Updates from: 06/03/2021 03:25:31
Category Microsoft Docs article Related commit history on GitHub Change details
admin Business Assist https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/business-assist.md
description: "Learn about the Business Assist program and how it can help your o
Get the most out of your subscription with expert advice from small business specialists.
-**Business Assist for Microsoft 365** is designed for businesses with less than 5 users to give you and your employees around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
+**Business Assist for Microsoft 365** is designed for businesses with fewer than 5 users to give you and your employees around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.
## Business Assist services
-||||
+| | | |
|:--|:--|:--| |**Get up and running quickly** <br> Work with a small business specialist to set up Microsoft 365 features that protect your business and give it a professional look. |**Empower everyone in your business** <br> All your employees, not just the person in charge of IT can go directly to Microsoft experts for faster ongoing support. |**Unlock business potential** <br> Learn about underutilized features and get advice on ways to get more value out of your subscription. | |**Accelerate your cloud migration** <br> Get personalized help moving all your current files (email, storage, documents, and communication) to Microsoft 365. |**Access specialists with ease** <br> Our team will pick up the conversation where you left it last. No tickets to track, no robots, no long waiting times. |**Stay up to date** <br> Regular check-ups that help you stay current as new service capabilities are added, and your companyΓÇÖs needs evolve. |
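Review bot: the header row is still empty after the change from `||||` to `| | | |`, so the table renders with a blank header and screen readers announce three unnamed columns; either give the three columns real headings or turn the six cells into a bulleted list, since nothing in the cells depends on a column grouping.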
Get the most out of your subscription with expert advice from small business spe
## Eligibility for Business Assist
-Customers with an active Microsoft 365 for business subscription plan can use Business Assist onboarding, migration and management services. Your organization must have 5 or less user licenses.
+Customers with an active Microsoft 365 for business subscription plan can use Business Assist onboarding, migration and management services. Your organization must have 5 or fewer user licenses.
> [!IMPORTANT] > Business Assist is only available in the United States.
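Review bot: the eligibility threshold "5 or fewer user licenses" (inclusive) conflicts with the intro sentence changed earlier in this article, which says "businesses with fewer than 5 users" (exclusive); pick one threshold and use the same wording in both places, for example "businesses with 5 or fewer users" in the intro if the license rule is the authoritative one.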
Customers with an active Microsoft 365 for business subscription plan can use Bu
Only organizations that are eligible will see the option to buy Business Assist. Business Assist costs $5 per user per month. Here's how you can buy Business Assist.
-1. In the Microsoft 365 admin center, go to **Billing** > **Purchase services**.
+1. In the simplified view of the Microsoft 365 admin center, go to the **Subscriptions** tab and select **Add products**.
-2. Select **Details** on the **Small Business Assist for Microsoft 365** and complete your purchase.
+2. On the Purchase services page, Select **Details** on **Business Assist for Microsoft 365** and complete your purchase.
:::image type="content" source="../../media/business-assist-april.png" alt-text="Screeenshot: Purchase Business Assist from the Add-ons section on the Purchase services page":::
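Review bot: in the new step 2, "Select" is capitalized mid-sentence ("On the Purchase services page, Select **Details**"); lower-case it. The unchanged image line still carries the typo "Screeenshot" in its alt-text. Step 1 now describes only the simplified view of the admin center; if the path differs in the dashboard view, document both paths so readers in either view can find the purchase option.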
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
And if you'd like to know what's new with other Microsoft cloud
### Keep track of support ticket updates using the Admin mobile app
-For all the service requests created in your tenant you can now keep track of the ticket status, view ticket details and provide / request additional information by adding notes & attachments.
+For all the service requests created in your tenant you can now keep track of the ticket status, view ticket details and provide / request additional information by adding notes & attachments.
-### Stay on top of all the major updates to the app and your Microsoft 365 subscription
+### Stay on top of all the major updates to the app and your Microsoft 365 subscription
-- Stay on top of all the major updates to your Microsoft 365 subscription through Message Center push notifications (now enabled by default).
+- Stay on top of all the major updates to your Microsoft 365 subscription through Message Center push notifications (now enabled by default).
- Keep track of the latest features available in the app using the **What's New** section. Go to **Settings** > **WhatΓÇÖs new?** ## April 2021
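Review bot: the removed and added lines for the ticket-tracking paragraph, the "Stay on top" heading and its bullet are textually identical, so this looks like a whitespace-only change; fine, but while the line is being touched, "provide / request additional information" reads better as "provide or request additional information".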
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Use the following table to help you identify the differences in behavior for the
|Exchange attachments checked for conditions|No | Yes| |Apply visual markings |Yes |Yes (email only) | |Override IRM encryption applied without a label|Yes if the user has the minimum usage right of Export |Yes (email only) |
-|Label incoming email|No |Yes (encryption not applied) |
+|Label incoming email|No |Yes|
\* Auto-labeling isn't currently available in all regions. If your tenant can't support this functionality, the Auto-labeling tab isn't visible in the admin labeling center.
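Review bot: changing the "Label incoming email" cell for the auto-labeling-policy column from "Yes (encryption not applied)" to a bare "Yes" silently drops a security-relevant caveat that readers used to know that a label with encryption settings did not encrypt incoming mail. If encryption is now applied when an auto-labeling policy labels incoming email, say so explicitly (for example "Yes (encryption applied)") and make the row consistent with the neighbouring "Override IRM encryption" row; if the behaviour has not changed, keep the caveat.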
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
Policy templates are pre-defined policy settings that you can use to quickly cre
| **Regulatory compliance** | Monitor communications for info related to financial regulatory compliance | - Locations: Exchange Online, Microsoft Teams, Yammer, Skype for Business <br> - Direction: Inbound, Outbound <br> - Review Percentage: 10% <br> - Conditions: custom dictionary option, attachments larger than 1 MB | | **Conflict of interest** | Monitor communications between two groups or two users to help avoid conflicts of interest | - Locations: Exchange Online, Microsoft Teams, Yammer, Skype for Business <br> - Direction: Internal <br> - Review Percentage: 100% <br> - Conditions: None |
-Communications are scanned every 24 hours from the time policies are created. For example, if you create an offensive language policy at 11:00 AM, the policy will gather communication compliance signals every 24 hours at 11:00 AM daily. Editing a policy doesn't change this time. To view the last scan date and time for a policy, navigate to the *Last policy scan* column on the **Policy** page. After creating a new policy, it may take up to 24 hours to view the first policy scan date and time. The date and time of the last scan will be converted to the time zone of your local system.
+Communications are scanned every 24 hours from the time policies are created. For example, if you create an offensive language policy at 11:00 AM, the policy will gather communication compliance signals every 24 hours at 11:00 AM daily. Editing a policy doesn't change this time. To view the last scan date and time for a policy, navigate to the *Last policy scan* column on the **Policy** page. After creating a new policy, it may take up to 24 hours to view the first policy scan date and time. The date and time of the last scan are converted to the time zone of your local system.
+
+## Pausing a policy (preview)
+
+After you've created a communication compliance policy, the policy may be temporarily paused if needed. Pausing a policy may be used for testing or troubleshooting policy matches, or for optimizing policy conditions. Instead of deleting a policy in these circumstances, pausing a policy also preserves existing policy alerts and messages for ongoing investigations and reviews. Pausing a policy prevents inspect and alert generation for all user message conditions defined in the policy for the time the policy is paused. To pause or restart a policy, users must be a member of the *Communication Compliance Admin* role group.
+
+To pause a policy, navigate to the **Policy** page, select a policy, and then select **Pause policy** from the actions toolbar. On the **Pause policy** pane, confirm you'd like to pause the policy by selecting **Pause**. In some cases, it may take up to 24 hours for a policy to be paused. Once the policy is paused, alerts for messages matching the policy aren't created. However, messages associated with alerts that were created prior to pausing the policy remain available for investigation, review, and remediation.
+
+The policy status for paused policies may indicate several states:
+
+- **Active**: The policy is active
+- **Paused**: The policy is fully paused.
+- **Pausing**: The policy is in the process of being paused.
+- **Resuming**: The policy in the process of being resumed.
+- **Error in resuming**: An error has been encountered when resuming the policy. For the error stack trace, hover your mouse over the *Error in resuming* status in the Status column on the Policy page.
+- **Error in pausing**: An error has been encountered when pausing the policy. For the error stack trace, hover your mouse over the *Error in pausing* status in the Status column on the Policy page.
+
+To resume a policy, navigate to the **Policy** page, select a policy, and then select **Resume policy** from the actions toolbar. On the **Resume policy** pane, confirm you'd like to resume the policy by selecting **Resume**. In some cases, it may take up to 24 hours for a policy to be resumed. Once the policy is resumed, alerts for messages matching the policy will be created and will be available for investigation, review, and remediation.
## Permissions
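Review bot: in the new "Pausing a policy (preview)" section, "prevents inspect and alert generation" should read "prevents inspection and alert generation", "users must be a member of" should be "users must be members of", "**Active**: The policy is active" lacks the terminal period the other items have, and "**Resuming**: The policy in the process of being resumed" is missing "is". The list is introduced as states for "paused policies" but starts with Active, so introduce it as the possible policy statuses instead. Because the text says pausing can take up to 24 hours, compliance readers would want it stated explicitly whether messages received during that pausing window are still inspected and alerted on, and whether pause and resume actions are recorded in the audit log.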
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
To return to the default value of both the mailbox and SharePoint site for the s
### Configuration information for Skype for Business
-Unlike Exchange email, you can't toggle the status of the Skype location on to automatically include all users, but when you turn on that location, you must then manually choose the users whose conversations you want to retain:
+Unlike other locations, you can't toggle the status of the Skype location on to automatically include all users. Instead, when you turn on that location, you must then select the **Edit** option to manually choose the users whose conversations you want to retain:
-![Choose Skype location for retention policies](../media/skype-location-retention-policies.png)
+![Edit Skype location for retention policies](../media/skype-location-retention-policies.png)
-When you select **Choose user**, you can quickly include all users by selecting the **Select all** box. However, it's important to understand that each user counts as a specific inclusion in the policy. So if you include 1,000 users by selecting the **Select all** box, it's the same as if you manually selected 1,000 users to include, which is the maximum supported for Skype for Business.
+After you select this **Edit** option, in the **Skype for Business** pane you can quickly include all users by selecting the hidden box before the **Name** column. However, it's important to understand that each user counts as a specific inclusion in the policy. So if you include 1,000 users by selecting this box, it's the same as if you manually selected 1,000 users to include, which is the maximum supported for Skype for Business.
Be aware that **Conversation History**, a folder in Outlook, is a feature that has nothing to do with Skype archiving. **Conversation History** can be turned off by the end user, but archiving for Skype is done by storing a copy of Skype conversations in a hidden folder that is inaccessible to the user but available to eDiscovery.
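Review bot: "selecting the hidden box before the **Name** column" is unclear, since a user cannot select a control that is hidden. If the select-all checkbox only appears on hover, say so ("select the checkbox that appears to the left of the **Name** column header"); otherwise call it the select-all checkbox, matching the removed wording that named the control.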
compliance Customer Key Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-overview.md
A data encryption policy (DEP) defines the encryption hierarchy. This hierarchy
- Teams status messages - User and signal information for Exchange Online - Exchange Online mailboxes that aren't already encrypted by mailbox DEPs-- MIP exact data match (EDM) data ΓÇô (data file schemas, rule packages, and the salts used to hash the sensitive data).
- For MIP exact data match (EDM) and Microsoft Teams, the multi-workload DEP encrypts new data from the time you assign the DEP to the tenant. For Exchange Online, Customer Key encrypts all existing and new data.
+- Microsoft Information Protection:
+
+ - Exact data match (EDM) data, including data file schemas, rule packages, and the salts used to hash the sensitive data. For EDM and Microsoft Teams, the multi-workload DEP encrypts new data from the time you assign the DEP to the tenant. For Exchange Online, Customer Key encrypts all existing and new data.
+
+ - Label configuration for sensitivity labels
Multi-workload DEPs don't encrypt the following types of data. Instead, Microsoft 365 uses other types of encryption to protect this data.
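Review bot: the two sub-bullets under "- Microsoft Information Protection:" are indented with a single leading space, which Markdown does not reliably render as nested list items; indent them by two or four spaces under the parent bullet. Also, the sentence "For EDM and Microsoft Teams, the multi-workload DEP encrypts new data from the time you assign the DEP to the tenant. For Exchange Online, Customer Key encrypts all existing and new data." covers Teams and Exchange Online as well as EDM, so it belongs at the top level of the list, where the removed line had it, rather than inside the EDM sub-bullet.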
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|EmailAction*||Email_action|Values are **None**, **Reply**, or **Forward**; based on the subject line of a message.| |Email Delivery Receipt Requested||Email_delivery_receipt|Email address supplied in Internet Headers for delivery receipt.| |Importance|EmailImportance|Email_importance|Importance of the message: **0** - Low; **1** - Normal; **2** - High|
+|Ignored processing errors|ErrorIgnored|Error_Ignored|Error was ignored and not remediated.|
|EmailInternetHeaders|EmailInternetHeaders|Email_internet_headers|The full set of email headers from the email message| |EmailLevel*||Email_level|Indicates a message's level within the email thread it belongs to; attachments inherit its parent message's value.| |Email Message Id||Email_message_ID|Internet message Id from the message.|
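Review bot: the new "Ignored processing errors" row describes the field only as "Error was ignored and not remediated."; state what the value looks like (a True/False flag, or a list of error names) and which processing errors it covers, to the level of detail the neighbouring rows give (Importance lists its possible values, for instance).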
The following table lists the metadata fields for documents in a review set in a
|||Extracted_text_path|The path to the extracted text file in the export.| |ExtractedTextLength*||Extracted_text_length|Number of characters in the extracted text.| |FamilyDuplicateSet*||Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).|
-|Family ID|FamilyId|Family_ID|Family Id groups together all items; for email, this includes the message and all attachments; for documents, this includes the document and any embedded items.|
+|Family ID|FamilyId|Family_ID|Groups together all items for email. This includes the message and all attachments and extracted items.|
|Family Size||Family_size|Number of documents in the family.| |File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email** or **Attachment**.| |File ID|FileId|File_ID|Document identifier unique within the case.| |File system date created||File_system_date_created|Created date from file system (only applies to non-Office 365 data).| |File system date modified||File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).| |File Type|FileType||File type of the item based on file extension.|
-|Group Id|GroupID||Group ID for grouped content.|
+|Group Id|Group Id|Group_ID|Groups together all items for email and documents. For email, this includes the message and all attachments and extracted items. For documents, this includes the document and any embedded items.|
|Has attachment|HasAttachment|Email_has_attachment|Indicates whether or not the message has attachments.| |Has attorney|HasAttorney||**True** when at least one of the participants is found in the attorney list; otherwise, the value is **False**.| |HasText*||Has_text|Indicates whether or not the item has text; possible values are **True** and **False**.|
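Review bot: the second column of the new Group Id row is "Group Id" with a space, while every other row puts a PascalCase property name there (FamilyId, FileId, HasAttachment) and the removed row used "GroupID"; confirm the actual property name rather than repeating the display name. The revised Family ID and Group Id descriptions now overlap for email (both say "the message and all attachments and extracted items"); a sentence stating how the two identifiers differ would help readers choose the right field.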
The following table lists the metadata fields for documents in a review set in a
|NativeSHA256||Native_SHA_256|SHA256 hash (256-bit hash value) of the file stream.| |ND/ET Sort: Excluding attachments|NdEtSortExclAttach|ND_ET_sort_excl_attach|Concatenation of the email thread (ET) set and Near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets.| |ND/ET Sort: Including attachments|NdEtSortInclAttach|ND_ET_sort_incl_attach|Concatenation of an email thread (ET) set and near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets. Each email item in an ET set is followed by its appropriate attachments.|
+|Near Duplicate Set||ND_set|Items that are similar to the pivot document share the same ND_set.|
|O365 authors||O365_authors|Author from SharePoint.| |O365 created by||O365_created_by|Created by from SharePoint.| |O365 date created||O365_date_created|Created date from SharePoint.|
The following table lists the metadata fields for documents in a review set in a
|Sender domain|SenderDomain|Email_sender_domain|Domain of the sender.| |Sent|Sent|Email_date_sent|Sent date of the message.| |Set Order: Inclusive First|SetOrderInclusivesFirst|Set_order_inclusives_first|Sorting field - email and attachments: counter-chronological; documents: pivot first then by descending similarity score.|
+|Set ID||Set_ID|Documents of similar content (ND_set) or email within the same email thread (Email_set) share the same Set_ID.|
|SimilarityPercent||Similarity_percent|Indicates how similar a document is to the pivot of the near duplicate set.| |Native file size|Size|Native_size|Number of bytes of the native item.| |Subject|Subject|Email_subject|Subject of the message.|
compliance Review Set Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/review-set-search.md
Title: "Query the data in a review set"
+ Title: "Query the content in a review set"
f1.keywords: - NOCSH
search.appverid:
- MOE150 - MET150 ms.assetid:
-description: "Learn how to create and run a query in a review set to organize data for a more efficient review in an Advanced eDiscovery case."
+description: "Learn how to create and run a query in a review set to organize content for a more efficient review in an Advanced eDiscovery case."
-# Query the data in a review set
+# Query and filter content in a review set
-In most cases, it will be useful to be able to dig deeper into the data in a review set and organize that data to facilitate a more efficient review. Using Queries in a review set helps you focus on a subset of documents that meet the criteria of your review.
+In most cases, it will be useful to dig deeper into the content in a review set and organize it to facilitate a more efficient review. Using filters and queries in a review set helps you focus on a subset of documents that meet the criteria of your review.
-## Creating and running a query in a review set
+## Default filters
-To create and run a query on the documents in a review set, select **New query** in the review set. After you name your query and define the conditions, select **Save** to save and run the query. To run a query that has been previously saved, select a saved query.
+In a review set, there are five default filters that are pre-loaded in the review set:
-![Review set queries](../media/AeDReviewSetQueries.png)
+- Keywords
+- Date
+- Sender/Author
+- Subject/Title
+- Tags
-## Building a review set query
+![Default filter types](../media/DefaultFilterTypes.png)
-You can build a query by using a combination of keywords, properties, and conditions in the Keywords condition. You can also group conditions as a block (called a *condition group*) to build a more complex query. For a list and description of metadata properties that you can search, see [Document metadata fields in Advanced eDiscovery](document-metadata-fields-in-Advanced-eDiscovery.md).
+Click each filter to expand it and assign a value. Click outside the filter to automatically apply the filter to the review set. The following screenshot shows the Date filter configured to show documents within a date range.
-### Conditions
+![Default filter expanded](../media/ExpandedFilter.png)
-Every searchable field in a review set has a corresponding condition that you can use to build your query.
+## Add or remove filters
-There are multiple types of conditions:
+To add or remove filters that are displayed for the review set, select **Filters** to open the filter panel, which is displayed on a flyout page.
-- Freetext: A freetext condition is used for text fields such as subject. You can list multiple search terms by separating them out with a comma.
+![Filter panel](../media/FilterPanel.png)
-- Date: A date condition is used for date fields such as last modified date.
+The available filters are organized in four sections:
-- Search options: A search options condition will provide a list of possible values for the particular field in your review set. This is used for fields, such as sender, where there is a finite number of possible values in your review set.
+- **Search**: Filters that provide different search capabilities.
-- Keyword: A keyword condition is a specific instance of freetext condition that you can use to search for terms, or use KQL-like query language in. See below for more detail.
+- **Analytics & predictive coding**: Filters for properties generated and added to documents when you run the **Document & email analytic** job or use predictive coding models.
-### Query language
+- **IDs**: Filters for all ID properties of documents.
-In addition to conditions, you can use a KQL-like query language in the Keywords condition to build your query. The query language for review set queries supports standard Boolean operators, such as **AND**, **OR**, **NOT**, and **NEAR**. It also supports a single-character wildcard (?) and a multi-character wildcard (*).
+- **Item properties**: Filters for document properties.
-## Filters
+Expand each section and select or deselect filters to add or remove them in the filter set. When you add a filter, it's displayed in the filter set.
-In addition to queries that you can save, you can use review set filters to quickly apply additional conditions to a review set query. Using filters help you further refine the results displayed by a review set query.
+![List of filter sections and properties in the filter panel](../media/FilterPanel2.png)
-![Review set filters](../media/AeDReviewSetFilters.png)
+> [!NOTE]
+> When you expand a section in the filter panel, you'll notice that the default filter types are selected. You can keep these selected or deselect them and removed them from the filter set.
-Filters differ from queries in two significant ways:
+## Filter types
-- Filters are transient. They don't persist beyond the existing session. In other words, you can't save a filter. Queries are saved to the review set, and access them whenever you open the review set.
+Every searchable field in a review set has a corresponding filter that you can use for filter items based on a specific field.
-- Filters are always additive. Filters are applied in addition to the current review set query. Applying a different query will replace the results returned by the current query.
+There are multiple types of filters:
+
+- **Freetext**: A freetext filter is applied to text fields such as "Subject". You can list multiple search terms by separating them with a comma.
+
+- **Date**: A date filter is used for date fields such as "Last modified date".
+
+- **Search options**: A search options filter provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This filter is used for fields, such as "Sender", where there is a finite number of possible values in the review set.
+
+- **Keyword**: A keyword condition is a specific instance of freetext condition that you can use to search for terms. You can also use KQL-like query language in this type of filter. For more information, see the Query language and Advanced query builder sections in this topic.
+
+## Include and exclude filter relationships
+
+You have the option to change the include and exclude relationship for a particular filter. For example, in the Tag filter, you can exclude items that are tagged with a particular tag by selecting **Equals none of** in the dropdown filter.
+
+![Exclude tag filter](../media/TagFilterExclude.png)
+
+## Save filters as queries
+
+After you are satisfied with your filters, you can save the filter combination as a filter query. This lets you apply the filter in the future review sessions.
+
+To save a filter, select **Save the query** and name it. You or other reviewers can run previously saved filter queries by selecting the **Saved filter queries** dropdown and selecting a filter query to apply to review set documents.
+
+![Save a filter query](../media/SaveFilterQuery.png)
+
+To delete a filter query, open the filter panel and select the trashcan icon next to the query.
+
+![Delete a filter query](../media/DeleteFilterQuery.png)
+
+## Query language
+
+In addition to using filters, you can also use a KQL-like query language in the Keywords filter to build your review set search query. The query language for review set queries supports standard Boolean operators, such as **AND**, **OR**, **NOT**, and **NEAR**. It also supports a single-character wildcard (?) and a multi-character wildcard (*).
+
+## Advanced query builder
+
+You can also build more advanced queries to search for documents in a review set.
+
+1. Open the filter panel, select **Filters**, and expand the **Search** section.
+
+ ![Add a KQL filter](../media/AddKQLFilter.png)
+
+2. Select the **KQL** filter and click **Open query builder**.
+
+ In this panel, you can create complex KQL queries by using the query builder. You can add conditions or add condition groups that are made up of multiple conditions that are logically connected by **AND** or **OR** relationships.
+
+ ![Use query builder to configure complex filter queries](../media/ComplexQuery.png)
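Review bot: the added front-matter line begins with a space before "Title:", which breaks YAML front matter if that space is real; drop it. In the body: "deselect them and removed them from the filter set" should be "remove them"; "a corresponding filter that you can use for filter items" should be "use to filter items"; the Keyword item still says "A keyword condition is a specific instance of freetext condition" in a list that otherwise uses the new term "filter"; "in the future review sessions" should be "in future review sessions". Step 1 of the advanced query builder reads "Open the filter panel, select **Filters**", but the earlier section says selecting **Filters** is what opens the panel, so reorder it to "Select **Filters** to open the filter panel"; step 2 uses "click" where the rest of the article uses "select". The Keyword item refers readers to "the Query language and Advanced query builder sections in this topic"; link those headings.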
compliance Search For And Delete Messages In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization.md
search.appverid:
- MOE150 - MET150 ms.assetid: 3526fd06-b45f-445b-aed4-5ebd37b3762a
-description: "Use the search and purge feature in the Security & Compliance Center to search for and delete an email message from all mailboxes in your organization."
+description: "Use the search and purge feature in the Microsoft 365 compliance center to search for and delete an email message from all mailboxes in your organization."
# Search for and delete email messages
You can use the Content Search feature to search for and delete an email message
> [!NOTE] > The **Organization Management** role group exists in both Exchange Online and Security & Compliance Center. These are separate role groups that give different permissions. Being a member of **Organization Management** in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the **Search And Purge** role in Security & Compliance Center (either directly or through a role group such as **Organization Management**), you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'". -- You have to use Security & Compliance Center PowerShell to delete messages. See [Step 2](#step-2-connect-to-security--compliance-center-powershell) for instructions about how to connect.
+- You have to use Security & Compliance Center PowerShell to delete messages. See [Step 1](#step-1-connect-to-security--compliance-center-powershell) for instructions about how to connect.
- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes. -- The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000. If the search (that you create in [Step 1](#step-1-create-a-content-search-to-find-the-message-to-delete)) searches more than 50,000 mailboxes, the purge action (that you create in Step 3) will fail. Searching more than 50,000 mailbox in a single search might typically happen when you configure the search to include all mailboxes in your organization. This restriction still applies even when less than 50,000 mailboxes contain items that match the search query. See the [More information](#more-information) section for guidance about using search permissions filters to search for and purge items from more than 50,000 mailboxes.
+- The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000. If the search (that you create in [Step 2](#step-2-create-a-content-search-to-find-the-message-to-delete) searches more than 50,000 mailboxes, the purge action (that you create in Step 3) will fail. Searching more than 50,000 mailbox in a single search might typically happen when you configure the search to include all mailboxes in your organization. This restriction still applies even when less than 50,000 mailboxes contain items that match the search query. See the [More information](#more-information) section for guidance about using search permissions filters to search for and purge items from more than 50,000 mailboxes.
- The procedure in this article can only be used to delete items in Exchange Online mailboxes and public folders. You can't use it to delete content from SharePoint or OneDrive for Business sites. - Email items in a review set in an Advanced eDiscovery case can't be deleted by using the procedures in this article. That's because items in a review set are stored in an Azure Storage location, and not in the live service. This means they won't be returned by the content search that you create in Step 1. To delete items in a review set, you have to delete the Advanced eDiscovery case that contains the review set. For more information, see [Close or delete an Advanced eDiscovery case](close-or-delete-case.md).
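Review bot: the rewritten 50,000-mailbox bullet is missing the closing parenthesis after the Step 2 link, "(that you create in [Step 2](#step-2-create-a-content-search-to-find-the-message-to-delete)" should end with "))" as the removed version did. With the steps renumbered, the unchanged review-set bullet still says "the content search that you create in Step 1", which now points at the PowerShell connection step; update it to Step 2. The unchanged NOTE above still says the error appears "in Step 3 when you run the **New-ComplianceSearchAction** cmdlet", which matches the new numbering.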
-## Step 1: Create a Content Search to find the message to delete
+## Step 1: Connect to Security & Compliance Center PowerShell
-The first step is to create and run a Content Search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the Security & Compliance Center or by running the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets. The messages that match the query for this search will be deleted by running the **New-ComplianceSearchAction -Purge** command in [Step 3](#step-3-delete-the-message). For information about creating a Content Search and configuring search queries, see the following topics:
+The first step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
-- [Content Search in Office 365](content-search.md)
+## Step 2: Create a Content Search to find the message to delete
-- [Keyword queries for Content Search](keyword-queries-and-search-conditions.md)
+The second step is to create and run a Content search to find the message that you want to remove from mailboxes in your organization. You can create the search by using the Microsoft 365 compliance center or by running the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets in Security & Compliance PowerShell. The messages that match the query for this search will be deleted by running the **New-ComplianceSearchAction -Purge** command in [Step 3](#step-3-delete-the-message). For information about creating a Content search and configuring search queries, see the following topics:
+
+- [Content search in Office 365](content-search.md)
+
+- [Keyword queries for Content search](keyword-queries-and-search-conditions.md)
- [New-ComplianceSearch](/powershell/module/exchange/New-ComplianceSearch) - [Start-ComplianceSearch](/powershell/module/exchange/Start-ComplianceSearch) > [!NOTE]
-> The content locations that are searched in the Content Search that you create in this step can't include SharePoint or OneDrive for Business sites. You can include only mailboxes and public folders in a Content Search that will be used to email messages. If the Content Search includes sites, you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet.
+> The content locations that are searched in the Content search that you create in this step can't include SharePoint or OneDrive for Business sites. You can include only mailboxes and public folders in a Content search that will be used to email messages. If the Content search includes sites, you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet.
### Tips for finding messages to remove
The goal of the search query is to narrow the results of the search to only the
- Preview the search results to verify that the search returned only the message (or messages) that you want to delete. -- Use the search estimate statistics (displayed in the details pane of the search in the Security & Compliance Center or by using the [Get-ComplianceSearch](/powershell/module/exchange/get-compliancesearch) cmdlet) to get a count of the total number of results.
+- Use the search estimate statistics (displayed in the details pane of the search in the Microsoft 365 compliance center or by using the [Get-ComplianceSearch](/powershell/module/exchange/get-compliancesearch) cmdlet) to get a count of the total number of results.
Here are two examples of queries to find suspicious email messages.
$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation A
Start-ComplianceSearch -Identity $Search.Identity ```
-## Step 2: Connect to Security & Compliance Center PowerShell
-
-The next step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
-
-After you've connected to Security & Compliance Center PowerShell, run the **New-ComplianceSearch** and **Start-ComplianceSearch** cmdlets that you prepared in the previous step.
- ## Step 3: Delete the message
-After you've created and refined a Content Search to return the message that you want to remove and are connected to Security & Compliance Center PowerShell, the final step is to run the **New-ComplianceSearchAction** cmdlet to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
+After you've created and refined a Content search to return the message that you want to remove and are connected to Security & Compliance Center PowerShell, the final step is to run the **New-ComplianceSearchAction** cmdlet to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
-In the following example, the command soft-deletes the search results returned by a Content Search named "Remove Phishing Message".
+In the following example, the command soft-deletes the search results returned by a Content search named "Remove Phishing Message".
```powershell New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
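Review bot: the renumbering leaves a stale cross-reference in the unchanged note at the top of this hunk, which still says review-set items "won't be returned by the content search that you create in Step 1"; after this change the search is created in Step 2 and Step 1 is the PowerShell connection, so that should read "Step 2". Separately, the sentence in the NOTE block, "You can include only mailboxes and public folders in a Content search that will be used to email messages", is missing its verb in both the old and new line and should read "used to delete email messages". Since the paragraph says you can soft- or hard-delete but the example only shows `-PurgeType SoftDelete`, consider naming `-PurgeType HardDelete` as the other value and repeating the point that held mailboxes keep the items regardless, so no one treats a successful purge as proof of removal from a mailbox on hold.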
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ | 4.2112.0+ | 4.2112.0+ | Yes |
+|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ <sup>\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes |
|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
-|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43.1108+ | 4.2111+ | 4.2111+ | Yes |
+|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43.1108+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
| **Footnotes:**
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
For labels with any of these encryption configurations, the labels aren't displayed to users in Office for the web. Additionally, the new capabilities can't be used with labeled documents that already have these encryption settings. For example, these documents won't be returned in search results, even if they are updated.
+- For performance reasons, when you upload or save a document to SharePoint and the file's label doesn't apply encryption, the **Sensitivity** column in the document library can take a while to display the label name. Factor in this delay if you use scripts or automation that depend on the label name in this column.
+ - Users might experience delays in being able to open encrypted documents in the following Save As scenario: Using a desktop version of Office, a user chooses Save As for a document that has a sensitivity label that applies encryption. The user selects SharePoint or OneDrive for the location, and then immediately tries to open that document in Office for the web. If the service is still processing the encryption, the user sees a message that the document must be opened in their desktop app. If they try again in a couple of minutes, the document successfully opens in Office for the web. - For encrypted documents, printing is not supported.
To enable the new capabilities, use the [Set-SPOTenant](/powershell/module/share
1. Using a work or school account that has global administrator or SharePoint admin privileges in Microsoft 365, connect to SharePoint. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
- Note: If you have Microsoft 365 Multi-Geo, use the -Url parameter with [Connect-SPOService](/powershell/module/sharepoint-online/connect-sposervice), and specify the SharePoint Online Administration Center site URL for one of your geo-locations.
+ > [!NOTE]
+ > If you have Microsoft 365 Multi-Geo, use the -Url parameter with [Connect-SPOService](/powershell/module/sharepoint-online/connect-sposervice), and specify the SharePoint Online Administration Center site URL for one of your geo-locations.
2. Run the following command and press **Y** to confirm:
If you have Microsoft 365 Multi-Geo, you must run this command for each of your
After you've enabled sensitivity labels for Office files in SharePoint and OneDrive, consider automatically labeling these files by using auto-labeling policies. For more information, see [Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md).
-Need to share your labeled and encrypted documents with people outside your organization? See [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).
+Need to share your labeled and encrypted documents with people outside your organization? See [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).
compliance Tagging Documents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-documents.md
Organizing content in a review set is important to complete various workflows in
- Culling unnecessary content - Identifying relevant content
-
-- Identifying content that must be reviewed by an expert or an attorney
-When experts, attorneys, or other users review content in a review set, their opinions related to the content can be captured by using tags. For example, if the intent is to cull unnecessary content, a user can tag documents with a tag such as "non-responsive". After content has been reviewed and tagged, a review set search can be created to exclude any content tagged as "non-responsive", which eliminates this content from the next steps in the eDiscovery workflow. The tag panel can be customized for every case so that the tags can support the intended review workflow.
+- Identifying content that must be reviewed by an expert or attorney
+
+When experts, attorneys, or other users review content in a review set, their opinions related to the content can be captured by using tags. For example, if the intent is to cull unnecessary content, a user can tag documents with a tag such as "non-responsive". After content has been reviewed and tagged, a review set search can be created to exclude any content tagged as "non-responsive". This process eliminates the non-responsive content from the next steps in the eDiscovery workflow. The tagging panel in a review set can be customized for every case so that the tags support the intended review workflow for the case.
+
+> [!NOTE]
+> The scope of tags is an Advanced eDiscovery case. That means a case can only have one set of tags that reviewers can use to tag review set documents. You can't set up a different set of tags for use in different review sets in the same case.
## Tag types Advanced eDiscovery provides two types of tags: -- **Single choice tags** - Restricts users to select a single tag within a group. This can be useful to ensure users don't select conflicting tags such as "responsive" and "non-responsive". These will appear as radio buttons.
+- **Single choice tags**: Restricts reviewers to selecting a single tag within a group. These types of tags can be useful to ensure that reviewers don't select conflicting tags such as "responsive" and "non-responsive". Single choice tags appear as radio buttons.
-- **Multiple choice tags** - Allow users to select multiple tags within a group. These will appear as checkboxes.
+- **Multiple choice tags**: Allow reviews to select multiple tags within a group. These types of tags appear as checkboxes.
## Tag structure In addition to the tag types, the structure of how tags are organized in the tag panel can be used to make tagging documents more intuitive. Tags are grouped by sections. Review set search supports the ability to search by tag and by tag section. This means you can create a review set search to retrieve documents tagged with any tag in a section.
-![Tag sections in the tag panel](../media/Tagtypes.png)
+![Tag sections in the tag panel](../media/TagTypes.png)
-Tags can be further organized by nesting them within a section. For example, if the intent is to identify and tag privileged content, nesting can be used to make it clear that a user can tag a document as "Privileged" and select the type of privilege by checking the appropriate nested tag.
+You can further organize tags by nesting them within a section. For example, if the intent is to identify and tag privileged content, nesting can be used to make it clear that a reviewer can tag a document as "Privileged" and select the type of privilege by checking the appropriate nested tag.
-![Nested tags within a tag section](../media/Nestingtags.png)
+![Nested tags within a tag section](../media/NestingTags.png)
-## Applying tags
+## Create tags
+
+Before applying tags to documents in the review set, you need to create a tag structure.
+
+1. Open a review set and navigate to the command bar and select **Tag by query**.
+
+2. In the tagging panel, select **Manage tag options**
-There are several ways to apply a tag to content.
+3. Select **Add tag section**.
-### Tagging a single document
+4. Type a tag group title and an optional description, and then click**Save**.
-When viewing a document in a review set, you can display the tags that a review can use by clicking **Tagging panel**.
+5. Select the triple dot dropdown menu next to the tag group title and click **Add check box** or **Add option button**.
-![Click Tag panel to display the tag panel](../media/Singledoctag.png)
+6. Type a name and description for the checkbox or option button.
-This will enable you to apply tags to the document displayed in the viewer.
+7. Repeat this process to create new tag sections, tag options, and checkboxes.
-### Bulk tagging
+ ![Configure tag structure](../media/ManageTagOptions3.png)
-Bulk tagging can be done by selecting multiple files in the results grid and then using the tags in the **Tagging panel** similar to tagging single documents. Bulk un-tagging can be done by selecting tags twice; the first click will apply the tag, and the second selection will ensure that tag is cleared for all selected files.
+## Applying tags
+
+With the tag structure in place, reviewers can apply tags to documents in a review set. There are two different ways to apply tags:
+
+- Tag files
+
+- Tag by query
-![A screenshot of a cell phone
-Description automatically generated](../media/Bulktag.png)
+### Tag files
+
+Whether you select a single item or several items in a review set, you can apply tags to their selection by clicking **Tag files** in the command bar. In the tagging panel, you can select a tag and it is automatically applied to the selected documents.
+
+![Tag selected files](../media/TagFile2.png)
> [!NOTE]
-> When bulk tagging, the tagging panel will display a count of files that are tagged for each tag in the panel.
+> Tags will be applied only to selected items in the list of items.
+
+### Tag by query
-### Tagging in other review panels
+Tagging by query lets you apply tags to all items displayed by a filter query that's currently applied in the review set.
-When reviewing documents, you can use the other review panels to review other characteristics of documents in the results grid. This includes reviewing other related documents, email threads, near duplicates, and hash duplicates. For example, when you're reviewing related documents (by using the **Document family** review panel), you can significantly reduce review time by bulk tagging related documents. For example, if an email message has several attachments and you want to ensure that the entire family is tagged consistently.
+1. Unselect all items in the review set and go to the command bar and select **Tag by query**.
-For example, here's how to display the **Tagging panel** when using the **Document family** review panel:
+2. In the tagging panel, select the tag that you want to apply.
-1. With the review panel open for a selected document (for example, displaying the list of related content in the **Document family** review panel, click **Tag documents** under the document family review panel.
+3. Under the **Tag selection** dropdown, there are three options that dictate which items to apply the tag to.
- The tagging panel is displayed as a pop-up window.
+ - **Items that match applied query**: Applies tags to specific items that match the filter query conditions.
-2. Choose one or more tags to apply the selected document.
+ - **Include associated family items**: Applies tags to specific items that match the filter query conditions and their associated family items. *Family items* are items that share the same FamilyId metadata value.
-3. To tag all documents, select all documents in the **Document family** panel, click **Tag documents**, and then choose the tags to apply to the entire family of documents.
+ - **Include associated conversation items**: Applies tags to items that match the filter query conditions and their associated conversation items. *Conversation items* are items that share the same ConversationId metadata values.
-![A screenshot of a social media post
-Description automatically generated](../media/Relatedtag.png)
+ ![Tag selection](../media/TagByQuery2.png)
+
+4. Click **Start tagging job** to trigger the tagging job.
+
+## Tag filter
+
+Use the tag filter in review set to quickly find or exclude items from the query results based on how an item is tagged.
+
+1. Select **Filters** to expand the filter panel.
+
+2. Select and expand **Item properties**.
+
+3. Scroll down to find the filter named **Tag**, select the checkbox, and then click **Done**.
+
+4. To include or exclude items with a specific tag from a query, do one of the following:
+
+ - **Include items**: Select the tag value and select **Equal any of** in the dropdown menu.
+
+ Or
+
+ - **Exclude items**: Select the tag value and select **Equals none of** in dropdown menu.
+
+ ![Tag filter exclude items](../media/TagFilterExclude.png)
+
+> [!NOTE]
+> Be sure to refresh the page to ensure that the tag filter displays the latest changes to the tag structure.
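Review bot: typos in the new text: "Allow reviews to select multiple tags" should be "Allow reviewers to select", "click**Save**" needs a space before the bold, and "you can apply tags to their selection by clicking **Tag files**" should be "your selection". The Tag by query steps open with "Unselect all items" without saying why; state, as the section's lead sentence already does, that the job acts on the items matched by the current filter rather than on a selection, so the reader understands the two procedures are deliberately different. In the Tag filter steps the operator labels are written as "Equal any of" and "Equals none of"; confirm both against the UI and make them consistent.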
contentunderstanding Explanation Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/explanation-types-overview.md
- enabler-strategic - m365initiative-syntex localization_priority: Priority
-description: "Learn more about explanation types in Microsoft SharePoint Syntex."
+description: "Learn more about phrase list, regular expression, and proximity explanation types in Microsoft SharePoint Syntex."
# Explanation types in Microsoft SharePoint Syntex
To add a regular expression explanation type:
![Screenshot showing the Create an explanation panel with Email address template applied.](../media/content-understanding/create-regular-expression-email.png)
+### Limitations
+
+The following table shows inline character options that currently are not available for use in regular expression patterns.
+
+|Option |State |Current functionality |
+||||
+|Case sensitivity | Currently not supported. | All matches performed are case-insensitive. |
+|Line anchors | Currently not supported. | Unable to specify a specific position in a string where a match must occur. |
+ ## Proximity The proximity explanation type helps your model identify data by defining how close another piece of data is to it. For example, in your model say you have defined two explanations that label both the customer *street address number* and *phone number*.
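Review bot: the separator row of the new Limitations table is `||||` with no dashes, so it will not render as a Markdown table; use `|---|---|---|` (the same fix is applied to the Business Assist table elsewhere in this update). "Inline character options" is also unclear; "regular expression options (inline modifiers)" says what the rows actually are, and the State column just repeats "Currently not supported" for every row, which the heading already implies, so it can be folded into the Current functionality column.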
contentunderstanding Solution Manage Contracts In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-in-microsoft-365.md
This contract management solution guidance includes four components of Microsoft
![Contracts tab.](../media/content-understanding/tile-view.png)
+### Licensing requirements
+
+This solution relies on the following functionality, all available as part of a Microsoft 365 Enterprise (E1, E3, E5, F3) or Business (Basic, Standard, or Premium) license:
+
+- Microsoft SharePoint Syntex
+- Microsoft Teams
+- Power Automate
+ ## Create the solution The next sections will go into detail about how to configure your contracts management solution. It's divided into three steps:
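Review bot: the licensing statement needs checking before merge: SharePoint Syntex is sold as a per-user add-on rather than as part of the Microsoft 365 E1/E3/E5/F3 or Business Basic/Standard/Premium base plans, so "all available as part of a Microsoft 365 ... license" should instead say that the solution requires one of those plans plus a Syntex license. Please confirm against the current licensing guide and adjust the wording accordingly.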
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
description: "This article describes how you can launch your portal using the Po
A portal is a SharePoint communication site on your intranet that is high-traffic ΓÇô a site that has anywhere from 10,000 to over 100,000 viewers over the course of several weeks. Use the Portal launch scheduler to launch your portal to ensure users have a smooth viewing experience when accessing your new SharePoint portal. <br> <br>
-The Portal launch scheduler is designed to help you follow a phased roll-out approach by batching viewers in waves and managing the URL redirects for the new portal. During the launch of each wave, you can gather user feedback, monitor portal performance, and pause the launch to resolve issues before proceeding with the next wave. Learn more about how to [plan a portal launch in SharePoint](https://docs.microsoft.com/microsoft-365/Enterprise/Planportallaunchroll-out?view=o365-worldwide).
+The Portal launch scheduler is designed to help you follow a phased roll-out approach by batching viewers in waves and managing the URL redirects for the new portal. During the launch of each wave, you can gather user feedback, monitor portal performance, and pause the launch to resolve issues before proceeding with the next wave. Learn more about how to [plan a portal launch in SharePoint](/microsoft-365/Enterprise/Planportallaunchroll-out?view=o365-worldwide).
**There are two types of redirections:**
Formerly, portal launches could only be scheduled through SharePoint PowerShell.
7. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.
-8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
+ >[!NOTE]
+ > Up to 50 distinct users or security groups max can be added. Use security groups when you need more than 50 individuals to get access to the portal before the waves start launching.
-### Launch portal with over 100k users
+8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
-If you are planning to launch a portal with over 100,000 users, please submit a support request following the steps listed below. Make sure to include all requested information.
+### Launch a portal with over 100k users
-Follow these steps:
-1. Navigate to https://admin.microsoft.com
-2. Ensure you are using the new admin center preview.
-3. On the left nav pane, select **Support**, and then select **New Service Request**.
+If you are planning to launch a portal with over 100,000 users, submit a support request following the steps listed below. Make sure to include all the requested information.
+**Follow these steps:**
+1. Go to https://admin.microsoft.com
+2. Ensure you are using the new admin center preview
+3. On the left navigational pane, select **Support**, and then select **New Service Request**
This will activate the **Need Help?** pane on the right-hand side of your screen.
-4. In the **Briefly describe your issue** area, enter "Launch SharePoint Portal with 100k users".</br>
-5. Select **Contact Support**.
-6. Under **Description**, enter "Launch SharePoint Portal with 100k users".
-7. Fill out the remaining info, and select **Contact me**.
+4. For **Briefly describe your issue**, enter "Launch SharePoint Portal with 100k users"</br>
+5. Then, select **Contact Support**
+6. Under **Description**, enter "Launch SharePoint Portal with 100k users"
+7. Fill out the remaining information, and then select **Contact me**
8. After the ticket has been created, ensure you provide the support agent with the following information:-- Launch Portal URL's -- Number of users expected-- Estimated time of launch
+ - Portal URL's
+ - Number of users expected
+ - Estimated launch schedule
## Make changes to a scheduled portal launch
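Review bot: "Portal URL's" in the new sub-list should be "Portal URLs" (plural, no apostrophe), and "Up to 50 distinct users or security groups max can be added" states the limit twice; "You can add up to 50 distinct users or security groups" is enough. The rewritten steps 1 through 7 drop the terminal period while step 8 keeps it; pick one style for the list. "Ensure you are using the new admin center preview" is carried over unchanged; check whether that step is still needed now that the new admin center is the default experience.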
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
The Windows 10 and Office 365 deployment lab kit is designed to help you plan, t
This kit is highly recommended for organizations preparing for Windows 8.1 upgrades to Windows 10. It also applies if you're currently using Windows 10, Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus), or Office 2019. As an isolated environment, the resulting lab is ideal for exploring deployment tool updates and testing your deployment-related automation.
-[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit).
+[Download the Windows 10 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit).
## A complete lab environment
The kit provides you with an automatically provisioned virtual lab environment,
- NEW! Windows 10 Enterprise, Version 21H1 - Windows 7 Enterprise
- - NEW! Microsoft Endpoint Configuration Manager, Version 2103*
+ - NEW! Microsoft Endpoint Configuration Manager, Version 2103
- Windows Assessment and Deployment Kit for Windows 10 - Microsoft Deployment Toolkit - Microsoft Application Virtualization (App-V)
Detailed lab guides take you through multiple deployment and management scenario
[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit).
-Note: Please use a broad bandwidth Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires August 23, 2021. A new version will be published prior to expiration.
+> [!NOTE]
+> Please use a broadband Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires August 23, 2021. A new version will be published prior to expiration.
## Additional guidance
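Review bot: the first download link is renamed to "Download the Windows 10 and Office 365 deployment lab kit", but the second download link further down (shown as an unchanged context line) still reads "Download the Windows and Office Deployment Lab Kit"; update both so the article uses one name. Also, the trailing asterisk removed from "Microsoft Endpoint Configuration Manager, Version 2103*" presumably pointed at a footnote; make sure that footnote is removed too if nothing else references it, or keep the marker if the footnote still applies.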
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
The OCCT can be deployed on Windows clients at any time before phase 9. If the O
## Active Directory Federation Services (AD FS)
-<!-- before phase 4 -->
- **Applies to**: Customers using AD FS on premises to authenticate users connecting to Microsoft Office 365<br>
-**When applied**: Any time before phase 4 starts
+**When applied**: Any time before phase 2 starts
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.md) ## SharePoint Online
-<!-- before phase 4 -->
- **Applies to**: Customers using SharePoint 2013 on-premises<br> **When applied**: Any time before phase 4 starts
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
In case you are using single sign on for Office 365 and Azure in the Microsoft C
**When applied**: Before phase 2 starts
-If you are using Active Directory Federation Services (AD FS), make sure to [back up your ADFS configuration before and after adding the relying party trust](ms-cloud-germany-transition-azure-ad.md) for the Office 365 Global service **before** the beginning of phase 2.
+If you are using Active Directory Federation Services (AD FS), make sure to [back up your ADFS configuration before and after adding the relying party trust](ms-cloud-germany-transition-add-adfs.md) for the Office 365 Global service **before** the beginning of phase 2.
## Phase 2: Azure AD Migration In this phase the Azure Active Directory will be migrated to the new datacenter region and become active. The old Azure AD endpoints will be still available.
managed-desktop Admin Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
You can submit support tickets or feedback requests to Microsoft using the Micro
>Make sure that you [set up an Admin contact](../get-started/add-admin-contacts.md) for app packaging, devices, security, and other. You are unable to submit a support request in any of these areas if an admin contact is not configured. **To submit a support request**
-1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Troubleshooting + support** menu.
+1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
2. Look for the Microsoft Managed Desktop section, select **Service request**. 3. On **Support requests**, select **+ New Support ticket**. 4. Select the **Support request type** that matches the help you need. The table below outlines the options.
managed-desktop Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/reports.md
# Work with reports
-Microsoft Managed Desktop provides several reports and dashboards that IT admins in your organization can use to understand various aspects of the population of devices. You'll find reports in two locations: in [Microsoft Endpoint Manager](https://endpoint.microsoft.com) and in the [Microsoft 365 Admin Center](https://admin.microsoft.com/adminportal/home?previewoff=false#/microsoftmanageddesktop).
+Microsoft Managed Desktop provides several reports and dashboards that IT admins in your organization can use to understand various aspects of the population of devices.ΓÇ»
## Reports in Microsoft Endpoint Manager
Additionally, in several locations throughout Microsoft Endpoint Manager you can
> [!NOTE] > Custom Microsoft Managed Desktop roles guarantee access only to the Microsoft Managed Desktop reports. To access other parts of Microsoft Endpoint Manager, such as **All devices**, see [Role-based access control with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+## Endpoint analytics
+Microsoft Managed Desktop is now integrated with [Endpoint analytics](/mem/analytics/overview). These reports give you insights for measuring how your organization is working and the quality of the experience delivered to your users. Endpoint analytics is in the **Reports** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). To pivot a score to only include devices being managed by Microsoft Managed Desktop go to any report, select the **Filter** drop down, and then select **Microsoft Managed Desktop devices**.
+
+If Endpoint analytics wasn't automatically configured for your Azure AD organization ("tenant") during enrollment, you can do that yourself. For more information, see [Onboard in the Endpoint analytics portal](/mem/analytics/enroll-intune#bkmk_onboard). You can enroll all your devices or, if you want to include only Microsoft Managed Desktop devices, select the **modern workplace device** groups for Test, First, Fast, and Broad. These reports might require different permissions. For more information, see [Permissions](/mem/analytics/overview#permissions) to ensure you have roles appropriately assigned.
+
+> [!NOTE]
+> To better respect privacy user privacy, there must be more than 10 Microsoft Managed Desktop devices enrolled with Endpoint analytics to use this filter.
## Inventory data
-In addition to the other reports, you can export information about the devices managed by Microsoft Managed Desktop. In the **Devices** view of the **Devices** area of Microsoft Endpoint Manager, use the **Export all** tab to [download a detailed inventory report](device-inventory-report.md).
+In addition to the other reports, you can export information about the devices managed by Microsoft Managed Desktop. In the **Devices** view of the **Devices** area of Microsoft Endpoint Manager, use the **Export all** tab to [download a detailed inventory report](device-inventory-report.md).
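Review bot: "To better respect privacy user privacy" in the added note duplicates "privacy"; it should read "To better respect user privacy". The final change to the Inventory data paragraph replaces a line with identical visible text; if it is only a trailing-whitespace fix that is fine, otherwise check for an unintended character change.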
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Attack surface reduction]() #### [Overview of attack surface reduction](overview-attack-surface-reduction.md)
+#### [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md)
+#### [Learn about attack surface reduction rules](attack-surface-reduction.md)
#### [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-#### [Attack surface reduction configuration settings](configure-attack-surface-reduction.md)
+#### [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+#### [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](attack-surface-reduction-faq.md)-
-#### [Attack surface reduction controls]()
-##### [Attack surface reduction rules](attack-surface-reduction.md)
-##### [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
-##### [View attack surface reduction events](event-views.md)
-
-#### [Use audit mode](audit-windows-defender.md)
+#### [View attack surface reduction events](event-views.md)
+#### [Use audit mode for attack surface reduction](audit-windows-defender.md)
### Next-generation protection #### [Overview of Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
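Review bot: ordering point in the restructured attack surface reduction block: "Use audit mode for attack surface reduction" (audit-windows-defender.md) is placed last, after "Evaluate attack surface reduction rules" and "View attack surface reduction events", although the evaluate page in this same update describes evaluating rules by enabling audit mode. Consider moving the audit-mode entry next to "Evaluate attack surface reduction rules" so readers meet audit mode before the pages that rely on it. The rename of the configure-attack-surface-reduction.md entry to "Configure attack surface reduction capabilities" matches the retitled page elsewhere in this update.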
###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Using OData Queries](exposed-apis-odata-samples.md) +
+#### [Raw data streaming API]()
+##### [Raw data streaming](raw-data-export.md)
+##### [Stream advanced hunting events to Azure Events hub](raw-data-export-event-hub.md)
+##### [Stream advanced hunting events to your storage account](raw-data-export-storage.md)
++ #### [SIEM integration]() ##### [Understand threat intelligence concepts](threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](configure-siem.md)
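Review bot: "Stream advanced hunting events to Azure Events hub" in the new Raw data streaming API block should read "Azure Event Hubs", the service name used in the management-apis.md change on this page; "Events hub" is neither the product name nor consistent with the sibling "to your storage account" entry. The parent "Raw data streaming API" entry uses an empty link target `()` to act as a section node, matching the existing "SIEM integration" and "Attack surface reduction" nodes, so that part is fine.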
security Audit Windows Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/audit-windows-defender.md
ms.sitesec: library
ms.pagetype: security localization_priority: Normal audience: ITPro--++ ms.technology: mde Last updated : 06/02/2021+
-# Test how Microsoft Defender for Endpoint features work in audit mode
+# Test attack surface reduction in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) -
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
+If you're part of your organization's security team, you can configure attack surface reduction capabilities to run in audit mode to see how they'll work in your organization. In particular, you can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
You may want to enable audit mode when testing how the features will work in your organization. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.
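Review bot: the new opening sentence of the replaced paragraph ("If you're part of your organization's security team, you can configure attack surface reduction capabilities to run in audit mode to see how they'll work in your organization") says the same thing as the unchanged paragraph that follows ("You may want to enable audit mode when testing how the features will work in your organization"); drop one or merge the audience qualifier into the existing sentence. The new title "Test attack surface reduction in Microsoft Defender for Endpoint" also narrows the scope while the body still lists exploit protection, network protection and controlled folder access as separately enabled features; "attack surface reduction capabilities", the phrase the paragraph itself uses, would be the more precise title.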
You can use Group Policy, PowerShell, and configuration service providers (CSPs)
| Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
-## Related topics
-* [Protect devices from exploits](exploit-protection.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Protect your network](network-protection.md)
-* [Protect important folders](controlled-folders.md)
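Review bot: removing the Related topics section drops the links to exploit-protection.md, attack-surface-reduction.md, network-protection.md and controlled-folders.md. Of those, only exploit-protection.md is still linked from the visible table row (through the exploit protection events anchor); check that attack-surface-reduction.md, network-protection.md and controlled-folders.md remain reachable from the rest of the table, and if they do not, keep the section or add the links to the table's description cells.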
security Configure Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-attack-surface-reduction.md
Title: Configure attack surface reduction
+ Title: Configure attack surface reduction capabilities
description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and Group Policy to configure attack surface reduction. keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro ms.technology: mde Last updated : 06/02/2021
-# Configure attack surface reduction
-
+# Configure attack surface reduction capabilities
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> [!TIP]
+> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink).
+
+Defender for Endpoint includes several attack surface reduction capabilities. To learn more, see [Overview of attack surface reduction capabilities](overview-attack-surface-reduction.md). To configure attack surface reduction in your environment, follow these steps:
+
+1. [Enable hardware-based isolation for Microsoft Edge](/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+
+2. Enable application control.
+
+ 1. Review base policies in Windows. See [example base policies](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies).
+ 2. See the [application control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide).
+ 3. Refer to the [application control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
+
+3. [Enable controlled folder access](enable-controlled-folders.md).
+
+4. [Turn on Network protection](enable-network-protection.md).
+
+5. [Enable exploit protection](enable-exploit-protection.md).
-You can configure attack surface reduction with many tools, including:
+6. [Configure attack surface reduction rules](enable-attack-surface-reduction.md).
-* Microsoft Intune
-* Microsoft Endpoint Configuration Manager
-* Group Policy
-* PowerShell cmdlets
+7. Set up your network firewall.
-Article | Description
--|-
-[Enable hardware-based isolation for Microsoft Edge](/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard) | How to prepare for and install Application Guard, including hardware and software requirements
-[Enable application control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|How to control applications run by users and protect kernel mode processes
-[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
-[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware
-[Network firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide)|How to protect devices and data across a network
+ 1. Get an overview of [Windows Defender Firewall with advanced security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
+ 2. Use the [Windows Defender Firewall design guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide) to decide how you want to design your firewall policies.
+ 3. Use the [Windows Defender Firewall deployment guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) to set up your organization's firewall with advanced security.
+> [!TIP]
+> In most cases, when you configure attack surface reduction capabilities, you can choose from among several methods:
+> - Microsoft Endpoint Manager (which now includes Microsoft Intune and Microsoft Endpoint Configuration Manager)
+> - Group Policy
+> - PowerShell cmdlets
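Review bot: in step 2, sub-step 3 reads "Refer to the [application control design guide]" but links to windows-defender-application-control-deployment-guide; sub-step 2 already links the design guide, so the link text in 3 should be "application control deployment guide". Two smaller points in the same hunk: step 2 ("Enable application control.") lost the link to the Windows Defender Application Control overview that the removed table row carried, so add it to the step text as steps 1, 3, 4, 5 and 6 do; and "Turn on Network protection" in step 4 mixes verb and capitalization with its siblings ("Enable ...", lowercase feature names), so "Enable network protection" would be consistent.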
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md
When accepted, you will receive a welcome email and you will see the **Apply** b
You can receive targeted attack notification from Microsoft Threat Experts through the following medium: - The Defender for Endpoint portal's **Incidents** page - The Defender for Endpoint portal's **Alerts** dashboard -- OData alerting [API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)-- [DeviceAlertEvents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
+- OData alerting [API](/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)
+- [DeviceAlertEvents](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
- Your email, if you choose to configure it To receive targeted attack notifications through email, create an email notification rule.
It is crucial to respond in quickly to keep the investigation moving.
## Related topic - [Microsoft Threat Experts overview](microsoft-threat-experts.md)
+- [Microsoft Threat Experts in Microsoft 365 Overview](/microsoft-365/security/mtp/microsoft-threat-experts)
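Review bot: with the added link, the "## Related topic" heading now introduces two items, so "Related topics" is the usual form. The conversion of the OData alerting API and DeviceAlertEvents links to site-relative paths is consistent with the other files in this update; while here, the unchanged line "It is crucial to respond in quickly to keep the investigation moving" has a stray "in".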
security Customize Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro--++ ms.technology: mde+ # Customize attack surface reduction rules -- **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
ms.technology: mde
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings. ## Exclude files and folders
An exclusion applies to all rules that allow exclusions. You can specify an indi
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) .
If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
-Rule description | GUID
--|-|-
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
+| Rule description | GUID |
+|:-|:-|:-|
+| Block all Office applications from creating child processes | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` |
+| Block execution of potentially obfuscated scripts | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` |
+| Block Win32 API calls from Office macro | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` |
+| Block Office applications from creating executable content | `3B576869-A4EC-4529-8536-B80A7769E899` |
+| Block Office applications from injecting code into other processes | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` |
+| Block JavaScript or VBScript from launching downloaded executable content | `D3E037E1-3EB8-44C8-A917-57927947596D` |
+| Block executable content from email client and webmail | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` |
+| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | `01443614-cd74-433a-b99e-2ecdc07bfc25` |
+| Use advanced protection against ransomware | `c1db55ab-c21a-4637-bb3f-a12568109d35` |
+| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
+| Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
+| Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
+| Block Office communication applications from creating child processes | `26190899-1602-49e8-8b27-eb1d0a1ce869` |
+| Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
+| Block persistence through WMI event subscription | `e6db77e5-3df2-4cf1-b95a-636979351e5b` |
See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
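Review bot: the rebuilt GUID table declares three columns in its alignment row (`|:-|:-|:-|`) but has only two header cells and two cells per row; use `|:-|:-|`, otherwise renderers show an empty third column (the old `-|-|-` row had the same defect, so this is the moment to fix it). In the same hunk, the wildcard link line ends with a space before the full stop ("exclusion-lists) ."). Finally, the table does not list the "Block abuse of exploited vulnerable signed drivers" rule (56a863a9-875e-4185-98a7-b882c64b5ce5) that the enable-attack-surface-reduction.md PowerShell example in this same update uses; if the table is meant to be the full set of rules that support exclusions, check whether that rule belongs in it.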
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add
### Use MDM CSPs to exclude files and folders
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
## Customize the notification
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
audience: ITPro-+ ms.technology: mde Last updated : 06/02/2021 # Detect and block potentially unwanted applications - **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
If you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md
DeviceEvents | where ActionType == "AntivirusDetection" | extend x = parse_json(AdditionalFields)
-| evaluate bag_unpack(x)
+| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'
-| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName, WasExecutingWhileDetected, WasRemediated
``` To learn more about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
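Review bot: the replacement `project` defines ThreatName before the `where ThreatName startswith_cs 'PUA:'` line, so the query is well-formed, but the filter now runs after every AntivirusDetection row has been projected; moving it ahead of `project` as `| where tostring(x.ThreatName) startswith_cs 'PUA:'` narrows the rows first. Replacing `evaluate bag_unpack(x)` with explicit `tostring(x.<field>)` columns is the right call, since bag_unpack makes the output schema depend on whichever keys happen to be present in AdditionalFields.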
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security localization_priority: normal--++
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
ms.sitesec: library
ms.pagetype: security localization_priority: Normal audience: ITPro--++ ms.technology: mde Last updated : 06/02/2021 # Enable attack surface reduction rules - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink).
[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks.
Each ASR rule contains one of four settings:
> [!IMPORTANT] > Currently, warn mode is not supported for three ASR rules when you configure ASR rules in Microsoft Endpoint Manager (MEM). To learn more, see [Cases where warn mode is not supported](attack-surface-reduction.md#cases-where-warn-mode-is-not-supported).
-It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
+It's highly recommended to use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint). However, if you have another license, such as Windows Professional or Windows E3 that don't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
> [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
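Review bot: grammar in the rewritten licensing sentence: "if you have another license, such as Windows Professional or Windows E3 that don't include advanced monitoring and reporting capabilities" pairs a singular "another license" with "don't" and is missing the comma that closes the "such as" clause; "if you have another license, such as Windows Professional or Windows E3, that doesn't include ..." reads correctly. Changing the Defender for Endpoint link from the absolute docs.microsoft.com URL to microsoft-defender-endpoint.md is consistent with the rest of this update.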
Enterprise-level management such as Intune or Microsoft Endpoint Manager is reco
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
-You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).)
+You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See [Manage indicators](manage-indicators.md).)
> [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
You can also exclude ASR rules from triggering based on certificate and file has
You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
## MDM
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
The values to enable (Block), disable, warn, or enable in audit mode are:
- 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled) - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block). Warn mode is now available for most of the ASR rules.
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
Example:
To enable ASR Block abuse of exploited vulnerable signed drivers, use the following cmdlet: ```PowerShell
- "& {&'Add-MpPreference' -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled"}
+ Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled
``` To turn off ASR rules, use the following cmdlet:
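Review bot: the corrected cmdlet drops the broken `"& {&'Add-MpPreference' ... "}` wrapper, whose closing quote and brace were reversed, and leaves a plain `Add-MpPreference` call, which is what readers should paste; the only leftover is the leading space on the line inside the fence, which will be copied along with the command, so strip it.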
security Evaluate Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction.md
ms.sitesec: library
localization_priority: Normal audience: ITPro---+++ ms.technology: mde
Attack surface reduction rules help prevent actions typically used by malware to
Set attack surface reduction rules for devices running any of the following editions and versions of Windows: -- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization.
security Event Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-views.md
ms.mktglfcycl: manage
ms.sitesec: library localization_priority: Normal audience: ITPro--++ ms.technology: mde+ # View attack surface reduction events
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> [!TIP]
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink).
Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing events is handy when you're evaluating the features. You can enable au
This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
+Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
## Use custom views to review attack surface reduction capabilities
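Review bot: the link rewrite in the `+` line to microsoft-defender-endpoint.md is right for a same-folder article, but the sentence still gates detailed reporting on "an E5 subscription" without saying which E5 (Microsoft 365 E5 or Windows E5); name it, since that is what a reader checks before expecting the reports. Nits in the unchanged context of this hunk: "impacting your day to day workflow" should be "day-to-day workflow", and the front-matter line "audience: ITPro--++ ms.technology: mde+" looks like a merge leftover and should be checked in the raw file.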
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
The **Investigation API** exposes the richness of Defender for Endpoint - exposi
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
-## Streaming API
-Streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
+## Raw data streaming API
+Defender for Endpoint raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
-Event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
+The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
->[!NOTE]
->Streaming API has now moved to Microsoft 365 Defender. For more information, see [Streaming API](raw-data-export.md).
+For more information, see [Raw data streaming API](raw-data-export.md).
+
+The new Microsoft 365 Defender Streaming API includes email and alert events in addition to device events.
+For more information, see [Microsoft 365 Defender Streaming API](../defender/streaming-api.md).
## SIEM API
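Review bot: the two "For more information, see …" sentences added here ("For more information, see [Raw data streaming API](raw-data-export.md)." and, one line later, "For more information, see [Microsoft 365 Defender Streaming API](../defender/streaming-api.md).") read as a repeat; fold them into one short paragraph that states the split plainly: the Defender for Endpoint raw data streaming API carries device events, the Microsoft 365 Defender Streaming API adds email and alert events. The new heading "Raw data streaming API" and the retitled "Raw Data Streaming API" in raw-data-export.md later in this change set differ in case; pick one. Also "low latency, high throughput delivery mechanism" should be "low-latency, high-throughput delivery mechanism".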
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
ms.technology: mde Last updated : 06/02/2021
-# Overview of attack surface reduction
+# Overview of attack surface reduction capabilities
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
--
-Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
+> [!TIP]
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink).
+Your attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces. Watch the following video to learn more about attack surface reduction.<p>
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
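Review bot: the new intro line ends with a stray "<p>" after "learn more about attack surface reduction." which renders as an empty paragraph element before the video; drop it, the VIDEO block on the next line already starts its own block. The trial line was also reworked into a [!TIP] callout here while the three raw-data-export articles later in this change set keep it as a bare "> Want to experience …" quote; use the callout form in all of them.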
+## Resources to learn more about attack surface reduction
+
+As mentioned in the video, Defender for Endpoint includes several attack surface reduction capabilities. Use the following resources to learn more:
-Article | Description
--|-
-[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus).
-[Hardware-based isolation](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
-[Application control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Use application control so that your applications must earn trust in order to run.
-[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus)
-[Web protection](./web-protection-overview.md) | Secure your devices against web threats and help you regulate unwanted content.
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus)
-[Network firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
-[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
+| Article | Description |
+|:|:|
+| [Hardware-based isolation](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. |
+| [Application control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Use application control so that your applications must earn trust in order to run. |
+| [Controlled folder access](controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus) |
+| [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus) |
+| [Exploit protection](exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |
+| [Attack surface reduction rules](attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus). |
+| [Device control](device-control-report.md) | Protects against data loss by monitoring and controlling media used on devices, such as removable storage and USB drives, in your organization. |
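Review bot: the rebuilt table silently drops three rows the old table had: Web protection (web-protection-overview.md), Network firewall (windows-firewall-with-advanced-security) and the Attack surface reduction FAQ (attack-surface-reduction-faq.md). If the video does not cover them they should stay; the FAQ in particular is the licensing and troubleshooting entry point for the rules. The delimiter row "|:|:|" is not a valid alignment row and the table will not render; use "|:--|:--|". The new "Device control" row links to device-control-report.md, a report page, while its description reads like a feature overview; either link the feature article or name the row "Device control report". Minor: "stop malware. (Requires Microsoft Defender Antivirus)." carries a doubled full stop.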
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
Title: Stream Microsoft 365 Defender events to Azure Event Hubs
-description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Event Hub.
+ Title: Stream Microsoft Defender for Endpoint events to Azure Event Hubs
+description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hub.
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hubs
+# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-## Before you begin:
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-1. Create an [event hub](/azure/event-hubs/) in your tenant.
-
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+## Before you begin
-3. Create an Event Hub Namespace, go to **Event Hubs > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hubs | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
+1. Create an [event hub](/azure/event-hubs/) in your tenant.
-4. Once the event hub namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level). Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignements**.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
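Review bot: the removed step 4 (the `-` line beginning "Once the event hub namespace is created") was the only place this article told the reader which Azure roles the setup needs: the app registration's service principal as Reader and Azure Event Hubs Data Receiver, and the portal user as Contributor on the namespace (or at resource group or subscription level). The new "Before you begin" keeps only "Create an event hub" and the Microsoft.insights registration, so a reader who follows it will fail on Save with an authorization error and no hint that a missing role assignment is the cause. That step is not specific to the Microsoft 365 Defender portal and is the least-privilege guidance for the feature; keep it, or fold it into step 1 together with the removed namespace-creation step. Also, the new step 2 has doubled bold markers, "Register to **Microsoft.insights****", which renders stray asterisks; it should read "Register to **Microsoft.insights**".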
-## Enable raw data streaming:
+## Enable raw data streaming
-1. Log in to the [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
+1. Log in to the [Microsoft Defender Security Center](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to the [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
+2. Go to the [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
-3. Click on **Add**.
+3. Click on **Add data export settings**.
4. Choose a name for your new settings. 5. Choose **Forward events to Azure Event Hubs**.
-6. You can select if you want to export the event data to a single event hub, or to export each event table to a different even hub in your event hub namespace.
+6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
-7. To export the event data to a single event hub, Enter your **Event Hub name** and your **Event Hub resource ID**.
-
- To get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
![Image of event hub resource Id1](images/event-hub-resource-id.png)
-8. Choose the events you want to stream and click **Save**.
+7. Choose the events you want to stream and click **Save**.
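Review bot: this hunk removes the per-table export option (the old step 6 "export each event table to a different even hub" and the conditional wording of step 7) and reverts the portal to securitycenter.windows.com with the "Add data export settings" button. If the revert is intentional because that portal never offered the per-table choice, the renumbering is consistent (6 becomes name plus resource ID, 7 becomes event selection), but a separate hunk further down also removes step 9 ("leave the Event hub name empty"), so check that no sentence still refers to leaving the name empty. The portal link is also affected by the MDE-to-unified-portal redirection described later in this change set; a short note that the link may redirect to security.microsoft.com would save the reader confusion. Wording nit in the kept text: "In order to get your … resource ID" → "To get your … resource ID".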
-## The schema of the events in Azure Event Hubs:
+## The schema of the events in Azure Event Hubs
``` { "records": [ {
- "time": "<The time Microsoft 365 Defender received the event>"
+ "time": "<The time WDATP received the event>"
"tenantId": "<The Id of the tenant that the event belongs to>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
- "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
+ "properties": { <WDATP Advanced Hunting event as Json> }
} ... ]
ms.technology: mde
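Review bot: the schema block reintroduces "WDATP" in the time and properties placeholders while the title, description and the rest of this hunk say "Microsoft Defender for Endpoint"; use one name (for example "<The time Microsoft Defender for Endpoint received the event>") so a reader searching the page for the product name also finds the schema. The fence is untagged and the sample is not valid JSON: there are no commas between the "time", "tenantId", "category" and "properties" members and the closing brackets are run together on one line. Tag the fence as json and add the commas so it renders with highlighting and can be copied as a template.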
- Each event hub message in Azure Event Hubs contains list of records. -- Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".--- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).--- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
+- Each record contains the event name, the time Microsoft Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
-9. To export each event table to a different event hub, simply leave the **Event hub name** empty, and Microsoft 365 Defender will do the rest.
+- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
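Review bot: the restored bullet list loses one bullet. The removed `-` line had four items run together ("Each event hub message in Azure Event Hubs contains list of records", "Each record contains …", "For more information …", "In Advanced Hunting …"), but the `+` lines re-add only the last three, so the statement that a message is an array of records, which is what the "records" key in the schema above means, no longer appears anywhere. Re-add it as the first bullet ("Each event hub message in Azure Event Hubs contains a list of records."). Also "the tenant it belongs" should be "the tenant it belongs to", and the removed step 9 is the per-table option already dropped in the previous hunk, so its removal here is consistent.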
-## Data types mapping:
+## Data types mapping
To get the data types for event properties do the following:
-1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
To get the data types for event properties do the following:
![Image of event hub resource Id2](images/machine-info-datatype-example.png) ## Related topics-- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)-- [Microsoft 365 Defender streaming API](raw-data-export.md)-- [Stream Microsoft 365 Defender events to your Azure storage account](raw-data-export-storage.md)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
+- [Microsoft Defender for Endpoint streaming API](raw-data-export.md)
+- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](/azure/event-hubs/)-- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
+- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
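Review bot: the "Related topics" hunk, like the earlier bullet "For more information about the schema of Microsoft Defender for Endpoint events", changes the Advanced Hunting link from ../defender/advanced-hunting-overview.md to the same-folder advanced-hunting-overview.md. The same relative-link change is made in raw-data-export-storage.md and raw-data-export.md in this change set, so all of them break together if no advanced-hunting-overview.md exists in the defender-endpoint folder; confirm the target exists before merging the revert. The list fix itself (one item per line instead of "--"-joined items) is correct.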
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
Title: Stream Microsoft 365 Defender events to your Storage account
-description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account.
+ Title: Stream Microsoft Defender for Endpoint events to your Storage account
+description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account.
keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
-# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account
+# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-
-## Before you begin:
+## Before you begin
1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
-## Enable raw data streaming:
+## Enable raw data streaming
-1. Log in to [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
+1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
-2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender Security Center.
+2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**.
ms.technology: mde
5. Choose **Forward events to Azure Storage**.
-6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage Account Resource ID**:
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage account resource ID**:
![Image of event hub resource ID1](images/storage-account-resource-id.png) 7. Choose the events you want to stream and click **Save**.
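Review bot: the screenshot alt text in the unchanged context of this step, "![Image of event hub resource ID1](images/storage-account-resource-id.png)", describes an Event Hubs resource ID while the image and the step are about the Storage Account resource ID; since the hunk already rewrites step 6, fix the alt text to "Image of storage account resource ID". The same mislabel appears in the Data types mapping section of this file ("Image of event hub resource ID3" for machine-info-datatype-example.png). As in the Event Hubs article, the portal link reverts to securitycenter.windows.com, which the redirection article later in this change set says is automatically routed to security.microsoft.com; say so in the step, and "In order to get" → "To get".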
-## The schema of the events in the Storage account:
+## The schema of the events in the Storage account
- A blob container will be created for each event type:
ms.technology: mde
``` {
- "time": "<The time Microsoft 365 Defender received the event>"
+ "time": "<The time WDATP received the event>"
"tenantId": "<Your tenant ID>" "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
- "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
+ "properties": { <WDATP Advanced Hunting event as Json> }
} ```
ms.technology: mde
- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". -- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).
+- For more information about the schema of Microsoft Defender for Endpoint events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information.
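Review bot: naming is inconsistent within this region: the schema placeholders revert to "WDATP" while the unchanged bullet "Each row contains the event name, the time Defender for Endpoint received the event" and the new bullets say "Microsoft Defender for Endpoint"; align the placeholders with the product name used in the prose. As in the Event Hubs article, the schema fence is untagged and the sample lacks commas between its members; tag it as json and fix the commas. The kept bullet also runs two items together with "--" on one line ("… a property called "properties". -- For more information about the schema …"); split it the way the `+` lines do, and "the tenant it belongs" → "the tenant it belongs to".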
-## Data types mapping:
+## Data types mapping
In order to get the data types for our events properties do the following:
-1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package).
2. Run the following query to get the data types mapping for each event:
In order to get the data types for our events properties do the following:
![Image of event hub resource ID3](images/machine-info-datatype-example.png) ## Related topics-- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)-- [Microsoft 365 Defender Streaming API](raw-data-export.md)-- [Stream Microsoft 365 Defender events to your Azure storage account](raw-data-export-storage.md)-- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
+- [Microsoft Defender for Endpoint Streaming API](raw-data-export.md)
+- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
Title: Stream Microsoft 365 Defender events
-description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to Event Hubs or Azure storage account
+ Title: Stream Microsoft Defender for Endpoint event
+description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to Event Hubs or Azure storage account
keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
ms.technology: mde
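Review bot: the new title drops the plural: "Stream Microsoft Defender for Endpoint event" should be "events"; the description line in the same hunk says "stream Advanced Hunting events", and the unchanged keywords line mixes "Event hubs" with the "Event Hubs" used in the body.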
-# Streaming API
+# Raw Data Streaming API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
-Microsoft 365 Defender supports streaming all the events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
+Defender for Endpoint supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
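Review bot: in the rewritten line under "Stream Advanced Hunting events to Event Hubs and/or Azure storage account.", the "Azure storage account" link points at /azure/event-hubs/, the same target as the Event Hubs link beside it. It was wrong in the `-` line too, but since the line is being rewritten, point it at /azure/storage/common/storage-account-overview, which is what this article's own "Related topics" list uses. The section heading also ends with a period, which the other headings in this file do not.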
## In this section Topic | Description :|:
-[Stream events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to Event Hubs.
-[Stream events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to your Azure storage account.
+[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
+[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
## Related topics-- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
- [Azure Event Hubs documentation](/azure/event-hubs/)-- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Api Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md
The following conditions relate to all queries.
1. Queries explore and return data from the past 30 days. 2. Results can return up to 100,000 rows. 3. You can make up to 15 calls per minute per tenant.
-4. You have 10 minutes of running time per hour per tenant.
-5. You have four total hours of running time per day per tenant.
-6. If a single request runs for more than 10 minutes, it will time out and return an error.
-7. A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. Read the response body to understand the limit you have reached.
+4. Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle.
+5. If a single request runs for more than 10 minutes, it will time out and return an error.
+6. A `429` HTTP response code indicates that you've reached a quota, either by number of requests sent, or by allotted running time. Read the response body to understand the limit you have reached.
> [!NOTE] > All quotas listed above (for example 15 calls per min) are per tenant size. These quotas are the minimum.
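Review bot: the replacement quota item 4, "Queries are blocked if the tenant has reached 100% until after the next 15-minute cycle", does not say 100% of what. The two removed items it replaces were concrete (10 minutes of running time per hour, four hours per day), and the retained item 6 still tells the reader that a 429 can be "by allotted running time", so the page now refers to a running-time quota it no longer states. Say which quota the percentage applies to and whether the 15-minute cycle is clock-aligned or rolling; without that an integrator cannot size a back-off for the 429. The retained note "All quotas listed above … are per tenant size. These quotas are the minimum." also now has no running-time figure left to qualify.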
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
If you use the [Defender for Endpoint SIEM API](../defender-endpoint/enable-siem
You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in the Microsoft 365 security center. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center](./microsoft-365-security-mde-redirection.md).
+### Managed Security Service Providers (MSSP)
+
+Logging in to multiple tenants simultaneously in the same browsing session is currently not supported in the unified portal. You can opt-out of the automatic redirection by [reverting to the former Microsoft Defender for Endpoint portal](microsoft-365-security-mde-redirection.md#can-i-go-back-to-using-the-former-portal), to maintain this functionality until the issue is resolved.
+ ## Related information - [Microsoft 365 security center](overview-security-center.md)
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
ms.technology: m365d
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
-The improved [Microsoft 365 security center](./overview-security-center.md) at [https://security.microsoft.com](https://security.microsoft.com) combines security capabilities from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
+## Quick reference
+
+The image and the table below lists the changes in navigation between the Office 365 Security & Compliance Center and the Microsoft 365 security center.
+
+> [!div class="mx-imgBorder"]
+> ![Image of what moved to where](../../media/mdo-m3d-security-center.png)
+
+<br>
+
+****
+
+|Office 365 Security & Compliance|Microsoft 365 security center|Microsoft 365 compliance center|Exchange admin center|
+|||||
+|Alerts|Email & collaboration|||
+|Classification||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|Data loss prevention||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|Records management||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage) ||
+|Information governance||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|Threat management|Email & collaboration|||
+|Mail flow|||See [Exchange admin center](https://admin.exchange.microsoft.com/#/)|
+|Data privacy||See [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage)||
+|Search|Search|||
+|Reports|Report|||
+|Service assurance|Settings|||
+|
+
+The improved [Microsoft 365 security center](./overview-security-center.md) at <https://security.microsoft.com> combines security capabilities from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
If you are familiar with the Office 365 Security and Compliance portal (protection.office.com), this article describes some of the changes and improvements in the Microsoft 365 security center.
No changes to these areas:
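Review bot: the quick-reference table will not render as a table: the separator row is "|||||" (markdown needs at least one dash per cell, e.g. "|---|---|---|---|"), the bare "****" line above it and the stray "|" row after the last entry both render as literal text. Wording: "The image and the table below lists" → "list", and "Reports | Report" should agree in number. Five rows (Classification, Data loss prevention, Records management, Information governance, Data privacy) repeat the identical "See Microsoft 365 compliance center" link; one link per destination or a single note under the table would be tighter, but that is optional.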
Also, check the **Related Information** section at the bottom of this article. > [!IMPORTANT]
-> The Microsoft 365 Security portal (https://security.microsoft.com) combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
+> The Microsoft 365 Security portal (<https://security.microsoft.com>) combines security features in <https://securitycenter.windows.com>, and <https://protection.office.com>. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
> [!TIP] > All Exchange Online Protection (EOP) functions will be included in the Microsoft 365 security center, as EOP is a core element of Defender for Office 365.
Want to get started searching for email threats using advanced hunting? Try this
The [Getting Started](/microsoft-365/security/office-365-security/defender-for-office-365.md#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/office-365-security/defender-for-office-365) has logical early configuration chunks that look like this:
-1. Configure everything with 'anti' in the name.
- - anti-malware
- - anti-phishing
- - anti-spam
-2. Set up everything with 'safe' in the name.
- - safe links
- - safe attachments
-3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
-4. Protect with Zero-Hour auto purge
+1. Configure everything with 'Anti' in the name.
+ - Anti-malware
+ - Anti-phishing
+ - Anti-spam
+2. Set up everything with 'Safe' in the name.
+ - Safe Links
+ - Safe Attachments
+3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
+4. Protect with zero-Hour auto purge.
Along with a [link](../office-365-security/protect-against-threats.md) to jump right in and get configuration going on Day 1.
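Review bot: step 4 in the `+` lines, "Protect with zero-Hour auto purge.", capitalizes only the second word of the term. The query context further down this file uses "ZapTime", so spell the feature consistently, for example "zero-hour auto purge (ZAP)", which also gives readers the abbreviation they will meet in the hunting results. Capitalizing Safe Links and Safe Attachments as feature names is fine.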
EmailPostDeliveryEvents
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType ``` The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select **Save** > **Save As** and add the query to your list of queries, shared, or community queries.
security Microsoft 365 Security Mdo Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mdo-redirection.md
Title: Redirecting accounts from Microsoft Defender for Office 365 to the new Microsoft 365 security center
+ Title: Redirecting accounts from Office 365 Security and Compliance Center to the new Microsoft 365 security center
description: How to redirect from the Defender for Office 365 to the Microsoft 365 security center. keywords: Microsoft 365 security center, Getting started with the Microsoft 365 security center, security center redirection search.product: eADQiWindows 10XVcnh
ms.technology: m365d
-# Redirecting accounts from Microsoft Defender for Office 365 to the Microsoft 365 security center
+# Redirecting accounts from Office 365 Security and Compliance Center to Microsoft 365 security center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
ms.technology: m365d
- Microsoft 365 Defender - Defender for Office 365
-This article explains how to route accounts to the Microsoft 365 security center by enabling automatic redirection from the former Microsoft Security and Compliance Center (protection.office.com or securitycenter.microsoft.com), to the Microsoft 365 security center (security.microsoft.com).
+This article explains how to route accounts to the Microsoft 365 security center by enabling automatic redirection from the former Office 365 Security and Compliance Center (protection.office.com), to the Microsoft 365 security center (security.microsoft.com).
## What to expect Once automatic redirection is enabled and active, users accessing the security-related capabilities in Office 365 Security and Compliance (protection.office.com), will be automatically routed to the Microsoft 365 security center (https://security.microsoft.com).
To revert to the former portal:
This setting can be enabled again at any time.
-Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.
+Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portalΓÇösecuritycenter.windows.com or securitycenter.microsoft.com.
## Related information - [Microsoft 365 security center overview](overview-security-center.md)
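Review bot: The rename narrows the "from" portal to protection.office.com (title, H1 and intro now say "Office 365 Security and Compliance Center (protection.office.com)"), but the revert paragraph still tells the reader that once redirection is disabled they get back "the former portal, securitycenter.windows.com or securitycenter.microsoft.com", which are the Defender for Endpoint portal hosts rather than protection.office.com. Either that sentence should name protection.office.com, or the intro should keep listing both origins; as written the two halves of the article describe different redirects. The description metadata was not updated with the title and still reads "How to redirect from the Defender for Office 365 to the Microsoft 365 security center." The new title says "to the new Microsoft 365 security center" while the H1 says "to Microsoft 365 security center"; align them. Finally, the dash introduced in the revert paragraph shows up as "ΓÇö" here, which is an em dash read through the wrong code page; confirm the file is saved as UTF-8 or use a plain hyphen so the source stays ASCII.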
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
+
+ Title: Stream Microsoft 365 Defender events to Azure Event Hubs
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Event Hub.
+keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hubs
+++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+## Before you begin:
+
+1. Create an [event hub](/azure/event-hubs/) in your tenant.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+
+3. Create an Event Hub Namespace, go to **Event Hubs > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Pricing - Event Hubs | Microsoft Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/).
+
+4. Once the event hub namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level). Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignements**.
+
+## Enable raw data streaming:
+
+1. Log in to the [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
+
+2. Go to the [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
+
+3. Click on **Add**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Event Hubs**.
+
+6. You can select if you want to export the event data to a single event hub, or to export each event table to a different even hub in your event hub namespace.
+
+7. To export the event data to a single event hub, Enter your **Event Hub name** and your **Event Hub resource ID**.
+
+ To get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**:
+
+ ![Image of event hub resource Id1](../defender-endpoint/images/event-hub-resource-id.png)
+
+8. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in Azure Event Hubs:
+
+```
+{
+ "records": [
+ {
+ "time": "<The time Microsoft 365 Defender received the event>"
+ "tenantId": "<The Id of the tenant that the event belongs to>"
+ "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
+ "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
+ }
+ ...
+ ]
+}
+```
+
+- Each event hub message in Azure Event Hubs contains list of records.
+
+- Each record contains the event name, the time Microsoft 365 Defender received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
+
+- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
+
+9. To export each event table to a different event hub, simply leave the **Event hub name** empty, and Microsoft 365 Defender will do the rest.
++
+## Data types mapping:
+
+To get the data types for event properties do the following:
+
+1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+
+2. Run the following query to get the data types mapping for each event:
+
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
+
+- Here is an example for Device Info event:
+
+ ![Image of event hub resource Id2](../defender-endpoint/images/machine-info-datatype-example.png)
+
+## Related topics
+- [Overview of Advanced Hunting](advanced-hunting-overview.md)
+- [Microsoft 365 Defender streaming API](streaming-api.md)
+- [Stream Microsoft 365 Defender events to your Azure storage account](streaming-api-storage.md)
+- [Azure Event Hubs documentation](/azure/event-hubs/)
+- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
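Review bot: Step 9 ("To export each event table to a different event hub, simply leave the Event hub name empty...") is stranded after the "The schema of the events in Azure Event Hubs" section and its bullets, so the numbered procedure breaks at step 8; move it directly under step 7, or fold it into step 6, which already introduces the single-hub versus per-table choice, so that the schema section follows a complete procedure. The role-assignment step under "Before you begin" needs tightening on two points: "the App Registration Service Principal" is introduced with a definite article but never identified, so the reader does not know which app registration receives Reader and Azure Event Hubs Data Receiver; and presenting "Resource Group or Subscription level" as an equivalent place to grant Contributor hands the admin account write access to everything in that scope, so the text should recommend assigning at the namespace and mention the wider scopes only as a fallback. Same step: "Role assignements" should be "Role assignments". The schema block is not valid JSON (no commas after the "time", "tenantId" and "category" members) and its fence has no language; add the commas and tag it json so it can be pasted into a consumer's parser, and tag the getschema fence as kusto. Smaller items: "different even hub" should be "event hub" in step 6; "Enter" should be lowercase mid-sentence in step 7; the alt text on the second screenshot says "event hub resource Id2" but the image is the DeviceInfo data-type example; and the file sets ms.technology: mde while the Microsoft 365 Defender redirection article in this same change uses m365d.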
security Streaming Api Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-storage.md
+
+ Title: Stream Microsoft 365 Defender events to your Storage account
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account.
+keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Configure Microsoft 365 Defender to stream Advanced Hunting events to your Storage account
+++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+++
+## Before you begin:
+
+1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
+
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+
+## Enable raw data streaming:
+
+1. Log in to [Microsoft 365 Defender security center](https://security.microsoft.com) as a ***Global Administrator*** or ***Security Administrator***.
+
+2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft Defender Security Center.
+
+3. Click on **Add data export settings**.
+
+4. Choose a name for your new settings.
+
+5. Choose **Forward events to Azure Storage**.
+
+6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) > properties tab > copy the text under **Storage Account Resource ID**:
+
+ ![Image of event hub resource ID1](../defender-endpoint/images/storage-account-resource-id.png)
+
+7. Choose the events you want to stream and click **Save**.
+
+## The schema of the events in the Storage account:
+
+- A blob container will be created for each event type:
+
+ ![Image of event hub resource ID2](../defender-endpoint/images/storage-account-event-schema.png)
+
+- The schema of each row in a blob is the following JSON:
+
+ ```
+ {
+ "time": "<The time Microsoft 365 Defender received the event>"
+ "tenantId": "<Your tenant ID>"
+ "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
+ "properties": { <Microsoft 365 Defender Advanced Hunting event as Json> }
+ }
+ ```
+
+- Each blob contains multiple rows.
+
+- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+
+- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).
++
+## Data types mapping
+
+In order to get the data types for our events properties do the following:
+
+1. Log in to [Microsoft 365 security center](https://security.microsoft.com) and go to [Advanced Hunting page](https://security.microsoft.com/hunting-package).
+
+2. Run the following query to get the data types mapping for each event:
+
+ ```
+ {EventType}
+ | getschema
+ | project ColumnName, ColumnType
+ ```
+
+- Here is an example for Device Info event:
+
+ ![Image of event hub resource ID3](../defender-endpoint/images/machine-info-datatype-example.png)
+
+## Related topics
+- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Microsoft 365 Defender Streaming API](streaming-api.md)
+- [Stream Microsoft 365 Defender events to your Azure storage account](streaming-api-storage.md)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
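Review bot: This page gives no permissions step: the Event Hubs companion article tells the reader which principal needs Reader and Azure Event Hubs Data Receiver on the namespace, but here "Before you begin" only creates the storage account and registers Microsoft.Insights, so whoever follows it has no idea what access Microsoft 365 Defender needs on the account, and may assume the Resource ID alone is an authorization. Either add the equivalent role-assignment step or state explicitly that none is required. The schema bullet "the time Defender for Endpoint received the event" is a leftover from the Defender for Endpoint version of this page and contradicts the JSON directly above it, which says Microsoft 365 Defender; fix it. The JSON block has the same missing commas as the Event Hubs page and an untagged fence. The button label differs between the two sibling articles ("Add data export settings" here, "Add" in the Event Hubs article), and step 2 calls the portal "Microsoft Defender Security Center" while step 1 calls it "Microsoft 365 Defender security center"; pick one. All three image alt texts say "event hub resource ID" although the screenshots are the storage account Resource ID, the blob containers, and the data-type example. Under "Related topics" the page links to itself (streaming-api-storage.md) where it should link to streaming-api-event-hub.md, and "our events properties" in the data types section should be "the event properties".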
security Streaming Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api.md
+
+ Title: Stream Microsoft 365 Defender events
+description: Learn how to configure Microsoft 365 Defender to stream Advanced Hunting events to Event Hubs or Azure storage account
+keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Streaming API
++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
+
+Microsoft 365 Defender supports streaming all the events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/event-hubs/).
+++
+## In this section
+
+Topic | Description
+:|:
+[Stream events to Azure Event Hubs](streaming-api-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](../defender/advanced-hunting-overview.md) to Event Hubs.
+[Stream events to your Azure storage account](streaming-api-storage.md)| Learn about enabling the streaming API in your tenant and configure Microsoft 365 Defender to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
++
+## Related topics
+- [Overview of Advanced Hunting](../defender/advanced-hunting-overview.md)
+- [Azure Event Hubs documentation](/azure/event-hubs/)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
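Review bot: The "Azure storage account" link in the one-sentence body points at /azure/event-hubs/ rather than the storage documentation; the Related topics list at the bottom already has the right target (/azure/storage/common/storage-account-overview), so use that. The table alignment row ":|:" is not a valid markdown separator (each cell needs at least three dashes, for example ":---|:---"); depending on the renderer the table will collapse into plain text. The section heading "Stream Advanced Hunting events to Event Hubs and/or Azure storage account." carries a trailing period and "and/or"; "Stream Advanced Hunting events to Event Hubs or an Azure storage account" reads better. As with the two detail pages, ms.technology is mde here although these are Microsoft 365 Defender articles; the redirection article in this same change uses m365d.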
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
You will only be able to mark and notify users of review results if the message
## What do you need to know before you begin? - To modify the configuration for User submissions, you need to be a member of one of the following role groups:
- - Organization Management or Security Administrator in the [Security center](permissions-microsoft-365-compliance-security.md).
- - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo).
+ - Organization Management or Security Administrator in the [Microsoft 365 security center](permissions-microsoft-365-security-center.md).
+ - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo).
- You'll also need access to the Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that says *Specify an email address in your domain*. For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
- - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
- - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)
+ - [Enable or disable access to Exchange Online PowerShell](/powershell/exchange/disable-access-to-exchange-online-powershell)
+ - [Client Access Rules in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules)
## Configure the messages used to notify users
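Review bot: The retargeted link ("Microsoft 365 security center" to permissions-microsoft-365-security-center.md) matches the new file added in this change set, so this hunk is consistent; the remaining changed lines ("Organization Management in Exchange Online" and the two PowerShell links) show no textual difference, so they are whitespace-only re-indents. That is fine if it fixes the nesting of the sub-bullets, but please confirm the list still renders as nested bullets under the two top-level items rather than as a flat list.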
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
The Security & Compliance Center includes default role groups for the most commo
![Diagram showing relationship of role groups to roles and members](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png)
-## Permissions needed to use features in the Security & Compliance Center
+## Role groups in the Security & Compliance Center
The following table lists the default role groups that are available in the Security & Compliance Center, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform a compliance task, add them to the appropriate Security & Compliance Center role group.
To see how to grant access to the Security & Compliance Center, check out [Give
> [!NOTE] > To view the **Permissions** tab in the Security & Compliance Center, you need to be an admin. Specifically, you need to be assigned the **Role Management** role, and that role is assigned only to the **Organization Management** role group in the Security & Compliance Center by default. Furthermore, the **Role Management** role allows users to view, create, and modify role groups.
-<br><br>
+<br>
****
Note that the following roles aren't assigned to the Organization Management rol
- RMS Decrypt - Supervisory Review Administrator
-<br><br>
+<br>
****
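Review bot: Renaming the heading from "Permissions needed to use features in the Security & Compliance Center" to "Role groups in the Security & Compliance Center" changes the auto-generated anchor, so any page that deep-links to the old fragment will land at the top of the article instead of at the role-group table; search the repo for links to that anchor before merging. Collapsing the doubled br tags to a single one is fine.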
security Permissions Microsoft 365 Compliance Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security.md
- Title: Permissions in the Microsoft 365 compliance center and security center
- - NOCSH
--- Previously updated :
-ms.audience: Admin
-
-localization_priority: Priority
-
- - M365-security-compliance
- - MOE150
- - MET150
-description: By using the Microsoft 365 security center or Microsoft 365 compliance center, you can manage permissions centrally for all tasks related to security or compliance.
---
-# Permissions in the Microsoft 365 compliance center and Microsoft 365 security center
--
-**Applies to**
-- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)-
-Your organization needs to manage compliance and security scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization's IT group. By using the Microsoft 365 security center or Microsoft 365 compliance center, you can manage permissions centrally for all tasks related to security or compliance.
-
-After a global administrator adds users to these admin roles, these admin will have access to features and data that span all services in Microsoft 365, such as the Microsoft 365 security center, Microsoft 365 compliance center, Azure, Office 365, and Enterprise Mobility + Security.
-
-## What the Microsoft 365 roles are
-
-The roles that appear in the Microsoft 365 compliance center and Microsoft 365 security center are Azure Active Directory roles. These roles are designed to align with job functions in your organization's IT group, making it easy to give a person all the permissions necessary to get their job done.
-
-****
-
-|Role|Description|
-|||
-|**Global administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/azure/active-directory/roles/permissions-reference#global-administrator--company-administrator).|
-|**Compliance data administrator**|Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see [Compliance Data Administrator](/azure/active-directory/roles/permissions-reference#compliance-data-administrator).|
-|**Compliance administrator**|Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see [Compliance Administrator](/azure/active-directory/roles/permissions-reference#compliance-administrator).|
-|**Security operator**|View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see [Security Operator](/azure/active-directory/roles/permissions-reference#security-operator).|
-|**Security reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they do not have permissions to respond by taking action. For more information, see [Security Reader](/azure/active-directory/roles/permissions-reference#security-reader).|
-|**Security administrator**|Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator).|
-|**Global reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/azure/active-directory/roles/permissions-reference#global-reader).|
-|
-
-## Global administrators can manage roles in Azure Active Directory
-
-In the Microsoft 365 compliance center and Microsoft 365 security center, when you select a role, you can view its assignments. But to manage those assignments, you need to go to the Azure Active Directory.
-
-For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal).
-
-![Link to manage permissions in Azure Active Directory](../../media/permissions-manage-in-azure-ad-link.png)
-
-## Managing roles in a service instead of Azure Active Directory
-
-The roles that appear in the Microsoft 365 compliance center and Microsoft 365 security center also appear in the services where they have permissions. For example, you can see these roles in the Security & Compliance Center.
-
-![Roles in Security & Compliance Center](../../media/m365-roles-in-o365-scc.png)
-
-For information about how these roles are used in the Security & Compliance Center, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
-
-### Breaking inheritance
-
-It's important to understand that you when you manage these roles in Azure Active Directory, you're doing so centrally for **all** Microsoft 365 services. However, when you manage a role in a specific service, such as the Security & Compliance Center, you're managing the role for **only** that specific service. The assignments and permissions for a role in a service override any permissions granted to the Azure Active Directory role.
-
-This can be useful. For example, if a person is assigned to the Security administrator role, they don't have permissions to manage incidents. But you can use the permissions in Microsoft Defender for Endpoint to give them the specific permission for incident management in that service.
-
-## Where to find role information for each Microsoft 365 service
-
-By assigning a user to one of the Microsoft 365 compliance or security admin roles, you give that user permissions to a range of Microsoft 365 services. Use the links below to find more information about the specific permissions for a role in each service.
-
-****
-
-|Microsoft 365 service|Role info|
-|||
-|Admin roles in Office 365 and Microsoft 365 for business plans|[Microsoft 365 admin roles](../../admin/add-users/about-admin-roles.md)|
-|Azure Active Directory (Azure AD) and Azure AD Identity Protection|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Microsoft Defender for Identity|[Microsoft Defender for Identity role groups](/azure-advanced-threat-protection/atp-role-groups)|
-|Azure Information Protection|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Compliance Manager|[Compliance Manager](../../compliance/compliance-manager-setup.md#set-user-permissions-and-assign-roles)|
-|Exchange Online|[Exchange role-based access control](/exchange/permissions-exo/permissions-exo)|
-|Intune|[Intune role-based access control](/intune/role-based-access-control)|
-|Managed Desktop|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Microsoft Cloud App Security|[Role-based access control](/cloud-app-security/manage-admins)|
-|Security & Compliance Center|[Microsoft 365 admin roles](permissions-in-the-security-and-compliance-center.md)|
-|Privileged Identity Management|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Secure Score|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|SharePoint Online|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) <p> [About the SharePoint admin role in Office 365](/sharepoint/sharepoint-admin-role)|
-|Teams/Skype for Business|[Azure AD admin roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)|
-|Microsoft Defender for Endpoint|[Microsoft Defender for Endpoint role-based access control](/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)|
-|
-
-## Coming soon
-
-We're still working on permissions in the Microsoft 365 compliance center and Microsoft 365 security center. For example, we're currently working on support for the ability to:
--- Manage roles in the Microsoft 365 compliance center and Microsoft 365 security center, instead of going to Azure Active Directory.-- Customize roles by adding or removing specific permissions.-- Create custom roles with permissions that you choose.
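Review bot: Deleting this page drops two pieces of content that do not reappear in the replacement "Permissions in the Microsoft 365 security center" article added in the same change: the "Breaking inheritance" section, which states that a role assignment made in a specific service overrides the permissions of the corresponding Azure AD role (with the Defender for Endpoint incident-management example), and the "Where to find role information for each Microsoft 365 service" table. The inheritance statement is security-relevant, since it tells an admin that service-level RBAC can widen what an Azure AD role grants, so if it is still accurate it should land in the new article or in the compliance-center equivalent, and if it is no longer accurate the commit should say so. The deletion also needs a redirect for the old path: the admin-review article in this change is the only inbound link being retargeted here, and other pages may still reference permissions-microsoft-365-compliance-security.md.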
security Permissions Microsoft 365 Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-security-center.md
+
+ Title: Permissions in the Microsoft 365 security center
+f1.keywords:
+ - NOCSH
+++ Last updated :
+ms.audience: Admin
+
+audience: Admin
+localization_priority: Priority
+
+ - M365-security-compliance
+search.appverid:
+ - MOE150
+ - MET150
+description: Admins can learn how to manage permissions in the Microsoft 365 security center for all tasks related to security.
+
+ms.technology: mdo
++
+# Permissions in the Microsoft 365 security center
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+You need to manage security scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization.
+
+The Microsoft 365 security center at <https://security.microsoft.com> supports directly managing permissions for users who perform security tasks in Microsoft 365. By using the security center to manage permissions, you can manage permissions centrally for all tasks related to security.
+
+To manage permissions in the security center, go to **Permissions & roles** or <https://security.microsoft.com/securitypermissions>. You need to be a **global administrator** or a member of the **Organization Management** role group in the security center. Specifically, the **Role Management** role allows users to view, create, and modify role groups in the security center, and by default, that role is assigned only to the **Organization Management** role group.
+
+## Relationship of members, roles, and role groups
+
+Permissions in the security center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the security center will be very familiar.
+
+A **role** grants the permissions to do a set of tasks.
+
+A **role group** is a set of roles that lets people do their jobs in the security center. For example, the Attack Simulator Administrators role group includes the Attack Simulator Admin role to create and manage all aspects of attack simulation training.
+
+The security center includes default role groups for the most common tasks and functions that you'll need to assign. Generally, we recommend simply adding individual users as **members** to the default role groups.
+
+![Diagram showing relationship of role groups to roles and members](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png)
+
+## Roles and role groups in the security center
+
+The following types of roles and role groups are available in **Permissions & roles** in the security center:
+
+- **Azure AD roles**: You can view the roles and assigned users, but you can't manage them directly in the security center. Azure AD roles are central roles that assign permissions for **all** Microsoft 365 services.
+
+- **Email & collaboration roles**: These are the same role groups that are available in the Security & Compliance Center, but you can manage them directly in the security center. The permissions that you assign here are specific to the Microsoft 365 security center, the Microsoft 365 compliance center, and the Security & Compliance Center, and don't cover all of the permissions that are needed in other Microsoft 365 workloads.
+
+![Permissions & roles page in the Microsoft 365 security center](../../media/m365-sc-permissions-and-roles-page.png)
+
+### Azure AD roles in the security center
+
+When you go **Email & collaboration roles** \> **Permissions & roles** \> **Azure AD roles** \> **Roles** (or directly to <https://security.microsoft.com/aadpermissions>) you'll see the Azure AD roles that are described in this section.
+
+When you select a role, a details flyout that contains the description of the role and the user assignments appears. But to manage those assignments, you need to click **Manage members in Azure AD** in the details flyout.
+
+![Link to manage permissions in Azure Active Directory](../../media/permissions-manage-in-azure-ad-link.png)
+
+For more information, see [View and assign administrator roles in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-manage-roles-portal).
+
+<br>
+
+****
+
+|Role|Description|
+|||
+|**Global administrator**|Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see [Global Administrator / Company Administrator](/azure/active-directory/roles/permissions-reference#global-administrator--company-administrator).|
+|**Compliance data administrator**|Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see [Compliance Data Administrator](/azure/active-directory/roles/permissions-reference#compliance-data-administrator).|
+|**Compliance administrator**|Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see [Compliance Administrator](/azure/active-directory/roles/permissions-reference#compliance-administrator).|
+|**Security operator**|View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see [Security Operator](/azure/active-directory/roles/permissions-reference#security-operator).|
+|**Security reader**|View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they do not have permissions to respond by taking action. For more information, see [Security Reader](/azure/active-directory/roles/permissions-reference#security-reader).|
+|**Security administrator**|Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator).|
+|**Global reader**|The read-only version of the **Global administrator** role. View all settings and administrative information across Microsoft 365. For more information, see [Global Reader](/azure/active-directory/roles/permissions-reference#global-reader).|
+|**Attack simulation administrator**|Create and manage all aspects of [attack simulation](attack-simulation-training.md) creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator).|
+|**Attack payload author**|Create attack payloads but not actually launch or schedule them. For more information, see [Attack Payload Author](/azure/active-directory/roles/permissions-reference#attack-payload-author).|
+|
+
+### Email & collaboration roles in the security center
+
+When you go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles** (or directly to <https://security.microsoft.com/emailandcollabpermissions>) you'll see the same role groups that are available in the Security & Compliance Center.
+
+For complete information about these role groups, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md)
+
+#### Modify Email & collaboration role membership in the security center
+
+1. In the security center, go to **Email & collaboration roles** \> **Permissions & roles** \> **Email & collaboration roles** \> **Roles**.
+
+2. In the **Permissions** page that opens, select the role group that you want to modify from the list. You can click on the **Name** column header to sort the list by name, or you can click **Search** ![Search icon](../../media/m365-cc-sc-search-icon.png) to find the role group.
+
+3. In the role group details flyout that appears, click **Edit** in the **Members** section.
+
+4. In the **Editing choose members** page that appears, do one of the following steps:
+ - If there are no role group members, click **Choose members**.
+ - If there are existing role group members, click **Edit**
+
+5. In the **Choose members** flyout that appears, do one of the following steps:
+
+ - Click **Add**. In the list of users that appears, select one or more users. Or, you can click **Search** ![Search icon](../../media/m365-cc-sc-search-icon.png) to find and select users.
+
+ When you've selected the users that you want to add, click **Add**.
+
+ - Click **Remove**. Select one or more of the existing members. Or, you can click **Search** ![Search icon](../../media/m365-cc-sc-search-icon.png) to find and select members.
+
+ When you've selected the users that you want to remove, click **Remove**.
+
+6. Back on the **Choose members** flyout, click **Done**.
+
+7. Back on the **Editing choose members** page, click **Save**.
+
+8. Back on the role group details flyout, click **Done**.
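Review bot: the role table's delimiter row `|||` is not a valid Markdown separator, so the **Role** / **Description** header will not render as a header; it should be `|---|---|`. In the same table, the stray `|` line after the **Attack payload author** row and the bare `****` rule above the table should be dropped. Two wording points in the hunk: the **Security reader** description switches voice mid-sentence ("View and investigate ... but ... they do not have permissions"), and step 4's second bullet ("click **Edit**") is missing its terminating period.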
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users without disrupting their work.
+Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users and avoiding unnecessary disruptions.
-The rest of this topic describes preset security policies and how to configure them.
+The rest of this article describes preset security policies and how to configure them.
## What preset security policies are made of
A profile determines the level of protection. The following profiles are availab
You use rules with conditions and exceptions that determine who the profiles are or are not applied to.
-You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
- The available conditions and exceptions are: -- **The recipients are**: Mailboxes, mail users, or mail contacts in your organization.-- **The recipients are members of**: Groups in your organization.-- **The recipient domains are**: Accepted domains that are configured in Microsoft 365.
+- **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
+- **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+
+You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
### Policies in preset security policies
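Review bot: the OR/AND example in the sentence moved below the list still uses the old condition names (_\<recipient1\>_, _\<member of group 1\>_) while the list above it now names the conditions **Users**, **Groups**, and **Domains**; consider _\<user1\>_ or _\<user2\>_ for the OR case and _\<user1\>_ and _\<group1\>_ for the AND case so the example matches the renamed conditions.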
In other words, the settings of the **Strict protection** policy override the se
### What do you need to know before you begin? -- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Preset security policies** page, use <https://protection.office.com/presetSecurityPolicies>.
+- You open the Microsoft 365 security center at <https://security.microsoft.com/>. To go directly to the **Preset security policies** page, use <https://security.microsoft.com/presetSecurityPolicies>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
In other words, the settings of the **Strict protection** policy override the se
**Note**: Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
-### Use the Security & Compliance Center to assign preset security policies to users
+### Use the security center to assign preset security policies to users
-1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Preset security policies**.
+1. In the security center, go to **Email & collaboration** \> **Policies & Rules** \> **Threat Policies** \> **Preset Security Policies**.
2. Under **Standard protection** or **Strict protection**, click **Edit**.
-3. The **Apply Standard protection** or **Apply Strict protection** wizard starts. On the **EOP protections apply to** step, identify the internal recipients that the [EOP protections](#policies-in-preset-security-policies) apply to:
-
- 1. Click **Add a condition**. In the dropdown that appears, select a condition under **Applied if**:
-
- - **The recipients are**
- - **The recipients are members of**
- - **The recipient domains are**
-
- You can only use a condition once, but you can specify multiple values for the condition. Multiple values of the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_).
-
- 2. The condition that you selected appears in a shaded section. In that section, click in the **Any of these** box. If you wait a moment, a list will appear so you can select a value. Or, you can start typing a value to filter the list and select a value. Repeat this step as many times as necessary. To remove an individual value, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the value. To remove the entire condition, click **Remove** ![Remove icon](../../media/scc-remove-icon.png) on the condition.
+3. The **Apply Standard protection** or **Apply Strict protection** wizard starts. On the **EOP protections apply to** page, identify the internal recipients that the [EOP protections](#policies-in-preset-security-policies) apply to (recipient conditions):
+ - **Users**
+ - **Groups**
+ - **Domains**
- 3. To add another condition, click **Add a condition** and select from the remaining conditions. Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
- Repeat the previous step to add values to the condition, and repeat this step as many times as necessary or until you run out of conditions.
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- 4. To add an exception, click **Add a condition**. In the dropdown that appears, select a condition under **Except when**. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
-4. If your organization has Microsoft Defender for Office 365, you're taken to the **ATP protections apply to** step to identify the internal recipients that the [Microsoft Defender for Office 365 protections](#policies-in-preset-security-policies) apply to.
+4. In Microsoft Defender for Office 365 organizations, you're taken to the **Defender for Office 365 protections apply to** page to identify the internal recipients that the [Microsoft Defender for Office 365 protections](#policies-in-preset-security-policies) apply to (recipient conditions).
- The settings and behavior are exactly like the **EOP protections apply to** step.
+ The settings and behavior are exactly like the **EOP protections apply to** page.
When you're finished, click **Next**.
-5. On the **Confirm** step, verify your selections, and then click **Confirm**.
+5. On the **Review and confirm your changes** page, verify your selections, and then click **Confirm**.
-### Use the Security & Compliance Center to modify the assignments of preset security policies
+### Use the security center to modify the assignments of preset security policies
-The steps to modify the assignment of the **Standard protection** or **Strict protection** security policy are the same as when you initially [assigned the preset security policies to users](#use-the-security--compliance-center-to-assign-preset-security-policies-to-users).
+The steps to modify the assignment of the **Standard protection** or **Strict protection** security policy are the same as when you initially [assigned the preset security policies to users](#use-the-security-center-to-assign-preset-security-policies-to-users).
-To disable the **Standard protection** or **Strict protection** security policies while still preserving the existing conditions and exceptions, slide the toggle to **Disabled**. To enable the policies, slide the toggle to **Enabled**.
+To disable the **Standard protection** or **Strict protection** security policies while still preserving the existing conditions and exceptions, slide the toggle to **Disabled** ![Toggle Off](../../media/scc-toggle-off.png). To enable the policies, slide the toggle to **Enabled** ![Toggle On](../../media/scc-toggle-on.png).
### How do you know these procedures worked?
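Review bot: "recpient exceptions" in the **Exclude these users, groups, and domains** bullet is a typo for "recipient exceptions". The rewritten step 3 also drops the removed text explaining that multiple values in one condition use OR logic and different conditions use AND logic; a one-line reminder (or a link to the conditions section above) would keep that behaviour visible where conditions and exceptions are configured, since excepted recipients are not covered by the policy. Minor: "click remove" is lowercase where every other UI label in the procedure is bold.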
To verify that you've successfully assigned the **Standard protection** or **Str
For example, for email that's detected as spam (not high confidence spam) verify that the message is delivered to the Junk Email folder for **Standard protection** users, and quarantined for **Strict protection** users.
-Or, for [bulk email](bulk-complaint-level-values.md), verify that the BCL value 6 or higher delivers the message to the Junk Email folder for **Standard protection** users, and the BCL value 4 or higher quarantines the message for **Strict protection** users.
+Or, for [bulk mail](bulk-complaint-level-values.md), verify that the BCL value 6 or higher delivers the message to the Junk Email folder for **Standard protection** users, and the BCL value 4 or higher quarantines the message for **Strict protection** users.
solutions Cloud Architecture Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/cloud-architecture-models.md
f1.keywords: NOCSH
-# Microsoft cloud for enterprise architects illustrations
+# Microsoft cloud for IT architects illustrations
These cloud architecture posters give you information about Microsoft cloud services, including Microsoft 365, Azure Active Directory (Azure AD), Microsoft Intune, Microsoft Dynamics 365, and hybrid on-premises and cloud solutions.
IT decision makers and architects can use these resources to determine the ideal
<a name="identity"></a>
-### Microsoft cloud identity for enterprise architects
+### Microsoft cloud identity for IT architects
What IT architects need to know about designing identity for organizations using Microsoft cloud services and platforms.
What IT architects need to know about designing identity for organizations using
|[![Thumb image for Microsoft cloud identity model](../media/solutions-architecture-center/msft-cloud-identity-model-thumb.png)](../downloads/MSFT_cloud_architecture_identity.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity.vsdx) <br/>Updated September 2020 | This model contains: <ul> <li> Introduction to identity with Microsoft's cloud </li><li> Azure AD IDaaS capabilities </li><li> Integrating on-premises Active Directory Domain Services (AD DS) accounts with Azure AD </li><li> Putting directory components in Azure IaaS </li><li> AD DS options for workloads in Azure IaaS </li></ul><br/> <br/>| <a name="security"></a>
-### Microsoft cloud security for enterprise architects
+### Microsoft cloud security for IT architects
What IT architects need to know about security in Microsoft cloud services and platforms.
What IT architects need to know about security in Microsoft cloud services and p
|[![Microsoft cloud security for enterprise architects model thumbnail](../media/solutions-architecture-center/msft-cloud-security-model-thumb.png)](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security%20(1).pdf) <br/> [PDF](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security%20(1).pdf) \| <br/>Updated April 2021 | This model contains: <ul><li>Microsoft and customer security responsibilities</li><li>Identity and device access</li><li>Threat protection</li><li>Information protection </ul><br/>| <a name="networking"></a>
-### Microsoft cloud networking for enterprise architects
+### Microsoft cloud networking for IT architects
What IT architects need to know about networking for Microsoft cloud services and platforms.
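Review bot: the security poster's image alt text in the unchanged context row still reads "Microsoft cloud security for enterprise architects model thumbnail" although the heading above it was renamed to "IT architects"; update the alt text for consistency. The same row's `<ul>` also closes without a `</li>` after "Information protection", unlike the identity and networking rows.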
What IT architects need to know about networking for Microsoft cloud services an
|[![Thumb image for Microsoft cloud networking model](../media/solutions-architecture-center/msft-cloud-networking-model-thumb.png)](../downloads/MSFT_cloud_architecture_networking.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_networking.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_networking.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_networking.vsdx) <br/>Updated August 2020 | This model contains: <ul><li> Evolving your network for cloud connectivity </li><li> Common elements of Microsoft cloud connectivity </li><li> ExpressRoute for Microsoft cloud connectivity </li><li> Designing networking for Microsoft SaaS, Azure PaaS, and Azure IaaS </li></ul><br/> <br/>| <a name="hybrid"></a>
-### Microsoft hybrid cloud for enterprise architects
+### Microsoft hybrid cloud for IT architects
What IT architects need to know about hybrid cloud for Microsoft services and platforms.