsoft reporting tools, you can decide whether to send user reported messages to the reporting mailbox, to Microsoft, or to the reporting mailbox and Microsoft. These selections were formerly part of the _User submissions policy_ or _User submissions_. User reported settings and the reporting mailbox work with the following message reporting tools: |
security | Submissions Users Report Message Add In Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Enable the Microsoft Report Message or the Report Phishing add-ins [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!NOTE] > If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes, we recommend that you use the **Submissions** page in the Microsoft 365 Defender portal. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](submissions-admin.md). |
security | Teams Message Entity Panel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-message-entity-panel.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # The Teams Message Entity Panel for Microsoft Teams in Microsoft Defender for Office 365 [!include[Prerelease information](../../includes/prerelease.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- The Teams Message Entity Panel in Microsoft Defender for Office 365 puts all Microsoft Teams data about suspicious or malicious chats and channels on a *single, actionable panel*. The Teams Message Entity Panel is the single source of Teams message metadata for Security Operations team (SecOps) review. In other words, any threat coming from: |
security | Tenant Allow Block List About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Manage allows and blocks in the Tenant Allow/Block List [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!IMPORTANT] > To allow phishing URLs that are part of third-party attack simulation training, use the [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md) to specify the URLs. Don't use the Tenant Allow/Block List. |
security | Tenant Allow Block List Email Spoof Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Allow or block email using the Tenant Allow/Block List [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for domains and email addresses (including spoofed senders) in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md). This article describes how admins can manage entries for email senders in the Microsoft 365 Defender Portal and in Exchange Online PowerShell. |
security | Tenant Allow Block List Files Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Allow or block files using the Tenant Allow/Block List [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for files in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md). This article describes how admins can manage entries for files in the Microsoft 365 Defender Portal and in Exchange Online PowerShell. |
security | Tenant Allow Block List Urls Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Allow or block URLs using the Tenant Allow/Block List [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, admins can create and manage entries for URLs in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see [Manage allows and blocks in the Tenant Allow/Block List](tenant-allow-block-list-about.md). > [!NOTE] |
security | Tenant Wide Setup For Increased Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Configure your Microsoft 365 tenant for increased security [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Your organizational needs require security. Specifics are up to your business. |
security | Threat Explorer About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-about.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Improvements to Threat Hunting in Threat Explorer [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Threat Explorer** or **Real-time detections** (formerly *Real-time reports* — [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!). Threat Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. With this report, you can: |
security | Threat Explorer Threat Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Threat hunting in Threat Explorer for Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)--In this article: --- [Threat Explorer walk-through](#threat-explorer-walk-through)-- [Email investigation](#email-investigation)-- [Email remediation](#email-remediation)--> [!NOTE] -> This is part of a **3-article series** on **Threat Explorer (Explorer)**, **email security**, and **Explorer and Real-time detections** (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are [Email security with Threat Explorer](email-security-in-microsoft-defender.md) and [Threat Explorer and Real-time detections](real-time-detections.md). - If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. |
security | Threat Explorer Views | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md | f1.keywords: Previously updated : 5/31/2023 Last updated : 6/20/2023 audience: ITPro +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Views in Threat Explorer and real-time detections [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- :::image type="content" source="../../media/explorer-new.png" alt-text="Screenshot of the Threat Explorer page." lightbox="../../media/explorer.png"::: [Threat Explorer](threat-explorer-about.md) (and the real-time detections report) is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats in the Microsoft 365 Defender portal. Explorer (and the real-time detections report) displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization. |
security | Threat Trackers | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Threat Trackers - New and Noteworthy [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to** -- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- [Office 365 Threat Investigation and Response](office-365-ti.md) capabilities enable your organization's security team to discover and take action against cybersecurity threats. Office 365 Threat Investigation and Response capabilities include Threat Tracker features, including Noteworthy trackers. Read this article to get an overview of these new features and next steps. > [!IMPORTANT] |
security | Trial User Guide Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md | search.appverid: description: "Microsoft Defender for Office 365 solutions trial user guide." Previously updated : 1/31/2023 Last updated : 6/20/2023+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Trial user guide: Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Welcome to the Microsoft Defender for Office 365 trial user guide! This user guide will help you make the most of your free trial by teaching you how to safeguard your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. ## What is Defender for Office 365? |
security | Use Arc Exceptions To Mark Trusted Arc Senders | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Make a list of trusted ARC Senders to trust *legitimate* indirect mailflows -**Applies to** --- Exchange Online Protection-- Microsoft Defender for Office 365 plan 1 and plan 2-- Microsoft 365 Defender- Email authentication mechanisms like [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), [DMARC](email-authentication-dmarc-configure.md) are used to verify the senders of emails for the *safety* of email recipients, but some legitimate services may make changes to the email between the sender and recipient. **In Microsoft 365 Defender, ARC will help reduce SPF, DKIM, and DMARC delivery failures that happen due to *legitimate* indirect mailflows.** ## Authenticated Received Chain (ARC) in Microsoft 365 Defender for Office |
security | Use The Delist Portal To Remove Yourself From The Office 365 Blocked Senders Lis | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md | f1.keywords: Previously updated : 1/31/2023 Last updated : 6/20/2023 audience: ITPro +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Use the delist portal to remove yourself from the blocked senders list and address 5.7.511 Access denied errors -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- Are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365 (for example and address 5.7.511 Access denied)? If you think you shouldn't be receiving the error message, you can use the delist portal to remove yourself from the blocked senders list. ## What is the blocked senders list? |
security | User Tags About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md | f1.keywords: Previously updated : 5/23/2023 Last updated : 6/20/2023 audience: ITPro ms.localizationpriority: medium+appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # User tags in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -**Applies to:** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- _User tags_ are identifiers for specific groups of users in [Microsoft Defender for Office 365](defender-for-office-365.md). There are two types of user tags: - **System tags**: Currently, [Priority account](../../admin/setup/priority-accounts.md) is the only type of system tag. |
security | Walkthrough Spoof Intelligence Insight | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- > [!IMPORTANT] > Spoofed sender management in the Microsoft 365 Defender portal is now available only on the **Spoofed senders** tab in the Tenant Allow/Block List. For current procedures in the Microsoft 365 Defender portal, see [Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md). > |
security | Why Do I Need Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/why-do-i-need-microsoft-defender-for-office-365.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a> # Why do I need Microsoft Defender for Office 365? Last updated 04/27/2023 > [!IMPORTANT] > **If you are being blocked by Safe Links pages**, go here for info: [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live). -**Applies to** -- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)- **Microsoft Defender for Office 365 is a seamless integration into your Office 365 subscription** that provides protection against threats that arrive in email, links (URLS), attachments, or collaboration tools like SharePoint, Teams, and Outlook. With real-time views of threats and tools like Threat Explorer, you can threat hunt and stay ahead of potential threats. For email threats that you may discover after the fact, Zero-hour autopurge (ZAP) can remove those mails. Automated Investigation and Response (AIR) allows you to automate monitoring and remediation, making it more efficient for security operations (sec ops) teams. The deep integration with Office 365 and robust reporting ensures that you are always on top of security operations. |
security | Zero Hour Auto Purge | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> # Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 -**Applies to** -- [Exchange Online Protection](eop-about.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)- [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] ## Zero-hour auto purge (ZAP) basics |
security | Zero Trust With Microsoft 365 Defender Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-with-microsoft-365-defender-office-365.md | +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview" target="_blank">Microsoft Defender for Office 365</a> # Zero Trust with Microsoft Defender for Office 365 [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] -**Applies to:** --- Microsoft Defender for Office 365- Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against advanced threats to email and collaboration tools, like Phishing, business email compromise, and Malware attacks. Defender for Office 365 also provides investigation, Threat Hunting, and remediation capabilities to help security teams efficiently identify, prioritize, investigate, and respond to threats. [Zero Trust](/security/zero-trust/zero-trust-overview) is a security strategy for designing and implementing the following set of security principles: |