Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
compliance | Apply Sensitivity Label Automatically | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md | However currently, restricted admins won't be able to see labeling activities fo ### Use PowerShell for auto-labeling policies -You can use [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) to create and configure auto-labeling policies. This means you can fully script the creation and maintenance of your auto-labeling policies, which also provides a more efficient method of specifying multiple URLs for OneDrive and SharePoint locations. +You can use [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) to create and configure auto-labeling policies. This means you can fully script the creation and maintenance of your auto-labeling policies, which also provides a more efficient method of specifying multiple locations for SharePoint and OneDrive. Before you run the commands in PowerShell, you must first [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell). |
compliance | Audit Log Activities | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md | The following table describes the folder activities in SharePoint Online and One The following table lists the activities in information barriers that are logged in the Microsoft 365 audit log. For more information about information barriers, see [Learn about information barriers in Microsoft 365](information-barriers.md). |Friendly name|Operation|Description|-|:-|:|:--| -| Added segments to a site | SegmentsAdded | A SharePoint, global administrator, or site owner added one or more information barriers segments to a site. | -| Changed segments of a site | SegmentsChanged | A SharePoint or global administrator changed one or more information barriers segments for a site. | -| Removed segments from a site | SegmentsRemoved | A SharePoint or global administrator removed one or more information barriers segments from a site. | +|:|:--|:-| +|Applied information barrier mode to site|SiteIBModeSet|A SharePoint or global administrator has applied a mode to the site.| +|Applied segments to site|SiteIBSegmentsSet|A SharePoint, global administrator, or site owner added one or more information barriers segments to a site.| +|Changed information barrier mode of site|SiteIBModeChanged|A SharePoint or global administrator has updated the mode of the site.| +|Changed segments of site|SiteIBSegmentsChanged|A SharePoint or global administrator changed one or more information barriers segments for a site.| +|Disabled information barriers for SharePoint and OneDrive|SPOIBIsDisabled|A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.| +|Enabled information barriers for SharePoint and OneDrive|SPOIBIsEnabled|A SharePoint or global administrator has disabled information barriers for SharePoint and OneDrive in the organization.| +|Information barriers insights report 
completed|InformationBarriersInsightsReportCompleted| System completes build of the information barriers insights report.| +|Information barriers insights report OneDrive section queried|InformationBarriersInsightsReportOneDriveSectionQueried |An administrator queries the information barriers insights report for OneDrive accounts.| +|Information barriers insights report scheduled|InformationBarriersInsightsReportSchedule|An administrator schedules the information barriers insights report.| +|Information barriers insights report SharePoint section queried|InformationBarriersInsightsReportSharePointSectionQueried|An administrator queries the information barriers insights report for Sharepoint sites.| +|Removed segment from site|SiteIBSegmentsRemoved|A SharePoint or global administrator removed one or more information barriers segments from a site.| ## Microsoft Defender Experts activities |
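Review bot: In the added SPOIBIsEnabled row ("Enabled information barriers for SharePoint and OneDrive"), the description says the administrator "has disabled information barriers for SharePoint and OneDrive", which repeats the SPOIBIsDisabled row above it; it should read "has enabled". Readers match audit records on the Operation value, so a description that contradicts it is easy to misread during an investigation. The change also replaces SegmentsAdded, SegmentsChanged and SegmentsRemoved with SiteIBSegmentsSet, SiteIBSegmentsChanged and SiteIBSegmentsRemoved without saying whether the old names still appear in existing records; a one-line remark would help anyone with saved searches on the old values. Minor: "Sharepoint sites" in the InformationBarriersInsightsReportSharePointSectionQueried row should be "SharePoint", and the InformationBarriersInsightsReportOneDriveSectionQueried cell has a stray trailing space.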
compliance | Audit Log Search | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-search.md | f1.keywords: Previously updated : 06/12/2023 Last updated : 06/26/2023 audience: Admin -# Search the audit log in the compliance portal +# Search the audit log in the Microsoft Purview compliance portal Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the audit log search tool in Microsoft Purview compliance portal to search the unified audit log to view user and administrator activity in your organization. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Users in your organization can use the audit log search tool to search for, view, and export (to a CSV file) the audit records for these operations. Here's the process for searching the audit log in Microsoft 365. 4. Select **Search** to run the search using your search criteria. - The search results are loaded, and after a few moments they're displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events will be displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events returned will be displayed. + The search results are loaded, and after a few moments they're displayed on a new page. When the search is finished, the number of results found is displayed. A maximum of 50,000 events are displayed in increments of 150 events. If more than 50,000 events meet the search criteria, only the 50,000 unsorted events returned are displayed.  
You can export the results of an audit log search to a comma-separated value (CS For a description of many of the properties that are listed in the **AuditData** column in the CSV file when you download all results, and the service each one applies to, see [Detailed properties in the audit log](audit-log-detailed-properties.md). -## Scoping access to audit logs +## Scoping access to audit logs (preview) -Access to search the audit log is scoped based upon the administrative units assigned to the user accessing the audit log in the compliance portal. A scoped admin can only search and export user-generated audit logs within the scope of their administrative units. A global admin has access to all audit logs, including logs generated by non-user and system accounts. +Access to search the audit log is scoped based upon the administrative units assigned to the user accessing the audit log in the compliance portal. A restricted admin can only search and export user-generated audit logs within the scope of their administrative units. An unrestricted admin has access to all audit logs, including logs generated by non-user and system accounts. -| Admin units assigned to admins | Admin units available for scoped Search | Access to search and export audit logs | +| Admin units assigned to admins | Admin units available to perform scoped search on | Access to search and export audit logs | |--|--|--|-| None (Default): Unrestricted access | All administrative units are available | Unrestricted access to all activity logs from any user, non-user, or system account. | -| One or more administrative units: Restricted access | Only those administrative units assigned to the admin are available | Restricted access to activity logs from users with a matching administrative unit assignment. | +| None (Default): Unrestricted admin | All administrative units are available | Access to all activity logs from any user, non-user, or system account. 
| +| One or more administrative units: Restricted admin | Only those administrative units assigned to the admin are available | Access to activity logs from users with a matching administrative unit assignment. | ++> [!NOTE] +> The [Search-MailboxAuditLog](/powershell/module/exchange/search-mailboxauditlog) and [Search-AdminAuditLog cmdlets](/powershell/module/exchange/search-adminauditlog) currently do not support scoped access. Search requests using these cmdlets always include unscoped activity logs from Exchange, even when the user performing the search is a scoped admin. To access scoped activity logs from any Microsoft service, including Exchange mailbox activity logs, use the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet. For more information about administrative units, see [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions#administrative-units-preview). No. The auditing service pipeline is near real time, and therefore can't support **Where is auditing data stored?** -We currently have auditing pipeline deployments in the NA (North America), EMEA (Europe, Middle East, and Africa) and APAC (Asia Pacific) regions. Tenants homed in these regions will have their auditing data stored in region. For multi-geo tenants, the audit data collected from all regions of the tenant will be stored only in tenant's home region. However, we may flow the data across these regions for load-balancing and only during live-site issues. When we do perform these activities, the data in transit is encrypted. +We currently have auditing pipeline deployments in the NA (North America), EMEA (Europe, Middle East, and Africa) and APAC (Asia Pacific) regions. Tenants homed in these regions have their auditing data stored in region. For multi-geo tenants, the audit data collected from all regions of the tenant will be stored only in tenant's home region. 
However, we may flow the data across these regions for load-balancing and only during live-site issues. When we do perform these activities, the data in transit is encrypted. **Is auditing data encrypted?** |
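Review bot: The added NOTE under "Scoping access to audit logs (preview)" still uses the old term ("even when the user performing the search is a scoped admin"), while this same change renames the role to "restricted admin" in the paragraph and table directly above it; use "restricted admin" in the note too, so the caveat about Search-MailboxAuditLog and Search-AdminAuditLog returning unscoped Exchange activity is clearly tied to the role the table defines. In the "Where is auditing data stored?" answer, the first sentence was moved to present tense ("have their auditing data stored in region") but the next one still reads "will be stored only in tenant's home region"; align the tense and add the missing "the".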
compliance | Compliance Easy Trials Compliance Playbook | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md | Start by managing the lifecycle of sensitive data by managing it automatically u You can set a default retention label in SharePoint to automatically apply it to all items within a specific document library, folder, or document set in SharePoint. This option is useful when users store a specific type of document in one of these locations. -First, identify the content you would like to manage and the location of the content in SharePoint. Next, [create a retention label](retention.md#retention-labels) with your desired retention or deletion settings. Finally, [publish the retention to the document library, folder, or document set](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set). +First, identify the content you would like to manage and the location of the content in SharePoint. Next, [create a retention label](create-retention-labels-data-lifecycle-management.md#how-to-create-retention-labels-for-data-lifecycle-management) with your desired retention or deletion settings. Then, [publish the retention label to SharePoint](create-apply-retention-labels.md#how-to-publish-retention-labels). Finally, apply the published label as a [default retention label in SharePoint](create-apply-retention-labels.md#default-labels-for-sharepoint-and-outlook). -### Step 3: Dynamically target retention policies with Adaptive Policy Scopes +### Step 3: Dynamically target retention policies with adaptive policy scopes Many customers want to target a retention policy to specific users or mailboxes. For example, they may want to apply a longer retention period to the mailboxes of people in leadership roles or apply shorter retention to shared mailboxes. 
Adaptive policy scopes allow you to do this by using their AD attributes to target the policy. If one of the attribute values changes then the retention policy will automatically update its membership. First, [decide what attributes you'll use to target](purview-adaptive-scopes.md# **Manage high-value items for business, legal, or regulatory record-keeping requirements** -Records Management helps you to comply with more granular retention and deletion requirements. As an example, you can track your retention schedule or use flexible automation options. Additionally, you can make content immutable, trigger retention using an event, or require approval before items are disposed. +Records management helps you to comply with more granular retention and deletion requirements. As an example, you can track your retention schedule or use flexible automation options. Additionally, you can make content immutable, trigger retention using an event, or require approval before items are disposed. Here are our most popular records management scenarios: Here are our most popular records management scenarios: ### Step 1: Automatically apply a retention label based on SharePoint file metadata Auto-applying labels removes the need for your users to manually perform the labeling activities. As an example, you can auto-apply retention labels to content that has specific metadata properties in SharePoint.-First, decide the metadata properties you would like to use, the locations where you want to look for matches, and the retention or deletion settings you want to apply. Next, [create a retention label](retention.md#retention-labels). Then, [follow the steps](auto-apply-retention-labels-scenario.md) to auto-apply the label based on SharePoint metadata. ++First, decide the metadata properties you would like to use, the locations where you want to look for matches, and the retention or deletion settings you want to apply. Next, [create a retention label](file-plan-manager.md). 
Then, [follow the steps](auto-apply-retention-labels-scenario.md) to auto-apply the label based on SharePoint metadata. ### Step 2: Review content to approve before it's permanently deleted -Some organizations have a requirement to review content at the end of its retention period before it's permanently deleted. Using Records Management, users you specify ("reviewers") can be notified to review the content and approve the permanent disposal action. Reviewers can also choose to assign a different retention period to the content or postpone deletion. Learn more here: Disposition of content. +Some organizations have a requirement to review content at the end of its retention period before it's permanently deleted. Using records management, users you specify ("reviewers") can be notified to review the content and approve the permanent disposal action. Reviewers can also choose to assign a different retention period to the content or postpone deletion. Learn more here: [Disposition of content](disposition.md). ### Step 3: Make content immutable to prevent users from editing it -Some content has a lifecycle phase where both the file and the metadata shouldn't be available for editing, often called declaring the content as an immutable record. Learn how to configure this option in Records Management: [Create a retention label that declares content as a record or a regulatory record](declare-records.md). +Some content has a lifecycle phase where both the file and the metadata shouldn't be available for editing, often called declaring the content as an immutable record. Learn how to configure this option in records management: [Create a retention label that declares content as a record or a regulatory record](declare-records.md). ## Manage insider risks |
compliance | Create Apply Retention Labels | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md | f1.keywords: Previously updated : 04/28/2023 Last updated : 06/24/2023 audience: Admin description: Instructions to publish retention labels so you can then apply them Use the following information to help you publish [retention labels](retention.md), and then apply them to documents and emails. -Retention labels help you retain what you need and delete what you don't at the item level (document or email). They are also used to declare an item as a record as part of a [records management](records-management.md) solution for your Microsoft 365 data. +Retention labels help you retain what you need and delete what you don't at the item level (document or email). They're also used to declare an item as a record as part of a [records management](records-management.md) solution for your Microsoft 365 data. Making retention labels available to people in your organization so that they can classify content is a two-step process: Decide before you create your retention label policy whether it will be **adapti 1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>, go to one of the following locations: - - If you are using records management: + - If you're using records management: - **Solutions** > **Records management** > > **Label policies** tab > **Publish labels** - - If you are using data lifecycle management: + - If you're using data lifecycle management: - **Solutions** > **Data lifecycle management** > **Microsoft 365** > **Label policies** tab > **Publish labels**- - Don't immediately see your solution in the navigation pane? First select **Show all**. 2. Follow the prompts to create the retention label policy. Be careful what name you choose for the policy, because this can't be changed after the policy is saved. 
Decide before you create your retention label policy whether it will be **adapti If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of **Full directory**. You must select **Full directory** for the policy to include the location for SharePoint sites. -5. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the wizard with this option. +5. For the **Choose the type of retention policy to create** page, select **Adaptive** or **Static**, depending on the choice you made from the [Before you begin](#before-you-begin) instructions. If you haven't already created adaptive scopes, you can select **Adaptive** but because there won't be any adaptive scopes to select, you won't be able to finish the configuration with this option. 6. Depending on your selected scope: - - If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. For example, if you only added a scope type of **User**, you will be able to select **Exchange email** but not **SharePoint sites**. + - If you chose **Adaptive**: On the **Choose adaptive policy scopes and locations** page, select **Add scopes** and select one or more adaptive scopes that have been created. Then, select one or more locations. The locations that you can select depend on the [scope types](purview-adaptive-scopes.md#configure-adaptive-scopes) added. 
For example, if you only added a scope type of **User**, you'll be able to select **Exchange email** but not **SharePoint sites**. - If you chose **Static**: On the **Choose locations** page, toggle on or off any of the locations. For each location, you can leave it at the default to [apply the policy to the entire location](retention-settings.md#a-policy-that-applies-to-entire-locations), or [specify includes and excludes](retention-settings.md#a-policy-with-specific-inclusions-or-exclusions) In Exchange Online, retention labels are made available to end users by a proces ```powershell $xmlprops.Properties.MailboxTable.Property | ? {$_.Name -like "ELC*"} -In the results, the `ELCLastSuccessTimeStamp` (UTC) property shows when the system last processed your mailbox. If it has not happened since the time you created the policy, the labels are not going to appear. To force processing, run `Start-ManagedFolderAssistant -Identity <user>`. +In the results, the `ELCLastSuccessTimeStamp` (UTC) property shows when the system last processed your mailbox. If it hasn't happened since the time you created the policy, the labels aren't going to appear. To force processing, run `Start-ManagedFolderAssistant -Identity <user>`. If labels aren't appearing in Outlook on the web and you think they should be, make sure to clear the cache in your browser (CTRL+F5). 
Use the following sections to learn how published retention labels can be applie - [Manually apply retention labels](#manually-apply-retention-labels) -- [Applying a default retention label to all content in a SharePoint library, folder, or document set](#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set)--- [Automatically applying a retention label to email by using rules](#automatically-applying-a-retention-label-to-email-by-using-rules)+- [Default labels for SharePoint and Outlook](#default-labels-for-sharepoint-and-outlook) + +- [Automatically apply a retention label to email by using Outlook rules](#automatically-apply-a-retention-label-to-email-by-using-outlook-rules) In addition, when you use [Microsoft Syntex](/microsoft-365/contentunderstanding/) and publish retention labels to SharePoint locations, you can [apply a retention label to a model](../contentunderstanding/apply-a-retention-label-to-a-model.md) so that identified files are automatically labeled. After content is labeled, see the following information to understand when the a ### Manually apply retention labels -End users, as well as administrators, can manually apply retention labels from the following locations: +Users can manually apply retention labels from the following locations: -- Outlook and Outlook on the web- -- OneDrive+- Outlook +- OneDrive and SharePoint +- Teams site that's group-connected -- SharePoint- -- Microsoft 365 group site for Teams- -Use the following sections to understand how to apply retention labels. --#### Applying retention labels in Outlook +Use the following tabs to understand how to manually apply retention labels for each location: -To label an item in the Outlook desktop client, select the item. On the **Home** tab on the ribbon, click **Assign Policy**, and then choose the retention label. - - - -You can also right-click an item, click **Assign Policy** in the context menu, and then choose the retention label. 
When you select multiple items, you can use this method to assign the same retention label to multiple items at once. --After the retention label is applied, you can view that retention label and what action it takes at the top of the item. If an email has a retention label applied that has an associated retention period, you can see at a glance when the email expires. +# [Outlook](#tab/manual-outlook) -##### Applying a default retention label to an Outlook folder +Your published retention labels display in Outlook alongside any legacy [MRM retention tags](data-lifecycle-management.md#exchange-legacy-features) that are assigned to the mailbox. Although you see references to retention policies, users can't select your Microsoft 365 retention policies in the Outlook apps. -You can apply retention labels to Outlook folders as a default label that can be inherited by messages in that folder. Right-click the folder, select **Properties**, the **Policy** tab, and select the retention label you want to use as that folder's default retention label. --When you use a standard retention label as your default label for an Outlook folder: +To label an item in the Outlook desktop client, select the item. On the **Home** tab on the ribbon, select **Assign Policy**, and then choose the retention label. 
For example: -- All unlabeled items in the folder have this retention label applied.--- The inheritance flows to any child folders and items inherit the label from their nearest folder.--- Items that are already labeled retain their retention label, unless it was applied by a different default label.--- If you change or remove the default retention label for the folder: Existing retention labels applied to items in that folder are also changed or removed only if those labels were applied by a default label.--- If you move an item with a default retention label from one folder to another folder with a different default retention label: The item gets the new default retention label.--- If you move an item with a default retention label from one folder to another folder with no default retention label: The old default retention label is removed.+ -When labels are applied that aren't standard retention labels but mark items as [records (or regulatory records)](records-management.md#records), these labels can only be manually changed or removed. +If you don't immediately see the option to assign policy, look for the **Tags** group on the ribbon. -#### Applying retention labels in Outlook on the web +You can also right-click an item, select **Assign Policy** in the context menu, and then choose the retention label. When you select multiple items, you can use this method to apply the same retention label to multiple items at once. -To label an item in Outlook on the web, right-click the item \> **Assign policy** \> choose the retention label. Unlike Outlook desktop, you can't use this method if you multi-select items. +To label an item in Outlook on the web, right-click the item, select **Assign policy**, and then choose the retention label. Unlike Outlook desktop, you can't use this method if you multi-select items.  -After the retention label is applied, you can view that retention label and what action it takes at the top of the item. 
If an email is classified and has an associated retention period, you can know at a glance when the email will expire. +After the retention label is applied, you can view that retention label at the top of the item. For example: - -As with the desktop version of Outlook on the web, you can also apply retention labels to folders. Right-click the folder, select **Assign policy**, and change **Use parent folder policy** to the retention label you want to use as that folder's default retention label. -#### Applying retention labels in OneDrive and SharePoint +For more information about the expiry date displayed to users, see [User notification of expiry date](retention-policies-exchange.md#user-notification-of-expiry-date). + +# [OneDrive and SharePoint](#tab/spo-onedrive) Manually applying retention labels is supported in the new experience only, and not the classic experience. -To label a document (including OneNote files) in OneDrive or SharePoint, select the item \> in the upper-right corner, choose **Open the details pane** \> **Apply retention label** \> choose the retention label. +To label a document (including OneNote files) in OneDrive or SharePoint, first select the item. Then in the upper-right corner, open the details pane, and choose the retention label from **Apply retention label**. -You can also apply a retention label to a list item, folder, or document set, and you can set a [default retention label for a document library](#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set). +You can also apply a retention label to a list item, folder, or document set, and you can set a [default retention label for a document library](#default-labels-for-sharepoint-and-outlook).  After a retention label is applied to an item, you can view it in the details pa For SharePoint, but not OneDrive, you can create a view of the library that contains the **Labels** column or **Item is a Record** column. 
This view lets you see at a glance the retention labels assigned to all items and which items are records. Note, however, that you can't filter the view by the **Item is a Record** column. For instructions how to add columns, see [Show or hide columns in a list or library](https://support.microsoft.com/en-us/office/show-or-hide-columns-in-a-list-or-library-b820db0d-9e3e-4ff9-8b8b-0b2dbefa87e2). -#### Applying retention labels using Microsoft 365 groups +# [Teams group-connected sites](#tab/teams-groupconnected) When you publish retention labels to the **Microsoft 365 Groups** location, the retention labels appear in the SharePoint teams site but aren't supported by any email client for group mailboxes. The experience of applying a retention label in the site is identical to that for documents in SharePoint. Users can also apply the retention labels directly in Teams, from the **Files**  -### Applying a default retention label to all content in a SharePoint library, folder, or document set +++### Default labels for SharePoint and Outlook ++After a retention label is published to SharePoint and Outlook, users can apply it as a default retention label so that it's inherited by all unlabeled items. Although the same label is applied, each item will be retained and deleted separately, according to the start of the retention period setting in the label. -This method requires retention labels to be published to a retention label policy. +When you use default retention labels, there are some scenarios that can result in the inherited label being replaced or removed. See each tab for details about the label behavior. -In addition to letting people apply a retention label to individual documents, you can also apply a default retention label to a SharePoint library, folder, or document set. In this scenario, documents in that location can inherit your selected default retention label. 
Although the same label is applied, each document will be retained and deleted separately, according to the start of the retention period setting in the label. +# [Default label for SharePoint](#tab/default-label-for-sharepoint) ++<a name="applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set"></a>You can apply a default retention label to all content in a SharePoint library, folder, or document set. Documents in that location then inherit your selected default retention label. For a document library, the default label configuration is done on the **Library settings** page for a document library. When you choose the default retention label, you can also choose to apply it to existing items in the library. For example, if you have a retention label for marketing materials, and you know  -#### Label behavior when you use a default label for SharePoint +##### Label behavior when you use a default label for SharePoint For standard retention labels that you apply as a default retention label to a library, folder, or document set: For standard retention labels that you apply as a default retention label to a l When labels are applied that aren't standard retention labels but mark items as [records (or regulatory records)](records-management.md#records), these labels can only be manually changed or removed. -### Automatically applying a retention label to email by using rules +# [Default label for Outlook](#tab/default-label-for-outlook) ++You can apply a default retention label to Outlook folders so that the label is inherited by all unlabeled items. ++In the Outlook desktop client, right-click the folder, select **Properties**, the **Policy** tab, and then select the retention label you want to use as that folder's default retention label. -In Outlook, you can create rules to apply a retention label. 
+In Outlook on the web, right-click the folder, select **Assign policy**, and change **Use parent folder policy** to the retention label you want to use as that folder's default retention label. ++##### Label behavior when you use a default label for Outlook ++When you use a standard retention label as your default label for an Outlook folder: -For example, you can create a rule that applies a specific retention label to all messages sent to or from a specific distribution group. +- All unlabeled items in the folder have this retention label applied. ++- The inheritance flows to any child folders and items inherit the label from their nearest folder. ++- Items that are already labeled retain their retention label, unless it was applied by a different default label. ++- If you change or remove the default retention label for the folder: Existing retention labels applied to items in that folder are also changed or removed only if those labels were applied by a default label. ++- If you move an item with a default retention label from one folder to another folder with a different default retention label: The item gets the new default retention label. ++- If you move an item with a default retention label from one folder to another folder with no default retention label: The old default retention label is removed. ++When labels are applied that aren't standard retention labels but mark items as [records (or regulatory records)](records-management.md#records), these labels can only be manually changed or removed. ++++### Automatically apply a retention label to email by using Outlook rules ++In Outlook, you can create rules to apply a retention label. For example, you can create a rule that applies a specific retention label to all messages sent to or from a specific distribution group. -To create a rule, right-click an item \> **Rules** \> **Create Rule** \> **Advanced Options** \> **Rules Wizard** \> **apply retention policy**. 
+To create a rule, right-click an item, select **Rules** \> **Create Rule** \> **Advanced Options** \> **Rules Wizard**. Specify the condition or conditions for the first step, and then **apply retention policy** for the action: - + -Although the UI refers to retention policies, it's your retention labels that display here and can be selected, not your retention policies. +Although you see a reference to retention policies, retention labels are displayed and can be selected. ## Updating retention labels and their policies |
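Review bot: in the Outlook rules section, the rewritten closing sentence ("Although you see a reference to retention policies, retention labels are displayed and can be selected.") no longer states that retention policies are not what the list contains, which the removed wording made explicit with "not your retention policies". Consider keeping that clause so readers don't go looking for their policies in the Rules Wizard. In the new Outlook tab, "select **Properties**, the **Policy** tab, and then select the retention label" reads as a broken series; "select **Properties**, open the **Policy** tab, and then select the retention label" would be clearer.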
compliance | Dlp Alerts Dashboard Learn | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-learn.md | The [DLP alert management dashboard](https://compliance.microsoft.com/datalosspr - SharePoint - OneDrive - Teams-- Windows 10/11 devices+- Windows 10 devices > [!TIP]-> Customers who use [Endpoint DLP](endpoint-dlp-learn-about.md) who are eligible for [Teams DLP](dlp-microsoft-teams.md) will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard. +> Customers who use [Endpoint DLP](endpoint-dlp-learn-about.md) and who are eligible for [Teams DLP](dlp-microsoft-teams.md) will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard. ## Single alert and aggregate alert Here are some of the events associated with an alert. In the UI, you can choose |actions taken |actions that were taken that caused the DLP policy match| all events| |violating action | action on the endpoint device that raised the DLP alert| device events | |user overrode policy |did the user override the policy via a policy tip | all events|-|use override justification |the text of the reason provided by the user for the override | all events| +|use override justification |the text of the reason provided by the user for the override | all events| ## Investigate DLP incidents in Microsoft 365 Defender portal -Incidents for Microsoft Purview Data Loss Prevention (DLP) can be managed in the Microsoft 365 Defender portal. See, [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) for details. You can manage DLP incidents, along with security incidents from **Incidents & alerts** > **Incidents**, on the quick launch of the Microsoft 365 Defender portal. +Incidents for Microsoft Purview Data Loss Prevention (DLP) can be managed in the Microsoft 365 Defender portal. 
See, [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) for details. You can manage DLP incidents along with security incidents from **Incidents & alerts** > **Incidents** on the quick launch of the Microsoft 365 Defender portal. From this page, you can: -- View all your DLP alerts grouped under **Incidents** in the Microsoft 365 Defender incident queue.+- View all your DLP alerts grouped under incidents in the Microsoft 365 Defender incident queue. - View intelligent inter-solution (DLP-MDE, DLP-MDO) and intra-solution (DLP-DLP) correlated alerts under a single incident. - Hunt for compliance logs along with security under Advanced Hunting.-- Administer remediation actions in-place on user, file, and device.+- In-place admin remediation actions on user, file, and device. - Associate custom tags to DLP incidents and filter by them. - Filter by DLP policy name, tag, Date, service source, incident status, and user on the unified incident queue. |
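Review bot: the location list changes "Windows 10/11 devices" to "Windows 10 devices", dropping Windows 11 without explanation, while the DLP planning article changed in this same batch still lists "Windows 10, 11 and macOS Devices". Please confirm that the narrowing is intended, or restore Windows 11 so the articles agree. In the Defender portal list, the new bullet "In-place admin remediation actions on user, file, and device." is a noun phrase among verb-led bullets (View, Hunt, Associate, Filter); the removed "Administer remediation actions in-place ..." was parallel and should be kept or reworded with a leading verb.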
compliance | Dlp Learn About Dlp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-learn-about-dlp.md | After the policy is synced to the right locations, it starts to evaluate content ## Viewing policy application results -DLP reports a vast amount of information to Microsoft Purview from monitoring to policy matches and actions, to user activities. You'll need to consume and act on that information to tune your policies and triage actions taken on sensitive items. The telemetry goes into the [Microsoft Purview compliance portal Audit Logs](audit-log-search.md#search-the-audit-log-in-the-compliance-portal) first, is processed, and makes its way to different reporting tools. Each reporting tool has a different purpose. +DLP reports a vast amount of information to Microsoft Purview from monitoring to policy matches and actions, to user activities. You'll need to consume and act on that information to tune your policies and triage actions taken on sensitive items. The telemetry goes into the [Microsoft Purview compliance portal Audit Logs](audit-log-search.md) first, is processed, and makes its way to different reporting tools. Each reporting tool has a different purpose. ### High volume of sensitive info shared or save externally |
compliance | Dlp Migration Assistant For Symantec Learn | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-learn.md | -description: "The migration assistant is a Windows based desktop application that will migrate your DLP policies from other DLP platforms to Microsoft DLP platform." +description: "The migration assistant is a Windows based desktop application that migrates your DLP policies from other DLP platforms to Microsoft DLP platform." # Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec The migration assistant is a Windows-based desktop application for migrating you ## What can the migration assistant help with? -The migration assistant helps with some of the tasks involved in a Data Loss Prevention (DLP) migration project: +The migration assistant helps with some of the tasks involved in a DLP migration project: - In a manual migration scenario, you need to perform a feasibility analysis between the source and target DLP platforms, map the features, migrate policies manually, and test and tweak DLP policies. With the migration assistant, your migrated DLP policies can be up and running within minutes of starting the migration assistant process. - With migration assistant, you can quickly scale up your migration project. You can start by moving a single policy manually to multiple policies at the same time. Each time the migration assistant runs, it performs the following steps: ## Understand mapping of Symantec DLP elements to Microsoft Purview DLP elements -Here's how the migration assistant translates different policy elements from Symantec DLP to Microsoft Purview DLP: +The migration assistant translates different policy elements from Symantec DLP to Microsoft Purview DLP. ### Symantec DLP supported versions -The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.8 maintenance packs included. 
+The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.8, maintenance packs included. ### Supported Workloads -The migration assistant migrates policies into these workloads. +The migration assistant migrates policies into these workloads: | **Workload** | **Migration assistant support** | | - | - |-| Exchange Online (EXO)| Yes | -| SharePoint Online (SPO) | Yes | -| OneDrive for Business (ODB) | Yes | +| Exchange | Yes | +| SharePoint | Yes | +| OneDrive | Yes | | Teams chat and channel messages | Yes | | Endpoint devices | Yes | Here's how the migration assistant maps Symantec elements to Purview DLP element | **Symantec Classification Element** | **Microsoft Purview DLP Classification Element** | | - | - |-| Regular Expression| Create new custom sensitive information type (SIT) with the regular expression.| -| Keyword | Create new custom SIT with a keyword list or keyword dictionary.| -| Keyword Pair | Create new custom SIT with first keyword list as primary element & second keyword list as a supporting element with 300 char proximity. | -| Data Identifier | Map to pre-configured SIT if an equivalent is available, else create a new custom SIT. | +| Regular Expression| Create a new custom sensitive information type (SIT) with the regular expression.| +| Keyword | Create a new custom SIT with a keyword list or keyword dictionary.| +| Keyword Pair | Create a new custom SIT with first keyword list as primary element & second keyword list as a supporting element with 300 char proximity. | +| Data Identifier | Map to a preconfigured SIT if an equivalent is available, else create a new custom SIT. 
| Here are the mapping details of optional validators for sensitive information types (also known as Data Identifiers in Symantec DLP) that the migration assistant uses while translating Symantec DLP policies: | **Symantec Optional Validators** | **Microsoft Purview DLP Optional Validators**| | -- | | | Exclude exact match | Exclude specific matches |-| Exact Match Data Identifier Check | NA | +| Exact Match Data Identifier Check | N/A | | Exclude beginning characters | Starts or doesn't start with characters | | Exclude ending characters | Ends or doesn't end with characters | | Exclude prefix | Include or Exclude prefixes | | Exclude suffix | Include or Exclude prefixes |-| Number Delimiter| NA | +| Number Delimiter| N/A | | Require beginning characters | Starts or doesn't start with characters |-| Exact Match | NA | +| Exact Match | N/A | | Duplicate digits| Exclude duplicate characters | | Require ending characters | Ends or doesn't end with characters | | Find keywords | Available as both primary & supporting elements | When you upload your rule package XML file, the system validates the XML and che ### Condition and Exception Mapping -Here's how the migration assistant maps Symantec condition and exception elements for various workloads to Purview DLP conditions. +Here's how the migration assistant maps Symantec condition and exception elements for various workloads to Microsoft Purview DLP conditions. 
#### Exchange Workload Here's how the migration assistant maps Symantec condition and exception element | Detect using Vector Machine Learning profile (VML) | Not supported | | Protocol Monitoring<li>SMTP protocol | Exchange (EXO) DLP policy | -#### Endpoint Devices, SharePoint Online, OneDrive and other workloads +#### Endpoint Devices, SharePoint Online, OneDrive, and other workloads | **Condition/Exception in Symantec** | **Condition in Microsoft Purview DLP** | | -- | - | Here's how the migration assistant maps Symantec response rules to Microsoft Pur ## Next steps -Now that you've learned about the Microsoft Purview Data Loss Prevention migration assistant for Symantec, your next steps are: +Now that you've learned about the Microsoft Purview Data Loss Prevention migration assistant for Symantec, your next steps are to: 1. [Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-get-started.md) 2. [Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-use.md) |
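Review bot: in the optional validators table, the unchanged row `| Exclude suffix | Include or Exclude prefixes |` maps a suffix validator to prefixes, the same target as the "Exclude prefix" row above it. This looks like a copy error; please verify and, if so, change it to the suffix option while the table is already being touched for the NA to N/A edits. Naming is also left inconsistent: the workload table now says "Exchange", "SharePoint" and "OneDrive", but the condition mapping still shows "Exchange (EXO) DLP policy" and the heading "Endpoint Devices, SharePoint Online, OneDrive, and other workloads".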
compliance | Dlp On Premises Scanner Learn | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-learn.md | When you select the **On-premises repositories** location, Microsoft Purview Dat ## DLP relies on Microsoft Purview Information Protection scanner -DLP relies on a full implementation of the Microsoft Purview Information Protection scanner to monitor, label and protect sensitive items. If you haven't implemented Information Protection scanner, must do so first. See these articles: +DLP relies on a full implementation of the Microsoft Purview Information Protection scanner to monitor, label, and protect sensitive items. If you haven't implemented Information Protection scanner, you must do so before you can use DLP. For more information, read these articles: - [What is Azure Information Protection](/azure/information-protection/what-is-information-protection) - [Learn about the information protection scanner](deploy-scanner.md) DLP relies on a full implementation of the Microsoft Purview Information Protect ## DLP On-premises repository actions -DLP detects files in on-premises repositories by one of these four methods: +DLP detects files in on-premises repositories by looking for the following: - sensitive information types - sensitivity labels |
compliance | Dlp On Premises Scanner Use | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-use.md | -description: "Learn how to use data loss prevention on premises repositories location to scan data at rest and implement protective actions for on premises file shares and on-premises SharePoint folders and document libraries." +description: "Learn how to use data loss prevention on premises location repositories to scan data at rest and implement protective actions for on premises file shares and on-premises SharePoint folders and document libraries." # Use the data loss prevention on-premises repositories location Data from DLP surfaces in several areas ### Activity explorer - DLP reports rule matches in [Activity Explorer](https://compliance.microsoft.com/dataclassification?viewid=activitiesexplorer). + DLP reports rule matches are available in [Activity Explorer](https://compliance.microsoft.com/dataclassification?viewid=activitiesexplorer). ### Microsoft 365 Audit log Discovery data is available in a local report in .csv format and is stored under ## Scenario: Enforce DLP rule -If you want to enforce DLP rules on scanned files, enforcement must be enabled on both the content scan job and at the policy level in DLP. +If you want to enforce DLP rules on scanned files, enforcement must be enabled both on the content scan job and at the policy level in DLP. ### Configure DLP to enforce policy actions |
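Review bot: under "Activity explorer", the new sentence "DLP reports rule matches are available in [Activity Explorer]" is ungrammatical, because "are available" was added to a sentence whose verb was already "reports". Either keep the original "DLP reports rule matches in Activity Explorer" or reword it to "DLP rule matches are available in Activity Explorer". The description change to "on premises location repositories" also inverts the feature name used in the title ("on-premises repositories location") and leaves "on premises" unhyphenated next to "on-premises file shares".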
compliance | Dlp Overview Plan For Dlp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-overview-plan-for-dlp.md | description: "Overview of the planning process for data loss prevention" # Plan for data loss prevention (DLP) -Every organization will plan for and implement data loss prevention (DLP) differently because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations. This article presents the best practices that are used by organizations in DLP planning. +Every organization plans for and implements data loss prevention (DLP) differently. Why? Because every organization's business needs, goals, resources, and situation are unique. However, there are elements that are common to all successful DLP implementations. This article presents the best practices for planning a DLP deployment. [!INCLUDE [purview-preview](../includes/purview-preview.md)] ## Before you begin -If you are new to Microsoft Purview DLP, here's a list of the core articles you'll need as you implement DLP: +If you're new to Microsoft Purview DLP, here's a list of the core articles you need as you implement DLP: -1. [Administrative units (preview)](microsoft-365-compliance-center-permissions.md#administrative-units-preview) -1. [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) - the article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP -1. [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - by working through this article that you're reading now, you will: +1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview) +1. 
[Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) - The article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP. +1. [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - By working through the article that you're reading now, you will: 1. [Identify stakeholders](dlp-overview-plan-for-dlp.md#identify-stakeholders) 1. [Describe the categories of sensitive information to protect](dlp-overview-plan-for-dlp.md#describe-the-categories-of-sensitive-information-to-protect) 1. [Set goals and strategy](dlp-overview-plan-for-dlp.md#set-goals-and-strategy)-1. [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) - this article introduces all the components of a DLP policy and how each one influences the behavior of a policy -1. [Design a DLP policy](dlp-policy-design.md) - this article walks you through creating a policy intent statement and mapping it to a specific policy configuration. -1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options, then it walks you through configuring those options. +1. [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) - This article introduces all the components of a DLP policy and how each one influences the behavior of a policy. +1. [Design a DLP policy](dlp-policy-design.md) - This article walks you through creating a policy intent statement and mapping it to a specific policy configuration. +1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) - This article presents some common policy intent scenarios that you'll map to configuration options. Then, it walks you through configuring those options. 
## Multiple starting points Many organizations choose to implement DLP to comply with various governmental or industry regulations. For example, the European Union's General Data Protection Regulation (GDPR), or the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA). They also implement data loss prevention to protect their intellectual property. However, the starting place and ultimate destination in the DLP journey vary. -Organizations can start their DLP journey: +Organizations can start their DLP journey from several different points: -- from a platform focus, for instance, if they want to protect information in Teams Chat and Channel messages or on Windows 10 or 11 devices-- knowing what sensitive information they want to prioritize protecting, like health care records, and going straight to defining policies to protect it-- without knowing what their sensitive information is, where it is, or who is doing what with it; in this case they start with discovery and categorization and take a more methodical approach-- without knowing what their sensitive information is, or where it is, or who is doing what with it, but moving straight to defining policies and using those outcomes as a starting place and then refining their policies from there-- knowing that they need to implement the full Microsoft Purview Information Protection stack and so take a longer term, methodical approach+- With a platform focus, like wanting to protect information in Teams Chat and Channel messages or on Windows 10 or 11 devices +- Knowing the sensitive information they want to prioritize protecting, such as health care records, and going straight to defining policies to protect it +- Without knowing what their sensitive information is, where it is, or who is doing what with it; so, they start with discovery and categorization and take a more methodical approach +- Without knowing what their sensitive information is, where it is, or 
who is doing what with it, they go straight to defining policies and then using those outcomes to refine them +- Knowing that they need to implement the full Microsoft Purview Information Protection stack, and a plan to take a longer term, methodical approach -These are just some examples of how customers can approach DLP. It doesn't matter where you start from, DLP is flexible enough to accommodate various types of information protection journeys from start to a fully realized data loss prevention strategy. +These are just some examples of how customers can approach DLP. It doesn't matter where you start from; DLP is flexible enough to accommodate various types of information protection journeys from start to a fully realized data loss prevention strategy. ## Overview of planning process -The [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention) introduces the three different aspects of the [DLP planning process](dlp-learn-about-dlp.md#plan-for-dlp). We'll go into more detail here on the elements that are common to all DLP plans. +The [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention) introduces the three different aspects of the [DLP planning process](dlp-learn-about-dlp.md#plan-for-dlp). We go into more detail here on the elements that are common to all DLP plans. ### Identify stakeholders When implemented, DLP policies can be applied across large portions of your organization. Your IT department can't develop a broad ranging plan on their own without negative consequences. 
You need to identify the stakeholders who can: -- describe the regulations, laws, and industry standards your organization is subject to+- the regulations, laws, and industry standards your organization is subject to - the categories of sensitive items to be protected-- the business processes they are used in+- the business processes they're used in - the risky behavior that should be limited - prioritize which data should be protected first, based on the sensitivity of the items and risk involved - outline the DLP policy match event review and remediation process Once identified, the stakeholders then describe the categories of sensitive info Stakeholders might identify the sensitive information as "We are a data processor, so we have to implement privacy protections on data subject information and financial information". - <!-- The business process is important as it informs the ΓÇÿdata at restΓÇÖ, ΓÇÿdata in transitΓÇÖ, ΓÇÿdata in useΓÇÖ aspect of DLP planning and who should be sharing the items and who should not.--> ### Set goals and strategy -Once you have identified your stakeholders and you know which sensitive information needs protection and where it's used, the stakeholders can set their protection goals and IT can develop an implementation plan. -+Once you have identified your stakeholders, know which sensitive information needs protection, and where it's used, the stakeholders can set their protection goals and IT can develop an implementation plan. <!-- ### Discovery start small and always in test mode. 
Note that DLP policies can feed into inside Your implementation plan should include: -- Mapping out your starting state, desired end state, and the steps to get from one to the other-- how you will address discovery of sensitive items-- policy planning and the order in which policies will be implemented-- how you will address any prerequisites-- planning on how policies will first be tested before moving to enforcement-- how you will train your end users-- how you will test and tune your policies-- how you will review and update your data loss prevention strategy based on changing regulatory, legal, industry standard or intellectual property protection and business needs+- a map of your starting state, desired end state, and the steps to get from one to the other +- a plan for how you'll address discovery of sensitive items +- a plan for developing policies and the order in which policies you'll implement them +- a plan for how you'll address any prerequisites +- a plan for how you'll test policies before implementing them for enforcement +- a plan for how you'll train your end users +- a plan for how you'll tune your policies +- a plan for how you'll review and update your data loss prevention strategy based on changing regulatory, legal, industry standard, or intellectual property protection and business needs #### Map out path from start to desired end state -Documenting how your organization is going to get from its starting state to the desired end state is essential to communicating with your stakeholders and setting the project scope. Here is a set of steps that are commonly used to deploy DLP. You'll want more detail than this, but you can use this to frame your DLP adoption path. +Documenting how your organization is going to get from its starting state to the desired end state is essential to communicating with your stakeholders and setting the project scope. Here's a set of steps that are commonly used to deploy DLP. 
You'll want more detail than the graphic shows, but you can use it to frame your DLP adoption path.  #### Sensitive item discovery -There are multiple ways to discover what individual sensitive items are and where they are located. You may have sensitivity labels already deployed or you may have decided to deploy a broad DLP policy to all locations that only discovers and audits items. To learn more, see [Know your data](information-protection.md#know-your-data). +There are multiple ways to discover what individual sensitive items are and where they're located. You may have sensitivity labels already deployed or you may have decided to deploy a broad DLP policy to all locations that only discovers and audits items. To learn more, see [Know your data](information-protection.md#know-your-data). #### Policy planning As you begin your DLP adoption, you can use these questions to focus your policy ##### What laws, regulations, and industry standards must your organization comply with? -Because many organizations come to DLP with the goal of regulatory compliance, answering this question is a natural starting place for planning your DLP implementation. But, as the IT implementer, you're probably not positioned to answer it. It needs to be answered by your legal team and business executives. +Because many organizations come to DLP with the goal of regulatory compliance, answering this question is a natural starting place for planning your DLP implementation. But, as the IT implementer, you're probably not positioned to answer it. Instead, you should consult your legal team and business executives for an answer. **Example** Your organization is subject to U.K. financial regulations. -##### What sensitive items does your organization have that must be protected from leakage? +##### What sensitive items must your organization protect from leakage? 
-Once your organization knows where it stands in terms of regulatory compliance needs, you'll have some idea of what sensitive items need to be protected from leakage and how you want to prioritize policy implementation to protect them. This will help you choose the most appropriate DLP policy templates. Microsoft Purview comes with pre-configured DLP templates for Financial, Medical and health, Privacy. You can also build your own policies using the Custom template. As you design and create your actual DLP policies, knowing the answer to this question will also help you choose the right [sensitive information type](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types). +Once you know where your organization stands in terms of regulatory compliance needs, you'll have some idea of what sensitive items need to be protected from leakage. You'll also have an idea about how you want to prioritize policy implementation to protect those items. This knowledge helps you choose the most appropriate DLP policy templates. Microsoft Purview comes with preconfigured DLP templates for Financial, Medical and health, and Privacy policy templates. Additionally, you can build your own using the Custom template. As you design and create your actual DLP policies, having a working knowledge of the sensitive items you need to protect helps you choose the right [sensitive information type](sensitive-information-type-learn-about.md#learn-about-sensitive-information-types). -**Example** To get started quickly, you pick the `U.K. Financial Data` policy template, which includes the `Credit Card Number`, `EU Debit Card Number`, and `SWIFT Code` sensitive information types. +**Example** To get started quickly, you might pick the preconfigured `U.K. Financial Data` policy template, which includes the `Credit Card Number`, `EU Debit Card Number`, and `SWIFT Code` sensitive information types. 
##### How you want your policies scoped -If your organization has implemented [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you can scope your DLP policies by administrative unit or leave the default full directory scoping. See [Policy Scoping](dlp-policy-reference.md#policy-scoping)(preview) for more details. +If your organization has implemented [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you can scope your DLP policies by administrative unit or leave the scope default, which applies policies to the full directory. For more information, see [Policy Scoping](dlp-policy-reference.md#policy-scoping). ##### Where are the sensitive items and what business processes are they involved in? -The items that contain your organization's sensitive information are used every day in the course of doing business. You need to know where instances of that sensitive information may occur and what business processes they are used in. This will help you choose the right locations to apply your DLP policies to. DLP policies are applied to locations: +The items that contain your organization's sensitive information are used every day in the course of doing business. You need to know where instances of that sensitive information may occur and what business processes they're used in. Knowing this helps you choose the right locations to apply your DLP policies. DLP policies can be applied to the following locations: - Exchange email - SharePoint sites - OneDrive accounts - Teams chat and channel messages-- Windows 10, 11, and macOS Devices+- Windows 10, 11 and macOS Devices - Microsoft Defender for Cloud Apps - On-premises repositories -**Example** Your organization's internal auditors are tracking a set of credit card numbers. They keep a spreadsheet of them in a secure SharePoint site. 
Several of the employees make copies and save them to their work OneDrive site, which is synced to their Windows 10 device. One of them pastes a list of 14 of those credit card numbers into an email and tries to send it to the outside auditors for review. You'd want to apply the policy to the secure SharePoint site, all the internal auditors' OneDrive accounts, their Windows 10 devices, and Exchange email. +**Example** Your organization's internal auditors are tracking a set of credit card numbers. They keep a spreadsheet of them in a secure SharePoint site. Several of the employees make copies and save them to their work OneDrive site, which is synced to their Windows 10 device. One of these employees pastes a list of 14 credit card numbers into an email and tries to send it to the outside auditors for review. In this case, you'd want to apply the policy to the secure SharePoint site, all the internal auditors OneDrive accounts, their Windows 10 devices, and Exchange email. -##### What is your organizations tolerance for leakage? +##### What is your organization's tolerance for leakage? -Different groups in your organization may have different views on what's an acceptable level of sensitive item leakage and what's not. Achieving the perfection of zero leakage may come at too high a cost to the business. +Different groups in your organization may have different views on what counts as an acceptable level of sensitive item leakage. Achieving the perfection of zero leakage may come at too high a cost to the business. -**Example** Your organization's security group and legal team both feel that there should be no sharing of credit card numbers with anyone outside the org and insist on zero leakage. But, as part of regular review of credit card number activity, the internal auditors must share some credit card numbers with third-party auditors. 
If your DLP policy prohibits all sharing of credit card numbers outside the org, there will be a significant business process disruption and added cost to mitigate the disruption in order for the internal auditors to complete their tracking. This extra cost is unacceptable to the executive leadership. To resolve this, there needs to be an internal conversation to decide an acceptable level of leakage. Once that is decided the policy can provide exceptions for certain individuals to share the information or it can be applied in audit only mode. +**Example** Your organization's security group and legal team both feel that there should be no sharing of credit card numbers with anyone outside the org. They insist on zero leakage. However, as part of their regular review of credit card number activity, the internal auditors must share some credit card numbers with third-party auditors. If your DLP policy prohibits all sharing of credit card numbers outside the org, there will be a significant business process disruption and added cost to mitigate the disruption in order for the internal auditors to complete their tracking. This extra cost is unacceptable to the executive leadership. To resolve this issue, there needs to be an internal conversation to decide an acceptable level of leakage. Once that is decided, the policy can provide exceptions for certain individuals to share the information, or, it can be applied in audit-only mode. > [!IMPORTANT] > To learn how to create a policy intent statement and map it to policy configurations see, [Design a data loss prevention policy](dlp-policy-design.md#design-a-data-loss-prevention-policy) Different groups in your organization may have different views on what's an acce Before you can monitor some DLP locations, there are prerequisites that must be met. 
See the **Before you begin** sections of the following articles: -- [Get started with the data loss prevention on-premises scanner (preview)](dlp-on-premises-scanner-get-started.md#before-you-begin)+- [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md#before-you-begin) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md#before-you-begin) - [Get started with the Microsoft compliance extension](dlp-chrome-get-started.md#before-you-begin)-- [Use data loss prevention policies for non-Microsoft cloud apps (preview)](dlp-use-policies-non-microsoft-cloud-apps.md#before-you-begin)+- [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md#before-you-begin) #### Policy deployment -When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents or to break an existing business process. +When you create your DLP policies, you should consider rolling them out gradually, so you can assess their impact and test their effectiveness before fully enforcing them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents or to break an existing business process. If you're creating DLP policies with a large potential impact, we recommend following this sequence: -1. **Start in test mode without Policy Tips** and then use the DLP reports and any incident reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine-tune the policies as needed. In test mode, DLP policies will not impact the productivity of people working in your organization. 
Also, use this stage to test out your workflow for DLP event review and issue remediation. +1. **Start in test mode, without Policy Tips** and then use the DLP reports, and any incident reports, to assess the impact of the policies. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine-tune your policies as needed. In test mode, DLP policies won't impact the productivity of people working in your organization. It's also good to use this stage for testing out your workflow for DLP event review and issue remediation. -2. **Move to Test mode with notifications and Policy Tips** so that you can begin to teach users about your compliance policies and prepare them for when the policies are applied. It's useful to have a link to an organization policy page that provides more details about the policy in the policy tip. At this stage, you can also ask users to report false positives so that you can further refine the conditions and reduce the number of false positives. Move to this stage once you have confidence that the results of policy application match what they stakeholders had in mind. +2. **Move to Test mode with notifications and Policy Tips** so that you can begin to teach users about your compliance policies and prepare them for when the policies are applied. It's useful to have a link to an organization policy page that provides more details about the policy in the Policy Tip. At this stage, you can also ask users to report false positives, so that you can further refine the conditions and reduce the number of false positives. Move to this stage once you have confidence that the results of applying the policies match what they stakeholders had in mind. -3. **Start full enforcement on the policies** so that the actions in the rules are applied and the content is protected. 
Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend. +3. **Start full policy enforcement** so that the actions in the rules are applied and the content is protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.  If you're creating DLP policies with a large potential impact, we recommend foll #### End-user training - You can configure your policies sot that, when a DLP policy is triggered, an [email notification is sent to admins and policy tips are shown to end users](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies). While your policies are still in test mode, and before they are set to enforce a blocking action, policy tips are useful ways to raise awareness of risky behaviors on sensitive items and for training users to avoid those behaviors in the future. +You can configure your policies so that, when a DLP policy is triggered, [email notifications are sent automatically, and policy tips are shown](use-notifications-and-policy-tips.md#send-email-notifications-and-show-policy-tips-for-dlp-policies) to admins and end users. Policy tips are useful ways to raise awareness of risky behaviors on sensitive items and train users to avoid those behaviors in the future. #### Review DLP requirements and update strategy -The regulations, laws, and industry standards that your organization is subject to will change over time and your business goals for DLP will too. Be sure to include regular reviews of all these areas so that your organization stays in compliance and your DLP implementation continues to meet your business needs. +The regulations, laws, and industry standards that your organization is subject to will change over time, as will your business goals for DLP. 
Be sure to include regular reviews of all these areas so that your organization stays in compliance and so your DLP implementation continues to meet your business needs. ## Approaches to deployment -|Customer business needs description | approach | +|Customer business needs description | Approach | |||-|**Contoso Bank** is in a highly regulated industry and has many different types of sensitive items in many different locations. Contoso </br> - knows which types of sensitive information are top priority. </br> - must minimize business disruption as policies are rolled out. </br> - has IT resources and can hire experts to help plan, design, and deploy </br> - has a premier support contract with Microsoft| - Take the time to understand what regulations they must comply with and how they are going to comply. </br> - Take the time to understand the better together value of the Microsoft Purview Information Protection stack </br> - Develop a sensitivity labeling scheme for prioritized items and apply </br> - Involve business process owners </br>- Design/code policies, deploy in test mode, train users </br>- repeat| -|**TailSpin Toys** doesnΓÇÖt know what they have or where it is, and have little to no resource depth. They use Teams, OneDrive, and Exchange extensively. |- Start with simple policies on the prioritized locations. </br>- Monitor what gets identified </br>- Apply sensitivity labels accordingly </br>- Refine policies and train users | -|**Fabrikam** is a small startup and wants to protect its intellectual property. It must move quickly. They are willing to dedicate some resources, but can't afford to hire outside experts. 
</br>- Sensitive items are all in OneDrive and SharePoint </br>- Adoption of OneDrive and SharePoint is slow, employees/shadow IT use DropBox and Google Drive to share/store items </br>- Employees value speed of work over disciplined data protection </br>- Customer splurged and bought all 18 employees new Windows devices |- Take advantage of the default DLP policy in Teams </br>- Use the *restricted by default* setting for SharePoint items </br>- Deploy policies that prevent external sharing </br>- Deploy policies to prioritized locations </br>- Deploy policies to Windows devices </br>- Block uploads to non-OneDrive for Business cloud storage | +|**Contoso Bank** is in a highly regulated industry and has many different types of sensitive items in many different locations. </br> </br> Contoso: </br> - knows which types of sensitive information are top priority </br> - must minimize business disruption as policies are rolled out </br> - has involved business process owners </br> - has IT resources and can hire experts to help plan, design, and deploy </br>- has a premier support contract with Microsoft| - Take time to understand what regulations they must comply with and how they're going to comply. </br> - Take time to understand the "better together" value of the Microsoft Purview Information Protection stack </br> - Develop a sensitivity labeling scheme for prioritized items and apply it </br> - Design and code policies, deploy them in test mode, and train users </br>- Repeat and refine policies| +|**TailSpin Toys** doesnΓÇÖt know what sensitive data they have or where it is, and they have little to no resource depth. They use Teams, OneDrive, and Exchange extensively. |- Start with simple policies on the prioritized locations. </br>- Monitor what gets identified </br>- Apply sensitivity labels accordingly </br>- Refine policies and train users | +|**Fabrikam** is a small startup. They want to protect their intellectual property and must move quickly. 
They're willing to dedicate some resources, but can't afford to hire outside experts. </br></br>Other considerations: </br> - Sensitive items are all in Microsoft 365 OneDrive / SharePoint </br>- Adoption of OneDrive and SharePoint is slow. Many employees still use DropBox and Google drive to store and share items </br>- Employees value speed of work over data protection discipline </br>- All 18 employees have new Windows devices | - Take advantage of the default DLP policy in Teams </br>- Use the "restricted by default" setting for SharePoint items </br>- Deploy policies that prevent external sharing </br>- Deploy policies to prioritized locations </br>- Deploy policies to Windows devices </br>- Block uploads to cloud storage solutions other than OneDrive | ## Next steps |
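Review bot: In the End-user training paragraph, the reworded sentence changes who receives what. The old text sent the email notification to admins and showed policy tips to end users, while the new text reads as if both go "to admins and end users". It also drops the qualifier that policy tips are useful while policies are still in test mode, before a blocking action is enforced. If the behaviour did not change, keep the original recipients and the test-mode qualifier. Smaller points in the added lines: "all the internal auditors OneDrive accounts" lost its possessive apostrophe, "match what they stakeholders had in mind" still carries the "they" typo, "or, it can be applied in audit-only mode" has a stray comma, and "Windows 10, 11 and macOS Devices" drops the serial comma that the other added lines use.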
compliance | Ediscovery Keyword Queries And Search Conditions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-keyword-queries-and-search-conditions.md | For step-by-step instructions on how to create different eDiscovery searches, se - The timezone for all searches is Coordinated Universal Time (UTC). Changing timezones for your organization isn't currently supported. - Keyword searches aren't case-sensitive. For example, **cat** and **CAT** return the same results. - The Boolean operators **AND**, **OR**, **NOT**, and **NEAR** must be uppercase.-- A space between two keywords or two `property:value` expressions is the same as using **AND**. For example, `from:"Sara Davis" subject:reorganization` returns all messages sent by Sara Davis that contain the word reorganization in the subject line.+- A space between two keywords or two `property:value` expressions is the same as using **OR**. For example, `from:"Sara Davis" subject:reorganization` returns all messages sent by Sara Davis or messages that contain the word reorganization in the subject line. - Use syntax that matches the `property:value` format. Values aren't case-sensitive, and they can't have a space after the operator. If there's a space, your intended value will be a full-text search. For example `to: pilarp` searches for "pilarp" as a keyword, rather than for messages sent to pilarp. - When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla". - You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) aren't supported. |
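Review bot: The bullet on implicit operators now says a space between two keywords or two `property:value` expressions means **OR** where it previously said **AND**, which turns the example `from:"Sara Davis" subject:reorganization` from a narrowing search into a widening one. Please confirm this matches service behaviour. Readers who built searches on the old wording will get broader result sets than they expect, so add a sentence telling them to write **AND** explicitly when both conditions must match.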
compliance | Endpoint Dlp Learn About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md | f1.keywords: Previously updated : 06/02/2023 Last updated : 06/24/2023 audience: ITPro f1_keywords: description: "Endpoint data loss prevention extends monitoring of file activitie You can use Microsoft Purview Data Loss Prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md). -**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS devices running any of the latest releases. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-create-deploy-policy.md). +**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10/11 and macOS (the three latest released major versions) devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md). You can then enforce protective actions on those items via [DLP policies](dlp-create-deploy-policy.md). 
> [!TIP] > If you are looking for device control for removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](../security/defender-endpoint/device-control-removable-storage-access-control.md#microsoft-defender-for-endpoint-device-control-removable-storage-access-control). Endpoint DLP enables you to audit and manage the following types of activities u |Activity |Description |Windows 10 1809 and later/ Windows 11| macOS three latest released versions | Auditable/restrictable| ||||||-|Upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they're using a browser that is listed in DLP as an unallowed browser, the upload activity is blocked and the user is redirected to use Microsoft Edge. Microsoft Edge then either allows or blocks the upload or access based on the DLP policy configuration. You can block, warn, or audit when protected files are uploaded or blocked from being uploaded to cloud services based on the allow/unallowed domains list in Global settings. When the configured action is set to warn or block, other browsers (defined in the unallowed browsers list under Global settings) are blocked from accessing the file. |Supported |Supported|Auditable and restrictable| -|Paste to a browser| This activity is detected when a user copies and pastes sensitive information strings (rather than trying to attach or upload a sensitive file) into a browser. For instance, copying data from a database and pasting it into a web form. | Supported | Not supported | Auditable and restrictable | -|Copy to another app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. 
It also detects when a user copies and pastes content among files within the same app, process or item for Word, Excel, and PowerPoint.|Supported|Supported | Auditable and restrictable| -|Copy to USB removable media |When this activity is detected, you can block, warn or audit the copying or moving of protected files from an endpoint device to USB removable media.|Supported|Supported |Auditable and restrictable| +|Upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they're using a browser that is listed in DLP as unallowed, the upload activity is blocked and the user is redirected to use Microsoft Edge. Microsoft Edge then either allows or blocks the upload or access based on the DLP policy configuration. You can block, warn, or audit when protected files are allowed to be uploaded or prevented from being uploaded to cloud services based on the allow/unallowed domains list in Global settings. When the configured action is set to warn or block, other browsers (defined on the unallowed browsers list under Global settings) are blocked from accessing the file. |Supported |Supported|Auditable and restrictable| +|Copy to another app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process, or item. It also detects when a user copies and pastes content among files within the same app, process, or item for Word, Excel, and PowerPoint.|Supported|Supported | Auditable and restrictable| +|Copy to USB removable media |When this activity is detected, you can block, warn, or audit the copying or moving of protected files from an endpoint device to USB removable media.|Supported|Supported |Auditable and restrictable| |Copy to a network share | When this activity is detected, you can block, warn, or audit the copying or moving of protected files from an endpoint device to any network share. 
|Supported|Supported |Auditable and restrictable| |Print a document |When this activity is detected, you can block, warn, or audit the printing of protected files from an endpoint device. |Supported|Supported|Auditable and restrictable | |Copy to a remote session|Detects when a user attempts to copy an item to a remote desktop session. |Supported|Not supported| Auditable and restrictable| Endpoint DLP enables you to audit and manage the following types of activities u |Copy to clipboard| When this activity is detected, you can block, warn, or audit the copying of protected files to a clipboard on an endpoint device. |Supported | Supported|Auditable and restrictable| |Access by unallowed apps| Detects when an application that is on the unallowed apps list (as defined in [restricted apps and app groups](dlp-configure-endpoint-settings.md)) attempts to access protected files on an endpoint device. |Supported |Supported| - ## Best practice for endpoint DLP policies Say you want to block all items that contain credit card numbers from leaving endpoints of Finance department users. We recommend the following: - Create a policy and scope it to endpoints and to that group of users.-- Create a rule in the policy that detects the type of information that you want to protect. In this case, **content contains** set to *Sensitive information type*, and select **Credit Card**.+- Create a rule in the policy that detects the type of information that you want to protect. In this case, set **content contains** to *Sensitive information type**, and select **Credit Card**. - Set the actions for each activity to **Block**. See [Design a data loss prevention policy](dlp-policy-design.md) for more guidance on designing your DLP policies. > [!NOTE]-> In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally, so there is no time lag for policies and policy updates to be distributed to individual devices. 
When a policy is updated in compliance center, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically re-evaluated the next time they are accessed or modified. (Preview) For Authorized Groups changes, the policy will need 24 hours to sync +> In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally, so there is no time lag for policies and policy updates to be distributed to individual devices. When a policy is updated in compliance center, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically re-evaluated the next time they are accessed or modified. (Preview) For Authorized Groups changes, the policy will need 24 hours to sync. ## Monitored files If you only want monitoring data from policy matches, you can turn off the **Alw To ensure activities are audited for all supported file types, create a [custom DLP policy](dlp-create-deploy-policy.md). -Endpoint DLP monitors activity-based on MIME type, so activities are captured, even if the file extension is changed for these files types: +Endpoint DLP monitors activity-based on MIME type, so activities are captured, even if the file extension is changed, for these files types: After the extension is changed to any other file extension: - doc If the extension is changed only to supported file extensions: File types are a grouping of file formats. They are utilized to protect specific workflows or areas of business. You can use one or more file types as conditions in your DLP policies. File types are supported for Windows 10/11 devices. 
-|File Type |App |monitored file extensions | +|File Type |App |Monitored file extensions | |||| |word processing |Word, PDF | .doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .pdf | |spreadsheet |Excel, CSV, TSV |.xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .csv, .tsv | File types are a grouping of file formats. They are utilized to protect specific ### File extensions -If the File types don't cover the file extensions you need to list as a condition in a policy, you can use file extensions separated by comma instead. +If the file types don't cover the file extensions you need to list as a condition in a policy, you can use file extensions separated by comma instead. > [!IMPORTANT] > The **file extensions** and **file types** options cannot be used as conditions in the same rule. If you want to use them as conditions in the same policy, they must be in separate rules. There are a few extra concepts that you need to be aware of before you dig into ### Enabling Device management -Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft Purview solutions like Endpoint DLP and [insider risk management](insider-risk-management.md). You need to onboard all devices you want to use as locations in DLP policies. +Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft Purview solutions like Endpoint DLP and [insider risk management](insider-risk-management.md). You need to onboard all the devices you want to use as locations in your DLP policies. > [!div class="mx-imgBorder"] >  Onboarding and offboarding are handled via scripts that you download from the de Use the procedures in [Getting started with Microsoft 365 Endpoint DLP](endpoint-dlp-getting-started.md) to onboard devices. 
-If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices automatically show up in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP. +If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will show up automatically in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP. > [!div class="mx-imgBorder"] >  You can view alerts related to DLP policies enforced on endpoint devices by goin > [!div class="mx-imgBorder"] >  -You can also view details of the associated event with rich metadata in the same dashboard +You can also view details of the associated event, with rich metadata, in the same dashboard > [!div class="mx-imgBorder"] >  For example, if a file is copied to removable USB media, you'd see these attribu > [!div class="mx-imgBorder"] >  -## Just in time protection (preview) +## Just-in-time protection (preview) > [!IMPORTANT] > If you want to try out just-in-time protection, you must register your tenant at [Endpoint JIT Preview](https://aka.ms/EndpointJITPreview). +Endpoint DLP can use **Just in time protection** once it's enabled in **Microsoft Purview compliance console** > **Settings**. Endpoint DLP can use **Just in time protection** once it's enabled in **Microsoft Purview compliance console** > **Settings**. Just-in-time protection applies a candidate policy to onboarded Windows 10/11 devices. The candidate policy blocks all egress activities on monitored files until policy evaluation completes successfully. 
The candidate policy is applied to: Just-in-time protection applies a candidate policy to onboarded Windows 10/11 de > - Simulate Mode: Just-in-time protection is triggered in the background. Admins can see just-in-time events in Activity explorer, without users being blocked. > - Enforce Mode: End users are blocked until the evaluation is complete. -<!-- You can prevent a file from being permanently blocked if policy evaluation starts on a file, but doesn't complete. Use the **Just in time protection configuration** fallback setting to either **Allow** or **Block** egress activities if policy evaluation doesn't complete. You configure fallback settings in **Microsoft Purview compliance console** > **Settings** > **Just in time protection configuration** > **Decide what happens if JIT protection fails**. --> +You can prevent a file from being permanently blocked if policy evaluation starts on a file, but doesn't complete. Use the **Just in time protection configuration** fallback setting to either **Allow** or **Block** egress activities if the policy evaluation doesn't complete. To configure fallback settings, navigate to **Microsoft Purview compliance console** > **Settings** > **Just in time protection configuration** > **Decide what happens if JIT protection fails**. > [!TIP]-> Because the candidate policy from just-in-time protection is applied to all files on onboarded devices, it may block user activity on files that won't have a policy applied once evaluation occurs. To prevent this productivity interruption, you should configure and deploy policies to devices before enabling just in time protection. +> Because the candidate policy from just-in-time protection is applied to all files on onboarded devices, it may block user activity on files that won't have a policy applied once evaluation occurs. To prevent this productivity interruption, you should configure and deploy policies to devices before enabling just-in-time protection. ## Next steps |
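Review bot: The activities table loses the "Paste to a browser" row, which is removed with no replacement line, so the article no longer states that pasting sensitive strings into a browser is auditable and restrictable on Windows. Confirm the removal is intended. In the best-practice list, `*Sensitive information type**` has one opening and two closing asterisks and will not render as emphasis. The retitled heading "Just-in-time protection (preview)" is hyphenated but the body keeps **Just in time protection**. The added sentence "You can also view details of the associated event, with rich metadata, in the same dashboard" has no closing period, and "monitors activity-based on MIME type ... for these files types" still carries the stray hyphen and the plural "files".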
compliance | Information Barriers Insights Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-insights-report.md | + + Title: "SharePoint & OneDrive insights report" +description: Use the insights report to get information about information barriers usage in your organization. +keywords: Microsoft 365, Microsoft Purview, compliance, information barriers ++++audience: ITPro ++++- highpri +- tier2 +- purview-compliance +- m365solution-mip +- m365initiative-compliance +- highpri +ms.localizationpriority: medium +f1.keywords: +- NOCSH + Last updated : 05/31/2023+++# SharePoint & OneDrive insights reports ++The insights report in [information barriers](information-barriers.md) (IB) can help you identify and discover usage patterns across SharePoint sites and OneDrive accounts in your organization. Administrators can use PowerShell to create and view reports to identify top sites and their modes to help apply suitable controls for the sites as applicable. 
++The insights report provides the following information for the top 100 most actively used SharePoint sites and OneDrive accounts in your organization: ++|**Report section**|**Description**|**Applies to**| +|:-|:--|:-| +|Explicit mode section|Top restrictive sites with highest collaboration between IB users|SharePoint sites and OneDrive accounts| +|Implicit mode section|Top sites with highest collaboration between compatible users|SharePoint sites only| +|Mixed mode section|Top accounts with collaboration between segmented and unsegmented users|OneDrive accounts only| +|Mode Distribution section|The number and percentage of modes across all sites and accounts|SharePoint sites and OneDrive accounts| +|Open mode section|Top least restrictive sites|SharePoint sites and OneDrive accounts| +|Owner Moderated mode section|Top sites with highest collaboration between IB users and non-IB users|SharePoint sites and OneDrive accounts| ++## Prerequisites ++- Your organization must have information barriers enabled for SharePoint and OneDrive to be able to create the insights report. To enable IB in SharePoint and OneDrive for your organization, see [Use information barriers with SharePoint](/microsoft-365/compliance/information-barriers-sharepoint#enable-sharepoint-and-onedrive-information-barriers-in-your-organization). +- You must use the latest version of the [SharePoint Online Management Shell](https://www.microsoft.com/download/details.aspx?id=35588). If you've installed a previous version of the SharePoint Online Management Shell, go to **Add or remove programs** and uninstall *SharePoint Online Management Shell* and then install the latest version. To learn more about SharePoint Online Management Shell, see [Get started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online). ++## Create the insights report ++Before you can run specific queries for information barriers details, you must first create a report. 
After the report has completed successfully, you can run specific detail reports. ++One insight report is supported for every 24 hour period and the previous report is overwritten when the next report is created. For example, if you create an insights report on 4/25/2023 at 4:10 PM, you can't create another insight report until after 4:10 PM on 4/26/2023. ++To create the insights report, complete the following steps: ++1. [Connect to SharePoint Online](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps) as a global administrator or SharePoint administrator in Microsoft 365. +2. Run the following PowerShell cmdlet and accept the confirmation prompt to create the insights report: ++ ```powershell + Start-SPOInformationBarriersInsightsReport + ``` ++ > [!NOTE] + > Depending on the number of SharePoint sites and OneDrives accounts in your organization, it may take up to one hour for this report to created. ++ You can automate acceptance of the confirmation prompt when creating the insights report by appending the *-Yes* as an parameter to the cmdlet. For example, `Start-SPOInformationBarriersInsightsReport -Yes`. +3. Run the following PowerShell cmdlet to view the status of the insights report: ++ ```powershell + Get-SPOInformationBarriersInsightsReport + ``` ++ The following example shows the information returned for the insights report: ++ `State: Completed` <br> + `Id: ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776` <br> + `StartTimeInUtc: 4/25/2023 4:10:16 PM`<br> + `CompleteTimeInUtc: 4/25/2023 4:10:25 PM`<br> + `QueuedTimeInUtc: 4/25/2023 4:06:47 PM` ++ The report is ready to view or download when the *State* value is *Completed*. Other *State* values include: ++ - *Not Started*: State when the inisghts report hasn't started. + - *In Progress*: State when the insights report is in progress. + - *Error*: State when the insights report has failed. 
++## Insights reports for SharePoint sites ++### View a summary of modes with results for SharePoint sites ++To view a summary of the modes with results for SharePoint sites, use the following cmdlet syntax to view insights from the report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776` ++**Example results**: ++`Content: Explicit, Implicit, Open, OwnerModerated, ModeDistribution` <br> +`State: Completed`<br> +`Id: ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776`<br> +`StartTimeInUtc: 4/25/2023 4:10:16 PM`<br> +`CompleteTimeInUtc: 4/25/2023 4:10:25 PM`<br> +`QueuedTimeInUtc: 4/25/2023 4:06:47 PM` ++In this example, the insights report results are displayed for SharePoint sites included in the organization with an ID of *ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776*. The values in the *Content* line represent the modes that have results in the report. If a mode (applicable to SharePoint) isn't listed, there aren't any SharePoint sites in the organization with that mode. 
++### View the details for a specific mode for SharePoint sites ++To view details about a specific mode with results for SharePoint sites, use the following cmdlet syntax to view insights from the insights report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -section <Mode> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776 -section Explicit` ++**Example results**: ++`SiteName: Contoso Budget Planning` <br> +`SiteURL: https://contoso.sharepoint.com/sites/ContosoBudgetPlanning`<br> +`Site Owner: User1`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Explicit` ++`SiteName: Contoso Training Budgets` <br> +`SiteURL: https://contoso.sharepoint.com/sites/ContosoTrainingBudgets`<br> +`Site Owner: User2`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Explicit` ++`SiteName: Contoso Viewpoint Project` <br> +`SiteURL: https://contoso.sharepoint.com/sites/ContosoViewpointProject`<br> +`Site Owner: User3`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Explicit` ++### View the details for the mode distribution for SharePoint sites ++To view details about the mode distribution with results for SharePoint sites, use the following cmdlet syntax to view insights from the insights report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -section <ModeDistribution> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776 -section ModeDistribution` ++**Example results**: ++`Total site count: 10000` <br> +`Owner Moderated SiteCount: 500 SitePercentage: 5` <br> +`Open SiteCount: 1682 SitePercentage: 16.82` <br> +`Explicit SiteCount: 3628 SitePercentage: 36.82` <br> +`Implicit SiteCount: 4190 SitePercentage: 41.9` ++## Insights reports for OneDrive accounts ++### View a summary of modes with results for OneDrive accounts ++To view a summary of the modes with results for OneDrive accounts, use the 
following cmdlet syntax to view insights from the insights report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -service <OneDrive> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776 -service OneDrive` ++**Example results**: ++`Content: Explicit, Mixed, Open, OwnerModerated, ModeDistribution` <br> +`State: Completed`<br> +`Id: ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776`<br> +`StartTimeInUtc: 4/25/2023 4:10:16 PM`<br> +`CompleteTimeInUtc: 4/25/2023 4:10:25 PM`<br> +`QueuedTimeInUtc: 4/25/2023 4:06:47 PM` ++In this example, the insights report results are displayed for OneDrive accounts included in the organization with an ID of *ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776*. The values in the *Content* line represent the modes that have results in the report. If a mode (applicable to OneDrive) isn't listed, there aren't any OneDrive accounts in the organization with that mode. ++### View the details for a specific mode for OneDrive accounts ++To view details about a specific mode with results for OneDrive accounts, use the following cmdlet syntax to view insights from the insights report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -service OneDrive -section <Mode> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776 -service OneDrive -section Open` ++**Example results**: ++`SiteName: User1` <br> +`SiteURL: https://spdfcontoso-my.sharepoint.com/personal/user1_spdfcontoso_onmicrosoft_com`<br> +`Site Owner: user1@spdfcontoso.onmicrosoft.com`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Open` ++`SiteName: User2` <br> +`SiteURL: https://spdfcontoso-my.sharepoint.com/personal/user2_spdfcontoso_onmicrosoft_com`<br> +`Site Owner: user2@spdfcontoso.onmicrosoft.com`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Open` ++`SiteName: User3` <br> +`SiteURL: 
https://spdfcontoso-my.sharepoint.com/personal/user3_spdfcontoso_onmicrosoft_com`<br> +`Site Owner: user3@spdfcontoso.onmicrosoft.com`<br> +`LastActivity: 4/25/2023 4:10:16 PM`<br> +`IBMode: Open` ++### View the details for the mode distribution for OneDrive accounts ++To view details about the mode distribution with results for OneDrive accounts, use the following cmdlet syntax to view insights from the insights report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -service OneDrive -section <ModeDistribution> +``` ++**Example**: ++`Get-SPOInformationBarriersInsightsReport -reportId ec65a1cf-9b1a-48c2-a1b4-f923ac4c0776 -service OneDrive -section ModeDistribution` ++**Example results**: ++`Total site count: 19305` <br> +`Owner Moderated SiteCount: 167 SitePercentage: 0.87` <br> +`Mixed SiteCount: 4881 SitePercentage: 25.28` <br> +`Explicit SiteCount: 4910 SitePercentage: 25.43` <br> +`Open SiteCount: 9347 SitePercentage: 48.42` ++## Download the results of the insights report ++To download the results of a specific insights report for SharePoint sites, use the following cmdlet syntax to download the report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -section <report you want to download> -action Download +``` ++The report is automatically exported as a .csv file with a file name of *SharePoint_the name of the report type*. For example, if you download the *Explicit* report, the file name is *SharePoint_Explicit.csv*. ++To download the results of a specific insights report for OneDrive accounts, use the following cmdlet syntax to download the report: ++```powershell +Get-SPOInformationBarriersInsightsReport -reportId <ID> -service OneDrive -section <report you want to download> -action Download +``` ++The report is automatically exported as a .csv file with a file name of *OneDrive_the name of the report type*. For example, if you download the *Explicit* report, the file name is *OneDrive_Explicit.csv*. 
++To rename the report or export to custom locations, you can use standard PowerShell parameters. For more information, see the [PowerShell documentation](/powershell/). ++## Audit activities for the insights report ++Audit events for the insights report are available in the Microsoft Purview compliance portal. For more information about the activities logged, see [Information barriers activities](/microsoft-365/compliance/audit-log-activities#information-barriers-activities). |
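Review bot: In the SharePoint ModeDistribution example results, `Explicit SiteCount: 3628 SitePercentage: 36.82` does not match its own count: 3628 of 10000 sites is 36.28, and with 36.82 the four percentages add up to 100.54 instead of 100, so the value should be 36.28. The syntax lines `-section <ModeDistribution>` and `-service <OneDrive>` wrap literal values in placeholder brackets, while the later OneDrive syntax lines write `-service OneDrive` without them; use one convention so readers can tell which tokens to substitute. The sentence after the summary examples says the results are for "the organization with an ID of" the GUID, but that GUID is the value passed to `-reportId`, so it should read as the report ID. Before merge, also fix the typos in the Create section ("for this report to created", "as an parameter", "inisghts", "OneDrives accounts") and drop the duplicated `- highpri` entry in the metadata.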
compliance | Retention | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md | f1.keywords: Previously updated : 06/08/2023 Last updated : 06/24/2023 audience: Admin As with sensitivity labels, an item such as an email or document can have only a - [Auto-apply retention label policy](apply-retention-labels-automatically.md) - [A Microsoft Syntex model](../contentunderstanding/apply-a-retention-label-to-a-model.md)-- [Default retention label for SharePoint](create-apply-retention-labels.md#applying-a-default-retention-label-to-all-content-in-a-sharepoint-library-folder-or-document-set) or [Outlook](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)-- [Outlook rules](create-apply-retention-labels.md#automatically-applying-a-retention-label-to-email-by-using-rules)+- [Default retention label for SharePoint or Outlook](create-apply-retention-labels.md#default-labels-for-sharepoint-and-outlook) +- [Outlook rules](create-apply-retention-labels.md#automatically-apply-a-retention-label-to-email-by-using-outlook-rules) - [Power Automate compliance action](/power-automate/overview-cloud) of **Apply a retention label on the item** If there are multiple auto-apply retention label policies that could apply a retention label, and the content meets the conditions of more than one of these policies, you can't control which retention label will be selected. However, in some cases, the retention label for the oldest auto-apply retention label policy (by date created) is selected. This happens only when the matching policies don't include multiple instances of the same type of condition (sensitive information types, specific keywords or searchable properties, or trainable classifiers). For standard retention labels (they don't mark items as a [record or regulatory - The existing label was applied as a default label. 
When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed. For more information about the label behavior when it's applied by using a default label:- - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint) - - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder) + - [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint) + - [Label behavior when you use a default label for Outlook](/microsoft-365/compliance/create-apply-retention-labels&tabs=manual-outlook%2Cdefault-label-for-outlook#label-behavior-when-you-use-a-default-label-for-outlook) For retention labels that mark items as a record or a regulatory record: If you currently use these older features, they will usually work side by side w - An archive policy for [archive mailboxes](enable-archive-mailboxes.md) to automatically move emails from a user's primary mailbox to their archive mailbox after a specified period of time. An archive policy (with any settings) can be used in conjunction with a Microsoft 365 retention policy that applies to a user's primary and archive mailbox. - - Retention policies applied by an admin to specific folders within a mailbox. A Microsoft 365 retention policy applies to all folders in the mailbox. However, an admin can configure different retention settings by using retention labels that a user can apply to folders in Outlook as a [default retention label](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder). + - Retention policies applied by an admin to specific folders within a mailbox. 
A Microsoft 365 retention policy applies to all folders in the mailbox. However, an admin can configure different retention settings by using retention labels that a user can apply to folders in Outlook as a [default retention label](create-apply-retention-labels.md#default-labels-for-sharepoint-and-outlook). - [Journaling](/exchange/security-and-compliance/journaling/journaling) (retention and archive) |
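Review bot: The added Outlook link under the default-label bullets, `/microsoft-365/compliance/create-apply-retention-labels&tabs=manual-outlook%2Cdefault-label-for-outlook#label-behavior-when-you-use-a-default-label-for-outlook`, starts its query string with `&` instead of `?`, so `&tabs=...` is read as part of the path and the link will likely not resolve to the tabbed section. Change it to `?tabs=`, and consider the relative `create-apply-retention-labels.md` form used by the SharePoint bullet directly above it and by the other links this change touches, so all references to that article are written the same way.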
includes | Microsoft 365 Content Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md | +## Week of June 19, 2023 +++| Published On |Topic title | Change | +|||--| +| 6/19/2023 | [Change a user name and email address](/microsoft-365/admin/add-users/change-a-user-name-and-email-address?view=o365-worldwide) | modified | +| 6/19/2023 | [Configure email forwarding](/microsoft-365/admin/email/configure-email-forwarding?view=o365-worldwide) | modified | +| 6/19/2023 | [Password policy recommendations](/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide) | modified | +| 6/19/2023 | [Get started with trainable classifiers](/microsoft-365/compliance/classifier-get-started-with?view=o365-worldwide) | modified | +| 6/19/2023 | [How to retrain a classifier in content explorer](/microsoft-365/compliance/classifier-how-to-retrain-content-explorer?view=o365-worldwide) | modified | +| 6/19/2023 | [Create a custom sensitive information type using PowerShell](/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell?view=o365-worldwide) | modified | +| 6/19/2023 | [Create a keyword dictionary](/microsoft-365/compliance/create-a-keyword-dictionary?view=o365-worldwide) | modified | +| 6/19/2023 | [Customize a built-in sensitive information type](/microsoft-365/compliance/customize-a-built-in-sensitive-information-type?view=o365-worldwide) | modified | +| 6/19/2023 | [Labeling actions reported in Activity explorer](/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide) | modified | +| 6/19/2023 | [Get started with Activity explorer](/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide) | modified | +| 6/19/2023 | [Increase Classifier Accuracy](/microsoft-365/compliance/data-classification-increase-accuracy?view=o365-worldwide) | modified | +| 6/19/2023 | [Learn about Adaptive 
Protection in data loss prevention](/microsoft-365/compliance/dlp-adaptive-protection-learn?view=o365-worldwide) | modified | +| 6/19/2023 | [Get started with the DLP Alerts dashboard](/microsoft-365/compliance/dlp-alerts-dashboard-get-started?view=o365-worldwide) | modified | +| 6/19/2023 | [Learn about the DLP alerts dashboard](/microsoft-365/compliance/dlp-alerts-dashboard-learn?view=o365-worldwide) | modified | +| 6/19/2023 | [Get started with the Microsoft Purview extension for Chrome](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-worldwide) | modified | +| 6/19/2023 | [DLP policy conditions, exceptions, and actions](/microsoft-365/compliance/dlp-conditions-and-exceptions?view=o365-worldwide) | modified | +| 6/19/2023 | [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings?view=o365-worldwide) | modified | +| 6/19/2023 | [Configure and view alerts for DLP policies](/microsoft-365/compliance/dlp-configure-view-alerts-policies?view=o365-worldwide) | modified | +| 6/19/2023 | [Learn about collecting files that match DLP policies from devices (preview)](/microsoft-365/compliance/dlp-copy-matched-items-learn?view=o365-worldwide) | modified | +| 6/19/2023 | [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide) | modified | +| 6/19/2023 | [Legacy eDiscovery tools retired](/microsoft-365/compliance/ediscovery-legacy-retirement?view=o365-worldwide) | modified | +| 6/19/2023 | [Enable co-authoring for encrypted documents](/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide) | modified | +| 6/19/2023 | [Enable sensitivity labels for Office files](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide) | modified | +| 6/19/2023 | [Overview of Loop components in the Microsoft 365 ecosystem](/microsoft-365/loop/loop-components-teams?view=o365-worldwide) | modified | +| 6/19/2023 | [Run the client analyzer on macOS or 
Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | +| 6/19/2023 | [Overview of Microsoft Syntex](/microsoft-365/syntex/syntex-overview) | modified | +| 6/19/2023 | [Data loss prevention Exchange conditions and actions reference](/microsoft-365/compliance/dlp-exchange-conditions-and-actions?view=o365-worldwide) | renamed | +| 6/19/2023 | [Search the audit log in the Microsoft Purview compliance portal](/microsoft-365/compliance/audit-log-search?view=o365-worldwide) | modified | +| 6/19/2023 | [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions?view=o365-worldwide) | modified | +| 6/19/2023 | [Microsoft Defender for Business](/microsoft-365/security/defender-business/index?view=o365-worldwide) | modified | +| 6/19/2023 | [Assign security roles and permissions in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-roles-permissions?view=o365-worldwide) | modified | +| 6/19/2023 | [Compare Microsoft endpoint security plans](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-worldwide) | modified | +| 6/19/2023 | [Overview of Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1?view=o365-worldwide) | modified | +| 6/19/2023 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified | +| 6/19/2023 | [Update your agent on devices for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/update-agent-mma-windows?view=o365-worldwide) | modified | +| 6/20/2023 | [Outbound delivery pools](/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide) | modified | +| 6/20/2023 | [Configure outbound spam 
policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified | +| 6/20/2023 | [Configuring and controlling external email forwarding in Microsoft 365](/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide) | modified | +| 6/20/2023 | [Outbound spam protection](/microsoft-365/security/office-365-security/outbound-spam-protection-about?view=o365-worldwide) | modified | +| 6/20/2023 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | +| 6/20/2023 | [Protect against threats in Microsoft Defender for Office 365, Anti-malware, Anti-Phishing, Anti-spam, Safe links, Safe attachments, Zero-hour auto purge (ZAP), MDO security configuration](/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide) | modified | +| 6/20/2023 | [Quarantined email messages](/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide) | modified | +| 6/20/2023 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/quarantine-end-user?view=o365-worldwide) | modified | +| 6/20/2023 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified | +| 6/20/2023 | [Quarantine notifications (end-user spam notifications) in Microsoft 365](/microsoft-365/security/office-365-security/quarantine-quarantine-notifications?view=o365-worldwide) | modified | +| 6/20/2023 | [View and release quarantined messages from shared mailboxes](/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages?view=o365-worldwide) | modified | +| 6/20/2023 | [Threat Explorer and Real-time detections basics in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/real-time-detections?view=o365-worldwide) | modified | +| 6/20/2023 | [Microsoft 
recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide) | modified | +| 6/20/2023 | [Reference Policies, practices, and guidelines](/microsoft-365/security/office-365-security/reference-policies-practices-and-guidelines?view=o365-worldwide) | modified | +| 6/20/2023 | [Remove blocked users from the Restricted entities page](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-worldwide) | modified | +| 6/20/2023 | [View email security reports](/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide) | modified | +| 6/20/2023 | [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide) | modified | +| 6/20/2023 | [Manage mailbox auditing](/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide) | modified | +| 6/20/2023 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | added | +| 6/20/2023 | [How to find the best frontline team solution for your organization](/microsoft-365/frontline/frontline-team-options?view=o365-worldwide) | added | +| 6/20/2023 | [Administering Exchange Online mailboxes in a multi-geo environment](/microsoft-365/enterprise/administering-exchange-online-multi-geo?view=o365-worldwide) | modified | +| 6/20/2023 | [Exchange Multi-Geo](/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online?view=o365-worldwide) | modified | +| 6/20/2023 | [Deploy frontline static teams at scale with PowerShell for frontline workers](/microsoft-365/frontline/deploy-teams-at-scale?view=o365-worldwide) | modified | +| 6/20/2023 | [Set up, review, and edit your security policies and settings in Microsoft Defender for 
Business](/microsoft-365/security/defender-business/mdb-configure-security-settings?view=o365-worldwide) | modified | +| 6/20/2023 | [Manage devices in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-manage-devices?view=o365-worldwide) | modified | +| 6/20/2023 | [Set up web content filtering in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-web-content-filtering?view=o365-worldwide) | modified | +| 6/20/2023 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide) | modified | +| 6/20/2023 | [SIEM integration with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti?view=o365-worldwide) | modified | +| 6/20/2023 | [SIEM server integration with Microsoft 365 services and applications](/microsoft-365/security/office-365-security/siem-server-integration?view=o365-worldwide) | modified | +| 6/20/2023 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes?view=o365-worldwide) | modified | +| 6/20/2023 | [Admin review for user reported messages](/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages?view=o365-worldwide) | modified | +| 6/20/2023 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified | +| 6/20/2023 | [Errors during admin submissions](/microsoft-365/security/office-365-security/submissions-error-messages?view=o365-worldwide) | modified | +| 6/20/2023 | [Report phishing and suspicious emails in Outlook for admins](/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide) | modified | +| 6/20/2023 | [Report spam, non-spam, phishing, suspicious emails and files to 
Microsoft](/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft?view=o365-worldwide) | modified | +| 6/20/2023 | [Submit malware and good files to Microsoft for analysis](/microsoft-365/security/office-365-security/submissions-submit-files-to-microsoft?view=o365-worldwide) | modified | +| 6/20/2023 | [User reported settings](/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox?view=o365-worldwide) | modified | +| 6/20/2023 | [Enable the Report Message or the Report Phishing add-ins](/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure?view=o365-worldwide) | modified | +| 6/20/2023 | [Manage allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide) | modified | +| 6/20/2023 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified | +| 6/20/2023 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified | +| 6/20/2023 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified | +| 6/20/2023 | [Configure your Microsoft 365 tenant for increased security](/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-worldwide) | modified | +| 6/20/2023 | [Threat hunting in Threat Explorer for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide) | modified | +| 6/20/2023 | [Use Trusted ARC senders for legitimate devices and services between the sender and 
receiver](/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders?view=o365-worldwide) | modified | +| 6/20/2023 | [Remove yourself from the blocked senders list and address 5.7.511 Access denied errors](/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis?view=o365-worldwide) | modified | +| 6/21/2023 | [Add custom tiles to the app launcher](/microsoft-365/admin/manage/customize-the-app-launcher?view=o365-worldwide) | modified | +| 6/21/2023 | [Anti-spoofing protection FAQ](/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-faq?view=o365-worldwide) | modified | +| 6/21/2023 | [Anti-spam protection FAQ](/microsoft-365/security/office-365-security/anti-spam-protection-faq?view=o365-worldwide) | modified | +| 6/21/2023 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide) | modified | +| 6/21/2023 | [Email authentication in Microsoft 365](/microsoft-365/security/office-365-security/email-authentication-about?view=o365-worldwide) | modified | +| 6/21/2023 | [Exchange Online Protection (EOP) overview](/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide) | modified | +| 6/21/2023 | [EOP general FAQ](/microsoft-365/security/office-365-security/eop-faq?view=o365-worldwide) | modified | +| 6/21/2023 | [Help and support for EOP](/microsoft-365/security/office-365-security/help-and-support-for-eop?view=o365-worldwide) | modified | +| 6/21/2023 | [Order and precedence of email protection](/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined?view=o365-worldwide) | modified | +| 6/21/2023 | [Get started with Microsoft 365 Copilot](/microsoft-365/admin/copilot/m365-copilot-setup?view=o365-worldwide) | added | +| 6/21/2023 | [Microsoft 365 Copilot Early Access 
Program](/microsoft-365/admin/copilot/m365-early-access-program?view=o365-worldwide) | added | +| 6/21/2023 | [Install Microsoft 365 apps](/microsoft-365/admin/setup/install-applications?view=o365-worldwide) | modified | +| 6/21/2023 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified | +| 6/21/2023 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified | +| 6/22/2023 | [Overview of Loop workspaces storage and permissions](/microsoft-365/loop/loop-workspaces-storage-permission?view=o365-worldwide) | added | +| 6/22/2023 | [Manage device access settings in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/manage-device-access-settings?view=o365-worldwide) | modified | +| 6/22/2023 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-worldwide) | modified | +| 6/22/2023 | [Learn about Microsoft feedback for your organization](/microsoft-365/admin/misc/feedback-user-control?view=o365-worldwide) | modified | +| 6/22/2023 | [Microsoft Bookings Frequently Asked Questions](/microsoft-365/bookings/bookings-faq?view=o365-worldwide) | modified | +| 6/22/2023 | [IdentityInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide) | modified | +| 6/22/2023 | [Impersonation insight](/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight?view=o365-worldwide) | modified | +| 6/22/2023 | [Anti-phishing policies](/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide) | modified | +| 6/22/2023 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide) | modified | +| 6/22/2023 | [Manage Loop components in OneDrive and 
SharePoint](/microsoft-365/loop/loop-components-configuration?view=o365-worldwide) | added | +| 6/22/2023 | [Manage Loop workspaces in Syntex repository services](/microsoft-365/loop/loop-workspaces-configuration?view=o365-worldwide) | added | +| 6/22/2023 | Manage Loop experiences (Loop workspaces and Loop components) in SharePoint | removed | +| 6/22/2023 | [Overview of Loop components in the Microsoft 365 ecosystem](/microsoft-365/loop/loop-components-teams?view=o365-worldwide) | modified | +| 6/22/2023 | [Use network protection to help prevent macOS connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-macos?view=o365-worldwide) | modified | +| 6/22/2023 | [Microsoft Syntex video library](/microsoft-365/syntex/video-library) | modified | +| 6/23/2023 | [Get started with collecting files that match data loss prevention policies from devices (preview)](/microsoft-365/compliance/dlp-copy-matched-items-get-started?view=o365-worldwide) | modified | +| 6/23/2023 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified | +| 6/23/2023 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified | +| 6/23/2023 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified | +| 6/23/2023 | [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide) | modified | +| 6/23/2023 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes?view=o365-worldwide) | modified | +| 6/23/2023 | [Collaborate with 
guests in a team](/microsoft-365/solutions/collaborate-as-team?view=o365-worldwide) | modified | +| 6/23/2023 | [Sensitive information type entity definitions](/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-worldwide) | modified | +| 6/23/2023 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified | +| 6/23/2023 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified | +| 6/23/2023 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) | modified | +| 6/23/2023 | [Backscatter in EOP](/microsoft-365/security/office-365-security/anti-spam-backscatter-about?view=o365-worldwide) | modified | +| 6/23/2023 | [Anti-spam protection](/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide) | modified | +| 6/23/2023 | [End-user notifications for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications?view=o365-worldwide) | modified | +| 6/23/2023 | [Attack simulation training deployment considerations and FAQ](/microsoft-365/security/office-365-security/attack-simulation-training-faq?view=o365-worldwide) | modified | +| 6/23/2023 | [Landing pages in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages?view=o365-worldwide) | modified | +| 6/23/2023 | [EOP queued, deferred, and bounced messages FAQ](/microsoft-365/security/office-365-security/mail-flow-delivery-faq?view=o365-worldwide) | modified | +| 6/23/2023 | [Security Operations Guide for Defender for Office 365](/microsoft-365/security/office-365-security/mdo-sec-ops-guide?view=o365-worldwide) | modified | +| 6/23/2023 | [Message trace in the 
Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/message-trace-scc?view=o365-worldwide) | modified | +| 6/23/2023 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide) | modified | +| 6/23/2023 | [Outbound delivery pools](/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide) | modified | +| 6/23/2023 | [Quarantined messages FAQ](/microsoft-365/security/office-365-security/quarantine-faq?view=o365-worldwide) | modified | +| 6/23/2023 | [View and release quarantined messages from shared mailboxes](/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages?view=o365-worldwide) | modified | +| 6/23/2023 | [Reference Policies, practices, and guidelines](/microsoft-365/security/office-365-security/reference-policies-practices-and-guidelines?view=o365-worldwide) | modified | +| 6/23/2023 | [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide) | modified | +| 6/23/2023 | [Sending mail to Microsoft 365](/microsoft-365/security/office-365-security/sending-mail-to-office-365?view=o365-worldwide) | modified | +| 6/23/2023 | [Services for external organizations sending mail to Microsoft 365](/microsoft-365/security/office-365-security/services-for-non-customers?view=o365-worldwide) | modified | +| 6/23/2023 | [Microsoft Defender for Office 365 trial user guide](/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365?view=o365-worldwide) | modified | +| 6/23/2023 | [Zero-hour auto purge in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide) | modified | ++ ## Week of June 12, 2023 | 5/26/2023 | [Report phishing and suspicious emails 
in Outlook for admins](/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide) | modified | | 5/26/2023 | [Onboard non-persistent virtual desktop infrastructure (VDI) devices](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide) | modified | | 5/26/2023 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified |---## Week of May 15, 2023 ---| Published On |Topic title | Change | -|||--| -| 5/15/2023 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified | -| 5/15/2023 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified | -| 5/15/2023 | [Automatic attack disruption in Microsoft 365 Defender](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified | -| 5/15/2023 | [Configure Microsoft Syntex for pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing) | modified | -| 5/15/2023 | [Top 10 ways to secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified | -| 5/15/2023 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | -| 5/16/2023 | [Permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions?view=o365-worldwide) | modified | -| 5/16/2023 | [Adaptive scopes](/microsoft-365/compliance/purview-adaptive-scopes?view=o365-worldwide) | modified | -| 5/16/2023 | [Preset security 
policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | -| 5/16/2023 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified | -| 5/16/2023 | [Check the device health at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide) | modified | -| 5/16/2023 | [Salesforce connector setup for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors-salesforce?view=o365-worldwide) | added | -| 5/16/2023 | [Zoom connector setup for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors-zoom?view=o365-worldwide) | added | -| 5/16/2023 | [Connectors for Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-connectors?view=o365-worldwide) | added | -| 5/17/2023 | [Custom functions in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-custom-functions?view=o365-worldwide) | added | -| 5/17/2023 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | added | -| 5/17/2023 | [SaaS linked apps](/microsoft-365/admin/manage/saas-linked-apps?view=o365-worldwide) | added | -| 5/17/2023 | [Teams apps that work on Outlook and Microsoft 365](/microsoft-365/admin/manage/teams-apps-work-on-outlook-and-m365?view=o365-worldwide) | added | -| 5/17/2023 | [Teams apps that only work on Teams](/microsoft-365/admin/manage/teams-apps-work-only-on-teams?view=o365-worldwide) | added | -| 5/17/2023 | [Enable admin notifications in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-admin-notifications?view=o365-worldwide) | added | -| 5/17/2023 | [Export insider risk management alert information](/microsoft-365/compliance/insider-risk-management-settings-alerts?view=o365-worldwide) | added | -| 
5/17/2023 | [Enable analytics in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-analytics?view=o365-worldwide) | added | -| 5/17/2023 | [Configure inline alert customization in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-inline-alert-customization?view=o365-worldwide) | added | -| 5/17/2023 | [Configure intelligent detections in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-intelligent-detections?view=o365-worldwide) | added | -| 5/17/2023 | [Configure policy indicators in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-policy-indicators?view=o365-worldwide) | added | -| 5/17/2023 | [Set policy timeframes in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-policy-timeframes?view=o365-worldwide) | added | -| 5/17/2023 | [Automate insider risk management actions with Microsoft Power Automate flows (preview)](/microsoft-365/compliance/insider-risk-management-settings-power-automate?view=o365-worldwide) | added | -| 5/17/2023 | [Identify priority physical assets for insider risk management policies](/microsoft-365/compliance/insider-risk-management-settings-priority-physical-assets?view=o365-worldwide) | added | -| 5/17/2023 | [Prioritize user groups for insider risk management policies](/microsoft-365/compliance/insider-risk-management-settings-priority-user-groups?view=o365-worldwide) | added | -| 5/17/2023 | [Manage username privacy in insider risk management](/microsoft-365/compliance/insider-risk-management-settings-privacy?view=o365-worldwide) | added | -| 5/17/2023 | [Enable Microsoft Teams for collaborating on insider risk management cases](/microsoft-365/compliance/insider-risk-management-settings-teams?view=o365-worldwide) | added | -| 5/17/2023 | [Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 
365](/microsoft-365/security/office-365-security/email-authentication-dmarc-reports?view=o365-worldwide) | added | -| 5/17/2023 | [Learn about insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-worldwide) | modified | -| 5/17/2023 | [Enable controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide) | modified | -| 5/17/2023 | [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) | modified | -| 5/17/2023 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified | -| 5/17/2023 | [Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | -| 5/18/2023 | Allotment basics | removed | -| 5/18/2023 | [Prioritize incidents in Microsoft 365 Defender](/microsoft-365/security/defender/incident-queue?view=o365-worldwide) | modified | -| 5/18/2023 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified | -| 5/18/2023 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified | -| 5/18/2023 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | -| 5/19/2023 | [Remove blocked connectors from the Restricted entities page in Microsoft 365](/microsoft-365/security/office-365-security/connectors-remove-blocked?view=o365-worldwide) | modified | -| 5/19/2023 | [Remove blocked users from the Restricted entities page](/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam?view=o365-worldwide) 
| modified | -| 5/19/2023 | [Responding to a Compromised Email Account](/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide) | modified | -| 5/19/2023 | [Create and deploy a data loss prevention policy](/microsoft-365/compliance/dlp-create-deploy-policy?view=o365-worldwide) | modified | -| 5/19/2023 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-worldwide) | modified | -| 5/19/2023 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-worldwide) | modified | -| 5/19/2023 | [Working with improvement actions in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-improvement-actions?view=o365-worldwide) | modified | -| 5/19/2023 | [Data Loss Prevention policy tips reference](/microsoft-365/compliance/dlp-policy-tips-reference?view=o365-worldwide) | modified | -| 5/19/2023 | [Assign eDiscovery permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/ediscovery-assign-permissions?view=o365-worldwide) | modified | -| 5/19/2023 | [Get started with eDiscovery (Premium)](/microsoft-365/compliance/ediscovery-premium-get-started?view=o365-worldwide) | modified | -| 5/19/2023 | [Get started with eDiscovery (Standard)](/microsoft-365/compliance/ediscovery-standard-get-started?view=o365-worldwide) | modified | |
security | Mdb Roles Permissions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-roles-permissions.md | To perform tasks in the Microsoft 365 Defender portal, such as configuring Defen ## What to do 1. [Learn about roles in Defender for Business](#roles-in-defender-for-business).-2. [View or edit role assignments for your security team](#view-or-edit-role-assignments). +2. [View or edit role assignments for your security team](#view-and-edit-role-assignments). 3. [Proceed to your next steps](#next-steps). The following table describes the three roles that can be assigned in Defender f | **Security administrators** (also referred to as security admins) | Security admins can perform the following tasks: <br/>- View and manage security policies<br/>- View, respond to, and manage alerts <br/>- Take response actions on devices with detected threats<br/>- View security information and reports <br/><br/>In general, security admins use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) to perform security tasks. | | **Security reader** | Security readers can perform the following tasks:<br/>- View a list of onboarded devices<br/>- View security policies<br/>- View alerts and detected threats<br/>- View security information and reports <br/><br/>Security readers cannot add or edit security policies, nor can they onboard devices. | -## View or edit role assignments +## View and edit role assignments ++> [!IMPORTANT] +> Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept *least privilege* for permissions. To learn more, see [Best practices for least-privileged access for applications](/azure/active-directory/develop/secure-least-privileged-access). 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. 2. 
In the navigation pane, choose **Permissions & roles**, and then under **Azure AD**, select **Roles**. -3. Select one of the following roles to open its side pane: +3. Select one of the following roles that are relevant to Defender for Business: - - Global Administrator - - Security Administrator - - Security Reader + - Global administrator + - Security administrator + - Security reader - > [!IMPORTANT] - > Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept *least privilege* for permissions. To learn more, see [Best practices for least-privileged access for applications](/azure/active-directory/develop/secure-least-privileged-access). + A side pane opens and displays information, such as which users are assigned that role. -4. In the side pane, select the **Manage members in Azure AD** link. This action takes you to Azure Active Directory (Azure AD), where you can view and manage your role assignments. +4. In the side pane, select the **Manage members in Azure AD** link. This action takes you to the **Users** view in Azure Active Directory (Azure AD), where you can view and manage your role assignments. -5. Select a user to open their profile, and then choose **Assigned roles**. +5. To add or remove a role, use one of the following procedures: - - To add a role, choose **+ Add assignments**. - - To remove a role, choose **X Remove assignments**. + | Task | Procedure | + ||| + | Add a role to a user account | 1. In the [**Users** view in Azure AD](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers), select a user to open their profile.<br/><br/>2. In the navigation pane, under **Manage**, select **Assigned roles**, and then choose **+ Add assignments**.<br/><br/>3. 
Search for one of the following roles, select it, and then choose **Add** to assign that role to the user account.<br/>- Global Administrator<br/>- Security Administrator<br/>- Security Reader | + | Remove a role from a user account | 1. In the [**Users** view in Azure AD](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers), select a user to open their profile.<br/><br/>2. In navigation pane, under **Manage**, select **Assigned roles**.<br/><br/>3. Select one or more administrative roles, and then select **X Remove assignments**. | ## Next steps |
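Review bot: the new step 5 table still lists the roles as "Global Administrator", "Security Administrator" and "Security Reader", while step 3 in this same change lowercases them to "Global administrator", "Security administrator" and "Security reader". Step 5 tells the reader to search for the role by name, so use whichever casing the portal displays, in both places. The "Remove a role from a user account" row also reads "In navigation pane" where the "Add a role" row has "In the navigation pane".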
security | Trial Playbook Defender Business | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md | Defender for Business was designed to save small and medium-sized businesses tim > [!TIP] > **Using the setup wizard is optional.** If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Step 4: Set up and configure Defender for Business](#step-4-set-up-and-configure-defender-for-business). -1. **[Assign user permissions](mdb-roles-permissions.md#view-or-edit-role-assignments)**. Grant your security team access to the Microsoft 365 Defender portal. +1. **[Assign user permissions](mdb-roles-permissions.md#view-and-edit-role-assignments)**. Grant your security team access to the Microsoft 365 Defender portal. 2. **[Set up email notifications](mdb-email-notifications.md#view-and-edit-email-notifications)** for your security team. If you used the setup wizard but you need to onboard more devices, such as non-W 2. **[Assign roles and permissions](mdb-roles-permissions.md)** in the Microsoft 365 Defender portal. - [Learn about roles in Defender for Business](mdb-roles-permissions.md#roles-in-defender-for-business). - - [View or edit role assignments for your security team](mdb-roles-permissions.md#view-or-edit-role-assignments). + - [View or edit role assignments for your security team](mdb-roles-permissions.md#view-and-edit-role-assignments). 3. **[Set up email notifications](mdb-email-notifications.md)** for your security team. |
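Review bot: in the second hunk the link text still reads "View or edit role assignments for your security team" although its target is now `#view-and-edit-role-assignments`. The heading it points to was renamed to "View and edit role assignments", so the link text should follow the new wording to match what the reader lands on.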
security | Configure Network Connections Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md | Title: Configure and validate Microsoft Defender Antivirus network connections description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service. -keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level ms.localizationpriority: medium After you've enabled the service, you need to configure your network or firewall The table in this section lists services and their associated website addresses (URLs). -Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication. +Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication. (Port 80 is also required for some URLs, as noted in the following table.) 
|Service and description|URL| ||| |Microsoft Defender Antivirus cloud-delivered protection service is referred to as Microsoft Active Protection Service (MAPS).<br/> Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.|`*.wdcp.microsoft.com` <br/>`*.wdcpalt.microsoft.com`<br/>`*.wd.microsoft.com` | |Microsoft Update Service (MU) and Windows Update Service (WU)<br/>These services will allow security intelligence and product updates.|`*.update.microsoft.com`<br/>`*.delivery.mp.microsoft.com`<br/>`*.windowsupdate.com` <br/>`ctldl.windowsupdate.com`<br/><br/>For more information, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update).|-|Security intelligence updates Alternate Download Location (ADL)<br/>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com`<br/>`*.download.windowsupdate.com`<br/>`go.microsoft.com`<br/>`https://www.microsoft.com/security/encyclopedia/adlpackages.aspx` <br/>`https://definitionupdates.microsoft.com/download/DefinitionUpdates/`<br/>`https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| +|Security intelligence updates Alternate Download Location (ADL)<br/>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com`<br/>`*.download.windowsupdate.com` (Port 80 is required)<br/>`go.microsoft.com` (Port 80 is required)<br/>`https://www.microsoft.com/security/encyclopedia/adlpackages.aspx` <br/>`https://definitionupdates.microsoft.com/download/DefinitionUpdates/`<br/>`https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| |Malware submission storage<br/>This is an upload location for files submitted to Microsoft via the Submission form 
or automatic sample submission.|`ussus1eastprod.blob.core.windows.net`<br/>`ussus2eastprod.blob.core.windows.net`<br/>`ussus3eastprod.blob.core.windows.net`<br/>`ussus4eastprod.blob.core.windows.net`<br/>`wsus1eastprod.blob.core.windows.net`<br/>`wsus2eastprod.blob.core.windows.net`<br/>`ussus1westprod.blob.core.windows.net`<br/>`ussus2westprod.blob.core.windows.net`<br/>`ussus3westprod.blob.core.windows.net`<br/>`ussus4westprod.blob.core.windows.net`<br/>`wsus1westprod.blob.core.windows.net`<br/>`wsus2westprod.blob.core.windows.net`<br/>`usseu1northprod.blob.core.windows.net`<br/>`wseu1northprod.blob.core.windows.net`<br/>`usseu1westprod.blob.core.windows.net`<br/>`wseu1westprod.blob.core.windows.net`<br/>`ussuk1southprod.blob.core.windows.net`<br/>`wsuk1southprod.blob.core.windows.net`<br/>`ussuk1westprod.blob.core.windows.net`<br/>`wsuk1westprod.blob.core.windows.net`| |Certificate Revocation List (CRL)<br/>Windows use this list while creating the SSL connection to MAPS for updating the CRL.|`http://www.microsoft.com/pkiops/crl/`<br/>`http://www.microsoft.com/pkiops/certs`<br/>`http://crl.microsoft.com/pki/crl/products`<br/>`http://www.microsoft.com/pki/certs`| |Symbol Store <p>Microsoft Defender Antivirus uses the Symbol Store to restore certain critical files during the remediation flows.|`https://msdl.microsoft.com/download/symbols`| |Universal GDPR Client<br/>Windows use this client to send the client diagnostic data.<br/><br/>Microsoft Defender Antivirus uses General Data Protection Regulation for product quality, and monitoring purposes.|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:<br/>`vortex-win.data.microsoft.com`<br/>`settings-win.data.microsoft.com`| - ## Validate connections between your network and the cloud After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. 
Test the URLs are correctly reporting and receiving information to ensure you're fully protected. A similar message occurs if you're using Internet Explorer: 2. Select **Virus & threat protection**, and then select **Protection history**. -3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. +1. 3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). The Windows event log will also show [Windows Defender client event ID 1116](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/). - > [!TIP] - > If you're looking for Antivirus related information for other platforms, see: - > - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) - > - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - > - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) - > - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) - > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - > - [Configure Defender for Endpoint on Android features](android-configure.md) - > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) -+> [!TIP] +> If you're looking for Antivirus related information for other platforms, see: +> +> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) +> +> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) +> +> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for 
Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) +> +> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) +> +> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) +> +> - [Configure Defender for Endpoint on Android features](android-configure.md) +> +> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) ## See also - [Configure device proxy and Internet connectivity settings for Microsoft Defender for Endpoint](configure-proxy-internet.md) - [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) ++ |
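Review bot: the added line `+1. 3. Under the **Quarantined threats** section` carries a doubled list marker and will render as item 1 with a literal "3." in its text, so it should keep the single `3.` of the line it replaces. The new sentence says port 80 requirements are "noted in the following table", but only two ADL entries get "(Port 80 is required)"; the Certificate Revocation List row lists only `http://` URLs and has no such remark, so either annotate that row too or reword the sentence so that firewall administrators do not read the two marked entries as the complete list.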
security | Configure Real Time Protection Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md | You can use Intune to configure antivirus policies, and then apply those policie ## Are you using Group Policy? > [!IMPORTANT]-> We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. See [Tamper protection: Microsoft Defender Antivirus exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions). +> We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. For more information, see [Protect Microsoft Defender Antivirus exclusions from tampering](prevent-changes-to-security-settings-with-tamper-protection.md#protect-microsoft-defender-antivirus-exclusions). You can use Group Policy to manage some Microsoft Defender Antivirus settings. Note that if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. You can't turn off tamper protection by using Group Policy. |
security | Device Control Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md | Title: Protect your organization's data with device control description: Monitor your organization's data security through device control reports. -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Previously updated : 01/31/2023 Last updated : 06/26/2023 search.appverid: met150 # Device control report -Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives. +Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives. You can use device control events through: ++- **Advanced hunting**; and +- the **Device control report**. ++Select each tab to learn more about these methods. ++## [**Advanced hunting**](#tab/advhunt) -You can use device control events through **Advanced hunting** and **Device control report**. ## Advanced hunting You can use device control events through **Advanced hunting** and **Device cont - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](/microsoft-365/security/defender-business) The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control and Printer Protection. 
To access the Microsoft 365 Defender portal, you must have the following subscription: The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunt - **RemovableStoragePolicyTriggered:** Shows the event triggered by Disk and file system level enforcement for both printer and removable storage when the `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**. - **RemovableStorageFileEvent:** Shows the event triggered by the Evidence file feature for both printer and removable storage when **Options** 8 is configured in **Allow** Entry. -The event will be sent to Advanced hunting or the device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in. +The event is sent to Advanced hunting or the device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in. ```kusto //RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement for both Printer and Removable storage based on your policy DeviceEvents | order by Timestamp desc ``` +## [**Device control report**](#tab/report) ## Device control report **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business](/microsoft-365/security/defender-business) + With the device control report, you can view events that relate to media usage. Such events include: The audit events include: Device control in Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. 
You can find the device control report in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Go to **Reports** > **Endpoints**. Find **Device control** card, and select the link to open the report. -The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days; the raw events under the **View details** show events over the last 30 days. +In the **Reports** dashboard, the **Device protection** card shows the number of audit events generated by media type, over the last 180 days. Under **View details**, raw events over the last 30 days are listed. The **View details** button shows more media usage data in the **Device control report** page. -The page provides a dashboard with aggregated number of events per type and a list of events and shows 500 events per page, but Administrators can scroll down to see more events and can filter on time range, media class name, and device ID. +The page provides a dashboard with aggregated number of events per type and a list of events and shows 500 events per page, but if you're an administrator (such as a global administrator or security administrator), you can scroll down to see more events and can filter on time range, media class name, and device ID. > [!div class="mx-imgBorder"] > :::image type="content" source="images/Detaileddevicecontrolreport.png" alt-text="The Device Control Report Details page in the Microsoft 365 Defender portal" lightbox="images/Detaileddevicecontrolreport.png"::: When you select an event, a flyout appears that shows you more information: > [!div class="mx-imgBorder"] > :::image type="content" source="images/devicecontrolreportfilter.png" alt-text="The Filter On Device Control Report page" lightbox="images/devicecontrolreportfilter.png"::: -To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. 
This includes an embedded, pre-defined query. +To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, predefined query. > [!div class="mx-imgBorder"] > :::image type="content" source="images/Devicecontrolreportquery.png" alt-text="The Query On Device Control Report page" lightbox="images/Devicecontrolreportquery.png"::: To see the security of the device, select the **Open device page** button on the ### Reporting delays There might be a delay of up to six hours from the time a media connection occurs to the time the event is reflected in the card or in the domain list.++> [!NOTE] +> When you export data, such as a list of events, from the device control report to Excel, up to 500 events are exported. However, if your organization is using Microsoft Sentinel, you can integrate Defender for Endpoint with Sentinel so that all incidents and alerts are streamed. For more information, see [Connect data from Microsoft 365 Defender to Microsoft Sentinel](/azure/sentinel/connect-microsoft-365-defender). +> ++ |
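Review bot: In the device-control-report.md change, each new tab heading (`## [**Advanced hunting**](#tab/advhunt)` and `## [**Device control report**](#tab/report)`) sits directly above the retained `## Advanced hunting` and `## Device control report` headings, so every tab opens with a second H2 that repeats its own title; remove or demote the old headings. The Defender for Business bullet is also removed from the Advanced hunting list and added to the Device control report "Applies to" list, so confirm that advanced hunting is meant to lose it rather than the bullet belonging in both lists.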
security | Find Defender Malware Name | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-defender-malware-name.md | Title: Find malware detection names for Microsoft Defender for Endpoint description: How to find the names for the latest malware detections in Defender for Endpoint -keywords: Microsoft malware family names -ms.pagetype: security ms.localizationpriority: medium To find the detection name of a malware family, you'll need to search the intern For example, search for the "Sunburst cyberattack hash". One of the websites returned in the search results should have the hash. In this example, the hash is **a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc**. Then, look up this hash in [Virus Total](https://www.virustotal.com/). -You'll find the Microsoft row detects this malware as **Trojan:MSIL/Solorigate.BR!dha**. Searching in the Microsoft Defender Security Intelligence website, you'll find information specific to that malware, including techincal details and mitigation steps. +You'll find the Microsoft row detects this malware as **Trojan:MSIL/Solorigate.BR!dha**. Searching in the Microsoft Defender Security Intelligence website, you'll find information specific to that malware, including technical details and mitigation steps. |
security | Manage Tamper Protection Configuration Manager | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md | description: Turn tamper protection on or off using tenant attach with Configura keywords: malware, defender, antivirus, tamper protection, Configuration Manager ms.localizationpriority: medium Previously updated : 05/19/2023 Last updated : 06/23/2023 audience: ITPro Using Configuration Manager with tenant attach, you can turn tamper protection o > [!IMPORTANT] > When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-is-tamper-protection) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available: -> - If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. -> - You can use [Intune](manage-tamper-protection-intune.md) or Configuration Manager to exclude devices from tamper protection. +> - If you must make changes to a device and those changes are blocked by tamper protection, use [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. +> - Use [Intune](manage-tamper-protection-intune.md) or Configuration Manager to exclude devices from tamper protection. 
:::image type="content" source="media/tamper-protect-configmgr.png" alt-text="Screenshot showing Windows Security settings with tamper protection enabled."::: Using Configuration Manager with tenant attach, you can turn tamper protection o ## See also +- [Frequently asked questions (FAQs) on tamper protection](faqs-on-tamper-protection.yml) - [Protect macOS security settings with tamper protection](tamperprotection-macos.md) - [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings) - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) |
security | Manage Tamper Protection Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md | Using Intune, you can: ## Requirements for managing tamper protection in Intune -- You must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. (See [Azure Active Directory roles with Intune access](/mem/intune/fundamentals/role-based-access-control#azure-active-directory-roles-with-intune-access).)--- Your organization uses [Intune to manage devices](/mem/intune/fundamentals/manage-devices). (Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)--- Windows devices must be running Windows 10 [version 1709 or later](/lifecycle/announcements/revised-end-of-service-windows-10-1709) or Windows 11. (For more information about releases, see [Windows release information](/windows/release-health/release-information).)--- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or later).--- Devices must be using anti-malware platform version `4.18.1906.3` (or above) and anti-malware engine version `1.1.15500.X` (or later). (See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).)--- Your Intune and Defender for Endpoint tenants must share the same Azure Active Directory infrastructure.--- Your devices must be onboarded to Defender for Endpoint.+| Requirement | Details | +||| +| Roles and permissions | You must have appropriate permissions assigned through roles, such as Global Administrator or Security Administrator. 
See [Azure Active Directory roles with Intune access](/mem/intune/fundamentals/role-based-access-control#azure-active-directory-roles-with-intune-access). | +| Device management | Your organization uses [Intune to manage devices](/mem/intune/fundamentals/manage-devices). | +| Intune licenses | Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses. | +| Operating System | Windows devices must be running Windows 10 [version 1709 or later](/lifecycle/announcements/revised-end-of-service-windows-10-1709) or Windows 11. (For more information about releases, see [Windows release information](/windows/release-health/release-information).) <br/><br/>For Mac, see [Protect macOS security settings with tamper protection](tamperprotection-macos.md). | +| Security intelligence | You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or later). | +| Antimalware platform | Devices must be using antimalware platform version `4.18.1906.3` (or above) and anti-malware engine version `1.1.15500.X` (or later). See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md). | +| Azure Active Directory (Azure AD) | Your Intune and Defender for Endpoint tenants must share the same Azure AD infrastructure. | +| Defender for Endpoint | Your devices must be onboarded to Defender for Endpoint. | > [!NOTE] > If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection shows up as **Not Applicable** until the onboarding process completes. 
Using Intune, you can: If your organization has [exclusions defined for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md), tamper protection protects those exclusions, provided all of the following conditions are met: -- Devices are running Windows Defender platform `4.18.2211.5` or later. (See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions).)--- `DisableLocalAdminMerge` is enabled. (See [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp).)--- Tamper protection is deployed through Intune, and devices are managed in Intune only.--- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)--- Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices. (See [How to determine whether antivirus exclusions are tamper protected on a Windows device](#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device).)+| Condition | Criteria | +||| +| Microsoft Defender platform | Devices are running Microsoft Defender platform `4.18.2211.5` or later. For more information, see [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions). | +| `DisableLocalAdminMerge` setting | Also known as preventing local list merging, `DisableLocalAdminMerge` is enabled so that settings configured on a device are not merged with organization policies, such as settings in Intune. For more information, see [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp). | +| Tamper protection deployment | Tamper protection is deployed through Intune. | +| Device management | Devices are managed in Intune only (not co-managed). 
| +| Antivirus exclusions | Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. For more information, see [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows). <br/><br/>Functionality to protect Microsoft Defender Antivirus exclusions is enabled on devices. For more information, see [How to determine whether antivirus exclusions are tamper protected on a Windows device](#how-to-determine-whether-antivirus-exclusions-are-tamper-protected-on-a-windows-device). | > [!TIP] > For more detailed information about Microsoft Defender Antivirus exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). You can use a registry key to determine whether the functionality to protect Mic ## See also +- [Frequently asked questions (FAQs) on tamper protection](faqs-on-tamper-protection.yml) - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)-- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)+- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration) |
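Review bot: In the new exclusions table of manage-tamper-protection-intune.md, the "Antivirus exclusions" row folds two separate conditions into one cell (exclusions are managed in Intune, and the exclusion-protection functionality is enabled on devices), although the lead-in says all of the listed conditions must be met; give the second condition its own row so it is not read as a detail of the first. In the requirements table, the "Antimalware platform" row mixes "antimalware platform" with "anti-malware engine" in one sentence and also covers the engine version, so use one spelling and name the row for both platform and engine.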
security | Network Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md | The following operating systems are currently supported: - Juniper JUNOS - HPE ArubaOS, Procurve Switch Software - Palo Alto Networks PAN-OS+- Fortinet FortiOS More networking vendors and OS will be added over time, based on data gathered from customer usage. Therefore, you're encouraged to configure all your network devices, even if they're not specified in this list. |
security | Prevent Changes To Security Settings With Tamper Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md | Tamper protection is also available for Mac, although it works a little differen > - [Built-in protection helps guard against ransomware](built-in-protection.md) (article) > - [Tamper protection will be turned on for all enterprise customers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478) (Tech Community blog post) -### Are you using Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809? +### Tamper protection on Windows Server 2012 R2, 2016, or Windows version 1709, 1803, or 1809 If you're using Windows Server 2012 R2 using the modern unified solution, Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled. You can use Microsoft Intune and other methods to configure or manage tamper pro | Method | What you can do | |:|:|-| Use the [Microsoft 365 Defender portal](https://security.microsoft.com). | Turn tamper protection on (or off), tenant wide. This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach. <br/><br/>See [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). | -| Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). | Turn tamper protection on (or off), tenant wide, for some or all devices. 
Using this method, you can also [tamper protect antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions) that are defined for Microsoft Defender Antivirus. <br/><br/>See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md). | -| Use [Configuration Manager](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won't override settings managed in Intune. <br/><br/>See [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). | -| Use the [Windows Security app](manage-tamper-protection-individual-device.md). | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. <br/><br/>See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). | +| Use the [Microsoft 365 Defender portal](https://security.microsoft.com). | Turn tamper protection on (or off), tenant wide. See [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). <br/><br/>*This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach.* | +| Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. 
See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md).<br/><br/>Protect Microsoft Defender Antivirus exclusions from tampering. See [Tamper protection for antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions). | +| Use [Configuration Manager with tenant attach](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. see [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). | +| Use the [Windows Security app](manage-tamper-protection-individual-device.md). | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md).<br/><br/>*This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations.* | > [!TIP]-> If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. +> If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. 
If you must make changes to a device and those changes are blocked by tamper protection, use [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. After troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state. -## What about exclusions? +## Protect Microsoft Defender Antivirus exclusions -Under certain conditions, tamper protection can now protect antivirus exclusions that are defined for Microsoft Defender Antivirus. For more information, see [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions). +Under certain conditions, tamper protection can protect exclusions that are defined for Microsoft Defender Antivirus. For more information, see [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions). ## View information about tampering attempts To learn more about Microsoft Defender Vulnerability Management, see [Dashboard - [Protect macOS security settings with tamper protection](tamperprotection-macos.md) - [Built-in protection helps guard against ransomware](built-in-protection.md) - [Frequently asked questions on tamper protection](faqs-on-tamper-protection.yml)-- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)-- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration) |
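Review bot: In the methods table of prevent-changes-to-security-settings-with-tamper-protection.md, the rewritten Configuration Manager row no longer carries the "This method won't override settings managed in Intune" caveat that the old row had, while the Defender portal and Windows Security rows keep theirs in italics; if the precedence behaviour has not changed, restore it in the same italic form. The same row starts a sentence with lowercase "see [Manage tamper protection ...", and its scope wording ("tenant wide, or apply tamper protection to some users/devices") matches the Intune row where the old text said "for some or all devices", so check that "tenant wide" is accurate for this method.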
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | For more information on Microsoft Defender for Endpoint on specific operating sy ## January 2023 -- [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) can now protect exclusions when deployed with Microsoft Intune. See [What about exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions)?+- [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) can now protect exclusions when deployed with Microsoft Intune. See [Protect Microsoft Defender Antivirus exclusions from tampering](prevent-changes-to-security-settings-with-tamper-protection.md#protect-microsoft-defender-antivirus-exclusions) - Live Response is now generally available for macOS and Linux. For more information, see, [Investigate entities on devices using live response](live-response.md). |
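Review bot: In whats-new-in-microsoft-defender-endpoint.md, the replacement bullet's link text, "Protect Microsoft Defender Antivirus exclusions from tampering", does not match the renamed heading that its anchor `#protect-microsoft-defender-antivirus-exclusions` points to ("Protect Microsoft Defender Antivirus exclusions"), and the sentence now ends without punctuation after the link; align the link text with the heading and add a period.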
security | Microsoft 365 Security Center Mdi | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdi.md | -Microsoft Defender for Identity is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. +Microsoft Defender for Identity is now part of Microsoft 365 Defender, the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location, which simplifies workflows and integrating functionality from other Microsoft 365 Defender services. Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that Microsoft 365 Defender presents. This information is key to providing context and correlating alerts from the other products within Microsoft 365 Defender. Microsoft Defender for Identity contributes identity focused information into th [Microsoft 365 Defender](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats, and now includes all functionality provided in the [classic Defender for Identity portal](/defender-for-identity/classic-workspace-portal). -While they may not be in exactly same pages, much of your data is integrated into Microsoft 365 Defender pages so that you can view your data across all of your monitored entities. 
+While data placement might differ from the classic Defender for Identity portal, your data is now integrated into Microsoft 365 Defender pages so that you can view your data across all of your monitored entities. The following sections describe enhanced Defender for Identity features found in Microsoft 365 Defender. The following sections describe enhanced Defender for Identity features found in |Area |Description | |||-|**Global exclusions** | In Microsoft 365 Defender, use alert tuning to define global exclusions that can apply to all Defender for Identity security alerts, instead of having to configure the exclusion in each, individual detection exclusion. <br><br> For more information, see [Global excluded entities](/defender-for-identity/exclusions). | -|**Manage action and directory service accounts** | By default, Microsoft 365 Defender is configured to use the *local system*. Therefore, you'll only need to configure action and directory service account settings if you want a specific user account to perform the user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). | -|**Remove a learning period** | Some Defender for Identity alerts rely on learning periods to build a profile of patterns, and then distinguish between legitimate and suspicious activities. <br><br>Microsoft 365 Defender supports an advanced setting to control whether to see alerts during the learning period before that profile is fully built. Changing this setting results in an increased number of alerts, with some of them being for legitimate traffic and activities. <br><br>For more information see [Remove the learning period for alerts](/defender-for-identity/advanced-settings). | +|**Global exclusions** | Global exclusions allow you to define certain entities, such as IP addresses, devices, or domains, to be excluded across all Defender for Identity detections. 
For example, if you only exclude a device, the exclusion applies only to detections that have a *device* identification as part of the detection. <br><br> For more information, see [Global excluded entities](/defender-for-identity/exclusions). | +|**Manage action and directory service accounts** | You might want to respond to compromised users by disabling their accounts or resetting their password. When you take either of these actions, Microsoft 365 Defender is configured by default to use the *local system* account. Therefore, you'll only need to configure action and directory service account settings if you want to have more control, and define a different user account to perform user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). | |**Custom permission roles** | Microsoft 365 Defender supports custom permission roles. <br><br>For more information, see [Microsoft 365 Defender role-based access control (RBAC)](manage-rbac.md) |-|**Microsoft Secure Score** | All security posture management assessments that were previously available from Microsoft Defender for Cloud Apps are now available in [Microsoft Secure Score](https://security.microsoft.com/securescore), in Microsoft 365 Defender. <br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). | +|**Microsoft Secure Score** | Defender for Identity security posture assessments are available in [Microsoft Secure Score](https://security.microsoft.com/securescore). Each assessment is a downloadable report with instructions for use and tools to build an action plan for remediating or resolving the issue. Filter Microsoft Secure Score by **Identity** to view Defender for Identity assessments. 
<br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). | |**API** | Use any of the following Microsoft 365 Defender APIs with Defender for Identity: <br><br>- [Query activities via API](api-advanced-hunting.md) <br>- [Manage security alerts via API](api-incident.md) <br>- [Stream security alerts and activities to Microsoft Sentinel](streaming-api.md)<br><br>**Tip**: Microsoft 365 Defender only stores advanced hunting data for 30 days. If you need longer retention periods, stream the activities to Microsoft Sentinel or another partner security information and event management (SIEM) system. |-| **Onboarding** | Defender for Identity onboarding is now automatic for new customers, with no need to configure a workspace. <br><br>If you need to delete your instance, do so together with Microsoft support. | +| **Onboarding** | Defender for Identity onboarding is now automatic for new customers, with no need to configure a workspace. <br><br>If you need to delete your instance, open a Microsoft support case. | ### Investigation |Area |Description | |||-|**Identity page** | The Microsoft 365 Defender identity details page provides data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices and groups. <br><br>For more information, see [Investigate users in Microsoft 365 Defender](investigate-users.md). | +|**Identity page** | The Microsoft 365 Defender identity details page provides inclusive data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices and groups. 
<br><br><!--The identity page contains more inclusive view from the different available products. <br>-->For more information, see [Investigate users in Microsoft 365 Defender](investigate-users.md). | |**Device page** | Microsoft 365 Defender alert evidence lists all devices and users connected to each suspicious activity. Investigate further by selecting a specific device in an alert to access a device details page. <br><br>For more information, see [Investigate devices in the Microsoft Defender for Endpoint Devices list](../defender-endpoint/investigate-machines.md). | |**Advanced hunting** | Microsoft 365 Defender helps you proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. <br><br>Build custom detection rules from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. <br><br>For more information, see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](advanced-hunting-overview.md). | |**Global search** | Using the search bar at the top of the Microsoft 365 Defender page to search for any entity being monitored by Microsoft 365 Defender, including identities, endpoints, Office 365 data, and more. <br><br>Select results directly from the search drop-down, or select **All users** or **All devices** to see all entities associated with a given search term. | The following sections describe enhanced Defender for Identity features found in |Area |Description | ||| | **Alert and incident correlation** | Defender for Identity alerts are now included in Microsoft 365 Defender's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. 
<br><br>For more information, see [Investigate Defender for Identity alerts in Microsoft 365 Defender](/defender-for-identity/manage-security-alerts). |-| **Alert exclusions and tuning** | Microsoft 365 Defender's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft 365 Defender](/defender-for-identity/exclusions).| +| **Alert exclusions** | Microsoft 365 Defender's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft 365 Defender](/defender-for-identity/exclusions).| +| **Alert tuning** | Alert tuning, previously known as *alert suppression*, allows you to adjust and optimize your alerts. Alert tuning reduces false positives, allowing your SOC teams to focus on high-priority alerts, and improves threat detection coverage across your system.<br><br> In Microsoft 365 Defender, create rule conditions based on evidence types, and then apply your rule on any rule type that matches your conditions. For more information, see [Tune an alert](investigate-alerts.md#tune-an-alert).| | **Remediation actions** | Defender for Identity remediation actions, such as disabling accounts or requiring password resets, are available from the Microsoft 365 Defender user details page. <br><br>For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions). |
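Review bot: In microsoft-365-security-center-mdi.md, the Identity page row adds a commented-out sentence inside the table cell (`<!--The identity page contains more inclusive view from the different available products. <br>-->`); remove it before merging instead of leaving dead text in the source, and reconsider "inclusive data" in the same cell, which reads as a leftover of that sentence. In the intro, "which simplifies workflows and integrating functionality" is not parallel; "simplifies workflows and integrates functionality" fixes it. The "Remove a learning period" row is deleted with nothing replacing it, so confirm that dropping it is intended or that the setting is covered elsewhere.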