Updates from: 06/23/2023 02:59:09
Category Microsoft Docs article Related commit history on GitHub Change details
admin Mailbox Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/mailbox-usage.md
To access shared mailbox information, change the drop-down selection at the top
The **Mailbox usage** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated). The data in each report usually covers up to the last 24 to 48 hours.
+The **Mailbox usage** report does not include **Recoverable Items** as they are included in the **Recoverable Items mailbox quota**.
+ ### The Mailbox chart The **Mailbox** chart shows you the total number of user or shared mailboxes in your organization, and the total number of user mailboxes that are active on any given day of the reporting period. A user mailbox is considered active if it had an email send, read, create appointment, send meeting, accept meeting, decline meeting and cancel meeting activity.
admin Manage Device Access Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-device-access-settings.md
Here's a breakdown for the device details available to you.
Here are a few things you need to set up to run the commands and scripts that follow:
-### Step 1: Download and install the Azure Active Directory Module for Windows PowerShell
+### Step 1: Download and install the Microsoft Graph PowerShell SDK
-For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell).
+For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/powershell/microsoftgraph/installation).
-1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi) and select **Download for Microsoft Online Services Sign-in Assistant**.
-
-2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:
+1. Install the Microsoft Graph PowerShell SDK for Windows PowerShell with these steps:
1. Open an administrator-level PowerShell command prompt.
- 2. Run the `Install-Module MSOnline` command.
-
+ 2. Run the following command:
+ ```powershell
+ Install-Module Microsoft.Graph -Scope AllUsers
+ ```
3. If prompted to install the NuGet provider, type Y and press ENTER. 4. If prompted to install the module from PSGallery, type Y and press ENTER.
- 5. After installation, close the PowerShell command window.
+ 5. After installation, close the PowerShell command window.
### Step 2: Connect to your Microsoft 365 subscription
-1. In the Windows Azure Active Directory Module for Windows PowerShell, run the following command.
+1. In Powershell window, run the following command.
```powershell
- $UserCredential = Get-Credential
+ Connect-MgGraph -Scopes Device.Read.All, User.Read.All
```
-2. In the Windows PowerShell Credential Request dialog box, type the user name and password for your Microsoft 365 global admin account, and then select **OK**.
+2. A popup will open for you to sign in. Provide the credentials of your Administrative Account and log in.
-3. Run the following command.
-
- ```powershell
- Connect-MsolService -Credential $UserCredential
- ```
+3. If your account has the necessary permissions you'll see "Welcome To Microsoft Graph!" in the Powershell window.
### Step 3: Make sure you're able to run PowerShell scripts > [!NOTE] > You can skip this step if you're already set up to run PowerShell scripts.
-To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
+To run the Get-GraphUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
1. From your Windows Desktop, select **Start**, and then type Windows PowerShell. Right-click Windows PowerShell, and then select **Run as administrator**.
To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the
3. When prompted, type Y and then press Enter.
-#### Run the Get-MsolDevice cmdlet to display details for all devices in your organization
+#### Run the Get-MgDevice cmdlet to display details for all devices in your organization
1. Open the Microsoft Azure Active Directory Module for Windows PowerShell. 2. Run the following command. ```powershell
- Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0}
+ Get-MgDevice -All -ExpandProperty "registeredOwners" | Where-Object {($_.RegisteredOwners -ne $null) -and ($_.RegisteredOwners.Count -gt 0)}
```
-For more examples, see [Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939).
+For more examples, see [Get-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice).
### Run a script to get device details
First, save the script to your computer.
1. Copy and paste the following text into Notepad.
- ```powershell
+```powershell
param (
- [PSObject[]]$users = @(),
- [Switch]$export,
- [String]$exportFileName = "UserDeviceComplianceStatus_" + (Get-Date -Format "yyMMdd_HHMMss") + ".csv",
- [String]$exportPath = [Environment]::GetFolderPath("Desktop")
- )
- [System.Collections.IDictionary]$script:schema = @{
- DeviceId = ''
- DeviceOSType = ''
- DeviceOSVersion = ''
- DeviceTrustLevel = ''
- DisplayName = ''
- IsCompliant = ''
- IsManaged = ''
- ApproximateLastLogonTimestamp = ''
- DeviceObjectId = ''
- RegisteredOwnerUpn = ''
- RegisteredOwnerObjectId = ''
- RegisteredOwnerDisplayName = ''
- }
- function createResultObject
- {
- [PSObject]$resultObject = New-Object -TypeName PSObject -Property $script:schema
- return $resultObject
- }
- If ($users.Count -eq 0)
- {
- $users = Get-MsolUser
- }
- [PSObject[]]$result = foreach ($u in $users)
- {
- [PSObject]$devices = get-msoldevice -RegisteredOwnerUpn $u.UserPrincipalName
- foreach ($d in $devices)
- {
- [PSObject]$deviceResult = createResultObject
- $deviceResult.DeviceId = $d.DeviceId
- $deviceResult.DeviceOSType = $d.DeviceOSType
- $deviceResult.DeviceOSVersion = $d.DeviceOSVersion
- $deviceResult.DeviceTrustLevel = $d.DeviceTrustLevel
- $deviceResult.DisplayName = $d.DisplayName
- $deviceResult.IsCompliant = $d.GraphDeviceObject.IsCompliant
- $deviceResult.IsManaged = $d.GraphDeviceObject.IsManaged
- $deviceResult.DeviceObjectId = $d.ObjectId
- $deviceResult.RegisteredOwnerUpn = $u.UserPrincipalName
- $deviceResult.RegisteredOwnerObjectId = $u.ObjectId
- $deviceResult.RegisteredOwnerDisplayName = $u.DisplayName
- $deviceResult.ApproximateLastLogonTimestamp = $d.ApproximateLastLogonTimestamp
- $deviceResult
- }
- }
- If ($export)
- {
- $result | Export-Csv -path ($exportPath + "\" + $exportFileName) -NoTypeInformation
- }
- Else
- {
- $result
- }
- ```
+ [Parameter(Mandatory = $false)]
+ [PSObject[]]$users = @(),
+ [Parameter(Mandatory = $false)]
+ [Switch]$export,
+ [Parameter(Mandatory = $false)]
+ [String]$exportFileName = "UserDeviceOwnership_" + (Get-Date -Format "yyMMdd_HHMMss") + ".csv",
+ [Parameter(Mandatory = $false)]
+ [String]$exportPath = [Environment]::GetFolderPath("Desktop")
+)
+
+#Clearing the screen
+Clear-Host
+
+#Preparing the output object
+$deviceOwnership = @()
++
+if ($users.Count -eq 0) {
+ Write-Output "No user has been provided, gathering data for all devices in the tenant"
+ #Getting all Devices and their registered owners
+ $devices = Get-MgDevice -All -Property * -ExpandProperty registeredOwners
+
+ #For each device which has a registered owner, extract the device data and the registered owner data
+ foreach ($device in $devices) {
+ $DeviceOwners = $device | Select-Object -ExpandProperty 'RegisteredOwners'
+ #Checking if the DeviceOwners Object is empty
+ if ($DeviceOwners -ne $null) {
+ foreach ($DeviceOwner in $DeviceOwners) {
+ $OwnerDictionary = $DeviceOwner.AdditionalProperties
+ $OwnerDisplayName = $OwnerDictionary.Item('displayName')
+ $OwnerUPN = $OwnerDictionary.Item('userPrincipalName')
+ $OwnerID = $deviceOwner.Id
+ $deviceOwnership += [PSCustomObject]@{
+ DeviceDisplayName = $device.DisplayName
+ DeviceId = $device.DeviceId
+ DeviceOSType = $device.OperatingSystem
+ DeviceOSVersion = $device.OperatingSystemVersion
+ DeviceTrustLevel = $device.TrustType
+ DeviceIsCompliant = $device.IsCompliant
+ DeviceIsManaged = $device.IsManaged
+ DeviceObjectId = $device.Id
+ DeviceOwnerID = $OwnerID
+ DeviceOwnerDisplayName = $OwnerDisplayName
+ DeviceOwnerUPN = $OwnerUPN
+ ApproximateLastLogonTimestamp = $device.ApproximateLastSignInDateTime
+ }
+ }
+ }
+
+ }
+}
+
+else {
+ #Checking that userid is present in the users object
+ Write-Output "List of users has been provided, gathering data for all devices owned by the provided users"
+ foreach ($user in $users) {
+ $devices = Get-MgUserOwnedDevice -UserId $user.Id -Property *
+ foreach ($device in $devices) {
+ $DeviceHashTable = $device.AdditionalProperties
+ $deviceOwnership += [PSCustomObject]@{
+ DeviceId = $DeviceHashTable.Item('deviceId')
+ DeviceOSType = $DeviceHashTable.Item('operatingSystem')
+ DeviceOSVersion = $DeviceHashTable.Item('operatingSystemVersion')
+ DeviceTrustLevel = $DeviceHashTable.Item('trustType')
+ DeviceDisplayName = $DeviceHashTable.Item('displayName')
+ DeviceIsCompliant = $DeviceHashTable.Item('isCompliant')
+ DeviceIsManaged = $DeviceHashTable.Item('isManaged')
+ DeviceObjectId = $device.Id
+ DeviceOwnerUPN = $user.UserPrincipalName
+ DeviceOwnerID = $user.Id
+ DeviceOwnerDisplayName = $user.DisplayName
+ ApproximateLastLogonTimestamp = $DeviceHashTable.Item('approximateLastSignInDateTime')
+ }
+ }
+ }
+
+}
+
+$deviceOwnership
+
+if ($export) {
+ $exportFile = Join-Path -Path $exportPath -ChildPath $exportFileName
+ $deviceOwnership | Export-Csv -Path $exportFile -NoTypeInformation
+ Write-Output "Data has been exported to $exportFile"
+}
+```
+
+2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MgGraphDeviceOwnership.ps1.
-2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.
+> [!NOTE]
+> The script is also available for download on [Github](https://github.com/Raindrops-dev/RAIN-MicrosoftGraphPowershellCode/blob/main/Get-MgGraphDeviceOwnership.ps1).
### Run the script to get device information for a single user account
-1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
+1. Open Powershell.
2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
First, save the script to your computer.
cd C:\PS-Scripts ```
-3. Run the following command to identify the user you want to get device details for. This example gets details for bar@example.com.
+3. Run the following command to identify the user you want to get device details for. This example gets details for user@contoso.com.
```powershell
- $u = Get-MsolUser -UserPrincipalName bar@example.com
+ $user = Get-MgUser -UserId "user@contoso.com"
``` 4. Run the following command to initiate the script. ```powershell
- .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ .\Get-GraphUserDeviceComplianceStatus.ps1 -users $user -Export
``` The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV. ### Run the script to get device information for a group of users
-1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
+1. Open Powershell.
2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
The information is exported to your Windows Desktop as a CSV file. You can use a
3. Run the following command to identify the group you want to get device details for. This example gets details for users in the FinanceStaff group. ```powershell
- $u = Get-MsolGroupMember -SearchString "FinanceStaff" | % { Get-MsolUser -ObjectId $_.ObjectId }
+ $groupId = Get-MgGroup -Filter "displayName eq 'FinanceStaff'" | Select-Object -ExpandProperty Id
+ $Users = Get-MgGroupMember -GroupId $groupId | Select-Object -ExpandProperty Id | % { Get-MgUser -UserId $_ }
``` 4. Run the following command to initiate the script. ```powershell
- .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ .\Get-GraphUserDeviceComplianceStatus.ps1 -User $Users -Export
``` The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV.
The information is exported to your Windows Desktop as a CSV file. You can use a
[Overview of Basic Mobility and Security](overview.md)
-[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939)
+[Retirement announcement for MSOnline and AzureAD cmdlets](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/important-azure-ad-graph-retirement-and-powershell-module/ba-p/3848270)
+
+[Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser)
+
+[Get-MgDevice](/powershell/module/microsoft.graph.users/get-mgdevice)
+
+[Get-MgUserOwnedDevice](/powershell/module/microsoft.graph.users/get-mguserowneddevice)
admin M365 Copilot Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/copilot/m365-copilot-setup.md
+
+ Title: "Get started with Microsoft 365 Copilot"
+f1.keywords:
+- NOCSH
+++ Last updated : 06/19/2023
+audience: Admin
++
+ms.localizationpriority: medium
+monikerRange: 'o365-worldwide'
+
+- Tier2
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+description: "Learn how to prepare your organization for Microsoft 365 Copilot."
++
+# Get started with Microsoft 365 Copilot
+
+>[!IMPORTANT]
+> The information in this article only applies to the [Microsoft 365 Copilot Early Access Program](https://www.microsoft.com/microsoft-365/blog/2023/05/09/introducing-the-microsoft-365-copilot-early-access-program-and-new-capabilities-in-copilot/), an invite-only paid preview program for commercial customers. Details are subject to change. For more information on the Early Access Program, see [Microsoft 365 Early Access Program](m365-early-access-program.md).
+
+[Microsoft 365 Copilot](https://www.microsoft.com/microsoft-365/blog/2023/03/16/introducing-microsoft-365-copilot-a-whole-new-way-to-work/) is an AI-powered productivity tool that uses large language models (LLMs) and integrates your data with the Microsoft Graph and Microsoft 365 Apps. It works alongside popular Microsoft 365 Apps such as Word, Excel, PowerPoint, Outlook, Teams, and more. Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills. This article covers the technical requirements to access and configure Microsoft 365 Copilot once you're invited to the Early Access Program.
+
+## Prerequisites for Microsoft 365 Copilot
+
+Before you can access Copilot, you must meet the following requirements:
+
+- **Microsoft 365 Apps for enterprise** must be deployed for your users, which seamlessly integrates with Microsoft 365 Copilot and applications such as Word, Excel, PowerPoint, Outlook, and Teams. To get started with the implementation process, see [Deployment guide for Microsoft 365 Apps](/deployoffice/deployment-guide-microsoft-365-apps).
+
+- **Azure Active Directory-based account** To use Microsoft 365 Copilot, you must have an Azure Active Directory-based account. See [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) to learn more.
+
+- **OneDrive Account** You need to have a OneDrive account for several features within Microsoft 365 Copilot, such as saving and sharing your files. For more information, see [Sign in or create an account for OneDrive](https://support.microsoft.com/office/video-sign-in-or-create-an-account-for-onedrive-3adf09fd-90e3-4420-8c4e-b55e2cde40d2?ui=en-us&rs=en-us&ad=us).
+
+- **New Outlook for Windows** For seamless integration of Microsoft 365 Copilot with Outlook, you are required to use the new Outlook for Windows, currently in preview. You can switch to Outlook Mobile to access the new Outlook experience. For more information, see [Getting started with the new Outlook for Windows](https://support.microsoft.com/office/getting-started-with-the-new-outlook-for-windows-656bb8d9-5a60-49b2-a98b-ba7822bc7627).
+
+- **Microsoft Teams** To use Microsoft 365 Copilot with Microsoft Teams, you must use the Teams desktop client or web client. You can [download the desktop client here](https://www.microsoft.com/microsoft-teams/download-app) or sign into the web app at [https://teams.microsoft.com](https://teams.microsoft.com/). Both the current and the new version of Teams are supported. For more information, see [Microsoft Teams desktop client](/microsoftteams/get-clients?tabs=Windows).
+
+- **Microsoft Loop** To use Copilot in Microsoft Loop, you must have Loop enabled for your tenant. See [Get started with Microsoft Loop](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c) for more information on enabling Loop.
+
+>[!NOTE]
+> Your users must be on the Current Channel or Monthly Enterprise Channel to use Copilot. See [update channels for Microsoft 365 Apps](/deployoffice/updates/overview-update-channels#current-channel-overview) to learn more.
+
+## Manage licenses for Copilot
+
+You can manage Microsoft 365 Copilot licenses from the Microsoft 365 admin center. You can assign licenses to individual users or to groups of users, as well as reassign licenses to other users.  
+
+To access license management in the Microsoft 365 admin center, go to **Billing** > **Licenses**.
+
+You can also assign licenses in bulk to [groups of users through the Azure admin center](/azure/active-directory/enterprise-users/licensing-groups-assign) or [assign licenses to users with PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell). For more information, see [Assign Microsoft 365 licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).
+
+## Security and privacy
+
+Microsoft 365 Copilot ensures data security and privacy by adhering to existing obligations and integrating with your organization's policies. It utilizes your Microsoft Graph content with the same access controls as other Microsoft 365 services. To learn more about privacy with Microsoft 365 Copilot, see [Data, Privacy, and Security for Microsoft 365 Copilot](/DeployOffice/privacy/microsoft-365-copilot).
admin M365 Early Access Program https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/copilot/m365-early-access-program.md
+
+ Title: "Microsoft 365 Copilot Early Access Program"
+f1.keywords:
+- NOCSH
+++ Last updated : 06/19/2023
+audience: Admin
++
+ms.localizationpriority: medium
+monikerRange: 'o365-worldwide'
+
+- Tier2
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+description: "Learn about the Microsoft 365 Copilot Early Access Program."
++
+# Microsoft 365 Copilot Early Access Program
+
+The Microsoft 365 Copilot Early Access Program is an invitation-only paid preview. If your organization is interested in the early release program, work with your Microsoft account manager to find out more details about nominations for a potential invite. The program includes licenses for Microsoft 365 Copilot within the Microsoft 365 Apps (Word, Outlook, Excel, PowerPoint, Teams, and more). To learn more, see this blog announcing the [Microsoft 365 Copilot Early Access Program](https://www.microsoft.com/microsoft-365/blog/2023/05/09/introducing-the-microsoft-365-copilot-early-access-program-and-new-capabilities-in-copilot/)
+
+## Before you begin
+
+Make sure that your organization is prepared for Microsoft 365 Copilot. To learn more about prerequisites and licensing requirements, see [Get started with Microsoft 365 Copilot](m365-copilot-setup.md).
+
+## Frequently Asked Questions
+
+This section contains answers to frequently asked questions about Microsoft 365 Copilot.
+
+### Q: How do I prepare my organizationΓÇÖs data governance for Copilot?
+
+A: Microsoft 365 Copilot is integrated into Microsoft 365 and automatically inherits all your companyΓÇÖs valuable security, compliance, and privacy policies and processes. Data permissions will be consistent and users will only be able to search the information they already have access to. Review [Data, Privacy, and Security for Microsoft 365 Copilot](/DeployOffice/privacy/microsoft-365-copilot) for more information about privacy with Microsoft 365 Copilot.
+
+To learn more about how to approach getting your organization ready to use Copilot, [watch this video](https://www.youtube.com/watch?v=oeX0lsMA69U).
+
+### Q: What happens after my organization gets invited into the program?
+
+A: Work directly with your account manager to confirm acceptance. After accepting the invitation, users with the Global admin role permissions in the organization will receive an email to complete the process in the Microsoft 365 admin center.
+
+### Q: What are the top benefits of the Microsoft 365 Copilot Early Access Program?
+
+A: With the Early Access Program, you can use Copilot prior to the general release of the product and can receive extra engineering support to deploy Copilot and promote adoption. You also have the opportunity to test use cases and provide feedback to influence the development of the product.
+
+### Q: How do I complete the purchase?
+
+A: You will use an online purchase experience in the Microsoft 365 admin center. During this purchase experience, you'll need to agree to the Microsoft Customer Agreement (MCA) if you don't already have one. There are also supplemental terms for the Early Access Program. You may work with your account team to review these documents in advance.
+
+### Q: How am I invoiced and how do I pay?
+
+A: The Microsoft 365 Copilot Early Access Pass is a one-time invoice and purchase, and there are no additional usage fees associated with the program. You will have 21 days to complete the purchase. If you need to complete an internal PO or approval process, you can view the total price including any applicable taxes based on your billing account, and then come back and complete the purchase within the 21-day period. You will receive your invoice on the 5th day of the month following your purchase. The invoice can be viewed in the Microsoft 365 admin center and can be paid by wire transfer.
+
+You can find your invoice in the Microsoft 365 admin center, go to Billing > [Bills & payments](https://admin.microsoft.com/Adminportal/Home?#/billoverview/invoice-list) page
+
+### Q: Can I cancel my organizationΓÇÖs participation in the Early Access Program? If yes, am I eligible for refund?
+
+A: You have seven days to cancel the purchase. After seven days, there are no refunds available, as this is a limited time program.
+
+### Q: What is the Microsoft Customer Agreement?
+
+A: The Microsoft Customer Agreement provides a consistent and simplified purchasing experience. Learn more [here](https://www.microsoft.com/Licensing/how-to-buy/microsoft-customer-agreement).
+
+### Q: Does accepting the Microsoft Customer Agreement impact my existing Microsoft Enterprise Agreements?
+
+A: No, the Microsoft Customer Agreement doesnΓÇÖt impact the terms of existing Enterprise Agreements.
+
+### Q: Where do I go to assign and manage licenses?
+
+A: ThereΓÇÖs no difference between Microsoft 365 Copilot licenses and other Microsoft 365 product licenses. You can assign licenses to individual users in the [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home?#/homepage).
+
+### Q: My organization has multiple tenants, can I assign licenses across tenants?
+
+A: No. During the Early Access Program, Copilot can only be deployed in one tenant and licenses can only be assigned to users in that tenant.
+
+### Q: What are technical requirements for using Microsoft 365 Copilot?
+
+A: See [Get started with Microsoft 365 Copilot](m365-copilot-setup.md) for the full list of technical requirements.
admin Customize The App Launcher https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/customize-the-app-launcher.md
description: "Create quick links to your email, documents, apps, SharePoint site
# Add custom tiles to the app launcher
-In Microsoft 365, you can quickly and easily get to your email, calendars, documents, and apps using the App launcher ([learn more](https://support.microsoft.com/office/79f12104-6fed-442f-96a0-eb089a3f476a)). These are apps you get with Microsoft 365 as well as custom apps that you add from the [SharePoint Store](https://support.microsoft.com/office/dd98e50e-d3db-4ecb-9bb7-82b189822d43) or [Azure AD](/previous-versions/office/office-365-api/).
-
-You can add your own custom tiles to the app launcher that point to SharePoint sites, external sites, legacy apps, and more. The custom tile appears under the app launcher's **All** apps, but you can pin it to the **Home** apps and instruct your users to do the same. This makes it easy to find the relevant sites, apps, and resources to do your job. In the below example, a custom tile called "Contoso Portal" is used to access an organization's SharePoint intranet site.
-
-![App launcher.](../../media/7acc06cc-ac7a-4c6e-8ea7-81570a5bdbab.png)
-
-## Add a custom tile to the app launcher
+You can add your own custom tiles to Apps that point to SharePoint sites, external sites, legacy apps, and more. The custom tile appears under the Apps section in Microsoft 365. Once your users launch the app, it's added automatically to the list of app launcher apps for access. This makes it easy to find the relevant sites, apps, and resources to do your job.
-1. Sign in to the admin center as a Global Administrator, go to **Settings** > **Org Settings**, and choose the **Organization profile** tab.
-
-2. On the **Organization profile** tab, choose **Custom app launcher tiles**.
-
-3. Select **Add a custom tile**.
-
-4. Enter a **Tile name** for the new tile. The name will appear in the tile.
-
-5. Enter a **URL of website** for the tile. This is the location where you want your users to go when they select the tile on the app launcher. Use HTTPS in the URL.
+## Add a custom tile for Apps
- > [!TIP]
- > If you're creating a tile for a SharePoint site, navigate to that site, copy the URL, and paste it here. The URL of your default team site looks like this: `https://<company_name>.sharepoint.com`
-
-6. Enter a **URL of the image** for the tile. The image appears on the My apps page and app launcher.
+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+
+1. Go to **Settings**ΓÇ»>ΓÇ»**Org settings**, and choose the **Organization profile** tab.
+
+1. Choose **Custom tiles for Apps** > **Add a custom tile**.
+
+1. Enter a tile name for the new tile. The name appears in the tile.
+
+1. Enter a URL of website for the tile. This is the location where you want your users to go when they select the tile on the app launcher. Use HTTPS in the URL.
+
+ > [!TIP]
+>If you're creating a tile for a SharePoint site, navigate to that site, copy the URL, and paste it here. The URL of your default team site looks like this:ΓÇ»`https://<company_name>.sharepoint.com`.
+
+1. Enter a URL of the image for the tile. The image appears on the My apps page and app launcher.
> [!TIP]
- > The image should be 60x60 pixels and be available to everyone in your organization without requiring authentication.
+>The image should be 60x60 pixels and be available to everyone in your organization without requiring authentication.
-7. Enter a **Description** for the tile. You see this when you select the tile on the My apps page and select **App details**.
-
-8. Select **Save changes** to create the custom tile.
-
- Your custom tile will appear within the next 24 hours in the app launcher on the **All** tab for you and your users.
+1. Enter a description for the tile. You see this when you select the tile on the My apps page and select **App details**.
+
+1. Select **Save changes** to create the custom tile.
+
+Your custom tile will appear within the next 24 hours in the app launcher on the **All** tab for you and your users.
+
+Your custom tile will appear within the next 24 hours in Microsoft 365 Apps for you and your users.
+
+> [!NOTE]
+> If you don't see the custom tile created in the previous steps, make sure you have an Exchange Online mailbox assigned to you and you've signed into your mailbox at least once. These steps are required for custom tiles in Microsoft 365.
- > [!NOTE]
- > If you don't see the custom tile created in the previous steps, make sure you have an Exchange Online mailbox assigned to you and you've signed into your mailbox at least once. These steps are required for custom tiles in Microsoft 365.
-
## Edit or delete a custom tile
-1. In the admin center, go to the **Settings** > **Org Settings** > **Organization profile** tab.
-
-2. On the **Organization profile** page, go to **Custom App launcher tiles**, If you select the three dots next to your **Custom Tile** and Select **Edit custom tile**.
+1. In the admin center, go to the **Settings**ΓÇ»>ΓÇ»**Org Settings**ΓÇ»>ΓÇ»**Organization profile** tab.
+
+1. On the Organization profile page, go to **Custom tiles for Apps**, select the three dots next to your Custom tile, and select **Edit custom tile**.
+
+1. Update the **Tile name**, **URL**,ΓÇ»**Description**, or **Image URL** for the custom tile (For steps, see [Add a custom tile to Apps](#add-a-custom-tile-for-apps)).
+
+1. Select **Update**ΓÇ»>ΓÇ»**Close**.
-3. Update the **Tile name**, **URL**, **Description**, or **Image URL** for the custom tile (see [Add a custom tile to the app launcher](#add-a-custom-tile-to-the-app-launcher)).
-
-4. Select **Update** \> **Close**.
-
-To delete a custom tile, from the **Custom tiles** window, select the tile, select **Remove tile** > **Delete**.
+To delete a custom tile, from the Custom tiles window, select the tile, and select **Remove tile** > **Delete**.
## Next steps
admin Manage Feedback Ms Org https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-feedback-ms-org.md
f1.keywords:
Previously updated : 03/26/2021 Last updated : 06/21/2023 audience: Admin
- AdminSurgePortfolio - admindeeplinkMAC-- BCS160-- MET150-- MOE150 description: "Manage feedback your users can send to Microsoft about Microsoft products." # Manage Microsoft feedback for your organization
-As the admin of a Microsoft 365 organization, there are now several policies to help you manage the feedback collection and the customer engagement experience of your users when using Microsoft 365 applications. You can create and use existing Azure Active directory groups in your organization for each of these policies. With these polices, you can control how different departments in your organization can send feedback to Microsoft. Microsoft reviews all feedback submitted by customers and uses this feedback to improve the product. Keeping the feedback experiences turned **On** allows you to see what your users are saying about the Microsoft products they're using. The feedback we collect from your users is available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+As the admin of a Microsoft 365 organization, there are several policies to help you manage the feedback collection and the customer engagement experience of your users when using Microsoft 365 applications. You can create and use existing Azure Active directory groups in your organization for each of these policies. With these policies, you can control how different departments in your organization can send feedback to Microsoft. Microsoft reviews all feedback submitted by customers and uses this feedback to improve the product experiences for users, including by improving the quality of AI-generated responses and troubleshooting product issues. Keeping the feedback experiences turned **On** allows you to see what your users are saying about the Microsoft products they're using. The feedback we collect from your users is available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
To learn more about the types of feedback and how Microsoft uses user feedback, see [Learn about Microsoft feedback for your organization](../misc/feedback-user-control.md).
The table below represents which apps and services are currently connected to th
|**Project**|Yes|Yes|Yes|Yes| |**Publisher**|Yes|Yes|Yes|Yes| |**SharePoint**|[Some settings currently managed by other controls.](/powershell/module/sharepoint-online/set-spotenant)||||
-|**Teams**|[Some settings currently managed by other controls.](/microsoftteams/manage-feedback-policies-in-teams)||||
+|**Teams**|[Some settings currently managed by other controls.](/microsoftteams/manage-feedback-policies-in-teams)||Yes||
|**To Do**|Yes|Yes|Yes|Yes| |**Word**|Yes|Yes|Yes|Yes| |**Visio**|Yes|Yes|Yes|Yes|
The table below represents which apps and services are currently connected to th
[See here for some examples of in-product surveys and feedback.](/microsoft-365/admin/misc/feedback-user-control#in-product-surveys)
-**Metadata collection**
--
-**Customer engagement**
-- ## Before you begin Your devices must be on a minimum build number to use these policies. See the table below for more information.
Your devices must be on a minimum build number to use these policies. See the ta
|**Policy name**|**Default state**|**Control summary**| |:--|:--|:--|
-|Allow users to access feedback portal|On|Manage user access to the feedback portal|
-|Allow users to submit feedback to Microsoft|On|Controls feedback entry points across applications|
-|Allow users to receive and respond to in-product surveys from Microsoft|On|Controls survey prompts within product|
-|Allow users to include screenshots and attachments when they submit feedback to Microsoft|Off|Determines what metadata the user can decide to submit with feedback/survey|
-|Allow Microsoft to follow up on feedback submitted by users|Off|Determines if user can share contact info with feedback/survey|
-|Allow users to include log files and content samples when feedback is submitted to Microsoft|Off|Determines metadata the user can decide to submit with feedback/survey|
+|Allow users to access feedback portal|On|Manage user access to the feedback portal where users can follow-up on their feedback and participate in community feedback.|
+|Allow users to submit feedback to Microsoft|On|Controls feedback entry points across applications.|
+|Allow users to receive and respond to in-product surveys from Microsoft|On|Controls survey prompts within product.|
+|Allow users to include screenshots and attachments when they submit feedback to Microsoft|Off|Allows users to choose relevant files, screen recordings and screenshots to help Microsoft better understand and troubleshoot their feedback.|
+|Allow Microsoft to follow up on feedback submitted by users|Off|Determines if user can share contact info with feedback/survey for followup by Microsoft. Also allows users to get notified of feedback status changes. Users can manage communications settings in the feedback portal.|
+|Allow users to include log files and content samples when feedback is submitted to Microsoft|Off|Allows users to include Microsoft generated files such as additional log files and content samples when relevant to feedback they are submitting. Examples may include [Microsoft 365 Copilot](https://blogs.microsoft.com/blog/2023/03/16/introducing-microsoft-365-copilot-your-copilot-for-work/) prompt and response interactions.|
> [!NOTE]
-> The **Allow users to access the feedback portal** policy is a cloud policy. This policy is not defined in ADMX and does not have a corresponding registry key available to set the policy. You should create a cloud policy to enforce it. This is a cloud policy because the feedback portal is a web application that makes a call to the cloud policy service, which is also a web application, requesting the policies for the person who signs in. If this policy is configured, the feedback portal will receive the configured policy value in the response from the cloud policy service.
+> The **Allow users to access the feedback portal** policy is a cloud policy. This policy isn't defined in ADMX and doesn't have a corresponding registry key available to set the policy. You should create a cloud policy to enforce it. This is a cloud policy because the feedback portal is a web application that makes a call to the cloud policy service, which is also a web application, requesting the policies for the person who signs in. If this policy is configured, the feedback portal will receive the configured policy value in the response from the cloud policy service.
+
+> [!NOTE]
+> The default state for **Allow users to include screenshots and attachments when they submit feedback to Microsoft**, **Allow Microsoft to follow up on feedback submitted by users**, and **Allow users to include log files and relevant content samples when feedback is submitted to Microsoft** will be changing from Off to On starting **July 21st, 2023**. Your users can decide to opt-out.
## Configure policies
You can find these policy settings under User Configuration\Policies\Administrat
> [!NOTE] > It takes a few hours for the client applications to update.+
+### User experience examples
++
admin Feedback User Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/feedback-user-control.md
f1.keywords:
Previously updated : 08/10/2020 Last updated : 06/21/2023 audience: Admin
- M365-subscription-management - Adm_O365 -- BCS160-- MET150-- MOE150 description: "Learn about feedback your users can send to Microsoft about Microsoft products."
Microsoft uses feedback to improve Microsoft products. We get user feedback in t
### What do we collect?
-When a user submits feedback, app information is usually collected along with app ratings and feedback descriptions. If you've enabled the policy, we may allow users to submit screenshots and logs to help us debug and resolve problems the user may be running into. Here are the most common items collected or calculated.
+When a user submits feedback, app information is usually collected along with app ratings and feedback descriptions. Here are the most common items collected or calculated.
- **Comments** User submitted comments in the original language. - **App** Microsoft product we got the feedback from.
When a user submits feedback, app information is usually collected along with ap
- **Attachments** Were any attachments (i.e screenshots, files) collected as part of the feedback? (Yes/No). - **TenantId** If feedback is submitted from an Azure Active Directory account, which TenantId was associated. - **App module** Information about app modules that may have caused a recent crash, where applicable.
+- **Optional Diagnostic data** If you are opted in, this data will be included with the feedback. [Learn more](/deployoffice/privacy/optional-diagnostic-data).
+
+If you've enabled the corresponding policies, we may allow users to submit screenshots, attachments, content samples, and logs to help us debug and resolve problems the user may be running into. Microsoft uses this data to debug and resolve problems that may be challenging or impossible to resolve without this additional information. Users choose whether or not this content and data is submitted to Microsoft.
+
+- Screenshots: Captures of the userΓÇÖs screen at the time they submitted feedback. Example: the screen including the dialog box from which the user is submitting feedback.
+- Attachments: Files the user can choose to attach to their feedback. Example: the file they were working on when they encountered a problem.
+- Content samples: Portions of content from the customerΓÇÖs document or interactions with Microsoft services. Example: the prompt the user sent to an AI service and the response the user received back from that AI service.
+- Log files: Additional log files that are not included in Overview of diagnostic log files for Office - Microsoft Support and that may include the userΓÇÖs name or contents of the userΓÇÖs files. Examples: logs that include the element of the customerΓÇÖs file that is preventing the file from saving.
## How can I see my user's feedback?
-To meet MicrosoftΓÇÖs legal obligations to customers, we've added a new experience in the Microsoft 365 admin center that lets administrators view, delete, and export the feedback data for their organizations. As part of their data controller responsibility, customers own all user feedback data and this functionality will assist administrators to provide direct transparency into their usersΓÇÖ experiences with Microsoft 365 products and enable user feedback data to be provided as part of any Data Subject Request. Global admins and compliance data administrators now have the ability to view, export and delete user feedback. All other administrators, as well as readers, are able to view and export feedback data but can't perform compliance related tasks or see information about who posted the feedback (such as user name, email, or device name). To access your organization's feedback data, sign in to the Microsoft 365 admin center and customize navigation to show the health node. Access this experience by selecting **Product Feedback** under the Health node.
+To meet MicrosoftΓÇÖs legal obligations to customers, we've added an experience in the Microsoft 365 admin center that lets administrators view, delete, and export the feedback data for their organizations. As part of their data controller responsibility, customers own all user feedback data and this functionality will assist administrators to provide direct transparency into their usersΓÇÖ experiences with Microsoft 365 products and enable user feedback data to be provided as part of any Data Subject Request. Global admins and compliance data administrators now have the ability to view, export and delete user feedback. All other administrators, as well as readers, are able to view and export feedback data but can't perform compliance related tasks or see information about who posted the feedback (such as user name, email, or device name). To access your organization's feedback data, sign in to the Microsoft 365 admin center and customize navigation to show the health node. Access this experience by selecting **Product Feedback** under the Health node.
+ ## Data handling and privacy
admin Install Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/install-applications.md
f1.keywords:
Previously updated : 02/19/2020 Last updated : 06/21/2023 audience: Admin
Now that you've set up Microsoft 365, you can install individual Microsoft 365 a
Microsoft 365 apps can be found on your **Start** menu. If you don't see them, you can install them yourself. 1. Go to microsoft365.com. You might need to sign in with your work account.
-2. Select **Install Microsoft 365** > **Microsoft 365 apps** > **Run** , and then select **Yes**.
-3. The Microsoft 365 apps are installed. The process may take several minutes. When it completes, select **Close**.
-4. To install Microsoft Teams, go to the microsoft365.com page, and choose **Teams**.
-5. Get the Windows app, and then select **Run**. Teams displays a prompt when installation is complete.
+2. Select **Install apps**, then select **Microsoft 365 apps**.
+1. Open the file that is downloaded to your **Downloads** folder.
+1. On the **Do you want to allow this app to make changes to your device** page, select **Yes** to begin installation.
+1. The Microsoft 365 apps are installed. The process may take several minutes. When it completes, select **Close**.
## Next steps
business-premium Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/secure-your-business-data.md
audience: Admin
Previously updated : 05/15/2023 Last updated : 06/22/2023 ms.localizationpriority: medium - highpri
description: "Learn best practices to protect your data using Micrsoft 365 Busin
# Secure your data with Microsoft 365 for business
-> [!TIP]
-> **This article is for small and medium-sized businesses who have up to 300 users**.
->
-> If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../solutions/ransomware-protection-microsoft-365.md).
->
-> If you're a Microsoft partner, see [Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md).
+When it comes to securing your business data, Microsoft 365 Business Basic, Standard, and Premium all include antiphishing, antispam, and antimalware protection. However, Microsoft 365 Business Premium includes even more security capabilities, such as advanced cybersecurity protection for devices (such as computers, tablets, and phones; also referred to as endpoints), email & collaboration content (such as Office documents), and information protection. For more information about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).
## Top 10 ways to secure your business data :::image type="content" source="media/top-10-ways-to-secure-data.png" alt-text="Diagram listing the top 10 ways to secure business data with Microsoft 365 for business" :::
-Microsoft 365 Business Basic, Standard, and Premium include antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more security capabilities, such as advanced threat protection for devices (also referred to as endpoints), email, and collaboration, and information protection. For more information about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).
+> [!TIP]
+> **This article is for small and medium-sized businesses who have up to 300 users**.
+> If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../solutions/ransomware-protection-microsoft-365.md).
+> If you're a Microsoft partner, see [Resources for Microsoft partners working with small and medium-sized businesses](../security/defender-business/mdb-partners.md).
The following table summarizes recommendations by subscription for securing your business data:
compliance Audit Log Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md
The tables in this article describe the activities that are audited in Microsoft
These tables group related activities or the activities from a specific service. The tables include the friendly name that's displayed in the **Activities** drop-down list (or that are available in PowerShell) and the name of the corresponding operation that appears in the detailed information of an audit record and in the CSV file when you export the search results. For descriptions of the detailed information, see [Audit log detailed properties](audit-log-detailed-properties.md). > [!TIP]
-> Select one of the links in the **In this article** list on the right side of this page to go to a specific table.
+> Select one of the links in the **In this article** list at the top of this article to go directly to a specific product table.
## Application administration activities
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
Just-in-time protection applies a candidate policy to onboarded Windows 10/11 de
- Items that have never been evaluated. - Items on which the evaluation has gone stale. These are previously evaluated items that haven't been reevaluated by the current, updated cloud versions of the policies.
+
+> [!NOTE]
+> - Simulate Mode: Just-in-time protection is triggered in the background. Admins can see just-in-time events in Activity explorer, without users being blocked.
+> - Enforce Mode: End users are blocked until the evaluation is complete.
-You can prevent a file from being permanently blocked if policy evaluation starts on a file, but doesn't complete. Use the **Just in time protection configuration** fallback setting to either **Allow** or **Block** egress activities if policy evaluation doesn't complete. You configure fallback settings in **Microsoft Purview compliance console** > **Settings** > **Just in time protection configuration** > **Decide what happens if JIT protection fails**.
+<!-- You can prevent a file from being permanently blocked if policy evaluation starts on a file, but doesn't complete. Use the **Just in time protection configuration** fallback setting to either **Allow** or **Block** egress activities if policy evaluation doesn't complete. You configure fallback settings in **Microsoft Purview compliance console** > **Settings** > **Just in time protection configuration** > **Decide what happens if JIT protection fails**. -->
> [!TIP] > Because the candidate policy from just-in-time protection is applied to all files on onboarded devices, it may block user activity on files that won't have a policy applied once evaluation occurs. To prevent this productivity interruption, you should configure and deploy policies to devices before enabling just in time protection.
compliance Recover An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/recover-an-inactive-mailbox.md
An inactive mailbox (which is a type of soft-deleted mailbox) is used to preserv
See the [More information](#more-information) section for more details about the differences between recovering and restoring an inactive mailbox, and for a description of what happens when an inactive mailbox is recovered. > [!NOTE]
-> You can't recover or restore an inactive mailbox that's configured with an auto-expanding archive. If you need to recover data from an inactive mailbox with an auto-expanding archive, use content search to export the data from the mailbox and then import to another mailbox. For instructions, see following articles:
+> You can't recover or restore an inactive mailbox that's configured with an auto-expanding archive. If, for compliance reasons, you need to recover data from an inactive mailbox with an auto-expanding archive, use content search to export the data from the mailbox. This action is supported for eDiscovery purposes only, and can't be used as a backup solution. For instructions to use content search for the recovery of data for eDiscovery, see following articles:
> > - [Content search](ediscovery-content-search.md) > - [Export content search results](export-search-results.md)
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
The numbers listed are the minimum Office application versions required for each
|[PDF support](sensitivity-labels-office-apps.md#pdf-support)|Current Channel: 2208+ <br /><br> Monthly Enterprise Channel: 2209+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |[Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
-|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: Under review |16.69+ |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/ios) |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/android)| [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel:2302+ |16.69+ |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/ios) |Preview: Rolling out to [Beta Channel](https://insider.office.com/join/android)| [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Double Key Encryption (DKE)](encryption-sensitivity-labels.md#double-key-encryption) |Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review| Under review | ## Sensitivity label capabilities in Outlook
The numbers listed are the minimum Office application versions required for each
|[Different settings for default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.43+ <sup>\*</sup> |4.2111+ |4.2111+ |Yes | |[PDF support](sensitivity-labels-office-apps.md#pdf-support) |Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: 2302+| Under review |Under review |Under review |Under review | |[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) |Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> |4.2226+ |4.2203+ |Yes |
-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Preview: [Beta](https://support.google.com/googleplay/work/answer/7042126) |Under review |
-|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |Preview: [Beta](https://support.google.com/googleplay/work/answer/7042126) |Under review |
+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Rolling out: 4.2316.0+ |4.2316.0+ |Under review |
+|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Rolling out: 4.2316.0+ |4.2316.0+ |Under review |
|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Rolling out: 16.70+ <sup>\*</sup> | Rolling out: 4.2309+ |Rolling out: 4.2309+ |Yes | |[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup)|Current Channel: 2305+ <br /><br> Monthly Enterprise Channel: 2307+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 06/19/2023 Last updated : 06/21/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels - **General availability (GA)**: Now rolling out, Outlook for Android and Outlook for iOS support a setting for mandatory labeling that you can configure with Microsoft Intune to [prompt users to select a sensitivity label when they first compose an email](sensitivity-labels-office-apps.md#for-outlook-mobile-change-when-users-are-prompted-for-a-label) instead of when they send it.-- **In preview**: Now rolling out, OneDrive locations for [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) are changing from sites specified by URLs to users and groups. This change of configuration means that [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview) are now supported for OneDrive auto-labeling policies. Any existing OneDrive sites specified in auto-labeling policies as site URLs will continue to work but before you can add more OneDrive locations, or for restricted admins, you must first delete any existing OneDrive sites specified as URLs. Groups supported: distribution groups, Microsoft 365 groups, mail-enabled security groups, and security groups.
+- **General availability (GA)**: Outlook for Android and Outlook for iOS, the [sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [label colors](sensitivity-labels-office-apps.md#label-colors) are now in general availability. For iOS, the release is still rolling out.
+- **In preview**: Now rolling out in preview, OneDrive locations for [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) are changing from sites specified by URLs to users and groups. This change of configuration means that [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview) are now supported for OneDrive auto-labeling policies. Any existing OneDrive sites specified in auto-labeling policies as site URLs will continue to work but before you can add more OneDrive locations, or for restricted admins, you must first delete any existing OneDrive sites specified as URLs. Groups supported: distribution groups, Microsoft 365 groups, mail-enabled security groups, and security groups.
- **In preview**: Now rolling out in preview, [limited support for labels configured for user-defined permissions](sensitivity-labels-sharepoint-onedrive-files.md#support-for-labels-configured-for-user-defined-permissions) for Office on the web, SharePoint and OneDrive. - **Removal of limitations for Teams when using sensitivity labels**: Several previous limitations are removed for [Teams protected meetings](sensitivity-labels-meetings.md), which include Safari and Firefox support to prevent copy chat, support for virtual desktop infrastructure (VDI), policy settings for justification for changing a label, mandatory labeling, and a help link to a custom help page, and more methods are now supported to prevent copying chat. ## May 2023
+### Audit
+
+- Updates for audit log support for [Microsoft Project for the web](/microsoft-365/compliance/audit-log-activities#microsoft-project-for-the-web-activities), [Microsoft To Do](/microsoft-365/compliance/audit-log-activities#microsoft-to-do-activities),and [Microsoft Defender Experts](/microsoft-365/compliance/audit-log-activities#microsoft-defender-experts-activities) activities.
+- Updates to clarify [audit log rentention policies](/microsoft-365/compliance/audit-log-retention-policies) and duration options.
+ ### Compliance Manager - **General availability (GA)**: New multicloud support for Compliance Manager.
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **Assigning user roles per regulatory template**: New capability allowing you to provide scoped access to any assessment built for a specific regulation. Updated pages include: - [Learn about regulations](compliance-manager-templates.md#grant-user-access-to-regulations) - [Get started](compliance-manager-setup.md#role-based-access-to-assessments-and-regulations)
- - [Build and manage assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments)
+ - [Build and manage assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments)
### Data lifecycle management and records management - **General availability (GA)**: [Simulation mode](apply-retention-labels-automatically.md#learn-about-simulation-mode) for auto-apply retention label policies is now generally available. - **General availability (GA)**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that are shared via Exchange or Teams are now generally available. Cloud attachments shared via Yammer remain in preview.
+### eDiscovery
+
+- **In preview**: New article for [guest access in eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-guest-access). With guest access, you can provide access to an eDiscovery Premium case to people outside your organization. You can invite guests users to eDiscovery (Premium) cases just like you can invite guests into your Teams environment.
+- **In preview**: New support for *Export collected items* and *Export as report* [options for review sets](/microsoft-365/compliance/ediscovery-create-draft-collection#manage-a-collection-estimate) in eDiscovery (Premium).
+- **In preview**: New support for viewing [job reports](/microsoft-365/compliance/ediscovery-managing-jobs#jobs-report-preview) for eDiscovery (Premium). eDiscovery (Premium) now includes a jobs report tool that lists all jobs that count towards the jobs concurrency and daily limits in eDiscovery for a defined time period.
+- Updates to clarify the [indexing of non-custodial data sources](/microsoft-365/compliance/ediscovery-indexing-custodian-data) in eDiscovery (Premium) cases.
+ ### Insider risk management - **In preview**: [Fine-tune policy indicator thresholds with real-time analytics](insider-risk-management-settings-policy-indicators.md) to reduce alert noise.
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## April 2023
+### Audit
+
+- Updates for audit log support for [Microsoft Planner](/microsoft-365/compliance/audit-log-activities#microsoft-planner-activities) activities.
+ ### Communication compliance - New content on the [Filter email blasts feature](communication-compliance-policies.md#filter-email-blasts) and the [Email blasts senders report](communication-compliance-reports-audits.md#detailed-reports).
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **In preview**: Save a copy of items that match DLP policies to Azure storage [Learn about evidence collection for file activities on devices (preview)](dlp-copy-matched-items-learn.md) and [Get started with collecting files that match data loss prevention policies from devices (preview)](dlp-copy-matched-items-get-started.md). - **General availability (GA)**: Data loss prevention policies in Power BI to automatically detect sensitive information as it is being uploaded into Power BI and take immediate remediation actions. [Learn about data loss prevention policies in Power BI)](/microsoft-365/compliance/dlp-powerbi-get-started).
+### eDiscovery
+
+- **New article**: [Configure review set grouping settings for eDiscovery (Premium) cases](/microsoft-365/compliance/ediscovery-configure-review-set-settings) details how you can configure grouping settings for each Microsoft Purview eDiscovery (Premium) case to control how the data in a review set is grouped and displayed.
+- **In preview**: New support for [upgrading a eDiscovery (Standard) case to eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-close-reopen-delete-cases#upgrade-a-case-to-ediscovery-premium-preview).
+- **In preview**: New support for Microsoft Teams meeting [recordings and transcripts](/microsoft-365/compliance/ediscovery-teams-investigation).
+- **In preview**: New support for the [*Export item report* action](/microsoft-365/compliance/ediscovery-create-draft-collection) for collections in eDiscovery (Premium).
+- **In preview**: New support for using the [new query builder to create search queries](/microsoft-365/compliance/ediscovery-query-builder). The query builder option in collection search tool provides a visual filtering experience when you build search queries in Microsoft Purview eDiscovery (Premium).
+- Updates to [clarify the syntax](/microsoft-365/compliance/ediscovery-create-hold-notification) for issuance and release hold notifications for multiple users and email fields.
+- Updates for a [new script](/microsoft-365/compliance/ediscovery-use-content-search-for-targeted-collections#script-to-pull-the-folderid-from-multiple-mailboxes) to pull the FolderID from multiple mailboxes in a content search for targeted collections.
+- Update for [retry hold actions](/microsoft-365/compliance/ediscovery-add-custodians-to-case#retry-hold-action) when custodians are placed on hold.
+- Update for [character and URL limits](/microsoft-365/compliance/ediscovery-limits-for-content-search) when searching SharePoint and OneDrive for Business locations.
+- Clarification for the [data retention](/microsoft-365/compliance/ediscovery-managing-jobs) for job information.
+- Updates for [requirements for decryption](/microsoft-365/compliance/ediscovery-decryption#requirements-for-decryption-in-ediscovery) in eDiscovery.
+- **Article retired**: the *Change the size of PST files when exporting eDiscovery search results* article has been retired.
+ ### Insider risk management - **In preview**: Scan for sensitive information in images with support for [optical character recognition](ocr-learn-about.md).
+- Updates to clarify the [required enterprise apps](/microsoft-365/compliance/ediscovery-premium-get-started#step-4-verify-that-required-ediscovery-apps-are-enabled) needed to access eDiscovery (Premium) view, filter, and search features.
+- Updates to include an [example of remediating errors](/microsoft-365/compliance/ediscovery-error-remediation-when-processing-data#remediating-errors-by-uploading-the-extracted-text) by uploading the extracted text.
### Microsoft Priva
enterprise O365 Data Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/o365-data-locations.md
Previously updated : 08/10/2020 Last updated : 06/22/2023 audience: ITPro
See the following links to understand how you can determine current workload dat
- OneNote Services [Data Location](m365-dr-workload-other.md#onenote-services) - Power Apps for Microsoft 365 [Data Location](m365-dr-workload-other.md#power-apps-for-microsoft-365) - Stream [Data Location](m365-dr-workload-other.md#stream)
+- Shifts [Data Location](/microsoftteams/expand-teams-across-your-org/shifts/shifts-data-faq#where-is-shifts-data-stored)
lighthouse M365 Lighthouse Tenants Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md
The Deployment Plan tab also includes the following options:
[Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md) (article)\ [Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)\ [Manage your tenant list in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenant-list.md) (article)\
-[Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)\
+[Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md) (article)
loop Loop Components Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-configuration.md
+ Last updated : 06/19/2023
+ Title: "Manage Loop components in OneDrive and SharePoint"
++++
+recommendations: true
+audience: Admin
+f1.keywords:
+- NOCSH
+
+ms.localizationpriority: medium
++
+- Strat_SP_admin
+- Microsoft 365-collaboration
+- Tier3
+search.appverid:
+- SPO160
+- MET150
+description: "Learn how to manage Loop components in OneDrive and SharePoint."
++
+# Manage Loop components in OneDrive and SharePoint
+
+Loop experiences on Microsoft 365 OneDrive or SharePoint are backed by .loop files (earlier releases of Loop created these as .fluid files). IT administrators need to manage access to Loop experiences from **BOTH**:
+1. Cloud Policy
+2. SharePoint PowerShell command
+
+If you're looking to manage Loop workspaces in the Loop app, see [Manage Loop workspaces in Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration).
+
+## Requirements
+
+Just like other Microsoft 365 experiences, Loop also leverages core services across SharePoint and Microsoft 365. To effectively enable Loop experiences or OneDrive and SharePoint files-backed experiences powered by Fluid Framework, follow the instructions in [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) to ensure connections to Loop services.
+
+### Microsoft 365 Groups for Cloud Policy
+
+If you want to scope the Cloud Policy settings to only some users in your tenant, you must create or use an existing Microsoft 365 group that defines which users in your organization this policy will apply to. To create a Microsoft 365 group, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups).
+
+> [!NOTE]
+> This section isn't required if you choose to apply the Loop settings to all the users in your tenant.
+
+You'll be able to use this group for the Cloud Policy setup procedure specified in [Settings management in Cloud Policy](#settings-management-in-cloud-policy).
+
+If you prefer, you can also create other types of groups to use with Cloud Policy. For more information, see [learn more about creating groups in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group) or [learn more about creating dynamic groups in AzureAD](/azure/active-directory/external-identities/use-dynamic-groups).
+
+### WebSocket connections
+
+Loop's near real-time communications are enabled by the core services that run a WebSocket server. Coauthors in the same session need to establish secured WebSocket connections to this service to send and receive collaborative data such as changes made by others, live cursors, presence, and so on. These experiences are crucial to Loop, and to all the scenarios powered by Fluid framework. So, at the minimum, WebSocket will need to be unblocked from the user's endpoint.
+
+## Available policy settings
+
+There are several IT Admin settings provided to enable the Loop component experiences across Microsoft 365:
+
+|Configure |Setting Type |Specific Policy |Notes |
+|||||
+|Loop component experiences across Microsoft 365* | Cloud Policy | **Create and view Loop files in Microsoft apps that support Loop** | Applies to: <br/> - Outlook integration<br> - Word for the web integration<br> - Whiteboard integration<br> Does **NOT** apply to:<br> - Loop workspaces<br> - Teams integration |
+|Outlook integration of Loop experiences | Cloud Policy | **Create and view Loop files in Outlook** | First checks **Create and view Loop files in Microsoft apps that support Loop**; then applies **Create and view Loop files in Outlook**, if applicable. |
+|Teams integration | SharePoint property | See [Settings management for Loop components in Teams](#settings-management-for-loop-functionality-in-teams) | *Teams only checks the settings in this row. |
+
+## Example configurations
+
+|Scenario |Policies Configured |
+|||
+|Enable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true` |
+|Enable Loop components everywhere, but Disable integration in Communication app (Outlook, Teams) | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>**Create and view Loop files in Outlook** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false` |
+
+## Settings management in Cloud Policy
+
+The Loop experiences (except for Microsoft Teams) check the following [Cloud Policy](/deployoffice/admincenter/overview-cloud-policy) settings. See [Available policy settings](#available-policy-settings) to understand how each app checks these settings:
+
+- **Create and view Loop files in Microsoft apps that support Loop**
+- **Create and view Loop files in Outlook**
+
+1. Sign in to https://config.office.com/ with your Microsoft 365 admin credentials.
+1. Select **Customization** from the left pane.
+1. Select **Policy Management**.
+1. Create a new policy configuration or edit an existing one.
+1. From the **Choose the scope** dropdown list, choose either **All users** or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](#microsoft-365-groups-for-cloud-policy).
+1. In **Configure Settings**, choose one of the following settings:
+ - For **Create and view Loop files in Microsoft apps that support Loop**:
+ - **Enabled**: Loop experience is available to the users.
+ - **Disabled**: Loop experience isn't available to the users.
+ - **Not configured**: Loop experience is available to the users.
+ - For **Create and view Loop files in Outlook**:
+ - **Enabled**: Loop experience is available to the users.
+ - **Disabled**: Loop experience isn't available to the users.
+ - **Not configured**: Loop experience is available to the users.
+1. Save the policy configuration.
+1. Reassign priority for any security group, if required. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)
+
+In case you create a new policy configuration or change the configuration for an existing policy, there will be a delay in the change being reflected as described below:
+- If there were existing policy configurations prior to the change, then it will take 90 mins for the change to be reflected.
+- If there were no policy configurations prior to the change, then it will take 24 hours for the change to be reflected.
+
+## Settings management for Loop functionality in Teams
+
+You'll need the latest version of SharePoint PowerShell module to enable or disable Loop experiences in Teams. Loop components default to **ON** for all organizations. Because Loop components are designed for collaboration, the components are always shared as editable by others, even if your organization is set to create shareable links that have **view-only** permissions as the default value for other file types. For more information, see the **Learn more** link next to the setting.
+
+|Experience |SharePoint organization properties |Notes |
+||||
+|Loop components in Teams | `IsLoopEnabled` (boolean) | This property controls Loop experiences in Microsoft Teams. |
+|Collaborative meeting notes | `IsCollabMeetingNotesFluidEnabled` (boolean) | This property controls the collaborative meeting notes integration in Microsoft Teams. |
+
+To check your tenant's default file permissions, perform the following steps:
+
+1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com).
+2. Under **Admin centers**, select **SharePoint**.
+3. Select **Policies** > **Sharing**, and under **File and folder links**, view your organization's default file permissions.
+
+To check if Loop components are enabled, run `Get-SPOTenant` without any arguments. Verify the value of `IsLoopEnabled` is *true*.
+
+To enable Loop components in Teams, run `Set-SPOTenant -IsLoopEnabled $true`. The change will take a short time to apply across your organization.
+
+To disable Loop components in Teams, run `Set-SPOTenant -IsLoopEnabled $false`. The change will take a short time to apply across your organization. If your organization has multiple regions (that is, organization URLs), you need to disable loop components for all the regions to have consistent results across the organization.
+
+## Related topics
+
+- [Overview of Loop components in Teams](/microsoftteams/live-components-in-teams)
+- [Use Loop components in Outlook](https://support.microsoft.com/office/9b47c279-011d-4042-bd7f-8bbfca0cb136)
+- [Loop components in Whiteboard](https://support.microsoft.com/office/loop-components-in-whiteboard-c5f08f54-995e-473e-be6e-7f92555da347)
+- [Get started with Microsoft Loop - Microsoft Support](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c)
loop Loop Components Sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-sharepoint.md
- Previously updated : 03/31/2023 Title: "Manage Loop experiences (Loop workspaces and Loop components) in SharePoint"----
-recommendations: true
-- NOCSH----- Strat_SP_admin-- Microsoft 365-collaboration-- Tier3-- SPO160-- MET150
-description: "Learn how to manage Loop experiences (Loop workspaces and Loop components) by using PowerShell and Cloud Policy."
--
-# Manage Loop experiences (Loop workspaces and Loop components) in SharePoint
-
-Loop experiences on Microsoft 365 OneDrive or SharePoint are backed by .fluid or .loop files. IT admins need to manage access to Loop experiences from **BOTH**:
-1. Cloud Policy
-2. SharePoint PowerShell command
-
-## Requirements
-
-Just like other Microsoft 365 experiences, Loop also leverages core services across SharePoint and Microsoft 365. To effectively enable Loop experiences or OneDrive and SharePoint files-backed experiences powered by Fluid Framework, follow the instructions in [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) to ensure connections to Loop services.
-
-#### Microsoft 365 Groups for Cloud Policy
-
-This section is not required if you choose to apply the Loop settings to all the users in your tenant; however, if you want to scope, you must create or use an existing Microsoft 365 group that defines which users in your organization this policy will apply to. You can learn how to create a Microsoft 365 group by visiting [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups).
-
-You'll be able to use this group for the Cloud Policy setup procedure below.
-
-If you prefer, you can also create other types of groups to use with Cloud Policy. See [learn more about creating groups in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group) or [learn more about creating dynamic groups in AzureAD](/azure/active-directory/external-identities/use-dynamic-groups).
-
-#### Exchange Online license
-
-The Loop app currently requires each user to have an Exchange Online license. If not, users will experience failures in the Loop app, be unable to create new Loop workspaces, will not receive notifications or signals when users collaborate and update, and other experiences may also fail.
-
-#### WebSocket connections
-
-Loop's near real-time communications are enabled by the core services that run a WebSocket server. Coauthors in the same session need to establish secured WebSocket connections to this service to send and receive collaborative data such as changes made by others, live cursors, presence, etc. These experiences are crucial to Loop, and all the scenarios powered by Fluid framework. So, at the minimum, WebSocket will need to be unblocked from the user's endpoint.
-
-## Available policy settings
-
-There are several IT Admin settings provided to enable the Loop app and Loop experiences across Microsoft 365:
-
-|Configure|Setting Type|Specific Policy|Notes
-|||||
-|Loop app workspaces|Cloud Policy|**Create and view Loop workspaces in Loop**|*Loop app only checks the setting in this row|
-|Loop component experiences across Microsoft 365*|Cloud Policy|**Create and view Loop files in Microsoft apps that support Loop**|Applies to:<br/>- Outlook integration<br/>- Word for the web integration<br/>- Whiteboard integration<br/>Does NOT apply to:<br/>- Loop app<br/>- Teams integration|
-|Outlook integration of Loop experiences|Cloud Policy|**Create and view Loop files in Outlook**|First checks **Create and view Loop files in Microsoft apps that support Loop**, then applies **Create and view Loop files in Outlook** if applicable|
-|Teams integration|SharePoint property|See [Settings management for Loop components in Teams](#settings-management-for-loop-functionality-in-teams)|*Teams only checks the setting in this row|
-
-## Example configurations
-
-|Scenario|Policies Configured|
-|||
-|Enable Loop workspaces in the app and Loop components everywhere|**Create and view Loop workspaces in Loop** = Enabled<br/>**Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true`|
-|Enable Loop components everywhere<br/>Disable Loop workspaces in the app during public preview|**Create and view Loop workspaces in Loop** = Disabled<br/>**Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true`|
-|Enable Loop components everywhere, but Disable in eCommunication (Outlook, Teams)<br/>Disable Loop workspaces in the app during public preview|**Create and view Loop workspaces in Loop** = Disabled<br/>**Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>**Create and view Loop files in Outlook** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false`|
-
-## Settings management in Cloud Policy
-
-The Loop experiences (except for Microsoft Teams) check the following Cloud Policy settings. See [Available policy settings](#available-policy-settings) to understand how each app checks these settings:
--- **Create and view Loop files in Microsoft apps that support Loop**-- **Create and view Loop files in Outlook**-- **Create and view Loop workspaces in Loop**
- - Note: this policy was previously mistitled 'Create and view Loop files in Loop'
-
-See the [Cloud Policy](/deployoffice/admincenter/overview-cloud-policy) setting templates for more information on the settings above.
-
-> [!TIP]
-> If you're new to Cloud Policy and looking to enable the Loop app for your organization during the public preview, you may appreciate a more step by step document for how to roll out Cloud Policy settings to your tenant. If so, check out this Tech Community blog: [Learn how to enable the Microsoft Loop app, now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-365-blog/learn-how-to-enable-the-microsoft-loop-app-now-in-public-preview/ba-p/3769013).
-
-To configure these Cloud Policy settings:
-1. Sign in to https://config.office.com/ with your Microsoft 365 admin credentials.
-2. Select **Customization** from the left pane.
-3. Select **Policy Management**.
-4. Create a new policy configuration or edit an existing one.
-5. In **Choose the scope**, choose either the "all users" option or select the group for which you want to apply the policy. See [Microsoft 365 Groups for Cloud Policy](#microsoft-365-groups-for-cloud-policy) for more information.
-6. In **Configure Settings**, choose one of the settings listed at the top of this section.
-7. In configuration setting, choose one of the following:
- - For **Create and view Loop files in Microsoft apps that support Loop**
- - **Enabled**: Loop experience is available to users.
- - **Disabled**: Loop experience is not available to users.
- - **Not configured**: Loop experience is available to users.
- - For **Create and view Loop files in Outlook**
- - **Enabled**: Loop experience is available to users.
- - **Disabled**: Loop experience is not available to users.
- - **Not configured**: Loop experience is available to users.
- - For **Create and view Loop workspaces in Loop**
- - **Enabled**: Loop app and creation of workspaces is available to users.
- - **Disabled**: Loop app creation of workspaces is not available to users.
- - **Not configured**: Loop app and creation of workspaces is not available to users.
- - Loop during Public Preview is IT Admin Opt-in by default.
- - Loop app will still open Loop components when workspaces is disabled. If this is not rolled out to your environment, Loop component will open in Office.com.
- - Ensure additional [Loop service requirements](#requirements) are met.
-8. Save the policy configuration.
-9. Reassign priority for any security group if required. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)
-10. In case you create a new policy configuration or change the configuration for an existing policy, there will be a delay in the change being reflected as follows:
- - If there were existing policy configurations prior to the change, then it will take 90 mins for the change to be reflected.
- - If there were no policy configurations prior to the change then it will take 24 hours for the change to be reflected.
-
-## Settings management for Loop functionality in Teams
-
-You'll need the latest version of SharePoint PowerShell module to enable or disable Loop experiences in Teams. Loop components default to ON for all organizations. Because Loop components are designed for collaboration, the components are always shared as editable by others, even if your organization is set to default to view-only for other file types. See the Learn more link next to the setting for more details.
-
-|Experience|SharePoint organization properties|Notes|
-||-||
-|Loop components in Teams|`IsLoopEnabled` (boolean)|This property controls Loop experiences in Microsoft Teams. |
-|Collaborative meeting notes|`IsCollabMeetingNotesFluidEnabled` (boolean)|This property controls the collaborative meeting notes integration in Microsoft Teams.|
-
-To check your tenant's default file permissions
-
-1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com).
-2. Under Admin centers, select **SharePoint**.
-3. Select **Policies** > **Sharing**, and under **File and folder links**, view your organization's default file permissions.
-
-To check if Loop components are enabled, run `Get-SPOTenant` without any arguments. Verify the value of IsLoopEnabled is true.
-
-To enable Loop components in Teams, run `Set-SPOTenant -IsLoopEnabled $true`. The change will take a short time to apply across your organization.
-
-The feature will be available on Teams Windows Desktop, Mac, iOS, Android, and web. When enabled, users will see a new option for inserting Loop components in the message compose experience for these clients.
-
-To disable Loop components in Teams, run `Set-SPOTenant -IsLoopEnabled $false`. The change will take a short time to apply across your organization. If your organization has multiple regions (that is, organization URLs), you need to disable loop components for all the regions to have consistent results across the organization.
-
-## eDiscovery for Loop components
-
-Loop components created in Teams or Outlook are discoverable and have eDiscovery workflow support using the Microsoft Purview tool. Currently, these files are stored in the creatorΓÇÖs OneDrive and are available for search and collection, and render in review for both eDiscovery (Standard) and eDiscovery (Premium). The HTML offline export format is supported on eDiscovery (Premium). You can also download and re-upload the files to any OneDrive to view them in their native format.
-
-Microsoft is currently working on a third-party export API solution for Loop components.
-
-> [!NOTE]
-> The Loop app and content created in the Loop app does not yet support eDiscovery workflows.
-
-## Related topics
-
-[Get started with Microsoft Loop - Microsoft Support](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c)
-
-[Overview of Loop components in Teams](loop-components-teams.md)
-
-[Use Loop components in Outlook](https://support.microsoft.com/office/9b47c279-011d-4042-bd7f-8bbfca0cb136)
-
-[Use Loop components in Word for the web](https://support.microsoft.com/office/645cc20d-5c98-4bdb-b559-380c5a27c5e5)
-
-[Loop components in Whiteboard](https://support.microsoft.com/office/c5f08f54-995e-473e-be6e-7f92555da347)
loop Loop Components Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-teams.md
appliesto:
# Overview of Loop components in the Microsoft 365 ecosystem
-Loop components in Teams chat, Outlook emails, Whiteboards, or other places in the Microsoft 365 ecosystem offer a new way to ideate, create, and make decisions together. Send a component - like a table, task list, or paragraph ΓÇö where everyone in your chat, email or document can edit inline and see changes as they're made.
+Loop components in Teams chat, Outlook emails, Whiteboards, or other places in the Microsoft 365 ecosystem offer a new way to ideate, create, and make decisions together. Send a component - like a table, task list, or paragraph ΓÇö where everyone in your chat, email, or document can edit inline and see changes as they're made.
> [!Note]
-> Loop components is the first feature of the [Microsoft Loop app](https://www.microsoft.com/en-us/microsoft-loop) to become available in Teams, Outlook, Whiteboard and Word for the web.
+> Loop components is the first feature of the [Microsoft Loop app](https://www.microsoft.com/en-us/microsoft-loop) to become available in Teams.
**Get tasks done faster together.** Crowd-source an agenda, track a group's action items, or take notes collectively. These are just a few scenarios made easier with Loop components.
-**Share components.** In this release, you can share Loop components into different Teams chats, Outlook emails, Whiteboards and other places in the Microsoft 365 ecosystem. Recipients can edit from wherever they are and see updates instantly no matter where the changes were made.
+**Share components.** In this release, you can share Loop components into different Teams chats, Outlook emails, Whiteboards, and other places in the Microsoft 365 ecosystem. Recipients can edit from wherever they are and see updates instantly, no matter where the changes were made.
-**Start in chat or email, build from there.** Every component you create from Teams chat or Outlook email is automatically saved to a file in OneDrive. So, you might begin collaborating in chat then later move to the file in a full tab on Office.com, where you have a larger visual space for editing and can add as many components as you like.
+**Start in chat or email, build from there.** Every component you create from Teams chat or Outlook email is automatically saved to a file in OneDrive. So, you might begin collaborating in chat; then, later move to the file in a full tab on Office.com, where you have a larger visual space for editing and can add as many components as you like.
-For information on admin settings for Loop components in Teams, see [Manage Loop components in SharePoint and OneDrive](loop-components-sharepoint.md).
+For information on admin settings for Loop components in Teams, see [Settings management in Cloud Policy](loop-workspaces-configuration.md#settings-management-in-cloud-policy).
## Clients and platforms
-Available on Teams apps on Windows, Mac, iOS, Android, and web.
-Available on Outlook apps on Windows and web.
-Available on Whiteboard apps on Windows, Surface, iOS, Android, and web. iOS and Android are view and edit but users cannot paste new ones.
+- Available on Teams apps on Windows, Mac, iOS, Android, and web.
+- Available on Outlook apps on Windows and web.
+- Available on Whiteboard apps on Windows, Surface, iOS, Android, and web. iOS and Android are "view and edit" but users can't paste new ones.
## Loop components and .loop files
-Loop components created in Teams, Outlook are backed by a .loop (earlier versions of Loop created .fluid) file stored in the creator's OneDrive. Being a file in OneDrive means that users can create, discover, and manage Loop components (.loop files) as easily as any Office document.
+Loop components created in Teams, Outlook are backed by a .loop (earlier versions of Loop-created .fluid) file stored in the creator's OneDrive. A file being in OneDrive means that users can create, discover, and manage Loop components (.loop files) as easily as any Office document.
## How are .loop files stored?
-.loop files appear on Office.com and OneDrive, such as in the Recent and Recommended areas. Users can search for content in .loop files from Office.com and OneDrive. .loop files can be restored to previous versions from OneDrive. To create Loop components chat or email creators must have a OneDrive account. Without a valid OneDrive account, chat or email creators might still be able to collaborate on a component created by other users who have a valid OneDrive account, but can't create their own.
+The .loop files appear on Office.com and OneDrive, such as in the Recent and Recommended areas. Users can search for content in .loop files from Office.com and OneDrive. The .loop files can be restored to previous versions from OneDrive. To create Loop components, chat or email creators must have a OneDrive account. Without a valid OneDrive account, chat or email creators might still be able to collaborate on a component created by other users who have a valid OneDrive account, but can't create their own Loop components.
-Moving a .loop file from OneDrive to a SharePoint site will result in the live component failing to load in Teams chat, Outlook email, or any other place it was previously shared.
+Moving a .loop file from OneDrive to a SharePoint site will result in the Live component failing to load in Teams chat, Outlook email, or any other place it was previously shared to.
## What happens if the owner of the file leaves the company?
-OneDrive retention policies apply to .loop files just as they do to other content created by the user.
+OneDrive retention policies apply to the .loop files just as they do to other content created by the user.
## How are .loop files shared?
-Loop components can be inserted in Teams chat, Outlook email, etc., or copied from one chat, email, etc. to another. (Loop components aren't yet supported in Teams channels.) They default to the organization's existing permissions, but users can change permissions before sending to ensure everyone has access.
+Loop components can be inserted in Teams chat, Outlook email, and so on, or be copied from one chat, email, and so on, to another. (Loop components aren't yet supported in Teams channels.) They default to the organization's existing permissions, but users can change permissions before sending to ensure everyone has access.
Opening components from Teams chat, Outlook email, or Whiteboard in Office.com offers share functionality at the top of the window, similar to the sharing options offered for other Office documents.
Version History allows you to review, restore, or copy from previous versions of
## What apps can open and edit .loop files?
-.loop files can only be opened as links in your browser, such as Office.com, and as Loop components in Teams chat, Outlook email, Whiteboard, and Word for the web. If downloaded, they can't be opened again without first uploading them back to OneDrive or SharePoint.
+The .loop files can only be opened as links in your browser, such as Office.com, and as Loop components in Teams chat, Outlook email, Whiteboard, and Word for the web. If downloaded, they can't be opened again without first uploading them back to OneDrive or SharePoint.
## Do .loop (and .fluid) files support eDiscovery?
-Loop components created in Teams, Outlook, Word for the web, are discoverable and have eDiscovery workflow support using the Microsoft Purview tool. Currently, these files are stored in the creatorΓÇÖs OneDrive and are available for search and collection, and render in review for both eDiscovery (Standard) and eDiscovery (Premium). The HTML offline export format is supported on eDiscovery (Premium). You can also download and re-upload the files to any OneDrive to view them in their native format.
+Loop components created in Teams, Outlook, and Word for the web, are discoverable and have eDiscovery workflow support using the Microsoft Purview tool. Currently, these files are stored in the creatorΓÇÖs OneDrive and are available for search and collection, and render in review for both eDiscovery (Standard) and eDiscovery (Premium). The HTML offline export format is supported on eDiscovery (Premium). You can also download and re-upload the files to any OneDrive to view them in their native format.
Microsoft is currently working on a third-party graph export API solution for Loop components. ## If Loop is disabled from the admin switch, what will the user experience be?
-If you disable these experiences as outlined in the [Settings management for Loop functionality in Teams](loop-components-sharepoint.md#settings-management-for-loop-functionality-in-teams) section, or disable these experiences as outlined in the [Settings management in Cloud Policy](loop-components-sharepoint.md#settings-management-in-cloud-policy) section, the following experience changes will apply:
--- The create/insert entry point within Teams messaging and Outlook email will be hidden. Users won't be able to create new .loop files.
+If you disable these experiences as outlined in the [Settings management](loop-workspaces-configuration.md#settings-management-in-cloud-policy) section, the following experience-changes will apply:
+- The create/insert entry point within Teams messaging and Outlook email will be hidden. The users won't be able to create new .loop files.
- Existing messages that would have formerly rendered as an interactive Loop component will instead render as a hyperlink. No interactive content will be displayed within the app that Loop components have been disabled in.-- When an end-user clicks on the hyperlink or browses to a .loop file in OneDrive for Business and clicks to open, it will open in a separate browser tab. End-users will still be able to edit the file.
+- When you click on the hyperlink or browse to a .loop file in OneDrive for Business and click it to open, it will open in a separate browser tab. You will still be able to edit the file.
## Known issues - With tenant default file permissions set to *Specific people* (only the people the user specifies), copying the link to the Loop component and pasting it in another Teams chat requires the sender to use the permissions dialog and add the recipients in the Specific people option to grant access properly.-- With tenant default file permissions set to *Specific people* (only the people the user specifies), creating a Loop component in group chat with more than 20 members will require the sender to manually select the permission options for the component.-- Searching for Loop components in Teams search or Outlook email search will return a link to the component in office.com, not the message itself that contained the Loop component link.
+- With tenant default file permissions set to *Specific people* (only the people the user specifies), creating a Loop component in a group chat with more than 20 members requires the sender to manually select the permission options for the component.
+- Searching for Loop components in Teams search or Outlook email search returns a link to the component in Office.com, not the message itself that contained the Loop component link.
- Loop components are disabled in federated chats. - Guests won't be able to view or collaborate on a Loop component. - External recipients of emails won't be able to view or collaborate on a Loop component. - Loop components aren't supported in Teams channels.-- Loop components won't load only if file was moved to a different library. If file is moved to different folder within the same library then it will continue to load in the message containing the link to the Loop component.
+- Loop components won't load only if the file was moved to a different library. If the file is moved to different folder within the same library, then the Loop components continue to load in the message containing the link to the Loop component.
## Related topics
loop Loop Workspaces Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-workspaces-configuration.md
+ Last updated : 06/19/2023
+ Title: "Manage Loop workspaces in Syntex repository services"
++++
+recommendations: true
+audience: Admin
+f1.keywords:
+- NOCSH
+
+ms.localizationpriority: medium
++
+- Strat_SP_admin
+- Microsoft 365-collaboration
+- Tier3
+search.appverid:
+- SPO160
+- MET150
+description: "Learn how to manage Loop workspaces in Syntex repository services."
++
+# Manage Loop workspace experiences in Syntex repository services
+
+Loop workspaces and the content created in Loop workspaces are backed by [Syntex repository services](https://devblogs.microsoft.com/microsoft365dev/introducing-syntex-repository-services-microsoft-365-superpowers-for-your-app/). IT admins can manage access to Loop workspaces experiences using Cloud Policy.
+
+If you're looking to manage Loop components in the Microsoft 365 ecosystem, visit [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration).
+
+## Requirements
+
+Just like other Microsoft 365 experiences, Loop also leverages core services across SharePoint and Microsoft 365. To effectively enable Loop workspace experiences, follow the instructions in [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) to ensure connections to Loop services.
+
+### Microsoft 365 Groups for Cloud Policy
+
+If you want to scope the Cloud Policy settings to only some users in your tenant, you must create or use an existing Microsoft 365 group that defines which users in your organization this policy will apply to. To create a Microsoft 365 group, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups).
+
+> [!NOTE]
+> This section isn't required if you choose to apply the Loop settings to all the users in your tenant.
+
+You'll be able to use this group for the Cloud Policy setup procedure specified in [Settings management in Cloud Policy](#settings-management-in-cloud-policy).
+
+If you prefer, you can also create other types of groups to use with Cloud Policy. For more information, see [learn more about creating groups in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group) or [learn more about creating dynamic groups in AzureAD](/azure/active-directory/external-identities/use-dynamic-groups).
+
+### Exchange Online license
+
+Loop workspaces currently require each user to have an Exchange Online license. If not, users will experience failures in the Loop app; won't receive notifications or signals when they collaborate and update; and encounter failures in other experiences also.
+
+### WebSocket connections
+
+Loop's near real-time communications are enabled by the core services that run a WebSocket server. Coauthors in the same session need to establish secured WebSocket connections to this service to send and receive collaborative data such as changes made by others, live cursors, presence, and so on. These experiences are crucial to Loop, and to all the scenarios powered by Fluid framework. So, at the minimum, WebSocket will need to be unblocked from the user's endpoint.
+
+## Settings management in Cloud Policy
+
+The Loop app checks the following Cloud Policy setting to see if workspaces are enabled:
+
+- **Create and view Loop workspaces in Loop**
+
+ > [!NOTE]
+ > This policy was previously mistitled **Create and view Loop files in Loop**.
+
+ > [!TIP]
+ > If you're new to Cloud Policy and are looking to enable the Loop app for your organization during the public preview, you may appreciate a step-by-step document that describes how to roll out Cloud Policy settings to your tenant. Check out this Tech Community blog: [Learn how to enable the Microsoft Loop app, now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-365-blog/learn-how-to-enable-the-microsoft-loop-app-now-in-public-preview/ba-p/3769013).
+
+To configure these Cloud Policy settings, perform the following steps:
+
+1. Sign in to https://config.office.com/ with your Microsoft 365 admin credentials.
+1. Select **Customization** from the left pane.
+1. Select **Policy Management**.
+1. Create a new policy configuration or edit an existing one.
+1. From the **Choose the scope** dropdown list, choose either **All users** or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](#microsoft-365-groups-for-cloud-policy).
+1. In **Configure Settings**, choose **Create and view Loop workspaces in Loop** and then choose one of the following settings:
+ - **Enabled**: Loop app and creation of workspaces is available to the users.
+ - **Disabled**: Loop app and creation of workspaces isn't available to the users.
+ - **Not configured**: Loop app and creation of workspaces isn't available to the users.
+ - Loop during Public Preview is **IT Admin Opt-in** by default.
+ - Loop app will still open Loop components when workspaces is disabled. If this isn't rolled out to your environment, Loop components will open in Office.com.
+ - Ensure additional [Loop service requirements](#requirements) are met.
+1. Save the policy configuration.
+1. Reassign priority for any security group, if required. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)
+
+In case you create a new policy configuration or change the configuration for an existing policy, there will be a delay in the change being reflected as described below:
+- If there were existing policy configurations prior to the change, then it will take 90 mins for the change to be reflected.
+- If there were no policy configurations prior to the change, then it will take 24 hours for the change to be reflected.
+
+## eDiscovery for Loop workspaces and content created in Loop workspaces
+
+Loop workspaces and the content created in Loop workspaces don't yet support eDiscovery workflows.
+
+## Related topics
+
+[Get started with Microsoft Loop - Microsoft Support](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c)
loop Loop Workspaces Storage Permission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-workspaces-storage-permission.md
+
+ Title: Overview of Loop workspaces storage and permissions
+++
+audience: Admin
+++ Last updated : 06/20/2023
+ms.localizationpriority: medium
+search.appverid: MET150
+
+ - M365-collaboration
+description: Learn about Loop workspaces storage and permissions in the Microsoft 365 ecosystem.
+f1.keywords:
+- CSH
+
+ - NewAdminCenter_Update
+ - chat-teams-channels-revamp
+appliesto:
+ - Microsoft Teams
++
+# Overview of Loop workspaces storage and permissions
+
+Microsoft [Syntex repository services](https://devblogs.microsoft.com/microsoft365dev/introducing-syntex-repository-services-microsoft-365-superpowers-for-your-app/) powered by SharePoint platform stores all Loop app content. All Loop workspaces, pages, and components created in the Loop app are stored in a container in the Syntex repository service, which is designated for that specific workspace.
+
+> [!NOTE]
+> There are limited security and compliance capabilities available specifically for the Loop app.
+
+Separately, Loop components created outside of the Loop app in other Microsoft 365 apps (such as [Teams](https://support.microsoft.com/office/first-things-to-know-about-loop-components-in-microsoft-teams-ee2a584b-5785-4dd6-8a2d-956131a29c81), [Outlook](https://support.microsoft.com/office/use-loop-components-in-outlook-9b47c279-011d-4042-bd7f-8bbfca0cb136), [Whiteboard](https://support.microsoft.com/office/loop-components-in-whiteboard-c5f08f54-995e-473e-be6e-7f92555da347), [Word for the web](https://support.microsoft.com/office/use-loop-components-in-word-for-the-web-645cc20d-5c98-4bdb-b559-380c5a27c5e5)) are stored in the creator's OneDrive. For example, if User A creates a Loop component within a Teams chat with User B, that Loop component is stored in User A's OneDrive and is shared with User B.
+
+## Loop app's usage of organization's storage quota
+
+Loop app workspaces are stored inside your tenant. During Public Preview, Loop app's content will **not** use your existing storage quota.
+
+## Content permissions mechanism
+
+Each Loop app workspace uses storage for the workspace in [Syntex repository services](https://devblogs.microsoft.com/microsoft365dev/introducing-syntex-repository-services-microsoft-365-superpowers-for-your-app/). Additionally, the Loop app creates a roster for that workspace to govern access to the full workspace. When pages are shared from the workspace, we create a sharing link using your company's default sharing link type as configured for OneDrive and SharePoint.
+
+Sharing the workspace in Loop adds the user to the workspace roster. All workspace roster members have access and "*editing*" permissions to all the Loop pages in that workspace.
++
+There's a distinction between sharing a specific Loop page with a user versus inviting them to a Workspace.
+
+When you invite a user to a workspace, that user has access to all the pages in that workspace. Loop only supports inviting users to a workspace via this Workspace roster management flow, which enables access and sends an email invite to the invited users.
+
+When you share only a Loop page, you're giving users access to that specific page exclusively (not the whole workspace). The user can choose to use a company share link or people-specific share link; unless their tenant admin has disabled some of the share link types. When sharing a page, you can choose to grant the user "*edit*" or "*read only*" access.
+
+## Loop workspaces and Microsoft 365 groups
+
+Loop workspaces don't use Microsoft 365 groups for access management, instead they create a roster for access management.
+
+## Storage management after user departure
+
+### In the Loop app
+
+The Loop app is designed for shared workspaces and personal workspaces.</br>
+Shared workspaces are backed by a roster and continue to exist even if someone leaves the company. However, if the creator of the workspace is the person who left the company, then others can't delete the workspace.
+
+Personal workspaces are also backed by a roster, but there's only one person in them by design. When a user leaves a company, their personal workspaces become "ownerless".
+
+### In Loop components created in Microsoft 365 outside of the Loop app
+
+Loop components created outside of the Loop are stored in the OneDrive of the person who created the component. Therefore, if that user leaves the organization, the standard OneDrive IT policy is applied.
+
+## Management of Loop app's storage
+
+Admin management capabilities are not yet available to enumerate, manage, delete and recover Loop content in Syntex repository storage. Therefore, an admin cannot yet query for ownerless workspaces, directly manage the rosters for workspaces, or restore workspaces deleted by end-users.
+
+## Pricing and licensing model for Loop app
+
+Loop app is free during public preview. Post-preview pricing and licensing requirements for the Loop app are yet to be determined.
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
Last updated 12/18/2020
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-> [!NOTE]
->**Before you begin**:
-You first need to [create an app](/microsoft-365/security/defender-endpoint/apis-intro).
- In this section you will learn to create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API, and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
When adding exclusions, keep in mind:
2. Attack surface reduction rules for managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged, while those that are in conflict aren't added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: - Attack surface reduction rules from the following profiles are evaluated for each device to which the rules apply:
- - Devices > Configuration policy > Endpoint protection profile > **Microsoft Defender Exploit Guard** > [Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).
+ - Devices > Configuration profiles > Endpoint protection profile > **Microsoft Defender Exploit Guard** > [Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules).
- Endpoint security > **Attack surface reduction policy** > [Attack surface reduction rules](/mem/intune/protect/endpoint-security-asr-policy#devices-managed-by-intune). - Endpoint security > Security baselines > **Microsoft Defender ATP Baseline** > [Attack Surface Reduction Rules](/mem/intune/protect/security-baseline-settings-defender-atp#attack-surface-reduction-rules). - Settings that don't have conflicts are added to a superset of policy for the device.
security Enable Troubleshooting Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode.md
During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc
- Microsoft Defender Antivirus functional troubleshooting /application compatibility (false positive application blocks).
- - Microsoft Defender Antivirus performance troubleshooting by using troubleshooting mode and manipulating tamper protection and other antivirus settings.
--- If a tampering event occurs (for example, the `MpPreference` snapshot is altered or deleted), troubleshooting mode ends and tamper protection is re-enabled on the device.- - Local admins, with appropriate permissions, can change configurations on individual endpoints that are usually locked by policy. Having a device in troubleshooting mode can be helpful when diagnosing Microsoft Defender Antivirus performance and compatibility scenarios. - Local admins won't be able to turn off Microsoft Defender Antivirus, or uninstall it.
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
Last updated 12/18/2020
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. > [!IMPORTANT]
-> The exclusions described in this article don't apply to other Defender for Endpoint on Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+> The exclusions described in this article don't apply to other Defender for Endpoint on Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. For EDR exclusions, [contact support](/microsoft-365/admin/get-help-support).
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux scans.
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
Title: Set preferences for Microsoft Defender for Endpoint on Mac
description: Configure Microsoft Defender for Endpoint on Mac in enterprise organizations. keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, management, preferences, enterprise, intune, jamf, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 06/22/2023 # Set preferences for Microsoft Defender for Endpoint on macOS
The following configuration profile (or, in case of JAMF, a property list that c
<key>tamperProtection</key> <dict> <key>enforcementLevel</key>
- <string>block</key>
+ <string>block</string>
</dict> </dict> </array>
security Network Protection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-macos.md
Network protection expands the scope of Microsoft 365 Defender [SmartScreen](/wi
## Availability
-Network Protection for macOS will soon be available for all Microsoft Defender for Endpoint onboarded macOS devices which meet the minimum requirements. Microsoft will begin incrementally rolling out the functionality for all macOS devices to enable Network Protection on 1/31/2023 with target completion, subject to change, in May 2023. When this feature rolls to production, all of your currently configured Network Protection and Web Threat Protection policies will be enforced on macOS devices where Network Protection is configured for block mode.
+Network Protection for macOS is now available for all Microsoft Defender for Endpoint onboarded macOS devices that meet the minimum requirements. All of your currently configured Network Protection and Web Threat Protection policies will be enforced on macOS devices where Network Protection is configured for block mode.
-To prepare for the macOS network protection rollout, we recommend the following:
+To roll out Network Protection for macOS, we recommend the following:
-- For Network Protection for macOS to be active on your devices, Network Protection must be enabled by your organization. We suggest deploying the audit or block mode policy to a small set of devices and verify there are no issues or broken workstreams before gradually deploying to a larger set of devices.-- Verify the Network Protection configuration on your macOS devices is set to the desired state.-- Understand the impact of your Web Threat Protection, Custom Indicators of Compromise, Web Content Filtering, and MDA Endpoint Enforcement policies which target those macOS devices where Network Protection is in Block mode.
+- Create a device group for a small set of devices that you can use to test Network Protection.
+- Evaluate the impact of Web Threat Protection, Custom Indicators of Compromise, Web Content Filtering, and Microsoft Defender for Cloud Apps enforcement policies that target those macOS devices where Network Protection is in Block mode.
+- Deploy an audit or block mode policy to this device group and verify there are no issues or broken workstreams.
+- Gradually deploy Network Protection to a larger set of devices until completely rolled out.
-## New and updated capabilities
+## Current capabilities
-- You can run your corporate VPN in tandem or "side by side" with network protection. Currently, no VPN conflicts are identified. If you do experience conflicts, you can provide feedback through the feedback channel listed at the bottom of this page.
- - Web content filtering is supported with network protection for macOS.
- - If network protection is configured and active on the device, web content filtering (WCF) policies created in the MDEP Portal are respected in browsers, including Chromium Microsoft Edge for macOS. Web content filtering in Microsoft Edge on Mac currently requires network protection; other E5 features, such as Microsoft Defender for Cloud Apps or Custom Indicators, currently also require network protection.
+- Custom Indicators of Compromise on Domains and IPs.
+- Web Content Filtering support:
+ - Block website categories scoped to device groups through policies created in the MDEP portal.
+ - Policies are applied to browsers, including Chromium Microsoft Edge for macOS.
+- Advanced Hunting - Network Events will be reflected in the Machine Timeline, and queryable in Advanced Hunting to aid security investigations.
+- Microsoft Defender for Cloud Apps:
+ - Shadow IT discovery - Identify which apps are being used in your organization.
+ - Block applications - Block entire applications (such as Slack and Facebook) from being used in your organization.
+- Corporate VPN in tandem or side-by-side with Network Protection:
+ - Currently, no VPN conflicts are identified.
+ - If you do experience conflicts, you can provide feedback through the feedback channel listed at the bottom of this page.
### Known issues
To prepare for the macOS network protection rollout, we recommend the following:
> [!NOTE] >
-> Microsoft Edge for macOS does not currently support web content filtering, custom indicators, or other enterprise features. However, network protection will provide this protection to Microsoft Edge for macOS as well if network protection is enabled.
+> Microsoft Edge for macOS does not currently support web content filtering, custom indicators, or other enterprise features. However, network protection will provide this protection to Microsoft Edge for macOS if network protection is enabled.
## Prerequisites
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
Once you have selected **Isolate device** on the device page, type a comment and
> [!NOTE] > The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
+### Forcibly release device from isolation
+
+The device isolation feature is an invaluable tool for safeguarding devices against external threats. However, there are instances when isolated devices become unresponsive.<br>
+There's a downloadable script for these instances that you can run to forcibly release devices from isolation. The script is available through a link in the UI.
+
+> [!NOTE]
+> - Admins and manage security settings in Security Center permissions can forcibly release devices from isolation.
+> - The script is valid for the specific device only.
+> - The script will expire in three days.
+
+To forcibly release device from isolation:
+
+1. On the device page, select **Download script to force-release a device from isolation** from the action menu.
+1. On the right-hand side wizard, select **Download script**.
+
+#### Minimum requirements
+The minimum requirements for 'forcibly release device from isolation' feature are:
+
+- Supports only Windows
+- The following Windows versions are supported:
+ - Windows 10 21H2 and 22H2 with KB KB5023773
+ - Windows 11 version 21H2, all editions with KB5023774
+ - Windows 11 version 22H2, all editions with KB5023778
+
+ ### Notification on device user When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the deployment tools used do not indicate an error in the onboarding process,
|`63`|Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Identify what is causing changes in start type of mentioned service. If the exit code isn't 0, fix the start type manually to expected start type.| |`64`|Starting stopped external service. Name: %1, exit code: %2|Contact support if the event keeps re-appearing.| |`68`|The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3|Identify what is causing changes in start type. Fix mentioned service start type.|
- |`69`|The service is stopped. Service name: %1|Start the mentioned service. Contact support if persists.|
+ |`69`|The service is stopped. Service name: %1|Start the mentioned service. Contact support if the issue persists.|
| There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
There are additional components on the device that the Microsoft Defender for En
### Ensure the diagnostic data service is enabled
+ > [!NOTE]
+ > In Windows 10 build 1809 and later, the Defender for Endpoint EDR service no longer has a direct dependency on the DiagTrack service.
+ > The EDR cyber evidence can still be uploaded if this service is not running.
+ If the devices aren't reporting correctly, you might need to check that the Windows diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
security Update Agent Mma Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-agent-mma-windows.md
ms.localizationpriority: medium Previously updated : 06/20/2023 Last updated : 06/21/2023 audience: ITPro
search.appverid: met150
# Updating MMA on Windows devices for Microsoft Defender for Endpoint
+> [!IMPORTANT]
+> If you've arrived on this page as a result of clicking on a notification at the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), you have devices in your environment with outdated agents, and you need to take action (see below) to avoid service disruption. For more details, please reference message center post MC598631 (requires access to [Message Center](/microsoft-365/admin/manage/message-center])).
+ **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
Title: Web content filtering description: Use web content filtering in Microsoft Defender for Endpoint to track and regulate access to websites based on their content categories.
-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Previously updated : 01/31/2023 Last updated : 06/22/2023 audience: ITPro
Use the time range filter at the top left of the page to select a time period. Y
### Known issues and limitations
-Only Microsoft Edge is supported if your device's OS configuration is Server (**cmd** \> **Systeminfo** \> **OS Configuration**). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported third-party browsers.
-
-Only Microsoft Edge is supported and network protection is not supported on Windows Azure Virtual Desktop multi-session hosts.
- Network protection does not currently support SSL inspection, which might result in some sites being allowed by web content filtering that would normally be blocked. Sites would be allowed due to a lack of visibility into encrypted traffic after the TLS handshake has taken place and an inability to parse certain redirects. This includes redirections from some web-based mail login pages to the mailbox page. As an accepted workaround, you can create a custom block indicator for the login page to ensure no users are able to access the site. Keep in mind, this might block their access to other services associated with the same website. If you are using Microsoft 365 Business Premium or Microsoft Defender for Business, you can define one web content filtering policy for your environment. That policy will apply to all users by default.
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) - [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
+## June 2023
+
+- Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see [Take response actions on a device in Microsoft Defender for Endpoint](respond-machine-alerts.md).
+ ## May 2023 - Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and does not change the security posture of your system drive or other drives. For more information, see [Protecting Dev Drive using performance mode](microsoft-defender-endpoint-antivirus-performance-mode.md).
security Advanced Hunting Identityinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md
For information on other tables in the advanced hunting schema, [see the advance
| Column name | Data type | Description | |-|--|-|
+| `Timestamp` [*](#mdi-only) | `datetime` | The date and time that the line was written to the database. <br><br>This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. |
| `AccountObjectId` | `string` | Unique identifier for the account in Azure AD | | `AccountUpn` | `string` | User principal name (UPN) of the account | | `OnPremSid` | `string` | On-premises security identifier (SID) of the account |
+| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
+| `AccountName` | `string` | User name of the account |
+| `AccountDomain` | `string` | Domain of the account |
+| `DistinguishedName` [*](#mdi-only) | string | The user's [distinguished name](/windows/desktop/ldap/distinguished-names) |
| `CloudSid` | `string` | Cloud security identifier of the account | | `GivenName` | `string` | Given name or first name of the account user | | `Surname` | `string` | Surname, family name, or last name of the account user |
-| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
| `Department` | `string` | Name of the department that the account user belongs to | | `JobTitle` | `string` | Job title of the account user |
-| `AccountName` | `string` | User name of the account |
-| `AccountDomain` | `string` | Domain of the account |
| `EmailAddress` | `string` | SMTP address of the account | | `SipProxyAddress` | `string` | Voice over IP (VOIP) session initiation protocol (SIP) address of the account | | `City` | `string` | City where the account user is located | | `Country` | `string` | Country/Region where the account user is located | | `IsAccountEnabled` | `boolean` | Indicates whether the account is enabled or not |
+| `Manager` [*](#mdi-only) | `string` | The listed manager of the account user |
+| `Phone` [*](#mdi-only) | `string` | The listed phone number of the account user|
+| `CreatedDateTime` [*](#mdi-only) | `datetime` | The date and time that the user was created|
+| `SourceProvider` [*](#mdi-only) | `string` |The identity's source, such as Azure Active Directory, Active Directory, or a [hybrid identity](/azure/active-directory/hybrid/what-is-provisioning) synchronized from Active Directory to Azure Active Directory |
+| `ChangeSource` [*](#mdi-only) | `string` |Identifies which identity provider or process triggered the addition of the new row. For example, the `System-UserPersistence` value is used for any rows added by an automated process.|
+| `Tags` [*](#mdi-only) | `dynamic` | Tags assigned to the account user by Defender for Identity |
+| `AssignedRoles` [*](#mdi-only) | `dynamic` | For identities from Azure Active Directory only, the roles assigned to the account user|
+
+<a name="mdi-only"></a>* Available only for tenants with [Microsoft Defender for Identity](microsoft-365-security-center-mdi.md) deployed.
## Related topics
security Advanced Hunting Urlclickevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-urlclickevents-table.md
For information on other tables in the advanced hunting schema, see [the advance
| `IPAddress` | `string` | Public IP address of the device from which the user clicked on the link| | `ThreatTypes` | `string` | Verdict at the time of click, which tells whether the URL led to malware, phish or other threats| | `DetectionMethods` | `string` | Detection technology that was used to identify the threat at the time of click|
-| `IsClickedThrough` | `bool` | Indicates whether the user was able to click through to the original URL or wasn't allowed|
+| `IsClickedThrough` | `bool` | Indicates whether the user was able to click through to the original URL (1) or not (0)|
| `UrlChain` | `string` | For scenarios involving redirections, it includes URLs present in the redirection chain| | `ReportId` | `string` | The unique identifier for a click event. For clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.|
security Top Scoring Industry Tests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/top-scoring-industry-tests.md
Microsoft Defender Antivirus is the [next generation protection](https://www.you
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category that has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
+- 2022 AV-TEST Award ΓÇô for tested IT Security: [Best Advanced Protection for Consumer Users and Best Advanced Protection](https://www.av-test.org/en/news/av-test-award-2022-for-microsoft/)
+ - November - December 2021 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2021/microsoft-defender-antivirus-4.18-212622/) <sup>**Latest**</sup> Microsoft Defender Antivirus achieved a perfect Protection score of 6.0/6.0, with 100% in November and December. 18,870 malware samples were used.
Business Security Test consists of three main parts: the Real-World Protection T
SE Labs test a range of solutions used by products and services to detect and/or protect against attacks. It includes endpoint software, network appliances, and cloud services.
+- Best Email Security Service of 2023: [AAA award](https://www.microsoft.com/en-us/security/blog/2023/02/21/microsoft-defender-for-office-365-named-best-email-security-service-of-2023-by-se-labs/)
+ - Annual Report 2020 - 2021: [AAA award](https://selabs.uk/wp-content/uploads/2021/11/annual-report-2021.pdf) <sup>**Latest**</sup> - Enterprise Endpoint Protection: October - December 2021: [AAA award](https://selabs.uk/wp-content/uploads/2021/12/oct-dec-2021-enterprise.pdf)
security Anti Phishing Mdo Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md
- seo-marvel-apr2020 Previously updated : 06/09/2023 Last updated : 6/22/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>
Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" borde
On the **Domains** tab on the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight?type=Domain>, select one of the impersonation detections by clicking anywhere in the row other than the check box.
-The details flyout that open contains the following actions and information:
+The following information is available in the details flyout:
+
+- **Why did we catch this?**
+- **What do you need to do?**
+- **Domain summary**: The domain that was detected as impersonation.
+- **Whois data**: Contains information about the domain:
+ - **Sender location**
+ - **Domain created date**
+ - **Domain expiration date**
+ - **Registrant**
+
+- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.
+
+- **Email from sender**: This section shows the following information about similar messages from senders in the domain:
+ - **Date**
+ - **Recipient**
+ - **Subject**
+ - **Sender**
+ - **Sender IP**
+ - **Delivery action**
> [!TIP] > To see details about other domain impersonation entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. -- **Select impersonation policy to modify** and **Add to the allowed to impersonation list**: These settings work together to add the domain to the [Trusted senders and domains](anti-phishing-policies-about.md#trusted-senders-and-domains) list in the selected policy so messages from senders in this domain are no longer identified as domain impersonation:
- - Select the anti-phishing policy in the dropdown list. The anti-phishing policy that was responsible for detecting the message is shown in the **Policy** value on the **Domain** tab.
- - Slide the toggle to on: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: to add the domain to the **Trusted senders and domains** list in the selected policy.
+To prevent senders in a detected domain from being identified as domain impersonation, see the next subsection.
+
+### Exempt senders in a detected domain from future domain impersonation checks
+
+On the **Domains** tab of the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight?type=Domain>, use the following steps to exempt senders in a detected domain from being identified as domain impersonation:
- To remove the domain from the **Trusted senders and domains** list, slide the toggle back to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
+Select the entry from the list by clicking anywhere in the row other than the check box.
-- The following information is available in the details flyout:
- - **Why did we catch this?**
- - **What do you need to do?**
- - **Domain summary**: The domain that was detected as impersonation.
- - **Whois data**: Contains information about the domain:
- - **Sender location**
- - **Domain created date**
- - **Domain expiration date**
- - **Registrant**
+In the details flyout that opens, use the **Select impersonation policy to modify** and **Add to the allowed to impersonation list** settings at the top of the flyout. These settings work together to add the domain to the [Trusted senders and domains](anti-phishing-policies-about.md#trusted-senders-and-domains) list in the policy that incorrectly identified the message as domain impersonation:
- - **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.
+- Select the anti-phishing policy in the dropdown list. The anti-phishing policy that was responsible for detecting the message is shown in the **Policy** value on the **Domain** tab.
+- Slide the toggle to on: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: to add the domain to the **Trusted senders and domains** list in the selected policy.
- - **Email from sender**: This section shows the following information about similar messages from senders in the domain:
- - **Date**
- - **Recipient**
- - **Subject**
- - **Sender**
- - **Sender IP**
- - **Delivery action**
+ To remove the domain from the **Trusted senders and domains** list, slide the toggle back to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
When you're finished in the details flyout, select **Close**.
Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" borde
On the **Users** tab on the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight?type=User>, select one of the impersonation detections by clicking anywhere in the row other than the check box.
-The details flyout that open contains the following actions and information:
+The following information is available in the details flyout:
+
+- **Why did we catch this?**
+- **What do you need to do?**
+- **Sender summary**: The sender that was detected as impersonation.
+
+- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.
+
+- **Email from sender**: This section shows the following information about similar messages from the sender:
+ - **Date**
+ - **Recipient**
+ - **Subject**
+ - **Sender**
+ - **Sender IP**
+ - **Delivery action**
> [!TIP] > To see details about other user impersonation entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. -- **Select impersonation policy to modify** and **Add to the allowed to impersonation list**: These settings work together to add the user to the [Trusted senders and domains](anti-phishing-policies-about.md#trusted-senders-and-domains) list in the selected policy so messages from this sender are no longer identified as user impersonation:
- - Select the anti-phishing policy in the dropdown list. The anti-phishing policy that was responsible for detecting the message is shown in the **Policy** value on the **Domain** tab.
- - Slide the toggle to on: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: to add the user to the **Trusted senders and domains** list in the selected policy.
+To prevent a detected sender from being identified as user impersonation, see the next subsection.
+
+### Exempt a detected sender from future user impersonation checks
+
+On the **Users** tab of the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight?type=User>, use the following steps to exempt detected senders from being identified as user impersonation:
- To remove the user from the **Trusted senders and domains** list, slide the toggle back to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
+Select the entry from the list by clicking anywhere in the row other than the check box.
-- The following information is available in the details flyout:
- - **Why did we catch this?**
- - **What do you need to do?**
- - **Sender summary**: The sender that was detected as impersonation.
+In the details flyout that opens, use the **Select impersonation policy to modify** and **Add to the allowed to impersonation list** settings at the top of the flyout. These settings work together to add the sender to the [Trusted senders and domains](anti-phishing-policies-about.md#trusted-senders-and-domains) list in the policy that incorrectly identified the message as user impersonation:
- - **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.
+- Select the anti-phishing policy in the dropdown list. The anti-phishing policy that was responsible for detecting the message is shown in the **Policy** value on the **Domain** tab.
+- Slide the toggle to on: :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: to add the sender to the **Trusted senders and domains** list in the selected policy.
- - **Email from sender**: This section shows the following information about similar messages from the sender:
- - **Date**
- - **Recipient**
- - **Subject**
- - **Sender**
- - **Sender IP**
- - **Delivery action**
+ To remove the sender from the **Trusted senders and domains** list, slide the toggle back to :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::
When you're finished in the details flyout, select **Close**.
security Anti Phishing Policies About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md
The following policy settings are available in anti-phishing policies in EOP and
- **Users**: One or more mailboxes, mail users, or mail contacts in your organization. - **Groups**:
- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
- The specified Microsoft 365 Groups. - **Domains**: One or more of the configured [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365.
In anti-phishing policies, you can control whether `p=quarantine` or `p=reject`
:::image type="content" source="../../media/anti-phishing-policies-honor-dmarc-settings.png" alt-text="DMARC settings in an anti-phishing policy." lightbox="../../media/anti-phishing-policies-honor-dmarc-settings.png":::
-The relationship between spoof intelligence and whether sender DMARC policies are honored are described in the following table:
+The relationship between spoof intelligence and whether sender DMARC policies are honored is described in the following table:
|&nbsp;|Honor DMARC policy On|Honor DMARC policy Off| ||||
The relationship between spoof intelligence and whether sender DMARC policies ar
Unauthenticated sender indicators are part of the [Spoof settings](#spoof-settings) that are available in the **Safety tips & indicators** section in anti-phishing policies in both EOP and Defender for Office 365. The following settings are available only when spoof intelligence is turned on: -- **Show (?) for unauthenticated senders for spoof**: Adds a question mark to the sender's photo in the From box if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-authentication-about.md#composite-authentication). When this setting is turned off, the question mark isn't added to the sender's photo.
+- **Show (?) for unauthenticated senders for spoof**: Adds a question mark to the sender's photo in the From box if the message doesn't pass SPF or DKIM checks **and** the message doesn't pass DMARC or [composite authentication](email-authentication-about.md#composite-authentication). When this setting is turned off, the question mark isn't added to the sender's photo.
-- **Show "via" tag**: Adds the via tag (chris@contoso.com <u>via</u> fabrikam.com) in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](anti-phishing-from-email-address-validation.md#an-overview-of-email-message-standards).
+- **Show "via" tag**: Adds the "via" tag (chris@contoso.com <u>via</u> fabrikam.com) in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the **MAIL FROM** address. For more information about these addresses, see [An overview of email message standards](anti-phishing-from-email-address-validation.md#an-overview-of-email-message-standards).
-To prevent the question mark or via tag from being added to messages from specific senders, you have the following options:
+To prevent the question mark or "via" tag from being added to messages from specific senders, you have the following options:
-- Allow the spoofed sender in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender, even if the **Show "via" tag** setting is turned on in the policy.
+- Allow the spoofed sender in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Allowing the spoofed sender prevents the "via" tag from appearing in messages from the sender, even if the **Show "via" tag** setting is turned on in the policy.
- [Configure email authentication](email-authentication-about.md#configure-email-authentication-for-domains-you-own) for the sender domain. - For the question mark in the sender's photo, SPF or DKIM are the most important.
- - For the via tag, confirm the domain in the DKIM signature or the **MAIL FROM** address matches (or is a subdomain of) the domain in the From address.
+ - For the "via" tag, confirm the domain in the DKIM signature or the **MAIL FROM** address matches (or is a subdomain of) the domain in the From address.
For more information, see [Identify suspicious messages in Outlook.com and Outlook on the web](https://support.microsoft.com/office/3d44102b-6ce3-4f7c-a359-b623bec82206) ## First contact safety tip
-The **Show first contact safety tip** settings is available in EOP and Defender for Office 365 organizations and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios:
+The **Show first contact safety tip** setting is available in EOP and Defender for Office 365 organizations and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios:
- The first time they get a message from a sender - They don't often get messages from the sender.
This section describes the policy settings that are only available in anti-phish
Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain: - An example impersonation of the domain contoso.com is ćóntoso.com.-- User impersonation is the combination of the user's display name and email address. For example, Valeria Barrios (vbarrios@contoso.com) might be impersonated as Valeria Barrios, but with a completely different email address.
+- User impersonation is the combination of the user's display name and email address. For example, Valeria Barrios (vbarrios@contoso.com) might be impersonated as Valeria Barrios, but with a different email address.
> [!NOTE] > Impersonation protection looks for domains that are similar. For example, if your domain is contoso.com, we check for different top-level domains (.com, .biz, etc.), but also domains that are even somewhat similar. For example, contosososo.com or contoabcdef.com might be seen as impersonation attempts of contoso.com.
For detected domain impersonation attempts, the following actions are available:
#### Mailbox intelligence impersonation protection
-Mailbox intelligence uses artificial intelligence (AI) to determines user email patterns with their frequent contacts.
+Mailbox intelligence uses artificial intelligence (AI) to determine user email patterns with their frequent contacts.
-For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the **Enable users to protect** settings of the policy. But, some of the recipients in the policy communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.
+For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the **Enable users to protect** settings of the policy. But, some of the recipients in the policy communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence doesn't identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.
> [!NOTE] > Mailbox intelligence protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt by mailbox intelligence.
Impersonation safety tips appear to users when messages are identified as impers
- **Show user impersonation safety tip**: The From address contains a user specified in [user impersonation protection](#user-impersonation-protection). Available only if **Enable users to protect** is turned on and configured. - **Show domain impersonation safety tip**: The From address contains a domain specified in [domain impersonation protection](#domain-impersonation-protection). Available only if **Enable domains to protect** is turned on and configured.-- **Show user impersonation unusual characters safety tip**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an sender specified in [user impersonation protection](#user-impersonation-protection). Available only if **Enable users to protect** is turned on and configured.
+- **Show user impersonation unusual characters safety tip**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a sender specified in [user impersonation protection](#user-impersonation-protection). Available only if **Enable users to protect** is turned on and configured.
> [!NOTE] > Safety tips are not stamped in the following messages:
security Configure Junk Email Settings On Exo Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes.md
description: Admins can learn how to configure the junk email settings in Exchange Online mailboxes. Many of these settings are available to users in Outlook or Outlook on the web. Previously updated : 6/14/2023 Last updated : 6/20/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
In Microsoft 365 organizations with mailboxes in Exchange Online, organizational
But, there are also specific anti-spam settings that admins can configure on individual mailboxes in Exchange Online: -- **Move messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is moved to the Junk Email folder after the message is delivered to the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines a delivered message is spam or phish, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).
+- **Move messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is moved to the Junk Email folder *after* the message is delivered to the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines a delivered message is spam or phish, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).
- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is moved to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailbox in Outlook or Outlook on the web (formerly known as Outlook Web App). Admins can configure the safelist collection on any user's mailbox.
EOP is able to move messages to the Junk Email folder based on the spam filterin
Admins can use Exchange Online PowerShell to configure entries in the safelist collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked Senders list). > [!NOTE]
-> Messages from senders that users have added to their own Safe Senders lists will skip content filtering as part of EOP (the SCL is -1). To prevent users from adding entries to their Safe Senders list in Outlook, use Group Policy as mentioned in the [About junk email settings in Outlook](#about-junk-email-settings-in-outlook) section later in this article. Policy filtering, Content filtering and Defender for Office 365 checks will still be applied to the messages.
+> Messages from senders that users added to their own Safe Senders lists skip content filtering as part of EOP (the SCL is -1). To prevent users from adding entries to their Safe Senders list in Outlook, use Group Policy as mentioned in the [About junk email settings in Outlook](#about-junk-email-settings-in-outlook) section later in this article. Policy filtering, Content filtering and Defender for Office 365 checks are still applied to the messages.
> > EOP uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet has no effect on mail flow for Exchange Online mailboxes. EOP routes messages based on the actions set in anti-spam policies. The user's Safe Sender list and Blocked Senders continue to work as usual.
Admins can use Exchange Online PowerShell to configure entries in the safelist c
- You can only use Exchange Online PowerShell to do the procedures in this article. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -- You need to be assigned permissions in Exchange Online before you can do the procedures in this article. Specifically, you need the **Mail Recipients** role (which is assigned to the **Organization Management**, **Recipient Management**, and **Custom Mail Recipients** role groups by default) or the **User Options** role (which is assigned to the **Organization Management** and **Help Desk** role groups by default). To add users to role groups in Exchange Online, see [Modify role groups in Exchange Online](/Exchange/permissions-exo/role-groups#modify-role-groups). Note that users with default permissions can do these same procedures on their own mailbox, as long as they have [access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell).
+- You need to be assigned permissions in Exchange Online before you can do the procedures in this article. Specifically, you need the **Mail Recipients** role (which is assigned to the **Organization Management**, **Recipient Management**, and **Custom Mail Recipients** role groups by default) or the **User Options** role (which is assigned to the **Organization Management** and **Help Desk** role groups by default). To add users to role groups in Exchange Online, see [Modify role groups in Exchange Online](/Exchange/permissions-exo/role-groups#modify-role-groups). Users with default permissions can do these same procedures on their own mailbox, as long as they have [access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell).
- In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid). -- Safe senders for shared mailboxes are not synchronized to Azure AD and EOP by design.
+- Safe senders for shared mailboxes aren't synchronized to Azure AD and EOP by design.
## Use Exchange Online PowerShell to configure the safelist collection on a mailbox
The safelist collection on a mailbox includes the Safe Senders list, the Safe Re
<sup>\*</sup> **Notes**: - In Exchange Online, whether entries in the Safe Senders list or _TrustedSendersAndDomains_ parameter work or don't work depends on the verdict and action in the policy that identified the message:
- - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders are not moved to the Junk Email folder.
- - **Quarantine**: Domain entries are not honored (messages from those senders are quarantined). Email address entries are honored (messages from those senders are not quarantined) if either of the following statements are true:
- - The message is not identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
- - The email address is not also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses).
+ - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders aren't moved to the Junk Email folder.
+ - **Quarantine**: Domain entries aren't honored (messages from those senders are quarantined). Email address entries are honored (messages from those senders aren't quarantined) if either of the following statements are true:
+ - The message isn't identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).
+ - The email address isn't also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses).
- In standalone EOP with directory synchronization, domain entries aren't synchronized by default, but you can enable synchronization for domains. For more information, see [Configure Content Filtering to Use Safe Domain Data: Exchange 2013 Help | Microsoft Learn](/exchange/configure-content-filtering-to-use-safe-domain-data-exchange-2013-help). - You can't directly modify the Safe Recipients list by using the **Set-MailboxJunkEmailConfiguration** cmdlet (the _TrustedRecipientsAndDomains_ parameter doesn't work). You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list.
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All
For detailed syntax and parameter information, see [Set-MailboxJunkEmailConfiguration](/powershell/module/exchange/set-mailboxjunkemailconfiguration). > [!NOTE]
->
-> - If the user has never opened their mailbox, you might receive an error when you run the previous commands. To suppress this error for bulk operations, add `-ErrorAction SilentlyContinue` to the **Set-MailboxJunkEmailConfiguration** command.
-> - The Outlook Junk Email Filter has additional safelist collection settings (for example, **Automatically add people I email to the Safe Senders list**). For more information, see [Use Junk Email Filters to control which messages you see](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077).
+> The Outlook Junk Email Filter has additional safelist collection settings (for example, **Automatically add people I email to the Safe Senders list**). For more information, see [Use Junk Email Filters to control which messages you see](https://support.microsoft.com/office/274ae301-5db2-4aad-be21-25413cede077).
-### How do you know this worked?
+### How do you know that you've successfully configured the safelist collection on a mailbox?
-To verify that you have successfully configured the safelist collection on a mailbox, use any of following procedures:
+To verify that you've successfully configured the safelist collection on a mailbox, use any of following procedures:
- Replace _\<MailboxIdentity\>_ with the name, alias, or email address of the mailbox, and run the following command to verify the property values:
Outlook and Outlook on the web both support the safelist collection. The safelis
The safelist collection (the Safe Senders list, Safe Recipients list, and Blocked Senders list) that's stored in the user's mailbox is also synchronized to EOP. With directory synchronization, the safelist collection is synchronized to Azure AD. -- The safelist collection in the user's mailbox has a limit of 510 KB, which includes all lists, plus additional junk email filter settings. If a user exceeds this limit, they will receive an Outlook error that looks like this:
+- The safelist collection in the user's mailbox has a limit of 510 KB, which includes all lists, plus additional junk email filter settings. If a user exceeds this limit, they receive an Outlook error that looks like this:
- > Cannot/Unable add to the server Junk E-mail lists. You are over the size allowed on the server. The Junk E-mail filter on the server will be disabled until your Junk E-mail lists have been reduced to the size allowed by the server.
+ > Cannot/Unable add to the server Junk E-mail lists. You are over the size allowed on the server. The Junk E-mail filter on the server is disabled until your Junk E-mail lists have been reduced to the size allowed by the server.
For more information about this limit and how to change it, see [KB2669081](https://support.microsoft.com/help/2669081).
The safelist collection (the Safe Senders list, Safe Recipients list, and Blocke
Entries over 1024 that weren't synchronized to Azure AD are processed by Outlook (not Outlook on the web), and no information is stamped in the message headers.
-As you can see, enabling the **Trust email from my contacts** setting reduces the number of Safe Senders and Safe Recipients that can be synchronized. If this is a concern, then we recommend using Group Policy to turn this feature off:
+As you can see, enabling the **Trust email from my contacts** setting reduces the number of Safe Senders and Safe Recipients that can be synchronized. If this reduction is a concern, we recommend using Group Policy to turn off this feature:
- File name: outlk16.opax - Policy setting: **Trust e-mail from contacts**
security Email Authentication About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-about.md
ms.localizationpriority: high
description: Admins can learn how EOP uses email authentication (SPF, DKIM, and DMARC) to help prevent spoofing, phishing, and spam. Previously updated : 6/15/2023 Last updated : 6/20/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-Email authentication (also known as email validation) is a group of standards that tries to stop spoofing (email messages from forged senders). In all Microsoft 365 organizations, EOP uses these standards to verify inbound email:
+Email authentication (also known as _email validation_) is a group of standards that tries to stop email messages from forged senders (also known as _spoofing_). Microsoft 365 uses the following standards to verify inbound email:
- [SPF](email-authentication-spf-configure.md) - [DKIM](email-authentication-dkim-configure.md) - [DMARC](email-authentication-dmarc-configure.md)
-Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain (for example, contoso.com.)
+Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain (for example, contoso.com).
The rest of this article explains how these technologies work, and how EOP uses them to check inbound email. ## Use email authentication to help prevent spoofing
-DMARC prevents spoofing by examining the **From** address in messages. The **From** address is the sender's email address that users see in their email client. Destination email organizations can also verify that the email domain has passed SPF or DKIM. In other words, the domain has been authenticated and therefore the sender's email address is not spoofed.
+DMARC prevents spoofing by examining the **From** address in messages. The **From** address is the sender's email address that users see in their email client. Destination email organizations can also verify that the email domain has passed SPF or DKIM. In other words, the source domain is a valid source for senders in the **From** address, so the sender's email address isn't spoofed.
-However, DNS records for SPF, DKIM, and DMARC (collectively known as email authentication policies) are optional. Domains with strong email authentication policies like microsoft.com and skype.com are protected from spoofing. But domains with weaker email authentication policies, or no policy at all, are prime targets for being spoofed.
+However, DNS records for SPF, DKIM, and DMARC (collectively known as _email authentication policies_) are optional. Domains with strong email authentication policies are protected from spoofing. But domains with weaker email authentication policies or no policy at all are prime targets for being spoofed.
-Lack of strong email authentication policies is a large problem. While organizations might not understand how email authentication works, attackers fully understand and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses *implicit email authentication* to check inbound email.
+Lack of strong email authentication policies is a large problem. While organizations might not understand how email authentication works, attackers fully understand and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses _implicit email authentication_ to check inbound email.
-Implicit email authentication is an extension of regular email authentication policies. These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies will be marked as spoof.
+Implicit email authentication is an extension of regular email authentication policies. These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies are marked as spoofing.
To see Microsoft's general announcement, see [A Sea of Phish Part 2 - Enhanced Anti-spoofing in Microsoft 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Schooling-A-Sea-of-Phish-Part-2-Enhanced-Anti-spoofing/ba-p/176209).
Authentication-Results:
These values are explained at [Authentication-results message header](message-headers-eop-mdo.md#authentication-results-message-header).
-By examining the message headers, admins or even end users can determine how Microsoft 365 determined that the sender is spoofed.
+By examining the message headers, admins and users can determine how Microsoft 365 determined that the sender is spoofed.
-## Why email authentication is not always enough to stop spoofing
+## Why email authentication isn't always enough to stop spoofing
Relying only on email authentication records to determine if an incoming message is spoofed has the following limitations: -- The sending domain might lack the required DNS records, or the records are incorrectly configured.--- The source domain has correctly configured DNS records, but that domain doesn't match the domain in the From address. SPF and DKIM don't require the domain to be used in the From address. Attackers or legitimate services can register a domain, configure SPF and DKIM for the domain, and use a completely different domain in the From address. Messages from senders in this domain will pass SPF and DKIM.
+- The source domain might lack the required DNS records, or the records are incorrectly configured.
+- The source domain has correctly configured DNS records, but that domain doesn't match the domain in the From address. SPF and DKIM don't require the domain to be used in the From address. Attackers or legitimate services can register a domain, configure SPF and DKIM for the domain, and use a different domain in the From address. Messages from senders in this domain pass SPF and DKIM.
Composite authentication can address these limitations by passing messages that would otherwise fail email authentication checks.
To: michelle@fabrikam.com
## Solutions for legitimate senders who are sending unauthenticated email
-Microsoft 365 keeps track of who is sending unauthenticated email to your organization. If the service thinks the sender is not legitimate, it will mark messages from this sender as a composite authentication failure. To avoid this verdict, you can use the recommendations in this section.
+Microsoft 365 keeps track of who is sending unauthenticated email to your organization. If the service thinks the sender isn't legitimate, it marks messages from this sender as a composite authentication failure. To avoid this verdict, you can use the recommendations in this section.
### Configure email authentication for domains you own
You can use this method to resolve intra-org spoofing and cross-domain spoofing
- [Configure DKIM records](email-authentication-dkim-configure.md) for your primary domains. - [Consider setting up DMARC records](email-authentication-dmarc-configure.md) for your domain to determine your legitimate senders.
-Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, there's many information available online. There are also third party companies dedicated to helping your organization set up email authentication records.
+Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, that information is available online. There are also third party companies dedicated to helping your organization set up email authentication records.
#### You don't know all sources for your email
-Many domains don't publish SPF records because they don't know all of the email sources for messages in their domain. Start by publishing an SPF record that contains all of the email sources you know about (especially where your corporate traffic is located), and publish the neutral SPF policy `?all`. For example:
+Many domains don't publish SPF records because they don't know all of the email sources for messages in their domain. Start by publishing an SPF record that contains all of the email sources you know about (especially where your corporate traffic is located), and publish the enforcement rule value "soft fail" (`~all`) in the SPF record. For example:
```text
-fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ?all"
+fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ~all"
```
-This example means that email from your corporate infrastructure will pass email authentication, but email from unknown sources will fall back to neutral.
+This example means that email from your corporate infrastructure passes email authentication, but email from unknown sources falls back to "soft fail". Typically, email servers are configured to deliver these messages.
-Microsoft 365 will treat inbound email from your corporate infrastructure as authenticated. Email from unidentified sources might still be marked as spoof if it fails implicit authentication. However, this is still an improvement from all email being marked as spoof by Microsoft 365.
+Microsoft 365 treats inbound email from your corporate infrastructure as authenticated. Email from unidentified sources might still be marked as spoof if it fails implicit authentication. However, this behavior is still an improvement from all email being marked as spoof by Microsoft 365.
-Once you've gotten started with an SPF fallback policy of `?all`, you can gradually discover and include more email sources for your messages, and then update your SPF record with a stricter policy.
+Once you've gotten started with an SPF fallback policy of `~all`, you can gradually discover and include more email sources for your messages, and then update your SPF record with a stricter policy.
### Configure permitted senders of unauthenticated email
For external domains, the spoofed user is the domain in the From address, while
### Create an allow entry for the sender/recipient pair
-To bypass spam filtering, some parts of filtering for phishing, but not malware filtering for specific senders, see [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md).
+To bypass spam filtering for some senders, but not malware or high confidence phishing, see [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md).
### Ask the sender to configure email authentication for domains you don't own
-Because of the problem of spam and phishing, Microsoft recommends email authentication for all email organizations. Instead of configuring manual overrides in your organization, you can ask an admin in the sending domain to configure their email authentication records.
+Because of the problem of spam and phishing, Microsoft recommends email authentication for all email organizations. Instead of configuring manual overrides in your organization, you can ask an admin in the source domain to configure their email authentication records.
- Even if they didn't need to publish email authentication records in the past, they should do so if they send email to Microsoft.- - Set up SPF to publish the domain's sending IP addresses, and set up DKIM (if available) to digitally sign messages. They should also consider setting up DMARC records.- - If they use bulk senders to send email on their behalf, verify that the domain in the From address (if it belongs to them) aligns with the domain that passes SPF or DMARC.- - Verify the following locations (if they use them) are included in the SPF record:- - On-premises email servers. - Email sent from a software-as-a-service (SaaS) provider. - Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace, Amazon Web Services, etc.).- - For small domains that are hosted by an ISP, configure the SPF record according to the instructions from the ISP.
-While it may be difficult at first to get sending domains to authenticate, over time, as more and more email filters start junking or even rejecting their email, it will cause them to set up the proper records to ensure better delivery. Also, their participation can help in the fight against phishing, and can reduce the possibility of phishing in their organization or organizations that they send email to.
+While it might be difficult at first to get sending domains to authenticate, but successful email delivery compels them to do so as more email filters junk or even reject their email. Also, their participation can help in the fight against phishing, and can reduce the possibility of phishing in their organization or organizations that they send email to.
#### Information for infrastructure providers (ISPs, ESPs, or cloud hosting services) If you host a domain's email or provide hosting infrastructure that can send email, you should do the following steps: - Ensure your customers have documentation that explains how your customers should configure their SPF records- - Consider signing DKIM-signatures on outbound email, even if the customer doesn't explicitly set it up (sign with a default domain). You can even double-sign the email with DKIM signatures (once with the customer's domain if they have set it up, and a second time with your company's DKIM signature)
-Deliverability to Microsoft is not guaranteed even if you authenticate email originating from your platform, but at least it ensures that Microsoft does not junk your email because it isn't authenticated.
+Delivery to Microsoft isn't guaranteed, even if you authenticate email originating from your platform. But, the configuration ensures that Microsoft doesn't junk your email because it isn't authenticated.
## Related links
For more information about service providers best practices, see [M3AAWG Mobile
Learn how Office 365 uses SPF and supports DKIM validation: - [More about SPF](email-authentication-anti-spoofing.md)- - [More about DKIM](email-authentication-dkim-support-about.md)
security Eop About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/eop-about.md
f1.keywords:
Previously updated : 6/15/2023 Last updated : 6/20/2023 audience: ITPro
To understand how EOP works, it helps to see how it processes incoming email:
:::image type="content" source="../../media/tp_emailprocessingineopt3.png" alt-text="Graphic of email from the internet or Customer feedback passing into EOP and through the Connection, Anti-malware, Mailflow Rules-slash-Policy Filtering, and Content Filtering, before the verdict of either junk mail or quarantine, or end user mail delivery" lightbox="../../media/tp_emailprocessingineopt3.png":::
-1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).
+1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. Most spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).
-2. Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy) to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see [Anti-malware protection in EOP](anti-malware-protection-about.md).
+2. Then the message is inspected for malware. If malware is found in the message or a message attachment, the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy) to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see [Anti-malware protection in EOP](anti-malware-protection-about.md).
3. The message continues through policy filtering, where it's evaluated against any mail flow rules (also known as transport rules) that you've created. For example, a rule can send a notification to a manager when a message arrives from a specific sender.
- In on-premises organization with Exchange Enterprise CAL with Services licenses, [Microsoft Purview data loss prevention (DLP)](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) checks in EOP also happen at this point.
+ In on-premises organization with Exchange Enterprise CAL with Services licenses, [Microsoft Purview Data Loss Prevention (DLP)](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) checks in EOP also happen at this point.
4. The message passes through content filtering (anti-spam and anti-spoofing) where harmful messages are identified as spam, high confidence spam, phishing, high confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in anti-phishing policies). You can configure the action to take on the message based on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what users can do to the quarantined messages using [quarantine policies](quarantine-policies.md#anatomy-of-a-quarantine-policy). For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md).
For more information, see [Order and precedence of email protection](how-policie
EOP runs on a worldwide network of datacenters that are designed to provide the best availability. For example, if a datacenter becomes unavailable, email messages are automatically routed to another datacenter without any interruption in service. Servers in each datacenter accept messages on your behalf, providing a layer of separation between your organization and the internet, thereby reducing load on your servers. Through this highly available network, Microsoft can ensure that email reaches your organization in a timely manner.
-EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region, all your messages will be processed using the mail routing for that region.
+EOP performs load balancing between datacenters but only within a region. If you're provisioned in one region, all of your messages are processed using the mail routing for that region.
### EOP features
For information about requirements, important limits, and feature availability a
- EOP uses several URL block lists that help detect known malicious links within messages. - EOP uses a vast list of domains that are known to send spam.-- EOP uses multiple anti-malware engines help to automatically protect our customers at all times.
+- EOP uses multiple anti-malware engines help to automatically protect our customers.
- EOP inspects the active payload in the message body and all message attachments for malware. - For recommended values for protection policies, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md). - For quick instructions to configure protection policies, see [Protect against threats](protect-against-threats.md).
For information about requirements, important limits, and feature availability a
|Phone and web technical support 24 hours a day, seven days a week|[Help and support for EOP](help-and-support-for-eop.md).| |**Other features**|| |A geo-redundant global network of servers|EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the [EOP datacenters](#eop-datacenters) section earlier in this article.|
-|Message queuing when the on-premises server cannot accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).|
+|Message queuing when the on-premises server can't accept mail|Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see [EOP queued, deferred, and bounced messages FAQ](mail-flow-delivery-faq.yml).|
|Office 365 Message Encryption available as an add-on|For more information, see [Encryption in Office 365](../../compliance/encryption.md).| |||
security Help And Support For Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/help-and-support-for-eop.md
audience: ITPro
ms.localizationpriority: medium ms.assetid: 64535a0a-1044-413f-8bc2-ed8e8a0bc54c
-description: Microsoft provides help for EOP in a variety of places and methods including self-support and assisted-support.
+description: Microsoft provides help for EOP using self-support and assisted-support.
- m365-security - tier3 search.appverid: met150 Previously updated : 6/15/2023 Last updated : 6/20/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the technical support resources listed in this article will help you find answers if you are having difficulty with EOP. Microsoft provides help for EOP in a variety of places and methods including self-support and assisted-support.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the technical support resources listed in this article can help you find answers if you have difficulty with EOP. Microsoft provides self-support and assisted-support for EOP.
## Self-support options
-Upon logging in, the Microsoft 365 admin center provides information about the status of your organization's services. Also, the service health section shows the current status of your services, details about disruptions and outages, and lists planned maintenance times. The Microsoft 365 admin center also provides information about known issues and expected resolutions. If you're affected by a service-wide event, then you should see a communication alert (typically accompanied by a bell icon). We recommend that you read and act on any items as appropriate. For more information about the service health area, see [Service health and continuity](/office365/servicedescriptions/office-365-platform-service-description/service-health-and-continuity). You might be able to find more help on your own by using the tools, forums, and community sites listed here.
+After you sign in, the Microsoft 365 admin center at <https://admin.microsoft.com> provides information about the status of your organization's services. Also, the service health section shows the current status of your services, details about disruptions and outages, and lists planned maintenance times. The Microsoft 365 admin center also provides information about known issues and expected resolutions. If you're affected by a service-wide event, then you should see a communication alert (typically accompanied by a bell icon). We recommend that you read and act on any items as appropriate. For more information about the service health area, see [Service health and continuity](/office365/servicedescriptions/office-365-platform-service-description/service-health-and-continuity). You might be able to find more help on your own by using the tools, forums, and community sites listed here.
-[Product Overview for Exchange Online Protection](https://products.office.com/exchange/exchange-email-security-spam-protection)
-
-[Contact support for business products - Admin Help](../../admin/get-help-support.md)
-
-[Microsoft 365 community](https://techcommunity.microsoft.com/t5/Office-365/ct-p/Office365)
-
-[Microsoft Support and Recovery Assistant (SaRA)](https://support.microsoft.com/office/e90bb691-c2a7-4697-a94f-88836856c72f)
-
-[Mail flow troubleshooter](https://aka.ms/FixEmail)
+- [Product Overview for Exchange Online Protection](https://products.office.com/exchange/exchange-email-security-spam-protection)
+- [Contact support for business products - Admin Help](../../admin/get-help-support.md)
+- [Microsoft 365 community](https://techcommunity.microsoft.com/t5/Office-365/ct-p/Office365)
+- [Microsoft Support and Recovery Assistant (SaRA)](https://support.microsoft.com/office/e90bb691-c2a7-4697-a94f-88836856c72f)
+- [Mail flow troubleshooter](https://aka.ms/FixEmail)
## Assisted support from Microsoft
-You can get help from Microsoft by starting a new service request within the Microsoft 365 admin center or by calling on the phone. Premier Support subscribers have extra support options.
+You can get help from Microsoft by starting a new service request within the Microsoft 365 admin center or by calling on the phone. Premier Support subscribers have other support options.
+
+These options are described in the following subsections
### Support for Microsoft Premier Support Subscribers
-If you are an EOP customer and also have a Microsoft Premier Support contract, you can get support through the normal Microsoft Premier Support channels. This allows you to receive access to all processes and resources available to Premier Support customers, such as a Premier Technical Account Manager (TAM) and case submission. Premier Support for Microsoft Online Services extends the Premier Support framework beyond on-premises products to online services, providing you with a unified support experience across all products and services. This service helps ensure that customers can resolve issues quickly and simplifies the task of managing support for different components of an IT infrastructure.
+EOP customers with Microsoft Premier Support contracts can get support through the normal Microsoft Premier Support channels (for example, a Premier Technical Account Manager (TAM) and case submission). Premier Support for Microsoft Online Services provides you with a unified support experience across all products and services. This service helps ensure that customers can resolve issues quickly, and simplifies the task of managing support for different components of an IT infrastructure.
For more information about how Premier Support can help your organization maximize value from your IT investments, see [Premier Support for Partners](https://partner.microsoft.com/support/microsoft-services-premier-support). ### Ask for help on the web
-1. Log in to the Microsoft 365 admin center.
-
-2. Go to **Support** \> **Ask for Customer Support** \> **New Service Request**
-
-3. Use the form to add information about your issue, search for solutions to previous issues, or attach logs or related files.
-
-### Ask for help on the telephone
-
-1. Log in to the Microsoft 365 admin center.
-
-2. For general product issues, go to **Support** \> **Ask for Customer Support** \> **Call technical support**.
-
- For questions before you buy EOP, or questions about billing and subscriptions, go to **Support** \> **Ask for Customer Support** \> **Call billing and subscription support**.
+Open the Microsoft 365 admin center at <https://admin.microsoft.com>, and then go to **...Show all** (if necessary) \> **Support** \> **Help & support**.
-3. Use the Virtual Agent to search for the most current appropriate telephone number.
+In the **How can we help?** flyout that opens, adds information about your issue, search for solutions to previous issues, or attach logs or related files.
## Support telephone numbers
-Microsoft provides local or toll-free telephone numbers for product support around the world. Many of these support centers provide help in your local language during business hours or in English 24 hours a day, every day. If you don't see your location listed below, use the Virtual Agent as described above to find your local support telephone number.
+Microsoft provides local or toll-free telephone numbers for product support around the world. Many of these support centers provide help in your local language during business hours or in English 24 hours a day, every day.
|Country or region|Pre-purchase and billing questions|Technical Support questions| ||||
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
- tier3 - seo-marvel-apr2020
-description: Admins can learn about the application order of protections in Exchange Online Protection (EOP), and how the priority value in protection policies determines which policy is applied.
+description: Admins can learn how the order of protection settings and the priority order of security policies affect the application of security policies in Microsoft 365.
search.appverid: met150 Previously updated : 6/15/2023 Last updated : 6/20/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email may be flagged by multiple forms of protection. For example, the built-in anti-phishing policies in EOP that are available to all Microsoft 365 customers, and the more robust anti-phishing policies that are available to Microsoft Defender for Office 365 customers. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there may be some confusion as to which policy is applied.
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email might be flagged by multiple forms of protection. For example, anti-spoofing protection that's available to all Microsoft 365 customers, and impersonation protection that's available to Microsoft Defender for Office 365 customers only. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there might be some confusion as to which policy is applied.
In general, a policy that's applied to a message is identified in the **X-Forefront-Antispam-Report** header in the **CAT (Category)** property. For more information, see [Anti-spam message headers](message-headers-eop-mdo.md). There are two major factors that determine which policy is applied to a message: -- **The order of processing for the email protection type**: This order is not configurable, and is described in the following table:
+- **The order of processing for the email protection type**: This order isn't configurable, and is described in the following table:
|Order|Email protection|Category|Where to manage| |::||||
There are two major factors that determine which policy is applied to a message:
<sup>\*</sup> These features are only available in anti-phishing policies in Microsoft Defender for Office 365. -- **The priority of the policy**: For each type of policy (anti-spam, anti-malware, anti-phishing, etc.), there's a default policy that applies to everyone, but you can create custom policies that apply to specific users (recipients). Each custom policy has a priority value that determines the order that the policies are applied in. The default policy is always applied last.
+- **The priority order of policies**: The policy priority order is shown in the following list:
- > [!IMPORTANT]
- > If a recipient is defined in multiple policies of the same type (anti-spam, anti-phishing, etc.), only the policy with the highest priority is applied to the recipient. Any remaining policies of that type are not evaluated for the recipient (including the default policy).
+ 1. The anti-spam, anti-malware, anti-phishing, Safe Links<sup>\*</sup>, and Safe Attachments<sup>\*</sup> policies in the [Strict preset security policy](preset-security-policies.md#profiles-in-preset-security-policies) (when enabled).
+ 2. The anti-spam, anti-malware, anti-phishing, Safe Links<sup>\*</sup>, and Safe Attachments<sup>\*</sup> policies in the [Standard preset security policy](preset-security-policies.md#profiles-in-preset-security-policies) (when enabled).
+ 3. Anti-phishing, Safe Links, and Safe Attachments in [Defender for Office 365 evaluation policies](try-microsoft-defender-for-office-365.md#audit-mode-vs-blocking-mode-for-defender-for-office-365) (when enabled).
+ 4. Custom anti-spam, anti-malware, anti-phishing, Safe Links<sup>\*</sup>, and Safe Attachments<sup>\*</sup> policies (when created).
-For example, consider the following **anti-phishing policies** in Microsoft Defender for Office 365 **that apply to the same users**, and a message that's identified as **both user impersonation and spoofing**:
+ Custom policies are assigned a default priority value when you create the policy (newer equals higher), but you can change the priority value at any time. This priority value affects the order that *custom policies* of that type (anti-spam, anti-malware, anti-phishing, etc.) are applied, but doesn't affect where custom policies are applied in the overall order.
+
+ 5. Of equal value:
+ - The Safe Links and Safe Attachments policies in the [Built-in protection preset security policy](preset-security-policies.md#profiles-in-preset-security-policies)<sup>\*</sup>.
+ - The default policies for anti-malware, anti-spam, and anti-phishing.
+
+ You can configure exceptions to the Built-in protection preset security policy, but you can't configure exceptions to the default policies (they apply to all recipients and you can't turn them off).
+
+ <sup>\*</sup> Defender for Office 365 only.
+
+ The priority order matters if you have the same recipient intentionally or unintentionally defined in multiple policies, because *only* the first policy of that type (anti-spam, anti-malware, anti-phishing, etc.) is applied to that recipient, regardless of how many other policies that the recipient is specified in. There's never a merging or combining of the settings in multiple policies for the recipient. The recipient is unaffected by the settings of the remaining policies of that type.
+
+For example, the group named "Contoso Executives" is specified in the following policies:
+
+- The Strict preset security policy
+- A custom anti-spam policy with the priority value 0 (highest priority)
+- A custom anti-spam policy with the priority value 1.
+
+Which anti-spam policy settings are applied to the members of Contoso Executives? The Strict preset security policy. The settings in the custom anti-spam policies are ignored for the members of Contoso Executives, because the Strict preset security policy is always applied first.
+
+As another example, consider the following custom anti-phishing policies in Microsoft Defender for Office 365 that apply to the same recipients, and a message that contains both user impersonation and spoofing:
|Policy name|Priority|User impersonation|Anti-spoofing| ||::|::|::| |Policy A|1|On|Off| |Policy B|2|Off|On|
-1. The message is identified as spoofing, because spoofing (4) is evaluated before user impersonation (5).
-2. Policy A is applied first because it has a higher priority than Policy B.
+1. The message is identified as spoofing, because spoofing (4) is evaluated before user impersonation (5) in the order of processing for the email protection type.
+2. Policy A is applied first, because it has a higher priority than Policy B.
3. Based on the settings in Policy A, no action is taken on the message because anti-spoofing is turned off. 4. The processing of anti-phishing policies stops for all included recipients, so Policy B is never applied to recipients who are also in Policy A.
-Because the same users might be intentionally or unintentionally included in multiple policies of the same type, use the following design guidelines for custom policies:
+To make sure that recipients get the protection settings that you want, use the following guidelines for policy memberships:
-- Assign a higher priority to policies that apply to a small number of users, and a lower priority to policies that apply to a large number of users. Remember, the default policy is always applied last.-- Configure your higher priority policies to have stricter or more specialized settings than lower priority policies.-- Consider using fewer custom policies (only use custom policies for users who require stricter or more specialized settings).
+- Assign a smaller number of users to higher priority policies, and a larger number of users to lower priority policies. Remember, default policies are always applied last.
+- Configure higher priority policies to have stricter or more specialized settings than lower priority policies. You have complete control over the settings in custom policies and the default policies, but no control over most settings in preset security policies.
+- Consider using fewer custom policies (only use custom policies for users who require more specialized settings than the Standard or Strict preset security policies, or the default policies).
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
The relationship between permissions, permissions groups, and the default quaran
┬│ **Allow recipients to release a message from quarantine** isn't honored for messages that were quarantined as **malware** by anti-malware policies or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies.
-⁴ This policy is used in [preset security policies](preset-security-policies.md) instead of the policy named DefaultFullAccessPolicy to enable quarantine notifications.
+⁴ This policy is used in [preset security policies](preset-security-policies.md) to enable quarantine notifications instead of the policy named DefaultFullAccessPolicy where notifications are turned off.
⁵ Your organization might not have the policy named NotificationEnabledPolicy as described in the next section.
security Reports Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md
- seo-marvel-apr2020 Previously updated : 6/19/2023 Last updated : 6/21/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord
When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** buttons are available.
+On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** actions are available.
### View data by URL click by application in the URL protection report
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord
When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** buttons are available.
+On the **URL threat protection** page, the :::image type="icon" source="../../medi#export-report-data)** actions are available.
## Additional reports to view
PowerShell reporting cmdlets:
|Compromised users|[Get-CompromisedUserAggregateReport](/powershell/module/exchange/get-compromiseduseraggregatereport) <p> [Get-CompromisedUserDetailReport](/powershell/module/exchange/get-compromiseduserdetailreport)| |Mail flow status|[Get-MailflowStatusReport](/powershell/module/exchange/get-mailflowstatusreport)| |Spoofed users|[Get-SpoofMailReport](/powershell/module/exchange/get-spoofmailreport)|
+|Post delivery activity summary|[Get-AggregateZapReport](/powershell/module/exchange/get-aggregatezapreport)|
+|Post delivery activity details|[Get-DetailZapReport](/powershell/module/exchange/get-detailzapreport)|
## What permissions are needed to view the Defender for Office 365 reports?
syntex Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/document-understanding-overview.md
description: Learn about the unstructured document processing model in Microsoft
# Overview of unstructured document processing in Microsoft Syntex
-> [!NOTE]
-> *Unstructured document processing* was known as *document understanding* in previous releases.
- </br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CSu7]
You can use example files to train and test your classifiers and extractors in y
After publishing your model, use the content center to apply it to any SharePoint document library that you have access to.
-## Requirements
+## Requirements and limitations
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#unstructured-document-processing).
syntex Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/form-processing-overview.md
description: Learn how to use AI Builder to create structured document processin
# Overview of structured document processing in Microsoft Syntex
-> [!NOTE]
-> *Structured document processing* was known as *form processing* in previous releases.
- </br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RW15YNo]
You can only create a structured document processing model in SharePoint documen
If you need it enabled on your document library, contact your Microsoft 365 admin.
-## Requirements
+## Requirements and limitations
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#structured-document-processing).
syntex Freeform Document Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/freeform-document-processing-overview.md
You can only create a freeform document processing model in SharePoint document
If you need it enabled on your document library, contact your Microsoft 365 admin.
-## Requirements
+## Requirements and limitations
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md#freeform-document-processing).
syntex Ocr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/ocr.md
Before you can use the OCR service in Syntex, you must first enter your Azure su
You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up the OCR service in Syntex.
-## Set up OCR
+## Set up optical character recognition
You can configure the OCR service by using either or both of these methods:
syntex Prebuilt Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-overview.md
Currently, there are three prebuilt models available: [contracts](prebuilt-model
Additional prebuilt models will be available in future releases.
-## Requirements
+## Requirements and limitations
For information about requirements to consider when choosing this model, see [Requirements and limitations for models in Microsoft Syntex](requirements-and-limitations.md).
syntex Video Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/video-library.md
description: Watch videos to learn about some of the different features in Micro
# Microsoft Syntex video library
-|Overview of model types |Create a content center |
+|Overview of Microsoft Syntex |Overview of model types |
|||
-|[:::image type="content" source="../medi) |
+|[:::image type="content" source="../medi) |
-|Unstructured document processing |Apply a model to a document library |
+
+|Unstructured models |Freeform and structured models |
+|||
+|[:::image type="content" source="../medi) |
++
+|Create a content center |Apply a model to a document library |
|||
-|[:::image type="content" source="../medi) |
+|[:::image type="content" source="../medi) |
|Create and train a classifier |Import a training set | |||