Updates from: 06/29/2021 03:28:10
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing | |Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
-|Message center reader | Assign the Reports reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Azure AD services, such as users and groups|
-|Power Platform admin | Assign the Reports reader role to users who need to do the following: <br> - Manage all admin features for Power Apps, Power Automate, and data loss prevention <br> - Create and manage service requests <br> - Monitor service health |
+|Message center reader | Assign the Message center reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Azure AD services, such as users and groups|
+|Power Platform admin | Assign the Power Platform admin role to users who need to do the following: <br> - Manage all admin features for Power Apps, Power Automate, and data loss prevention <br> - Create and manage service requests <br> - Monitor service health |
|Reports reader | Assign the Reports reader role to users who need to do the following: <br> - View usage data and the activity reports in the Microsoft 365 admin center <br> - Get access to the Power BI adoption content pack <br> - Get access to sign-in reports and activity in Azure AD <br> - View data returned by Microsoft Graph reporting API| |Service Support admin | Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health | |SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. <br><br>SharePoint admins can also: <br> - Create and delete sites <br> - Manage site collections and global SharePoint settings |
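Review bot: The corrected lead sentences in the Message center reader and Power Platform admin rows fix a copy-paste error that left three rows of this table (those two plus Reports reader itself) all instructing readers to "Assign the Reports reader role"; an admin following the old text would have granted Reports reader where a narrower role was meant. One wording point remains in the Power Platform admin row: "Manage all admin features for Power Apps, Power Automate, and data loss prevention" buries DLP policy control in a bullet list, and since this table exists to help readers pick the least role needed, the DLP scope deserves to be called out explicitly.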
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
For more information about how long it takes to get someone out of email, see [W
If you have email as part of your Microsoft 365 subscription, sign in to the Exchange admin center and follow these steps to block your former employee from accessing their email.
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+1. Go to the <a href="https://admin.exchange.microsoft.com/" target="_blank">Exchange admin center</a>.
2. In the Exchange admin center, navigate to **Recipients** \> **Mailboxes**.
-3. Double-click the user and go to the **Mailbox features** page. Under **Mobile Devices**, select **Disable Exchange ActiveSync** and **Disable OWA for Devices,** and answer **Yes** to both when prompted.
-4. Under **Email Connectivity**, select **Disable** and answer **Yes** when prompted.
+3. Double-click the user and go to **Manage email apps settings** under **Email apps**. Turn **Off** the slider for all the options; **Mobile (Exchange ActiveSync)**, **Outlook on the web**, **Outlook desktop (MAPI)**, **Exchange web services**, **POP3**, and **IMAP**.
+4. Select **Save**.
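Review bot: In the new step 3, the semicolon after "Turn **Off** the slider for all the options" should be a colon, since what follows is the list of options. The new steps replace two disable actions with six protocol toggles plus an explicit Save, which matches the block-access goal better than the removed text, but the context line above already says that getting someone out of email takes time; a sentence after step 4 noting that the toggles do not take effect instantly, with a pointer to that article, would stop readers from treating Save as the end of the procedure.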
admin Remove Former Employee Step 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-2.md
Once you've blocked a user from being able to log into your organization you can
**OR**
-2. Add the former employee's email address to your version of Outlook web app, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 6 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md).
+2. Add the former employee's email address to your version of Outlook on Desktop, and then export the data to a .pst file. You can import the data to another email account as needed. Check out [Step 6 - Give another employee access to OneDrive and Outlook data](remove-former-employee-step-6.md).
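Review bot: "Outlook on Desktop" is non-standard casing; Step 1 of this same series uses "Outlook on the web" and "Outlook desktop (MAPI)", so "Outlook desktop" would be consistent. The step also tells the reader to add the former employee's address to Outlook before it points to Step 6, which is where access to that mailbox is granted; since Step 1 blocked sign-in, the access grant is a prerequisite and belongs before the export instruction rather than in a trailing "Check out" link.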
admin Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/frequently-asked-questions.md
- Title: "Basic Mobility and Security frequently-asked questions (FAQ)"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- Adm_O365-- Adm_TOC--- AdminSurgePortfolio-- MET150
-description: "Frequently-asked questions about Basic Mobility and Security."
--
-# Basic Mobility and Security frequently-asked questions (FAQ)
-
-This article contains frequently asked questions about Basic Mobility and Security, a feature that helps you manage and secure mobile devices in Microsoft 365. If you can't find an answer to your question, let us know by leaving a comment on the page so we can consider adding your question to this article.
-
-## How can I get Basic Mobility and Security? I don't see it in the Microsoft 365 admin center
-
-1. Activate Basic Mobility and Security by going to the [Office 365 Security & Compliance](https://protection.office.com/) page.
-
-2. Go to Data loss prevention > Device management.
-
-## How can I get started with device management in Basic Mobility and Security?
-
-There are four steps to getting started with Basic Mobility and Security:
-
-1. Activate Basic Mobility and Security by going to the [Office 365 Security & Compliance](https://protection.office.com/).
-
-2. Go to Data loss prevention > Device management > Device policies.
-
-3. Create device management policies, and apply them to groups of users that are set up in security groups. We recommend that you start by deploying the policies to a small test group. For more info, see [Create device security policies in Basic Mobility and Security](create-device-security-policies.md).
-
-4. Users who have had a policy applied to them are prompted to enroll their devices when they try to access Microsoft 365 data. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md).
-
-For more details, see [Set up Basic Mobility and Security](set-up.md).
-
-## IΓÇÖm trying to set up Basic Mobility and Security but it seems stuck. The Microsoft 365 Service Health has been showing ΓÇ£provisioningΓÇ¥ for a while. What can I do?
-
-It may take some time to get the service ready for you. When provisioning is complete, you'll see the Basic Mobility and Security page. If you've waited 24 hours and the status is still provisioning, please contact Support and we'll help figure out what the issue is.
-
-## What can I do if device enrollment fails?
-
-If you're having trouble getting a device enrolled, first check the following:
--- Make sure that the device isn't already enrolled with another mobile device management provider, such as Intune.--- Make sure that the device is set to the correct date and time.--- Switch to a different WIFI or cellular network on the device.--- For Android or iOS devices, uninstall and reinstall the Intune Company Portal app on the device.
-
-If enrollment still isn't working, see [Troubleshoot Basic Mobility and Security](troubleshoot.md).
-
-## What's the difference between Intune and Basic Mobility and Security?
-
-Basic Mobility and Security is hosted by the Intune service. It is a subset of Intune services provided as an added benefit to Microsoft 365 and is a built-in cloud-based solution for managing devices in your organization. For a side-by-side comparison of the two services to help you decide if using Intune or Basic Mobility and Security for Microsoft 365 is the best fit for you, see [Choose between Basic Mobility Security and Intune](choose-between-basic-mobility-and-security-and-intune.md).
-
-## How do policies work for Basic Mobility and Security? How do I set them up? Disable them?
-
-After you complete initial setup for Basic Mobility and Security, you create policies and apply them to groups of users in the Security & Compliance Center. Policies require users of the policies to enroll their devices in Basic Mobility and Security before the device can be used to access Microsoft 365 data. The policies that you set up determine settings for mobile devices, for example, how often passwords must be reset or whether data encryption is required. For more information, see [Create device security policies in Basic Mobility and Security](create-device-security-policies.md) and [Microsoft 365 compliance center](../../compliance/microsoft-365-compliance-center.md).
-
-For step-by-step instructions for creating and deploying device policies, see [Create device security policies in Basic Mobility and Security](create-device-security-policies.md).
-
-If you want to exclude a specific group of users from being affected by policies, you can add a group to the exclusion group.
-
-## Can I switch from Exchange ActiveSync device management to Basic Mobility and Security for Microsoft 365?
-
-If you’re already using Exchange ActiveSync policies to manage mobile devices, you can start using Basic Mobility and Security by following the steps to set up Basic Mobility and Security. For more information, see [Protect user and device access](../../compliance/protect-access-to-data-and-services.md) and [Set up Basic Mobility and Security](set-up.md).
-
-When you apply the policies that you create in Basic Mobility and Security to groups of users, these policies override Exchange ActiveSync mobile device mailbox policies and device access rules that youΓÇÖve previously created in the Exchange admin center for those users.
-
-After a device is enrolled in Basic Mobility and Security, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is ignored.
-
-## I set up Basic Mobility and Security but now I want to remove it. What are the steps?
-
-Unfortunately, you can't simply "unprovision" Basic Mobility and Security after you've set it up. But you can remove it for groups of users by removing user security groups from the device policies you've created. Or, you can disable it for everyone by removing the device policies so they aren't in place and aren't enforced. For more info, see [Turn off Basic Mobility and Security](turn-off.md).
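Review bot: This hunk deletes the entire Markdown FAQ with nothing added in its place; the set-up.md change in this same update retargets its FAQ link from frequently-asked-questions.md to frequently-asked-questions.yml, so the content appears to have moved to YAML rather than been dropped. Two things to carry into the migration: the removed headings "IΓÇÖm trying to set up..." and "ΓÇ£provisioningΓÇ¥", and "youΓÇÖve previously created" in the ActiveSync section, contain mis-encoded quotes that should not be copied over, and the checklist under "What can I do if device enrollment fails?" had its four bullets run together with "---" separators, so confirm it renders as a list in the new format. Any other page still linking to the .md path will break.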
admin Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/set-up.md
description: "Set up Basic Mobility and Security to secure and manage your users
The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.
-Have questions? For a FAQ to help address common questions, see [Basic Mobility and Security Frequently-asked questions (FAQ)](frequently-asked-questions.md). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see [Partners: Offer delegated administration](https://support.microsoft.com/office/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e). 
+Have questions? For a FAQ to help address common questions, see [Basic Mobility and Security Frequently-asked questions (FAQ)](frequently-asked-questions.yml). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see [Partners: Offer delegated administration](https://support.microsoft.com/office/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e). 
Device management is part of the Security & Compliance Center so you'll need to go there to kick off Basic Mobility and Security setup.
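Review bot: The link retarget to frequently-asked-questions.yml is consistent with the removal of the .md FAQ elsewhere in this update; both the removed and the added line end with a trailing space that should be trimmed.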
business-video Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/safe-links.md
Microsoft Defender for Office 365 , formerly called Microsoft 365 ATP, or Advanc
## Try it! 1. Go to the [admin center](https://admin.microsoft.com), and select **Setup**.
-1. Scroll down to **Increase protection from advanced threats**. Select **View**, **Manage**,and then **ATP Safe Links**.
-1. Under **Policies that apply to the entire organization**, choose the **Default** policy, and then select the **Edit** icon.
-1. Enter a URL that you want to block.
-1. Select **Use safe links in Office apps, Office for iOS and Android**; select **Do not track when users click safe links**; and select **Do not let users click through safe links to original URL**. These might already be selected if you set up the default policy. Select **Save**.
-1. Under **Policies that apply to specific recipients**, choose **Recommended safe links rule**, and then select the **Edit** icon.
-1. Select **settings**, scroll down, enter the URL that you do not want to be checked, and then select the **Add** icon.
-1. Select **applied to**, and then select your domain name. Select any additional domains that you want the rule applied to. Select **add**, **OK**, and then **Save**.
+2. Scroll down to **Increase protection from advanced threats**. Select **Manage**,and then **Safe Links**.
+3. Select **Global Settings** and in **Block the following URLs**, enter the URL that you want to block.
+4. Select **Use Safe Links in Office 365 app**, select **Do not track when users click protected links in Office 365 apps**, and select **Do not let users click through to the original URL in Office 365 apps**. These might already be selected if you set up the default policy. Select **Save**.
-ATP Safe Links are now configured. Allow up to 30 minutes for your changes to take effect.
+Safe Links are now configured. Allow up to 30 minutes for your changes to take effect.
-When a user receives an email with links, the links will be scanned. If the links are deemed safe, they'll be clickable. However, if the link is on the blocked list, users will see a message that it's been blocked.
+When a user receives an email with links, the links will be scanned. If the links are deemed safe, they'll be clickable. However, if the link is on the blocked list, users will see a message that it's been blocked.
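Review bot: In the new step 2, "**Manage**,and then" is missing the space after the comma, a defect carried over from the line it replaces. More substantively, the revised Try it! now stops after Global Settings and Save: the removed steps 5 to 7 covered the recipient-scoped rule, the URLs excluded from checking, and the "applied to" domain selection, so the new text no longer says which recipients the block list and the three Office 365 app options apply to. If Global Settings are organization-wide, say so in step 3; if a recipient policy is still required, a replacement step is missing. The final paragraph change appears to be whitespace only.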
campaigns Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/index.md
ms.assetid: 5abfef7b-5957-484a-b06b-a7c55e013e44
description: "Microsoft 365 Business Premium security and collaboration recommendations for smaller businesses, including smaller firms, practices, and political campaigns."
-Microsoft 365 for smaller businesses and campaigns
-===========================
+# Microsoft 365 for smaller businesses and campaigns
If you have Microsoft 365 Business Premium, the guidance in this library is the quickest way to setup security and begin collaborating safely. In our current world, keeping data and communications secure is a priority, particularly for medical and legal practices, political campaigns, and many other smaller businesses. This solution provides a set of recommendations designed to help protect you and your data. This library includes help for setting up and using this recommended environment, no matter your business type.
-![Microsoft 365 Business Premium protects your productivity tools, collaboration tools, file storage, email, devices, and identity](../media/M365-WhatIsIt-SecurityFocus.png)
+![Microsoft 365 Business Premium protects your productivity tools, collaboration tools, file storage, email, devices, and identity](../media/M365-WhatIsIt-SecurityFocus.png#lightbox)
This configuration includes the following guidance for productivity, collaboration, file storage, email, devices, and identity to protect your business:
This configuration includes the following guidance for productivity, collaborati
|Storing and sharing files securely | Share files and videos from Microsoft Teams, OneDrive, SharePoint, and Microsoft Stream, and protect sensitive data.| [Share files and videos](share-files-and-videos.md) | |Managed Windows 10 devices |Use managed devices for key staff and secure these devices. | [Set up managed devices](../business/set-up-windows-devices.md?toc=/microsoft-365/campaigns/toc.json) |
-A recommended security configuration for Microsoft 365 Business Premium
-
+## A recommended security configuration for Microsoft 365 Business Premium
This recommended secure configuration for Microsoft 365 Business Premium lets you:
This library includes the following:
For more information about what's included, see [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business).
-Get started
+## Get started
Follow these steps to get started:
Follow these steps to get started:
- For any business: [Learn how your users will work with Microsoft 365](m365-campaigns-users.md) - For any business: [Set up Microsoft 365](microsoft-365-campaigns-setup-overview.md)
-Solutions for your business
+## Solutions for your business
After you set up your secure Microsoft 365 environment, you can use the following solutions to get working:
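Review bot: The setext-to-ATX heading conversion and the #lightbox anchor on the image are fine. A small wording fix remains in the context line right after the title: "the quickest way to setup security" should read "set up security" (verb, two words).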
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Use the following table to help you identify the differences in behavior for the
|Restrict by location|No |Yes | |Conditions: Trainable classifiers|Yes |No | |Conditions: Sharing options and additional options for email|No |Yes |
+|Conditions: Exceptions|No |Yes (email only) |
|Recommendations, policy tooltip, and user overrides|Yes |No | |Simulation mode|No |Yes | |Exchange attachments checked for conditions|No | Yes|
Finally, you can use simulation mode to provide an approximation of the time nee
- Attachment is password protected - Any email attachment's content could not be scanned - Any email attachment's content didn't complete scanning-
+ - Header matches patterns
+ - Subject matches patterns
+ - Recipient address contains words
+ - Recipient address matches patterns
+ - Sender address matches patterns
+ - Sender domain is
+ - Recipient is a member of
+ - Sender is
+
+ For each of these conditions, you can then specify exceptions.
+
8. Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions. The configuration options for sensitive information types are the same as those you select for auto-labeling for Office apps. If you need more information, see [Configuring sensitive info types for a label](#configuring-sensitive-info-types-for-a-label).
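Review bot: The new table row "Conditions: Exceptions | No | Yes (email only)" and the new sentence "For each of these conditions, you can then specify exceptions" agree with each other, but "each of these conditions" is ambiguous: it could mean only the eight header, subject, sender and recipient conditions just added, or the whole email condition list including the attachment conditions above them. Because exceptions narrow what a label policy matches, state exactly which conditions accept them. Also, the context line "Any email attachment's content didn't complete scanning-" ends with a stray hyphen.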
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
### Retention policy for Yammer locations > [!NOTE]
-> Retention policies for Yammer are in preview.
+> Retention policies for Yammer are in preview and currently do not inform users when messages are deleted as a result of a retention policy.
> > To use this feature, your Yammer network must be [Native Mode](/yammer/configure-your-yammer-network/overview-native-mode), not Hybrid Mode.
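Review bot: The added clause "currently do not inform users when messages are deleted as a result of a retention policy" is behaviour admins need before deploying, and it now sits inside the preview NOTE. Preview labels tend to be removed wholesale when a feature ships; give the notification behaviour its own sentence or note so it is re-checked on its own rather than disappearing with the preview wording.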
compliance How Dlp Works Between Admin Centers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/how-dlp-works-between-admin-centers.md
If you've created DLP policies in the Exchange admin center, those policies will
This means that: - Messages that are blocked by Exchange mail flow rules won't get scanned by DLP rules created in the Security & Compliance Center.+
+- Messages that are quarantined by Exchange mail flow rules or any other filters run before DLP will not be scanned by DLP
- If an Exchange mail flow rule modifies a message in a way that causes it to match a DLP policy in the Security & Compliance Center - such as adding external users - then the DLP rules will detect this and enforce the policy as needed.
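Review bot: The new bullet has no terminating period, unlike the bullets around it. On substance, stating that messages quarantined by mail flow rules or other earlier filters are not DLP-scanned is useful, but it leaves open what happens when such a message is later released from quarantine; readers building DLP reports or incident workflows need to know whether the released message is then evaluated against the Security & Compliance Center policies.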
contentunderstanding Rest Applymodel Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rest-api/rest-applymodel-method.md
None
| Name | Required | Type | Description | |--|-|--|| |__metadata|yes|string|Set the object meta on the SPO. Always use the value: {"type": "Microsoft.Office.Server.ContentCenter.SPMachineLearningPublicationsEntityData"}.|
-|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifices the model and target document library.|
+|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifies the model and target document library.|
### MachineLearningPublicationEntityData | Name | Required | Type | Description |
None
| Name | Type | Description| |--|-||
-|201 Created||This a customized API to support applying a model to multi document libraries. In the case of failing, 201 created could still be returned and the caller needs to inspect the response body to understand if the model has been successfully applied to the doc lib.|
+|201 Created||This is a customized API to support applying a model to multi document libraries. In the case of partial success, 201 created could still be returned and the caller needs to inspect the response body to understand if the model has been successfully applied to a document library.|
## Response Body | Name | Type | Description| |--|-||
-|TotalSuccesses|int|The total number of a model being sucessfully applied to a document library.|
+|TotalSuccesses|int|The total number of a model being successfully applied to a document library.|
|TotalFailures|int|The total number of a model failing to be applied to a document library.|
-|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specififies the detailed result of applying the model to the document library.|
+|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specifies the detailed result of applying the model to the document library.|
### MachineLearningPublicationResult | Name | Type | Description| |--|-||
-|StatusCode|int|The status code|
+|StatusCode|int|The HTTP status code.|
|ErrorMessage|string|The error message which tells what's wrong when apply the model to the document library.| |Publication|MachineLearningPublicationEntityData|It specifies the model info and the target document library.|
In this sample, the ID of the Contoso Contract document understanding model is `
In the response, TotalFailures and TotalSuccesses refers to the number of failures and successes of the model being applies to the specified libraries.
-**Status code:** 200
+**Status code:** 201
```JSON {
In the response, TotalFailures and TotalSuccesses refers to the number of failur
"TargetLibraryServerRelativeUrl": "/sites/repository/contracts", "ViewOption": "NewViewAsDefault" },
- "StatusCode": 200
+ "StatusCode": 201
} ], "TotalFailures": 0,
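Review bot: The status code correction to 201 makes the prose match the sample body's "StatusCode": 201. Two grammar fixes remain in the context lines: "The error message which tells what's wrong when apply the model" should be "when applying the model", and "TotalFailures and TotalSuccesses refers to the number of failures and successes of the model being applies" should be "refer to ... being applied". The 201 Created row now says callers must inspect the body on partial success; since the body documents TotalFailures and Details, say directly that a non-zero TotalFailures means Details must be checked for the failing libraries.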
contentunderstanding Rest Batchdelete Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rest-api/rest-batchdelete-method.md
None
| Name | Required | Type | Description | |--|-|--||
-|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifices the model and target document library.|
+|Publications|yes|MachineLearningPublicationEntityData[]|The collection of MachineLearningPublicationEntityData each of which specifies the model and target document library.|
### MachineLearningPublicationEntityData | Name | Required | Type | Description |
None
| Name | Type | Description| |--|-||
-|200 OK||This a customized API to support removing a model from multi document libraries. In the case of failing, 200 OK could still be returned and the caller needs to inspect the response body to understand if the model has been successfully removed from the doc lib.|
+|200 OK||This is a customized API to support removing a model from multi document libraries. In the case of partial success, 200 OK could still be returned and the caller needs to inspect the response body to understand if the model has been successfully removed from a document library.|
## Response Body | Name | Type | Description| |--|-||
-|TotalSuccesses|int|The total number of a model being sucessfully remvoed from a document library.|
+|TotalSuccesses|int|The total number of a model being successfully removed from a document library.|
|TotalFailures|int|The total number of a model failing to be removed from a document library.|
-|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specififies the detailed result of removing the model from the document library.|
+|Details|MachineLearningPublicationResult[]|The collection of MachineLearningPublicationResult each of which specifies the detailed result of removing the model from a document library.|
### MachineLearningPublicationResult | Name | Type | Description| |--|-||
-|StatusCode|int|The status code|
+|StatusCode|int|The HTTP status code.|
|ErrorMessage|string|The error message which tells what's wrong when apply the model to the document library.| |Publication|MachineLearningPublicationEntityData|It specifies the model info and the target document library.|
In this sample, the ID of the Contoso Contract document understanding model is `
#### Sample response
-In the response, TotalFailures and TotalSuccesses refer to the number of failures and successes of the mdoel being removed from the specified libraries.
+In the response, TotalFailures and TotalSuccesses refer to the number of failures and successes of the model being removed from the specified libraries.
**Status code:** 200
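Review bot: The ErrorMessage row still reads "what's wrong when apply the model to the document library", which is copied from the applymodel page; for this batchdelete API it should say "when removing the model from the document library", and "when apply" is ungrammatical in either case. The other wording fixes in the hunk (specifies, successfully, removed, "partial success") are correct.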
contentunderstanding Rest Getbytitle Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rest-api/rest-getbytitle-method.md
GET /_api/machinelearning/models/getbytitle('Contoso Contract') HTTP/1.1
#### Sample response
-**Status code:** 204
+**Status code:** 200
```HTTP {
In this sample, the name of the Contoso Contract document understanding model is
##### Sample request ```HTTP
-DELETE /_api/machinelearning/models/getbytitle('{Contoso Contract') HTTP/1.1
+DELETE /_api/machinelearning/models/getbytitle('Contoso Contract') HTTP/1.1
``` ## See also
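Review bot: Changing the GET sample's status from 204 to 200 is right, since 204 means no content and a response body follows. The DELETE sample fix removes the stray "{" that turned the title "Contoso Contract" into "{Contoso Contract"; the getbyuniqueid page in this same update fixes a matching quote-and-brace problem, so the other REST sample pages should be checked for the same pattern.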
contentunderstanding Rest Getbyuniqueid Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rest-api/rest-getbyuniqueid-method.md
In this sample, the ID of the Contoso Contract document understanding model is `
#### Sample request ```HTTP
-DELETE /_api/machinelearning/models/getbyuniqueid(ΓÇÿ{7645e69d-21fb-4a24-a17a-9bdfa7cb63dc}') HTTP/1.1
+DELETE /_api/machinelearning/models/getbyuniqueid('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc') HTTP/1.1
``` ## See also
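Review bot: The fixed DELETE line replaces a mis-encoded opening quote (ΓÇÿ) and a brace-wrapped GUID with plain ASCII quotes around the bare GUID, which matches the getbytitle sample; the old line was not a valid request to copy. The same ΓÇÿ and ΓÇÖ sequences appear in the getmodelandlibraryinfo page in this update, so the source files seem to have been saved with smart quotes at some point; check the remaining samples.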
contentunderstanding Rest Getmodelandlibraryinfo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rest-api/rest-getmodelandlibraryinfo.md
Gets information about a model and the library where it has been applied (see [e
## HTTP request ```HTTP
-GET /_api/machinelearning/publications/getbyuniqueid(ΓÇÿ{modelUniqueId}ΓÇÖ) HTTP/1.1
+GET /_api/machinelearning/publications/getbymodeluniqueid('{modelUniqueId}') HTTP/1.1
``` ## URI parameters
In this sample, the ID of the Contoso Contract document understanding model is `
#### Sample request ```HTTP
-GET /sites/TestCC/_api/machinelearning/publications/getbymodeluniqueid(ΓÇÿ{7645e69d-21fb-4a24-a17a-9bdfa7cb63dc}ΓÇÖ) HTTP/1.1
+GET /sites/TestCC/_api/machinelearning/publications/getbymodeluniqueid('7645e69d-21fb-4a24-a17a-9bdfa7cb63dc') HTTP/1.1
``` #### Sample response
GET /sites/TestCC/_api/machinelearning/publications/getbymodeluniqueid(ΓÇÿ{7645e
"ViewOption": "NewViewAsDefault" } ]
-}```
+}
+```
## See also
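Review bot: Beyond fixing the quotes, the HTTP request line changes the method name from getbyuniqueid to getbymodeluniqueid; that matches the sample request further down, but the URI parameters section that follows should be checked so it describes the renamed method. Splitting "}```" onto two lines is the right fix for the closing fence; before it, the JSON's closing brace was swallowed into the fence marker.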
includes Office 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-germany-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Germany endpoints version 2020120100-->
-<!--File generated 2021-06-16 17:00:28.7402-->
+<!--File generated 2021-06-28 14:03:17.1654-->
## Exchange Online
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--China endpoints version 2021032900-->
-<!--File generated 2021-06-16 17:00:27.1271-->
+<!--File generated 2021-06-28 14:03:15.8423-->
## Exchange Online
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovDoD endpoints version 2021052800-->
-<!--File generated 2021-06-16 17:00:24.7412-->
+<!--File generated 2021-06-28 14:00:15.9804-->
## Exchange Online
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovGCCHigh endpoints version 2021052800-->
-<!--File generated 2021-06-16 17:00:25.9130-->
+<!--File generated 2021-06-28 14:01:29.9551-->
## Exchange Online
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021052800-->
-<!--File generated 2021-06-16 17:00:22.5427-->
+<!--File generated 2021-06-28 14:00:12.8981-->
## Exchange Online
managed-desktop Readiness Assessment Fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
At least one certificate connector has an error. If you need this connector for
You have at least one certificate connector and no errors are reported. However, in preparation for deployment, you might need to create a profile to reuse the connector for Microsoft Managed Desktop devices. For more information, see [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md).
+### Company Portal
+
+Microsoft Managed Desktop requires that IT administrators install Intune Company Portal for their users with Microsoft Managed Desktop devices.
+
+**Not ready**
+
+You do not have Company Portal installed for your users. Purchase Company Portal and force a sync between Intune and Microsoft Store for Business. For more information, see [Install Intune Company Portal on devices](../get-started/company-portal.md).
+ ### Conditional access policies
The **Allow syncing only on PCs joined to specific domains** setting will confli
**Advisory**
-You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop. Disable this setting, and instead set up OneDrive to use a conditional access policy. See [Plan a Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access) for help.
+You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop. Disable this setting, and instead set up OneDrive to use a conditional access policy. See [Plan a Conditional Access deployment](/azure/active-directory/conditional-access/plan-conditional-access) for help.
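Review bot: the Advisory paragraph under Conditional access policies is removed and re-added with identical text ("You're using the **Allow syncing only on PCs joined to specific domains** setting. This setting won't work with Microsoft Managed Desktop..."), so this is a whitespace-only change that adds noise to the diff; drop it unless the whitespace change is intended. In the new Company Portal section, the **Not ready** entry tells the reader to "Purchase Company Portal and force a sync between Intune and Microsoft Store for Business" but the section has no **Ready** counterpart, unlike the certificate connector check above, which describes both the error and the no-error state; add a short **Ready** entry so the reader can tell what a passing check looks like.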
managed-desktop Privacy Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
audience: Admin, ITPro
ms.localizationpriority: normal
-# Privacy and personal data
+# Overview
-Users can receive, transmit, and store data on devices managed by Microsoft Managed Desktop. They trust that the data's privacy is protected and used only in a way that is consistent with their expectations. This article explains how Microsoft Managed Desktop collects, stores, retains, processes, secures, shares, audits, and exports personal data. You'll also learn how an admin can view, correct, and delete personal data.
+Microsoft Managed Desktop is an IT-as-a-Service (ITaaS) service for enterprise cloud customers designed to keep employeesΓÇÖ Windows devices deployed and updated. It also provides IT service management and operations, monitors security and incident response, as well as providing user support. This documentation provides additional details on data platform and privacy compliance for Microsoft Managed Desktop.
-Microsoft Managed Desktop does not use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
+## Microsoft Managed Desktop data sources and purpose
-## Data collection of Microsoft Managed Desktop
+Microsoft Managed Desktop provides its service to enterprise customers and properly administers customersΓÇÖ enrolled devices by using data from various sources. These sources, including Azure Active Directory, Microsoft Intune, Microsoft Windows 10, and Microsoft Defender for Endpoint, provide a comprehensive view of the devices that Microsoft Managed Desktop manages. The service also uses these Microsoft services to enable Microsoft Managed Desktop to provide ITaaS capabilities:
-When users enroll corporate devices into Microsoft Managed Desktop, data collection is handled ΓÇô on the technical layer ΓÇô by using Windows and Microsoft Intune. These sources collect personal data about users' devices, such as device names for Microsoft Managed Desktop to be able to identify the device to be managed and provided with the Microsoft Managed Desktop experiences.
+- [Microsoft Windows 10 Enterprise](/windows/windows-10/) - for management of device setup experience, managing connections to other services, and operational support for IT pros.
+- [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) - uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10 update.
+- [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) ΓÇô for device management and to keep your data secure.
+ - [Microsoft Azure Active Directory](/azure/active-directory/) - for authentication and identification of all user accounts.
+ - [Microsoft Intune](/mem/intune/) ΓÇô for distributing device configurations, device management and application management.
+ - [Endpoint Analytics](/mem/analytics/overview) ΓÇô for analytical insights about device and app usage.
+ - [Windows Autopilot](/microsoft-365/windows/windows-autopilot) ΓÇô for device provisioning and deployment.
+ - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) ΓÇô provides security services such as device security monitoring and security intelligence data.
+- [Microsoft Managed Desktop](https://endpoint.microsoft.com/#home) ΓÇô Data provided by the customer or generated by the service during running of the service.
+- [Microsoft 365 apps for enterprise](https://www.microsoft.com/en-us/microsoft-365/enterprise/compare-office-365-plans?rtc=1) ΓÇô for management of Microsoft 365 Apps.
-Microsoft Managed Desktop does not collect data by itself to provide its service (except for [IT Admin contact information](#it-admin-contact-information). Instead, Microsoft Managed Desktop reuses data that other sources, such as Windows and Microsoft Intune, have already collected. Microsoft Managed Desktop uses data these services collect from enrolled devices:
+## Microsoft Managed Desktop data process and storage
-- Windows diagnostic data from devices managed by Microsoft Managed Desktop is sent to Microsoft's Windows diagnostic data stores.-- Microsoft Managed Desktop uses [modern management](/learn/modules/introduction-to-modern-management-in-microsoft-365/) for managing the enrolled devices. As part of "modern management," the devices must be enrolled in the tenantΓÇÖs Azure Active Directory.-- For distributing its highly optimized and secure configuration to enrolled devices, Microsoft Managed Desktop uses Microsoft Intune.-- Microsoft Managed Desktop uses security intelligence data from Microsoft Defender Advanced Thread Protection for those customers that use that service.
+Microsoft Managed Desktop relies on data from multiple Microsoft products and services to provide its service to enterprise customers. To accomplish the goal of protecting and maintaining enrolled devices, we process and copy data from these services to Microsoft Managed Desktop. When we process data, we follow the documented directions you provide, as referenced in the Online Services Terms and Microsoft Privacy Statement. When we process data, we follow the documented directions you provide, as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft Managed DesktopΓÇÖs processor duties include ensuring appropriate confidentiality, security, and resilience. Microsoft Managed Desktop employs additional privacy and security measures to ensure proper handling of personal identifiable data.
-## Data storage and sources in Microsoft Managed Desktop
-After Microsoft Managed Desktop gets the data, it needs to provide its service, storage, and processing of that data proceeds as follows:
+## Microsoft Managed Desktop data storage and staff location
-### Storing data, storage location, and data retention
+Microsoft Managed Desktop stores its data in the Azure data centers in the United States. Personal data obtained by Microsoft Managed Desktop and other services are required to keep the service operational. If a device is removed from Microsoft Managed Desktop, we keep personal data for a maximum of 30 days except for alert data collected by Microsoft Defender for Endpoint, which is stored for 180 days for security purposes. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
-Microsoft Managed Desktop stores its data in one or more of the following Microsoft storage
+Microsoft Managed Desktop Engineering Operations and Security Operations teams are located in the United States and India.
-- Azure SQL-- Azure storage-- Dynamics 365
+## Microsoft Windows 10 diagnostic data
-Microsoft Managed Desktop stores its data in the United States. Personal data is retained by Microsoft Managed Desktop for a maximum of 30 days, except for alert data for Microsoft Managed Desktop devices collected by Microsoft Defender for Endpoint. The actual alert data (which could include personal data) is stored for 180 days. Alert data with personal data removed is stored for up to two years. In compliance with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), Microsoft Managed Desktop honors the data subject rights for any personal data that is stored in alert data.
+Microsoft Managed Desktop uses [Windows 10 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements. The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Microsoft Managed Desktop and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. See [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) for more information about the Windows 10 diagnostic data setting and data collection.
-### Staff location
+The diagnostic data terminology will change in future versions of Windows. Microsoft Managed Desktop is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Microsoft Managed Desktop will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more details, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
-The Microsoft Managed Desktop Operations and Security Operations teams are located in the United States and India.
+Microsoft Managed Desktop only processes and stores system-level data from Windows 10 optional diagnostic data originating from enrolled devices such as application and device reliability and performance information. Microsoft Managed Desktop does not process and store customersΓÇÖ personal data such as chat and browser history, voice, text, or speech data.
-## Data usage of Microsoft Managed Desktop
+For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
-Microsoft Managed Desktop uses this data:
+## Microsoft Windows Update for Business
+Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Microsoft Managed Desktop leverages this data and uses it to mitigate and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
+## Microsoft Azure Active Directory
+Identifying data used by Microsoft Managed Desktop is stored by Azure Active Directory (Azure AD) in a geographical location based on the location provided by the organization when subscribing to Microsoft online services, such as Microsoft Apps for enterprise and Azure. Identifying data used by Microsoft Managed Desktop is stored by Azure AD in a geographical location based on the location provided by the organization when subscribing to Microsoft online services such as Microsoft Apps for enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
-| Data sources |Use with Microsoft Managed Desktop |
-|||
-|Azure Active Directory data | Used in reports created for tenant admins, which are available in the Microsoft Managed Desktop Admin portal. |
-|Intune data | Used in reports created for tenant admins, which are available in the Microsoft Managed Desktop Admin portal. |
-|Microsoft Defender for Endpoint | Used for addressing security threats detected on enrolled devices by Microsoft Managed DesktopΓÇÖs Security Operations Center (SOC). |
-|Windows diagnostic data |Used to determine the update status of managed devices and to provide and improve Microsoft Managed DesktopΓÇÖs IT-as-a-Service (ITaaS) offering. |
-|Admin contact data | Used by Microsoft Managed Desktop to communicate with tenant administrators. |
+## Microsoft Intune
+Microsoft Intune collects, processes, and shares data to Microsoft Managed Desktop to support business operations and services. See [Data collection in Intune](/mem/intune/protect/privacy-data-collect) for more information about the data collected in Intune.
+For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations?view=o365-worldwide). Intune respects the storage location selections made by the administrator for customer data.
-### Entities processed by Microsoft Managed Desktop
+## Microsoft Defender for Endpoint
+Microsoft Defender for Endpoint collects and stores information for devices enrolled in Microsoft Managed Desktop for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, size, and hashes), process data (running processes, hashes), registry data, network connection data, and device details (such as device identifiers, device names, and the operating system version). See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft Defender for EndpointΓÇÖs data collection and storage locations.
-Microsoft Managed Desktop processes these entities to provide the service:
+## Microsoft 365 Apps for enterprise
+Microsoft 365 Apps for enterprise collects and shares data with Microsoft Managed Desktop to ensure those apps are up to date with the latest version based on predefined update channels managed by Microsoft Managed Desktop. See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft 365 Apps's data collection and storage locations.
-- Device data-- Device security settings-- Device operating system and hardware-- Aggregated information about device health-- Device diagnostic information-- Tenant data-- Azure Active Directory resources-- Policy and configuration data-- Microsoft Defender for Endpoint metadata and alert data-- Windows diagnostic data-- Product and service usage data
+## Major data change notification
+Microsoft Managed Desktop follows a change control process as outlined in our service communication framework. We notify customers through the Microsoft 365 Message Center and Microsoft Managed Desktop Admin portal of both security incidents and major changes to the service. Changes to the types of data gathered and where it is stored are considered a material change. We will provide a minimum of 30 days of advanced notification of this change as is standard practice for Microsoft 365 products and services. For more information, see [Service changes and communication](/microsoft-365/managed-desktop/service-description/servicechanges?view=o365-worldwide).
-### Microsoft Azure Active Directory
+## Compliance
+Microsoft Managed Desktop has undergone external audits and obtained a comprehensive set of compliance offerings. You can find more information in Microsoft Managed Desktop [Compliance](/microsoft-365/managed-desktop/intro/compliance). Audit reports are available for download at the Microsoft [Service Trust Portal](https://aka.ms/stp), which serves as a central repository for Microsoft Enterprise Online Services. (Microsoft Managed Desktop is listed within these documents under the category ΓÇ£Monitoring and Management.ΓÇ¥)
-Identity data used by Microsoft Managed Desktop is stored by Azure Active Directory in a geographical location based on the address provided by the organization when subscribing for a Microsoft online service such as Office 365 or Azure. See [Microsoft AzureΓÇöWhere is my customer data?](http://azuredatacentermap.azurewebsites.net/) for a map showing the datacenters for Azure Active Directory.
-
-For more information about the regions Azure uses for data storage, see [Azure Active DirectoryΓÇôWhere is your data located](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9).
-
-### Microsoft Intune
-
-Intune data can be stored in a few different regions, such as Europe North (Ireland) and Europe West (Netherlands). Your IT administrator creates a tenant account and chooses the country where data will be stored when they initially enroll in Intune services. For a list of datacenter locations used by Intune, see [Microsoft IntuneΓÇöWhere is my customer data?](http://intunedatacentermap.azurewebsites.net/). For more information about data storage and use by Intune, see [Data collection in Intune](/intune/privacy-data-collect).
-
-### Microsoft Defender for Endpoint
-
-Microsoft Defender for Endpoint data can be stored in a few different regions. For this reason, Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, and in the United States, as stated at [Microsoft Defender for EndpointΓÇöData storage locations](http://intunedatacentermap.azurewebsites.net/). For more information about data storage and use by Defender for Endpoint, see [What data does Microsoft Defender for Endpoint collect?](/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy#what-data-does-microsoft-defender-atp-collect)
-
-### Windows 10
-
-As stated in the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement), “personal data collected by Microsoft may be stored and processed in your region, in the United States, and in any other country where Microsoft or its affiliates, subsidiaries, or service providers operate facilities. […] Typically, the primary storage location is in the customer’s region or in the United States, often with a backup to a datacenter in another region. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data if there is an outage or other problem. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.”
-
-For more information about the diagnostic data collection of Windows 10, see the ["Where we store and process personal data"](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
-
-## Data access protection
-
-Direct access to Microsoft Managed DesktopΓÇÖs internal data stores is restricted in several ways:
--- It requires engineering lead level approval.-- It is time-bounded and audited.-- All data is encrypted while it is stored.-- Access to Microsoft Managed DesktopΓÇÖs internal management portal requires a highly secured and restricted workstation.-
-## Processing personal data in a compliant manner
-Microsoft Managed Desktop processes personal data with ISO-certified systems. For more information, see [Compliance](../intro/compliance.md).
-
-## Profiling and marketing
-
-Microsoft Managed Desktop does not use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
-
-## Data Subject Requests for the GDPR and CCPA
-
-The European Union [General Data Protection Regulation (GDPR)](https://ec.europa.eu/justice/data-protection/reform/index_en.htm) gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by an employer or other type of agency or organization (known as the data controller or just controller). Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. A formal request by a data subject to a controller to take an action on their personal data is called a Data Subject Request or DSR.
-
-Similarly, the CCPA provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out / opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the [California Consumer Privacy Act](/compliance/regulatory/offering-ccpa?view=o365-worldwide) and the [California Consumer Privacy Act FAQ](/compliance/regulatory/ccpa-faq?view=o365-worldwide).
-
-The following section discusses how Microsoft Managed Desktop helps controllers to find, access, and act on personal data or personal information used by Microsoft Managed Desktop.
-
-> [!NOTE]
-> If you're looking for general information about the GDPR, see the [GDPR section](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) of the Service Trust Portal.
-
-### IT Admin contact information
-
-A tenant administrator can view, correct, and delete their own personal data (such as their own contact information) directly in the Admin Contact section of the Microsoft Managed Desktop Portal.
-
-## Microsoft Defender for Endpoint alert data
-
-Security administrators can request an extraction or deletion of personal data related to Microsoft Defender for Endpoint alerts on a Microsoft Managed Desktop managed device in their environment. The security administrator should sign in to the Microsoft Managed Desktop [Admin Portal](https://aka.ms/memadmin) and submit a support request. Select **Support request type** of **Change request**, **Category** of **Security**, and **Subcategory** of **Other**, and then provide the relevant device names in the description along with your request for extraction or deletion of data.
-
-### User-related personal data
-
-Aside from this, Microsoft Managed Desktop does not collect personal data on its own. Instead, it relies on and uses personal data that other Microsoft Enterprise Online Services collected. IT Admins looking to respond to their user requests to view, correct, and delete their personal data can use the respective functionality of the underlying services that Microsoft Managed Desktop depends on. If you are interested in viewing or deleting personal data used by these services, see the [Azure Data Subject Requests for the GDPR](/compliance/regulatory/gdpr-dsr-Azure) article first.
-
-Furthermore, use the following guidance to exercise DSRs for the services Microsoft Managed Desktop depends on for the collection of personal data:
--- [Azure Active Directory](/compliance/regulatory/gdpr-dsr-Azure?view=o365-worldwide)-- [Microsoft Intune](/compliance/regulatory/gdpr-dsr-Intune?view=o365-worldwide)-- [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy)-- [Windows 10](/windows/privacy/windows-10-and-privacy-compliance)
+## Legal
+**MicrosoftΓÇÖs privacy notice to end users of products provided by organizational customers** - The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign in to Microsoft products with a work account, a) their organization can control and administer their account (including controlling privacy-related settings) and access and process their data, and b) Microsoft may collect and process the data to provide the service to the organization and end users.
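Review bot: the "Microsoft 365 Apps for enterprise" section points readers to "[Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy...)" for Microsoft 365 Apps data collection and storage locations; that is the same link used in the Defender for Endpoint section just above and looks like a copy-paste error, so it should point at the Microsoft 365 Apps privacy documentation instead. Two sentences are also duplicated in the new text: under "data process and storage", "When we process data, we follow the documented directions you provide, as referenced in the Online Services Terms and Microsoft Privacy Statement." appears first without links and then again with links, and under "Microsoft Azure Active Directory", "Identifying data used by Microsoft Managed Desktop is stored by Azure AD in a geographical location based on the location provided by the organization..." appears twice back to back; keep one copy of each. Finally, the rewrite removes the "Data Subject Requests for the GDPR and CCPA" section (including the Admin Portal support-request steps for extracting or deleting Defender for Endpoint alert data, the per-service DSR links, and the "IT Admin contact information" guidance), the "Data access protection" list, and the statement that personal data is not used for profiling, advertising, or marketing, without replacing them; if that content now lives elsewhere, the new "Legal" or "Compliance" section should link to it, otherwise customers lose the only documented path for exercising data subject rights against this service.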
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
You can assess how an attack surface reduction rule might affect your network by
In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
+See [Requirements](enable-attack-surface-reduction.md#requirements) in the "Enable attack surface reduction rules" article for information about supported operating systems and additional requirement information.
+ ## Audit mode for evaluation Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.
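Review bot: the added cross-reference sentence "See [Requirements](enable-attack-surface-reduction.md#requirements) in the "Enable attack surface reduction rules" article for information about supported operating systems and additional requirement information." is redundant in its wording ("information about ... requirement information"); suggest "for supported operating systems and other requirements". The same sentence is added verbatim to the customize-attack-surface-reduction article in this batch, so the wording fix should be applied in both places.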
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
Choosing the initial discovery classification means applying the default system-
6. Confirm that you want to make the change.
+## Explore devices in the network
+You can use the following advanced hunting query to get more context about each network name described in the networks list. The query lists all the onboarded devices that were connected to a certain network within the last 7 days.
+++
+```kusto
+DeviceNetworkInfo
+| where Timestamp > ago(7d)
+| summarize arg_max(Timestamp, *) by DeviceId
+| where ConnectedNetworks != ""
+| extend ConnectedNetworksExp = parse_json(ConnectedNetworks)
+| mv-expand bagexpansion = array ConnectedNetworks=ConnectedNetworksExp
+| extend NetworkName = tostring(ConnectedNetworks ["Name"]), Description = tostring(ConnectedNetworks ["Description"]), NetworkCategory = tostring(ConnectedNetworks ["Category"])
+| where NetworkName == "<your network name here>"
++
+```
## See also - [Device discovery overview](device-discovery.md)
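Review bot: the query's description ("lists all the onboarded devices that were connected to a certain network within the last 7 days") does not match what the query returns: `summarize arg_max(Timestamp, *) by DeviceId` keeps only the latest DeviceNetworkInfo record per device before the `where NetworkName == "<your network name here>"` filter, so a device that was on the network earlier in the window but whose most recent report shows a different network is dropped. Either reword the description to "devices whose most recent network report includes the network" or move the network-name filter before the `summarize` (and summarize by DeviceId after expanding `ConnectedNetworks`) so every device seen on that network in the window is returned. Also, the `extend` line defines `NetworkCategory` but nothing uses it; either project it in the output or drop it. The `++` and `+++` lines inside the fence add stray blank lines to the rendered code block.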
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
You can set attack surface reduction rules for devices running any of the follow
- Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)+ You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
+See [Requirements](enable-attack-surface-reduction.md#requirements) in the "Enable attack surface reduction rules" article for information about supported operating systems and additional requirement information.
+ ## Exclude files and folders You can choose to exclude files and folders from being evaluated by attack surface reduction rules. When excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
If you are encountering problems with rules detecting files that you believe sho
| Rule description | GUID | |:-|:-|
+| Block abuse of exploited vulnerable signed drivers | `56a863a9-875e-4185-98a7-b882c64b5ce5` |
+| Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
| Block all Office applications from creating child processes | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` |
+| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
+| Block executable content from email client and webmail | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` |
+| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | `01443614-cd74-433a-b99e-2ecdc07bfc25` |
| Block execution of potentially obfuscated scripts | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` |
-| Block Win32 API calls from Office macro | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` |
+| Block JavaScript or VBScript from launching downloaded executable content | `D3E037E1-3EB8-44C8-A917-57927947596D` |
| Block Office applications from creating executable content | `3B576869-A4EC-4529-8536-B80A7769E899` | | Block Office applications from injecting code into other processes | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` |
-| Block JavaScript or VBScript from launching downloaded executable content | `D3E037E1-3EB8-44C8-A917-57927947596D` |
-| Block executable content from email client and webmail | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` |
-| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | `01443614-cd74-433a-b99e-2ecdc07bfc25` |
-| Use advanced protection against ransomware | `c1db55ab-c21a-4637-bb3f-a12568109d35` |
-| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
-| Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
-| Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
| Block Office communication applications from creating child processes | `26190899-1602-49e8-8b27-eb1d0a1ce869` |
-| Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
| Block persistence through WMI event subscription | `e6db77e5-3df2-4cf1-b95a-636979351e5b` |
+| Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
+| Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
+| Block Win32 API calls from Office macro | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` |
+| Use advanced protection against ransomware | `c1db55ab-c21a-4637-bb3f-a12568109d35` |
See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
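Review bot: in the re-sorted rules table, GUID casing is inconsistent; the original entries use uppercase hex (for example `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`) while the newly added and moved rows use lowercase (`56a863a9-875e-4185-98a7-b882c64b5ce5`, `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`). GUID comparison in Group Policy, PowerShell and MDM is case-insensitive, so nothing breaks, but a single casing convention across the table makes it easier to diff against other rule lists and avoids readers assuming the difference is meaningful. The alphabetical reorder also produces a large remove/re-add diff for rows that have not changed; if the only substantive change is the two new rules (vulnerable signed drivers and Adobe Reader child processes), consider landing those separately from the reorder so the review history shows what was actually added.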
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Last updated 06/02/2021
[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks.
-**Requirements**
+## Requirements
+
+Attack surface reduction features across Windows versions
+ You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
You can set attack surface reduction rules for devices that are running any of t
- Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
-Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true), as well as reporting and configuration capabilities in the [Microsoft 365 security center](/microsoft-365/security/defender/overview-security-center?view=o365-worldwide&preserve-view=true). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
+To use the entire feature-set of attack surface reduction rules, you need:
+
+- Windows Defender Antivirus as primary AV (real-time protection on)
+- [Cloud-Delivery Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) on (some rules require that)
+- Windows 10 Enterprise E5 or E3 License or Microsoft 365 Business License
+
+Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), with a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
Each ASR rule contains one of four settings:
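Review bot: the new requirements list contradicts the paragraph after it: the list says you need a "Windows 10 Enterprise E5 or E3 License or Microsoft 365 Business License", while the following paragraph says the rules do not require E5, and the removed paragraph also covered Windows Professional with Event Viewer review; state plainly which license the rules themselves need versus the Defender for Endpoint monitoring and reporting. Also in this hunk: "Windows Defender Antivirus" should be "Microsoft Defender Antivirus" to match the removed text; "Cloud-Delivery Protection" should be "cloud-delivered protection", and its link should use the site-relative form (`/windows/security/threat-protection/...`) used by the other links rather than an absolute `https://docs.microsoft.com/` URL; the line beginning " You can set attack surface reduction rules ..." has a leading space and puts the first list item (`- Windows 10 Pro, [version 1709]...`) on the same line as the introductory sentence, so it will not render as a list; and "Attack surface reduction features across Windows versions" reads like a heading but carries no `###` marker.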
security M365d Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md
To review accounts with these roles, [view Permissions in the Microsoft 365 secu
**Custom role** access is a new capability in Microsoft 365 Defender and allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender 365. Custom roles offer more control than global Azure AD roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. [Learn more about custom roles](custom-roles.md).
-> ![NOTE]
+> [!NOTE]
> This article applies only to managing global Azure Active Directory roles. For more information about using custom role-based access control, see [Custom roles for role-based access control](custom-roles.md) ## Access to functionality
During the preview, Microsoft 365 Defender does not enforce access controls base
- [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md) - [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) - [Microsoft Defender for Endpoint RBAC](/windows/security/threat-protection/microsoft-defender-atp/rbac)-- [Cloud App Security roles](/cloud-app-security/manage-admins)
+- [Cloud App Security roles](/cloud-app-security/manage-admins)
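Review bot: the callout fix from `> ![NOTE]` to `> [!NOTE]` is correct; the former renders as a broken image instead of a note box. The sentence inside the note, "see [Custom roles for role-based access control](custom-roles.md)", is missing its closing period. The related-links change re-adds the Cloud App Security roles bullet with identical text; confirm this is a deliberate line-ending or list-spacing fix rather than an accidental duplicate.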
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
f1.keywords:
Previously updated : Last updated : 06/28/2021 audience: ITPro - localization_priority: Normal search.appverid: - MET150
To put it another way: as a security service, we're acting on your behalf to pre
## Exceptions > [!NOTE]
-> In July 2021, secure by default will be extended to Exchange mail flow rules (also known as transport rules). If you use mail flow rules to allow third-party phishing simulations or unfiltered delivery to security operation mailboxes, you eventually need to eliminate these rules and switch to using the [advanced delivery policy](configure-advanced-delivery.md) _when the feature is available to you_.
+> In August 2021, secure by default will be extended to Exchange mail flow rules (also known as transport rules). If you use mail flow rules to allow third-party phishing simulations or unfiltered delivery to security operation mailboxes, you eventually need to eliminate these rules and switch to using the [advanced delivery policy](configure-advanced-delivery.md) _when the feature is available to you_.
The only override that allows high confidence phishing message to bypass filtering is mail flow rules. To use mail flow rules to bypass filtering, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
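Review bot: moving the date from July to August 2021 is the only change, but the note still tells admins they "eventually need to eliminate these rules" with no date or pointer for when the advanced delivery policy becomes available. If the rollout timing is known, state it beside the new August date so readers can plan the migration of their phishing-simulation and SecOps-mailbox mail flow rules before the override stops working.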
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
- Increasing the limits for Export of records from 9990 to 200,000 in [hunting experiences](threat-explorer.md) - Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in [hunting experiences](threat-explorer.md) - New hunting pivots called **Impersonated domain** and **Impersonated user** within the Explorer (and Real-time detections) to search for impersonation attacks against protected users or domains. For more information, see [details](threat-explorer.md#view-phishing-emails-sent-to-impersonated-users-and-domains). (Microsoft Defender for Office 365 Plan 1 or Plan 2)-- New first contact safety tip for when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it using Exchange mail flow rules (also known as transport rules), see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip). ## December 2020
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
## September/October 2020
+- New first contact safety tip for when recipients first receive an email from a sender or do not often receive email from a sender. For more information on this setting and how to configure it using Exchange mail flow rules (also known as transport rules), see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).
- [Check your policies using Configuration Analyzer](configuration-analyzer-for-security-policies.md) - [Extended capabilities in Threat Explorer including top targeted users, transport rules, and connectors](threat-explorer.md#new-features-in-threat-explorer-and-real-time-detections) (Defender for Office 365 information in [Threat Explorer](threat-explorer.md) (email was allowed/blocked by tenant/user policy) (Defender for Office 365 Plan 2) - Surfacing URL threats in [Threat Explorer](threat-explorer.md#threats-in-urls) (malware, phish, spam, or none) (Defender for Office 365 Plan 2)
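Review bot: the first contact safety tip bullet is added under "September/October 2020"; confirm the earlier copy (visible in the removed text fused into the context line ending in "## December 2020") is actually deleted so the feature is not listed under two months. In the unchanged bullet that follows the insertion, "(Defender for Office 365 information in [Threat Explorer](threat-explorer.md) (email was allowed/blocked by tenant/user policy)" opens a parenthesis that is never closed.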
solutions Microsoft 365 Guest Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-guest-settings.md
Because OneDrive is a hierarchy of sites within SharePoint, the organization-lev
| Setting | Default | Description | |:--|:--|:--| |Limit external sharing by domain|Off|This setting allows you to specify a list of allowed or blocked domains for sharing. When allowed domains are specified, then sharing invitations can only be sent to those domains. When denied domains are specified, then sharing invitations cannot be sent to those domains.<br><br> This setting affects all SharePoint and OneDrive sites in the organization.|
+|Allow only users in specific security groups to share externally|Off|If you want to limit who can share with guests in SharePoint and OneDrive, you can do so by limiting sharing to people in specified security groups. These settings do not affect sharing via Microsoft 365 Groups or Teams. Guests invited via a group or team would also have access to the associated site, though document and folder sharing could only be done by people in the specified security groups.<br><br>For each specified group, you can choose of those users can share with Anyone links.|
|Guests must sign in using the same account to which sharing invitations are sent|Off|Prevents guests from redeeming site sharing invitations using a different email address than the invitation was sent to.<br><br>[SharePoint and OneDrive integration with Azure AD B2B (Preview)](/sharepoint/sharepoint-azureb2b-integration-preview) does not use this setting because all guests are added to the directory based on the email address that the invitation was sent to. Alternate email addresses cannot be used to access the site.| |Allow guests to share items they don't own|On|When **On**, guests can share items that they don't own with other users or guests; when **Off** they cannot. Guests can always share items for which they have full control.|
+|People who use a verification code must reauthenticate after this many days|Off|This setting allows you to require that users authenticating with a one-time passcode need to reauthenticate after a certain number of days.|
### SharePoint and OneDrive file and folder link settings
When files and folders are shared in SharePoint and OneDrive, sharing recipients
|File permissions|View and edit|Specifies the file permission levels available to users when creating an *Anyone* link. If **View** is selected, then users can only create *Anyone* file links with view permissions. If **View, and edit** is selected, then users can choose between view and view and edit permissions when they create the link.| |Folder permissions|View, edit, and upload|Specifies the folder permission levels available to users when creating an *Anyone* link. If **View** is selected, then users can only create *Anyone* folder links with view permissions. If **View, edit, and upload** is selected, then users can choose between view and view, edit, and upload permissions when they creat the link.|
-### SharePoint and OneDrive security group settings
-
-If you want to limit who can share with guests in SharePoint and OneDrive, you can do so by limiting sharing to people in specified security groups. These settings do not affect sharing via Microsoft 365 Groups or Teams. Guests invited via a group or team would also have access to the associated site, though document and folder sharing could only be done by people in the specified security groups.
-
-**Navigation:** SharePoint admin center > Sharing > Limit external sharing to specific security groups
-
-![Screenshot of SharePoint organization-level sharing security group settings](../media/sharepoint-organization-external-sharing-security-groups.png)
-
-| Setting | Default | Description |
-|:--|:--|:--|
-|Let only users in selected security groups share with authenticated external users|Off|When **On**, only the people in the specified security groups can share with people outside the organization. Only *Specific people* links are available. *Anyone* sharing is effectively disabled unless **Let only users in selected security groups share with authenticated external users and using anonymous links** is also **On**|
-|Let only users in selected security groups share with authenticated external users and using anonymous links|Off|When **On**, only the people in the specified security groups can share with guests. Both *Anyone* and *Specific people* links are available.|
-
-Both of these settings can be used at the same time. If a user is in security groups specified for both settings, then the greater permission level prevails (*Anyone* plus *Specific user*). Nested security groups are supported.
- ## SharePoint (site level) **Admin role:** SharePoint administrator
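Review bot: in the new "Allow only users in specific security groups to share externally" row, "you can choose of those users can share with Anyone links" should read "you can choose whether those users can share with Anyone links". The row replaces the removed "SharePoint and OneDrive security group settings" section but drops two details admins rely on when scoping guest sharing: that a user who is in the groups specified for both settings gets the greater permission level (Anyone plus Specific people), and that nested security groups are supported; consider carrying both into the new description. The unchanged folder-permissions row also reads "creat the link" for "create the link".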