Updates from: 06/09/2022 01:29:45
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
audience: Admin
ms.localizationpriority: high-+ - M365-subscription-management - Adm_O365 - Adm_TOC-+ - AdminSurgePortfolio - AdminTemplateSet search.appverid:
description: "Get a periodic report of how people in your organization are using
# Microsoft 365 Reports in the admin center
-You can easily see how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all. Perpetual license model will not be included in the reports.
-
+You can easily see how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all. Perpetual license model will not be included in the reports.
+ Reports are available for the last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting periods right away. The reports become available within 48 hours.
-
+ ## Watch: Act on a usage report in Office 365
-
+ > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4VjrX?autoplay=false]
-
+ ## How to get to the Reports dashboard ::: moniker range="o365-worldwide"
Reports are available for the last 7 days, 30 days, 90 days, and 180 days. Data
## Who can see reports People who have the following permissions:
-
+ - Global admins: We recommend that only a few people in your company have this role. It reduces the risk to your business.
-
+ - Exchange admins
-
+ - SharePoint admins
-
+ - Skype for Business admins - Global reader (with no user details)
People who have the following permissions:
- Teams Administrator - Teams Communications Administrator
-
+ To learn more, see [About admin roles](../add-users/about-admin-roles.md) and [Assign admin roles](../add-users/assign-admin-roles.md).
-
+ ## Which activity reports are available in the admin center Depending on your subscription, here are the available reports in all environments.
-|**Report**|**Public**|**GCC**|**GCC-High**|**DoD**|**Office 365 operated by 21Vianet**|
+|Report|Public|GCC|GCC-High|DoD|Office 365 operated by 21Vianet|
|:--|:--|:--|:--|:--|:--| |[Microsoft browser usage](browser-usage-report.md)|Yes|No<sup>1</sup>|No<sup>1</sup>|No<sup>1</sup>|No<sup>1</sup>| |[Email activity](email-activity-ww.md)|Yes|Yes|Yes|Yes|Yes|
N/A<sup>2</sup>: The service is not available in the environment so no plan to r
## How to view licensing information - To see how many licenses you have assigned and unassigned, in the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
-
-- To see who is licensed, unlicensed, or guest, in the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-
+
+- To see who is licensed, unlicensed, or guest, in the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+ ## How to view usage information for a specific user Use the service reports to research how much a specific user is using the service. For example, to find out how much mailbox storage a specific user has consumed, open the Mailbox usage report, and sort the users by name. If you have thousands of users, export the report to Excel so you filter through the list quickly.
-
+ You can't generate a report where you enter a user's account and then get a list of which services they are using and how much.
-There are circumstances where new users show up as **unknown**. This is usually due to occasional delays in creating user profiles.
-
+There are circumstances where new users show up as **unknown**. This is usually due to occasional delays in creating user profiles.
+ ## Show user details in the reports By default, user details will be hidden for all reports.
-
+ Your user list will look like this:
-
-![Reports - anonymized user list.](../../media/2ed99bce-4978-4ee3-9ea2-4a8db26eef02.png)
+![Reports - anonymized user list.](../../media/2ed99bce-4978-4ee3-9ea2-4a8db26eef02.png)
If you want to unhide user-level information when you're generating your reports, a **global administrator** can quickly make that change in the admin center. Reports provide information about your organizationΓÇÖs usage data. By default, reports display information with identifiable names for users, groups, and sites. Starting September 1, 2021, we are hiding user information by default for all reports as part of our ongoing commitment to help companies support their local privacy laws. Global administrators can revert this change for their tenant and show identifiable user information if their organization's privacy practices allow it. It can be achieved in the Microsoft 365 admin center by following these steps:
-
+ 1. In the admin center, go to the **Settings** \> **Org Settings** \> **Services** page.
-2. Select **Reports**.
-
-3. Uncheck the statement **Display concealed user, group, and site names in all reports**, and then save your changes.
-
-It'll take a few minutes for these changes to take effect on the reports in the reports dashboard. This setting also applies to the Microsoft 365 usage reports in [Microsoft Graph](/graph/api/resources/report) and [Power BI](/microsoft-365/admin/usage-analytics/usage-analytics) and [the usage reports in Microsoft Teams Admin center](/microsoftteams/teams-analytics-and-reports/teams-reporting-reference). Showing identifiable user information is a logged event in the Microsoft Purview compliance portal audit log.
+2. Select **Reports**.
+
+3. Uncheck the statement **Display concealed user, group, and site names in all reports**, and then save your changes.
+
+It'll take a few minutes for these changes to take effect on the reports in the reports dashboard. This setting also applies to the Microsoft 365 usage reports in [Microsoft Graph](/graph/api/resources/report) and [Power BI](/microsoft-365/admin/usage-analytics/usage-analytics) and [the usage reports in Microsoft Teams Admin center](/microsoftteams/teams-analytics-and-reports/teams-reporting-reference). Showing identifiable user information is a logged event in the Microsoft Purview compliance portal audit log.
-
## What happens to usage data when a user account is closed? Whenever you close a user's account, Microsoft will delete that user's usage data within 30 days. That user will still be included in the Activity chart totals for the periods she was active in, but will not appear in the User Details table.
-
+ However, when you select a particular day, up to 28 days from the current date, the report show the user's usage for that day in the User Details table.
-
+ ## Related content
-[Reports in the Security &amp; Compliance Center](../../compliance/reports-in-security-and-compliance.md) (article)\
[Microsoft 365 usage analytics](../usage-analytics/usage-analytics.md) (article)\ [Customize the reports in Microsoft 365 usage analytics](../usage-analytics/customize-reports.md) (article)
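Review bot: The "Show user details in the reports" section still carries the mojibake apostrophe in "your organizationΓÇÖs usage data" that this same change set repairs in get-details-about-managed-devices.md ("youΓÇÖre" to "you're"); fix it here in the same pass. Three hunks in this file delete and re-add byte-identical lines (the opening "You can easily see how people in your business..." paragraph, the "new users show up as unknown" note, and the anonymized-user-list image), so the only difference is line endings or trailing whitespace; a one-time line-ending normalization would keep these diffs down to the real edits. One content point: step 3, "Uncheck the statement Display concealed user, group, and site names in all reports", is the step that de-anonymizes every report, and the sentence that this also flips the Microsoft Graph, Power BI and Teams admin center reports and is written to the Purview audit log is what an admin needs to read before clicking; keep that sentence attached to the step rather than separated from it by the added blank lines.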
admin Office 365 Groups Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups-ww.md
audience: Admin
ms.localizationpriority: medium--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_NonTOC-+ - AdminSurgePortfolio - AdminTemplateSet search.appverid:
description: "Get a Microsoft 365 Groups report to gain insights into the activi
# Microsoft 365 Reports in the admin center - Microsoft 365 groups The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft 365 groups report, you can gain insights into the activity of groups in your organization and see how many groups are being created and used.
-
+ ## How to get to the groups report 1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page. 2. From the dashboard homepage, click on the **View more** button on the Active users - Microsoft 365 Apps or the Active users - Microsoft 365 Services card to get to the Office 365 report page.
-
+ ## Interpret the groups report You can view the activations in the Office 365 report by choosing the **Groups activity** tab.
Select **Choose columns** to add or remove columns from the report.
:::image type="content" alt-text="Office 365 groups activity report - choose columns." source="../../media/1600556a-f5f1-47d9-b325-cd77c78f4004.png":::
-You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you'll need to export the data.
+You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you'll need to export the data.
The **groups** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table will show data for up to 28 days from the current date (not the date the report was generated).
The **groups** report can be viewed for trends over the last 7 days, 30 days, 90
|Total organized meetings |The sum of one-time scheduled and recurring meetings a user organized during the specified time period.| |Channel messages |The number of unique messages that a user posted in a team chat during the specified time period. This includes original posts and replies. | - ## Related content [Microsoft 365 Reports in the admin center](activity-reports.md) (article)\
-[Smart reports and insights in the Security & Compliance Center](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance) (article)\
[Microsoft 365 Reports in the admin center - Active Users](../../admin/activity-reports/active-users-ww.md) (article)-
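Review bot: The removed "Smart reports and insights in the Security & Compliance Center" entry in Related content has no replacement, while elsewhere in this change set the portal is renamed rather than dropped ("Security & Compliance Center PowerShell" becomes "Security & Compliance PowerShell"); if the target still exists under its new name, relink it instead of shrinking the list. In "Interpret the groups report", "You can view the activations in the Office 365 report by choosing the Groups activity tab" uses "activations", a term from the apps-activation report; say "group activity". The Export/sort paragraph is another delete-and-re-add of an identical line (whitespace only).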
admin Set Password To Never Expire https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/set-password-to-never-expire.md
search.appverid:
- MET150 - MOE150 ms.assetid: f493e3af-e1d8-4668-9211-230c245a0466
-description: "Sign in to your Microsoft 365 admin account to set some individual user passwords to never expire by using Windows PowerShell."
+description: "Sign in to your Microsoft 365 admin account to set some individual user passwords to never expire by using Azure AD PowerShell."
# Set an individual user's password to never expire
This article explains how to set a password for an individual user to not expire
## Before you begin
-This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account. See [Overview of the Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview?view=o365-worldwide).
+This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account. See [Overview of the Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview).
You must be a [global admin or password administrator](about-admin-roles.md) to perform these steps.
A global admin for a Microsoft cloud service can use the [Azure Active Directory
This guide applies to other providers, such as Intune and Microsoft 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed. - ## How to check the expiration policy for a password For more information about the Get-AzureADUser command in the AzureAD module, see the reference article [Get-AzureADUser](/powershell/module/Azuread/Get-AzureADUser).
admin Strong Password https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/strong-password.md
search.appverid:
- BCS160 - MET150 - MOE150
-description: "If you're an admin who manages password policy for a business, school, or nonprofit, you can set strong password requirements by using Windows PowerShell."
+description: "If you're an admin who manages password policy for a business, school, or nonprofit, you can set strong password requirements by using Azure AD PowerShell."
# Turn off strong password requirements for users
admin Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/capabilities.md
The following option can block users from accessing their Microsoft 365 email if
## Additional settings
-You can set the following additional policy settings by using Security & Compliance Center PowerShell cmdlets. For more information, see [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
+You can set the following additional policy settings by using Security & Compliance PowerShell cmdlets. For more information, see [Security & Compliance PowerShell](/powershell/exchange/scc-powershell).
|Setting name|iOS|Android| ||||
admin Get Details About Managed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/get-details-about-managed-devices.md
- AdminSurgePortfolio search.appverid: - MET150
-description: "Use Windows PowerShell to get details about Basic Mobility and Security devices in your organization."
+description: "Use Azure AD PowerShell to get details about Basic Mobility and Security devices in your organization."
# Get details about Basic Mobility and Security managed devices
-This article shows you how to use Windows PowerShell to get details about the devices in your organization that you set up for Basic Mobility and Security.
+This article shows you how to use Azure AD PowerShell to get details about the devices in your organization that you set up for Basic Mobility and Security.
Here's a breakdown for the device details available to you.
For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/of
Connect-MsolService -Credential $UserCredential ```
-### Step 3: Make sure youΓÇÖre able to run PowerShell scripts
+### Step 3: Make sure you're able to run PowerShell scripts
> [!NOTE]
-> You can skip this step if youΓÇÖre already set up to run PowerShell scripts.
+> You can skip this step if you're already set up to run PowerShell scripts.
To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
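Review bot: "Azure AD PowerShell" in the new description and intro does not match the code the article shows: Step 2 connects with `Connect-MsolService` and the script is `Get-MsolUserDeviceComplianceStatus.ps1`, both from the MSOnline module rather than the AzureAD module, so say "MSOnline module" and name the module to install, or readers will install the one whose cmdlets this script does not use. Step 3 says script execution must be enabled but not how; suggest `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` so the step does not push readers toward Unrestricted or a machine-wide change. The ΓÇÖ to ' repair is right; the same byte sequence is still present in activity-reports.md in this change set ("organizationΓÇÖs"), so grep the repo for it once.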
admin Ownerless Groups Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/ownerless-groups-teams.md
description: "Learn how to automatically invite members to become owners in an o
# Manage ownerless Microsoft 365 groups and teams
-A team in Microsoft Teams or a Microsoft 365 group can become ownerless if an owner's account is deleted or disabled in Microsoft 365. Groups and teams require an owner to add or remove members and change group settings.
+A team in Microsoft Teams or a Microsoft 365 group and its related services can become ownerless if an owner's account is deleted or disabled in Microsoft 365. Groups and teams require an owner to add or remove members and change group settings.
A Global administrator can create a policy that automatically asks the most active members of an ownerless group or team if they'll accept ownership. When a member accepts the invitation to become an owner, the action is logged in the compliance portal audit log. Guests are never invited to be owners.
To set an ownerless group or team policy
1. On the *Review and finish* page, confirm your settings and click **Finish**, and then select **Done**.
-Notifications are sent weekly starting within 24 hours of policy creation.
+Notifications are sent weekly starting within 24 hours of policy creation. Recipients can't forward the notifications to others. Notifications and responses are tracked in the audit log.
+
+Up to two group members per group can accept the invitation to become an owner. If no group members accept, an administrator will have to [assign a group owner](/admin/create-groups/add-or-remove-members-from-groups).
++
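Review bot: The new link `[assign a group owner](/admin/create-groups/add-or-remove-members-from-groups)` is missing the `/microsoft-365` prefix that every other root-relative link in this change set carries (for example `/microsoft-365/admin/usage-analytics/usage-analytics`), so it will not resolve; the target is in this article's own folder, so `add-or-remove-members-from-groups.md` matches the relative style used for `../add-users/about-admin-roles.md`. The reworded first sentence, "A team in Microsoft Teams or a Microsoft 365 group and its related services can become ownerless", now reads as if the services themselves become ownerless; "A Microsoft 365 group, and the team and other services connected to it, can become ownerless" keeps the intended meaning. The added line at the end of the hunk containing only `+` is a stray blank line and should be dropped.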
admin Resolve Issues With Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/resolve-issues-with-shared-mailboxes.md
If you see error messages when creating or using a shared mailbox, try these pos
If you see the error message, **The proxy address "smtp:<shared mailbox name\>" is already being used by the proxy addresses or LegacyExchangeDN of "\<name>". Please choose another proxy address**, it means you're trying to give the shared mailbox a name that's already in use. For example, let's say you want shared mailboxes named info@domain1 and info@domain2. There are two ways to do this:
- - Use Windows PowerShell. See this blog post for instructions: [Create Shared Mailboxes with Same Alias at Different Domains](https://www.cogmotive.com/blog/office-365-tips/create-shared-mailboxes-with-same-alias-at-different-domains-in-office-365)
-
- - Name the second shared mailbox something different from the start to get around the error. Then in the admin center, rename the shared mailbox to what you want it to be.
+- Use Exchange Online PowerShell. See this blog post for instructions: [Create Shared Mailboxes with Same Alias at Different Domains](https://www.cogmotive.com/blog/office-365-tips/create-shared-mailboxes-with-same-alias-at-different-domains-in-office-365)
+
+- Name the second shared mailbox something different from the start to get around the error. Then in the admin center, rename the shared mailbox to what you want it to be.
## Error about not having send permissions when using a shared mailbox
This message appears when Microsoft 365 is experiencing a replication latency is
[Create a shared mailbox](create-a-shared-mailbox.md) (article)\ [Configure a shared mailbox](configure-a-shared-mailbox.md) (article)\ [Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md) (article)\
-[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
+[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
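Review bot: The "Use Exchange Online PowerShell" bullet still delegates the actual steps to a third-party blog (cogmotive.com), which the wording change does not address; inline the cmdlet invocation or link the first-party cmdlet reference, since an admin following this page will paste commands from an external site into a privileged Exchange Online session and the link can rot. The quoted error message is escaped inconsistently, `"smtp:<shared mailbox name\>"` against `"\<name>"`; escape the opening `<` in both so Markdown does not treat them as HTML tags. The Related content line for "Remove a license from a shared mailbox" is a delete-and-re-add of an identical line (whitespace only).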
admin Get Help Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-support.md
Technical support for Office 365 operated by 21Vianet subscriptions provides ass
| Severity level | Operations and support description | Examples | |-||--| | Sev A (Critical) | One or more services aren't accessible or are unusable. Production, operations, or deployment deadlines are severely affected, or there will be a severe impact on production or profitability. Multiple users or services are affected. | <ul><li>Widespread problems sending or receiving mail.</li><li>SharePoint site down.</li><li>All users can't send instant messages, join or schedule Skype for Business Meetings, or make Skype for Business calls.</li></ul> |
-| Sev B (High) | The service is usable but in an impaired fashion. The situation has moderate business impact and can be dealt with during business hours. A single user, customer, or service is partially affected. | <ul><li>Send button in Outlook is garbled.</li><li>Setting is impossible from EAC (Exchange admin center) but possible in Windows PowerShell.</li></ul> |
+| Sev B (High) | The service is usable but in an impaired fashion. The situation has moderate business impact and can be dealt with during business hours. A single user, customer, or service is partially affected. | <ul><li>Send button in Outlook is garbled.</li><li>Setting is impossible from EAC (Exchange admin center) but possible in Exchange Online PowerShell.</li></ul> |
| Sev C (Non-critical) | The situation has minimal business impact. The issue is important but does not have a significant current service or productivity impact for the customer. A single user is experiencing partial disruption, but an acceptable workaround exists. | <ul><li>How to set user password that never expires.</li> <li>User can't delete contact information in Exchange Online.</li></ul> | ## Technical support initial response times
admin Configure Focused Inbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/configure-focused-inbox.md
You use PowerShell to turn Focused Inbox on or off for everyone in your organiza
The following PowerShell example turns Focused Inbox **Off** in your organization. However, it doesn't block the availability of the feature for your users. If they want, they can still re-enable Focused Inbox again on each of their clients.
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport rules" entry in [Messaging policy and compliance permissions](/exchange/messaging-policy-and-compliance-permissions-exchange-2013-help).
When a user decides to start using Focused Inbox, Clutter gets disabled automati
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organization. However, it doesn't block the availability of the feature to him. If he wants, he can still re-enable Focused Inbox again on each of his clients.
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport rules" entry in the Messaging policy and compliance permissions topic.
This example turns Focused Inbox **Off** for Tim Matthews in the Contoso organiz
## Use PowerShell to create a transport rule to direct email messages to the Focused view for all your users
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Transport rules" entry in [Messaging policy and compliance permissions](/exchange/messaging-policy-and-compliance-permissions-exchange-2013-help).
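Review bot: Step 2 of the per-user procedure ("see the 'Transport rules' entry in the Messaging policy and compliance permissions topic") lacks the link that the same step carries in the org-wide and transport-rule procedures; make the three identical. All three point at the Exchange 2013 permissions page (`/exchange/messaging-policy-and-compliance-permissions-exchange-2013-help`) although each procedure connects to Exchange Online PowerShell; link the Exchange Online permissions reference instead. The link-text change from "Connect to Exchange Online using remote PowerShell" to "Connect to Exchange Online PowerShell" is correct and matches the target slug.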
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
search.appverid: - MET150 description: "Learn how to manage licenses for independent software vendor (ISV) apps in the Microsoft 365 admin center." Previously updated : 06/15/2021 Last updated : 06/08/2022 # Manage ISV app licenses in the Microsoft 365 admin center
You must be a Global, License, or User admin to assign licenses. For more inform
## Add or remove ISV app licenses for your account
-ISV app licenses are managed by the app vendor. Contact the vendor to add or remove licenses for your account.
+If you bought your app through Microsoft at https://appsource.microsoft.com, you can [add or remove licenses](buy-licenses.md) in the Microsoft 365 admin center.
+
+If you bought an ISV app through an app vendor, contact the vendor to add or remove licenses from your account.
## Next steps
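Review bot: The split into "bought your app through Microsoft at https://appsource.microsoft.com" versus "bought an ISV app through an app vendor" is about the purchase channel, not whether the app is an ISV app (AppSource apps are ISV apps too), so state the distinction as where the purchase was made. Wrap the bare URL as a Markdown link to match the other links on the page.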
compliance Add Your Organization Brand To Encrypted Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages.md
description: Learn how Office 365 global administrators can apply your organizat
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-You can apply your company branding to customize the look of your organization's email messages and the encryption portal. You'll need to apply global administrator permissions to your work or school account before you can get started. Once you have these permissions, use the Get-OMEConfiguration and Set-OMEConfiguration Windows PowerShell cmdlets to customize these parts of encrypted email messages:
+You can apply your company branding to customize the look of your organization's email messages and the encryption portal. You'll need to apply global administrator permissions to your work or school account before you can get started. Once you have these permissions, use the Get-OMEConfiguration and Set-OMEConfiguration cmdlets in Exchange Online PowerShell to customize these parts of encrypted email messages:
- Introductory text - Disclaimer text
Once you've created the templates, you can apply them to encrypted emails by usi
## Work with OME branding templates
-You can modify several features within a branding template. You can modify, but not remove, the default template. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates. Use Windows PowerShell to work with one branding template at a time.
+You can modify several features within a branding template. You can modify, but not remove, the default template. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates. Use Exchange Online PowerShell to work with one branding template at a time.
- [Set-OMEConfiguration](/powershell/module/exchange/set-omeconfiguration) - Modify the default branding template or a custom branding template that you created. - [New-OMEConfiguration](/powershell/module/exchange/new-omeconfiguration) - Create a new branding template, Advanced Message Encryption only.
You can modify several features within a branding template. You can modify, but
## Modify an OME branding template
-Use Windows PowerShell to modify one branding template at a time. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates.
+Use Exchange Online PowerShell to modify one branding template at a time. If you have Advanced Message Encryption, you can also create, modify, and remove custom templates.
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the Set-OMEConfiguration cmdlet as described in [Set-OMEConfiguration](/powershell/module/exchange/Set-OMEConfiguration) or use the following graphic and table for guidance. ![Customizable email parts.](../media/ome-template-breakout.png)
-<br>
-
-****
-
-|**To customize this feature of the encryption experience**|**Use these commands**|
+|To customize this feature of the encryption experience|Use these commands|
||| |Background color|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -BackgroundColor "<#RRGGBB hexadecimal color code or name value>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -BackgroundColor "#ffffff"` <p> For more information about background colors, see the [Background colors](#background-color-reference) section later in this article.| |Logo|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -Image <Byte[]>` <p> **Example:** <p> `Set-OMEConfiguration -Identity "Branding Template 1" -Image ([System.IO.File]::ReadAllBytes('C:\Temp\contosologo.png'))` <p> Supported file formats: .png, .jpg, .bmp, or .tiff <p> Optimal size of logo file: less than 40 KB <p> Optimal size of logo image: 170x70 pixels. If your image exceeds these dimensions, the service resizes your logo for display in the portal. The service doesn't modify the graphic file itself. For best results, use the optimal size.|
Use Windows PowerShell to modify one branding template at a time. If you have Ad
|Text that appears at the top of the encrypted mail viewing portal|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<Text for your portal. String of up to 128 characters.>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "OME Configuration" -PortalText "ContosoPharma secure email portal."`| |To enable or disable authentication with a one-time pass code for this custom template|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -OTPEnabled <$true|$false>` <p> **Examples:** <br/>To enable one-time passcodes for this custom template <p> `Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $true` <p> To disable one-time passcodes for this custom template <p> `Set-OMEConfiguration -Identity "Branding Template 1" -OTPEnabled $false`| |To enable or disable authentication with Microsoft, Google, or Yahoo identities for this custom template|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -SocialIdSignIn <$true|$false>` <p> **Examples:** <br/>To enable social IDs for this custom template <p> `Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $true` <p> To disable social IDs for this custom template <p> `Set-OMEConfiguration -Identity "Branding Template 1" -SocialIdSignIn $false`|
-|
## Create an OME branding template (Advanced Message Encryption)
If you have Microsoft Purview Advanced Message Encryption, you can create custom
To create a new custom branding template:
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the [New-OMEConfiguration](/powershell/module/exchange/new-omeconfiguration) cmdlet to create a new template.
To create a new custom branding template:
To remove all modifications from the default template, including brand customizations, and so on, complete these steps:
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the **Set-OMEConfiguration** cmdlet as described in [Set-OMEConfiguration](/powershell/module/exchange/Set-OMEConfiguration). To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, `""`. For all image values, such as Logo, set the value to `"$null"`. The following table describes the encryption customization option defaults.
- <br>
-
- ****
- |To revert this feature of the encryption experience back to the default text and image|Use these commands| |:--|:--| |Default text that comes with encrypted email messages. The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -EmailText "<empty string>"` <p> **Example:** <p> `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""`|
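Review bot: step 2 tells the reader to set image values to `"$null"` with quotes, while the example commands in the table run `-Image $null` unquoted; in PowerShell a double-quoted `"$null"` expands to an empty string rather than to null, so the prose and the examples disagree. Suggest changing step 2 to `set the value to $null` so it matches the examples. Separately, the removed lines include the table header `|To revert this feature of the encryption experience back to the default text and image|Use these commands|` and the first data row, but no `+` line re-adding them is visible in this hunk; if the intent was only to strip the leading space, confirm the rendered table still has its header row after the change.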
To remove all modifications from the default template, including brand customiza
|Text that appears at the top of the encrypted mail viewing portal|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -PortalText "<empty string>"` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "OME Configuration" -PortalText ""`| |Logo|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -Image <"$null">` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "OME configuration" -Image $null`| |Background color|`Set-OMEConfiguration -Identity "<OMEConfigurationName>" -BackgroundColor "$null">` <p> **Example reverting back to default:** <p> `Set-OMEConfiguration -Identity "OME configuration" -BackgroundColor $null`|
- |
## Remove a custom branding template (Advanced Message Encryption)
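Review bot: the unchanged Background color row carries a stray `>` after the value (`-BackgroundColor "$null">`), and the Logo row wraps its value as `<"$null">` while its own example uses a bare `$null`. This hunk only removes the trailing `- |` line, but since it touches this table, suggest normalizing both cells to `-Image $null` and `-BackgroundColor $null` so they read the same as the examples beneath them.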
You can only remove or delete branding templates that you've made. You can't rem
To remove a custom branding template:
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the **Remove-OMEConfiguration** cmdlet as follows:
To ensure Microsoft Purview Message Encryption applies your custom branding, set
7. If you've already defined a mail flow rule to apply encryption, skip this step. Otherwise, to configure the mail flow rule to apply encryption, from **Do the following**, select **Modify the message security**, and then choose **Apply Office 365 Message Encryption and rights protection**. Select an RMS template from the list and then choose **add action**. The list of templates includes default templates and options and any custom templates you create. If the list is empty, ensure that you have set up Microsoft Purview Message Encryption. For instructions, see [Set up Microsoft Purview Message Encryption](set-up-new-message-encryption-capabilities.md). For information about the default templates, see [Configuring and managing templates for Azure Information Protection](/information-protection/deploy-use/configure-policy-templates). For information about the **Do Not Forward** option, see [Do Not Forward option for emails](/information-protection/deploy-use/configure-usage-rights#do-not-forward-option-for-emails). For information about the **encrypt only** option, see [Encrypt Only option for emails](/information-protection/deploy-use/configure-usage-rights#encrypt-only-option-for-emails).
-
+ 8. From **Do the following**, select **Modify the message security** \> **Apply custom branding to OME messages**. Next, from the drop-down, select a branding template. Choose **add action** if you want to specify another action, or choose **Save**, and then choose **OK**.
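Review bot: the added step 8 opens with "From **Do the following**, select **Modify the message security** \> **Apply custom branding to OME messages**", which reads as if it replaces the encryption action chosen in step 7 rather than being added alongside it; the "skip this step" wording in step 7 implies both actions sit on the same rule. Suggest starting step 8 with "Choose **add action**, and then from **Do the following** select ..." so it is explicit that the branding action is a second action on the rule that already applies encryption.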
The color names that you can use for the background color are limited. Instead o
The available background color names and their corresponding hex code values are described in the following table.
-|**Color name**|**Color code**|
+|Color name|Color code|
||| |`aliceblue`|#f0f8ff| |`antiquewhite`|#faebd7|
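Review bot: the `+` header row drops the bold, but the separator row beneath it is shown as `|||`, which is not a valid Markdown table delimiter (each column needs at least one dash, for example `|---|---|`). If the source really has `|||` there, the header will not render as a table header; suggest fixing the separator row in the same change.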
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
Here's a quick overview of how alert policies work and the alerts that are trigg
![Overview of how alert policies work.](../media/M365ComplianceDefender-AlertPolicies-Overview.png)
-1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the compliance portal or the Microsoft 365 Defender portal. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance Center PowerShell.
+1. An admin in your organization creates, configures, and turns on an alert policy by using the **Alert policies** page in the compliance portal or the Microsoft 365 Defender portal. You can also create alert policies by using the [New-ProtectionAlert](/powershell/module/exchange/new-protectionalert) cmdlet in Security & Compliance PowerShell.
To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the compliance portal or the Defender portal.
Here's a quick overview of how alert policies work and the alerts that are trigg
3. Microsoft 365 generates an alert that's displayed on the **Alerts** page in compliance portal or Defender portal. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the Alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
-4. An admin manages alerts in the compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.
+4. An admin manages alerts in the Microsoft Purview compliance portal. Managing alerts consists of assigning an alert status to help track and manage any investigation.
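Review bot: the unchanged step 3 just above the reworded step 4 has a grammar slip, "The alerts that an admin or other users can see that on the Alerts page is determined by", and is missing "the" before "compliance portal". Since step 4 is being edited anyway, suggest fixing step 3 to "displayed on the **Alerts** page in the compliance portal or Defender portal" and "The alerts that an admin or other users can see on the **Alerts** page are determined by the roles assigned to the user."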
## Alert policy settings
-An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the compliance center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.
+An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the Microsoft Purview compliance portal. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.
To view and create alert policies:
To view and create alert policies:
Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">compliance portal</a>, and then select **Policies** > **Alert** > **Alert policies**.
-![In the compliance center, select Policies,and under Alert, select Alert policies to view and create alert policies.](../media/LaunchAlertPoliciesMCC.png)
+![In the Microsoft Purview compliance portal, select Policies,and under Alert, select Alert policies to view and create alert policies.](../media/LaunchAlertPoliciesMCC.png)
### Microsoft 365 Defender portal
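Review bot: the `+` alt text keeps the typo "Policies,and" (missing space after the comma) from the `-` line; suggest "select Policies, and under Alert, select Alert policies" while the line is being rewritten.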
Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_b
![In the Defender portal, select Policies & rules under Email & collaboration, and then select Alert policy to view and create alert policies.](../media/LaunchAlertPoliciesDefenderPortal.png) > [!NOTE]
-> You have to be assigned the View-Only Manage Alerts role to view alert policies in the compliance center or Defender portal. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Permissions in the security and compliance center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
+> You have to be assigned the View-Only Manage Alerts role to view alert policies in the Microsoft Purview compliance portal or the Microsoft 365 Defender portal. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
An alert policy consists of the following settings and conditions.
You can also define user tags as a condition of an alert policy. This results in
- Others
- When an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the category defined in this setting. This allows you to track and manage alerts that have the same category setting on the **Alerts** page in the compliance center because you can sort and filter alerts based on category.
+ When an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the category defined in this setting. This allows you to track and manage alerts that have the same category setting on the **Alerts** page in the Microsoft Purview portal because you can sort and filter alerts based on category.
- **Alert severity**. Similar to the alert category, you assign a severity attribute (**Low**, **Medium**, **High**, or **Informational**) to alert policies. Like the alert category, when an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the same severity level that's set for the alert policy. Again, this allows you to track and manage alerts that have the same severity setting on the **Alerts** page. For example, you can filter the list of alerts so that only alerts with a **High** severity are displayed.
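Review bot: the `+` line says "on the **Alerts** page in the Microsoft Purview portal", while the other `+` lines earlier in this commit (step 4, the Alert policy settings paragraph, the screenshot alt text, and the NOTE) say "Microsoft Purview compliance portal" for what appears to be the same **Alerts** page. Suggest settling on one name; the remaining `+` lines below in this file also use the shorter form, and a reader could reasonably take the two names for two different portals.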
The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has an **Informational** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription| |**Admin triggered user compromise investigation**|Generates an alert when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer), which shows the related manual triggering of an investigation on an email. This alert notifies your organization that the user compromise investigation was started. The alert provides information about who triggered it and includes a link to the investigation. This policy has a **Medium** severity setting.|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription| |**Creation of forwarding/redirect rule**|Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook on the web (formerly known as Outlook Web App) or Exchange Online PowerShell. This policy has a **Informational** severity setting. 
For more information about using inbox rules to forward and redirect email in Outlook on the web, see [Use rules in Outlook on the web to automatically forward messages to another account](https://support.office.com/article/1433e3a0-7fb0-4999-b536-50e05cb67fed).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Security and compliance center. An alert is triggered when the following content search activities are performed: <br><br> <li> A content search is started <li> The results of a content search are exported <li> A content search report is exported <br><br> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**eDiscovery search started or exported**|Generates an alert when someone uses the Content search tool in the Microsoft Purview portal. An alert is triggered when the following content search activities are performed: <br><br> <li> A content search is started <li> The results of a content search are exported <li> A content search report is exported <br><br> Alerts are also triggered when the previous content search activities are performed in association with an eDiscovery case. This policy has a **Informational** severity setting. For more information about content search activities, see [Search for eDiscovery activities in the audit log](search-for-ediscovery-activities-in-the-audit-log.md#ediscovery-activities).|Threat management|No|E1/F1/G1, E3/F3/G3, or E5/G5|
|**Elevation of Exchange admin privilege**|Generates an alert when someone is assigned administrative permissions in your Exchange Online organization. For example, when a user is added to the Organization Management role group in Exchange Online. This policy has a **Low** severity setting.|Permissions|No|E1/F1/G1, E3/F3/G3, or E5/G5| |**Email messages containing malicious file removed after delivery**|Generates an alert when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription| |**Email messages containing malicious URL removed after delivery**|Generates an alert when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md). This policy has an **Informational** severity setting and automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md). For more information on this new policy, see [New alert policies in Microsoft Defender for Office 365](new-defender-alert-policies.md).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
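Review bot: the `+` eDiscovery row keeps "This policy has a **Informational** severity setting" from the `-` line; it should be "an **Informational**". The same article error is in the unchanged "Creation of forwarding/redirect rule" row in this hunk. Also, the `<li>` items inside the eDiscovery cell have no closing tags and no enclosing `<ul>`; if that renders correctly today it can stay, but it is worth a look while the cell is being edited.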
The unusual activity monitored by some of the built-in policies is based on the
## View alerts
-When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **Alerts** page in the compliance center or the Defender portal. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **Alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#manage-alerts).
+When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **Alerts** page in the Microsoft Purview portal or the Defender portal. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **Alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#manage-alerts).
To view alerts:
You can use the following filters to view a subset of all the alerts on the **Al
- **Tags.** Use this filter to show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See [User tags in Office 356 ATP](../security/office-365-security/user-tags.md) to learn more. -- **Source.** Use this filter to show alerts triggered by alert policies in the compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see [Viewing Defender for Cloud Apps alerts](#viewing-cloud-app-security-alerts).
+- **Source.** Use this filter to show alerts triggered by alert policies in the Microsoft Purview portal or alerts triggered by Microsoft Defender for Cloud Apps policies, or both. For more information about Defender for Cloud App Security alerts, see [Viewing Defender for Cloud Apps alerts](#viewing-cloud-app-security-alerts).
> [!IMPORTANT] > Filtering and sorting by user tags is currently in public preview.
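Review bot: the `+` Source bullet mixes product names within one line: the first sentence says "Microsoft Defender for Cloud Apps policies" and the second "Defender for Cloud App Security alerts". Suggest "Defender for Cloud Apps alerts" in both places to match the link text "[Viewing Defender for Cloud Apps alerts]". The unchanged **Tags** bullet just above also has "Office 356 ATP" in its link text, which should read "Office 365".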
To see which category a default alert policy is assigned to, see the table in [D
|View-Only Retention Management|![Check mark](../media/checkmark.png)|||||| > [!TIP]
-> To view the roles that are assigned to each of the default role groups, run the following commands in Security & Compliance Center PowerShell:
+> To view the roles that are assigned to each of the default role groups, run the following commands in Security & Compliance PowerShell:
> > ```powershell > $RoleGroups = Get-RoleGroup
To see which category a default alert policy is assigned to, see the table in [D
## Manage alerts
-After alerts have been generated and displayed on the **Alerts** page in the compliance center, you can triage, investigate, and resolve them. The same [RBAC permissions](#rbac-permissions-required-to-view-alerts) that give users access to alerts also give them the ability to manage alerts.
+After alerts have been generated and displayed on the **Alerts** page in the Microsoft Purview portal, you can triage, investigate, and resolve them. The same [RBAC permissions](#rbac-permissions-required-to-view-alerts) that give users access to alerts also give them the ability to manage alerts.
Here are some tasks you can perform to manage alerts.
Here are some tasks you can perform to manage alerts.
## View Defender for Cloud Apps alerts
-Alerts that are triggered by Office 365 Cloud App Security policies are now displayed on the **Alerts** page in the compliance center. This includes alerts that are triggered by activity policies and alerts that are triggered by anomaly detection policies in Office 365 Cloud App Security. This means you can view all alerts in the compliance center. Office 365 Cloud App Security is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription. For more information, see [Overview of Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security).
+Alerts that are triggered by Defender for Cloud Apps Security policies are now displayed on the **Alerts** page in the Microsoft Purview portal. This includes alerts that are triggered by activity policies and alerts that are triggered by anomaly detection policies in Defender for Cloud Apps Security. This means you can view all alerts in the Microsoft Purview portal. Defender for Cloud App Security is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription. For more information, see [Overview of Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security).
Organizations that have Microsoft Defender for Cloud Apps as part of an Enterprise Mobility + Security E5 subscription or as a standalone service can also view Defender for Cloud Apps alerts that are related to Microsoft 365 apps and services in the compliance portal or the Microsoft 365 Defender portal.
-To display only Defender for Cloud Apps alerts in the compliance center or the Defender portal, use the **Source** filter and select **Defender for Cloud Apps**.
+To display only Defender for Cloud Apps alerts in the Microsoft Purview portal or the Defender portal, use the **Source** filter and select **Defender for Cloud Apps**.
![Use the Source filter to display only Defender for Cloud Apps alerts.](../media/FilterCASAlerts.png)
-Similar to an alert triggered by an alert policy in the compliance center, you can select a Defender for Cloud Apps alert to display a flyout page with details about the alert. The alert includes a link to view the details and manage the alert in the Defender for Cloud Apps portal and a link to the corresponding Defender for Cloud Apps policy that triggered the alert. See [Monitor alerts in Defender for Cloud Apps](/cloud-app-security/monitor-alerts).
+Similar to an alert triggered by an alert policy in the Microsoft Purview portal, you can select a Defender for Cloud Apps alert to display a flyout page with details about the alert. The alert includes a link to view the details and manage the alert in the Defender for Cloud Apps portal and a link to the corresponding Defender for Cloud Apps policy that triggered the alert. See [Monitor alerts in Defender for Cloud Apps](/cloud-app-security/monitor-alerts).
![Alert details contain links to the Defender for Cloud Apps portal.](../media/CASAlertDetail.png) > [!IMPORTANT]
-> Changing the status of a Defender for Cloud Apps alert in the compliance center won't update the resolution status for the same alert in the Defender for Cloud Apps portal. For example, if you mark the status of the alert as **Resolved** in the compliance center, the status of the alert in the Defender for Cloud Apps portal is unchanged. To resolve or dismiss a Defender for Cloud Apps alert, manage the alert in the Defender for Cloud Apps portal.
+> Changing the status of a Defender for Cloud Apps alert in the Microsoft Purview portal won't update the resolution status for the same alert in the Defender for Cloud Apps portal. For example, if you mark the status of the alert as **Resolved** in the Microsoft Purview portal, the status of the alert in the Defender for Cloud Apps portal is unchanged. To resolve or dismiss a Defender for Cloud Apps alert, manage the alert in the Defender for Cloud Apps portal.
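Review bot: the first `+` paragraph in this hunk introduces three spellings of one product, "Defender for Cloud Apps Security policies", "Defender for Cloud Apps Security" and "Defender for Cloud App Security", whereas the section heading and the other `+` lines say "Defender for Cloud Apps". Suggest "Defender for Cloud Apps" throughout. The unchanged paragraph between the first two `+` lines also still says "in the compliance portal or the Microsoft 365 Defender portal" while the `+` lines around it switched to "Microsoft Purview portal"; update it in the same pass so the section uses one name.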
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
To identify files in SharePoint or OneDrive and Exchange emails that have a spec
InformationProtectionLabelId:<GUID> ```
-To find the GUID, use the [Get-Label](/powershell/module/exchange/get-label) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell):
+To find the GUID, use the [Get-Label](/powershell/module/exchange/get-label) cmdlet from [Security & Compliance PowerShell](/powershell/exchange/scc-powershell):
-````powershell
+```powershell
Get-Label | Format-Table -Property DisplayName, Name, Guid
-````
+```
#### Auto-apply labels to content by using trainable classifiers
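Review bot: the change from four backticks to three on the fence is correct. A small usability point on the command in the block: `Format-Table -Property DisplayName, Name, Guid` will truncate long display names in a narrow console, which makes it harder to copy the GUID next to the right label; consider `Format-Table -Property DisplayName, Name, Guid -AutoSize` or `Format-List` so the GUID is always shown in full.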
When you auto-apply retention labels based on sensitive information, keywords or
If the expected labels don't appear after seven days, check the **Status** of the auto-apply policy by selecting it from the **Label policies** page in the Microsoft Purview compliance portal. If you see the status of **Off (Error)** and in the details for the locations see a message that it's taking longer than expected to deploy the policy (for SharePoint) or to try redeploying the policy (for OneDrive), try running the [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) PowerShell command to retry the policy distribution:
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run the following command:
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
You can also see the results of your auto-labeling policy by using [content expl
### Use PowerShell for auto-labeling policies
-You can use [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell) to create and configure auto-labeling policies. This means you can fully script the creation and maintenance of your auto-labeling policies, which also provides a more efficient method of specifying multiple URLs for OneDrive and SharePoint locations.
+You can use [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) to create and configure auto-labeling policies. This means you can fully script the creation and maintenance of your auto-labeling policies, which also provides a more efficient method of specifying multiple URLs for OneDrive and SharePoint locations.
-Before you run the commands in PowerShell, you must first [connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Before you run the commands in PowerShell, you must first [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
To create a new auto-labeling policy:
compliance Assign Ediscovery Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assign-ediscovery-permissions.md
The primary eDiscovery-related role group in compliance portal is called **eDisc
- You have to be a member of the Organization Management role group or be assigned the Role Management role to assign eDiscovery permissions in the compliance portal. -- You can use the [Add-RoleGroupMember](/powershell/module/exchange/Add-RoleGroupMember) cmdlet in Security & Compliance Center PowerShell to add a mail-enabled security group as a member of the eDiscovery Managers subgroup in the eDiscovery Manager role group. However, you can't add a mail-enabled security group to the eDiscovery Administrators subgroup. For details, see [More information](#more-information).
+- You can use the [Add-RoleGroupMember](/powershell/module/exchange/Add-RoleGroupMember) cmdlet in Security & Compliance PowerShell to add a mail-enabled security group as a member of the eDiscovery Managers subgroup in the eDiscovery Manager role group. However, you can't add a mail-enabled security group to the eDiscovery Administrators subgroup. For details, see [More information](#more-information).
## Assign eDiscovery permissions
The primary eDiscovery-related role group in compliance portal is called **eDisc
2. In the left pane, select **Permissions**.
-3. On the **Permissions & Roles** page, under **Compliance center**, click **Roles**.
+3. On the **Permissions & Roles** page, under **Microsoft Purview solutions**, click **Roles**.
-4. On the **Compliance center roles** page, select **eDiscovery Manager**.
+ To go directly to this page, use <https://compliance.microsoft.com/compliancecenterpermissions>.
+
+4. On the **Role groups for Microsoft Purview solutions** page, select **eDiscovery Manager**.
5. On the **eDiscovery Manager** flyout page, do one of the following based on the eDiscovery permissions that you want to assign.
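Review bot: the added "To go directly to this page" line is indented under step 3, but the URL path `compliancecenterpermissions` appears to land on the Permissions page reached in step 2 rather than on the **Roles** page selected in step 3. Suggest either moving the sentence under step 2 or wording it "To go directly to the Permissions page, use ..." so the shortcut matches the step it sits beneath.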
The following table lists the eDiscovery-related RBAC roles in the compliance po
| Role | Compliance Administrator | eDiscovery Manager & Administrator | Organization Management | Reviewer | |:--|:--:|:--:|:--:|:--:|
-|Case Management <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> |
-|Communication <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> | <br/> |
-|Compliance Search <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> |
-|Custodian <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> | <br/> |
-|Export <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> | <br/> |
-|Hold <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> |
-|Preview <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> | <br/> |
-|Review <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> |![Check mark](../media/checkmark.png) <br/> |
-|RMS Decrypt <br/> ||![Check mark](../media/checkmark.png) <br/> |||
-|Search And Purge <br/> | <br/> | <br/> |![Check mark](../media/checkmark.png)<br/> | <br/> |
-||||||
+|Case Management|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)||
+|Communication||![Check mark.](../media/checkmark.png)|||
+|Compliance Search|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)||
+|Custodian||![Check mark.](../media/checkmark.png)|||
+|Export||![Check mark.](../media/checkmark.png)|||
+|Hold|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)||
+|Preview||![Check mark.](../media/checkmark.png)|||
+|Review||![Check mark.](../media/checkmark.png)||![Check mark](../media/checkmark.png)|
+|RMS Decrypt||![Check mark](../media/checkmark.png)|||
+|Search And Purge|||![Check mark](../media/checkmark.png)||
The following sections describe each of the eDiscovery-related RBAC roles listed in the previous table.
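Review bot: the alt text is still inconsistent after the table cleanup: the Review, RMS Decrypt and Search And Purge rows use `![Check mark](../media/checkmark.png)` while every other cell uses `![Check mark.](../media/checkmark.png)` (with the trailing period). Since these rows are being rewritten anyway, normalize to one form. Dropping the `<br/>` tags and the empty trailing `||||||` row is fine; rendered content is unchanged.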
Get-ComplianceCase -RoleGroup "Name of role group" -CaseType AdvancedEdiscovery
- Because an eDiscovery Administrator can view and access all eDiscovery (Standard) and eDiscovery (Premium) cases, they can audit and oversee all cases and associated compliance searches. This can help to prevent any misuse of compliance searches or eDiscovery cases. And because eDiscovery Administrators can access potentially sensitive information in the results of a compliance search, you should limit the number of people who are eDiscovery Administrators. -- **Can I add a group as a member of the eDiscovery Manager role group?** As previously explained, you can add a mail-enabled security group as a member of the eDiscovery Managers subgroup in the eDiscovery Manager role group by using the **Add-RoleGroupMember** cmdlet in Security & Compliance Center PowerShell. For example, you can run the following command to add a mail-enabled security group to the eDiscovery Manager role group.
+- **Can I add a group as a member of the eDiscovery Manager role group?** As previously explained, you can add a mail-enabled security group as a member of the eDiscovery Managers subgroup in the eDiscovery Manager role group by using the **Add-RoleGroupMember** cmdlet in Security & Compliance PowerShell. For example, you can run the following command to add a mail-enabled security group to the eDiscovery Manager role group.
```powershell Add-RoleGroupMember "eDiscovery Manager" -Member <name of security group>
Get-ComplianceCase -RoleGroup "Name of role group" -CaseType AdvancedEdiscovery
Exchange distribution groups and Microsoft 365 Groups aren't supported. You must use a mail-enabled security group, which you can create in Exchange Online PowerShell by running `New-DistributionGroup -Type Security`. You can also create a mail-enabled security group (and add members) in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> or in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339). It might take up to 60 minutes after you create it for a new mail-enabled security group to be available to add to the eDiscovery Managers role group.
- Also as previously stated, you can't make a mail-enabled security group an eDiscovery Administrator by using the **Add-eDiscoveryCaseAdmin** cmdlet in Security & Compliance Center PowerShell. You can only add individual users as eDiscovery Administrators.
+ Also as previously stated, you can't make a mail-enabled security group an eDiscovery Administrator by using the **Add-eDiscoveryCaseAdmin** cmdlet in Security & Compliance PowerShell. You can only add individual users as eDiscovery Administrators.
You also can't add a mail-enabled security group as a member of a case.
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
To edit a policy, select it to display the flyout page. You can modify one or mo
> [!IMPORTANT] >
-> If you use the **New-UnifiedAuditLogRetentionPolicy** cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the **Create audit retention policy** tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the **Audit retention policies** dashboard. You'll only be able to view and delete the policy in the compliance center. To edit the policy, you'll have to use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell.>
+> If you use the **New-UnifiedAuditLogRetentionPolicy** cmdlet, it's possible to create an audit log retention policy for record types or activities that aren't available in the **Create audit retention policy** tool in the dashboard. In this case, you won't be able to edit the policy (for example, change the retention duration or add and remove activities) from the **Audit retention policies** dashboard. You'll only be able to view and delete the policy in the Microsoft Purview compliance portal. To edit the policy, you'll have to use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance PowerShell.>
> > **Tip:** A message is displayed at the top of the flyout page for policies that have to be edited using PowerShell.
To delete a policy, click the **Delete** ![Delete icon.](../media/92a9f8e0-d469-
## Create and manage audit log retention policies in PowerShell
-You can also use Security & Compliance Center PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.
+You can also use Security & Compliance PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.
### Create an audit log retention policy in PowerShell Follow these steps to create an audit log retention policy in PowerShell:
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run the following command to create an audit log retention policy:
For more information, see [New-UnifiedAuditLogRetentionPolicy](/powershell/modul
### View policies in PowerShell
-Use the [Get-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/get-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell to view audit log retention policies.
+Use the [Get-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/get-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance PowerShell to view audit log retention policies.
Here's a sample command to display the settings for all audit log retention policies in your organization. This command sorts the policies from the highest to lowest priority.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object -Property Priority -Descending
### Edit policies in PowerShell
-Use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell to edit an existing audit log retention policy.
+Use the [Set-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/set-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance PowerShell to edit an existing audit log retention policy.
### Delete policies in PowerShell
-Use the [Remove-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/remove-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance Center PowerShell to delete an audit log retention policy. It might take up to 30 minutes for the policy to be removed from your organization.
+Use the [Remove-UnifiedAuditLogRetentionPolicy](/powershell/module/exchange/remove-unifiedauditlogretentionpolicy) cmdlet in Security & Compliance PowerShell to delete an audit log retention policy. It might take up to 30 minutes for the policy to be removed from your organization.
## More information
compliance Bulk Create Publish Labels Using Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-create-publish-labels-using-powershell.md
if ($ResultCSV)
## Step 4: Run the PowerShell script
-First, [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+First, [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
Then, run the script that creates and publishes the retention labels:
-1. In your Security & Compliance Center PowerShell session, enter the path, followed by the characters `.\` and the file name of the script, and then press ENTER to run the script. For example:
+1. In your Security & Compliance PowerShell session, enter the path, followed by the characters `.\` and the file name of the script, and then press ENTER to run the script. For example:
```powershell <path>.\CreateRetentionSchedule.ps1
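Review bot: the instruction in the new step 1 ("enter the path, followed by the characters `.\` and the file name") yields an odd-looking command when followed literally, such as `C:\Scripts.\CreateRetentionSchedule.ps1`; `.\` is the current-directory prefix, not a separator between a folder and a file name. Either tell the reader to change to the folder first and run `.\CreateRetentionSchedule.ps1`, or to give the full path as `<path>\CreateRetentionSchedule.ps1`, and make the `<path>.\CreateRetentionSchedule.ps1` example on the following line match.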
compliance Change The Hold Duration For An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/change-the-hold-duration-for-an-inactive-mailbox.md
As regulations and policies evolve, there may be some situations in which you ne
## Connect to PowerShell
-As we mentioned before, many different types of holds can trigger the creation of an inactive mailbox. For this reason, in order to change the hold duration applied to the inactive mailbox, you must first identify what type of holds are affecting it. To do this, you must use Exchange Online PowerShell to identify the types of holds and, if the inactive mailbox is affected by Microsoft 365 retention policies or labels you must also use Security and Compliance Center PowerShell to identify the specific policies.
+As we mentioned before, many different types of holds can trigger the creation of an inactive mailbox. For this reason, in order to change the hold duration applied to the inactive mailbox, you must first identify what type of holds are affecting it. To do this, you must use Exchange Online PowerShell to identify the types of holds and, if the inactive mailbox is affected by Microsoft 365 retention policies or labels you must also use Security & Compliance PowerShell to identify the specific policies.
-- To connect to Exchange Online PowerShell or Security & Compliance Center PowerShell, see one of the following topics:
+- To connect to Exchange Online PowerShell or Security & Compliance PowerShell, see one of the following topics:
- [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
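Review bot: the new line needs a comma after "labels" ("...retention policies or labels, you must also use Security & Compliance PowerShell..."); without it the two clauses run together. The change from "Security and Compliance Center PowerShell" to "Security & Compliance PowerShell" is otherwise consistent with the renamed references elsewhere in this topic.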
- - [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell)
+ - [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)
## Step 1: Identify the holds on an inactive mailbox
After you identify what type of hold is placed on the inactive mailbox (and whet
### Change the duration for a Microsoft 365 retention policy
-In order to modify the hold duration for a Microsoft 365 retention policy, you must first identify the policy affecting the inactive mailbox by running `Get-RetentionCompliancePolicy` with the associated GUID from the `InPlaceHolds` property on the mailbox in Security and Compliance Center PowerShell.
+In order to modify the hold duration for a Microsoft 365 retention policy, you must first identify the policy affecting the inactive mailbox by running `Get-RetentionCompliancePolicy` with the associated GUID from the `InPlaceHolds` property on the mailbox in Security & Compliance PowerShell.
Be sure to remove the prefix and suffix from the GUID when running this command. For example, using the sample information from above, you would take the `InPlaceHolds` value of `mbxcdbbb86ce60342489bff371876e7f224:3` then remove `mbx` and `:3` resulting in a policy GUID of `cdbbb86ce60342489bff371876e7f224`. In this example, you'd want to run:
If the intention is to modify the retention period for only inactive mailboxes,
### Change the duration for a Microsoft 365 retention label
-As with retention policies, when modifying the hold duration of a Microsoft 365 retention label, you must first identify the policy which publishes the label affecting the content within the inactive mailbox by running `Get-RetentionCompliancePolicy` with the associated GUID from the `InPlaceHolds` property on the mailbox in Security and Compliance Center PowerShell.
+As with retention policies, when modifying the hold duration of a Microsoft 365 retention label, you must first identify the policy which publishes the label affecting the content within the inactive mailbox by running `Get-RetentionCompliancePolicy` with the associated GUID from the `InPlaceHolds` property on the mailbox in Security & Compliance PowerShell.
Be sure to remove the prefix and suffix from the GUID when running this command. For example, using the sample information from above, you would take the `InPlaceHolds` value of `mbx6fe063689d404a5bb9940eed0f0bf5d2:1` then remove `mbx` and `:1` resulting in a policy GUID of `6fe063689d404a5bb9940eed0f0bf5d2`. In this example, you'd want to run:
compliance Clone A Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/clone-a-content-search.md
search.appverid:
ms.assetid: 7b40eeaa-544c-4534-b89b-9f79998e374c - seo-marvel-apr2020
-description: "Use the PowerShell script in this article to quickly clone an existing Content Search in the compliance center in Office 365 or Microsoft 365."
+description: "Use the PowerShell script in this article to quickly clone an existing Content Search in the Microsoft Purview compliance portal in Microsoft 365."
# Clone a Content Search [!include[Purview banner](../includes/purview-rebrand-banner.md)]
-Creating a Content Search in the compliance center in Office 365 or Microsoft 365 that searches many mailboxes or SharePoint and OneDrive for Business sites can take a while. Specifying the sites to search can also be prone to errors if you mistype a URL. To avoid these issues, you can use the Windows PowerShell script in this article to quickly clone an existing Content Search. When you clone a search, a new search (with a different name) is created that contains the same properties (such as the content locations and the search query) as the original search. Then you can edit the new search by changing the keyword query or the date range, and run it.
-
+Creating a Content Search in the Microsoft Purview compliance portal in Microsoft 365 that searches many mailboxes or SharePoint and OneDrive for Business sites can take a while. Specifying the sites to search can also be prone to errors if you mistype a URL. To avoid these issues, you can use the Windows PowerShell script in this article to quickly clone an existing Content Search. When you clone a search, a new search (with a different name) is created that contains the same properties (such as the content locations and the search query) as the original search. Then you can edit the new search by changing the keyword query or the date range, and run it.
+ Why clone Content Searches?
-
+ - To compare the results of different keyword search queries run on the same content locations.
-
+ - To save you from having to reenter a large number of content locations when you create a new search.
-
+ - To decrease the size of the search results. For example, if you have a search that returns too many results to export, you can clone the search and then add a search condition based on a date range to reduce the number of search results.
-
+ ## Script information
+- You need to install the Exchange Online V2 module. For instructions, see [Install and maintain the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).
+ - You have to be a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal to run the script described in this topic.
-
+ - The script includes minimal error handling. The primary purpose of the script is to quickly clone a content search.
-
+ - The script creates a new Content Search, but doesn't start it.
-
-- This script takes into account whether the Content Search that you're cloning is associated with an eDiscovery case. If the search is associated with a case, the new search will also be associated with the same case. If the existing search isn't associated with a case, the new search will be listed on the **Content search** page in the compliance center.
-
+
+- This script takes into account whether the Content Search that you're cloning is associated with an eDiscovery case. If the search is associated with a case, the new search will also be associated with the same case. If the existing search isn't associated with a case, the new search will be listed on the **Content search** page in the Microsoft Purview compliance portal.
+ - The sample script provided in this topic isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
-
+ ## Step 1: Run the script to clone a search The script in this step will create a new Content Search by cloning an existing one. When you run this script, you'll be prompted for the following information:
-
-- **Your user credentials** - The script will use your credentials to connect to Security & Compliance Center PowerShell. As previously stated, you have to be a member of the eDiscovery Manager role group in the Security & compCompliance Center to run the script.
-
-- **The name of the existing search** - This is the Content Search that you want to clone.
-
-- **The name of the new search that will be created** - If you leave this value blank, the script will create a name for the new search that is based on the name of the search that you're cloning.
-
+
+- **Your user credentials** - The script will use your credentials to connect to Security & Compliance PowerShell. As previously stated, you have to be a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal to run the script.
+
+- **The name of the existing search** - This is the Content Search that you want to clone.
+
+- **The name of the new search that will be created** - If you leave this value blank, the script will create a name for the new search that is based on the name of the search that you're cloning.
+ To clone a search:
-
+ 1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `CloneSearch.ps1`.
-
- ```powershell
- # This PowerShell script clones an existing content search in the Security &amp; Compliance Center.
- # Get login credentials from the user
- if(!$UserCredential)
- {
- $UserCredential = Get-Credential
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
- if (!$Session)
- {
- Write-Error "Couldn't create a remote PowerShell session."
- return
- }
- Import-PSSession $Session -AllowClobber -DisableNameChecking
- $Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Security & Compliance Center)"
- }
- # Ask for the name of the search you want to clone
- $searchName = Read-Host 'Enter the name of the search that you want to clone'
- # Ask for the name of the new search
- $newSearchName = Read-Host 'Enter a name for the new search [leave blank to automatically generate a name]'
- $originalSearch = Get-ComplianceSearch $searchName -EA SilentlyContinue
- # Make sure we have a valid search before continuing
- if(!$originalSearch)
- {
- Write-Error "Couldn't find search: $searchName"
- return
- }
- $searchNameCounter = 1
- # Find a suitable name for the new search
- while(!$newSearchName)
- {
- $newSearchName = $originalSearch.Name + "_" + $searchNameCounter
- $tempSearch = Get-ComplianceSearch $newSearchName -EA SilentlyContinue
- if ($tempSearch)
- {
- $newSearchName = $null
- $searchNameCounter++
- }
- }
- $caseName
- # Determine if the search is part of a case; if so get the case name
- if ($originalSearch.CaseId)
- {
- $searchCase = Get-ComplianceCase $originalSearch.CaseId
- $caseName = $searchCase.Name
- }
- # Need to cast this value as a Boolean the old fashion way
- $allowNotFoundExchangeLocationsEnabled = $false
- if ($originalSearch.AllowNotFoundExchangeLocationsEnabled)
- {
- $allowNotFoundExchangeLocationsEnabled = $true
- }
- $newSearch = New-ComplianceSearch -Name $newSearchName -AllowNotFoundExchangeLocationsEnabled $allowNotFoundExchangeLocationsEnabled -Case $caseName -ContentMatchQuery $originalSearch.ContentMatchQuery -Description $originalSearch.Description -ExchangeLocation $originalSearch.ExchangeLocation -ExchangeLocationExclusion $originalSearch.ExchangeLocationExclusion -Language $originalSearch.Language -SharePointLocation $originalSearch.SharePointLocation -SharePointLocationExclusion $originalSearch.SharePointLocationExclusion -PublicFolderLocation $originalSearch.PublicFolderLocation
- if ($newSearch)
- {
- Write-Host $newSearch.Name "was successfully created" -ForegroundColor Yellow
- }
- ```
-
-2. Open Windows PowerShell and go to the folder where you saved the script.
-
+
+ ```powershell
+ # This PowerShell script clones an existing content search in Microsoft Purview compliance.
+
+ # Ask for the name of the search you want to clone
+ $searchName = Read-Host 'Enter the name of the search that you want to clone'
+ # Ask for the name of the new search
+ $newSearchName = Read-Host 'Enter a name for the new search [leave blank to automatically generate a name]'
+ $originalSearch = Get-ComplianceSearch $searchName -EA SilentlyContinue
+ # Make sure we have a valid search before continuing
+ if(!$originalSearch)
+ {
+ Write-Error "Couldn't find search: $searchName"
+ return
+ }
+ $searchNameCounter = 1
+ # Find a suitable name for the new search
+ while(!$newSearchName)
+ {
+ $newSearchName = $originalSearch.Name + "_" + $searchNameCounter
+ $tempSearch = Get-ComplianceSearch $newSearchName -EA SilentlyContinue
+ if ($tempSearch)
+ {
+ $newSearchName = $null
+ $searchNameCounter++
+ }
+ }
+ $caseName
+ # Determine if the search is part of a case; if so get the case name
+ if ($originalSearch.CaseId)
+ {
+ $searchCase = Get-ComplianceCase $originalSearch.CaseId
+ $caseName = $searchCase.Name
+ }
+ # Need to cast this value as a Boolean the old fashion way
+ $allowNotFoundExchangeLocationsEnabled = $false
+ if ($originalSearch.AllowNotFoundExchangeLocationsEnabled)
+ {
+ $allowNotFoundExchangeLocationsEnabled = $true
+ }
+ $newSearch = New-ComplianceSearch -Name $newSearchName -AllowNotFoundExchangeLocationsEnabled $allowNotFoundExchangeLocationsEnabled -Case $caseName -ContentMatchQuery $originalSearch.ContentMatchQuery -Description $originalSearch.Description -ExchangeLocation $originalSearch.ExchangeLocation -ExchangeLocationExclusion $originalSearch.ExchangeLocationExclusion -Language $originalSearch.Language -SharePointLocation $originalSearch.SharePointLocation -SharePointLocationExclusion $originalSearch.SharePointLocationExclusion -PublicFolderLocation $originalSearch.PublicFolderLocation
+ if ($newSearch)
+ {
+ Write-Host $newSearch.Name "was successfully created" -ForegroundColor Yellow
+ }
+ ```
+
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell). In the same PowerShell window, go to the folder where you saved the script.
+ 3. Run the script; for example:
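Review bot: `$originalSearch = Get-ComplianceSearch $searchName -EA SilentlyContinue` (new script, directly after the two `Read-Host` prompts) now also masks the command-not-found error a reader gets when they skip the new step 2 and run the script without a session, because the script no longer opens its own connection; the only feedback is the misleading `Couldn't find search: <name>`. Suggest a guard at the top of the script, for example `if (-not (Get-Command Get-ComplianceSearch -ErrorAction SilentlyContinue)) { Write-Error "Connect to Security & Compliance PowerShell first."; return }`. Also, the bare `$caseName` line is a no-op expression rather than an initialization; make it `$caseName = $null`, and consider passing `-Case` to `New-ComplianceSearch` only when a case was actually found. Minor: the header comment "in Microsoft Purview compliance." should read "in the Microsoft Purview compliance portal", and "old fashion way" should be "old-fashioned way". Removing the `New-PSSession ... -Authentication Basic -AllowRedirection` block in favor of the documented connection step is the right call.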
-
- ```powershell
- .\CloneSearch.ps1
- ```
-
-4. When prompted for your credentials, enter your email address and password, and then click **OK**.
-
-5. Enter following information when prompted by the script. Type each piece of information and then press **Enter**.
-
- - The name of the existing search.
-
- - The name of the new search.
-
- The script creates the new Content Search, but doesn't start it. This gives you a chance to edit and run the search in the next step. You can view the properties of the new search by running the **Get-ComplianceSearch** cmdlet or by going to the **Content search** or **eDiscovery** page in the compliance center, depending on whether the new search is associated with a case.
-
-## Step 2: Edit and run the cloned search in the compliance center
-
-After you run the script to clone an existing Content Search, the next step is to go to the compliance center to edit and run the new search. As previously stated, you can edit a search by changing the keyword search query and adding or removing search conditions. For more information, see:
-
+
+ ```powershell
+ .\CloneSearch.ps1
+ ```
+
+4. Enter following information when prompted by the script. Type each piece of information and then press **Enter**.
+
+ - The name of the existing search.
+ - The name of the new search.
+
+ The script creates the new Content Search, but doesn't start it. This gives you a chance to edit and run the search in the next step. You can view the properties of the new search by running the **Get-ComplianceSearch** cmdlet or by going to the **Content search** or **eDiscovery** page in the Microsoft Purview compliance portal, depending on whether the new search is associated with a case.
+
+## Step 2: Edit and run the cloned search in the Microsoft Purview compliance portal
+
+After you run the script to clone an existing Content Search, the next step is to go to the Microsoft Purview compliance portal to edit and run the new search. As previously stated, you can edit a search by changing the keyword search query and adding or removing search conditions. For more information, see:
+ - [Content Search in Office 365](content-search.md)
-
+ - [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md)
-
-- [eDiscovery cases](./get-started-core-ediscovery.md)+
+- [eDiscovery cases](./get-started-core-ediscovery.md)
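Review bot: "Enter following information" in the new step 4 is missing "the" ("Enter the following information"). Also, the list under Step 2 still links to "[Content Search in Office 365](content-search.md)" while the rest of this change rebrands the topic to Microsoft 365 and the Microsoft Purview compliance portal; update the link text for consistency. Dropping the old step 4 ("When prompted for your credentials...") is correct now that the script no longer prompts for credentials itself.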
compliance Compliance Easy Trials Compliance Playbook https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md
Audit log retention policies are part of the new Audit (Premium) capabilities in
1. Before you create an audit log retention policy ΓÇô [key things to know](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy) before creating your policy. 1. [Create an audit log retention policy](audit-log-retention-policies.md#create-an-audit-log-retention-policy) 1. [Manage audit log retention policies in the Microsoft Purview compliance portal](audit-log-retention-policies.md#manage-audit-log-retention-policies-in-the-compliance-portal) - Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies.
-1. Create and manage audit log retention policies on PowerShell - You can also use Security & Compliance Center PowerShell to [create and manage audit log retention policies](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell). One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.
+1. Create and manage audit log retention policies on PowerShell - You can also use Security & Compliance PowerShell to [create and manage audit log retention policies](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell). One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.
## Communication Compliance
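Review bot: "Create and manage audit log retention policies on PowerShell" in the new line should read "in PowerShell", matching the heading of the section it links to ("Create and manage audit log retention policies in PowerShell").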
To access eDiscovery (Premium) or be added as a member of an eDiscovery (Premium
More organizations use the eDiscovery (Premium) solution in Microsoft Purview for critical eDiscovery processes. This includes responding to regulatory requests, investigations, and litigation.
-1. Manage eDiscovery (Premium) ΓÇô [learn how to configure eDiscovery (Premium), manage cases by using the Security & Compliance Center, manage a workflow in eDiscovery (Premium), and analyze eDiscovery (Premium) search results](/learn/modules/manage-advanced-ediscovery).
+1. Manage eDiscovery (Premium) ΓÇô [learn how to configure eDiscovery (Premium), manage cases, manage a workflow in eDiscovery (Premium), and analyze eDiscovery (Premium) search results](/learn/modules/manage-advanced-ediscovery).
1. [Create an eDiscovery case using Advance eDiscovery's new case format](advanced-ediscovery-new-case-format.md) 1. [Close or delete a case](close-or-delete-case.md) - When the legal case or investigation is completed, you can close or delete. You can also reopen a closed case.
compliance Compliance Manager Mcca https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-mcca.md
description: "Understand how to use Microsoft Compliance Configuration Analyzer
## Microsoft Compliance Configuration Analyzer (MCCA) (preview) overview
-The Microsoft Compliance Configuration Analyzer (MCCA) is a preview tool that can help you get started with [Microsoft Purview Compliance Manager](compliance-manager.md). MCCA is a PowerShell-based utility that will fetch your organizationΓÇÖs current configurations and validate them against Microsoft 365 recommended best practices. These best practices are based on a set of controls that include key regulations and standards for data protection and data governance.
+The Microsoft Compliance Configuration Analyzer (MCCA) is a preview tool that can help you get started with [Microsoft Purview Compliance Manager](compliance-manager.md). MCCA is a PowerShell-based utility that will fetch your organization's current configurations and validate them against Microsoft 365 recommended best practices. These best practices are based on a set of controls that include key regulations and standards for data protection and data governance.
MCCA can help you quickly see which improvement actions in Compliance Manager apply to your current Microsoft 365 environment. Each action identified by MCCA will give you recommendations for implementation, with direct links to Compliance Manager and the applicable solution to start taking corrective action.
-An additional resource for understanding MCCA is by visiting the [README instructions on GitHub](https://github.com/OfficeDev/MCCA#overview). This page provides detailed information about prerequisites and gives full installation instructions. You donΓÇÖt need a GitHub account to access this page.
+An additional resource for understanding MCCA is by visiting the [README instructions on GitHub](https://github.com/OfficeDev/MCCA#overview). This page provides detailed information about prerequisites and gives full installation instructions. You don't need a GitHub account to access this page.
**Availability**: MCCA is available to all organizations with Office 365 and Microsoft 365 licenses and US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers. ## Install MCCA and run a report
-You can install the MCCA tool using Windows PowerShell. Once you download and install the tool, you donΓÇÖt need to repeat those steps in order to run reports. Each time you open MCCA, it will ask you for your login credentials, and it will generate a new, updated report.
+You can install the MCCA tool using Windows PowerShell. Once you download and install the tool, you don't need to repeat those steps in order to run reports. Each time you open MCCA, it will ask you for your login credentials, and it will generate a new, updated report.
-### Step 1: Install Windows PowerShell
+### Step 1: Install the Exchange Online PowerShell V2 module
-To begin, you'll need the Exchange Online PowerShell module (v2.0.3 or higher) that's available in the PowerShell gallery. [Get installation instructions](https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.3).
+To begin, you'll need the Exchange Online PowerShell module (v2.0.3 or higher) that's available in the PowerShell gallery. For installation instructions, see [Install and maintain the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).
### Step 2: Install MCCA
After you install MCCA, you can run MCCA and generate a report. To run a report:
3. Once MCCA runs, it does an initial version check and ask for credentials. At the Input the user name prompt, sign in with your Microsoft 365 account email address ([view the roles eligible to create reports](#role-based-reporting)). Then enter your password at the password prompt.
-Your report will then take approximately 2-5 minutes to generate. When itΓÇÖs done, a browser window opens and displays your HTML report. Every time you run the tool, it will ask for your credentials and generate a new report. This report is stored locally in the directory C: \ Users \ *username* \ AppData \ Local \ Microsoft \ MCCA.
+Your report will then take approximately 2-5 minutes to generate. When it's done, a browser window opens and displays your HTML report. Every time you run the tool, it will ask for your credentials and generate a new report. This report is stored locally in the directory C: \ Users \ *username* \ AppData \ Local \ Microsoft \ MCCA.
You can access previously generated reports from this directory.
You can access previously generated reports from this directory.
Your report reflects data based on the date and time at which it was generated. The top section provides details on when it was generated, your organization name, and tenant ID.
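Review bot: the report path on the updated line above is written as `C: \ Users \ *username* \ AppData \ Local \ Microsoft \ MCCA`, with spaces around every separator, which is not a valid Windows path; since this hunk already retouches that sentence, render the path as code, `C:\Users\<username>\AppData\Local\Microsoft\MCCA`, so readers can copy it. Drive-by on the unchanged step 3 line: "it does an initial version check and ask for credentials" should read "asks for credentials". The sentence "You can access previously generated reports from this directory." also appears twice in the context here; confirm the source file does not carry a duplicate.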
-#### Geolocation-based reporting
+### Geolocation-based reporting
The **Note** section shows that your report is customized based on the geographic location of your tenant. Recommendations listed in the tool will be specific to your country or region.
To change your report's location information, you need provide a geolocation (-G
Follow these instructions to run a report based on a specific location: 1. Open PowerShell
-2. To specify a certain region, youΓÇÖll run a cmdlet using the numbers from the table below that correspond to the country or region. Enter multiple numbers by separating them with a comma. For example, the cmdlet below will run a customized report for Asia-Pacific and Japan:
+2. To specify a certain region, you'll run a cmdlet using the numbers from the table below that correspond to the country or region. Enter multiple numbers by separating them with a comma. For example, the cmdlet below will run a customized report for Asia-Pacific and Japan:
```powershell Get-MCCAReport -Geo @(1,7) ```
- | Input | Country or Region |
+
+ | Input | Country or Region |
| :- | :: | | 1 | Asia-Pacific | | 2 | Australia |
Follow these instructions to run a report based on a specific location:
| 13 | United Arab Emirates | | 14 | United Kingdom |
+ > [!NOTE]
+ > The report will always include MCCA supported international sensitive information types such as SWIFT code, credit card number, etc.
- > [!NOTE]
-> The report will always include MCCA supported international sensitive information types such as SWIFT code, credit card number, etc.
-
-#### Role-based reporting
+### Role-based reporting
Your report will also be customized based on your role.
The table below shows which roles have access to which sections of the report. O
![MCCA - roles.](../media/compliance-manager-mcca-roles.png "MCCA roles") Exceptions:+ 1. Users won't be able to generate report for IP apart from ΓÇ£Use IRM for Exchange OnlineΓÇ¥ section. 2. Users will be able to generate report for IP apart from ΓÇ£Use IRM for Exchange OnlineΓÇ¥ section. 3. Users will be able to generate report for IP apart from ΓÇ£Enable Communication Compliance in O365ΓÇ¥ section. 4. Users won't be able to generate report for IP apart from ΓÇ£Enable Auditing in Office 365ΓÇ¥ section. 5. Users will be able generate report for IP apart from ΓÇ£Enable Auditing in Office 365ΓÇ¥ section.
-#### Solutions Summary section
+### Solutions Summary section
The **Solutions Summary** section of the report gives an overview of improvement actions that your organization can take in Compliance Manager to help improve your compliance posture.
Next to each Microsoft solution are color-coded boxes indicating the number of i
- **OK**: the actions that meet recommended conditions and need no attention at this time - **Improvement**: actions that need attention-- **Recommendation**: actions that donΓÇÖt need attention, but for which we recommend best practices
-
+- **Recommendation**: actions that don't need attention, but for which we recommend best practices
+ Select a box to view improvements and recommendations.
-**Items with the Improvement status**
+#### Items with the Improvement status
-Select the dropdown next to the **Improvement** label to the right of the improvement action. YouΓÇÖll see a quick summary and details about your current settings and the recommended improvement actions. The summary includes direct links into Compliance Manager, the applicable solution in the Microsoft Purview compliance portal, and relevant documentation.
+Select the dropdown next to the **Improvement** label to the right of the improvement action. You'll see a quick summary and details about your current settings and the recommended improvement actions. The summary includes direct links into Compliance Manager, the applicable solution in the Microsoft Purview compliance portal, and relevant documentation.
Clicking on the Compliance Manager link takes you to a filtered view of all the improvement actions within that solution that you have not yet implemented. From there, you can see the number of points you can achieve to increase your [compliance score](compliance-score-calculation.md), and the assessments they apply to, and the applicable regulations and certifications.
-For DLP, thereΓÇÖs a **Remediation Script** button that gives you a pre-generated PowerShell script based on whatΓÇÖs recommended. You can copy and paste it directly in your PowerShell console. It will create a DLP policy in test mode
+For DLP, there's a **Remediation Script** button that gives you a pre-generated PowerShell script based on what's recommended. You can copy and paste it directly in your PowerShell console. It will create a DLP policy in test mode
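Review bot: the updated sentence "It will create a DLP policy in test mode" still ends without a period, so fixing the curly apostrophes leaves a visible punctuation defect on the same line. Since the paragraph tells admins to paste the generated script "directly in your PowerShell console", it would help to say that the script should be read before it is run in a Security & Compliance PowerShell session, and to state what "test mode" means for the created policy.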
-**Items with Recommendation status**
+#### Items with Recommendation status
-Select the dropdown next to the **Recommendation** label to the right of the improvement action. YouΓÇÖll see a summary of your organizationΓÇÖs current Microsoft 365 environment related to the improvement action, along with recommended best practices.
+Select the dropdown next to the **Recommendation** label to the right of the improvement action. You'll see a summary of your organization's current Microsoft 365 environment related to the improvement action, along with recommended best practices.
## Resources
compliance Configure Irm To Use An On Premises Ad Rms Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/configure-irm-to-use-an-on-premises-ad-rms-server.md
To learn more about IRM in Exchange Online, see [Information Rights Management i
- The AD RMS server must be running Windows Server 2008 or later. For details about how to deploy AD RMS, see [Installing an AD RMS Cluster](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726041(v=ws.11)). -- For details about how to install and configure Windows PowerShell and connect to the service, see [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+- For details about how to install and configure Windows PowerShell and connect to the service, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
- For information about keyboard shortcuts that may apply to the procedures in this topic, see [Keyboard shortcuts for the Exchange admin center in Exchange Online](/Exchange/accessibility/keyboard-shortcuts-in-admin-center).
When you import the TPD, it's stored and protected in Exchange Online.
After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the **Default** switch to make it the default TPD that is available to users.
-To import the TPD, run the following command in Windows PowerShell:
+To import the TPD, run the following command in Exchange Online PowerShell:
```powershell Import-RMSTrustedPublishingDomain -FileData ([System.IO.File]::ReadAllBytes('<path to exported TPD file>')) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL>
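Review bot: the rename to "Exchange Online PowerShell" on the import line is not carried through: the bullet above still tells readers to "install and configure Windows PowerShell and connect to the service", so the same region now uses two names for the same thing; reword that bullet to "connect to Exchange Online PowerShell" to match. On the Import-RMSTrustedPublishingDomain example, the placeholder path and the TPD name use different quoting styles (`'<path to exported TPD file>'` versus `"<name of TPD>"`); either works in PowerShell, but one style reads cleaner.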
compliance Content Search Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search-reference.md
Here are a few things to keep in mind when searching inactive mailboxes.
- Sometimes a user may have an active mailbox and an inactive mailbox that have the same SMTP address. In this case, only the specific mailbox that you select as a location for a content search is searched. In other words, if you add a user's mailbox to a search, you can't assume that both their active and inactive mailboxes are searched. Only the mailbox that you explicitly add to the search is searched. -- You can use Security & Compliance Center PowerShell to create a content search to search an inactive mailbox. To do this, you have to pre-append a period ( . ) to the email address of the inactive mailbox. For example, the following command creates a content search that searches an inactive mailbox with the email address pavelb@contoso.onmicrosoft.com:
+- You can use Security & Compliance PowerShell to create a content search to search an inactive mailbox. To do this, you have to pre-append a period ( . ) to the email address of the inactive mailbox. For example, the following command creates a content search that searches an inactive mailbox with the email address pavelb@contoso.onmicrosoft.com:
```powershell New-ComplianceSearch -Name InactiveMailboxSearch -ExchangeLocation .pavelb@contoso.onmicrosoft.com -AllowNotFoundExchangeLocationsEnabled $true
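Review bot: "pre-append a period" on the updated bullet is non-standard; "prepend a period" says the same thing and matches the example `.pavelb@contoso.onmicrosoft.com`. The rename to "Security & Compliance PowerShell" is consistent with the other files in this commit.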
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
In this example, a date validator is defined for a RegEx part of which is date.
## Changes for Exchange Online
-Previously, you might have used Exchange Online PowerShell to import your custom sensitive information types for DLP. Now your custom sensitive information types can be used in both the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> and the Compliance center. As part of this improvement, you should use Compliance center PowerShell to import your custom sensitive information types ΓÇö you can't import them from the Exchange PowerShell anymore. Your custom sensitive information types will continue to work just like before; however, it may take up to one hour for changes made to custom sensitive information types in the Compliance center to appear in the Exchange admin center.
+Previously, you might have used Exchange Online PowerShell to import your custom sensitive information types for DLP. Now your custom sensitive information types can be used in both the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> and the Compliance center. As part of this improvement, you should use Security & Compliance PowerShell to import your custom sensitive information types ΓÇö you can't import them from Exchange Online PowerShell anymore. Your custom sensitive information types will continue to work just like before; however, it may take up to one hour for changes made to custom sensitive information types in the Compliance center to appear in the Exchange admin center.
Note that in the Compliance center, you use the **[New-DlpSensitiveInformationTypeRulePackage](/powershell/module/exchange/new-dlpsensitiveinformationtyperulepackage)** cmdlet to upload a rule package. (Previously, in the Exchange admin center, you used the **ClassificationRuleCollection**` cmdlet.)
To upload your rule package, do the following steps:
1. Save it as an .xml file with Unicode encoding.
-2. [Connect to Compliance center PowerShell](/powershell/exchange/exchange-online-powershell)
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell)
3. Use the following syntax:
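Review bot: the updated paragraph still carries the mis-encoded em dash ("types ΓÇö you can't import") even though this hunk rewrites that sentence; replace it with a plain dash or split the sentence. Two more points in the same region: the new step 2 link text says "Connect to Security & Compliance PowerShell" but targets /powershell/exchange/exchange-online-powershell, whereas every other file in this commit points that phrase at /powershell/exchange/connect-to-scc-powershell; and the unchanged line about the old cmdlet has a stray backtick after **ClassificationRuleCollection**.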
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
Microsoft Purview Data Loss Prevention (DLP) can identify, monitor, and protect
## Keyword dictionary limits
-There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, connect using the procedures in [Connect to the Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) to connect to your tenant and run this PowerShell script.
+There is a limit of 50 keyword dictionary based sensitive information types that can be created per tenant. To find out how many keyword dictionaries you have in your tenant, connect using the procedures in [Connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to connect to your tenant and run this PowerShell script.
```powershell $rawFile = $env:TEMP + "\rule.xml"
Use the following steps to create and import keywords for a custom dictionary:
## Create a keyword dictionary from a file using PowerShell
-Often when you need to create a large dictionary, it's to use keywords from a file or a list exported from some other source. In this case, you'll create a keyword dictionary containing a list of inappropriate language to screen in external email. You must first [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Often when you need to create a large dictionary, it's to use keywords from a file or a list exported from some other source. In this case, you'll create a keyword dictionary containing a list of inappropriate language to screen in external email. You must first [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
1. Copy the keywords into a text file and make sure that each keyword is on a separate line.
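Review bot: the link text in the updated limits paragraph reads "Connect to the Security & Compliance PowerShell" while the same link in the dictionary-from-file paragraph below drops the article; use "Connect to Security & Compliance PowerShell" in both. That same sentence also says "connect using the procedures in ... to connect to your tenant", which can lose the second "connect".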
compliance Create A Report On Holds In Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-report-on-holds-in-ediscovery-cases.md
See the [More information](#more-information) section for a detailed description
- The sample scripts provided in this topic aren't supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
-## Step 1: Connect to Security & Compliance Center PowerShell
+## Step 1: Connect to Security & Compliance PowerShell
-The first step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+The first step is to connect to Security & Compliance PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
## Step 2: Run the script to report on holds associated with eDiscovery cases
-After you've connected to Security & Compliance Center PowerShell, the next step is to create and run the script that collects information about the eDiscovery cases in your organization.
+After you've connected to Security & Compliance PowerShell, the next step is to create and run the script that collects information about the eDiscovery cases in your organization.
1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, CaseHoldsReport.ps1.
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
To turn an activity alert back on, just repeat these steps and click the **Off**
|Permanently deletes (purges) an email message from their mailbox. |Purged messages from mailbox | Exchange mailbox activities | |Sends an email message from a shared mailbox. |Sent message using Send As permissions <br/> And <br/> Sent message using Send On Behalf permissions | Exchange mailbox activities | -- You can also use the **New-ActivityAlert** and **Set-ActivityAlert** cmdlets in Security & Compliance Center PowerShell to create and edit activity alerts. Keep the following things in mind if you use these cmdlets to create or edit activity alerts:
+- You can also use the **New-ActivityAlert** and **Set-ActivityAlert** cmdlets in Security & Compliance PowerShell to create and edit activity alerts. Keep the following things in mind if you use these cmdlets to create or edit activity alerts:
- If you use a cmdlet to add an activity to the alert that isn't listed in the **Activities** drop-down list, a message is displayed in on the property page for the alert that says, "This alert has custom operations not listed in the picker."
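Review bot: drive-by on the unchanged line after the hunk: "a message is displayed in on the property page" has a doubled preposition; "displayed on the property page".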
compliance Create Apply Retention Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-apply-retention-labels.md
If you publish retention labels to Exchange, it can take up to seven days for th
If the labels don't appear after seven days, check the **Status** of the label policy by selecting it from the **Label policies** page in the Microsoft Purview compliance portal. If you see **(Error)** included in the status and in the details for the locations see a message that it's taking longer than expected to deploy the policy or to try redeploying the policy, try running the [Set-AppRetentionCompliancePolicy](/powershell/module/exchange/set-appretentioncompliancepolicy) or [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) PowerShell command to retry the policy distribution:
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run one of the following commands:
compliance Create Report On And Delete Multiple Content Searches https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-report-on-and-delete-multiple-content-searches.md
search.appverid:
- MOE150 - MET150 ms.assetid: 1d463dda-a3b5-4675-95d4-83db19c9c4a3
-description: "Learn how to automate Content Search tasks like creating searches and running reports using Security & Compliance Center PowerShell."
+description: "Learn how to automate Content Search tasks like creating searches and running reports using Security & Compliance PowerShell."
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
- Quickly creating and reporting discovery searches is often an important step in eDiscovery and investigations when you're trying to learn about the underlying data, and the richness and quality of your searches. To help you do this, Security & Compliance Center PowerShell offers a set of cmdlets to automate time-consuming Content Search tasks. These scripts provide a quick and easy way to create a number of searches, and then run reports of the estimated search results that can help you determine the quantity of data in question. You can also use the scripts to create different versions of searches to compare the results each one produces. These scripts can help you to quickly and efficiently identify and cull your data.
+ Quickly creating and reporting discovery searches is often an important step in eDiscovery and investigations when you're trying to learn about the underlying data, and the richness and quality of your searches. To help you do this, Security & Compliance PowerShell offers a set of cmdlets to automate time-consuming Content Search tasks. These scripts provide a quick and easy way to create a number of searches, and then run reports of the estimated search results that can help you determine the quantity of data in question. You can also use the scripts to create different versions of searches to compare the results each one produces. These scripts can help you to quickly and efficiently identify and cull your data.
## Before you create a Content Search
The comma separated value (CSV) file that you create in this step contains a row
3. Save the Excel file as a CSV file to a folder on your local computer. The script that you create in Step 3 will use the information in this CSV file to create the searches.
-## Step 2: Connect to Security & Compliance Center PowerShell
+## Step 2: Connect to Security & Compliance PowerShell
-The next step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+The next step is to connect to Security & Compliance PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
## Step 3: Run the script to create and start the searches
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you create and submit a retention policy, it can take up to seven days for
First, the retention policy needs to be distributed to the locations that you selected, and then applied to content. You can always check the distribution status of the retention policy by selecting it from the **Retention policies** page in the Microsoft Purview compliance portal. From the flyout pane, if you see **(Error)** included in the status, and in the details for the locations see a message that it's taking longer than expected to deploy the policy or to try redeploying the policy, try running the [Set-AppRetentionCompliancePolicy](/powershell/module/exchange/set-appretentioncompliancepolicy) or [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) PowerShell command to retry the policy distribution:
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run one of the following commands:
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
Until you publish your labels, they won't be available to select in apps or for
> [!IMPORTANT] > On this **Labels** tab, do not select the **Publish labels** tab (or the **Publish label** button when you edit a label) unless you need to create a new label policy. You need multiple label policies only if users need different labels or different policy settings. Aim to have as few label policies as possibleΓÇöit's not uncommon to have just one label policy for the organization.
-### Additional label settings with Security & Compliance Center PowerShell
+### Additional label settings with Security & Compliance PowerShell
-Additional label settings are available with the [Set-Label](/powershell/module/exchange/set-label) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
+Additional label settings are available with the [Set-Label](/powershell/module/exchange/set-label) cmdlet from [Security & Compliance PowerShell](/powershell/exchange/scc-powershell).
For example:
As a result of this configuration, users who have Office apps that use those dis
For the languages that you need to support, use the Office [language identifiers](/deployoffice/office2016/language-identifiers-and-optionstate-id-values-in-office-2016#language-identifiers) (also known as language tags), and specify your own translation for the label name and tooltip.
-Before you run the commands in PowerShell, you must first [connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Before you run the commands in PowerShell, you must first [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
```powershell $Languages = @("fr-fr","it-it","de-de")
To edit an existing label policy, select it, and then select the **Edit Policy**
This button starts the **Create policy** configuration, which lets you edit which labels are included and the label settings. When you complete the configuration, any changes are automatically replicated to the selected users and services.
-### Additional label policy settings with Security & Compliance Center PowerShell
+### Additional label policy settings with Security & Compliance PowerShell
-Additional label policy settings are available with the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) cmdlet from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell).
+Additional label policy settings are available with the [Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) cmdlet from [Security & Compliance PowerShell](/powershell/exchange/scc-powershell).
The Azure Information Protection unified labeling client supports many [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include migrating from other labeling solutions, and pop-up messages in Outlook that warn, justify, or block emails being sent. For the full list, see [Available advanced settings for label policies](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-label-policies) from this client's admin guide.
However, there are some scenarios where label and label policy changes can take
## Use PowerShell for sensitivity labels and their policies
-You can now use [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell) to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
+You can now use [Security & Compliance PowerShell](/powershell/exchange/scc-powershell) to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
See the following documentation for supported parameters and values:
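Review bot: the updated paragraph refers to "your labeling admin center" and, in the next sentence, "the labeling admin centers"; pick singular or plural so the rename reads consistently.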
compliance Create Test Tune Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-test-tune-dlp-policy.md
When you're happy that your DLP policy is accurately and effectively detecting s
![Option to turn on policy.](../media/DLP-create-test-tune-turn-on-policy.png)
-If you're waiting to see when the policy will take effect, [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the [Get-DlpCompliancePolicy cmdlet](/powershell/module/exchange/get-dlpcompliancepolicy) to see the DistributionStatus.
+If you're waiting to see when the policy will take effect, [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the [Get-DlpCompliancePolicy cmdlet](/powershell/module/exchange/get-dlpcompliancepolicy) to see the DistributionStatus.
```powershell Get-DlpCompliancePolicy "Testing -Australia PII" -DistributionDetail | Select distributionstatus
compliance Customer Key Availability Key Roll https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-roll.md
When you roll either of the Azure Key Vault keys associated with a DEP used with
To instruct Customer Key to use the new key to encrypt multiple workloads, complete these steps:
-1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-M365DataAtRestEncryptionPolicy cmdlet.
compliance Customer Key Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-manage.md
After you've set up Customer Key, you'll need to create and assign one or more d
Before you begin, ensure that you've completed the tasks required to set up Customer Key. For information, see [Set up Customer Key](customer-key-set-up.md). To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key). To create a multi-workload DEP, follow these steps:
-
-1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. To create a DEP, use the New-M365DataAtRestEncryptionPolicy cmdlet.
Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy "Contoso_Glob
## Create a DEP for use with Exchange Online mailboxes
-Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. For information, see [Set up Customer Key](customer-key-set-up.md). You'll complete these steps by remotely connecting to Exchange Online with Windows PowerShell.
+Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. For information, see [Set up Customer Key](customer-key-set-up.md). You'll complete these steps in Exchange Online PowerShell.
A DEP is associated with a set of keys stored in Azure Key Vault. You assign a DEP to a mailbox in Microsoft 365. Microsoft 365 will then use the keys identified in the policy to encrypt the mailbox. To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key). Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy. To create a DEP to use with a mailbox, follow these steps:
-
-1. On your local computer, using a work or school account that has global administrator or Exchange Online admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+
+1. On your local computer, using a work or school account that has global administrator or Exchange Online admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. To create a DEP, use the New-DataEncryptionPolicy cmdlet by typing the following command.
To create a DEP to use with a mailbox, follow these steps:
- *KeyVaultURI2* is the URI for the second key in the policy. For example, <https://contoso_EastUS2vault01.vault.azure.net/keys/USA_Key_02>. Separate the two URIs by a comma and a space. Example:
-
+ ```powershell New-DataEncryptionPolicy -Name USA_mailboxes -Description "Root key for mailboxes in USA and its territories" -AzureKeyIDs https://contoso_EastUSvault02.vault.azure.net/keys/USA_key_01, https://contoso_CentralUSvault02.vault.azure.net/keys/USA_Key_02 ```
For detailed syntax and parameter information, see [New-DataEncryptionPolicy](/p
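Review bot: the example URIs on the `+` line above (and the *KeyVaultURI2* example two lines earlier) put underscores in the vault host name (`contoso_EastUSvault02.vault.azure.net`), which can never resolve: underscores are not valid in DNS host labels, and Key Vault names accept only letters, digits and hyphens. The two examples also disagree with each other (`contoso_EastUS2vault01`/`USA_Key_02` in the parameter description versus `contoso_CentralUSvault02`/`USA_Key_02` and `contoso_EastUSvault02`/`USA_key_01` in the command). Since the hunk is already re-fencing this block, use one consistent pair of valid names, for example `-AzureKeyIDs https://contoso-eastus-vault02.vault.azure.net/keys/USA-Key-01, https://contoso-centralus-vault02.vault.azure.net/keys/USA-Key-02`, and update the *KeyVaultURI2* text to match.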
### Assign a DEP to a mailbox Assign the DEP to a mailbox by using the Set-Mailbox cmdlet. Once you assign the policy, Microsoft 365 can encrypt the mailbox with the key identified in the DEP.
-
+ ```powershell Set-Mailbox -Identity <MailboxIdParameter> -DataEncryptionPolicy <PolicyName> ```
Where *MailUserIdParameter* specifies a mail user (also known as a mail-enabled
## Create a DEP for use with SharePoint Online, OneDrive for Business, and Teams files Before you begin, ensure that you've completed the tasks required to set up Azure Key Vault. For information, see [Set up Customer Key](customer-key-set-up.md).
-
-To set up Customer Key for SharePoint Online, OneDrive for Business, and Teams files you complete these steps by remotely connecting to SharePoint Online with Windows PowerShell.
-
+
+To set up Customer Key for SharePoint Online, OneDrive for Business, and Teams files you complete these steps in SharePoint Online PowerShell.
+ You associate a DEP with a set of keys stored in Azure Key Vault. You apply a DEP to all of your data in one geographic location, also called a geo. If you use the multi-geo feature of Office 365, you can create one DEP per geo with the capability to use different keys per geo. If you aren't using multi-geo, you can create one DEP in your organization for use with SharePoint Online, OneDrive for Business, and Teams files. Microsoft 365 uses the keys identified in the DEP to encrypt your data in that geo. To create the DEP, you need the Key Vault URIs you obtained during setup. For information, see [Obtain the URI for each Azure Key Vault key](customer-key-set-up.md#obtain-the-uri-for-each-azure-key-vault-key).
-
+ Remember! When you create a DEP, you specify two keys in two different Azure Key Vaults. Create these keys in two separate Azure regions to ensure geo-redundancy.
-
-To create a DEP, you need to remotely connect to SharePoint Online by using Windows PowerShell.
-
-1. On your local computer, using a work or school account that has global administrator permissions in your organization, [Connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?preserve-view=true&view=sharepoint-ps).
+
+To create a DEP, you need to use SharePoint Online PowerShell.
+
+1. On your local computer, using a work or school account that has global administrator permissions in your organization, [connect to SharePoint Online PowerShell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?preserve-view=true&view=sharepoint-ps).
2. In the Microsoft SharePoint Online Management Shell, run the Register-SPODataEncryptionPolicy cmdlet as follows:
To create a DEP, you need to remotely connect to SharePoint Online by using Wind
``` Example:
-
+ ```powershell Register-SPODataEncryptionPolicy -PrimaryKeyVaultName 'stageRG3vault' -PrimaryKeyName 'SPKey3' -PrimaryKeyVersion 'f635a23bd4a44b9996ff6aadd88d42ba' -SecondaryKeyVaultName 'stageRG5vault' -SecondaryKeyName 'SPKey5' -SecondaryKeyVersion '2b3e8f1d754f438dacdec1f0945f251a' ```
To assign a DEP to a mailbox before you migrate it to Office 365, run the Set-Ma
### Determine the DEP assigned to a mailbox To determine the DEP assigned to a mailbox, use the Get-MailboxStatistics cmdlet. The cmdlet returns a unique identifier (GUID).
-
+ 1. Using a work or school account that has global administrator permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). ```powershell
To determine the DEP assigned to a mailbox, use the Get-MailboxStatistics cmdlet
``` Where *GeneralMailboxOrMailUserIdParameter* specifies a mailbox and DataEncryptionPolicyID returns the GUID of the DEP. For more information about the Get-MailboxStatistics cmdlet, see [Get-MailboxStatistics](/powershell/module/exchange/get-mailboxstatistics).
-
+ 2. Run the Get-DataEncryptionPolicy cmdlet to find out the friendly name of the DEP to which the mailbox is assigned.
-
+ ```powershell Get-DataEncryptionPolicy <GUID> ```
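Review bot: the permission requirement in step 1 of this hunk (global administrator only) is narrower than the one the same article gives a few sections earlier for creating and assigning a mailbox DEP (global administrator or Exchange Online admin); reading `DataEncryptionPolicyID` with `Get-MailboxStatistics` and resolving it with `Get-DataEncryptionPolicy` needs no more privilege than `Set-Mailbox` does, so either state the same roles here or say why a global admin is needed. While the block is being re-fenced, `Get-DataEncryptionPolicy <GUID> | fl Name` (the `| FL Name` pattern the change set uses elsewhere) would show the reader which property carries the friendly name the step is asking for.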
Whether you've rolled a Customer Key, assigned a new DEP, or migrated a mailbox,
### Verify encryption completes for Exchange Online mailboxes Encrypting a mailbox can take some time. For first time encryption, the mailbox must also completely move from one database to another before the service can encrypt the mailbox.
-
+ Use the Get-MailboxStatistics cmdlet to determine if a mailbox is encrypted.
-
+ ```powershell Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted ```
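Review bot: `fl IsEncrypted` on the `+` line only shows that the mailbox is encrypted, not under which policy, which is the question in the rolled-key and reassigned-DEP cases the paragraph above lists. Suggest selecting both properties the article already relies on, `Get-MailboxStatistics -Identity <GeneralMailboxOrMailUserIdParameter> | fl IsEncrypted, DataEncryptionPolicyID`, and telling the reader to compare the returned GUID with the DEP they assigned.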
Check on the status of encryption by running the Get-SPODataEncryptionPolicy cmd
``` The output from this cmdlet includes:
-
+ - The URI of the primary key. - The URI of the secondary key.
The output from this cmdlet includes:
To get details about all of the DEPs you've created to use with multiple workloads, complete these steps:
-1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
- To return the list of all multi-workload DEPs in the organization, run this command. ```powershell
- Get-M365DataAtRestEncryptionPolicy
+ Get-M365DataAtRestEncryptionPolicy
``` - To return details about a specific DEP, run this command. This example returns detailed information for the DEP named "Contoso_Global". ```powershell
- Get-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global"
+ Get-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global"
``` ## Get multi-workload DEP assignment information
-To find out which DEP is currently assigned to your tenant, follow these steps.
+To find out which DEP is currently assigned to your tenant, follow these steps.
-1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Type this command. ```powershell
- Get-M365DataAtRestEncryptionPolicyAssignment
+ Get-M365DataAtRestEncryptionPolicyAssignment
``` ## Disable a multi-workload DEP Before you disable a multi-workload DEP, unassign the DEP from workloads in your tenant. To disable a DEP used with multiple workloads, complete these steps:
-1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in a Windows PowerShell window.
+1. On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-M365DataAtRestEncryptionPolicy cmdlet.
-
+ ```powershell Set-M365DataAtRestEncryptionPolicy -[Identity] "PolicyName" -Enabled $false ```
Set-M365DataAtRestEncryptionPolicy -Identity "Contoso_Global" -Enabled $false
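Review bot: the syntax line on the `+` line above, `-[Identity] "PolicyName"`, is not valid PowerShell; the square brackets come from cmdlet-reference notation for an optional parameter name, but combined with the dash they read as a literal parameter named `[Identity]`. The worked example that follows uses the correct form, so the syntax line should match it: `Set-M365DataAtRestEncryptionPolicy -Identity "<PolicyName>" -Enabled $false`. The section also says to unassign the DEP before disabling it but gives no way to confirm that; running `Get-M365DataAtRestEncryptionPolicyAssignment` (the cmdlet the previous section introduces) before the `Set-` call would make the prerequisite checkable.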
## Restore Azure Key Vault keys Before performing a restore, use the recovery capabilities provided by soft delete. All keys that are used with Customer Key are required to have soft delete enabled. Soft delete acts like a recycle bin and allows recovery for up to 90 days without the need to restore. Restore should only be required in extreme or unusual circumstances, for example if the key or key vault is lost. If you must restore a key for use with Customer Key, in Azure PowerShell, run the Restore-AzureKeyVaultKey cmdlet as follows:
-
+ ```powershell Restore-AzKeyVaultKey -VaultName <vault name> -InputFile <filename> ``` For example:
-
+ ```powershell Restore-AzKeyVaultKey -VaultName Contoso-O365EX-NA-VaultA1 -InputFile Contoso-O365EX-NA-VaultA1-Key001-Backup-20170802.backup ``` If the key vault already contains a key with the same name, the restore operation fails. Restore-AzKeyVaultKey restores all key versions and all metadata for the key including the key name.
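Review bot: the prose in this section tells the reader to run `Restore-AzureKeyVaultKey`, but both code blocks in the hunk use `Restore-AzKeyVaultKey`; the first is the retired AzureRM cmdlet name and the second the Az module name, so a reader who copies the prose gets a command-not-found error unless the old module is installed. Since the hunk already touches both code blocks, change the sentence to name `Restore-AzKeyVaultKey` as well.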
-
+ ## Manage key vault permissions Several cmdlets are available that enable you to view and, if necessary, remove key vault permissions. You might need to remove permissions, for example, when an employee leaves the team. For each of these tasks, you will use Azure PowerShell. For information about Azure PowerShell, see [Overview of Azure PowerShell](/powershell/azure/).
Get-AzKeyVault -VaultName Contoso-O365EX-NA-VaultA1
``` To remove an administrator's permissions, run the Remove-AzKeyVaultAccessPolicy cmdlet:
-
+ ```powershell Remove-AzKeyVaultAccessPolicy -VaultName <vault name> -UserPrincipalName <UPN of user> ```
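Review bot: the `Remove-AzKeyVaultAccessPolicy` example on the `+` line removes the whole access-policy entry for whichever principal is named, and nothing in the step confirms the result; suggest wrapping it with the `Get-AzKeyVault -VaultName ...` call shown just above, run before and after, so the remaining policies can be inspected. A one-line warning is also worth adding: pointed at the service principal that was granted key permissions during Customer Key setup rather than at a departing administrator, the same cmdlet cuts the service off from the keys.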
To unassign mailbox DEPs, use the Set-Mailbox PowerShell cmdlet.
2. Run the Set-Mailbox cmdlet. ```powershell
- Set-Mailbox -Identity <mailbox> -DataEncryptionPolicy $NULL
+ Set-Mailbox -Identity <mailbox> -DataEncryptionPolicy $null
``` Running this cmdlet unassigns the currently assigned DEP and reencrypts the mailbox using the DEP associated with default Microsoft-managed keys. You can't unassign the DEP used by Microsoft managed keys. If you don't want to use Microsoft-managed keys, you can assign another Customer Key DEP to the mailbox. > [!IMPORTANT]
-> Roll back from Customer Key to Microsoft managed keys isn't supported for SharePoint Online, OneDrive for Business, and Teams files.
+> Roll back from Customer Key to Microsoft managed keys isn't supported for SharePoint Online, OneDrive for Business, and Teams files.
## Revoke your keys and start the data purge path process
To initiate the data purge path, complete these steps:
### Revoke your Customer Keys and the availability key for SharePoint Online, OneDrive for Business, and Teams files
-Purging of SharePoint, OneDrive for work or school, and Teams files DEPs is not supported in Customer Key. These multi-workload DEPs are used to encrypt data across multiple workloads across all tenant users. Purging such a DEP would result in data from across multiple workloads becoming inaccessible. If you decide to exit Microsoft 365 services altogether, you could pursue the path of tenant deletion per the documented process. See how to [delete a tenant in Azure Active Directory](/azure/active-directory/enterprise-users/directory-delete-howto).
+Purging of SharePoint, OneDrive for work or school, and Teams files DEPs is not supported in Customer Key. These multi-workload DEPs are used to encrypt data across multiple workloads across all tenant users. Purging such a DEP would result in data from across multiple workloads becoming inaccessible. If you decide to exit Microsoft 365 services altogether, you could pursue the path of tenant deletion per the documented process. See how to [delete a tenant in Azure Active Directory](/azure/active-directory/enterprise-users/directory-delete-howto).
## Related articles
compliance Customize A Built In Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customize-a-built-in-sensitive-information-type.md
You can take this example and apply it to other built-in sensitive information t
## Export the XML file of the current rules
-To export the XML, you need to [connect to the Security and Compliance Center via Remote PowerShell.](/powershell/exchange/connect-to-scc-powershell).
+To export the XML, you need to [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
1. In the PowerShell, type the following to display your organization's rules on screen. If you haven't created your own, you'll only see the default, built-in rules, labeled "Microsoft Rule Package."
To export the XML, you need to [connect to the Security and Compliance Center vi
Get-DlpSensitiveInformationTypeRulePackage ```
-2. Store your organization's rules in a variable by typing the following. Storing something in a variable makes it easily available later in a format that works for remote PowerShell commands.
+2. Store your organization's rules in a variable by typing the following. Storing something in a variable makes it easily available later in a format that works for PowerShell commands.
```powershell $ruleCollections = Get-DlpSensitiveInformationTypeRulePackage
Now that you have located the Credit Card Number rule definition in the XML, you
## Modify the XML and create a new sensitive information type
-First, you need to create a new sensitive information type because you can't directly modify the default rules. You can do a wide variety of things with custom sensitive information types, which are outlined in [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md). For this example, we'll keep it simple and only remove corroborative evidence and add keywords to the Credit Card Number rule.
+First, you need to create a new sensitive information type because you can't directly modify the default rules. You can do a wide variety of things with custom sensitive information types, which are outlined in [Create a custom sensitive information type in Security & Compliance PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md). For this example, we'll keep it simple and only remove corroborative evidence and add keywords to the Credit Card Number rule.
All XML rule definitions are built on the following general template. You need to copy and paste the Credit Card Number definition XML in the template, modify some values (notice the ". . ." placeholders in the following example), and then upload the modified XML as a new rule that can be used in policies.
To upload your rule, you need to do the following.
1. Save it as an .xml file with Unicode encoding. This is important because the rule won't work if the file is saved with a different encoding.
-2. [Connect to the Security and Compliance Center via Remote PowerShell.](/powershell/exchange/connect-to-scc-powershell)
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
3. In the PowerShell, type the following.
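Review bot: the hunk renames the link to "Security & Compliance PowerShell", but step 3 on the next line still reads "In the PowerShell, type the following" (the same wording follows the earlier link in step 1 of the export section); "In Security & Compliance PowerShell, run the following" keeps the terminology the hunk introduces and reads better.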
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
These permissions are required only to create and apply a DLP policy. Policy enf
To use most of the cmdlets for the Microsoft Purview compliance portal, you need to:
-1. [Connect to the Office 365 Microsoft Purview compliance portal using remote PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Use any of these [policy-and-compliance-dlp cmdlets](/powershell/module/exchange/export-dlppolicycollection). However, DLP reports need pull data from across Microsoft 365, including Exchange Online. For this reason, ***the cmdlets for the DLP reports are available in Exchange Online Powershell -- not in Microsoft Purview compliance portal Powershell***. Therefore, to use the cmdlets for the DLP reports, you need to:
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use any of these cmdlets for the DLP reports:
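Review bot: the rename on the `+` line of step 1 is not carried into the unchanged sentence after step 2, which still contrasts "Exchange Online Powershell" with "Microsoft Purview compliance portal Powershell" (and the intro two lines earlier says "cmdlets for the Microsoft Purview compliance portal"); the environment is Security & Compliance PowerShell, which is what the link text now says, so use that name in both places and capitalise "PowerShell" consistently.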
compliance Declare Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/declare-records.md
You can then either publish those labels in a retention label policy so that use
By default, the retention label option to mark content as a regulatory record isn't displayed in the retention label wizard. To display this option, you must first run a PowerShell command:
-1. [Connect to the Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+1. [Connect to the Office 365 Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
2. Run the following cmdlet:
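Review bot: the `+` line fixes the link text but keeps "the Office 365" and the old target `/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell`, whereas every other file in this change set links to `/powershell/exchange/connect-to-scc-powershell`; use that path and drop "the Office 365" so the step reads `[Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)`.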
compliance Delete An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-an-inactive-mailbox.md
Set-Mailbox <identity of inactive mailbox> -ExcludeFromAllOrgHolds
#### Remove an inactive mailbox from a specific location retention policy
-Use [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) to remove an inactive mailbox from an explicit retention policy:
+Use [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to remove an inactive mailbox from an explicit retention policy:
```powershell Set-RetentionCompliancePolicy -Identity <retention policy GUID without prefix or suffix> -RemoveExchangeLocation <identity of inactive mailbox>
compliance Delete Items In The Recoverable Items Folder Of Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md
After you identify the In-Place Hold, you can use the <a href="https://go.micros
### Retention policies applied to specific mailboxes
-Run the following command in [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the retention policy that is applied to the mailbox. This command will also return any Teams conversation retention policies applied to a mailbox. Use the GUID (not including the `mbx` or `skp` prefix) for the retention policy that you identified in Step 1.
+Run the following command in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the retention policy that is applied to the mailbox. This command will also return any Teams conversation retention policies applied to a mailbox. Use the GUID (not including the `mbx` or `skp` prefix) for the retention policy that you identified in Step 1.
```powershell Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name
After you identify the retention policy, go to the **Data lifecycle management**
### Organization-wide retention policies
-Organization-wide, Exchange-wide, and Teams-wide retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the **Get-OrganizationConfig** cmdlet in Step 1. Run the following command in [Security & Compliance Center PowerShell](/powershell/exchange/exchange-online-powershell) to identify the organization-wide retention policies. Use the GUID (not including the `mbx` prefix) for the organization-wide retention policies that you identified in Step 1.
+Organization-wide, Exchange-wide, and Teams-wide retention policies are applied to every mailbox in the organization. They are applied at the organization level (not the mailbox level) and are returned when you run the **Get-OrganizationConfig** cmdlet in Step 1. Run the following command in [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell) to identify the organization-wide retention policies. Use the GUID (not including the `mbx` prefix) for the organization-wide retention policies that you identified in Step 1.
```powershell Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name
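Review bot: on the `+` line the link labelled "Security & Compliance PowerShell" points to `/powershell/exchange/exchange-online-powershell`, the Exchange Online PowerShell overview, while this article's other hunks (mailbox-specific retention policies, eDiscovery holds) link to `/powershell/exchange/connect-to-scc-powershell`; `Get-RetentionCompliancePolicy` is a Security & Compliance cmdlet, so the target should be the connect-to-scc-powershell page here as well.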
For more information about labels, see [Learn about retention policies and reten
### eDiscovery holds
-Run the following commands in [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the hold associated with an eDiscovery case (called *eDiscovery holds*) that's applied to the mailbox. Use the GUID (not including the `UniH` prefix) for the eDiscovery hold that you identified in Step 1. The second command displays the name of the eDiscovery case the hold is associated with; the third command displays the name of the hold.
+Run the following commands in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to identify the hold associated with an eDiscovery case (called *eDiscovery holds*) that's applied to the mailbox. Use the GUID (not including the `UniH` prefix) for the eDiscovery hold that you identified in Step 1. The second command displays the name of the eDiscovery case the hold is associated with; the third command displays the name of the hold.
```powershell $CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>
You must be assigned the Legal Hold role in Exchange Online to use the *RemoveDe
## Step 5: Delete items in the Recoverable Items folder
-Now you're ready to actually delete items in the Recoverable Items folder by using the [New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch) and [New-ComplianceSearchAction](/powershell/module/exchange/new-compliancesearchaction) cmdlets in Security & Compliance Center PowerShell.
+Now you're ready to actually delete items in the Recoverable Items folder by using the [New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch) and [New-ComplianceSearchAction](/powershell/module/exchange/new-compliancesearchaction) cmdlets in Security & Compliance PowerShell.
To search for items that are located in the Recoverable Items folder, we recommend that you perform a *targeted collection*. This means you narrow the scope of your search only to items located in the Recoverable Items folder. You can do this by running the script in the [Use Content Search for targeted collections](use-content-search-for-targeted-collections.md) article. This script returns the value of the folder ID property for all the subfolders in the target Recoverable Items folder. Then you use the folder ID in a search query to return items located in that folder.
Here's an overview of the process to search for and delete items in a user's Rec
- **SubstrateHolds**: Contains hard-deleted items from Teams and other cloud-based apps that have been preserved by a retention policy or other type of hold. This subfolder isn't visible to end users.
-3. Use the **New-ComplianceSearch** cmdlet (in Security & Compliance Center PowerShell) or use the Content search tool in the compliance center to create a content search that returns items from the target user's Recoverable Items folder. You can do this by including the FolderId in the search query for all subfolders that you want to search. For example, the following query returns all messages in the Deletions and eDiscoveryHolds subfolders:
+3. Use the **New-ComplianceSearch** cmdlet (in Security & Compliance PowerShell) or use the Content search tool in the compliance center to create a content search that returns items from the target user's Recoverable Items folder. You can do this by including the FolderId in the search query for all subfolders that you want to search. For example, the following query returns all messages in the Deletions and eDiscoveryHolds subfolders:
```text folderid:<folder ID of Deletions subfolder> OR folderid:<folder ID of DiscoveryHolds subfolder>
Here's an overview of the process to search for and delete items in a user's Rec
> [!NOTE] > If you use the **New-ComplianceSearch** cmdlet to search the Recoverable Items folder, be sure to use **Start-ComplianceSearch** cmdlet to run the search.
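Review bot: the `+` line says the example query returns messages from the "Deletions and eDiscoveryHolds subfolders", but the query that follows uses the placeholder `<folder ID of DiscoveryHolds subfolder>`; the Recoverable Items subfolder is named DiscoveryHolds, so change the prose to match the query rather than the other way round.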
-4. After you've created a content search and validated that it returns the items that you wan to delete, use the `New-ComplianceSearchAction -Purge -PurgeType HardDelete` command (in Security & Compliance Center PowerShell) to permanently delete the items returned by the content search that you created in the previous step. For example, you can run a command similar to the following command:
+4. After you've created a content search and validated that it returns the items that you wan to delete, use the `New-ComplianceSearchAction -Purge -PurgeType HardDelete` command (in Security & Compliance PowerShell) to permanently delete the items returned by the content search that you created in the previous step. For example, you can run a command similar to the following command:
```powershell New-ComplianceSearchAction -SearchName "RecoverableItems" -Purge -PurgeType HardDelete
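Review bot: the `+` line carries over the typo "items that you wan to delete"; since the line is being edited anyway, fix it to "want". The same sentence already says the purge is permanent, so it is the right place to add that the validation step before it is the last chance to catch an over-broad search, because `-PurgeType HardDelete` cannot be undone.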
As previously explained, you have to remove all holds and retention policies fro
|:--|:--|:--| |Litigation Hold <br/> | `True` <br/> |The *LitigationHoldEnabled* property is set to `True`. <br/> | |In-Place Hold <br/> | `c0ba3ce811b6432a8751430937152491` <br/> |The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID doesn't start with a prefix. <br/> You can use the `Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL` command in Exchange Online PowerShell to get information about the In-Place Hold on the mailbox. <br/> |
-| Retention policies in the compliance portal applied to specific mailboxes <br/> | `mbxcdbbb86ce60342489bff371876e7f224` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f` <br/> |When you run the **Get-Mailbox** cmdlet, the *InPlaceHolds* property also contains GUIDs of retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` prefix. If the GUID of the retention policy starts with the `skp` prefix, that indicates that the retention policy is applied to Skype for Business conversations. <br/> To identity the retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/> <br/>`Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
-|Organization-wide retention policies in the compliance portal <br/> |No value <br/> or <br/> `-mbxe9b52bf7ab3b46a286308ecb29624696` (indicates that the mailbox is excluded from an organization-wide policy) <br/> |Even if the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still might be one or more organization-wide retention policies applied to the mailbox. <br/> To verify this, you can run the `Get-OrganizationConfig | FL InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes starts with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> To identity the organization-wide retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>If a mailbox is excluded from an organization-wide retention policy, the GUID for the retention policy is displayed in the *InPlaceHolds* property of the user's mailbox when you run the **Get-Mailbox** cmdlet; it's identified by the prefix `-mbx`; for example, `-mbxe9b52bf7ab3b46a286308ecb29624696` <br/> |
-|eDiscovery case hold in the compliance portal <br/> | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` <br/> |The *InPlaceHolds* property also contains the GUID of any hold associated with an eDiscovery case in the compliance portal that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands:<br/><br/>`$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/>`Get-ComplianceCase $CaseHold.CaseId | FL Name`
+| Retention policies in the compliance portal applied to specific mailboxes <br/> | `mbxcdbbb86ce60342489bff371876e7f224` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f` <br/> |When you run the **Get-Mailbox** cmdlet, the *InPlaceHolds* property also contains GUIDs of retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` prefix. If the GUID of the retention policy starts with the `skp` prefix, that indicates that the retention policy is applied to Skype for Business conversations. <br/> To identity the retention policy that's applied to the mailbox, run the following command in Security & Compliance PowerShell: <br/> <br/>`Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
+|Organization-wide retention policies in the compliance portal <br/> |No value <br/> or <br/> `-mbxe9b52bf7ab3b46a286308ecb29624696` (indicates that the mailbox is excluded from an organization-wide policy) <br/> |Even if the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still might be one or more organization-wide retention policies applied to the mailbox. <br/> To verify this, you can run the `Get-OrganizationConfig | FL InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes starts with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> To identity the organization-wide retention policy that's applied to the mailbox, run the following command in Security & Compliance PowerShell: <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>If a mailbox is excluded from an organization-wide retention policy, the GUID for the retention policy is displayed in the *InPlaceHolds* property of the user's mailbox when you run the **Get-Mailbox** cmdlet; it's identified by the prefix `-mbx`; for example, `-mbxe9b52bf7ab3b46a286308ecb29624696` <br/> |
+|eDiscovery case hold in the compliance portal <br/> | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` <br/> |The *InPlaceHolds* property also contains the GUID of any hold associated with an eDiscovery case in the compliance portal that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands:<br/><br/>`$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/>`Get-ComplianceCase $CaseHold.CaseId | FL Name`
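Review bot: "To identity the retention policy" in the first row, "To identity the organization-wide retention policy" in the second and "To identity the eDiscovery case" in the third should all read "To identify". The eDiscovery row is also the only one that does not end with a closing `|`; add it for consistency with the rows above.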
compliance Document Fingerprinting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-fingerprinting.md
Document Fingerprinting won't detect sensitive information in the following case
## Use PowerShell to create a classification rule package based on document fingerprinting
-Currently, you can create a document fingerprint only in [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+Currently, you can create a document fingerprint only in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
DLP uses classification rule packages to detect sensitive content. To create a classification rule package based on a document fingerprint, use the **New-DlpFingerprint** and **New-DlpSensitiveInformationType** cmdlets. Because the results of **New-DlpFingerprint** aren't stored outside the data classification rule, you always run **New-DlpFingerprint** and **New-DlpSensitiveInformationType** or **Set-DlpSensitiveInformationType** in the same PowerShell session. The following example creates a new document fingerprint based on the file C:\My Documents\Contoso Employee Template.docx. You store the new fingerprint as a variable so you can use it with the **New-DlpSensitiveInformationType** cmdlet in the same PowerShell session.
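Review bot: The rename is consistent, but the sentence "you always run **New-DlpFingerprint** and **New-DlpSensitiveInformationType** or **Set-DlpSensitiveInformationType** in the same PowerShell session" states a requirement as if it were an observation. Since the preceding clause explains that the fingerprint is not stored outside the rule, "you must run ... in the same PowerShell session" makes the constraint explicit.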
compliance Ediscovery Diagnostic Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-diagnostic-info.md
Occasionally Microsoft Support engineers require specific information about your
## Collect diagnostic information for eDiscovery (Standard)
-Collecting diagnostic information for eDiscovery (Standard) is cmdlet-based, so you'll have to use Security & Compliance Center PowerShell. The following PowerShell examples will run cmdlets and then save the output to a specified text file. In most support cases, you should only have to run one of these commands.
+Collecting diagnostic information for eDiscovery (Standard) is cmdlet-based, so you'll have to use Security & Compliance PowerShell. The following PowerShell examples will run cmdlets and then save the output to a specified text file. In most support cases, you should only have to run one of these commands.
-To run the following cmdlets, [connect to Security & Compliance Center PowerShell</span>](/powershell/exchange/connect-to-scc-powershell). After you're connected, run one or more of the following commands and be sure to replace placeholders with the actual object names.
+To run the following cmdlets, [connect to Security & Compliance PowerShell</span>](/powershell/exchange/connect-to-scc-powershell). After you're connected, run one or more of the following commands and be sure to replace placeholders with the actual object names.
After reviewing the generated text file and redacting sensitive information, send it to the Microsoft Support engineer working on your case.
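Review bot: The added line carries over a stray closing tag inside the link text: `[connect to Security & Compliance PowerShell</span>](/powershell/exchange/connect-to-scc-powershell)`. Drop the `</span>` so the link text renders cleanly.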
compliance Enable Autoexpanding Archiving https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-autoexpanding-archiving.md
You can use the Exchange Online auto-expanding archiving feature to enable addit
- Auto-expanding archiving prevents you from recovering or restoring an [inactive mailbox](inactive-mailboxes-in-office-365.md#what-are-inactive-mailboxes). That means if you enable auto-expanding archiving for a mailbox and the mailbox is made inactive at a later date, you won't be able to [recover the inactive mailbox](recover-an-inactive-mailbox.md) (by converting it to an active mailbox) or [restore it](restore-an-inactive-mailbox.md) (by merging the contents to an existing mailbox). If auto-expanding archiving is enabled on an inactive mailbox, the only way to recover data is by using the Content search tool in the Microsoft Purview compliance portal to export the data from the mailbox and import to another mailbox. For more information, see the "Inactive mailboxes and auto-expanding archives" section in [Learn about inactive mailboxes](inactive-mailboxes-in-office-365.md#inactive-mailboxes-and-auto-expanding-archives). -- You can't use the Exchange admin center or the Microsoft Purview compliance portal to enable auto-expanding archiving. You have to use Exchange Online PowerShell. To connect to your Exchange Online organization using remote PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+- You can't use the Exchange admin center or the Microsoft Purview compliance portal to enable auto-expanding archiving. You have to use Exchange Online PowerShell. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
## Enable auto-expanding archiving for your entire organization
compliance Identify A Hold On An Exchange Online Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/identify-a-hold-on-an-exchange-online-mailbox.md
After you obtain the GUID for a hold that is applied to a mailbox, the next step
### eDiscovery holds
-Run the following commands in Security & Compliance Center PowerShell to identify an eDiscovery hold that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.
+Run the following commands in Security & Compliance PowerShell to identify an eDiscovery hold that's applied to the mailbox. Use the GUID (not including the UniH prefix) for the eDiscovery hold that you identified in Step 1.
-To connect to Security & Compliance Center PowerShell, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+To connect to Security & Compliance PowerShell, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
The first command creates a variable that contains information about the hold. This variable is used in the other commands. The second command displays the name of the eDiscovery case the hold is associated with. The third command displays the name of the hold and a list of the mailboxes the hold applies to.
If the GUID for the In-Place Hold starts with the `cld` prefix, be sure to inclu
### Microsoft 365 retention policies
-[Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command to identity the Microsoft 365 retention policy (organization-wide or specific location) that's applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.
+[Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command to identity the Microsoft 365 retention policy (organization-wide or specific location) that's applied to the mailbox. Use the GUID (not including the mbx, skp, or grp prefix or the action suffix) that you identified in Step 1.
```powershell Get-RetentionCompliancePolicy <hold GUID without prefix or suffix> -DistributionDetail | FL Name,*Location
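Review bot: The added line still reads "to identity the Microsoft 365 retention policy"; it should be "to identify". The line is being touched anyway, so fix the typo in the same edit.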
When a retention policy is no longer applied to a mailbox, we will place a tempo
After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft 365 retention policy. For more information about performing tasks related to holds, see one of the following topics: -- Run the [Set-RetentionCompliancePolicy -Identity \<Policy Name> -AddExchangeLocationException \<user mailbox>](/powershell/module/exchange/set-retentioncompliancepolicy) command in [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) to exclude a mailbox from an organization-wide Microsoft 365 retention policy. This command can only be used for retention policies where the value for the *ExchangeLocation* property equals `All`.
+- Run the [Set-RetentionCompliancePolicy -Identity \<Policy Name> -AddExchangeLocationException \<user mailbox>](/powershell/module/exchange/set-retentioncompliancepolicy) command in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) to exclude a mailbox from an organization-wide Microsoft 365 retention policy. This command can only be used for retention policies where the value for the *ExchangeLocation* property equals `All`.
- [Change the hold duration for an inactive mailbox](change-the-hold-duration-for-an-inactive-mailbox.md)
compliance Increase The Recoverable Quota For Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md
The remainder of this topic describes the step-by-step procedures to create a cu
The first step is to create a custom retention tag (called a retention policy tag or RPT) for the Recoverable Items folder. As previously explained, this RPT moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You have to use PowerShell to create an RPT for the Recoverable Items folder. You can't use the Exchange admin center (EAC).
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
2. Run the following command to create a new RPT for the Recoverable Items folder:
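Review bot: Step 1 now links to "Connect to Exchange Online PowerShell", but the introduction above it still says only "You have to use PowerShell to create an RPT for the Recoverable Items folder". Name Exchange Online PowerShell there as well so the reader knows which module the steps expect before reaching step 1.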
compliance Information Barriers Edit Segments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-edit-segments-policies.md
After you have [defined information barriers (IB) policies](information-barriers
| [Troubleshooting information barriers](/office365/troubleshoot/information-barriers/information-barriers-troubleshooting) | Refer to this article when you run into unexpected issues with information barriers. | >[!IMPORTANT]
->To perform the tasks described in this article, you must be assigned an appropriate role, such as one of the following:<br>- Microsoft 365 Enterprise Global Administrator<br>- Global Administrator<br>- Compliance Administrator<br>- IB Compliance Management (this is a new role!)<br><br>To learn more about prerequisites for information barriers, see [Prerequisites (for information barriers policies)](information-barriers-policies.md#step-1-make-sure-prerequisites-are-met).<br><br> Make sure to [connect to the Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+>To perform the tasks described in this article, you must be assigned an appropriate role, such as one of the following:<br>- Microsoft 365 Enterprise Global Administrator<br>- Global Administrator<br>- Compliance Administrator<br>- IB Compliance Management (this is a new role!)<br><br>To learn more about prerequisites for information barriers, see [Prerequisites (for information barriers policies)](information-barriers-policies.md#step-1-make-sure-prerequisites-are-met).<br><br> Make sure to [connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
## Edit user account attributes
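Review bot: After the rename the link text reads "connect to the Security & Compliance PowerShell"; drop "the", matching the "Connect to Security & Compliance PowerShell" wording used in the other files in this change. The "(this is a new role!)" aside on IB Compliance Management also reads as dated and could be removed in the same pass.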
compliance Investigating Partially Indexed Items In Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/investigating-partially-indexed-items-in-ediscovery.md
The following steps show you how to run a PowerShell script that searches for al
```powershell write-host "**************************************************"
- write-host " Security & Compliance Center PowerShell " -foregroundColor yellow -backgroundcolor darkgreen
+ write-host " Security & Compliance PowerShell " -foregroundColor yellow -backgroundcolor darkgreen
write-host " eDiscovery Partially Indexed Item Statistics " -foregroundColor yellow -backgroundcolor darkgreen write-host "**************************************************" " "
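Review bot: Shortening the banner string changes its length. If the `write-host` strings are padded so that they sit centred between the two asterisk bars (the "eDiscovery Partially Indexed Item Statistics" line below appears padded the same way), re-pad " Security & Compliance PowerShell " after removing "Center" so the two banner lines still line up.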
The following steps show you how to run a PowerShell script that searches for al
} ```
-2. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/exchange-online-powershell).
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell).
-3. In Security & Compliance Center PowerShell, go to the folder where you saved the script in step 1, and then run the script; for example:
+3. In Security & Compliance PowerShell, go to the folder where you saved the script in step 1, and then run the script; for example:
```powershell .\PartiallyIndexedItems.ps1
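Review bot: The link target in step 2, `/powershell/exchange/exchange-online-powershell`, does not match the other "Connect to Security & Compliance PowerShell" links in this change set, which all point to `/powershell/exchange/connect-to-scc-powershell`. Step 3 runs the script in Security & Compliance PowerShell, so the link should go to the SCC connection page.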
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
description: "Learn about email and document properties that you can search by u
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-This article describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft Purview compliance portal. This includes Content search, Microsoft Purview eDiscovery (Standard), and Microsoft Purview eDiscovery (Premium) (eDiscovery searches in eDiscovery (Premium) are called *collections*). You can also use the **\*-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for these properties. The article also describes:
+This article describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft Purview compliance portal. This includes Content search, Microsoft Purview eDiscovery (Standard), and Microsoft Purview eDiscovery (Premium) (eDiscovery searches in eDiscovery (Premium) are called *collections*). You can also use the **\*-ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for these properties. The article also describes:
- Using Boolean search operators, search conditions, and other search query techniques to refine your search results. - Searching for sensitive data types and custom sensitive data types in SharePoint and OneDrive for Business.
For step-by-step instructions on how to create different eDiscovery searches, se
- [Create a draft collection in eDiscovery (Premium)](create-draft-collection.md) > [!NOTE]
-> eDiscovery searches in the compliance portal and the corresponding **\*-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell use the Keyword Query Language (KQL). For more detailed information, see [Keyword Query Language syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
+> eDiscovery searches in the compliance portal and the corresponding **\*-ComplianceSearch** cmdlets in Security & Compliance PowerShell use the Keyword Query Language (KQL). For more detailed information, see [Keyword Query Language syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
## Searchable email properties
The following table lists the contact properties that are indexed and that you c
You can use eDiscovery search tools in the compliance portal to search for sensitive data, such as credit card numbers or social security numbers, that is stored in documents on SharePoint and OneDrive for Business sites. You can do this by using the `SensitiveType` property and the name (or ID) of a sensitive information type in a keyword query. For example, the query `SensitiveType:"Credit Card Number"` returns documents that contain a credit card number. The query `SensitiveType:"U.S. Social Security Number (SSN)"` returns documents that contain a U.S. social security number.
-To see a list of the sensitive information types that you can search for, go to **Data classifications** \> **Sensitive info types** in the compliance portal. Or you can use the **Get-DlpSensitiveInformationType** cmdlet in Security & Compliance Center PowerShell to display a list of sensitive information types.
+To see a list of the sensitive information types that you can search for, go to **Data classifications** \> **Sensitive info types** in the compliance portal. Or you can use the **Get-DlpSensitiveInformationType** cmdlet in Security & Compliance PowerShell to display a list of sensitive information types.
For more information about creating queries using the `SensitiveType` property, see [Form a query to find sensitive data stored on sites](form-a-query-to-find-sensitive-data-stored-on-sites.md).
For more information about creating queries using the `SensitiveType` property,
- To search for custom sensitive information types, you have to specify the ID of the sensitive information type in the `SensitiveType` property. Using the name of a custom sensitive information type (as shown in the example for built-in sensitive information types in the previous section) will return no results. Use the **Publisher** column on the **Sensitive info types** page in the compliance center (or the **Publisher** property in PowerShell) to differentiate between built-in and custom sensitive information types. Built-in sensitive data types have a value of `Microsoft Corporation` for the **Publisher** property.
- To display the name and ID for the custom sensitive data types in your organization, run the following command in Security & Compliance Center PowerShell:
+ To display the name and ID for the custom sensitive data types in your organization, run the following command in Security & Compliance PowerShell:
```powershell Get-DlpSensitiveInformationType | Where-Object {$_.Publisher -ne "Microsoft Corporation"} | FT Name,Id
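Review bot: The first bullet of this hunk still says "the **Sensitive info types** page in the compliance center", while the rest of the article (including the hunk above) uses "compliance portal". Update the name here too.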
compliance Legacy Ediscovery Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-ediscovery-retirement.md
It's possible to migrate In-Place eDiscovery searches and holds from the EAC by
As per the original notice announced on July 1, 2017 in the Exchange admin center, the In-Place eDiscovery & Hold functionality and the corresponding **\*-MailboxSearch** cmdlets are being retired. These cmdlets provide users the ability to search, hold, and export mailbox content for legal, regulatory, and public requests.
-Because these capabilities are now available in the [<span class="underline">compliance portal</span>](./microsoft-365-compliance-center.md) and Office 365 Security & Compliance Center PowerShell with improved performance and scalability, you should using these improved cmdlets. These cmdlets include [<span class="underline">\*-ComplianceCase</span>](/powershell/module/exchange/get-compliancecase), [<span class="underline">\*-ComplianceSearch</span>](/powershell/module/exchange/get-compliancesearch), [<span class="underline">\*-CaseHoldPolicy</span>](/powershell/module/exchange/get-caseholdpolicy), [<span class="underline">\*-CaseHoldRule</span>](/powershell/module/exchange/get-caseholdrule), and [<span class="underline">\*-ComplianceSearchAction</span>](/powershell/module/exchange/get-compliancesearchaction).
+Because these capabilities are now available in the [<span class="underline">compliance portal</span>](./microsoft-365-compliance-center.md) and Office 365 Security & Compliance PowerShell with improved performance and scalability, you should using these improved cmdlets. These cmdlets include [<span class="underline">\*-ComplianceCase</span>](/powershell/module/exchange/get-compliancecase), [<span class="underline">\*-ComplianceSearch</span>](/powershell/module/exchange/get-compliancesearch), [<span class="underline">\*-CaseHoldPolicy</span>](/powershell/module/exchange/get-caseholdpolicy), [<span class="underline">\*-CaseHoldRule</span>](/powershell/module/exchange/get-caseholdrule), and [<span class="underline">\*-ComplianceSearchAction</span>](/powershell/module/exchange/get-compliancesearchaction).
### Scope of affected organizations
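Review bot: "you should using these improved cmdlets" carries a grammar error into the added line; make it "you should start using these cmdlets". The added line also keeps "Office 365 Security & Compliance PowerShell", whereas the other files in this change drop the product prefix and use just "Security & Compliance PowerShell"; align the name.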
Yes, although we're removing the ability to create and modify searches, you'll s
## Search-Mailbox cmdlet
-The **Search-Mailbox** cmdlet in Exchange Online PowerShell is being retired as originally announced in a warning in the cmdlet output starting back in 2018. The **Search-Mailbox** cmdlet was originally used to search a user's mailbox and purge malicious content. We recommend that you start using the **New-ComplianceSearch** and **New-ComplianceSearchAction** cmdlets in Office 365 Security & Compliance Center PowerShell to search for and purge content. For a built-in security experience, the [<span class="underline">Microsoft 365 security features</span>](../security/index.yml) provide robust threat protection for email and many other Microsoft services.
+The **Search-Mailbox** cmdlet in Exchange Online PowerShell is being retired as originally announced in a warning in the cmdlet output starting back in 2018. The **Search-Mailbox** cmdlet was originally used to search a user's mailbox and purge malicious content. We recommend that you start using the **New-ComplianceSearch** and **New-ComplianceSearchAction** cmdlets in Office 365 Security & Compliance PowerShell to search for and purge content. For a built-in security experience, the [<span class="underline">Microsoft 365 security features</span>](../security/index.yml) provide robust threat protection for email and many other Microsoft services.
### Scope of affected organizations
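Review bot: As in the previous hunk, the added line still says "Office 365 Security & Compliance PowerShell"; the rest of the change uses "Security & Compliance PowerShell" without the prefix.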
compliance Legacy Information For Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-information-for-message-encryption.md
For more information about how to create Exchange mail flow rules, see [Define R
### Remove encryption from email replies encrypted without Microsoft Purview Message Encryption
-When your email users send encrypted messages, recipients of those messages can respond with encrypted replies. You can create mail flow rules to automatically remove encryption from replies so email users in your organization don't have to sign in to the encryption portal to view them. You can use the EAC or Windows PowerShell cmdlets to define these rules. You can decrypt messages that are sent from within your organization or messages that are replies to messages sent from within your organization. You cannot decrypt encrypted messages originating from outside of your organization.
+When your email users send encrypted messages, recipients of those messages can respond with encrypted replies. You can create mail flow rules to automatically remove encryption from replies so email users in your organization don't have to sign in to the encryption portal to view them. You can use the EAC or Exchange Online PowerShell cmdlets to define these rules. You can decrypt messages that are sent from within your organization or messages that are replies to messages sent from within your organization. You cannot decrypt encrypted messages originating from outside of your organization.
#### Use the EAC to create a rule for removing encryption from email replies encrypted without Microsoft Purview Message Encryption
When your email users send encrypted messages, recipients of those messages can
2. Choose the **Admin** tile.
-3. In the >Microsoft 365 admin center, choose **Admin centers** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">**Exchange**</a>.
+3. In the Microsoft 365 admin center, choose **Admin centers** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">**Exchange**</a>.
4. In the EAC, go to **Mail flow** \> **Rules** and select **New** ![New icon.](../media/457cd93f-22c2-4571-9f83-1b129bcfb58e.gif) \> **Create a new rule**. For more information about using the EAC, see [Exchange admin center in Exchange Online](/exchange/exchange-admin-center).
Recipients follow instructions in the message to open the attachment and authent
## Customize encrypted messages with Office 365 Message Encryption
-As an Exchange Online and Exchange Online Protection administrator, you can customize your encrypted messages. For example, you can add your company's brand and logo, specify an introduction, and add disclaimer text in encrypted messages and in the portal where recipients view your encrypted messages. Using Windows PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:
+As an Exchange Online and Exchange Online Protection administrator, you can customize your encrypted messages. For example, you can add your company's brand and logo, specify an introduction, and add disclaimer text in encrypted messages and in the portal where recipients view your encrypted messages. Using Exchange Online PowerShell cmdlets, you can customize the following aspects of the viewing experience for recipients of encrypted email messages:
- Introductory text of the email that contains the encrypted message - Disclaimer text of the email that contains the encrypted message
The following example shows a custom logo for ContosoPharma in the email attachm
### To customize encryption email messages and the encryption portal with your organization's brand
-1. Connect to Exchange Online using Remote PowerShell, as described in [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the Set-OMEConfiguration cmdlet as described here: [Set-OMEConfiguration](/powershell/module/exchange/set-omeconfiguration) or use the following table for guidance. **Encryption customization options**
- |To customize this feature of the encryption experience|Use these Windows PowerShell commands|
+ |To customize this feature of the encryption experience|Use these Exchange Online PowerShell commands|
||| |Default text that accompanies encrypted email messages <p> The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<string of up to 1024 characters>"` <p> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText "Encrypted message from ContosoPharma secure messaging system"`| |Disclaimer statement in the email that contains the encrypted message|`Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<your disclaimer statement, string of up to 1024 characters>"` <p> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText "This message is confidential for the use of the addressee only"`|
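Review bot: In the disclaimer row the syntax cell reads `-Identity <OMEConfigurationIdParameter> DisclaimerText "<your disclaimer statement, ...>"`, missing the `-` before `DisclaimerText`, while the example beside it correctly uses `-DisclaimerText`. Since the table header is being edited, fix the parameter name in the same change.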
The following example shows a custom logo for ContosoPharma in the email attachm
### To remove brand customizations from encryption email messages and the encryption portal
-1. Connect to Exchange Online using Remote PowerShell, as described in [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Use the Set-OMEConfiguration cmdlet as described here: [Set-OMEConfiguration](/powershell/module/exchange/set-omeconfiguration). To remove your organization's branded customizations from the DisclaimerText, EmailText, and PortalText values, set the value to an empty string, `""`. For all image values, such as Logo, set the value to `"$null"`. **Encryption customization options**
- |To revert this feature of the encryption experience back to the default text and image|Use these Windows PowerShell commands|
+ |To revert this feature of the encryption experience back to the default text and image|Use these Exchange Online PowerShell commands|
||| |Default text that accompanies encrypted email messages <p> The default text appears above the instructions for viewing encrypted messages|`Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "<empty string>"` <p> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -EmailText ""`| |Disclaimer statement in the email that contains the encrypted message <p> |`Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"` <p> **Example:** `Set-OMEConfiguration -Identity "OME Configuration" -DisclaimerText ""`|
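Review bot: Step 2 tells the reader to set image values to `"$null"`. Inside double quotes PowerShell expands `$null` to an empty string, so the reader would pass `""` rather than `$null`; write it unquoted as `$null`. The disclaimer row in this table has the same missing `-` before `DisclaimerText` as the previous table (`-Identity <OMEConfigurationIdParameter> DisclaimerText "<empty string>"`).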
No, the encrypted messages are kept on the recipient's email system, and when th
**Q. Can I customize encrypted email messages with my brand?**
-Yes. You can use Windows PowerShell cmdlets to customize the default text that appears at the top of encrypted email messages, the disclaimer text, and the logo that you want to use for the email message and the encryption portal. This feature is now available in OMEv2. For details, see [Add branding to encrypted messages](add-your-organization-brand-to-encrypted-messages.md).
+Yes. You can use Exchange Online PowerShell cmdlets to customize the default text that appears at the top of encrypted email messages, the disclaimer text, and the logo that you want to use for the email message and the encryption portal. This feature is now available in OMEv2. For details, see [Add branding to encrypted messages](add-your-organization-brand-to-encrypted-messages.md).
**Q. Does the service require a license for every user in my organization?**
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
|The maximum number of mailboxes or sites that can be searched in a single search|No limit <sup>1</sup>| |The maximum number of searches that can run at the same time in your organization.|30| |The maximum number of organization-wide searches that can be run at the same time.|3|
-|The maximum number of searches that a single user can start at the same time. This limit is most likely hit when the user tries to start multiple searches by using the **Get-ComplianceSearch \|Start-ComplianceSearch** command in Security & Compliance Center PowerShell.|10|
+|The maximum number of searches that a single user can start at the same time. This limit is most likely hit when the user tries to start multiple searches by using the **Get-ComplianceSearch \|Start-ComplianceSearch** command in Security & Compliance PowerShell.|10|
|The maximum number of items per user mailbox that are displayed on the preview page when previewing Content Search results.|100| |The maximum number of items found in all user mailboxes that can possibly be displayed on the preview page when previewing search results. The newest items are displayed.|1,000 <sup>2</sup>| |The maximum number of user mailboxes that can be previewed for search results. If there are more than 1000 mailboxes that contain content that matches the search query, at most, only the top 1000 mailboxes with the most search results will be available for preview.|1,000|
compliance Manage Legal Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-legal-investigations.md
eDiscovery cases let you control who can create, access, and manage eDiscovery c
### Use scripts for advanced scenarios
-Like the previous section that listed scripts for content search scenarios, we've also created some Security & Compliance Center PowerShell scripts to help you manage eDiscovery cases.
+Like the previous section that listed scripts for content search scenarios, we've also created some Security & Compliance PowerShell scripts to help you manage eDiscovery cases.
- [Create a eDiscovery hold report](create-a-report-on-holds-in-ediscovery-cases.md) that contains information about all holds associated with eDiscovery cases in your organization.
compliance Manage Office 365 Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-office-365-message-encryption.md
Last updated 03/04/2022
search.appverid: - MET150 ms.assetid: 09f6737e-f03f-4bc8-8281-e46d24ee2a74-+ - Strat_O365_IP - M365-security-compliance
Once you've finished setting up Office 365 Message Encryption (OME), you can cus
## Manage whether Google, Yahoo, and Microsoft Account recipients can use these accounts to sign in to the Office 365 Message Encryption portal When you set up the new Office 365 Message Encryption capabilities, users in your organization can send messages to recipients that are outside of your organization. If the recipient uses a *social ID* such as a Google account, Yahoo account, or Microsoft account, the recipient can sign in to the OME portal with a social ID. If you want, you can choose not to allow recipients to use social IDs to sign in to the OME portal.
-
+ ### To manage whether recipients can use social IDs to sign in to the OME portal
-
-1. [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-OMEConfiguration cmdlet with the SocialIdSignIn parameter as follows:
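Review bot: step 1 of this procedure omits the permission requirement that every sibling procedure in this file states; the other rewritten step 1 lines read "Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell", so use the same wording here so readers know which role Set-OMEConfiguration needs before they reach step 2.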
When you set up the new Office 365 Message Encryption capabilities, users in you
## Manage the use of one-time pass codes for the Office 365 Message Encryption portal If the recipient of a message encrypted by OME doesn't use Outlook, regardless of the account used by the recipient, the recipient receives a limited-time web-view link that lets them read the message. This link includes a one-time pass code. As an administrator, you can decide if recipients can use one-time pass codes to sign in to the OME portal.
-
+ ### To manage whether OME generates one-time pass codes
-
-1. Use a work or school account that has global administrator permissions in your organization and start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-OMEConfiguration cmdlet with the OTPEnabled parameter:
If the recipient of a message encrypted by OME doesn't use Outlook, regardless o
## Manage the display of the Encrypt button in Outlook on the web As an administrator, you can manage whether to display this button to end users.
-
+ ### To manage whether the Encrypt button appears in Outlook on the web
-
-1. Use a work or school account that has global administrator permissions in your organization and start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-IRMConfiguration cmdlet with the -SimplifiedClientAccessEnabled parameter:
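Review bot: style: step 2 writes the parameter as "-SimplifiedClientAccessEnabled" with a leading hyphen, while the other procedures in this file name parameters without one (SocialIdSignIn, OTPEnabled); drop the hyphen for consistency. Also, "this button" in the section's opening sentence has no antecedent other than the heading; say "the Encrypt button".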
As an administrator, you can manage whether to display this button to end users.
## Enable service-side decryption of email messages for iOS mail app users The iOS mail app can't decrypt messages protected with Office 365 Message Encryption. As a Microsoft 365 administrator, you can apply service-side decryption for messages delivered to the iOS mail app. When you choose to do use service-side decryption, the service sends a decrypted copy of the message to the iOS device. The client device stores a decrypted copy of the message. The message also retains information about usage rights even though the iOS mail app doesn't apply client-side usage rights to the user. The user can copy or print the message even if they didn't originally have the rights to do so. However, if the user attempts to complete an action that requires the Microsoft 365 mail server, such as forwarding the message, the server won't permit the action if the user didn't originally have the usage right to do so. However, end users can work around "Do Not Forward" usage restriction by forwarding the message from a different account within the iOS mail app. Regardless of whether you set up service-side decryption of mail, attachments to encrypted and rights protected mail can't be viewed in the iOS mail app.
-
+ If you choose not to allow decrypted messages to be sent to iOS mail app users, users receive a message that states that they don't have the rights to view the message. By default, service-side decryption of email messages is not enabled.
-
+ For more information, and for a view of the client experience, see [View encrypted messages on your iPhone or iPad](https://support.microsoft.com/en-us/office/view-protected-messages-on-your-iphone-or-ipad-4d631321-0d26-4bcc-a483-d294dd0b1caf).
-
+ ### To manage whether iOS mail app users can view messages protected by Office 365 Message Encryption
-
-1. Use a work or school account that has global administrator permissions in your organization and start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-ActiveSyncOrganizations cmdlet with the AllowRMSSupportForUnenlightenedApps parameter:
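Review bot: the section's opening paragraph still contains the typo "When you choose to do use service-side decryption"; since step 1 of this section is being rewritten anyway, fix it to "When you choose to use service-side decryption" in the same change.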
For more information, and for a view of the client experience, see [View encrypt
## Enable service-side decryption of email attachments for web browser mail clients Normally, when you use Office 365 message encryption, attachments are automatically encrypted. As an administrator, you can apply service-side decryption for email attachments that users download from a web browser.
-
+ When you use service-side decryption, the service sends a decrypted copy of the file to the device. The message is still encrypted. The email attachment also keeps information about usage rights even though the browser doesn't apply client-side usage rights to the user. The user can copy or print the email attachment even if they didn't originally have the rights to do so. However, if the user tries to complete an action that requires the Microsoft 365 mail server, such as forwarding the attachment, the server won't permit the action if the user didn't originally have the usage right to do so.
-
+ Regardless of whether you set up service-side decryption of attachments, users can't view any attachments to encrypted and rights protected mail in the iOS mail app.
-
+ If you choose not to allow decrypted email attachments, which is the default, users receive a message that states that they don't have the rights to view the attachment.
-
+ For more information about how Microsoft 365 implements encryption for emails and email attachments with the Encrypt-Only option, see [Encrypt-Only option for emails.](/azure/information-protection/deploy-use/configure-usage-rights#encrypt-only-option-for-emails)
-
+ ### To manage whether email attachments are decrypted on download from a web browser
-
-1. Use a work or school account that has global administrator permissions in your organization and start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the Set-IRMConfiguration cmdlet with the DecryptAttachmentForEncryptOnly parameter:
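Review bot: the link text "[Encrypt-Only option for emails.]" carries the sentence's period inside the brackets; move it outside the link. The opening sentence also writes "Office 365 message encryption" in lowercase while the rest of the article uses "Office 365 Message Encryption".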
You can use custom branding templates to force recipients to receive a wrapper m
### Use a custom template to force all external recipients to use the OME Portal and for encrypted email
-1. Use a work or school account that has global administrator permissions in your organization and start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Use a work or school account that has global administrator permissions in your organization and connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the New-TransportRule cmdlet:
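Review bot: the heading "Use a custom template to force all external recipients to use the OME Portal and for encrypted email" is ungrammatical ("and for encrypted email"); reword it, for example "Use a custom template to force all external recipients to use the OME portal for encrypted email".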
You can use custom branding templates to force recipients to receive a wrapper m
## Customize the appearance of email messages and the OME portal For detailed information about how you can customize Microsoft Purview Message Encryption for your organization, see [Add your organization's brand to your encrypted messages](add-your-organization-brand-to-encrypted-messages.md). In order to enable the ability to track and revoke encrypted messages you must add your custom branding to the OME portal.
-
+ ## Disable Microsoft Purview Message Encryption We hope it doesn't come to it, but if you need to, disabling Microsoft Purview Message Encryption is very straightforward. First, you'll need to remove any mail flow rules you've created that use Microsoft Purview Message Encryption. For information about removing mail flow rules, see [Manage mail flow rules](/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules). Then, complete these steps in Exchange Online PowerShell.
-
+ ### To disable Microsoft Purview Message Encryption
-
-1. Using a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+1. Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. If you enabled the **Encrypt** button in Outlook on the web, disable it by running the Set-IRMConfiguration cmdlet with the SimplifiedClientAccessEnabled parameter. Otherwise, skip this step.
compliance Migrate Legacy Ediscovery Searches And Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/migrate-legacy-eDiscovery-searches-and-holds.md
audience: Admin
ms.localizationpriority: medium
+search.appverid:
- MET150 -
-description:
+
+description:
# Migrate legacy eDiscovery searches and holds to the compliance portal
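Review bot: the description: key in the front matter is empty both before and after this change (the "-description:" and "+description:" lines differ only in whitespace); since the front matter is being edited here, supply a description value rather than leaving the key blank.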
To help customers take advantage of the new and improved functionality, this art
## Before you begin
+- You need to install the Exchange Online V2 module. For instructions, see [Install and maintain the EXO V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).
+ - You have to be a member of the eDiscovery Manager role group in the compliance portal to run the PowerShell commands described in this article. You also have to be a member of the Discovery Management role group in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>. - This article provides guidance on how to create an eDiscovery hold. The hold policy will be applied to mailboxes through an asynchronous process. When creating an eDiscovery hold, you must create both a CaseHoldPolicy and CaseHoldRule, otherwise the hold will not be created and content locations will not be placed on hold.
-## Step 1: Connect to Exchange Online PowerShell and Security & Compliance Center PowerShell
+## Step 1: Connect to Exchange Online PowerShell and Security & Compliance PowerShell
-The first step is to connect to Exchange Online PowerShell and Security & Compliance Center PowerShell. You can copy the following script, paste it into a PowerShell window and then run it. You'll be prompted for credentials for the organization that you want to connect to.
+The first step is to connect to Exchange Online PowerShell and Security & Compliance PowerShell in the same PowerShell window. You can copy the following commands, paste them into a PowerShell window and then run them. You'll be prompted for credentials.
```powershell
-$UserCredential = Get-Credential
-$sccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
-Import-PSSession $sccSession -DisableNameChecking
-$exoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
-Import-PSSession $exoSession -AllowClobber -DisableNameChecking
+Connect-IPPSSession
+Connect-ExchangeOnline -UseRPSSession
```
-You need to run the commands in the following steps in this PowerShell session.
+For detailed instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
## Step 2: Get a list of In-Place eDiscovery searches by using Get-MailboxSearch
-After you've authenticated, you can get a list of In-Place eDiscovery searches by running the **Get-MailboxSearch** cmdlet. Copy and paste the following command into PowerShell and then run it. A list of searches will be listed with their names and the status of any In-Place Holds.
+After you've conected, you can get a list of In-Place eDiscovery searches by running the **Get-MailboxSearch** cmdlet. Copy and paste the following command into the PowerShell window and then run it.
```powershell Get-MailboxSearch ```
+A list of searches will be listed with their names and the status of any In-Place Holds.
+ The cmdlet output will be similar to the following: ![PowerShell example Get-MailboxSearch.](../media/MigrateLegacyeDiscovery1.png)
$search = Get-MailboxSearch -Identity "Search 1"
``` ```powershell
-$search | FL
+$search | Format-List
``` The output of these two commands will be similar to the following:
The output of these two commands will be similar to the following:
![Example of PowerShell output from using Get-MailboxSearch for an individual search.](../media/MigrateLegacyeDiscovery2.png) > [!NOTE]
-> The duration of the In-Place Hold in this example is indefinite (*ItemHoldPeriod: Unlimited*). This is typical for eDiscovery and legal investigation scenarios. If the hold duration has is different value than indefinite, the reason is likely because the hold is being used to retain content in a retention scenario. Instead of using the eDiscovery cmdlets in Security & Compliance Center PowerShell for retention scenarios, we recommend that you use [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) and [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) to retain content. The result of using these cmdlets will be similar to using **New-CaseHoldPolicy** and **New-CaseHoldRule**, but you'll able to specify a retention period and a retention action, such as deleting content after the retention period expires. Also, using the retention cmdlets don't require you to associate the retention holds with an eDiscovery case.
+> The duration of the In-Place Hold in this example is indefinite (*ItemHoldPeriod: Unlimited*). This is typical for eDiscovery and legal investigation scenarios. If the hold duration has is different value than indefinite, the reason is likely because the hold is being used to retain content in a retention scenario. Instead of using the eDiscovery cmdlets in Security & Compliance PowerShell for retention scenarios, we recommend that you use [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) and [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) to retain content. The result of using these cmdlets will be similar to using **New-CaseHoldPolicy** and **New-CaseHoldRule**, but you'll able to specify a retention period and a retention action, such as deleting content after the retention period expires. Also, using the retention cmdlets don't require you to associate the retention holds with an eDiscovery case.
## Step 4: Create a case in the Microsoft Purview compliance portal
To create an eDiscovery hold, you have to create an eDiscovery case to associate
```powershell $case = New-ComplianceCase -Name "[Case name of your choice]" ```+ ![Example of running the New-ComplianceCase command.](../media/MigrateLegacyeDiscovery3.png) ## Step 5: Create the eDiscovery hold
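Review bot: the new connection block adds -UseRPSSession to Connect-ExchangeOnline without saying why it is needed; add a sentence explaining what the switch is for, because nothing in the article says why Connect-ExchangeOnline alone is not enough, and readers are likely to drop it. Replacing the New-PSSession script that passed a credential object with -Authentication Basic by Connect-IPPSSession and Connect-ExchangeOnline is the right call. Two wording issues in the added lines: "After you've conected" should be "connected", and the note in step 3 carries over "If the hold duration has is different value than indefinite", "you'll able to specify" and "using the retention cmdlets don't require" (should be "has a different value", "you'll be able to" and "doesn't require").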
If you migrate an In-Place eDiscovery search but don't associate it with an eDis
## More information - For more information about In-Place eDiscovery & Holds in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>, see:
-
+ - [In-Place eDiscovery](/exchange/security-and-compliance/in-place-ediscovery/in-place-ediscovery) - [In-Place Hold and Litigation Hold](/exchange/security-and-compliance/in-place-and-litigation-holds)
If you migrate an In-Place eDiscovery search but don't associate it with an eDis
- For more information about the PowerShell cmdlets used in the article, see: - [Get-MailboxSearch](/powershell/module/exchange/get-mailboxsearch)
-
+ - [New-ComplianceCase](/powershell/module/exchange/new-compliancecase) - [New-CaseHoldPolicy](/powershell/module/exchange/new-caseholdpolicy)
-
+ - [New-CaseHoldRule](/powershell/module/exchange/new-caseholdrule) - [Get-CaseHoldPolicy](/powershell/module/exchange/get-caseholdpolicy)
-
+ - [New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch) - [Start-ComplianceSearch](/powershell/module/exchange/start-compliancesearch)
compliance Ome Advanced Expiration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-advanced-expiration.md
Microsoft Purview Advanced Message Encryption is included in [Microsoft 365 Ente
If your organization has a subscription that does not include Microsoft Purview Advanced Message Encryption, you can purchase it with the Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or the Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or Office 365 SKUs.
-You can use message expiration on emails that your users send to external recipients who use the OME Portal to access encrypted emails. You force recipients to use the OME portal to view and reply to encrypted emails sent by your organization by using a custom branded template that specifies an expiration date in Windows PowerShell.
+You can use message expiration on emails that your users send to external recipients who use the OME Portal to access encrypted emails. You force recipients to use the OME portal to view and reply to encrypted emails sent by your organization by using a custom branded template that specifies an expiration date in PowerShell.
As an Office 365 global administrator, when you apply your company brand to customize the look of your organization's email messages, you can also specify an expiration for these email messages. With Microsoft Purview Advanced Message Encryption, you can create multiple templates for encrypted emails that originate from your organization. Using a template, you can control how long recipients have access to mail sent by your users.
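Review bot: the rewritten line writes "OME Portal" and "OME portal" in the same sentence; pick one. The following paragraph also still opens with "As an Office 365 global administrator" while the feature is named Microsoft Purview Advanced Message Encryption in the same paragraph; consider updating the role wording to match.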
compliance Ome Sensitive Info Types https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-sensitive-info-types.md
Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" targe
### To create the policy by using mail flow rules in PowerShell
-Use a work or school account that has global administrator permissions in your organization, start a Windows PowerShell session and connect to Exchange Online. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Use the Set-IRMConfiguration and New-TransportRule cmdlets to create the policy.
+Use a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Use the Set-IRMConfiguration and New-TransportRule cmdlets to create the policy.
## Example mail flow rule created with PowerShell
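Review bot: the rewritten sentence "Use a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell." is now a comma splice (removing "start a Windows PowerShell session and" left two imperatives joined by a comma); rewrite as "Using a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell."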
After Microsoft encrypts a message, recipients have unrestricted access to attac
You may want to update any applicable end-user documentation and training materials to prepare people in your organization for this change. Share these Office 365 Message Encryption resources with your users as appropriate: -- [Send, view, and reply to encrypted messages in Outlook for PC](https://support.microsoft.com/en-us/office/send-view-and-reply-to-encrypted-messages-in-outlook-for-pc-eaa43495-9bbb-4fca-922a-df90dee51980)
+- [Send, view, and reply to encrypted messages in Outlook for PC](https://support.microsoft.com/office/send-view-and-reply-to-encrypted-messages-in-outlook-for-pc-eaa43495-9bbb-4fca-922a-df90dee51980)
- [Microsoft 365 Essentials Video: Message Encryption](https://youtu.be/CQR0cG_iEUc) ## View these changes in the audit log
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
The following four cmdlets in Security & Compliance PowerShell let you configure
- To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the compliance portal. For more information, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md). -- You have to connect to both Exchange Online and Security & Compliance Center PowerShell to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell. See the steps in the next section.
+- You have to connect to both Exchange Online and Security & Compliance PowerShell to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell. See the steps in the next section.
- See the [More information](#more-information) section for additional information about search permissions filters.
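Review bot: the hunk renames "Security & Compliance Center PowerShell" in the second bullet, but the first bullet's link text "Permissions in the Security & Compliance Center" keeps the old portal name; if the intent is to retire that name, update the link text too (the file path can stay as is).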
The following four cmdlets in Security & Compliance PowerShell let you configure
- There is no limit to the number of search permissions filters that can be created in an organization. However, a search query can have a maximum of 100 conditions. In this case, a condition is defined as something that's connected to the query by a Boolean operator (such as **AND**, **OR**, and **NEAR**). The limit for the number of conditions includes the search query itself plus all search permissions filters that are applied to the user who runs the search. Therefore, the more search permissions filters you have (especially if these filters are applied to the same user or group of users), the better the chance of exceeding the maximum number of conditions for a search. To prevent your organization from reaching the conditions limit, keep the number of search permissions filters in your organization to few as possible to meet your business requirements. For more information, see [Set up compliance boundaries for eDiscovery investigations](set-up-compliance-boundaries.md#frequently-asked-questions).
-## Connect to Exchange Online and Security & Compliance Center PowerShell in a single session
+## Connect to Exchange Online and Security & Compliance PowerShell in a single session
Before you can successfully run the script in this section, you have to download and install the Exchange Online PowerShell V2 module. For information, see [About the Exchange Online PowerShell V2 module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exo-v2-module).
Before you can successfully run the script in this section, you have to download
.\ConnectEXO-SCC.ps1 ```
-How do you know if this worked? After you run the script, cmdlets from Exchange Online and Security & Compliance PowerShell are imported to your local Windows PowerShell session. If you don't receive any errors, you connected successfully. A quick test is to run Exchange Online and Security & Compliance Center PowerShell cmdlets. For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**.
+How do you know if this worked? After you run the script, cmdlets from Exchange Online PowerShell and Security & Compliance PowerShell are available. If you don't receive any errors, you connected successfully. A quick test is to run Exchange Online PowerShell and Security & Compliance PowerShell cmdlets. For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**.
For troubleshooting PowerShell connection errors, see: - [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell#how-do-you-know-this-worked) -- [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell#how-do-you-know-this-worked)
+- [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell#how-do-you-know-this-worked)
## New-ComplianceSecurityFilter
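Review bot: the rewritten "How do you know if this worked?" line carries a stray "and": "For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**" should read "For example, you can run **Get-Mailbox** and **Get-ComplianceSearch**".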
compliance Protect Documents That Have Fci Or Other Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-documents-that-have-fci-or-other-properties.md
Next, they create a DLP policy with two rules that both use the condition **Docu
- **FCI PII content - Low** The second rule sends a notification to the document owner if the FCI classification property **Personally Identifiable Information** equals **Low** and the document is shared with people outside the organization.
-### Create the DLP policy by using PowerShell
+### Create the DLP policy by using Security & Compliance PowerShell
-The condition **Document properties contain any of these values** is temporarily not available in the UI of the Security &amp; Compliance Center, but you can still use this condition by using PowerShell. You can use the `New\Set\Get-DlpCompliancePolicy` cmdlets to work with a DLP policy, and use the `New\Set\Get-DlpComplianceRule` cmdlets with the `ContentPropertyContainsWords` parameter to add the condition **Document properties contain any of these values**.
+The condition **Document properties contain any of these values** is temporarily not available in the Microsoft Purview compliance portal, but you can still use this condition in Security & Compliance PowerShell. You can use the `New\Set\Get-DlpCompliancePolicy` cmdlets to work with a DLP policy, and use the `New\Set\Get-DlpComplianceRule` cmdlets with the `ContentPropertyContainsWords` parameter to add the condition **Document properties contain any of these values**.
-For more information on these cmdlets, see [Security &amp; Compliance Center cmdlets](/powershell/exchange/exchange-online-powershell).
+1. [Connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)
-1. [Connect to the Security &amp; Compliance Center using remote PowerShell](/powershell/exchange/connect-to-scc-powershell)
+2. Create the policy by using `New-DlpCompliancePolicy`.
-2. Create the policy by using `New-DlpCompliancePolicy`.
-
-This PowerShell creates a DLP policy that applies to all locations.
+ This PowerShell creates a DLP policy that applies to all locations.
```powershell New-DlpCompliancePolicy -Name FCI_PII_policy -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable ```
-3. Create the two rules described above by using `New-DlpComplianceRule`, where one rule is for the **Low** value, and another rule is for the **High** and **Moderate** values.
+3. Create the two rules described above by using `New-DlpComplianceRule`, where one rule is for the **Low** value, and another rule is for the **High** and **Moderate** values.
- Here is a PowerShell example that creates these two rules. The property name/value pairs are enclosed in quotation marks, and a property name may specify multiple values separated by commas with no spaces, like `"<Property1>:<Value1>,<Value2>","<Property2>:<Value3>,<Value4>"....`
+ Here is a PowerShell example that creates these two rules. The property name/value pairs are enclosed in quotation marks, and a property name may specify multiple values separated by commas with no spaces, like `"<Property1>:<Value1>,<Value2>","<Property2>:<Value3>,<Value4>"....`
```powershell New-DlpComplianceRule -Name FCI_PII_content-High,Moderate -Policy FCI_PII_policy -AccessScope NotInOrganization -BlockAccess $true -ContentPropertyContainsWords "Personally Identifiable Information:High,Moderate" -Disabled $falseNew-DlpComplianceRule -Name FCI_PII_content-Low -Policy FCI_PII_policy -AccessScope NotInOrganization -BlockAccess $false -ContentPropertyContainsWords "Personally Identifiable Information:Low" -Disabled $false -NotifyUser Owner
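Review bot: the example passes -Name FCI_PII_content-High,Moderate unquoted; PowerShell treats an unquoted comma in argument mode as an array separator, so the rule will not get the literal name shown. Quote the value ("FCI_PII_content-High,Moderate") or rename the rule without the comma. The rewrite also drops the "For more information on these cmdlets" link to the cmdlet reference without a replacement; keep a pointer to the New/Set/Get-DlpCompliancePolicy and New/Set/Get-DlpComplianceRule reference pages.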
compliance Retention Preservation Lock https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-preservation-lock.md
You must use PowerShell if you need to use Preservation Lock. Because administra
All retention policies with any configuration support Preservation Lock. To apply Preservation Lock on a retention label policy, it must contain only labels that mark items as regulatory records.
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Find the name of the policy that you want to lock by running [Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy). For example:
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Retention actions that are logged as auditing events are available only for rete
## PowerShell cmdlets for retention policies and retention labels
-To use the retention cmdlets, you must first [connect to Office 365 Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell). Then, use any of the following cmdlets:
+To use the retention cmdlets, you must first [connect to Office 365 Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell). Then, use any of the following cmdlets:
- [Get-ComplianceTag](/powershell/module/exchange/get-compliancetag)
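Review bot: the renamed link text at the `+` line keeps the "Office 365" prefix ("Office 365 Security & Compliance PowerShell"), whereas the other files in this batch (the Preservation Lock and search pages above and below) use plain "Security & Compliance PowerShell", so the product name remains inconsistent after the rename; drop the prefix here as well.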
compliance Search Cloud Based Mailboxes For On Premises Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users.md
Here are the requirements and limitations for enabling cloud-based storage for o
## How it works
-If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with. Teams chat data for on-premises users is indexed for search. This lets you Use Content search (and searches associated with Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium) cases) to search, preview, and export Teams chat data for on-premises users. You can also use **\*ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for Teams chat data for on-premises users.
+If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with. Teams chat data for on-premises users is indexed for search. This lets you Use Content search (and searches associated with Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium) cases) to search, preview, and export Teams chat data for on-premises users. You can also use **\*ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for Teams chat data for on-premises users.
The following graphic shows the workflow of how Teams chat data for on-premises users is available to search, preview, and export.
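Review bot: the `+` paragraph carries over two typos from the `-` line: "synched to the cloud" should be "synced to the cloud", and "This lets you Use Content search" has a stray capital on "Use". Since the line is being rewritten for the rename anyway, fix both in the same commit.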
Here's how to use Content search in the Microsoft Purview compliance portal to s
## Using PowerShell to search for Teams chat data for on-premises users
-You can use the **New-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.
+You can use the **New-ComplianceSearch** cmdlets in Security & Compliance PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run the following PowerShell command to create a content search that searches for Teams chat data for on-premises users.
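Review bot: "the **New-ComplianceSearch** cmdlets" names a single cmdlet but uses the plural; either say "cmdlet" or use the wildcard form "**\*ComplianceSearch** cmdlets" that the "How it works" section of this page already uses.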
compliance Search For And Delete Messages In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization.md
You can use the Content search feature to search for and delete email messages f
> [!NOTE] > The **Organization Management** role group exists in both Exchange Online and in the compliance portal. These are separate role groups that give different permissions. Being a member of **Organization Management** in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the **Search And Purge** role in the compliance center (either directly or through a role group such as **Organization Management**), you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'". -- You have to use Security & Compliance Center PowerShell to delete messages. See [Step 1](#step-1-connect-to-security--compliance-center-powershell) for instructions about how to connect.
+- You have to use Security & Compliance PowerShell to delete messages. See [Step 1: Connect to Security & Compliance PowerShell](#step-1-connect-to-security--compliance-powershell) for instructions about how to connect.
- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn't intended to clean up user mailboxes.
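Review bot: the new anchor `#step-1-connect-to-security--compliance-powershell` only resolves because the "Step 1" heading further down is renamed in this same patch; keep both changes together so the cross-reference is never dangling. The note text on the same line also mixes "compliance center" (for the **Search And Purge** role assignment) with "compliance portal"; pick one term.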
You can use the Content search feature to search for and delete email messages f
- Email items in a review set in an eDiscovery (Premium) case can't be deleted by using the procedures in this article. That's because items in a review set are stored in an Azure Storage location, and not in the live service. This means they won't be returned by the content search that you create in Step 1. To delete items in a review set, you have to delete the eDiscovery (Premium) case that contains the review set. For more information, see [Close or delete an eDiscovery (Premium) case](close-or-delete-case.md).
-## Step 1: Connect to Security & Compliance Center PowerShell
+## Step 1: Connect to Security & Compliance PowerShell
-The first step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+The first step is to connect to Security & Compliance PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
## Step 2: Create a Content Search to find the message to delete
After you've created and refined a Content search to return the messages that yo
> [!NOTE] > As previously stated, items from Microsoft Teams that are returned by Content search are not deleted when you run the the **New-ComplianceSearchAction -Purge** command.
-To run the following commands to delete messages, be sure that you're [connected to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+To run the following commands to delete messages, be sure that you're [connected to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
### Soft-delete messages
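Review bot: the unchanged NOTE line just above the edited sentence contains a doubled word ("when you run the the **New-ComplianceSearchAction -Purge** command"); since the adjacent line is being touched for the rename, fix "the the" in the same commit.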
compliance Search For Content https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-content.md
Content search is easy to use, but it's also a powerful tool. Behind-the-scenes,
## Use scripts for advanced scenarios
-Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and faster to use commands in Security & Compliance Center PowerShell. To help make this easier, we've created a number of Security & Compliance Center PowerShell scripts to help you complete complex content search-related tasks.
+Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and faster to use commands in Security & Compliance PowerShell. To help make this easier, we've created a number of Security & Compliance PowerShell scripts to help you complete complex content search-related tasks.
- [Search specific mailbox and site folders](use-content-search-for-targeted-collections.md) (called a *targeted* collection) when you're confident that items responsive to a case are located in that folder
compliance Search For Ediscovery Activities In The Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-ediscovery-activities-in-the-audit-log.md
The following table describes the eDiscovery (Premium) activities logged in the
## eDiscovery cmdlet activities
-The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance center or by running the corresponding cmdlet in Security & Compliance Center PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.
+The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the compliance center or by running the corresponding cmdlet in Security & Compliance PowerShell. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.
As previously stated, it may take up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.
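Review bot: the `+` line keeps "by using the compliance center" next to the renamed "Security & Compliance PowerShell"; elsewhere in this batch the portal is called the "Microsoft Purview compliance portal", so the rename should cover the portal name in this sentence as well.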
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Be sure to read the following items before you start searching the audit log.
> [!NOTE] > Even when mailbox auditing on by default is turned on, you might notice that mailbox audit events for some users aren't found in audit log searches in the compliance portal or via the Office 365 Management Activity API. For more information, see [More information about mailbox audit logging](enable-mailbox-auditing.md#more-information). -- If you want to turn off audit log search for your organization, you can run the following command in remote PowerShell connected to your Exchange Online organization:
+- If you want to turn off audit log search for your organization, you can run the following command in Exchange Online PowerShell:
```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
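Review bot: the `+` bullet replaces "remote PowerShell connected to your Exchange Online organization" with "Exchange Online PowerShell" but loses the pointer on how to connect; link it the way the mailbox-auditing hunk below does, as `[Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)`. Since `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false` disables the audit log search that every other procedure on this page relies on, a one-sentence caveat that this is tenant-wide would help readers.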
The following table lists file synchronization activities in SharePoint Online a
|Friendly name|Operation|Description| |:--|:--|:--|
-|Allowed computer to sync files|ManagedSyncClientAllowed|User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the *safe recipients list*) that can access document libraries in your organization. <br/><br/> For more information about this feature, see [Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
-|Blocked computer from syncing files|UnmanagedSyncClientBlocked|User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the *safe recipients list)* that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. <br/><br/> For information about this feature, see [Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
+|Allowed computer to sync files|ManagedSyncClientAllowed|User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the *safe recipients list*) that can access document libraries in your organization. <br/><br/> For more information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
+|Blocked computer from syncing files|UnmanagedSyncClientBlocked|User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the *safe recipients list)* that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. <br/><br/> For information about this feature, see [Use PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list](/powershell/module/sharepoint-online/).|
|Downloaded files to computer|FileSyncDownloadedFull|User downloads a file to their computer from a SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).| |Downloaded file changes to computer|FileSyncDownloadedPartial|This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).| |Uploaded files to document library|FileSyncUploadedFull|User uploads a new file or changes to a file in SharePoint document library or OneDrive for Business using OneDrive sync app (OneDrive.exe).|
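Review bot: in the second `+` row the italic markers are misplaced: `(called the *safe recipients list)*` closes the emphasis after the parenthesis, so the `)` is rendered in italics; change it to `(called the *safe recipients list*)` as in the row above. Both rows also link to the module index `/powershell/module/sharepoint-online/` rather than to the cmdlet the link text promises; if a specific cmdlet topic is meant, link to it directly.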
The following table lists events that result from site administration tasks in S
The following table lists the activities that can be logged by mailbox audit logging. Mailbox activities performed by the mailbox owner, a delegated user, or an administrator are automatically logged in the audit log for up to 90 days. It's possible for an admin to turn off mailbox audit logging for all users in your organization. In this case, no mailbox actions for any user are logged. For more information, see [Manage mailbox auditing](enable-mailbox-auditing.md).
- You can also search for mailbox activities by using the [Search-MailboxAuditLog](/powershell/module/exchange/search-mailboxauditlog) cmdlet in Exchange Online PowerShell.
+ You can also search for mailbox activities by using the [Search-MailboxAuditLog](/powershell/module/exchange/search-mailboxauditlog) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
|Friendly name|Operation|Description| |:--|:--|:--|
compliance Search The Mailbox And Onedrive For Business For A List Of Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md
Last updated 1/3/2017
audience: Admin -+ - M365-security-compliance - SPO_Content ms.localizationpriority: medium
+search.appverid:
- MOE150 - MET150 ms.assetid: 5f4f8206-2d6a-4cb2-bbc6-7a0698703cc0
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-Security & Compliance Center PowerShell provides a number of cmdlets that let you automate time-consuming eDiscovery-related tasks. Currently, creating a Content search in the Microsoft Purview compliance portal to search a large number of custodian content locations takes time and preparation. Before you create a search, you have to collect the URL for each OneDrive for Business site and then add each mailbox and OneDrive for Business site to the search. In future releases, this will be easier to do in the compliance portal. Until then, you can use the script in this article to automate this process. This script prompts you for the name of your organization's MySite domain (for example, **contoso** in the URL `https://contoso-my.sharepoint.com`), a list of user email addresses, the name of the new Content Search, and the search query to use. The script gets the OneDrive for Business URL for each user in the list, and then it creates and starts a Content Search that searches the mailbox and OneDrive for Business site for each user in the list, using the search query that you provide.
-
+Security & Compliance PowerShell provides a number of cmdlets that let you automate time-consuming eDiscovery-related tasks. Currently, creating a Content search in the Microsoft Purview compliance portal to search a large number of custodian content locations takes time and preparation. Before you create a search, you have to collect the URL for each OneDrive for Business site and then add each mailbox and OneDrive for Business site to the search. In future releases, this will be easier to do in the compliance portal. Until then, you can use the script in this article to automate this process. This script prompts you for the name of your organization's MySite domain (for example, **contoso** in the URL `https://contoso-my.sharepoint.com`), a list of user email addresses, the name of the new Content Search, and the search query to use. The script gets the OneDrive for Business URL for each user in the list, and then it creates and starts a Content Search that searches the mailbox and OneDrive for Business site for each user in the list, using the search query that you provide.
+ ## Permissions and script information - You have to be a member of the eDiscovery Manager role group in the compliance portal and a SharePoint Online global administrator to run the script in Step 3.
Security & Compliance Center PowerShell provides a number of cmdlets that let yo
## Step 1: Install the SharePoint Online Management Shell The first step is to install the SharePoint Online Management Shell. You don't have to use the shell in this procedure, but you have to install it because it contains pre-requisites required by the script that you run in Step 3. These prerequisites allow the script to communicate with SharePoint Online to get the URLs for the OneDrive for Business sites.
-
-Go to [Set up the SharePoint Online Management Shell Windows PowerShell environment](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and perform Step 1 and Step 2 to install the SharePoint Online Management Shell.
-
+
+Go to [Set up the SharePoint Online Management Shell environment](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and perform Step 1 and Step 2 to install the SharePoint Online Management Shell.
+ ## Step 2: Generate a list of users
-The script in Step 3 will create a Content Search to search the mailboxes and OneDrive accounts for a list of users. You can just type the email addresses in a text file, or you can run a command in Windows PowerShell to get a list of email addresses and save them to a file (located in same folder that you'll save the script to in Step 3).
-
-Here's an [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) command that you can runt to get a list of email addresses for all users in your organization and save it to a text file named `Users.txt`.
-
+The script in Step 3 will create a Content Search to search the mailboxes and OneDrive accounts for a list of users. You can just type the email addresses in a text file, or you can run a command in PowerShell to get a list of email addresses and save them to a file (located in same folder that you'll save the script to in Step 3).
+
+Here's an [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) command that you can runt to get a list of email addresses for all users in your organization and save it to a text file named `Users.txt`.
+ ```powershell Get-Mailbox -ResultSize unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox'} | Select-Object PrimarySmtpAddress > Users.txt ``` After you run this command, be sure to open the file and remove the header that contains the property name, `PrimarySmtpAddress`. The text file should just contain a list of email addresses, and nothing else. Make sure there are no blank rows before or after the list of email addresses.
-
+ ## Step 3: Run the script to create and start the search When you run the script in this step, it will prompt you for the following information. Be sure to have this information ready before you run the script.
-
-- **Your user credentials** - The script will use your credentials to access SharePoint Online to get the OneDrive for Business URLs and to connect to Security & Compliance Center PowerShell.
-
-- **Name of your MySite domain** - The MySite domain is the domain that contains all the OneDrive for Business sites in your organization. For example, if the URL for your MySite domain is **https://contoso-my.sharepoint.com**, then you would enter `contoso` when the script prompts you for the name of your MySite domain.
-
-- **Pathname of the text file from Step 2** - The pathname of the text file that you created in Step 2. If the text file and the script are located in the same folder, then enter the name of the text file. Otherwise, enter the complete pathname for the text file.
-
-- **Name of the Content Search** - The name of the Content Search that will be created by the script.
-
-- **Search query** - The search query that will be used with the Content Search is created and run. For more information about search queries, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
+- **Your user credentials** - The script will use your credentials to access SharePoint Online to get the OneDrive for Business URLs and to connect to Security & Compliance PowerShell.
+
+- **Name of your MySite domain** - The MySite domain is the domain that contains all the OneDrive for Business sites in your organization. For example, if the URL for your MySite domain is **https://contoso-my.sharepoint.com**, then you would enter `contoso` when the script prompts you for the name of your MySite domain.
+
+- **Pathname of the text file from Step 2** - The pathname of the text file that you created in Step 2. If the text file and the script are located in the same folder, then enter the name of the text file. Otherwise, enter the complete pathname for the text file.
+
+- **Name of the Content Search** - The name of the Content Search that will be created by the script.
+
+- **Search query** - The search query that will be used with the Content Search is created and run. For more information about search queries, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
**To run the script:**
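Review bot: the `+` line introducing the Users.txt command still has the typo "runt" ("command that you can runt to get"); fix it to "run" while the line is being touched. In the command itself, `Select-Object PrimarySmtpAddress > Users.txt` writes formatted table output, which is why the text then tells the reader to delete the header line by hand; `Select-Object -ExpandProperty PrimarySmtpAddress` emits bare addresses, removing that manual step and the chance of a leftover header row being fed to the search as an address. Finally, the "Search query" bullet reads "that will be used with the Content Search is created and run"; it should say "that will be used when the Content Search is created and run".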
-
+ 1. Save the following text to a Windows PowerShell script file by using a filename suffix of .ps1; for example, `SearchEXOOD4B.ps1`. Save the file to the same folder where you saved the list of users in Step 2.
-
- ```powershell
- # This PowerShell script will prompt you for the following information:
- # * Your user credentials
- # * The name of your organization's MySite domain
- # * The pathname for the text file that contains a list of user email addresses
- # * The name of the Content Search that will be created
- # * The search query string
- # The script will then:
- # * Find the OneDrive for Business site for each user in the text file
- # * Create and start a Content Search using the above information
- # Get user credentials
- if (!$credentials)
- {
- $credentials = Get-Credential
- }
- # Get the user's MySite domain name. We use this to create the admin URL and root URL for OneDrive for Business
- $mySiteDomain = Read-Host "What is your organization's MySite domain? For example, 'contoso' for 'https://contoso-my.sharepoint.com'"
- $AdminUrl = "https://$mySiteDomain-admin.sharepoint.com"
- $mySiteUrlRoot = "https://$mySiteDomain-my.sharepoint.com"
- # Get other required information
- $inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
- $searchName = Read-Host "Enter the name for the new search"
- $searchQuery = Read-Host "Enter the search query you want to use"
- $emailAddresses = Get-Content $inputfile | where {$_ -ne ""} | foreach{ $_.Trim() }
- # Connect to Security & Compliance Center PowerShell
- if (!$s -or !$a)
- {
- Import-Module ExchangeOnlineManagement
- Connect-IPPSSession
- }
-
- # Load the SharePoint assemblies from the SharePoint Online Management Shell
- # To install, go to https://go.microsoft.com/fwlink/p/?LinkId=255251
- if (!$SharePointClient -or !$SPRuntime -or !$SPUserProfile)
- {
- $SharePointClient = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
- $SPRuntime = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
- $SPUserProfile = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
- if (!$SharePointClient)
- {
- Write-Error "SharePoint Online Management Shell isn't installed, please install from: https://go.microsoft.com/fwlink/p/?LinkId=255251 and then run this script again"
- return;
- }
- }
- if (!$spCreds)
- {
- $spCreds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credentials.UserName, $credentials.Password)
- }
- # Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
- $proxyaddr = "$AdminUrl/_vti_bin/UserProfileService.asmx?wsdl"
- $UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
- $UserProfileService.Credentials = $credentials
- # Take care of auth cookies
- $strAuthCookie = $spCreds.GetAuthenticationCookie($AdminUrl)
- $uri = New-Object System.Uri($AdminUrl)
- $container = New-Object System.Net.CookieContainer
- $container.SetCookies($uri, $strAuthCookie)
- $UserProfileService.CookieContainer = $container
- Write-Host "Getting each user's OneDrive for Business URL"
- $urls = @()
- foreach($emailAddress in $emailAddresses)
- {
- try
- {
- $prop = $UserProfileService.GetUserProfileByName("i:0#.f|membership|$emailAddress") | Where-Object { $_.Name -eq "PersonalSpace" }
- $url = $prop.values[0].value
- $furl = $mySiteUrlRoot + $url
- $urls += $furl
- Write-Host "-$emailAddress => $furl"
- }
- catch
- {
- Write-Warning "Could not locate OneDrive for $emailAddress"
- }
- }
- Write-Host "Creating and starting the search"
- $search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -SharePointLocation $urls -ContentMatchQuery $searchQuery
- # Finally, start the search and then display the status
- if($search)
- {
- Start-ComplianceSearch $search.Name
- Get-ComplianceSearch $search.Name
- }
-
- ```
+
+ ```powershell
+ # This PowerShell script will prompt you for the following information:
+ # * Your user credentials
+ # * The name of your organization's MySite domain
+ # * The pathname for the text file that contains a list of user email addresses
+ # * The name of the Content Search that will be created
+ # * The search query string
+ # The script will then:
+ # * Find the OneDrive for Business site for each user in the text file
+ # * Create and start a Content Search using the above information
+ # Get user credentials
+ if (!$credentials)
+ {
+ $credentials = Get-Credential
+ }
+ # Get the user's MySite domain name. We use this to create the admin URL and root URL for OneDrive for Business
+ $mySiteDomain = Read-Host "What is your organization's MySite domain? For example, 'contoso' for 'https://contoso-my.sharepoint.com'"
+ $AdminUrl = "https://$mySiteDomain-admin.sharepoint.com"
+ $mySiteUrlRoot = "https://$mySiteDomain-my.sharepoint.com"
+ # Get other required information
+ $inputfile = read-host "Enter the file name of the text file that contains the email addresses for the users you want to search"
+ $searchName = Read-Host "Enter the name for the new search"
+ $searchQuery = Read-Host "Enter the search query you want to use"
+ $emailAddresses = Get-Content $inputfile | where {$_ -ne ""} | foreach{ $_.Trim() }
+ # Connect to Security & Compliance PowerShell
+ if (!$s -or !$a)
+ {
+ Import-Module ExchangeOnlineManagement
+ Connect-IPPSSession
+ }
+
+ # Load the SharePoint assemblies from the SharePoint Online Management Shell
+ # To install, go to https://go.microsoft.com/fwlink/p/?LinkId=255251
+ if (!$SharePointClient -or !$SPRuntime -or !$SPUserProfile)
+ {
+ $SharePointClient = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
+ $SPRuntime = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
+ $SPUserProfile = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
+ if (!$SharePointClient)
+ {
+ Write-Error "SharePoint Online Management Shell isn't installed, please install from: https://go.microsoft.com/fwlink/p/?LinkId=255251 and then run this script again"
+ return;
+ }
+ }
+ if (!$spCreds)
+ {
+ $spCreds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credentials.UserName, $credentials.Password)
+ }
+ # Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
+ $proxyaddr = "$AdminUrl/_vti_bin/UserProfileService.asmx?wsdl"
+ $UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
+ $UserProfileService.Credentials = $credentials
+ # Take care of auth cookies
+ $strAuthCookie = $spCreds.GetAuthenticationCookie($AdminUrl)
+ $uri = New-Object System.Uri($AdminUrl)
+ $container = New-Object System.Net.CookieContainer
+ $container.SetCookies($uri, $strAuthCookie)
+ $UserProfileService.CookieContainer = $container
+ Write-Host "Getting each user's OneDrive for Business URL"
+ $urls = @()
+ foreach($emailAddress in $emailAddresses)
+ {
+ try
+ {
+ $prop = $UserProfileService.GetUserProfileByName("i:0#.f|membership|$emailAddress") | Where-Object { $_.Name -eq "PersonalSpace" }
+ $url = $prop.values[0].value
+ $furl = $mySiteUrlRoot + $url
+ $urls += $furl
+ Write-Host "-$emailAddress => $furl"
+ }
+ catch
+ {
+ Write-Warning "Could not locate OneDrive for $emailAddress"
+ }
+ }
+ Write-Host "Creating and starting the search"
+ $search = New-ComplianceSearch -Name $searchName -ExchangeLocation $emailAddresses -SharePointLocation $urls -ContentMatchQuery $searchQuery
+ # Finally, start the search and then display the status
+ if($search)
+ {
+ Start-ComplianceSearch $search.Name
+ Get-ComplianceSearch $search.Name
+ }
+ ```
2. Open Windows PowerShell and go to the folder where you saved the script and the list of users from Step 2.
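Review bot: the `+` script carries a few defects that the rename does not address. `if (!$s -or !$a)` tests variables that are never assigned anywhere in the script, so the guard is always true and only obscures the unconditional `Connect-IPPSSession`; remove the condition or check for an existing connection. `New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False` treats `-UseDefaultCredential` as if it took a value, but it is a switch, so the literal `False` is bound positionally to the next free parameter instead; write `-UseDefaultCredential:$false` or omit it. `New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($credentials.UserName, $credentials.Password)` uses legacy username/password authentication to SharePoint Online, which fails for accounts protected by MFA or in tenants that have disabled legacy authentication, while the compliance side of the same script already uses modern auth via `Connect-IPPSSession`; the header comments should state that requirement. Lastly, `Connect-IPPSSession` is called without `-UserPrincipalName $credentials.UserName`, so the user is asked to sign in a second time even though credentials were just collected.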
-
+ 3. Start the script; for example:
-
+ ```powershell .\SearchEXOOD4B.ps1 ```
-4. When prompted for your credentials, enter your email address and password, and then click **OK**.
-
+4. When prompted for your credentials, enter your email address and password, and then click **OK**.
+ 5. Enter following information when prompted by the script. Type each piece of information and then press **Enter**.
-
- - The name of your MySite domain.
-
+
+ - The name of your MySite domain.
+ - The pathname of the text file that contains the list of users.
-
+ - A name for the Content Search.
-
+ - The search query (leave this blank to return all items in the content locations).
-
- The script gets the URLs for each OneDrive for Business site and then creates and starts the search. You can either run the **Get-ComplianceSearch** cmdlet in Security & Compliance Center PowerShell to display the search statistics and results, or you can go to the **Content search** page in the compliance portal to view information about the search.
+
+ The script gets the URLs for each OneDrive for Business site and then creates and starts the search. You can either run the **Get-ComplianceSearch** cmdlet in Security & Compliance PowerShell to display the search statistics and results, or you can go to the **Content search** page in the compliance portal to view information about the search.
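Review bot: step 4 ("enter your email address and password, and then click **OK**") describes only the `Get-Credential` prompt; the script also calls `Connect-IPPSSession`, which opens its own sign-in, so the reader should be told to expect a second prompt. The last bullet of step 5 says a blank query returns all items; the script passes that empty string straight through as `-ContentMatchQuery $searchQuery` without special-casing it, which is worth stating so readers know nothing in the script is substituting a wildcard.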
compliance Sensitive Information Type Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md
You can choose from several options to create custom sensitive information types
- **Use EDM** - You can set up custom sensitive information types using Exact Data Match (EDM)-based classification. This method enables you to create a dynamic sensitive information type using a secure database that you can refresh periodically. See [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types). -- **Use PowerShell** - You can set up custom sensitive information types using PowerShell. Although this method is more complex than using the UI, you have more configuration options. See [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md).
+- **Use PowerShell** - You can set up custom sensitive information types using PowerShell. Although this method is more complex than using the UI, you have more configuration options. See [Create a custom sensitive information type in Security & Compliance PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md).
> [!NOTE] > Improved confidence levels are available for immediate use within Microsoft Purview data loss prevention services, information protection, Communication Compliance, data lifecycle management, and records management.
compliance Sensitivity Labels Default Sharing Link https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-default-sharing-link.md
To apply the default sharing link type for sites, sensitivity labels must be ena
To apply the default sharing link type for documents in SharePoint and OneDrive, sensitivity labels must be enabled for these services. If this capability isn't yet enabled for your tenant, see [How to enable sensitivity labels for SharePoint and OneDrive (opt-in)](sensitivity-labels-sharepoint-onedrive-files.md#how-to-enable-sensitivity-labels-for-sharepoint-and-onedrive-opt-in).
-In a PowerShell session, you must [connect to Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) to configure the settings for the default sharing link type.
+In a PowerShell session, you must [connect to Office 365 Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) to configure the settings for the default sharing link type.
> [!NOTE] > Although not required, it's easiest to first [create and configure sensitivity labels in the Microsoft Purview compliance portal](create-sensitivity-labels.md), and then modify these labels with the settings that configure the default sharing link type. ## How to configure settings for the default sharing link type
-The configuration settings for the default sharing link type use the PowerShell *AdvancedSettings* parameter with the [Set-Label](/powershell/module/exchange/set-label) and [New-Label](/powershell/module/exchange/new-labelpolicy) cmdlets from [Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell):
+The configuration settings for the default sharing link type use the PowerShell *AdvancedSettings* parameter with the [Set-Label](/powershell/module/exchange/set-label) and [New-Label](/powershell/module/exchange/new-labelpolicy) cmdlets from [Security & Compliance PowerShell](/powershell/exchange/scc-powershell):
- **DefaultSharingScope**: The available values are: - **SpecificPeople**: Sets the default sharing link for the site to the "Specific people" link
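Review bot: the rewritten sentence keeps `[New-Label](/powershell/module/exchange/new-labelpolicy)`, whose link text names New-Label but whose target is the New-LabelPolicy reference; the target should be `/powershell/module/exchange/new-label`. Also, this article links Security & Compliance PowerShell through `/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell` while other articles in the same change use `/powershell/exchange/connect-to-scc-powershell`; settle on one path so the links don't depend on a redirect.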
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
- If a document is labeled while it's [checked out in SharePoint](https://support.microsoft.com/office/check-out-check-in-or-discard-changes-to-files-in-a-library-7e2c12a9-a874-4393-9511-1378a700f6de), the **Sensitivity** column in the document library won't display the label name until the document is checked in and next opened in SharePoint. - If a labeled and encrypted document is downloaded from SharePoint or OneDrive by an app or service that uses a service principal name, and then uploaded again with a label that applies different encryption settings, the upload will fail. An example scenario is Microsoft Defender for Cloud Apps changes a sensitivity label on a file from **Confidential** to **Highly Confidential**, or from **Confidential** to **General**.
-
+ The upload doesn't fail if the app or service first runs the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet, as explained in the [Remove encryption for a labeled document](#remove-encryption-for-a-labeled-document) section. Or, before the upload, the original file is deleted, or the file name is changed. - Users might experience delays in being able to open encrypted documents in the following Save As scenario: Using a desktop version of Office, a user chooses Save As for a document that has a sensitivity label that applies encryption. The user selects SharePoint or OneDrive for the location, and then immediately tries to open that document in Office for the web. If the service is still processing the encryption, the user sees a message that the document must be opened in their desktop app. If they try again in a couple of minutes, the document successfully opens in Office for the web.
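Review bot: the cmdlet link `/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile` has a capital F in `encryptedFile` while the rest of the slug is lowercase; reference slugs are lowercase, so make it `unlock-sposensitivitylabelencryptedfile` to avoid a case-sensitive miss.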
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
- For encrypted documents in Office for the web, copying to the clipboard and screen captures are not prevented. For more information, see [Can Rights Management prevent screen captures?](/azure/information-protection/faqs-rms#can-rights-management-prevent-screen-captures) - By default, Office desktop apps and mobile apps don't support co-authoring for files that are labeled with encryption. These apps continue to open labeled and encrypted files in exclusive editing mode.
-
+ > [!NOTE] > Co-authoring is now supported for Windows and macOS. For more information, see [Enable co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md).
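Review bot: the added note ("Co-authoring is now supported for Windows and macOS") sits directly under a bullet that still states "Office desktop apps and mobile apps don't support co-authoring for files that are labeled with encryption", so the two statements contradict each other as written; reword the bullet to say that co-authoring for encrypted files is off by default and must be enabled, then keep the note as the pointer to the enabling article.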
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
- Encryption that was applied by using [Double Key Encryption](double-key-encryption.md) - Encryption that was applied independently from a label, for example, by directly applying a Rights Management protection template. -- Labels configured for [other languages](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-center-powershell) are not supported and display the original language only.
+- Labels configured for [other languages](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell) are not supported and display the original language only.
- If you delete a label that's been applied to a document in SharePoint or OneDrive, rather than remove the label from the applicable label policy, the document when downloaded won't be labeled or encrypted. In comparison, if the labeled document is stored outside SharePoint or OneDrive, the document remains encrypted if the label is deleted. Note that although you might delete labels during a testing phase, it's very rare to delete a label in a production environment.
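Review bot: the anchor change to `#additional-label-settings-with-security--compliance-powershell` only resolves if the matching heading in create-sensitivity-labels.md was renamed in the same change; verify that heading was updated, otherwise the link silently lands at the top of the target page.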
Search won't find labeled documents in a compressed file, such as a .zip file.
To get the GUIDs for your sensitivity labels, use the [Get-Label](/powershell/module/exchange/get-label) cmdlet:
-1. First, [connect to Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+1. First, [connect to Office 365 Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
For example, in a PowerShell session that you run as administrator, sign in with a global administrator account.
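Review bot: the example under step 1 tells the reader to "sign in with a global administrator account" just to run Get-Label; listing labels does not require the tenant's most privileged role, so recommend a less-privileged compliance role here and reserve Global Administrator for the steps that actually need it.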
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
If you haven't yet enabled sensitivity labels for containers, do the following s
1. Because this feature uses Azure AD functionality, follow the instructions from the Azure AD documentation to enable sensitivity label support: [Assign sensitivity labels to Microsoft 365 groups in Azure Active Directory](/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels).
-2. You now need to synchronize your sensitivity labels to Azure AD. First, [connect to Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+2. You now need to synchronize your sensitivity labels to Azure AD. First, [connect to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
For example, in a PowerShell session that you run as administrator, sign in with a global administrator account.
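Review bot: this article now links Security & Compliance PowerShell via `/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell` in step 2 here, but via `/powershell/exchange/connect-to-scc-powershell` in the next hunk; use the same path in both places.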
Make sure you have version 16.0.19418.12000 or later of the SharePoint Online Ma
1. Open a PowerShell session with the **Run as Administrator** option.
-2. If you don't know your label GUID: [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and get the list of sensitivity labels and their GUIDs.
+2. If you don't know your label GUID: [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and get the list of sensitivity labels and their GUIDs.
```powershell Get-Label |ft Name, Guid
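Review bot: the example `Get-Label |ft Name, Guid` uses the `ft` alias; in documentation spell out `Format-Table` so readers unfamiliar with the alias can follow it, and add the space after the pipe.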
To help you manage the coexistence of sensitivity labels and Azure AD classifica
### Use PowerShell to convert classifications for Microsoft 365 groups to sensitivity labels
-1. First, [connect to Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
+1. First, [connect to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).
For example, in a PowerShell session that you run as administrator, sign in with a global administrator account:
compliance Set Up An Archive And Deletion Policy For Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes.md
You do this by using Exchange Online PowerShell to update your organization's de
|Never Delete <br/> |This tag prevents items from being deleted by a retention policy. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> | |Personal 1 year move to archive <br/> |Moves items to the archive mailbox after 1 year. <br/> |Built-in <br/> |Personal; this tag can be applied by users. <br/> |
- > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Windows PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention).
+ > <sup>\*</sup> Users can use the Recover Deleted Items tool in Outlook and Outlook on the web (formerly known as Outlook Web App) to recover a deleted item within the deleted item retention period, which by default is 14 days in Exchange Online. An administrator can use Exchange Online PowerShell to increase the deleted item retention period to a maximum of 30 days. For more information, see: [Recover deleted items in Outlook for Windows](https://support.office.com/article/49e81f3c-c8f4-4426-a0b9-c0fd751d48ce) and [Change the deleted item retention period for a mailbox in Exchange Online](/exchange/recipients-in-exchange-online/manage-user-mailboxes/change-deleted-item-retention).
- Using the **Recoverable Items 14 days Move to Archive** retention tag helps free up storage space in the Recoverable Items folder in the user's primary mailbox. This is useful when a user's mailbox is placed on hold, which means nothing is ever permanently deleted from the user's mailbox. Without moving items to the archive mailbox, it's possible the storage quota for the Recoverable Items folder in the primary mailbox will be reached. For more information about this and how to avoid it, see [Increase the Recoverable Items quota for mailboxes on hold](./increase-the-recoverable-quota-for-mailboxes-on-hold.md).
compliance Set Up Azure Rms For Previous Version Message Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-azure-rms-for-previous-version-message-encryption.md
If you haven't yet moved your organization to Microsoft Purview Message Encrypti
<a name="warmprereqs"> </a> Office 365 Message Encryption (OME), including IRM, depends on Azure Rights Management (Azure RMS). Azure RMS is the protection technology used by Azure Information Protection. To use OME, your organization must include an Exchange Online or Exchange Online Protection subscription that, in turn, includes an Azure Rights Management subscription.
-
+ - If you're not sure of what your subscription includes, see the Exchange Online service descriptions for [Message Policy, Recovery, and Compliance](/office365/servicedescriptions/exchange-online-service-description/message-policy-and-compliance). - If you have Azure Rights Management but it's not set up for Exchange Online or Exchange Online Protection, this article explains how to activate Azure Rights Management and then the describes the best way to set up OME to work with Azure Rights Management.
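Review bot: the second bullet in the added lines reads "this article explains how to activate Azure Rights Management and then the describes the best way to set up OME"; drop the stray "the" so it reads "and then describes the best way".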
Office 365 Message Encryption (OME), including IRM, depends on Azure Rights Mana
## Activate Azure Rights Management for the previous version of OME in Office 365 You need to activate Azure Rights Management so that the users in your organization can apply information protection to messages that they send, and open messages and files that have been protected by the Azure Rights Management service. For instructions, see [Activating Azure Rights Management](/azure/information-protection/activate-service). Once you've completed the activation, return here and continue with the tasks in this article.
-
+ ## Set up the previous version of OME to use Azure RMS by importing trusted publishing domains (TPDs)
-A TPD is an XML file that contains information about your organization's rights management settings. For example, the TPD contains information about the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and so on. You import the TPD into your organization by using Windows PowerShell.
-
+A TPD is an XML file that contains information about your organization's rights management settings. For example, the TPD contains information about the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and so on. You import the TPD into your organization by using PowerShell.
+ > [!IMPORTANT] > Previously, you could choose to import TPDs from the Active Directory Rights Management service (AD RMS) into your organization. However, doing so will prevent you from using Microsoft Purview Message Encryption and is not recommended. If your organization is currently configured this way, Microsoft recommends that you create a plan to migrate from your on-premises Active Directory RMS to cloud-based Azure Information Protection. For more information, see [Migrating from AD RMS to Azure Information Protection](/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms). You will not be able to use Microsoft Purview Message Encryption until you have completed the migration to Azure Information Protection.
-
- **To import TPDs from Azure RMS**
-
-1. [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+**To import TPDs from Azure RMS**:
+
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Choose the key-sharing URL that corresponds to your organization's geographic location:
-|**Location**|**Key sharing location URL**|
-|:--|:--|
-|North America <br/> |https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc <br/> |
-|European Union <br/> |https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc <br/> |
-|Asia <br/> |https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc <br/> |
-|South America <br/> |https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc <br/> |
-|Office 365 for Government (Government Community Cloud) <br/> This RMS key-sharing location is reserved for customers who have purchased Office 365 for Government SKUs. <br/> |https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc <br/> |
-
-3. Configure the key-sharing location by running the [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration) cmdlet as follows:
+ |Location|Key sharing location URL|
+ |||
+ |North America|<https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc>|
+ |European Union|<https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc>|
+ |Asia|<https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc>|
+ |South America|<https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc>|
+ |Office 365 for Government (Government Community Cloud) <br/> This RMS key-sharing location is reserved for customers who have purchased Office 365 for Government SKUs.|<https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc>|
+
+3. Configure the key-sharing location by running the [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration) cmdlet as follows:
```powershell Set-IRMConfiguration -RMSOnlineKeySharingLocation "<RMSKeySharingURL >" ```
-
+ For example, to configure the key sharing location if your organization is located in North America: ```powershell Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc" ```
-4. Run the [Import-RMSTrustedPublishingDomain](/powershell/module/exchange/import-rmstrustedpublishingdomain) cmdlet with the -RMSOnline switch to import the TPD from Azure Rights Management:
+4. Run the [Import-RMSTrustedPublishingDomain](/powershell/module/exchange/import-rmstrustedpublishingdomain) cmdlet with the -RMSOnline switch to import the TPD from Azure Rights Management:
```powershell Import-RMSTrustedPublishingDomain -RMSOnline -Name "<TPDName> " ```
- Where *TPDName* is the name you want to use for the TPD. For example, "Contoso North American TPD".
+ Where *TPDName* is the name you want to use for the TPD. For example, "Contoso North American TPD".
5. To verify that you successfully configured your organization to use the Azure Rights Management service, run the [Test-IRMConfiguration](/powershell/module/exchange/test-irmconfiguration) cmdlet with the -RMSOnline switch as follows:
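Review bot: the placeholders in steps 3 and 4 carry stray spaces inside the quotes, `"<RMSKeySharingURL >"` and `"<TPDName> "`, so a reader who copies them gets a trailing space in the configured value; tighten them to `"<RMSKeySharingURL>"` and `"<TPDName>"`. The intro sentence now says "You import the TPD into your organization by using PowerShell" while step 1 links Exchange Online PowerShell; name it as "Exchange Online PowerShell" to match the wording chosen elsewhere in this change. And if the new table's delimiter row really is `|||` rather than an artifact of this view, the table will not render, because a delimiter row needs at least one hyphen per column.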
A TPD is an XML file that contains information about your organization's rights
Among other things, this cmdlet checks connectivity with the Azure Rights Management service, downloads the TPD, and checks its validity.
-6. Run the [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration) cmdlet as follows to disable Azure Rights Management templates from being available in Outlook on the web and Outlook:
+6. Run the [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration) cmdlet as follows to disable Azure Rights Management templates from being available in Outlook on the web and Outlook:
```powershell Set-IRMConfiguration -ClientAccessServerEnabled $false
A TPD is an XML file that contains information about your organization's rights
<a name="importTPDs"> </a> You can continue to use your existing Office 365 Message Encryption mail flow rules with Active Directory Rights Management, but you can't configure or use Microsoft Purview Message Encryption. Instead, you need to migrate to Azure Information Protection. For information about migration and what this means for your organization, see [Migrating from AD RMS to Azure Information Protection](/information-protection/deploy-use/prepare-environment-adrms).
-
+ ## Next steps <a name="importTPDs"> </a> Once you've completed Azure Rights Management setup, if you want to enable Microsoft Purview Message Encryption, see [Set up Microsoft Purview Message Encryption](./set-up-new-message-encryption-capabilities.md).
-
+ After you've set up your organization to use Microsoft Purview Message Encryption, you're ready to [Define mail flow rules](define-mail-flow-rules-to-encrypt-email.md).
-
+ ## Related topics <a name="importTPDs"> </a> [Encryption in Office 365](encryption.md)
-
+ [Technical reference details about encryption in Office 365](technical-reference-details-about-encryption.md)
-
+ [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
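Review bot: `<a name="importTPDs"> </a>` appears three times in this file (before this paragraph, before `## Next steps`, and before `## Related topics`), so the anchor id is duplicated and a `#importTPDs` link can only reach the first one; give each section its own anchor or remove the repeats.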
compliance Sit Edm Notifications Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-notifications-activities.md
To learn more about DLP licensing, see [Microsoft 365 licensing guidance for sec
## Configure notifications for EDM activities
-1. Connect to the [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. Connect to the [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run the `New-ProtectionAlert` cmdlet using the activity that you want to create the notification for. For example, if you want to be notified when the **UploadDataCompleted** action occurred, run:
compliance Sit Get Started Exact Data Match Create Rule Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-create-rule-package.md
In some cases, you might have to identify certain account or record identificati
## Create a rule package manually
-This procedure shows you how to create a file in XML format called a rule package (with Unicode encoding), and then upload it into Microsoft Purview using Compliance center PowerShell cmdlets.
+This procedure shows you how to create a file in XML format called a rule package (with Unicode encoding), and then upload it into Microsoft Purview using Security & Compliance PowerShell cmdlets.
> [!NOTE] > If the SIT that you map to can detect multi-word corroborative evidence, the secondary elements you define in a manually created rule package can be mapped to the SIT. For example, the name `John Smith` would not match as a secondary element because we'd compare `John` and `Smith` found in the content separately to the term `John Smith` uploaded in one of the fields, if that corroborative evidence field wasn't mapped to a SIT that can detect that pattern.
compliance Sit Get Started Exact Data Match Create Schema https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-create-schema.md
You can use this wizard to help simplify the schema file creation process.
If you created the EDM schema in the EDM schema wizard, you must export the EDM schema file in XML format. You'll need it in the [Hash and upload the sensitive information source table for exact data match sensitive information types](sit-get-started-exact-data-match-hash-upload.md#hash-and-upload-the-sensitive-information-source-table-for-exact-data-match-sensitive-information-types) phase.
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. To export the EDM schema file, use this syntax:
The `ignoredDelimiters` flag doesn't support:
Once you have created the EDM schema file in XML format, you have to upload it to the cloud service.
-2. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
3. To upload the database schema, run the following command:
compliance Sit Modify A Custom Sensitive Information Type In Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-modify-a-custom-sensitive-information-type-in-powershell.md
description: "Learn how to modify a custom sensitive information using PowerShel
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-In Compliance center PowerShell, modifying a custom sensitive information type requires you to:
+In Security & Compliance PowerShell, modifying a custom sensitive information type requires you to:
1. Export the existing rule package that contains the custom sensitive information type to an XML file (or use the existing XML file if you have it).
In Compliance center PowerShell, modifying a custom sensitive information type r
3. Import the updated XML file back into the existing rule package.
-To connect to Compliance Center PowerShell, see [Connect to Compliance Center PowerShell](/powershell/exchange/exchange-online-powershell).
+To connect to Security & Compliance PowerShell, see [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell).
-### Step 1: Export the existing rule package to an XML file
+## Step 1: Export the existing rule package to an XML file
> [!NOTE] > If you have a copy of the XML file (for example, you just created and imported it), you can skip to the next step to modify the XML file.
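Review bot: the rewritten line `To connect to Security & Compliance PowerShell, see [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell).` lost the "Connect to" wording in the link text and points at the Exchange Online PowerShell article; use `[Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)`, the path the other articles in this change use.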
To connect to Compliance Center PowerShell, see [Connect to Compliance Center Po
[System.IO.File]::WriteAllBytes('C:\My Documents\ExportedRulePackage.xml', $rulepak.SerializedClassificationRuleCollection) ```
-#### Step 2: Modify the sensitive information type in the exported XML file
+## Step 2: Modify the sensitive information type in the exported XML file
Sensitive information types in the XML file and other elements in the file are described earlier in this topic.
-#### Step 3: Import the updated XML file back into the existing rule package
+## Step 3: Import the updated XML file back into the existing rule package
To import the updated XML back into the existing rule package, use the [Set-DlpSensitiveInformationTypeRulePackage](/powershell/module/exchange/set-dlpsensitiveinformationtyperulepackage) cmdlet:
compliance Sit Modify Edm Schema Configurable Match https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-modify-edm-schema-configurable-match.md
Exact Data Match (EDM) based classification enables you to create custom sensiti
- \" - \,
-6. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+6. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
> [!NOTE] > If your organization has set up [Customer Key for Microsoft 365 at the tenant level (public preview)](customer-key-tenant-level.md#overview-of-customer-key-for-microsoft-365-at-the-tenant-level-public-preview), Exact data match will make use of its encryption functionality automatically. This is available only to E5 licensed tenants in the Commercial cloud.
compliance Sit Remove A Custom Sensitive Information Type In Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-remove-a-custom-sensitive-information-type-in-powershell.md
description: "Learn how to remove a custom sensitive information type using Powe
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-In Compliance center PowerShell, there are two methods to remove custom sensitive information types:
+In Security & Compliance PowerShell, there are two methods to remove custom sensitive information types:
- **Remove individual custom sensitive information types**: Use the method documented in [Modify a custom sensitive information type using PowerShell](sit-modify-a-custom-sensitive-information-type-in-powershell.md#modify-a-custom-sensitive-information-type-using-powershell). You export the custom rule package that contains the custom sensitive information type, remove the sensitive information type from the XML file, and import the updated XML file back into the existing custom rule package.
In Compliance center PowerShell, there are two methods to remove custom sensitiv
> [!NOTE] > Before your remove a custom sensitive information type, verify that no DLP policies or Exchange mail flow rules (also known as transport rules) still reference the sensitive information type.
-1. [Connect to Compliance center PowerShell](/powershell/exchange/exchange-online-powershell)
+1. [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell)
2. To remove a custom rule package, use the [Remove-DlpSensitiveInformationTypeRulePackage](/powershell/module/exchange/remove-dlpsensitiveinformationtyperulepackage) cmdlet:
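Review bot: step 1 is now just `1. [Security & Compliance PowerShell](/powershell/exchange/exchange-online-powershell)`, a bare link with no instruction that targets the Exchange Online article; restore the "Connect to" wording and point it at `/powershell/exchange/connect-to-scc-powershell`. The note above it also has "Before your remove a custom sensitive information type", which should be "Before you remove".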
compliance Sit Use Exact Data Manage Schema https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-use-exact-data-manage-schema.md
If you want to make changes to your EDM schema, for example the **edm.xml** file
1. Edit your **edm.xml** file (this is the file discussed in the [Create the schema for exact data match based sensitive information types](sit-get-started-exact-data-match-create-schema.md#create-the-schema-for-exact-data-match-based-sensitive-information-types).
-2. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+2. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
3. To update your database schema, run the following command:
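Review bot: step 1 opens a parenthesis ("(this is the file discussed in the [Create the schema ...]") that is never closed; add the closing parenthesis after the link.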
If you want to make changes to your EDM schema, for example the **edm.xml** file
If you want to remove the schema you're using for EDM-based classification, follow these steps:
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Run the following command, substituting the data store name of "patient records" with the one you want to remove (using the patientrecords store as an example):
compliance Sit Use Exact Data Refresh Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-use-exact-data-refresh-data.md
You can refresh your sensitive information database up to 5 times in every 24 ho
|Method|What to do| |||
- |Windows PowerShell|See the [ScheduledTasks](/powershell/module/scheduledtasks/) documentation and the [example PowerShell script](#example-powershell-script-for-task-scheduler) in this article|
+ |PowerShell|See the [ScheduledTasks](/powershell/module/scheduledtasks/) documentation and the [example PowerShell script](#example-powershell-script-for-task-scheduler) in this article|
|Task Scheduler API|See the [Task Scheduler](/windows/desktop/TaskSchd/using-the-task-scheduler) documentation| |Windows user interface|In Windows, click **Start**, and type Task Scheduler. Then, in the list of results, right-click **Task Scheduler**, and choose **Run as administrator**.|
-### Example PowerShell script for Task Scheduler
+## Example PowerShell script for Task Scheduler
This section includes an example PowerShell script you can use to schedule your tasks for hashing data and uploading the hashed data:
-#### Schedule hashing and upload in a combined step
+### Schedule hashing and upload in a combined step
```powershell param(\[string\]$dataStoreName,\[string\]$fileLocation)
$taskName = 'EDMUpload\_' + $dataStoreName
Register-ScheduledTask -TaskName $taskName -InputObject $scheduledTask -User $user -Password $password ```
-#### Schedule hashing and upload as separate steps
+### Schedule hashing and upload as separate steps
```powershell param(\[string\]$dataStoreName,\[string\]$fileLocation)
compliance Use A Script To Add Users To A Hold In Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-a-script-to-add-users-to-a-hold-in-ediscovery.md
f1.keywords:
Previously updated : Last updated : audience: Admin
search.appverid:
- MBS150 - MET150 ms.assetid: bad352ff-d5d2-45d8-ac2a-6cb832f10e73-+ - seo-marvel-apr2020 - admindeeplinkSPO description: "Learn how to run a script to add mailboxes & OneDrive for Business sites to a new hold associated with an eDiscovery case in the Microsoft Purview compliance portal."
description: "Learn how to run a script to add mailboxes & OneDrive for Business
[!include[Purview banner](../includes/purview-rebrand-banner.md)]
-Security & Compliance Center PowerShell provides cmdlets that let you automate time-consuming tasks related to creating and managing eDiscovery cases. Currently, using the Microsoft Purview eDiscovery (Standard) case in the Microsoft Purview compliance portal to place a large number of custodian content locations on hold takes time and preparation. For example, before you create a hold, you have to collect the URL for each OneDrive for Business site that you want to place on hold. Then for each user you want to place on hold, you have to add their mailbox and their OneDrive for Business site to the hold. You can use the script in this article to automate this process.
-
+Security & Compliance PowerShell provides cmdlets that let you automate time-consuming tasks related to creating and managing eDiscovery cases. Currently, using the Microsoft Purview eDiscovery (Standard) case in the Microsoft Purview compliance portal to place a large number of custodian content locations on hold takes time and preparation. For example, before you create a hold, you have to collect the URL for each OneDrive for Business site that you want to place on hold. Then for each user you want to place on hold, you have to add their mailbox and their OneDrive for Business site to the hold. You can use the script in this article to automate this process.
+ The script prompts you for the name of your organization's My Site domain (for example, `contoso` in the URL https://contoso-my.sharepoint.com), the name of an existing eDiscovery case, the name of the new hold that associated with the case, a list of email addresses of the users you want to put on hold, and a search query to use if you want to create a query-based hold. The script then gets the URL for the OneDrive for Business site for each user in the list, creates the new hold, and then adds the mailbox and OneDrive for Business site for each user in the list to the hold. The script also generates log files that contain information about the new hold.
-
+ Here are the steps to make this happen:
-
+ [Step 1: Install the SharePoint Online Management Shell](#step-1-install-the-sharepoint-online-management-shell)
-
+ [Step 2: Generate a list of users](#step-2-generate-a-list-of-users)
-
+ [Step 3: Run the script to create a hold and add users](#step-3-run-the-script-to-create-a-hold-and-add-users)
-
+ ## Before you add users to a hold - You have to be a member of the eDiscovery Manager role group in the compliance portal and a SharePoint Online administrator to run the script in Step 3. For more information, see [Assign eDiscovery permissions in the Office 365 Security & Compliance Center](assign-ediscovery-permissions.md).
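Review bot: the rename in this hunk is incomplete. The added "Before you add users to a hold" line still links to "Assign eDiscovery permissions in the Office 365 Security & Compliance Center", while the paragraph a few lines up in the same hunk already uses "Microsoft Purview compliance portal"; pick one name (the portal name is the one used everywhere else in this change) so the reader is not sent looking for two differently named consoles. The same added paragraph also reads "the name of the new hold that associated with the case"; suggest "the new hold that is associated with the case".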
Here are the steps to make this happen:
- The script adds the list of users to a new hold that is associated with an existing case. Be sure the case that you want to associate the hold with is created before you run the script. -- The script in this article supports modern authentication when connecting to Security & Compliance Center PowerShell and SharePoint Online Management Shell. You can use the script as-is if you are a Microsoft 365 or a Microsoft 365 GCC organization. If you are an Office 365 Germany organization, a Microsoft 365 GCC High organization, or a Microsoft 365 DoD organization, you will have to edit the script to successfully run it. Specifically, you have to edit the line `Connect-IPPSSession` and use the *ConnectionUri* and *AzureADAuthorizationEndpointUri* parameters (and the appropriate values for your organization type) to connect to Security & Compliance Center PowerShell. For more information, see the examples in [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell#connect-to-security--compliance-center-powershell-without-using-mfa).
+- The script in this article supports modern authentication when connecting to Security & Compliance PowerShell and SharePoint Online Management Shell. You can use the script as-is if you are a Microsoft 365 or a Microsoft 365 GCC organization. If you are an Office 365 Germany organization, a Microsoft 365 GCC High organization, or a Microsoft 365 DoD organization, you will have to edit the script to successfully run it. Specifically, you have to edit the line `Connect-IPPSSession` and use the *ConnectionUri* and *AzureADAuthorizationEndpointUri* parameters (and the appropriate values for your organization type) to connect to Security & Compliance PowerShell. For more information, see the examples in [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell#connect-to-security--compliance-center-powershell-without-using-mfa).
-- The script automatically disconnects from Security & Compliance Center PowerShell and SharePoint Online Management Shell.
+- The script automatically disconnects from Security & Compliance PowerShell and SharePoint Online Management Shell.
- The script includes minimal error handling. Its primary purpose is to quickly and easily place the mailbox and OneDrive for Business site of each user on hold.
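Review bot: the link at the end of the rewritten bullet changes its text to "Connect to Security & Compliance PowerShell" but keeps the fragment `#connect-to-security--compliance-center-powershell-without-using-mfa`. If the heading on the target page was renamed in the same pass (the text edit suggests it was), the anchor no longer resolves and the link silently lands at the top of the page. Check the current heading id on the target and update the fragment together with the link text; the same fragment appears in the targeted-collections article further down this update and needs the same check.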
Here are the steps to make this happen:
## Step 1: Install the SharePoint Online Management Shell The first step is to install the SharePoint Online Management Shell if it's not already installed on your local computer. You don't have to use the shell in this procedure, but you have to install it because it contains pre-requisites required by the script that you run in Step 3. These prerequisites allow the script to communicate with SharePoint Online to get the URLs for the OneDrive for Business sites.
-
-Go to [Set up the SharePoint Online Management Shell Windows PowerShell environment](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and perform Step 1 and Step 2 to install the SharePoint Online Management Shell on your local computer.
+
+Go to [Set up the SharePoint Online Management Shell environment](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) and perform Step 1 and Step 2 to install the SharePoint Online Management Shell on your local computer.
## Step 2: Generate a list of users
-The script in Step 3 will create a hold that's associated with an eDiscovery case, and the add the mailboxes and OneDrive for Business sites of a list of users to the hold. You can just type the email addresses in a text file, or you can run a command in Windows PowerShell to get a list of email addresses and save them to a file (located in same folder that you'll save the script to in Step 3).
-
-Here's a PowerShell command (that you run by using remote PowerShell connected to your Exchange Online organization) to get a list of email addresses for all users in your organization and save it to a text file named HoldUsers.txt.
-
+The script in Step 3 will create a hold that's associated with an eDiscovery case, and the add the mailboxes and OneDrive for Business sites of a list of users to the hold. You can just type the email addresses in a text file, or you can run a command in PowerShell to get a list of email addresses and save them to a file (located in same folder that you'll save the script to in Step 3).
+
+Here's an [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) command to get a list of email addresses for all users in your organization and save it to a text file named HoldUsers.txt.
+ ```powershell Get-Mailbox -ResultSize unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox'} | Select-Object PrimarySmtpAddress > HoldUsers.txt ``` After you run this command, open the text file and remove the header that contains the property name, `PrimarySmtpAddress`. Then remove all email addresses except the ones for the users that you want to add to the hold that you'll create in Step 3. Make sure there are no blank rows before or after the list of email addresses.
-
+ ## Step 3: Run the script to create a hold and add users When you run the script in this step, it will prompt you for the following information. Be sure to have this information ready before you run the script.
-
-- **Your user credentials:** The script will use your credentials to connect to Security & Compliance Center with PowerShell. It will also use these credentials to access SharePoint Online to get the OneDrive for Business URLs for the list of users.+
+- **Your user credentials:** The script will use your credentials to connect to Security & Compliance PowerShell. It will also use these credentials to access SharePoint Online to get the OneDrive for Business URLs for the list of users.
- **Name of your SharePoint domain:** The script prompts you to enter this name so it can connect to the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>. It also uses the domain name for the OneDrive URLs in your organization. For example, if the URL for your admin center is `https://contoso-admin.sharepoint.com` and the URL for OneDrive is `https://contoso-my.sharepoint.com`, then you would enter `contoso` when the script prompts you for your domain name.
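Review bot: the typo "and the add the mailboxes and OneDrive for Business sites" survives into the rewritten Step 2 line; it should read "and then add the mailboxes and OneDrive for Business sites". On the command that follows, `Select-Object PrimarySmtpAddress > HoldUsers.txt` writes table-formatted output, which is why the next sentence has the reader hand-edit the file; note that the file then contains both the `PrimarySmtpAddress` header and the dashed underline row, and the text only mentions the header. `Select-Object -ExpandProperty PrimarySmtpAddress | Out-File HoldUsers.txt` writes one bare address per line and removes that manual step, which matters because the Step 3 script rejects any line that is not a resolvable recipient.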
When you run the script in this step, it will prompt you for the following infor
- **Name of the text file with the list of users** - The name of the text file from Step 2 that contains the list of users to add to the hold. If this file is located in the same folder as the script, just type the name of the file (for example, HoldUsers.txt). If the text file is in another folder, type the full pathname of the file. After you've collected the information that the script will prompt you for, the final step is to run the script to create the new hold and add users to it.
-
+ 1. Save the following text to a Windows PowerShell script file by using a filename suffix of `.ps1`. For example, `AddUsersToHold.ps1`.
-```powershell
-#script begin
-" "
-write-host "***********************************************"
-write-host " Security & Compliance Center PowerShell " -foregroundColor yellow -backgroundcolor darkgreen
-write-host " eDiscovery (Standard) cases - Add users to a hold " -foregroundColor yellow -backgroundcolor darkgreen
-write-host "***********************************************"
-" "
-# Connect to SCC PowerShell using modern authentication
-if (!$SccSession)
-{
- Import-Module ExchangeOnlineManagement
- Connect-IPPSSession
-}
-
-# Get the organization's domain name. We use this to create the SharePoint admin URL and root URL for OneDrive for Business.
-""
-$mySiteDomain = Read-Host "Enter the domain name for your SharePoint organization. We use this name to connect to SharePoint admin center and for the OneDrive URLs in your organization. For example, 'contoso' in 'https://contoso-admin.sharepoint.com' and 'https://contoso-my.sharepoint.com'"
-""
-
-# Connect to PnP Online using modern authentication
-Import-Module PnP.PowerShell
-Connect-PnPOnline -Url https://$mySiteDomain-admin.sharepoint.com -UseWebLogin
-
-# Load the SharePoint assemblies from the SharePoint Online Management Shell
-# To install, go to https://go.microsoft.com/fwlink/p/?LinkId=255251
-if (!$SharePointClient -or !$SPRuntime -or !$SPUserProfile)
-{
- $SharePointClient = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
- $SPRuntime = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
- $SPUserProfile = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
- if (!$SharePointClient)
- {
- Write-Error "The SharePoint Online Management Shell isn't installed. Please install it from: https://go.microsoft.com/fwlink/p/?LinkId=255251 and then re-run this script."
- return;
- }
-}
-
-# Get other required information
-do{
-$casename = Read-Host "Enter the name of the case"
-$caseexists = (get-compliancecase -identity "$casename" -erroraction SilentlyContinue).isvalid
-if($caseexists -ne 'True')
-{""
-write-host "A case named '$casename' doesn't exist. Please specify the name of an existing case, or create a new case and then re-run the script." -foregroundColor Yellow
-""}
-}While($caseexists -ne 'True')
-""
-do{
-$holdName = Read-Host "Enter the name of the new hold"
-$holdexists=(get-caseholdpolicy -identity "$holdname" -case "$casename" -erroraction SilentlyContinue).isvalid
-if($holdexists -eq 'True')
-{""
-write-host "A hold named '$holdname' already exists. Please specify a new hold name." -foregroundColor Yellow
-""}
-}While($holdexists -eq 'True')
-""
-$holdQuery = Read-Host "Enter a search query to create a query-based hold, or press Enter to hold all content"
-""
-$holdstatus = read-host "Do you want the hold enabled after it's created? (Yes/No)"
-do{
-""
-$inputfile = read-host "Enter the name of the text file that contains the email addresses of the users to add to the hold"
-""
-$fileexists = test-path -path $inputfile
-if($fileexists -ne 'True'){write-host "$inputfile doesn't exist. Please enter a valid file name." -foregroundcolor Yellow}
-}while($fileexists -ne 'True')
-#Import the list of addresses from the txt file. Trim any excess spaces and make sure all addresses
- #in the list are unique.
- [array]$emailAddresses = Get-Content $inputfile -ErrorAction SilentlyContinue | where {$_.trim() -ne ""} | foreach{ $_.Trim() }
- [int]$dupl = $emailAddresses.count
- [array]$emailAddresses = $emailAddresses | select-object -unique
- $dupl -= $emailAddresses.count
-#Validate email addresses so the hold creation does not run in to an error.
-if($emailaddresses.count -gt 0){
-write-host ($emailAddresses).count "addresses were found in the text file. There were $dupl duplicate entries in the file." -foregroundColor Yellow
-""
-Write-host "Validating the email addresses. Please wait..." -foregroundColor Yellow
-""
-$finallist =@()
-foreach($emailAddress in $emailAddresses)
-{
-if((get-recipient $emailaddress -erroraction SilentlyContinue).isvalid -eq 'True')
-{$finallist += $emailaddress}
-else {"Unable to find the user $emailaddress"
-[array]$excludedlist += $emailaddress}
-}
-""
-#Find user's OneDrive account URL using email address
-Write-Host "Getting the URL for each user's OneDrive for Business site." -foregroundColor Yellow
-""
-$AdminUrl = "https://$mySiteDomain-admin.sharepoint.com"
-$mySiteUrlRoot = "https://$mySiteDomain-my.sharepoint.com"
-$urls = @()
-foreach($emailAddress in $finallist)
-{
-try
-{
-$url=Get-PnPUserProfileProperty -Account $emailAddress | Select PersonalUrl
-$urls += $url.PersonalUrl
- Write-Host "- $emailAddress => $url"
- [array]$ODadded += $url.PersonalUrl
- }catch {
- Write-Warning "Could not locate OneDrive for $emailAddress"
- [array]$ODExluded += $emailAddress
- Continue }
-}
-$urls | FL
-if(($finallist.count -gt 0) -or ($urls.count -gt 0)){
-""
-Write-Host "Creating the hold named $holdname. Please wait..." -foregroundColor Yellow
-if(($holdstatus -eq "Y") -or ($holdstatus -eq "y") -or ($holdstatus -eq "yes") -or ($holdstatus -eq "YES")){
-New-CaseHoldPolicy -Name "$holdName" -Case "$casename" -ExchangeLocation $finallist -SharePointLocation $urls -Enabled $True | out-null
-New-CaseHoldRule -Name "$holdName" -Policy "$holdname" -ContentMatchQuery $holdQuery | out-null
-}
-else{
-New-CaseHoldPolicy -Name "$holdName" -Case "$casename" -ExchangeLocation $finallist -SharePointLocation $urls -Enabled $false | out-null
-New-CaseHoldRule -Name "$holdName" -Policy "$holdname" -ContentMatchQuery $holdQuery -disabled $false | out-null
-}
-""
-}
-else {"No valid locations were identified. Therefore, the hold wasn't created."}
-#write log files (if needed)
-$newhold=Get-CaseHoldPolicy -Identity "$holdname" -Case "$casename" -erroraction SilentlyContinue
-$newholdrule=Get-CaseHoldRule -Identity "$holdName" -erroraction SilentlyContinue
-if(($ODAdded.count -gt 0) -or ($ODExluded.count -gt 0) -or ($finallist.count -gt 0) -or ($excludedlist.count -gt 0) -or ($newhold.isvalid -eq 'True') -or ($newholdrule.isvalid -eq 'True'))
-{
-Write-Host "Generating output files..." -foregroundColor Yellow
-if($ODAdded.count -gt 0){
-"OneDrive Locations" | add-content .\LocationsOnHold.txt
-"==================" | add-content .\LocationsOnHold.txt
-$newhold.SharePointLocation.name | add-content .\LocationsOnHold.txt}
-if($ODExluded.count -gt 0){
-"Users without OneDrive locations" | add-content .\LocationsNotOnHold.txt
-"================================" | add-content .\LocationsNotOnHold.txt
-$ODExluded | add-content .\LocationsNotOnHold.txt}
-if($finallist.count -gt 0){
-" " | add-content .\LocationsOnHold.txt
-"Exchange Locations" | add-content .\LocationsOnHold.txt
-"==================" | add-content .\LocationsOnHold.txt
-$newhold.ExchangeLocation.name | add-content .\LocationsOnHold.txt}
-if($excludedlist.count -gt 0){
-" "| add-content .\LocationsNotOnHold.txt
-"Mailboxes not added to the hold" | add-content .\LocationsNotOnHold.txt
-"===============================" | add-content .\LocationsNotOnHold.txt
-$excludedlist | add-content .\LocationsNotOnHold.txt}
-$FormatEnumerationLimit=-1
-if($newhold.isvalid -eq 'True'){$newhold|fl >.\GetCaseHoldPolicy.txt}
-if($newholdrule.isvalid -eq 'True'){$newholdrule|Fl >.\GetCaseHoldRule.txt}
-}
-}
-else {"The hold wasn't created because no valid entries were found in the text file."}
-""
-#Disconnect from SCC PowerShell and PnPOnline
-
-Write-host "Disconnecting from SCC PowerShell and PnP Online" -foregroundColor Yellow
-Get-PSSession | Remove-PSSession
-Disconnect-PnPOnline
-
-Write-host "Script complete!" -foregroundColor Yellow
-""
-#script end
-```
+ ```powershell
+ #script begin
+ " "
+ write-host "***********************************************"
+ write-host " Security & Compliance PowerShell " -foregroundColor yellow -backgroundcolor darkgreen
+ write-host " eDiscovery (Standard) cases - Add users to a hold " -foregroundColor yellow -backgroundcolor darkgreen
+ write-host "***********************************************"
+ " "
+ # Connect to Security & Compliance PowerShell using modern authentication
+ if (!$SccSession)
+ {
+ Import-Module ExchangeOnlineManagement
+ Connect-IPPSSession
+ }
+
+ # Get the organization's domain name. We use this to create the SharePoint admin URL and root URL for OneDrive for Business.
+ ""
+ $mySiteDomain = Read-Host "Enter the domain name for your SharePoint organization. We use this name to connect to SharePoint admin center and for the OneDrive URLs in your organization. For example, 'contoso' in 'https://contoso-admin.sharepoint.com' and 'https://contoso-my.sharepoint.com'"
+ ""
+
+ # Connect to PnP Online using modern authentication
+ Import-Module PnP.PowerShell
+ Connect-PnPOnline -Url https://$mySiteDomain-admin.sharepoint.com -UseWebLogin
+
+ # Load the SharePoint assemblies from the SharePoint Online Management Shell
+ # To install, go to https://go.microsoft.com/fwlink/p/?LinkId=255251
+ if (!$SharePointClient -or !$SPRuntime -or !$SPUserProfile)
+ {
+ $SharePointClient = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
+ $SPRuntime = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
+ $SPUserProfile = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")
+ if (!$SharePointClient)
+ {
+ Write-Error "The SharePoint Online Management Shell isn't installed. Please install it from: https://go.microsoft.com/fwlink/p/?LinkId=255251 and then re-run this script."
+ return;
+ }
+ }
+
+ # Get other required information
+ do{
+ $casename = Read-Host "Enter the name of the case"
+ $caseexists = (get-compliancecase -identity "$casename" -erroraction SilentlyContinue).isvalid
+ if($caseexists -ne 'True')
+ {""
+ write-host "A case named '$casename' doesn't exist. Please specify the name of an existing case, or create a new case and then re-run the script." -foregroundColor Yellow
+ ""}
+ }While($caseexists -ne 'True')
+ ""
+ do{
+ $holdName = Read-Host "Enter the name of the new hold"
+ $holdexists=(get-caseholdpolicy -identity "$holdname" -case "$casename" -erroraction SilentlyContinue).isvalid
+ if($holdexists -eq 'True')
+ {""
+ write-host "A hold named '$holdname' already exists. Please specify a new hold name." -foregroundColor Yellow
+ ""}
+ }While($holdexists -eq 'True')
+ ""
+ $holdQuery = Read-Host "Enter a search query to create a query-based hold, or press Enter to hold all content"
+ ""
+ $holdstatus = read-host "Do you want the hold enabled after it's created? (Yes/No)"
+ do{
+ ""
+ $inputfile = read-host "Enter the name of the text file that contains the email addresses of the users to add to the hold"
+ ""
+ $fileexists = test-path -path $inputfile
+ if($fileexists -ne 'True'){write-host "$inputfile doesn't exist. Please enter a valid file name." -foregroundcolor Yellow}
+ }while($fileexists -ne 'True')
+ #Import the list of addresses from the txt file. Trim any excess spaces and make sure all addresses
+ #in the list are unique.
+ [array]$emailAddresses = Get-Content $inputfile -ErrorAction SilentlyContinue | where {$_.trim() -ne ""} | foreach{ $_.Trim() }
+ [int]$dupl = $emailAddresses.count
+ [array]$emailAddresses = $emailAddresses | select-object -unique
+ $dupl -= $emailAddresses.count
+ #Validate email addresses so the hold creation does not run in to an error.
+ if($emailaddresses.count -gt 0){
+ write-host ($emailAddresses).count "addresses were found in the text file. There were $dupl duplicate entries in the file." -foregroundColor Yellow
+ ""
+ Write-host "Validating the email addresses. Please wait..." -foregroundColor Yellow
+ ""
+ $finallist =@()
+ foreach($emailAddress in $emailAddresses)
+ {
+ if((get-recipient $emailaddress -erroraction SilentlyContinue).isvalid -eq 'True')
+ {$finallist += $emailaddress}
+ else {"Unable to find the user $emailaddress"
+ [array]$excludedlist += $emailaddress}
+ }
+ ""
+ #Find user's OneDrive account URL using email address
+ Write-Host "Getting the URL for each user's OneDrive for Business site." -foregroundColor Yellow
+ ""
+ $AdminUrl = "https://$mySiteDomain-admin.sharepoint.com"
+ $mySiteUrlRoot = "https://$mySiteDomain-my.sharepoint.com"
+ $urls = @()
+ foreach($emailAddress in $finallist)
+ {
+ try
+ {
+ $url=Get-PnPUserProfileProperty -Account $emailAddress | Select PersonalUrl
+ $urls += $url.PersonalUrl
+ Write-Host "- $emailAddress => $url"
+ [array]$ODadded += $url.PersonalUrl
+ }catch {
+ Write-Warning "Could not locate OneDrive for $emailAddress"
+ [array]$ODExluded += $emailAddress
+ Continue }
+ }
+ $urls | FL
+ if(($finallist.count -gt 0) -or ($urls.count -gt 0)){
+ ""
+ Write-Host "Creating the hold named $holdname. Please wait..." -foregroundColor Yellow
+ if(($holdstatus -eq "Y") -or ($holdstatus -eq "y") -or ($holdstatus -eq "yes") -or ($holdstatus -eq "YES")){
+ New-CaseHoldPolicy -Name "$holdName" -Case "$casename" -ExchangeLocation $finallist -SharePointLocation $urls -Enabled $True | out-null
+ New-CaseHoldRule -Name "$holdName" -Policy "$holdname" -ContentMatchQuery $holdQuery | out-null
+ }
+ else{
+ New-CaseHoldPolicy -Name "$holdName" -Case "$casename" -ExchangeLocation $finallist -SharePointLocation $urls -Enabled $false | out-null
+ New-CaseHoldRule -Name "$holdName" -Policy "$holdname" -ContentMatchQuery $holdQuery -disabled $false | out-null
+ }
+ ""
+ }
+ else {"No valid locations were identified. Therefore, the hold wasn't created."}
+ #write log files (if needed)
+ $newhold=Get-CaseHoldPolicy -Identity "$holdname" -Case "$casename" -erroraction SilentlyContinue
+ $newholdrule=Get-CaseHoldRule -Identity "$holdName" -erroraction SilentlyContinue
+ if(($ODAdded.count -gt 0) -or ($ODExluded.count -gt 0) -or ($finallist.count -gt 0) -or ($excludedlist.count -gt 0) -or ($newhold.isvalid -eq 'True') -or ($newholdrule.isvalid -eq 'True'))
+ {
+ Write-Host "Generating output files..." -foregroundColor Yellow
+ if($ODAdded.count -gt 0){
+ "OneDrive Locations" | add-content .\LocationsOnHold.txt
+ "==================" | add-content .\LocationsOnHold.txt
+ $newhold.SharePointLocation.name | add-content .\LocationsOnHold.txt}
+ if($ODExluded.count -gt 0){
+ "Users without OneDrive locations" | add-content .\LocationsNotOnHold.txt
+ "================================" | add-content .\LocationsNotOnHold.txt
+ $ODExluded | add-content .\LocationsNotOnHold.txt}
+ if($finallist.count -gt 0){
+ " " | add-content .\LocationsOnHold.txt
+ "Exchange Locations" | add-content .\LocationsOnHold.txt
+ "==================" | add-content .\LocationsOnHold.txt
+ $newhold.ExchangeLocation.name | add-content .\LocationsOnHold.txt}
+ if($excludedlist.count -gt 0){
+ " "| add-content .\LocationsNotOnHold.txt
+ "Mailboxes not added to the hold" | add-content .\LocationsNotOnHold.txt
+ "===============================" | add-content .\LocationsNotOnHold.txt
+ $excludedlist | add-content .\LocationsNotOnHold.txt}
+ $FormatEnumerationLimit=-1
+ if($newhold.isvalid -eq 'True'){$newhold|fl >.\GetCaseHoldPolicy.txt}
+ if($newholdrule.isvalid -eq 'True'){$newholdrule|Fl >.\GetCaseHoldRule.txt}
+ }
+ }
+ else {"The hold wasn't created because no valid entries were found in the text file."}
+ ""
+ #Disconnect from SCC PowerShell and PnPOnline
+
+ Write-host "Disconnecting from SCC PowerShell and PnP Online" -foregroundColor Yellow
+ Get-PSSession | Remove-PSSession
+ Disconnect-PnPOnline
+
+ Write-host "Script complete!" -foregroundColor Yellow
+ ""
+ #script end
+ ```
2. On your local computer, open Windows PowerShell and go to the folder where you saved the script.
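Review bot: the replaced script changes only the banner string and one comment, so the old disconnect logic is carried over unchanged: `Get-PSSession | Remove-PSSession` at the end tears down remoting sessions but is not the documented counterpart of `Connect-IPPSSession`; that is `Disconnect-ExchangeOnline`, which is exactly what this same update adds to the targeted-collections script below. Suggest `Disconnect-ExchangeOnline -Confirm:$false` here as well, keeping the Remove-PSSession line if older module versions must still be supported. Three smaller points in the same block: `if (!$SccSession)` guards nothing, because `$SccSession` is never assigned anywhere in the script, so the connect always runs; the `else` branch for a hold the user does not want enabled passes `-disabled $false` to `New-CaseHoldRule`, which is the default and so a no-op, and if the intent is a disabled rule to match `-Enabled $false` on the policy line above it, that should be `-Disabled $true`; and the three `LoadWithPartialName` calls load CSOM assemblies the script never uses (every SharePoint call goes through `Get-PnPUserProfileProperty` from `PnP.PowerShell`), yet `PnP.PowerShell` is not among the prerequisites in Step 1, which only installs the SharePoint Online Management Shell. Either drop the assembly block or add `Install-Module PnP.PowerShell` to Step 1. Cosmetic: `$ODExluded` is misspelled throughout, and `Write-Host "- $emailAddress => $url"` prints the selected object rather than `$url.PersonalUrl`.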
Write-host "Script complete!" -foregroundColor Yellow
4. Enter the information that the script prompts you for.
- The script connects to Security & Compliance Center PowerShell, and then creates the new hold in the eDiscovery case and adds the mailboxes and OneDrive for Business for the users in the list. You can go to the case on the **eDiscovery** page in the compliance portal to view the new hold.
+ The script connects to Security & Compliance PowerShell, and then creates the new hold in the eDiscovery case and adds the mailboxes and OneDrive for Business for the users in the list. You can go to the case on the **eDiscovery** page in the compliance portal to view the new hold.
After the script is finished running, it creates the following log files, and saves them to the folder where the script is located.
-
+ - **LocationsOnHold.txt:** Contains a list of mailboxes and OneDrive for Business sites that the script successfully placed on hold. - **LocationsNotOnHold.txt:** Contains a list of mailboxes and OneDrive for Business sites that the script did not place on hold. If a user has a mailbox, but not a OneDrive for Business site, the user would be included in the list of OneDrive for Business sites that weren't placed on hold. -- **GetCaseHoldPolicy.txt:** Contains the output of the **Get-CaseHoldPolicy** cmdlet for the new hold, which the script ran after creating the new hold. The information returned by this cmdlet includes a list of users whose mailboxes and OneDrive for Business sites were placed on hold and whether the hold is enabled or disabled.
+- **GetCaseHoldPolicy.txt:** Contains the output of the **Get-CaseHoldPolicy** cmdlet for the new hold, which the script ran after creating the new hold. The information returned by this cmdlet includes a list of users whose mailboxes and OneDrive for Business sites were placed on hold and whether the hold is enabled or disabled.
- **GetCaseHoldRule.txt:** Contains the output of the **Get-CaseHoldRule** cmdlet for the new hold, which the script ran after creating the new hold. The information returned by this cmdlet includes the search query if you used the script to create a query-based hold.
compliance Use Content Search For Targeted Collections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-content-search-for-targeted-collections.md
The Content search tool in the Microsoft Purview compliance portal doesn't provi
- You also have to be assigned the Mail Recipients role in your Exchange Online organization. This is required to run the **Get-MailboxFolderStatistics** cmdlet, which is included in the script. By default, the Mail Recipients role is assigned to the Organization Management and Recipient Management role groups in Exchange Online. For more information about assigning permissions in Exchange Online, see [Manage role group members](/exchange/manage-role-group-members-exchange-2013-help). You could also create a custom role group, assign the Mail Recipients role to it, and then add the members who need to run the script in Step 1. For more information, see [Manage role groups](/Exchange/permissions-exo/role-groups). -- The script in this article supports modern authentication. You can use the script as-is if you are a Microsoft 365 or a Microsoft 365 GCC organization. If you are an Office 365 Germany organization, a Microsoft 365 GCC High organization, or a Microsoft 365 DoD organization, you will have to edit the script to successfully run it. Specifically, you have to edit the line `Connect-ExchangeOnline` and use the *ExchangeEnvironmentName* parameter (and the appropriate value for your organization type) to connect to Exchange Online PowerShell. Also, you have to edit the line `Connect-IPPSSession` and use the *ConnectionUri* and *AzureADAuthorizationEndpointUri* parameters (and the appropriate values for your organization type) to connect to Security & Compliance Center PowerShell. For more information, see the examples in [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-without-using-mfa) and [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell#connect-to-security--compliance-center-powershell-without-using-mfa).
+- The script in this article supports modern authentication. You can use the script as-is if you are a Microsoft 365 or a Microsoft 365 GCC organization. If you are an Office 365 Germany organization, a Microsoft 365 GCC High organization, or a Microsoft 365 DoD organization, you will have to edit the script to successfully run it. Specifically, you have to edit the line `Connect-ExchangeOnline` and use the *ExchangeEnvironmentName* parameter (and the appropriate value for your organization type) to connect to Exchange Online PowerShell. Also, you have to edit the line `Connect-IPPSSession` and use the *ConnectionUri* and *AzureADAuthorizationEndpointUri* parameters (and the appropriate values for your organization type) to connect to Security & Compliance PowerShell. For more information, see the examples in [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-without-using-mfa) and [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell#connect-to-security--compliance-center-powershell-without-using-mfa).
-- Each time you run the script, a new remote PowerShell session is created. That means you can use up all the remote PowerShell sessions available to you. To prevent this from happening, run the following command to disconnect your active remote PowerShell sessions.
+- Each time you run the script, a new remote PowerShell session is created. That means you can use up all the remote PowerShell sessions available to you. To prevent this from happening, run the following commands to disconnect your active remote PowerShell sessions.
```powershell
- Get-PSSession | Remove-PSSession
+ Get-PSSession | Remove-PSSession; Disconnect-ExchangeOnline
``` For more information, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
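Review bot: The replacement line `Get-PSSession | Remove-PSSession; Disconnect-ExchangeOnline` tears down every remote session in the host before it reaches the cmdlet that is actually meant for this module, and `Get-PSSession | Remove-PSSession` is not limited to Exchange Online or Security & Compliance sessions. Suggest leading with `Disconnect-ExchangeOnline` (it closes the sessions it created and cleans up the module's state) and presenting the pipeline as a fallback for stale sessions, on its own line, since the prose now says "run the following commands" in the plural. Separately, both links in the "supports modern authentication" bullet still point at anchors ending in `without-using-mfa`, which reads oddly next to a statement that the script uses modern authentication; verify those anchors still resolve after the rename.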
The script that you run in this first step will return a list of mailbox folders
- **OneDrive for Business**: `https://contoso-my.sharepoint.com/personal/stacig_contoso_onmicrosoft_com` -- **Your user credentials**: The script will use your credentials to connect to Exchange Online PowerShell or Security & Compliance Center PowerShell using modern authentication. As previously explained, you have to be assigned the appropriate permissions to successfully run this script.
+- **Your user credentials**: The script will use your credentials to connect to Exchange Online PowerShell or Security & Compliance PowerShell using modern authentication. As previously explained, you have to be assigned the appropriate permissions to successfully run this script.
To display a list of mailbox folders or site documentlink (path) names:
To display a list of mailbox folders or site documentlink (path) names:
$searchActionName = "SPFoldersSearch_Preview" # List the folders for the SharePoint or OneDrive for Business Site $siteUrl = $addressOrSite
- # Connect to Security & Compliance Center PowerShell
+ # Connect to Security & Compliance PowerShell
if (!$SccSession) { Import-Module ExchangeOnlineManagement
compliance View The Dlp Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-the-dlp-reports.md
Last updated 6/7/2018
audience: Admin -+ - M365-security-compliance ms.localizationpriority: medium
+search.appverid:
- MOE150 - MET150-+ - seo-marvel-apr2020 - admindeeplinkEXCHANGE description: Use the DLP reports in Office 365 to view the number of DLP policy matches, overrides, or false positives and see whether they're trending up or down over time.
description: Use the DLP reports in Office 365 to view the number of DLP policy
[!include[Purview banner](../includes/purview-rebrand-banner.md)] After you create your Microsoft Purview data loss prevention (DLP) policies, you'll want to verify that they're working as you intended and helping you to stay compliant. With the DLP reports in the Microsoft Purview compliance portal, you can quickly view:
-
-- **DLP policy matches** This report shows the count of DLP policy matches over time. You can filter the report by date, location, policy, or action. You can use this report to:
-
+
+- **DLP policy matches** This report shows the count of DLP policy matches over time. You can filter the report by date, location, policy, or action. You can use this report to:
+ - Tune or refine your DLP policies as you run them in test mode. You can view the specific rule that matched the content.
-
+ - Focus on specific time periods and understand the reasons for spikes and trends.
-
+ - Discover business processes that violate your organization's DLP policies.
-
+ - Understand any business impact of the DLP policies by seeing what actions are being applied to content.
-
+ - Verify compliance with a specific DLP policy by showing any matches for that policy.
-
+ - View a list of top users and repeat users who are contributing to incidents in your organization.
-
+ - View a list of the top types of sensitive information in your organization.
-
-- **DLP incidents** This report also shows policy matches over time, like the policy matches report. However, the policy matches report shows matches at a rule level; for example, if an email matched three different rules, the policy matches report shows three different line items. By contrast, the incidents report shows matches at an item level; for example, if an email matched three different rules, the incidents report shows a single line item for that piece of content.
-
+
+- **DLP incidents** This report also shows policy matches over time, like the policy matches report. However, the policy matches report shows matches at a rule level; for example, if an email matched three different rules, the policy matches report shows three different line items. By contrast, the incidents report shows matches at an item level; for example, if an email matched three different rules, the incidents report shows a single line item for that piece of content.
+ Because the report counts are aggregated differently, the policy matches report is better for identifying matches with specific rules and fine tuning DLP policies. The incidents report is better for identifying specific pieces of content that are problematic for your DLP policies.
-
-- **DLP false positives and overrides** If your DLP policy allows users to override it or report a false positive, this report shows a count of such instances over time. You can filter the report by date, location, or policy. You can use this report to:
-
+
+- **DLP false positives and overrides** If your DLP policy allows users to override it or report a false positive, this report shows a count of such instances over time. You can filter the report by date, location, or policy. You can use this report to:
+ - Tune or refine your DLP policies by seeing which policies incur a high number of false positives.
-
+ - View the justifications submitted by users when they resolve a policy tip by overriding the policy.
-
+ - Discover where DLP policies conflict with valid business processes by incurring a high number of user overrides.
-
+ All DLP reports can show data from the most recent four-month time period. The most recent data can take up to 24 hours to appear in the reports.
-
+ You can find these reports in the Microsoft Purview compliance portal \> **Reports** \> **Dashboard**.
-
+ ![DLP policy matches report.](../media/117d20c9-d379-403f-ad68-1f5cd6c4e5cf.png)
-
+ ## View the justification submitted by a user for an override If your DLP policy allows users to override it, you can use the false positive and override report to view the text submitted by users in the policy tip.
-
+ ![Justification field in details of the DLP false positive and override report.](../media/e11e3126-026d-4e77-a16d-74a0686d1fa3.png)
-
+ ## Take action on insights and recommendations Reports can show insights and recommendations where you can click the red warning icon to see details about potential issues and take possible remedial action.
-
+ ![Clicking an insights icon to see details and actions to take.](../media/51782036-7299-4960-8175-75c2b1637159.png)
-
+ ## Permissions for DLP reports To view DLP reports in the Security & Compliance Center, you have to be assigned the:
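Review bot: The "Permissions for DLP reports" section still says "To view DLP reports in the Security & Compliance Center" while the same hunk now sends readers to "the Microsoft Purview compliance portal \> **Reports** \> **Dashboard**"; use one name for the portal in both places. Two smaller points in the added lines: "fine tuning DLP policies" should be "fine-tuning DLP policies", and the `## View the justification...`, `## Take action...` and `## Permissions...` headings appear on the same line as their first paragraph, so confirm a line break follows each heading in the committed file or the headings will not render.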
To view DLP reports in the Security & Compliance Center, you have to be assigned
## Find the cmdlets for the DLP reports
-To use most of the cmdlets for the Microsoft Purview compliance portal, you need to:
-
-1. [Connect to the Microsoft Purview compliance portal using remote PowerShell](/powershell/exchange/connect-to-scc-powershell)
-
-2. Use any of these [Security &amp; Compliance Center cmdlets](/powershell/exchange/exchange-online-powershell)
-
-However, DLP reports need pull data from across Office 365, including Exchange Online. For this reason, the cmdlets for the DLP reports are available in Exchange Online PowershellΓÇönot in Microsoft Purview compliance portal Powershell. Therefore, to use the cmdlets for the DLP reports, you need to:
-
-1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
-
-2. Use any of these cmdlets for the DLP reports:
-
- - [Get-DlpDetectionsReport](/powershell/module/exchange/get-dlpdetectionsreport)
-
- - [Get-DlpDetailReport](/powershell/module/exchange/get-dlpdetailreport)
+To use the DLP reporting cmdlets, do these steps:
+
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)
+
+2. Use these cmdlets:
+
+ - [Get-DlpDetailReport](/powershell/module/exchange/get-dlpdetailreport)
+ - [Get-DlpDetectionsReport](/powershell/module/exchange/get-dlpdetectionsreport)
+ - [Get-DlpSiDetectionsReport](/powershell/module/exchange/get-dlpsidetectionsreport)
+
+However, DLP reports need pull data from across Microsoft 365, including Exchange Online. For this reason, the following cmdlets for DLP reports are available in Exchange Online Powershell. To use the cmdlets for these DLP reports, do these steps:
+
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
+
+2. Use these cmdlets:
+
+ - [Get-DlpDetailReport](/powershell/module/exchange/get-dlpdetailreport)
+ - [Get-MailDetailDlpPolicyReport](/powershell/module/exchange/get-maildetaildlppolicyreport)
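Review bot: `Get-DlpDetailReport` is listed under both connection methods, once under "Connect to Security & Compliance PowerShell" and again under "Connect to Exchange Online PowerShell", which contradicts the sentence explaining that the second list exists because those cmdlets are only available in Exchange Online PowerShell; keep it in one list, or state explicitly that it is available in both. Also, "DLP reports need pull data from across Microsoft 365" is missing "to" (carried over from the removed text), and "Exchange Online Powershell" should be "Exchange Online PowerShell" to match the link text two lines below.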
compliance Work With Partner To Archive Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/work-with-partner-to-archive-third-party-data.md
The following sections list the Microsoft partners (and the third-party data sou
- YouTube - ### Verba [Verba](https://www.verba.com) supports the following third-party data sources:
The following sections list the Microsoft partners (and the third-party data sou
Here are the steps for creating and configuring a third-party data mailbox for importing data to Microsoft 365. As previous explained, items are imported to this mailbox if the partner connector can't map the user ID of the item to a user account.
- **Complete these tasks in the Microsoft 365 admin center**
+### Complete these tasks in the Microsoft 365 admin center
1. Create a user account and assign it an Exchange Online Plan 2 license; see [Add users to Microsoft 365](../admin/add-users/add-users.md). A Plan 2 license is required to place the mailbox on Litigation Hold or enable an archive mailbox that has a storage quota up to 1.5 TB.
Here are the steps for creating and configuring a third-party data mailbox for i
> [!TIP] > Write down the credentials for this user account. You need to provide them to your partner, as described in Step 4.
- **Complete these tasks in the Exchange admin center**
+### Complete these tasks in the Exchange admin center
-1. Hide the third-party data mailbox from the address book and other address lists in your organization; see [Manage user mailboxes](/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes). Alternatively, you can run the following PowerShell command:
+1. Hide the third-party data mailbox from the address book and other address lists in your organization; see [Manage user mailboxes](/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes). Alternatively, you can run the following [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) command:
```powershell Set-Mailbox -Identity <identity of third-party data mailbox> -HiddenFromAddressListsEnabled $true
Here are the steps for creating and configuring a third-party data mailbox for i
## Step 3: Configure user mailboxes for third-party data
-The next step is to configure user mailboxes to support third-party data. Complete these tasks by using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> or by using the corresponding Windows PowerShell cmdlets.
+The next step is to configure user mailboxes to support third-party data. Complete these tasks by using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> or by using the corresponding cmdlets.
1. Enable the archive mailbox for each user; see [Enable archive mailboxes](enable-archive-mailboxes.md) and [Enable auto-expanding archiving](enable-autoexpanding-archiving.md).
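Review bot: Replacing "the corresponding Windows PowerShell cmdlets" with "the corresponding cmdlets" leaves the reader with no indication of which shell to connect to; suggest "the corresponding [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) cmdlets", reusing the link introduced in the Step 2 hunk, so Step 3 gives the same connection pointer.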
To revoke consent for a third-party data connector, you can delete the applicati
## More information -- As previous explained, items from third-party data sources are imported to Exchange mailboxes as email messages. The partner connector imports the item using a schema required by the Microsoft 365 API. The following table describes the message properties of an item from a third-party data source after it's imported to an Exchange mailbox as an email message. The table also indicates if the message property is mandatory. Mandatory properties must be populated. If an item is missing a mandatory property, it won't be imported to Microsoft 365. The import process returns an error message explaining why an item wasn't imported and which property is missing.<br/><br/>
+- As previous explained, items from third-party data sources are imported to Exchange mailboxes as email messages. The partner connector imports the item using a schema required by the Microsoft 365 API. The following table describes the message properties of an item from a third-party data source after it's imported to an Exchange mailbox as an email message. The table also indicates if the message property is mandatory. Mandatory properties must be populated. If an item is missing a mandatory property, it won't be imported to Microsoft 365. The import process returns an error message explaining why an item wasn't imported and which property is missing.
- |**Message property**|**Mandatory?**|**Description**|**Example value**|
- |:--|:--|:--|:--|
- |**FROM** <br/> |Yes <br/> |The user who originally created or sent the item in the third-party data source. The partner connector attempts to map the user ID from the source item (for example a Twitter handle) to a user account for all participants (users in the FROM and TO fields). A copy of the message will be imported to the mailbox of every participant. If none of the participants from the item can be mapped to a user account, the item will be imported to the third-party archiving mailbox in Microsoft 365. <br/> <br/> The participant who's identified as the sender of the item must have an active mailbox in the organization that the item is being imported to. If the sender doesn't have an active mailbox, the following error is returned:<br/><br/> `One or more messages in the Request failed to be delivered to either From or Sender email address. You will need to resend your entire Request. Error: The request failed. The remote server returned an error: (401) Unauthorized.` | `bob@contoso.com` <br/> |
- |**TO** <br/> |Yes <br/> |The user who received an item, if applicable for an item in the data source. <br/> | `bob@contoso.com` <br/> |
- |**SUBJECT** <br/> |No <br/> |The subject from the source item. <br/> | `"Mega deals with Contoso coming your way! #ContosoHolidayDeals"` <br/> |
- |**DATE** <br/> |Yes <br/> |The date the item was originally created or posted in the customer data source. For example, that date when a Twitter message was tweeted. <br/> | `01 NOV 2015` <br/> |
- |**BODY** <br/> |No <br/> |The contents of the message or post. For some data sources, the contents of this property could be the same as the content for the **SUBJECT** property. During the import process, the partner connector attempts to maintain full fidelity from the content source as possible. If possible files, graphics, or other content from the body of the source item is included in this property. Otherwise, content from the source item is included in the **ATTACHMENT** property. The contents of this property depends on the partner connector and on the capability of the source platform. <br/> | `
- |**ATTACHMENT** <br/> |No <br/> |If an item in the data source (such as a tweet in Twitter or an instant messaging conversation) has an attached file or include images, the partner connect will first attempt to include attachments in the **BODY** property. If that isn't possible, then it's added to the ** ATTACHMENT ** property. Other examples of attachments include Likes in Facebook, metadata from the content source, and responses to a message or post. <br/> | `image.gif` <br/> |
- |**MESSAGECLASS** <br/> |Yes <br/> | This is a multi-value property, which is created and populated by partner connector. The format of this property is `IPM.NOTE.Source.Event`. (This property must begin with `IPM.NOTE`. This format is similar to the one for the `IPM.NOTE.X` message class.) This property includes the following information: <br/><br/>`Source`: Indicates the third-party data source; for example, Twitter, Facebook, or BlackBerry. <br/> <br/> `Event`: Indicates the type of activity that was performed in the third-party data source that produced the items; for example, a tweet in Twitter or a post in Facebook. Events are specific to the data source. <br/> <br/> One purpose of this property is to filter specific items based on the data source where an item originated or based on the type of event. For example, in an eDiscovery search you could create a search query to find all the tweets that were posted by a specific user. <br/> | `IPM.NOTE.Twitter.Tweet` <br/> |
+ |Message property|Mandatory?|Description|Example value|
+ |||||
+ |**FROM**|Yes|The user who originally created or sent the item in the third-party data source. The partner connector attempts to map the user ID from the source item (for example a Twitter handle) to a user account for all participants (users in the FROM and TO fields). A copy of the message will be imported to the mailbox of every participant. If none of the participants from the item can be mapped to a user account, the item will be imported to the third-party archiving mailbox in Microsoft 365. <br/> <br/> The participant who's identified as the sender of the item must have an active mailbox in the organization that the item is being imported to. If the sender doesn't have an active mailbox, the following error is returned:<br/><br/> `One or more messages in the Request failed to be delivered to either From or Sender email address. You will need to resend your entire Request. Error: The request failed. The remote server returned an error: (401) Unauthorized.`|`bob@contoso.com`|
+ |**TO**|Yes|The user who received an item, if applicable for an item in the data source.|`bob@contoso.com`|
+ |**SUBJECT**|No|The subject from the source item.|`"Mega deals with Contoso coming your way! #ContosoHolidayDeals"`|
+ |**DATE**|Yes|The date the item was originally created or posted in the customer data source. For example, that date when a Twitter message was tweeted.|`01 NOV 2015`|
+ |**BODY**|No|The contents of the message or post. For some data sources, the contents of this property could be the same as the content for the **SUBJECT** property. During the import process, the partner connector attempts to maintain full fidelity from the content source as possible. If possible files, graphics, or other content from the body of the source item is included in this property. Otherwise, content from the source item is included in the **ATTACHMENT** property. The contents of this property depends on the partner connector and on the capability of the source platform.|`
+ |**ATTACHMENT**|No|If an item in the data source (such as a tweet in Twitter or an instant messaging conversation) has an attached file or include images, the partner connect will first attempt to include attachments in the **BODY** property. If that isn't possible, then it's added to the ** ATTACHMENT ** property. Other examples of attachments include Likes in Facebook, metadata from the content source, and responses to a message or post.|`image.gif`|
+ |**MESSAGECLASS**|Yes|This is a multi-value property, which is created and populated by partner connector. The format of this property is `IPM.NOTE.Source.Event`. (This property must begin with `IPM.NOTE`. This format is similar to the one for the `IPM.NOTE.X` message class.) This property includes the following information: <br/><br/>`Source`: Indicates the third-party data source; for example, Twitter, Facebook, or BlackBerry. <br/> <br/> `Event`: Indicates the type of activity that was performed in the third-party data source that produced the items; for example, a tweet in Twitter or a post in Facebook. Events are specific to the data source. <br/> <br/> One purpose of this property is to filter specific items based on the data source where an item originated or based on the type of event. For example, in an eDiscovery search you could create a search query to find all the tweets that were posted by a specific user.|`IPM.NOTE.Twitter.Tweet`|
- When items are successfully imported to mailboxes in Microsoft 365, a unique identifier is returned back to the caller as part of the HTTP response. This identifier, called `x-IngestionCorrelationID`, can be used for subsequent troubleshooting purposes by partners for end-to-end tracking of items. It's recommended that partners capture this information and log it accordingly at their end. Here's an example of an HTTP response showing this identifier:
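Review bot: The new delimiter row `|||||` is not a valid Markdown table separator, so the rebuilt table will not render; restore dashes in each cell, for example `|---|---|---|---|` (or the original `|:--|:--|:--|:--|` if left alignment was intended). The rewrite also carries over several defects from the old rows rather than fixing them: the **BODY** row's "Example value" cell ends in a lone backtick (an unterminated code span), the **ATTACHMENT** row writes `** ATTACHMENT **` with spaces inside the markers so it will not render as bold, "the partner connect will first attempt" should be "the partner connector will first attempt", and "has an attached file or include images" should be "includes images". In the paragraph above the table, "As previous explained" should be "As previously explained".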
To revoke consent for a third-party data connector, you can delete the applicati
- [Content Search](content-search.md)
- - [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md)
+ - [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md)
contentunderstanding Adoption Assessment Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-assessment-tool.md
description: Learn how to use the adoption assessment tool to see how your organ
# Discover opportunities in SharePoint Syntex by using the Microsoft 365 Assessment tool
-> [!IMPORTANT]
-> The Microsoft 365 Assessment tool and all other PnP components are open-source tools backed by an active community providing support for them. There is no SLA for open-source tool support from official Microsoft support channels.
- > [!NOTE] > The Microsoft 365 Assessment tool can be run only against SharePoint Online.
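Review bot: Deleting the `[!IMPORTANT]` block removes the only statement on this page of what support readers can expect for the Microsoft 365 Assessment tool (community-backed, open-source, no SLA through official Microsoft support channels). If that caveat has moved into a shared include or a linked PnP page, add the link in its place; otherwise this is a loss of information an admin planning on the tool would want before running it against a tenant.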
enterprise Cmdlet References For Microsoft 365 Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cmdlet-references-for-microsoft-365-services.md
For Skype for Business Online cmdlet reference topics, see [Skype for Business O
For connection instructions for Skype for Business Online PowerShell, see [Manage Skype for Business Online with PowerShell](manage-skype-for-business-online-with-microsoft-365-powershell.md).
-## Security & Compliance Center PowerShell cmdlets
+## Security & Compliance PowerShell cmdlets
The Security & Compliance Center cmdlet references are in the Reference section of the [Security & Compliance PowerShell documentation](/powershell/exchange/scc-powershell).
-For connection instructions for Security & Compliance Center PowerShell, see [Connect to the Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+For connection instructions for Security & Compliance PowerShell, see [Connect to the Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
## See also
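Review bot: The unchanged sentence "The Security & Compliance Center cmdlet references are in the Reference section..." still uses the old product name right between the renamed heading "Security & Compliance PowerShell cmdlets" and the renamed link; update it in the same commit so the section is consistent. Also, in the added link text "Connect to the Security & Compliance PowerShell", drop the stray "the" (the other renamed occurrences on this page use "Connect to Security & Compliance PowerShell").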
enterprise Connect To All Microsoft 365 Services In A Single Windows Powershell Window https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window.md
ms.localizationpriority: high
f1.keywords: - CSH-+ - LIL_Placement - Ent_Office_Other - O365ITProTrain
description: "Summary: Connect to all Microsoft 365 services in a single PowerSh
# Connect to all Microsoft 365 services in a single PowerShell window
-When you use PowerShell to manage Microsoft 365, you can have multiple PowerShell sessions open at the same time. You might have different PowerShell windows to manage user accounts, SharePoint Online, Exchange Online, Skype for Business Online, Microsoft Teams, and the Security &amp; Compliance center.
-
-This scenario isn't optimal for managing Microsoft 365, because you can't exchange data among those windows for cross-service management. This article describes how to use a single instance of PowerShell to manage Microsoft 365 accounts, Skype for Business Online, Exchange Online, SharePoint Online, Microsoft Teams, and the Security &amp; Compliance Center.
+When you use PowerShell to manage Microsoft 365, you can have multiple PowerShell sessions open at the same time. You might have different PowerShell windows to manage user accounts, SharePoint Online, Exchange Online, Microsoft Teams, Microsoft Defender for Office 365 features (security), and Microsoft Purview compliance features.
+
+This scenario isn't optimal for managing Microsoft 365, because you can't exchange data among those windows for cross-service management. This article describes how to use a single instance of PowerShell to manage Microsoft 365 accounts, Exchange Online, SharePoint Online, Microsoft Teams, and features in Defender for Office 365 Microsoft Purview compliance.
>[!Note] >This article currently only contains the commands to connect to the Worldwide (+GCC) cloud. Notes provide links to articles about connecting to the other Microsoft 365 clouds.
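Review bot: The added intro sentence is missing a conjunction: "features in Defender for Office 365 Microsoft Purview compliance" should read "features in Defender for Office 365 and Microsoft Purview compliance", matching the wording of the preceding paragraph ("Microsoft Defender for Office 365 features (security), and Microsoft Purview compliance features").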
This scenario isn't optimal for managing Microsoft 365, because you can't exchan
## Before you begin Before you can manage all of Microsoft 365 from a single instance of PowerShell, consider the following prerequisites:
-
+ - The Microsoft 365 work or school account that you use must be a member of a Microsoft 365 admin role. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md). This is a requirement for PowerShell for Microsoft 365, but not necessarily for all other Microsoft 365 services.
-
+ - You can use the following 64-bit versions of Windows:
-
+ - Windows 11
- Windows 10
-
- Windows 8.1 or Windows 8
-
- Windows Server 2019
-
- Windows Server 2016
-
- Windows Server 2012 R2 or Windows Server 2012
-
- Windows 7 Service Pack 1 (SP1)*
-
- Windows Server 2008 R2 SP1*
-
+ \* You need to install Microsoft .NET Framework 4.5.*x* and then Windows Management Framework 3.0 or 4.0. For more information, see [Windows Management Framework](/powershell/scripting/windows-powershell/wmf/overview).
-
- You need to use a 64-bit version of Windows because of the requirements for the Skype for Business Online module and one of the Microsoft 365 modules.
-
-- You need to install the modules that are required for Azure Active Directory (Azure AD), Exchange Online, SharePoint Online, Skype for Business Online and Teams:
-
+
+- You need to install the modules that are required for Azure Active Directory (Azure AD), Exchange Online, Defender for Office 365, Microsoft Purview compliance, SharePoint Online, and Teams:
+ - [Azure Active Directory V2](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module) - [SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251)
- - [Skype for Business Online, PowerShell Module](/microsoftteams/teams-powershell-overview)
+ - [Teams PowerShell Module](/microsoftteams/teams-powershell-overview)
- [Exchange Online PowerShell V2](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-v2-module) - [Teams PowerShell Overview](/microsoftteams/teams-powershell-overview)
-
-- PowerShell must be configured to run signed scripts for Skype for Business Online and the Security &amp; Compliance Center. Run the following command in an elevated PowerShell session (a PowerShell session that you **Run as administrator**).
-
+
+- PowerShell must be configured to run signed scripts for Exchange Online, Defender for Office 365, and Microsoft Purview compliance. Run the following command in an elevated PowerShell session (a PowerShell session that you **Run as administrator**).
+ ```powershell Set-ExecutionPolicy RemoteSigned ```
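Review bot: The modules sentence now names Defender for Office 365 and Microsoft Purview compliance, but the bullet list that follows has no entry for either; say explicitly that both are reached through the Exchange Online PowerShell V2 module (`Connect-ExchangeOnline` and `Connect-IPPSSession`), otherwise readers will look for a module that does not exist. Other points in this hunk: "Teams PowerShell Module" and "Teams PowerShell Overview" now link to the same target, so one of them is redundant; removing "You need to use a 64-bit version of Windows because of the requirements for the Skype for Business Online module..." leaves "the following 64-bit versions of Windows" with no stated reason, so either restate the reason or drop the 64-bit qualifier; and since `Set-ExecutionPolicy RemoteSigned` is required only for the current user's session, consider adding `-Scope CurrentUser` so the change neither needs an elevated session nor alters the machine-wide policy for other accounts.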
Before you can manage all of Microsoft 365 from a single instance of PowerShell,
## Connection steps when using just a password Follow these steps to connect to all the services in a single PowerShell window when you're using just a password for sign-in.
-
+ 1. Open Windows PowerShell.
-
+ 2. Run this command and enter your Microsoft 365 work or school account credentials.
-
+ ```powershell $credential = Get-Credential ``` 3. Run this command to connect to Azure AD by using the Azure Active Directory PowerShell for Graph module.
-
+ ```powershell Connect-AzureAD -Credential $credential ```
-
+ Or if you're using the Microsoft Azure Active Directory Module for Windows PowerShell module, run this command.
-
+ ```powershell Connect-MsolService -Credential $credential ```
- > [!Note]
+ > [!NOTE]
> PowerShell Core doesn't support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with *Msol* in their name. You must run these cmdlets from PowerShell. 4. Run these commands to connect to SharePoint Online. Specify the organization name for your domain. For example, for "litwareinc\.onmicrosoft.com", the organization name value is "litwareinc".
-
+ ```powershell $orgName="<for example, litwareinc for litwareinc.onmicrosoft.com>" Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Follow these steps to connect to all the services in a single PowerShell window
``` 5. Run these commands to connect to Exchange Online.
-
+ ```powershell Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -ShowProgress $true
Follow these steps to connect to all the services in a single PowerShell window
> [!Note] > To connect to Exchange Online for Microsoft 365 clouds other than Worldwide, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-6. Run these commands to connect to the Security &amp; Compliance Center.
-
+6. Run these commands to connect to Security & Compliance PowerShell.
+ ```powershell $acctName="<UPN of the account, such as belindan@litwareinc.onmicrosoft.com>" Connect-IPPSSession -UserPrincipalName $acctName ```
- > [!Note]
- > To connect to the Security &amp; Compliance Center for Microsoft 365 clouds other than Worldwide, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+ > [!NOTE]
+ > To connect to Security & Compliance PowerShell for Microsoft 365 clouds other than Worldwide, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+7. Run these commands to connect to Teams PowerShell.
-7. Run these commands to connect to Teams PowerShell (and Skype for Business Online).
-
```powershell Import-Module MicrosoftTeams $credential = Get-Credential Connect-MicrosoftTeams -Credential $credential ```
-
- > [!Note]
+
+ > [!NOTE]
> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector.
-
- > [!Note]
+ >
> To connect to Microsoft Teams clouds other than *Worldwide*, see [Connect-MicrosoftTeams](/powershell/module/teams/connect-microsoftteams).
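Review bot: Step 7 calls `$credential = Get-Credential` a second time even though `$credential` was already captured in step 2, so the reader is prompted twice; reuse the existing variable. Step 6 (`Connect-IPPSSession -UserPrincipalName $acctName`) references `$acctName`, which is only defined in the single-block versions later on the page and not in this step-by-step flow; define it in step 6 or pass `-Credential $credential` like the other steps. Also, the heading for step 7 drops Skype for Business Online, yet the note about the Skype for Business Online Connector is kept and, with the bare `>` line, is now merged with the unrelated note about other Microsoft Teams clouds; keep them as two notes or drop the connector note.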
-
-
-### Azure Active Directory PowerShell for Graph module
+### Azure Active Directory PowerShell for Graph module when using just a password
Here are the commands for all the services in a single block when you use the Azure Active Directory PowerShell for Graph module. Specify the name of your domain host and the UPN for the sign-in and run them all at the same time.
-
+ ```powershell $orgName="<for example, litwareinc for litwareinc.onmicrosoft.com>" $acctName="<UPN of the account, such as belindan@litwareinc.onmicrosoft.com>"
Connect-SPOService -Url https://$orgName-admin.sharepoint.com -credential $crede
#Exchange Online Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -ShowProgress $true
-#Security & Compliance Center
+#Security & Compliance
Connect-IPPSSession -UserPrincipalName $acctName #Teams and Skype for Business Online Import-Module MicrosoftTeams Connect-MicrosoftTeams -Credential $credential ```
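Review bot: in this password-only block `Connect-ExchangeOnline -ShowProgress $true` is called with neither `-Credential $credential` nor `-UserPrincipalName $acctName`, while the next line passes `-UserPrincipalName $acctName` to `Connect-IPPSSession`; without a credential it falls back to an interactive prompt, which contradicts "run them all at the same time". For this block `Connect-ExchangeOnline -Credential $credential -ShowProgress $true` matches the SharePoint and Teams lines. Also confirm the `$credential = Get-Credential` assignment is still in the block: the visible lines define only `$orgName` and `$acctName`, yet `-credential $credential` is used two lines later.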
-### Microsoft Azure Active Directory Module for Windows PowerShell module
+### Microsoft Azure Active Directory Module for Windows PowerShell module when using just a password
Here are the commands for all the services in a single block when you use the Microsoft Azure Active Directory Module for Windows PowerShell module. Specify the name of your domain host and the UPN for the sign-in and run them all at one time.
-
+ ```powershell $orgName="<for example, litwareinc for litwareinc.onmicrosoft.com>" $acctName="<UPN of the account, such as belindan@litwareinc.onmicrosoft.com>"
Connect-MsolService -Credential $credential
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://$orgName-admin.sharepoint.com -credential $credential #Exchange Online
-Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowProgress $true
-#Security & Compliance Center
+#Security & Compliance
Connect-IPPSSession -UserPrincipalName $acctName #Teams and Skype for Business Online Import-Module MicrosoftTeams
Connect-MicrosoftTeams -Credential $credential
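Review bot: the `Import-Module ExchangeOnlineManagement` line is removed here (and in the MFA Graph-module block below) but kept in the Graph-module block above, and this block still has explicit `Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking` and `Import-Module MicrosoftTeams`; module autoloading makes the removal harmless, but one convention across the four blocks avoids readers wondering whether Exchange is special. The same `Connect-ExchangeOnline -ShowProgress $true` without `-Credential $credential` as in the block above applies here.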
## Connection steps when using multi-factor authentication
-### Azure Active Directory PowerShell for Graph module
+### Azure Active Directory PowerShell for Graph module when using MFA
Here are all the commands in a single block to connect to multiple Microsoft 365 services when you use multi-factor authentication with the Azure Active Directory PowerShell for Graph module.
Connect-AzureAD
#SharePoint Online Connect-SPOService -Url https://$orgName-admin.sharepoint.com #Exchange Online
-Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $acctName -ShowProgress $true
-#Security & Compliance Center
+#Security & Compliance
Connect-IPPSSession -UserPrincipalName $acctName #Teams and Skype for Business Online Import-Module MicrosoftTeams Connect-MicrosoftTeams ```
-### Microsoft Azure Active Directory Module for Windows PowerShell module
+
+### Microsoft Azure Active Directory Module for Windows PowerShell module when using MFA
Here are all the commands in a single block to connect to multiple Microsoft 365 services when you use multi-factor authentication with the Microsoft Azure Active Directory Module for Windows PowerShell module.
Connect-MicrosoftTeams
## Close the PowerShell window
-To close down the PowerShell window, run this command to remove the active sessions to SharePoint Online and Teams:
-
+To close down the PowerShell window, run this command to remove the active sessions to SharePoint Online, Teams, Defender for Office 365 and Microsoft Purview compliance:
+ ```powershell
-Disconnect-SPOService ; Disconnect-MicrosoftTeams
+Disconnect-SPOService; Disconnect-MicrosoftTeams; Disconnect-ExchangeOnline
``` ## See also
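Review bot: the new sentence lists SharePoint Online, Teams, Defender for Office 365 and Microsoft Purview compliance, but the command it introduces, `Disconnect-ExchangeOnline`, tears down the Exchange Online session first and foremost, so Exchange Online belongs in that list (the Security & Compliance session opened by `Connect-IPPSSession` is closed by the same cmdlet). Two further points for this step: `Disconnect-ExchangeOnline` prompts for confirmation by default, which will interrupt the one-line `;` chain unless `-Confirm:$false` is added or the prompt is mentioned; and the heading "Close the PowerShell window" would benefit from one sentence on why disconnecting first matters, since closing the window without it leaves the server-side sessions alive until they time out.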
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
# Cross-tenant mailbox migration (preview)
-Commonly, during mergers or divestitures, you need the ability to move your user's Exchange Online mailbox into a new tenant. Cross-tenant mailbox migration allows tenant administrators to use well-known interfaces like Remote PowerShell and MRS to transition users to their new organization.
+Commonly, during mergers or divestitures, you need the ability to move your user's Exchange Online mailbox into a new tenant. Cross-tenant mailbox migration allows tenant administrators to use well-known interfaces like Exchange Online PowerShell and MRS to transition users to their new organization.
Administrators can use the New-MigrationBatch cmdlet, available through the Move Mailboxes management role, to execute cross-tenant moves.
To obtain the tenant ID of a subscription, sign in to the [Microsoft 365 admin c
### Prepare the target tenant by creating the Exchange Online migration endpoint and organization relationship
-1. Create a Remote PowerShell connection to the target Exchange Online tenant.
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) in the target Exchange Online tenant.
2. Create a new migration endpoint for cross-tenant mailbox moves
To obtain the tenant ID of a subscription, sign in to the [Microsoft 365 admin c
2. Accept the application when the pop-up appears. You can also log into your Azure Active Directory portal and find the application under Enterprise applications.
-3. Create new or edit your existing organization relationship object to your target (destination) tenant from an Exchange Online Remote PowerShell window.
+3. Create a new organization relationship or edit your existing organization relationship object to your target (destination) tenant in Exchange Online PowerShell:
```powershell $targetTenantId="[tenant id of your trusted partner, where the mailboxes are being moved to]"
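Review bot: step 2 still says "log into your Azure Active Directory portal" while the surrounding rewrite (and the admin center step above) uses "sign in to"; align the wording while touching this section. The placeholder `"[tenant id of your trusted partner, where the mailboxes are being moved to]"` also uses square brackets, whereas the connect blocks changed in this same commit use angle-bracket placeholders such as `"<UPN of the account, ...>"`; one placeholder style keeps copy-paste errors down.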
enterprise Multi Geo Ediscovery Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-ediscovery-configuration.md
When the eDiscovery Manager or Administrator role is set for a particular satell
To set the Compliance Security Filter for a Region:
-1. [Connect to Microsoft 365 Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell)
+1. [Connect to Microsoft 365 Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell)
2. Use the following syntax:
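Review bot: the link text "Connect to Microsoft 365 Security & Compliance PowerShell" differs from "Connect to Security & Compliance PowerShell" used for the same target (`/powershell/exchange/connect-to-scc-powershell`) elsewhere in this commit, and the latter is the target page's own title; use it here as well.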
enterprise Privileged Access Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/privileged-access-microsoft-365-enterprise-dev-test-environment.md
If you want to configure privileged access management in a lightweight way with
If you want to configure privileged access management in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md).
->[!NOTE]
->Testing privileged access management doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services forest. It's provided here as an option so that you can test privileged access management and experiment with it in an environment that represents a typical organization.
+> [!NOTE]
+> Testing privileged access management doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services forest. It's provided here as an option so that you can test privileged access management and experiment with it in an environment that represents a typical organization.
## Phase 2: Configure privileged access management
In this phase, configure an approvers group and enable privileged access managem
To set up and use privileged access in your organization, perform the following steps.
-#### [Step 1: Create an approver's group](../compliance/privileged-access-management-configuration.md#step-1-create-an-approvers-group)
+### [Step 1: Create an approver's group](../compliance/privileged-access-management-configuration.md#step-1-create-an-approvers-group)
Before you start using privileged access, determine who will have approval authority for incoming requests for access to elevated and privileged tasks. All users who are part of the Approvers' group can approve access requests. To use privileged access, you must create a mail-enabled security group in Microsoft 365. In your test environment, name the new security group "Privileged Access Approvers" and add the "User 3" that was previously created in previous test lab guide steps.
-#### [Step 2: Enable privileged access](../compliance/privileged-access-management-configuration.md#step-2-enable-privileged-access)
+### [Step 2: Enable privileged access](../compliance/privileged-access-management-configuration.md#step-2-enable-privileged-access)
Privileged access needs to be explicitly turned on in Microsoft 365 with the default approver group, and it must include a set of system accounts that you want excluded from the privileged access management access control. Be sure to enable privileged access in your organization before starting Phase 3 of this guide.
In this phase, verify that the privileged access policy is working and that user
### Test the ability to execute a task NOT defined in a privileged access policy
-First, connect to Exchange Management PowerShell with the credentials of a user configured with the Exchange Role Management role in your test environment and attempt to create a new Journal rule. The [New-JournalRule](/powershell/module/exchange/new-journalrule) task is not currently defined in a privileged access policy for your organization.
+First, attempt to create a new Journal rule in Exchange Online PowerShell. The [New-JournalRule](/powershell/module/exchange/new-journalrule) task is not currently defined in a privileged access policy for your organization.
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
-2. In Exchange Management PowerShell, create a new Journal rule for your organization:
+1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment.
+2. Create a new Journal rule for your organization by running the following command:
- ```ExchangeManagementPowerShell
+ ```PowerShell
New-JournalRule -Name "JournalRule1" -Recipient joe@contoso.onmicrosoft.com -JournalEmailAddress barbara@adatum.com -Scope Global -Enabled $true ```
-3. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
+3. Verify that the new Journal Rule was successfully created:
+
+ ```PowerShell
+ Get-JournalRule -Identity "JournalRule1"
+ ```
### Create a new privileged access policy for the New-JournalRule task
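Review bot: the first test rule copies mail to an address in an external domain (`-JournalEmailAddress barbara@adatum.com`) with `-Recipient joe@contoso.onmicrosoft.com`, while the two later tests use `user1@<your subscription domain>` for both parameters; a journal rule that sends copies outside the tenant is exactly the kind of change this lab's privileged access policy is meant to gate, so the test-lab example should use the subscription-domain placeholder too. Also the fence tag here is ```PowerShell while the other files in this commit use ```powershell; pick one.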
->[!NOTE]
->If you haven't already completed the Steps 1 and 2 from Phase 2 of this guide, be sure follow the steps to create an approver's group named "Privilege Access Approvers" to enable privileged access in your test environment.
+> [!NOTE]
+> If you haven't already completed the Steps 1 and 2 from Phase 2 of this guide, be sure follow the steps to create an approver's group named "Privilege Access Approvers" to enable privileged access in your test environment.
1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials with the Exchange Role Management role for your test environment. 2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**.
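Review bot: the note text still reads "be sure follow the steps" (missing "to") and "the Steps 1 and 2", and it names the group "Privilege Access Approvers" while Step 1 above calls it "Privileged Access Approvers"; since the line was touched for the `[!NOTE]` spacing, fix the grammar and use the Step 1 name so readers do not create two groups.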
First, connect to Exchange Management PowerShell with the credentials of a user
### Test approval requirement for the New-JournalRule task defined in a privileged access policy
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
+1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment.
-2. In Exchange Management PowerShell, create a new Journal rule for your organization:
+2. In Exchange Online PowerShell, create a new Journal rule for your organization:
- ```ExchangeManagementPowerShell
+ ```PowerShell
New-JournalRule -Name "JournalRule2" -Recipient user1@<your subscription domain> -JournalEmailAddress user1@<your subscription domain> -Scope Global -Enabled $true ```
-3. View the "Insufficient permissions" error in Exchange Management PowerShell:
+3. View the "Insufficient permissions" error in Exchange Online PowerShell:
- ```ExchangeManagementPowerShell
+ ```PowerShell
Insufficient permissions. Please raise an elevated access request for this task. + CategoryInfo : NotSpecified: (:) [], LocalizedException + FullyQualifiedErrorId : [Server=CY1PR00MB0220,RequestId=7b8c7470-ddd0-4528-a01e-5e20ecc9bd54,TimeStamp=9/19/2018
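Review bot: the block showing the "Insufficient permissions" error is tagged ```PowerShell but it is console output, not a command to run; tag it `console` or `text` so the copy button does not offer the error text as a command. Consider trimming the sample to the first line as well: the `Server=CY1PR00MB0220,RequestId=...,TimeStamp=9/19/2018` tail is environment-specific noise that will never match what the reader sees.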
First, connect to Exchange Management PowerShell with the credentials of a user
### Test creating a new Journal Rule with privileged access approved for the New-JournalRule task
-1. On your local computer, open and sign in to the Exchange Online Remote PowerShell Module at **Microsoft Corporation** > **Microsoft Exchange Online Remote PowerShell Module** using credentials with the Exchange Role Management role for your test environment.
+1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment.
-2. In Exchange Management PowerShell, create a new Journal rule for your organization:
+2. In Exchange Online PowerShell, create a new Journal rule for your organization:
- ```ExchangeManagementPowerShell
+ ```PowerShell
New-JournalRule -Name "JournalRule2" -Recipient user1@<your subscription domain> -JournalEmailAddress user1@<your subscription domain> -Scope Global -Enabled $true ```
-3. View that the new Journal Rule was successfully created in Exchange Management PowerShell.
+3. Verify that the new Journal rule was successfully created:
+
+ ```PowerShell
+ Get-JournalRule -Identity "JournalRule2"
+ ```
## Next step
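Review bot: step 3 says "Journal rule" here but "Journal Rule" in the first test's step 3; use one form. More importantly, after this third test the tenant has two live journal rules (`JournalRule1`, `JournalRule2`) with `-Enabled $true`, and nothing in the lab removes them; add a cleanup step with `Remove-JournalRule -Identity "JournalRule1"` and `"JournalRule2"` so the test environment is not left journaling mail after the exercise.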
enterprise Remove Or Disable Hybrid Modern Authentication From Skype For Business And Excha https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/remove-or-disable-hybrid-modern-authentication-from-skype-for-business-and-excha.md
description: "This article explains how to remove or disable Hybrid Modern Authe
*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* If you've enabled Hybrid Modern Authentication (HMA) only to find it's unsuitable for your current environment, you can disable HMA. This article explains how.
-
+ ## Who is this article for? If you've enabled Modern Authentication in Skype for Business Online or On-premises, and/or Exchange Online or On-premises and found you need to disable HMA, these steps are for you. > [!IMPORTANT] > See the '[Skype for Business topologies supported with Modern Authentication](/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported)' article if you're in Skype for Business Online or On-premises, have a mixed-topology HMA, and need to look at supported topologies before you begin.
-
+ ## How to disable Hybrid Modern Authentication (Exchange)
-1. **Exchange On-premises**: Open the Exchange Management Shell and run the following commands:
+1. **Exchange On-premises**: [Open the Exchange Management Shell](/powershell/exchange/open-the-exchange-management-shell) and run the following commands:
+
+ ```powershell
+ Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
+ Set-AuthServer -Identity evoSTS -IsDefaultAuthorizationEndpoint $false
+ ```
-```powershell
-Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
-Set-AuthServer -Identity evoSTS -IsDefaultAuthorizationEndpoint $false
-```
+2. **Exchange Online**: [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Run the following command to disable Modern Authentication:
-2. **Exchange Online**: [Connect to Exchange Online](/powershell/exchange/connect-to-exchange-online-powershell) with Remote PowerShell. Run the following command to turn your *OAuth2ClientProfileEnabled* flag to 'false':
+ ```powershell
+ Set-OrganizationConfig -OAuth2ClientProfileEnabled:$false
+ ```
-```powershell
-Set-OrganizationConfig -OAuth2ClientProfileEnabled:$false
-```
-
## How to disable Hybrid Modern Authentication (Skype for Business) 1. **Skype for Business On-premises**: Run the following commands in Skype for Business Management Shell:
-```powershell
-Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity ""
-```
+ ```powershell
+ Set-CsOAuthConfiguration -ClientAuthorizationOAuthServerIdentity ""
+ ```
-2. **Skype for Business Online**: [Connect to Skype for Business Online](manage-skype-for-business-online-with-microsoft-365-powershell.md) with Remote PowerShell. Run the following command to disable Modern Authentication:
+2. **Skype for Business Online**: [Connect to Skype for Business Online PowerShell](manage-skype-for-business-online-with-microsoft-365-powershell.md). Run the following command to disable Modern Authentication:
-```powershell
-Set-CsOAuthConfiguration -ClientAdalAuthOverride Disallowed
-```
+ ```powershell
+ Set-CsOAuthConfiguration -ClientAdalAuthOverride Disallowed
+ ```
-[Link back to the Modern Authentication overview](hybrid-modern-auth-overview.md) .
+[Link back to the Modern Authentication overview](hybrid-modern-auth-overview.md).
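Review bot: the on-premises and online Exchange steps spell the same parameter two ways, `-OAuth2ClientProfileEnabled $false` and `-OAuth2ClientProfileEnabled:$false`; both work for a Boolean parameter, but use one form so readers do not wonder whether the difference is meaningful. The rewritten step 2 now just says "disable Modern Authentication"; a one-sentence statement of the consequence (clients revert to legacy authentication for these protocols) would help admins weigh the change before running it. Finally, the Skype for Business Online step still links to a Skype for Business Online PowerShell page, although the Teams note changed in this same commit says the Skype for Business Online Connector is now part of the Teams PowerShell module; point the link at the Teams connection guidance instead.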
enterprise Use Lean Popouts To Reduce Memory Used When Reading Mail Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-lean-popouts-to-reduce-memory-used-when-reading-mail-messages.md
These features will continue to work in the main window but are not available in
## To configure lean popouts for all users within your Office 365 organization
-1. [Connect to Exchange Online Using Remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. Run the [Set-OrganizationConfig](/powershell/module/exchange/set-organizationconfig) cmdlet with the LeanPopoutEnabled parameter as follows:
enterprise Use Powershell To Perform A Cutover Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-a-cutover-migration-to-microsoft-365.md
Estimated time to complete this task: 2-5 minutes to create a migration batch. A
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Migration" entry in a table in the [Recipients Permissions](/exchange/recipients-permissions-exchange-2013-help) topic.
-To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
+To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
For a full list of migration commands, see [Move and migration cmdlets](/powershell/exchange/).
enterprise Use Powershell To Perform A Staged Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-a-staged-migration-to-microsoft-365.md
Estimated time to complete this task: 2-5 minutes to create a migration batch. A
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Migration" entry in the [Recipients Permissions](/exchange/recipients-permissions-exchange-2013-help) topic.
-To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
+To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
For a full list of migration commands, see [Move and migration cmdlets](/powershell/exchange/).
enterprise Use Powershell To Perform An Imap Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-an-imap-migration-to-microsoft-365.md
Estimated time to complete this task: 2-5 minutes to create a migration batch. A
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Migration" entry in a table in the [Recipients Permissions](/exchange/recipients-permissions-exchange-2013-help) topic.
-To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
+To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
For a full list of migration commands, see [Move and migration cmdlets](/powershell/exchange/).
The following restrictions apply to IMAP migrations:
- **Assign the administrator account permissions to access mailboxes in your IMAP organization**. If you use administrator credentials in the CSV file, the account that you use must have the necessary permissions to access the on-premises mailboxes. The permissions required to access user mailboxes is determined by the particular IMAP server. -- **To use the Exchange Online PowerShell cmdlets**, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
+- **To use the Exchange Online PowerShell cmdlets**, you need to sign in and import the cmdlets into your local Windows PowerShell session. See [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) for instructions.
For a full list of migration commands, see [Move and migration cmdlets](/powershell/exchange/).
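Review bot: the bullet "To use the Exchange Online PowerShell cmdlets, you need to sign in and import the cmdlets..." repeats the standalone paragraph a few lines above in this same article word for word, and both copies were updated to the new link text in this commit; keep one of them (the paragraph, since the list is about IMAP restrictions) rather than maintaining the sentence twice.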
lighthouse M365 Lighthouse Block User Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-block-user-signin.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Compare Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-compare-compliance-policies.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Configure Portal Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Device Compliance Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-compliance-page-overview.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Get Help And Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-get-help-and-support.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Known Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-known-issues.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
This article lists the known issues for Microsoft 365 Lighthouse by feature area
## Granular Delegated Admin Privileges (GDAP)
-> [!NOTE]
-> GDAP is currently in [technical preview](/partner-center/announcements/2022-february#6) (public preview) to allow partners to assign granular permissions before GDAP is generally available.
-
-Currently, DAP is required to onboard customers to Lighthouse. We recommend also establishing GDAP with your customers to enable more secure delegated access. While DAP and GDAP coexist, GDAP will take precedence for customers where both models are in place. Soon, customers with just GDAP (and no DAP) will be able to onboard to Lighthouse.<br><br>
+Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Coming soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse.<br><br>
| Issue | Description | Solution | | - | - | - |
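Review bot: the replacement paragraph drops the recommendation to establish GDAP "to enable more secure delegated access"; since DAP remains an accepted onboarding path, keep one sentence saying GDAP is the recommended, least-privilege model so the change does not read as DAP and GDAP being equivalent. The trailing `<br><br>` before the table is a layout hack; a blank line between the paragraph and the `| Issue | Description | Solution |` header renders the same.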
lighthouse M365 Lighthouse Manage Mfa https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-manage-mfa.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Manage Sspr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-manage-sspr.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-mitigate-threats.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Overview Of Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview-of-permissions.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
We recommend assigning roles to groups of MSP technicians based on the tasks eac
The tables in the next section describe which GDAP roles grant permission to read customer data and take action on customer tenants in Lighthouse. See [Permissions in the partner tenant](#permissions-in-the-partner-tenant) in this article for additional roles required to manage Lighthouse entities (for example, tags and Lighthouse service requests).
-> [!NOTE]
->GDAP is currently in [technical preview](/partner-center/announcements/2022-february#6) (public preview) to allow partners to assign granular permissions before GDAP is generally available. Check [Known Issues](m365-lighthouse-known-issues.md) if you're having a problem accessing or performing an action in Lighthouse.
- ## Example MSP service tiers, recommended GDAP roles, and permissions The following table lists the recommended GDAP roles for some example MSP service tiers.
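Review bot: removing the preview note also removes the pointer "Check Known Issues if you're having a problem accessing or performing an action in Lighthouse", which is still useful after GDAP leaves preview; keep that sentence as a standalone tip under the GDAP roles paragraph.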
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Reprovision Cloudpc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-reprovision-cloudpc.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
search.appverid: MET150
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to reprovision a Windows 365 Cloud PC in Microsoft 365 Lighthouse." - # Reprovision a Windows 365 Cloud PC in Microsoft 365 Lighthouse
-Microsoft 365 Lighthouse supports reprovisioning Cloud PCs that have a provisioning policy. You may need to reprovision a device for a new user or if the device isn't working properly. When a reprovision is triggered, the Cloud PC will be deleted and recreated as a new Cloud PC. All user data, applications, customizations, and the like will be deleted.
+Microsoft 365 Lighthouse supports reprovisioning of Cloud PCs that have a provisioning policy. You may need to reprovision a device for a new user or if the device isn't working properly. When a reprovision is triggered, the Cloud PC is deleted and re-created as a new Cloud PC. All user data, applications, and customizations are deleted.
## Before you begin
You must be a Cloud PC Administrator in the partner tenant.
6. In the confirmation dialog, select **Reprovision**. > [!NOTE]
-> The current user of the Cloud PC will be signed out immediately and all user data removed.
+> The current user of the Cloud PC is immediately signed out and all user data is removed.
## Check the device action status
You must be a Cloud PC Administrator in the partner tenant.
3. From the device list, select a device.
-4. In the device details pane, select **Device action status** tab.
+4. In the device details pane, select the **Device action status** tab.
The tab displays any current actions queued for this device, including the action type, status, and timestamp.
lighthouse M365 Lighthouse Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-requirements.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
In addition, each MSP customer tenant must qualify for Lighthouse by meeting the
- Must have at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Windows 365 Business, or Microsoft Defender for Business license - Must have no more than 1000 licensed users
-*Delegated Admin Privileges (DAP) is required to onboard customers to Lighthouse. We recommend also establishing Granular Delegated Admin Privileges (GDAP) with your customers to enable more secure delegated access. While DAP and GDAP coexist, GDAP will take precedence for customers where both models are in place. Soon, customers with just GDAP (and no DAP) will be able to onboard to Lighthouse.
+Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Coming soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse.
## Requirements for enabling device management
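Review bot: the removed paragraph started with `*`, which was the footnote marker for an item in the requirements list above it, and the new paragraph drops the marker; check whether a bullet in that list (for example the licensing requirement) still carries a `*` that now points at nothing.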
lighthouse M365 Lighthouse Reset User Password https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-reset-user-password.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Review Audit Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Search For Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-search-for-users.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Tenants Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Threat Management Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-threat-management-page-overview.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
This article describes error messages and problems that you might encounter whil
**Resolution:** The following table describes the different tenant statuses that require action and explains how to resolve them.
-*Delegated Admin Privileges (DAP) is required to onboard customers to Lighthouse. We recommend also establishing Granular Delegated Admin Privileges (GDAP) with your customers to enable more secure delegated access. While DAP and GDAP coexist, GDAP will take precedence for customers where both models are in place. Soon, customers with just GDAP (and no DAP) will be able to onboard to Lighthouse.
+Either Granular Delegated Admin Privileges (GDAP) plus an indirect reseller relationship or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups. Coming soon, customers with GDAP-only relationships (without indirect reseller relationships) will be able to onboard to Lighthouse.<br><br>
| Status | Description | Resolution | |--|--|--| | Inactive | The tenant was offboarded at the request of the MSP and is no longer being managed in Lighthouse. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24ΓÇô48 hours for initial customer data to appear in Lighthouse. |
-| Ineligible - DAP or GDAP is not set up | You don't have DAP or GDAP admin privileges set up with the tenant, which is required by Lighthouse. | Set up DAP or GDAP admin privileges in the Microsoft Partner Center. |
+| Ineligible - DAP or GDAP is not set up | You don't have DAP or GDAP and indirect reseller admin privileges set up with the tenant, which is required by Lighthouse. | Set up DAP or GDAP and indirect reseller admin privileges in the Microsoft Partner Center. |
| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, or Microsoft Defender for Business license. | Make sure the tenant has at least one Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Windows 365 Business, or Microsoft Defender for Business license assigned. | | Ineligible - User count exceeded | The tenant has more than the maximum of 1000 licensed users allowed by Lighthouse. | Verify that the tenant doesn't have more than 1000 licensed users. | | Ineligible - Geo check failed | You and your customer don't reside in the same geographic region, which is required by Lighthouse. | Verify that the customer resides in your geographic region. If not, then you can't manage the tenant in Lighthouse. |
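Review bot: "DAP or GDAP and indirect reseller admin privileges" in the "Ineligible - DAP or GDAP is not set up" row is ambiguous about grouping (it reads as easily as "(DAP or GDAP) and indirect reseller"); mirror the paragraph above the table with "either a DAP relationship, or GDAP plus an indirect reseller relationship" in both the Description and Resolution cells. In the same table, the "Required license is missing" row lists Windows 365 Business in the Resolution cell but not in the Description cell; add it to the Description so the two cells agree.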
lighthouse M365 Lighthouse Users Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-users-page-overview.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse View Failed Network Connections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-view-failed-network-connections.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
# View an enterprise Cloud PC failed network connection in Microsoft 365 Lighthouse
-Microsoft 365 Lighthouse provides connection status between your tenants and Azure Active Directory. When a Cloud PC has a failed network connection, you can view detailed information in Microsoft Endpoint Manager admin center.
+Microsoft 365 Lighthouse provides the connection status between your customer tenants and Azure Active Directory (Azure AD). When a Cloud PC has a failed network connection, you can view detailed information in the Microsoft Endpoint Manager admin center.
## Before you begin - You must be a Global Administrator in the partner tenant.-- You must have Cloud PC administrator or Cloud PC reader access to view connection issues.
+- You must have Cloud PC Administrator or Cloud PC Reader access to view connection issues.
## View a failed network connection
Microsoft 365 Lighthouse provides connection status between your tenants and Azu
2. Select the **Azure network connections** tab.
-3. From the connection summary area, select **Failed connections**.
+3. From the connection summary section, select **Failed connections**.
4. From the filtered list, select **View connection details in Microsoft Endpoint Manager** next to the connection you want to investigate.
-5. From Microsoft Endpoint Manager admin center, select **View details** to learn more about the error.
+5. From the Microsoft Endpoint Manager admin center, select **View details** to learn more about the error.
## Next steps
-To troubleshoot connection issues, see [Troubleshoot on-premises network connection](/windows-365/enterprise/troubleshoot-on-premises-network-connection) article.
+To troubleshoot connection issues, see [Troubleshoot on-premises network connection](/windows-365/enterprise/troubleshoot-on-premises-network-connection).
## Related content
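Review bot: the "Before you begin" list requires both Global Administrator in the partner tenant and Cloud PC Administrator or Cloud PC Reader; for a task that only views connection details, state whether Global Administrator is actually a prerequisite or whether Cloud PC Reader alone suffices, because as written the two bullets overlap and readers will assign the more privileged role. The wording changes in the procedure ("summary section", "the Microsoft Endpoint Manager admin center", dropping the trailing "article") are fine.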
lighthouse M365 Lighthouse View Manage Risky Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-view-manage-risky-users.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-view-service-health.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse View Your Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-view-your-roles.md
f1.keywords: NOCSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
lighthouse M365 Lighthouse Win365 Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview.md
f1.keywords: CSH
+ audience: Admin ms.prod: microsoft-365-lighthouse
security Microsoft 365 Security For Bdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md
search.appverid:
This article discusses some of the most common threat and attack scenarios currently faced by organizations for their Microsoft 365 environments, and recommended actions for mitigating these risks. While Microsoft 365 comes with a wide array of pre-configured security features, it also requires you as the customer to take responsibility to secure your own identities, data, and devices used to access cloud services. This guidance was developed by Kozeta Beam (Microsoft Cloud Security Architect) and Thiagaraj Sundararajan (Microsoft Senior Consultant).
-This article is organized by priority of work, starting with protecting those accounts used to administer the most critical services and assets, such as your tenant, e-mail, and SharePoint. It provides a methodical way for approaching security and works together with the following spreadsheet so you can track your progress with stakeholders and teams across your organization: [Microsoft 365 security for BDMs spreadsheet](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-BDM-security-recommendations-spreadsheet.xlsx).
+This article is organized by priority of work, starting with protecting those accounts used to administer the most critical services and assets, such as your tenant, e-mail, and SharePoint. It provides a methodical way for approaching security and works together with the following spreadsheet so you can track your progress with stakeholders and teams across your organization: [Microsoft 365 security for BDMs spreadsheet](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-BDM-security-recommendations-spreadsheet.xlsx).
:::image type="content" source="../downloads/microsoft-365-bdm-security-recommendations-spreadsheet-thumb.png" alt-text="An example of the Microsoft 365 BDM security recommendation spreadhsheet" lightbox="../downloads/microsoft-365-bdm-security-recommendations-spreadsheet-thumb.png":::
One more thing before we get started . . . be sure to [turn on the audit log](..
As a first step, we recommend ensuring critical accounts in the environment are given an extra layer of protection as these accounts have access and permissions to manage and alter critical services and resources, which can negatively impact the entire organization, if compromised. Protecting privileged accounts is one of the most effective ways to protect against an attacker who seeks to elevate the permissions of a compromised account to an administrative one.
-|Recommendation |E3 |E5 |
-||||
+|Recommendation|E3|E5|
+||||
|Enforce multifactor authentication (MFA) for all administrative accounts.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
-|Implement Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to apply just-in-time privileged access to Azure AD and Azure resources. You can also discover who has access and review privileged access.| | ![green check mark.](../media/green-check-mark.png)|
-|Implement privileged access management to manage granular access control over privileged admin tasks in Office 365. | | ![green check mark.](../media/green-check-mark.png)|
-|Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.| !![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)::: |
+|Implement Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to apply just-in-time privileged access to Azure AD and Azure resources. You can also discover who has access and review privileged access.||![green check mark.](../media/green-check-mark.png)|
+|Implement privileged access management to manage granular access control over privileged admin tasks in Office 365.||![green check mark.](../media/green-check-mark.png)|
+|Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.|!![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png):::|
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-privileged-accounts.png" alt-text="The recommended capabilities for protecting privileged accounts" lightbox="../media/m365-security-bdm-illustrations-privileged-accounts.png":::
Here are some examples:
Known threats include malware, compromised accounts, and phishing. Some protections against these threats can be implemented quickly with no direct impact to your users, while others require more planning and user training.
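Review bot: the PAW row keeps two markup defects from the old line: the E3 cell starts with `!![green check mark.]` (the doubled `!` renders a literal "!" before the image) and the E5 cell ends with a stray `:::` after the image. Since this pass already normalizes cell spacing, change the trailing cells to `|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|`.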
-|Recommendation |E3 |E5 |
-||||
-|**Setup multi-factor authentication and use recommended conditional access policies, including sign-in risk policies**. Microsoft recommends and has tested a set of policies that work together to protect all cloud apps, including Office 365 and Microsoft 365 services. See [Identity and device access configurations](./office-365-security/microsoft-365-policies-configurations.md). | |![green check mark.](../media/green-check-mark.png)|
+|Recommendation|E3|E5|
+||||
+|**Setup multi-factor authentication and use recommended conditional access policies, including sign-in risk policies**. Microsoft recommends and has tested a set of policies that work together to protect all cloud apps, including Office 365 and Microsoft 365 services. See [Identity and device access configurations](./office-365-security/microsoft-365-policies-configurations.md).||![green check mark.](../media/green-check-mark.png)|
|**Require multi-factor authentication for all users**. If you don't have the licensing required to implement the recommended conditional access policies, at a minimum require multifactor authentication for all users.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)| |**Raise the level of protection against malware in mail**. Your Office 365 or Microsoft 365 environment includes protection against malware, but you can increase this protection by blocking attachments with file types that are commonly used for malware.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
-|**Protect your email from targeted phishing attacks**. If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you do not need to do this.| |![green check mark.](../media/green-check-mark.png)|
+|**Protect your email from targeted phishing attacks**. If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you do not need to do this.||![green check mark.](../media/green-check-mark.png)|
|**Protect against ransomware attacks in email**. Ransomware takes away access to your data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in form of cryptocurrencies like Bitcoin, in exchange for returning access to your data. You can help defend against ransomware by creating one or more mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
-|**Block connections from countries that you don't do business with**. Create an Azure AD conditional access policy to block any connections coming from these countries, effectively creating a geo firewall around your tenant.| |![green check mark.](../media/green-check-mark.png)|
+|**Block connections from countries that you don't do business with**. Create an Azure AD conditional access policy to block any connections coming from these countries, effectively creating a geo firewall around your tenant.||![green check mark.](../media/green-check-mark.png)|
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-known-threats.png" alt-text="The recommended capabilities for protecting against known threats" lightbox="../media/m365-security-bdm-illustrations-known-threats.png"::: - ## Protect against unknown threats After adding extra protections to your privileged accounts and protecting against known attacks, shift your attention to protecting against unknown threats. The more determined and advanced adversaries use innovative and new, unknown methods to attack organizations. With Microsoft's vast telemetry of data gathered over billions of devices, applications, and services, we are able to perform Defender for Office 365 on Windows, Office 365, and Azure to prevent against Zero-Day attacks, utilizing sand box environments, and checking validity before allowing access to your content.
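Review bot: "**Setup multi-factor authentication ...**" in the first row should read "Set up" (verb), and the "Require multi-factor authentication for all users" row alternates between "multi-factor" and "multifactor" in the same cell; pick one spelling (the privileged-accounts table above uses "multifactor"). The pass is otherwise whitespace-only, so these are cheap to fold in.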
-|Recommendation |E3 |E5 |
-||||
-|**Configure Microsoft Defender for Office 365**:<br>*Safe Attachments<br>* Safe Links<br>*Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams<br>* Anti-phishing in Defender for Office 365 protection| |![green check mark.](../media/green-check-mark.png) |
-|**Configure Microsoft Defender for Endpoint capabilities**:<br>*Windows Defender Antivirus <br>* Exploit protection <br> *Attack surface reduction <br>* Hardware-based isolation <br>* Controlled folder access | |![green check mark.](../media/green-check-mark.png) |
-|**Use Microsoft Defender for Cloud Apps** to discover SaaS apps and begin to use behavior analytics and anomaly detection. | |![green check mark.](../media/green-check-mark.png) |
+|Recommendation|E3|E5|
+||||
+|**Configure Microsoft Defender for Office 365**:<ul><li>Safe Attachments</li><li>Safe Links</li><li>Safe Attachments for SharePoint, OneDrive, and Microsoft Teams</li><li>Impersonation protection in anti-phishing policies</li></ul>||![green check mark.](../media/green-check-mark.png)|
+|**Configure Microsoft Defender for Endpoint capabilities**:<ul><li>Windows Defender Antivirus</li><li>Exploit protection</li><li>Attack surface reduction</li><li>Hardware-based isolation</li><li>Controlled folder access</li></ul>||![green check mark.](../media/green-check-mark.png)|
+|**Use Microsoft Defender for Cloud Apps** to discover SaaS apps and begin to use behavior analytics and anomaly detection.||![green check mark.](../media/green-check-mark.png)|
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-unknown-threats.png" alt-text="An example of the capabilities offered by tools to protect against unknown threats" lightbox="../media/m365-security-bdm-illustrations-unknown-threats.png"::: - Additional recommendations: - Secure partner channel communications like Emails using TLS. - Open Teams Federation only to Partners you communicate with. - Do not add sender domains, individual senders, or source IPs to your allowlist as this allows these to bypass spam and malware checks ΓÇö A common practice with customers is adding their own accepted domains or many other domains where email flow issues may have been reported to the allowlist. Do not add domains in the Spam and Connection Filtering list as this potentially bypasses all spam checks. - Enable outbound spam notifications ΓÇö Enable outbound spam notifications to a distribution list internally to the Helpdesk or IT Admin team to report if any of the internal users are sending out Spam emails externally. This could be an indicator that the account has been compromised.-- Disable Remote PowerShell for all users ΓÇö Remote PowerShell is mainly used by Admins to access services for administrative purposes or programmatic API access. We recommended disabling this option for non-Admin users to avoid reconnaissance unless they have a business requirement to access it.
+- Disable remote PowerShell for all users ΓÇö remote PowerShell is mainly used by Admins to access services for administrative purposes or programmatic API access. We recommended disabling this option for non-Admin users to avoid reconnaissance unless they have a business requirement to access it.
- Block access to the Microsoft Azure Management portal to all non-administrators. You can accomplish this by creating a conditional access rule to block all users, except for admins. ## Assume breach While Microsoft takes every possible measure to prevent against threats and attacks, we recommend always working under the "Assume Breach" mindset. Even if an Attacker has managed to intrude into the environment, we need to make sure they are unable to exfiltrate data or identity information from the environment. For this reason, we recommend enabling protection against sensitive data leaks such as Social Security numbers, credit cards numbers, other personal information, and other organizational level confidential information. -
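Review bot: the rewritten bullet's lead-in says "Disable remote PowerShell for all users" while its body recommends disabling it only for non-Admin users without a business requirement; change the lead-in to "Disable remote PowerShell for non-admin users" so the heading matches the advice, and fix "We recommended disabling" to "We recommend disabling". Replacing "Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams" with "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams" in the table above corrects the product name.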
-|Recommendation |E3|E5 |
-||||
-|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. The recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | |![green check mark.](../media/green-check-mark.png)|
-|**Disable external email forwarding**. Hackers who gain access to a user's mailbox can steal your mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. You can prevent this from happening by configuring a mail flow rule.|![green check mark.](../media/green-check-mark.png) |![green check mark.](../media/green-check-mark.png)|
-|**Disable anonymous external calendar sharing**. By default external anonymous calendar sharing is allowed. [Disable calendar sharing](/exchange/sharing/sharing-policies/modify-a-sharing-policy) to reduce potential leaks of sensitive information.|![green check mark.](../media/green-check-mark.png) |![green check mark.](../media/green-check-mark.png)|
-|**Configure data loss prevention policies for sensitive data**. Create a Microsoft Purview Data Loss Prevention Policy in the Security &amp; Compliance center to discover and protect sensitive data such as credit card numbers, Social Security numbers and bank account numbers. Microsoft 365 includes many predefined sensitive information types you can use in data loss prevention policies. You can also create your own sensitive information types for sensitive data that is custom to your environment. |![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
-|**Implement data classification and information protection policies**. Implement sensitivity labels and use these to classify and apply protection to sensitive data. You can also use these labels in data loss prevention policies. If you are using Azure Information Protection labels, we recommend that you avoid creating new labels in other admin centers.| |![green check mark.](../media/green-check-mark.png)|
-|**Protect data in third-party apps and services by using Defender for Cloud Apps**. Configure Defender for Cloud Apps policies to protect sensitive information across third-party cloud apps, such as Salesforce, Box, or Dropbox. You can use sensitive information types and the sensitivity labels you created in Defender for Cloud Apps policies and apply these across your SaaS apps. <br><br>Microsoft Defender for Cloud Apps allows you to enforce a wide range of automated processes. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and more. Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters (for example, access level, file type). | |![green check mark.](../media/green-check-mark.png)|
-|**Use [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview) to identify if users store sensitive information on their Windows devices**. | |![green check mark.](../media/green-check-mark.png)|
-|**Use [AIP Scanner](/azure/information-protection/deploy-aip-scanner) to identify and classify information across servers and file shares**. Use the AIP reporting tool to view the results and take appropriate actions.| |![green check mark.](../media/green-check-mark.png)|
+|Recommendation|E3|E5|
+||||
+|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. The recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud.||![green check mark.](../media/green-check-mark.png)|
+|**Disable external email forwarding**. Hackers who gain access to a user's mailbox can steal your mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. You can prevent this from happening by configuring a mail flow rule.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
+|**Disable anonymous external calendar sharing**. By default external anonymous calendar sharing is allowed. [Disable calendar sharing](/exchange/sharing/sharing-policies/modify-a-sharing-policy) to reduce potential leaks of sensitive information.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
+|**Configure data loss prevention policies for sensitive data**. Create a Microsoft Purview Data Loss Prevention Policy to discover and protect sensitive data such as credit card numbers, Social Security numbers and bank account numbers. Microsoft 365 includes many predefined sensitive information types you can use in data loss prevention policies. You can also create your own sensitive information types for sensitive data that is custom to your environment.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
+|**Implement data classification and information protection policies**. Implement sensitivity labels and use these to classify and apply protection to sensitive data. You can also use these labels in data loss prevention policies. If you are using Azure Information Protection labels, we recommend that you avoid creating new labels in other admin centers.||![green check mark.](../media/green-check-mark.png)|
+|**Protect data in third-party apps and services by using Defender for Cloud Apps**. Configure Defender for Cloud Apps policies to protect sensitive information across third-party cloud apps, such as Salesforce, Box, or Dropbox. You can use sensitive information types and the sensitivity labels you created in Defender for Cloud Apps policies and apply these across your SaaS apps. <p> Microsoft Defender for Cloud Apps allows you to enforce a wide range of automated processes. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and more. Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters (for example, access level, file type).||![green check mark.](../media/green-check-mark.png)|
+|**Use [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview) to identify if users store sensitive information on their Windows devices**.||![green check mark.](../media/green-check-mark.png)|
+|**Use [AIP Scanner](/azure/information-protection/deploy-aip-scanner) to identify and classify information across servers and file shares**. Use the AIP reporting tool to view the results and take appropriate actions.||![green check mark.](../media/green-check-mark.png)|
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-assume-breach.png" alt-text="The capabilities recommended for protecting against unknown threats" lightbox="../media/m365-security-bdm-illustrations-assume-breach.png"::: - ## Continuous monitoring and auditing Last but not least, Continuous Monitoring and Auditing of the Microsoft 365 environment along with the Windows and Devices is critical to making sure you are able to quickly detect and remediate any intrusions. Tools such as Secure Score, Microsoft 365 Defender portal, and Microsoft Intelligent Graph's advanced analytics provide invaluable information into your tenant and link massive amounts of threat intelligence and security data to provide you unparalleled threat protection and detection.
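Review bot: the Defender for Cloud Apps row swaps `<br><br>` for an unclosed `<p>` inside a table cell; keep `<br><br>` (as the troubleshoot article in this same set uses) or close the tag, since a bare `<p>` inside a Markdown table cell renders inconsistently. Dropping "in the Security &amp; Compliance center" from the DLP row is fine, but the row should then say where the policy is created, otherwise the reader loses the only navigation hint in that cell.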
-|Recommendation |E3 |E5 |
-||||
+|Recommendation|E3|E5|
+||||
|Ensure the **audit log** is turned on.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)| |**Review Secure Score weekly** ΓÇö Secure score is a central location to access the Security status of your company and take actions based on Secure score recommendations. It is recommended to perform this check weekly.|![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)|
-|Use **Microsoft Defender for Office 365** tools:<br>*Threat investigation and response capabilities<br>* Automated investigation and response | |![green check mark.](../media/green-check-mark.png)|
-|Use **Microsoft Defender for Endpoint**:<br> *[Endpoint detection and response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) <br>* Automated investigation and remediation Secure score <br>* [Advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) <br>| |![green check mark.](../media/green-check-mark.png)|
-|Use **Microsoft Defender for Cloud Apps** to detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.| |:::image type="content" source="../media/green-check-mark.png" alt-text="The example of green colored check mark" lightbox="../media/green-check-mark.png":::|
-|Use **Microsoft Sentinel** or your current SIEM tool to monitor for threats across your environment. | |![green check mark.](../media/green-check-mark.png)|
-|**Deploy [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp)** to monitor and protect against threats targeted to your on-premises Active Directory environment. | |![green check mark.](../media/green-check-mark.png) |
-|Use **Microsoft Defender for Cloud** to monitor for threats across hybrid and cloud workloads. Microsoft Defender for Cloud includes a free tier of capabilities and a standard tier of capabilities that are paid for based on resource hours or transactions.| | |
+|Use **Microsoft Defender for Office 365** tools: <ul><li>Threat investigation and response capabilities</li><li>Automated investigation and response</li></ul>||![green check mark.](../media/green-check-mark.png)|
+|Use **Microsoft Defender for Endpoint**: <ul><li>[Endpoint detection and response](/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)</li><li>Automated investigation and remediation Secure score</li><li>[Advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)</li></ul>||![green check mark.](../media/green-check-mark.png)|
+|Use **Microsoft Defender for Cloud Apps** to detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.||:::image type="content" source="../media/green-check-mark.png" alt-text="The example of green colored check mark" lightbox="../media/green-check-mark.png":::|
+|Use **Microsoft Sentinel** or your current SIEM tool to monitor for threats across your environment.||![green check mark.](../media/green-check-mark.png)|
+|**Deploy [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp)** to monitor and protect against threats targeted to your on-premises Active Directory environment.||![green check mark.](../media/green-check-mark.png)|
+|Use **Microsoft Defender for Cloud** to monitor for threats across hybrid and cloud workloads. Microsoft Defender for Cloud includes a free tier of capabilities and a standard tier of capabilities that are paid for based on resource hours or transactions.
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-monitoring-auditing.png" alt-text="The recommended capabilities for continuous monitoring and auditing" lightbox="../media/m365-security-bdm-illustrations-monitoring-auditing.png"::: - Top recommended monitoring actions: - **Review Microsoft Secure Score weekly** ΓÇö Secure score is a central location to access the security status of your tenant and to take actions based on top recommendations. It is recommended to perform this check weekly. Secure Score includes recommendations from across Azure AD, Intune, Defender for Cloud Apps, and Microsoft Defender for Endpoint, as well as Office 365.-- **Review risky logins weekly** ΓÇö Use the Azure AD admin center to review risky sign-ins weekly. The recommended identity and device access ruleset includes a policy to enforce password change on risky sign-ins.
+- **Review risky logins weekly** ΓÇö Use the Azure AD admin center to review risky sign-ins weekly. The recommended identity and device access ruleset includes a policy to enforce password change on risky sign-ins.
- **Review top malware and phished users weekly** ΓÇö Use Microsoft Defender for Office 365 Threat Explorer to review top users targeted with malware and phish and to find out the root cause of why these users are affected.
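Review bot: the re-added Defender for Cloud row (`+|Use **Microsoft Defender for Cloud** to monitor for threats across hybrid and cloud workloads. ...`) drops the two trailing cells (`| | |`) that the removed line had, so the row no longer has the same column count as the rest of the table; restore `| | |` at the end of the line. In the Defender for Endpoint row, the second bullet still reads "Automated investigation and remediation Secure score", a leftover from the old `<br>*` layout; it should be just "Automated investigation and remediation". The Defender for Cloud Apps row still uses an `:::image type="content" ... :::` directive inside the table cell while every other row uses `![green check mark.](../media/green-check-mark.png)`; use the same form throughout so the column renders consistently.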
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Last updated 06/06/2022
> [!NOTE] > The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).
-Microsoft Defender for Endpoint Device Control Removable Storage Access Control enables you to do the following task:
+## Device Control Removable Storage Access Control Overview
-- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
+Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow or prevent the read, write or execute access to removable storage with or without exclusion.
|Privilege|Permission| |||
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
|User-based Support|Yes| |Machine-based Support|Yes|
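Review bot: the new overview sentence (`+Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow or prevent ...`) is missing its article and serial commas; read "The Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent read, write, or execute access to removable storage, with or without exclusions." Introducing the `## ... Overview` heading above it is fine, but the heading should then also cover the privilege table that follows, which the heading text does not mention.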
+Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature gives you the following capabilities:
+ |Capability|Description|Deploy through Intune|Deploy through Group Policy| |||||
-|Removable Media Group Creation|Allows you to create reusable removable media group|Step 1 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Step 1 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy)|
-|Policy Creation|Allows you to create policy to enforce each removable media group|Step 2 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Steps 2 and 3 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy) |
-|Default Enforcement|Allows you to set default access (Deny or Allow) to removable media if there is no policy|Step 3 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Step 4 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy) |
-|Enable or Disable Removable Storage Access Control|If you set Disable, it will disable the Removable Storage Access Control policy on this machine| Step 4 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Step 5 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy) |
-|Capture file information|Allows you to create policy to capture file information when Write access happens| Steps 2 and 5 in the section, [Deploying policy via OMA-URI](#deploying-policy-via-oma-uri) | Step 2 and 6 in the section, [Deploying policy via Group Policy](#deploying-policy-via-group-policy) |
+|Removable Media Group Creation|Allows you to create reusable removable media group|Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
+|Policy Creation|Allows you to create policy to enforce each removable media group|Step 5 and 7 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Steps 5 and 7 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
+|Default Enforcement|Allows you to set default access (Deny or Allow) to removable media if there is no policy|Step 2 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri) | Step 2 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
+|Enable or Disable Removable Storage Access Control|If you set Disable, it will disable the Removable Storage Access Control policy on this machine| Step 1 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 1 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
+|Capture file information|Allows you to create policy to capture file information when Write access happens| | Step 10 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy) |
-## Prepare your endpoints
+### Prepare your endpoints
Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have antimalware client version **4.18.2103.3 or later**.
Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices tha
> [!NOTE] > None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
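Review bot: the rewritten "Capture file information" row leaves the "Deploy through Intune" cell empty, whereas the removed row pointed at Intune steps 2 and 5, and the new Intune procedure in this same commit still covers the capability (step 7, "Allow access and Audit file information"); either point the cell at that step or state explicitly that Intune OMA-URI does not support it. Also, "Step 4 and 6" in the Removable Media Group Creation row should be "Steps 4 and 6" to match "Steps 5 and 7" in the next row, and the intro line "... Access Control feature gives you the following capabilities:" needs a leading "The", as does the overview sentence above.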
-## Policy properties
+## Device Control Removable Storage Access Control Policies
You can use the following properties to create a removable storage group:
You can use the following properties to create a removable storage group:
|Property Name|Description|Options| |||| |**Group Id**|GUID, a unique ID, represents the group and will be used in the policy as GroupId||
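Review bot: renaming the heading from "Policy properties" to "Device Control Removable Storage Access Control Policies" changes its generated anchor from `#policy-properties`, so any link that targets the old anchor will break; this commit updates the deploy-section anchors in the capabilities table, but the old `#policy-properties` anchor should be searched for across the docs set as well.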
-|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. All properties are case sensitive. |**PrimaryId**: `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`<p>**BusId**: For example, USB, SCSI<p>**DeviceId**<p>**HardwareId**<p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.<p>**FriendlyNameId**<p>**SerialNumberId**<p>**VID**<p>**PID**<p>**VID_PID**<p>`0751_55E0`: match this exact VID/PID pair<p>`_55E0`: match any media with PID=55E0 <p>`0751_`: match any media with VID=0751|
-|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. |
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. All properties are case sensitive. |**PrimaryId**: `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`<br>**BusId**: For example, USB, SCSI<br>**DeviceId**<br>**HardwareId**<br>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.<br>**FriendlyNameId**<br>**SerialNumberId**<br>**VID**<br>**PID**<br>**VID_PID**<br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751|
+|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <br> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. |
### Access Control Policy
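Review bot: the rewritten MatchType row still spells the property `DescriptorIDList` in its description while the options column and the DescriptorIdList row use `DescriptorIdList`, and the row above states that all properties are case sensitive; use `DescriptorIdList` in both places. In the same row the MatchAny example refers to "an identical **DeviceID** or **InstanceID** value" while the property listed in the table is `InstancePathId`; use the table's names. Swapping `<p>` for `<br>` in the cells is the right fix for the paragraph spacing.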
+You can use the following properties to create the access control policy:
| Property Name | Description | Options | ||||
You can use the following properties to create a removable storage group:
| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system will not send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event | |AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.|
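Review bot: the new intro line ("You can use the following properties to create the access control policy:") is correct, but the Options row of the table it introduces has nested bold markers (`**When Type **AuditAllowed** is selected**:` and the same for AuditDenied) that render as stray asterisks; since this commit touches the table, change them to `**When Type AuditAllowed is selected**:` and `**When Type AuditDenied is selected**:`.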
-## Common Removable Storage Access Control scenarios
+## Device Control Removable Storage Access Control Scenarios
-To help familiarize you with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.
+To help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.
### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
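Review bot: "To help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control ..." is ungrammatical; "familiarize" needs an object, so keep the original "To help familiarize you with ..." or write "To help you familiarize yourself with ...". The heading change to "Device Control Removable Storage Access Control Scenarios" also changes the anchor from `#common-removable-storage-access-control-scenarios`; check for links to it.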
-## Deploying and managing policy via Group Policy
-
-The Removable Storage Access Control feature enables you to apply policy via Group Policy to either user or device, or both.
-
-### Licensing
-
-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
-
-### Deploying policy via Group Policy
-
-1. Combine all groups within `<Groups>` `</Groups>` into one xml file.
-
- The following image illustrates the example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
-
- :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The configuration settings that allow specific approved USBs on devices" lightbox="images/prevent-write-access-allow-usb.png":::
-
-2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
-
- If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
-
- If you want to monitor file information for Write access, use the right AccessMask with the right Option (16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Audit%20File%20Information.xml).
-
- The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
-
- :::image type="content" source="images/usage-sid-property.png" alt-text="The code that indicates usage of the SID property attribute" lightbox="images/usage-sid-property.png":::
-
-3. Save both rule and group XML files on the network share folder and put the network share folder path into the Group Policy setting: **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control**: **'Define device control policy groups'** and **'Define device control policy rules'**.
+## Deploying and managing Removable Storage Access Control by using Intune OMA-URI
- If you cannot find the policy configuration UX in the Group Policy, you can download the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files by selecting **Raw** and then **Save as**.
-
- - The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.
-
- :::image type="content" source="images/device-control.png" alt-text="The Device Control screen" lightbox="images/device-control.png":::
-
-4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
-
- - Once you deploy this setting, you will see **Default Allow** or **Default Deny**.
- - Consider both Disk level and File system level AccessMask when configuring this setting, for example, if you want to Default Deny but allow specific storage, you have to allow both Disk level and File system level access, you have to set AccessMask to 63.
-
- :::image type="content" source="images/148609579-a7df650b-7792-4085-b552-500b28a35885.png" alt-text="Default Allow or Default Deny PowerShell code":::
-
-5. Enable or Disable Removable Storage Access Control: you can set this value to temporarily disable Removable Storage Access Control.
-
- :::image type="content" source="images/148608318-5cda043d-b996-4146-9642-14fccabcb017.png" alt-text="Device Control settings":::
-
- - Once you deploy this setting, you will see **Enabled** or **Disabled**. Disabled means this machine does not have Removable Storage Access Control policy running.
-
- :::image type="content" source="images/148609685-4c05f002-5cbe-4aab-9245-83e730c5449e.png" alt-text="Enabled or Disabled device control in PowerShell code":::
-
-6. Set location for a copy of the file: if you want to have a copy of the file when Write access happens, you have to set the location where system can save the copy.
-
- Deploy this together with the right AccessMask and Option - see step 2 above.
-
- :::image type="content" source="../../media/define-device-control-policy-rules.png" alt-text="Group Policy - Set locaiton for file evidence":::
-
-## Deploying and managing policy via Intune OMA-URI
-
-The Removable Storage Access Control feature enables you to apply policy via OMA-URI to either user or device, or both.
+The Removable Storage Access Control feature enables you to apply policy by using OMA-URI to either user or device, or both.
### Licensing requirements
For policy deployment in Intune, the account must have permissions to create, ed
- Global administrator
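Review bot: removing the old Group Policy section drops three points that the replacement procedures in this commit do not carry: the Default Deny caveat that an allow rule must grant both disk-level and file-system-level access ("you have to set AccessMask to 63"), the note that the target machine must be able to reach the network share holding the rule and group XML files (and that the connection is no longer needed once the policy has been read), and the pointer to the WindowsDefender.admx and WindowsDefender.adml files for when the Device Control setting is not visible in Group Policy. Re-add them under the new "Deploying Removable Storage Access Control by using Group Policy" steps, or confirm they appear in the part of the moved section not shown here. Renaming the Intune heading to "Deploying and managing Removable Storage Access Control by using Intune OMA-URI" changes that anchor as well.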
-### Deploying policy via OMA-URI
-
-Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> **Devices** \> **Configuration profiles** \> **Create profile** \> **Platform: Windows 10 and later & Profile: Custom**
-
-1. For each Group, create an OMA-URI rule:
+### Deploying Removable Storage Access Control by using Intune OMA-URI
- - OMA-URI:
+Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) **> Devices > Create profile > Platform: Windows 10 and later, Profile type: Templates > Custom**
- `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**GroupGUID**%7d/GroupData`
+1. Enable or Disable Removable Storage Access Control (RSAC):<br> You can enable Removable Storage Access Control as follows:
+ - Under **Custom > Configuration settings**, click **Add**.
+ - In the **Add Row** pane, enter:
+ - **Name** as **Enable RSAC**
- For example, for **any removable storage and CD/DVD** group in the sample, the link must be:
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
- `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`
+ - **Data Type** as **Integer**
+
+ - **Value** as **1**
+
+ `Disable: 0`
+ `Enable: 1`
- - Data Type: String (XML file)
-
- :::image type="content" source="images/xml-data-type-string.png" alt-text="The Data type field in the Add Row page" lightbox="images/xml-data-type-string.png":::
-
-2. For each policy, also create an OMA-URI:
-
- - OMA-URI:
-
- `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**PolicyRuleGUID**%7d/RuleData`
-
- For example, for the **Block Write and Execute Access but allow approved USBs** rule in the sample, the link must be:
-
- `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-4402-949e-a032cb790d0e%7d/RuleData`
-
- - Data Type: String (XML file)
-
- If you want to monitor file information for Write access, use the right AccessMask with the right Option (16); here is the example of [Capture file information](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20File%20Information.xml).
-
-3. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
-
- - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
-
- - Data Type: Int
-
- `DefaultEnforcementAllow = 1`
- `DefaultEnforcementDeny = 2`
-
- - Once you deploy this setting, you will see **Default Allow** or **Default Deny**
- - Consider both Disk level and File system level AccessMask when configuring this setting, for example, if you want to Default Deny but allow specific storage, you have to allow both Disk level and File system level access, you have to set AccessMask to 63.
-
- :::image type="content" source="images/148609590-c67cfab8-8e2c-49f8-be2b-96444e9dfc2c.png" alt-text="Default Enforcement Allow PowerShell code":::
-
-4. Enable or Disable Removable Storage Access Control: you can set this value to temporarily disable Removable Storage Access Control.
-
- - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
-
- - Data Type: Int
- `Disable: 0`
- `Enable: 1`
+ - Click **Save**.
+
+ :::image type="content" source="images/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="images/enable-rsac.png":::
+
+2. Set Default Enforcement:<br>
+ You can set default access (Deny or Allow) to removable media if there is no policy. <br>
+ For example, you have either Deny or Allow policy for RemovableMediaDevices, but you do not have any policy for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Default Deny**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
+
+ - **Data Type** as **Integer**
+
+ - **Value** as **1** or **2**
+
+ `DefaultEnforcementAllow = 1`
+ `DefaultEnforcementDeny = 2`
+ - Click **Save**.
+
+ :::image type="content" source="images/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="images/default-deny.png":::
+
+3. Audit Default Deny:<br> You can create Audit policy for Default Deny as follows:
+ - In the **Add Row** pane, enter:
+ - **Name** as **Audit Default Deny**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf3520ea7-fd1b-4237-8ebc-96911db44f8e%7d/RuleData`
+ :::image type="content" source="images/audit-default-deny-1.png" alt-text="Screenshot of creating Audit Default Deny policy" lightbox="images/audit-default-deny-1.png":::
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Audit Default Deny.xml** file. <br>
+ XML file path: [mdatp-devicecontrol/Audit Default Deny.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20Default%20Deny.xml)
+ <br>Use the following XML data to create Audit policy for Default Deny:
+
+ :::image type="content" source="images/audit-default-deny-xml-file-1.png" alt-text="Screenshot of audit default deny xml file":::
+
+
+4. ReadOnly - Group: You can create removable storage group with ReadOnly access as follows:
+ - In the **Add Row** pane, enter:
+ - **Name** as **Any Removable Storage Group**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`
+ :::image type="content" source="images/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group" lightbox="images/any-removable-storage-group.png":::
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Any Removable Storage and CD-DVD and WPD Group.xml** file <br>
+ XML file path: [mdatp-devicecontrol/Any Removable Storage and CD-DVD and WPD Group.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml)<br>
+ Use the following XML data to create 'Any Removable Storage and CD-DVD and WPD Group' with ReadOnly access:
+
+ :::image type="content" source="images/read-only-group-xml-file.png" alt-text="Screenshot of read only group xml file":::
+
+
+5. ReadOnly - Policy: You can create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity as follows:
+ - In the **Add Row** pane, enter:
+ - **Name** as **Allow Read Activity**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7d/RuleData`
+ :::image type="content" source="images/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "images/allow-read-activity.png":::
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Allow Read.xml** file <br>
+ XML file path: [mdatp-devicecontrol/Allow Read.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml)<br>
+ Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group:
+ :::image type="content" source="images/read-only-policy-xml-file.png" alt-text="Screenshot of read only policy xml file":::
+
+6. Create Group for Allowed Medias: You can create allowed medias group as follows:
+ - In the **Add Row** pane, enter:
+ - **Name** as **Approved USBs Group**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b65fa649a-a111-4912-9294-fb6337a25038%7d/GroupData`
+ :::image type="content" source="images/create-group-allowed-medias.png" alt-text="Screenshot of creating Approved USBs group" lightbox="images/create-group-allowed-medias.png":::
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Approved USBs Group.xml** file <br>
+ XML file path: [mdatp-devicecontrol/Approved USBs Group.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml)<br>
+ Use the following XML data to create allowed medias group:
+ :::image type="content" source="images/create-group-allowed-medias-xml-file.png" alt-text="Screenshot of creating group for allowed medias xml file":::
+
+
+7. Create Policy to allow the approved USB Group: You can create policy to allow the approved USB group as follows:
+ - In the **Add Row** pane, enter:
+ - **Name** as **Allow access and Audit file information**
+ - **OMA-URI** as
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData`
+ :::image type="content" source="images/allow-access-audit-file-information-1.png" alt-text="Screenshot of Allow access and audit file information" lightbox= "images/allow-access-audit-file-information-1.png":::
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Allow full access and audit file.xml** file <br>
+ XML file path: [mdatp-devicecontrol/Allow full access and audit file.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20full%20access%20and%20audit%20file.xml)<br>
+ Use the following XML data to create policy to allow the approved USB group:
+ :::image type="content" source="images/create-policy-allow-approved-usb-group-xml-intune.png" alt-text="Screenshot of creating policy to allow the approved USB Group XML file":::
+
+ What ΓÇÿ47ΓÇÖ means in the policy? <br>
+ It is 9 + 2 + 36 = 47: <br>
+ Read access: 1+8 = 9 <br>
+ Write access: disk level 2 <br>
+ Execute: 4 + 32 = 36
- - Once you deploy this setting, you will see **Enabled** or **Disabled**
+## Deploying and managing policy by using Intune user interface
- **Disabled** means this machine does not have Removable Storage Access Control policy running
+(*Coming soon!*) This capability will be available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>). Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.
- :::image type="content" source="images/148609770-3e555883-f26f-45ab-9181-3fb1ff7a38ac.png" alt-text="Removeable Storage Access Control in PowerShell code":::
+## Deploying and managing Removable Storage Access Control by using Group Policy
-5. Set the location for a copy of the file: if you want to have a copy of the file when Write access happens, you have to set the location where the system can save the copy.
+The Removable Storage Access Control feature enables you to apply policy by using Group Policy to either user or device, or both.
- - OMA-URI: `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation
+### Licensing
- - Data Type: String
+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
- You have to deploy this together with the right AccessMask and the right Option - see step 2 above.
+### Deploying Removable Storage Access Control by using Group Policy
- :::image type="content" source="../../media/device-control-oma-uri-edit-row.png" alt-text="Set locaiton for file evidence":::
+1. Enable or Disable Removable Storage Access Control: <br> You can enable Removable Storage Access Control (RSAC) as follows:<br>
+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control**
+ - In the **Device Control** window, select **Enabled**.
+
+ :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::
+
+2. Set Default Enforcement: <br>
+ You can set default access (Deny or Allow) to removable media if there is no policy as follows:
+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement**
-## Deploying and managing policy by using Intune user interface
+ - In the **Select Device Control Default Enforcement** window, select **Default Deny**:
+
+ :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::
-(*Coming soon!*) This capability will be available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>). Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.
+3. Audit Default Deny: <br> Use the following XML data to create Audit policy for Default Deny:
+
+ :::image type="content" source="images/audit-default-deny-gp.png" alt-text="Screenshot of audit default deny xml data":::
+
+
+4. ReadOnly - Group: <br>
+ Use the following XML data to create removable storage group with ReadOnly access:
+
+ :::image type="content" source="images/read-only-group-gp.png" alt-text="Screen shot of Read only removable storage group xml data":::
+
+
+5. ReadOnly - Policy: <br> Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity:
+
+ :::image type="content" source="images/read-only-policy-gp.png" alt-text="Screen shot of Read only policy xml data" lightbox="images/read-only-policy-gp.png":::
+
+
+6. Create Group for Allowed Medias: <br> Use the following XML data to create removable storage allowed medias group:
+
+ :::image type="content" source="images/create-group-allowed-medias-gp.png" alt-text="Screenshot of xml data for creating group for allowed medias" lightbox="images/create-group-allowed-medias-gp.png":::
+
+
+7. Create Policy to allow the approved USB Group: <br> Use the following XML data to create a policy to allow approved USB group:
+
+ :::image type="content" source="images/create-policy-allow-approved-usb-group-xml.png" alt-text="Screenshot of XML data to create policy to allow the approved USB Group using Group Policy" lightbox="images/create-policy-allow-approved-usb-group-xml.png":::
+
+ What ΓÇÿ47ΓÇÖ means in the policy? <br>
+ It is 9 + 2 + 36 = 47: <br>
+ Read access: 1+8 = 9 <br>
+ Write access: disk level 2 <br>
+ Execute: 4 + 32 = 36
+
+8. Combine groups into one XML file: <br> You can combine device control policy groups into one XML file as follows:<br>
+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy groups**
+ :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png":::
+ - In the **Define device control policy groups** window, enter the file path containing the XML groups data. <br>
+ XML file path: [mdatp-devicecontrol/Demo_Groups.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml)<br>
+ The following is the device control policy groups xml schema:
+ :::image type="content" source="images/combine-grps-xml-file-gp.png" alt-text="Screenshot of combine groups into one XML file":::
+
+9. Combine policies into one XML file: <br> You can combine device control policy rules into one XML file as follows:<br>
+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define device control policy rules**
+ :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::
+ - In the **Define device control policy rules** window, select **Enabled**, and enter the file path containing the XML rules data. <br>
+ XML file path: [mdatp-devicecontrol/Demo_Policies.xml at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml)<br>
+ The following is the device control policy rules xml schema:
+ :::image type="content" source="images/combine-policies-xml-gp.png" alt-text="Screenshot of combine policies into one XML file":::
+
+10. Set location for a copy of the file (evidence): <br>If you want to have a copy of the file (evidence) when Write access happens, you have to set the location where system can save the copy.<br>
+ - Go to **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Device Control > Define Device Control evidence data remote location**.
+ - In the **Define Device Control evidence data remote location** window, select **Enabled** and enter the local or network share folder path. <br>
+ :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location" lightbox="images/evidence-data-remote-location-gp.png":::
## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
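Review bot: The AccessMask explanation under "What ΓÇÿ47ΓÇÖ means in the policy?" (repeated verbatim in the Intune steps and again in Group Policy step 7) never says what the individual addends stand for: Read is given as `1+8 = 9` and Execute as `4 + 32 = 36`, but only Write is labelled `disk level 2`, so an admin cannot tell which values are disk-level and which are file-level, and cannot derive a different mask (for instance a read-only one) from this text. Spell out each value once, reword the heading as a proper question with straight quotes ("What does 47 mean in the policy?") so it stops rendering as mojibake, and keep a single copy of the explanation rather than two. Two further points in this hunk: steps 1 and 2 navigate through `Microsoft Defender Antivirus > Features > Device Control`, while steps 8 to 10 use `Microsoft Defender Antivirus > Device Control` without `Features`, so one of the two paths is wrong; and every XML sample (audit Default Deny, the ReadOnly group and policy, the allowed media group, the approved USB policy, and both schemas) is supplied only as a screenshot, which cannot be copied, searched or diffed against the linked files in the mdatp-devicecontrol repo. Fenced ```xml blocks would serve admins better, and "Allowed Medias" should be "Allowed Media".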
For example, if you need two blocks of entries per user SID to "Allow"/"Audit al
2. Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
-3. If you are deploying and managing the policy via Group Policy, please make sure combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
+3. If you are deploying and managing the policy by using Group Policy, please make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
-If still not working, you may want to contact us and share support cab by running cmd with administrator: "%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles
+If it still doesn't work, you may want to contact us and share support cab by running cmd with administrator: "%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles
### There is no configuration UX for 'Define device control policy groups' and 'Define device control policy rules' on my Group Policy
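Review bot: The rewritten item 3 still ends with the awkward "keep one PolicyRule one XML file, same thing, one Group one XML file"; suggest "keep one PolicyRule per XML file and one Group per XML file". In the unchanged item 2 above it, "not using the correct markdown formatting for the "&" character in the XML file" is misleading: the issue is XML escaping of `&`, not Markdown. On the final line, put the support-collection command in backticks (`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`) and write "support .cab file" rather than "support cab".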
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
For more information on live response, see [Investigate entities on devices usin
As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker. > [!IMPORTANT]
->
->These actions are not currently supported for macOS and Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
+> These actions are not currently supported for devices running macOS or Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
To download the package (Zip file) and investigate the events that occurred on a device
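Review bot: The rewritten IMPORTANT line still lacks a terminal period after the link (`see [Investigate entities on devices using live response](live-response.md)`), unlike the otherwise identical sentence in the network-isolation note further down, which ends with one.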
The Action center will show the scan information and the device timeline will in
In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
->[!IMPORTANT]
-> - This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2016.
+> [!IMPORTANT]
+> - This action is available for devices on Windows 10, version 1709 or later, Windows 11, and Windows Server 2019 or later.
> - This feature is available if your organization uses Microsoft Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications)).
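Review bot: Changing the supported list to `Windows Server 2019 or later` drops Windows Server 2016 from restrict app execution, so any remaining Server 2016 references for this action need the same treatment (the NOTE about the notification just below still names Windows Server 2016 and 2012 R2). In the same box, the unchanged third bullet has a doubled closing parenthesis after the code-signing link: `...classic-windows-applications))`.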
When an app is restricted, the following notification is displayed to inform the
:::image type="content" source="images/atp-app-restriction.png" alt-text="The application restriction message" lightbox="images/atp-app-restriction.png":::
->[!NOTE]
->The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
+> [!NOTE]
+> The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
## Isolate devices from the network Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. > [!IMPORTANT]
-> - Isolating devices from the network is not currently supported for macOS and Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md).
+> - Isolating devices from the network is not currently supported for devices running macOS or Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md).
> - Full isolation is available for devices on Windows 10, version 1703, Windows 11, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022. > - Selective isolation is available for devices on Windows 10, version 1709 or later, and Windows 11. > - When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
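Review bot: With restrict app execution now limited to Windows Server 2019 or later, the NOTE `> The notification is not available on Windows Server 2016 and Windows Server 2012 R2.` describes platforms the action no longer supports; either drop it or restate it in terms of the versions that remain supported. In the isolation IMPORTANT box, full isolation lists `Windows 10, version 1703` with no "or later", while selective isolation says `Windows 10, version 1709 or later`; confirm whether 1703 alone was intended.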
When you have identified an unmanaged device that is compromised or potentially
### How to contain a device
-1. Go to the **Device inventory** page and select the device to contain
-2. Select **Contain device** from the actions menu in the device flyout
+1. Go to the **Device inventory** page and select the device to contain.
+
+2. Select **Contain device** from the actions menu in the device flyout.
:::image type="content" alt-text="Screenshot of the contain device popup message." source="../../media/defender-endpoint/contain_device.png" lightbox="../../media/defender-endpoint/contain_device.png":::
A device can also be contained from the device page by selecting **Contain devic
:::image type="content" alt-text="Screenshot of the contain device menu item on the device page." source="../../media/defender-endpoint/contain_device_page.png" lightbox="../../media/defender-endpoint/contain_device_page.png"::: > [!NOTE]
->It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices.
+> It can take up to 5 minutes for the details about a newly contained device to reach Microsoft Defender for Endpoint onboarded devices.
-> [!Important]
->
+> [!IMPORTANT]
> - If a contained device changes its IP address, then all Microsoft Defender for Endpoint onboarded devices will recognize this and start blocking communications with the new IP address. The original IP address will no longer be blocked (It may take up to 5 mins to see these changes).
->
> - In cases where the contained deviceΓÇÖs IP is used by another device on the network, there will be a warning while containing the device, with a link to advanced hunting (with a pre-populated query). This will provide visibility to the other devices using the same IP to help you make a conscious decision if youΓÇÖd like to continue with containing the device.
->
> - In cases where the contained device is a network device, a warning will appear with a message that this may cause network connectivity issues (for example, containing a router that is acting as a default gateway). At this point, youΓÇÖll be able to choose whether to contain the device or not.
-After you contain a device, if the behavior isn't as expected, verify the Base Filtering Engine(BFE) service is enabled on the Defender for Endpoint onboarded devices.
+After you contain a device, if the behavior isn't as expected, verify the Base Filtering Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices.
### Stop containing a device You'll be able to stop containing a device at any time.
-1. Select the device from the **Device inventory** or open the device page
-2. Select **Release from containment** from the action menu
+1. Select the device from the **Device inventory** or open the device page.
-This action will restore this device's connection to the network.
+2. Select **Release from containment** from the action menu. This action will restore this device's connection to the network.
## Consult a threat expert
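Review bot: The two timing statements in this hunk disagree in form: `> It can take up to 5 minutes for the details about a newly contained device...` versus `(It may take up to 5 mins to see these changes)` in the first IMPORTANT bullet; use "minutes" in both and lowercase "it" inside the parentheses. The BFE sentence (`verify the Base Filtering Engine (BFE) service is enabled on the Defender for Endpoint onboarded devices`) is presented as a troubleshooting afterthought, yet the bullets above make clear that it is the other onboarded devices that do the blocking, so BFE on those devices is a precondition for containment working at all; consider stating that dependency up front in "How to contain a device" so admins verify it before relying on containment.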
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
Microsoft Defender Antivirus performance analyzer has the following prerequisite
- Supported Windows versions: Windows 10, Windows 11, and Windows Server 2016 and above - Platform Version: 4.18.2108.7+-- PowerShell Version: PowerShell Version 5.1, PowerShell ISE, Remote PowerShell (4.18.2201.10+), PowerShell 7.x (4.18.2201.10+)
+- PowerShell Version: PowerShell Version 5.1, PowerShell ISE, remote PowerShell (4.18.2201.10+), PowerShell 7.x (4.18.2201.10+)
## PowerShell reference
New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl
The above command collects a performance recording and saves it to the specified path: **.\Defender-scans.etl**.
-##### Example 2: Collect a performance recording for Remote PowerShell session
+##### Example 2: Collect a performance recording for remote PowerShell session
```powershell $s = New-PSSession -ComputerName Server02 -Credential Domain01\User01
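Review bot: The retitled heading `##### Example 2: Collect a performance recording for remote PowerShell session` is still missing an article: "for a remote PowerShell session".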
New-MpPerformanceRecording -RecordTo C:\LocalPathOnServer02\trace.etl -Session $
The above command collects a performance recording on Server02 (as specified by argument $s of parameter Session) and saves it to the specified path: **C:\LocalPathOnServer02\trace.etl** on Server02. ##### Example 3: Collect a performance recording in non-interactive mode+ ```powershell
-New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl -Seconds 60
+New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl -Seconds 60
```+ The above command collects a performance recording for the duration in seconds specified by parameter -Seconds. This is recommended for users conducting batch collections that require no interaction or prompt. #### Parameters: New-MpPerformanceRecording
Accept wildcard characters: False
``` ##### -Seconds+ Specifies the duration of the performance recording in seconds. This is recommended for users conducting batch collections that require no interaction or prompt. ```yaml
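Review bot: The `-` and `+` lines for `New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl -Seconds 60` are character-for-character identical, so this is a whitespace-only change (trailing spaces or line endings); confirm it is intended rather than an editor artifact, and check that the fence around the example still closes correctly.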
Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopExtensio
```powershell Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:100 -MinDuration:100ms ```+ ##### Example 5: Using -Raw parameter ```powershell Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10 -Raw | ConvertTo-Json ```+ Using -Raw in the above command specifies that the output should be machine readable and readily convertible to serialization formats like JSON #### Parameters: Get-MpPerformanceReport
Default value: None
Accept pipeline input: True Accept wildcard characters: False ```+ ##### -Raw
-Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). This is recommended for users interested in batch processing with other data processing systems.
+Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). This is recommended for users interested in batch processing with other data processing systems.
```yaml Type: <SwitchParameter>
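Review bot: The `-` and `+` lines of the `-Raw` description are identical, so this is a whitespace-only change; while touching it, replace "via Convert-to-JSON command" with the actual cmdlet name `ConvertTo-Json`, as Example 5 above already uses (`-Raw | ConvertTo-Json`), and make the opening read "Specifies that the output of the performance recording should be machine readable".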
security Integrate Microsoft 365 Defender Secops Use Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-use-cases.md
For example, in the anti-phishing scenario example, the SOC teams could have mad
|SOC team|Requirement|People to meet requirement|Process to meet requirement|Relevant technology|Gap identified|Use case change log|Exempt (Y/N)| |||||||||
-|Threat Intelligence and Analytics team|Data sources are properly feeding the threat intelligence engines.|Threat Intelligence Analyst/Engineer|Data feed requirements established, threat intelligence triggers from approved sources|Microsoft Defender for Identity, Microsoft Defender for Endpoint|Threat Intelligence team did not use automation script to link Microsoft 365 Defender API with threat intel engines|Add Microsoft 365 Defender as data sources to threat engines <BR> <BR> Update use case run book|N|
-|Monitoring team|Data sources are properly feeding the monitoring dashboards|Tier 1,2 SOC AnalystΓÇôMonitoring & Alerts|Workflow for reporting Security & Compliance Center Secure Score|[Alerts in Security & Compliance Center](/microsoft-365/security/office-365-security/alerts) <br><br> Secure Score monitoring|No mechanism for SOC analysts to report successful new phishing variant detection to improve Secure Score <br><br> [Reporting in Security & Compliance Center](/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance)|Add a process for tracking Secure Score improvement to Reporting workflows|N|
+|Threat Intelligence and Analytics team|Data sources are properly feeding the threat intelligence engines.|Threat Intelligence Analyst/Engineer|Data feed requirements established, threat intelligence triggers from approved sources|Microsoft Defender for Identity, Microsoft Defender for Endpoint|Threat Intelligence team did not use automation script to link Microsoft 365 Defender API with threat intel engines|Add Microsoft 365 Defender as data sources to threat engines <p> Update use case run book|N|
+|Monitoring team|Data sources are properly feeding the monitoring dashboards|Tier 1,2 SOC AnalystΓÇôMonitoring & Alerts|Workflow for reporting Security & Compliance Center Secure Score|[Alerts in Security & Compliance Center](/microsoft-365/security/office-365-security/alerts) <p> Secure Score monitoring|No mechanism for SOC analysts to report successful new phishing variant detection to improve Secure Score <p> [View email security reports in the Microsoft 365 Defender portal](/microsoft-365/security/office-365-security/view-email-security-reports)|Add a process for tracking Secure Score improvement to Reporting workflows|N|
|Engineering and SecOps Team|Change control updates are made in the SOC team runbooks|Tier 2 SOC Engineer|Change Control notification procedure for SOC team runbooks|Approved changes to security devices|Changes to Microsoft 365 Defender connectivity to SOC security technology requires approval|Add Microsoft Defender for Cloud Apps, Defender for Identity, Defender for Endpoint, Security & Compliance Center to SOC runbooks|Y| Additionally, the SOC teams could have made the discoveries outlined in the table below in regard to the threat and vulnerability management scenario outlined above:
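Review bot: Replacing `<BR> <BR>` with a bare `<p>` inside table cells (`Add Microsoft 365 Defender as data sources to threat engines <p> Update use case run book`) leaves an unclosed block element in every cell that uses it, and Markdown table cells are meant to hold inline content; either keep `<br><br>` or close the paragraph. The "Tier 1,2 SOC AnalystΓÇôMonitoring & Alerts" cell also shows a mis-encoded dash in this diff; worth checking that the source file uses a consistent dash character.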
Additionally, the SOC teams could have made the discoveries outlined in the tabl
||||||||| |SOC Oversight|All assets connected to approved networks are identified and categorized|SOC Oversight, BU owners, application owners, IT asset owners, etc.|Centralized asset management system to discover and list asset category and attributes based on risk.|ServiceNow or other assets. <br><br>[Microsoft 365 Device Inventory](/microsoft-365/security/defender-endpoint/device-discovery)|Only 70% of assets have been discovered. Microsoft 365 Defender remediation tracking only effective for known assets|Mature asset lifecycle management services to ensure Microsoft 365 Defender has 100% coverage|N| |Engineering & SecOps Teams|High impact and critical vulnerabilities in assets are remediated according to policy|SecOps engineers, SOC analysts: Vulnerability & Compliance, Security Engineering|Defined process for categorizing High Risk and Critical Vulnerabilities|[Threat and Vulnerability Management Dashboards](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)|Defender for Endpoint has identified high impact, high alert devices with no remediation plan or implementation of Microsoft recommended activity|Add a workflow for notifying asset owners when remediation activity is required within 30 days per policy; Implement a ticketing system to notify asset owners of remediation steps.|N|
-|Monitoring Teams|Threat and vulnerability status is reported via company intranet portal|Tier 2 SOC analyst|Auto-generated reports from Microsoft 365 Defender showing remediation progress of assets|[Alerts in Security & Compliance Center](/microsoft-365/security/office-365-security/alerts) <br><br> Secure Score monitoring|No views or dashboard reports being communicated to asset owners regarding threat and vulnerability status of assets.|Create automation script to populate status of high risk and critical asset vulnerability remediation to the organization.|N|
+|Monitoring Teams|Threat and vulnerability status is reported via company intranet portal|Tier 2 SOC analyst|Auto-generated reports from Microsoft 365 Defender showing remediation progress of assets|[Alerts in Security & Compliance Center](/microsoft-365/security/office-365-security/alerts) <p> Secure Score monitoring|No views or dashboard reports being communicated to asset owners regarding threat and vulnerability status of assets.|Create automation script to populate status of high risk and critical asset vulnerability remediation to the organization.|N|
In these example use cases, the testing revealed several gaps in the SOC team's requirements that were established as baselines for the responsibilities of each team. The use case checklist can be as comprehensive as needed to ensure that the SOC team is prepared for the Microsoft 365 Defender integration with new or existing SOC requirements. Since this will be an iterative process, the use case development process and the use case output content will naturally serve to update and mature the SOC's runbooks with lessons learned.
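Review bot: After this change the table is internally inconsistent: the Monitoring Teams row now uses `<p>` (`[Alerts in Security & Compliance Center](...) <p> Secure Score monitoring`) while the unchanged SOC Oversight row in the same table still uses `ServiceNow or other assets. <br><br>[Microsoft 365 Device Inventory]`; pick one separator for the whole table.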
security Phishing Trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/phishing-trends.md
Business email compromise (BEC) is a sophisticated scam that targets businesses
## More information about phishing attacks
-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
+For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog):
- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) - [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
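Review bot: The blog link fix is fine, but the sentence promises "the latest phishing attacks, techniques, and trends" while both listed entries are dated 2017 in their URLs (`.../2017/01/26/...` and `.../2017/03/20/...`) and sit on the legacy cloudblogs.microsoft.com host with `?source=mmpc` tracking parameters; either refresh the list with current posts or reword the lead-in as background reading, and verify the old URLs still resolve.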
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
The reported message will be marked as a false positive or a false negative. An
> [!NOTE] > If malware filtering has replaced the message attachments with the Malware Alert Text.txt file, you need to submit the original message from quarantine that contains the original attachments. For more information on quarantine and how to release messages with malware false positives, see [Manage quarantined messages and files as an admin](manage-quarantined-messages-and-files.md).
-## View admin submissions to Microsoft
+## View email admin submissions to Microsoft
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Actions & submissions** \> **Submissions**. To go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
-2. On the **Submissions** page, verify that the **Emails**, **URL**, or **Email attachment** tab is selected.
+2. On the **Submissions** page, verify that the **Emails** tab is selected.
- You can sort the entries by clicking on an available column header. Click **Customize columns** to show a maximum of seven columns. The default values are marked with an asterisk (<sup>\*</sup>): - **Submission name**<sup>\*</sup>
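Review bot: Narrowing step 2 to `verify that the **Emails** tab is selected` and retitling the section "View email admin submissions to Microsoft" means URL and email-attachment submissions are no longer covered here; make sure the procedure for those tabs exists elsewhere and is linked, otherwise admins following the old heading lose that guidance. The column list that follows (`Click **Customize columns** to show a maximum of seven columns`) should also be checked so that it lists only the columns the Emails tab actually offers.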
On the **User reported messages** tab, select a message in the list, click **Sub
> [!div class="mx-imgBorder"] > :::image type="content" source="../../media/admin-submission-main-action-button.png" alt-text="The New options on the Action button" lightbox="../../media/admin-submission-main-action-button.png":::+
+If the message is reported to Microsoft, the **Converted to admin submission** value turns from **no** to **yes**. You can directly access the admin submission by clicking **View the converted admin submission** from the overflow menu inside the submission flyout of the respective user reported message.
+
+> [!div class="mx-imgBorder"]
+> :::image type="content" source="../../media/view-converted-admin-submission.png" alt-text="Option to view created admin submission from user reported message" lightbox="../../media/view-converted-admin-submission.png":::
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
Messages that are identified by the advanced delivery policy aren't security thr
- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Advanced delivery** page, open <https://security.microsoft.com/advanceddelivery>. -- To connect to Security & Compliance Center PowerShell, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+- To connect to Security & Compliance PowerShell, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
- You need to be assigned permissions before you can do the procedures in this article: - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **Microsoft 365 Defender portal** and a member of the **Organization Management** role group in **Exchange Online**.
In addition to the two scenarios that the advanced delivery policy can help you
- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, we ***highly recommended*** that these allowances are temporary.
-## Security & Compliance Center PowerShell procedures for SecOps mailboxes in the advanced delivery policy
+## Security & Compliance PowerShell procedures for SecOps mailboxes in the advanced delivery policy
-In Security & Compliance Center PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:
+In Security & Compliance PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:
- **The SecOps override policy**: Controlled by the **\*-SecOpsOverridePolicy** cmdlets. - **The SecOps override rule**: Controlled by the **\*-SecOpsOverrideRule** cmdlets.
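Review bot: In the unchanged bullet just above the renamed heading, `we ***highly recommended*** that these allowances are temporary` should read "we ***highly recommend***"; the triple-asterisk bold-italic emphasis is also unusual for this doc set and plain bold would do.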
Remove-SecOpsOverrideRule -Identity SecOpsOverrideRule6fed4b63-3563-495d-a481-b2
For detailed syntax and parameter information, see [Remove-SecOpsOverrideRule](/powershell/module/exchange/remove-secopsoverriderule).
-## Security & Compliance Center PowerShell procedures for third-party phishing simulations in the advanced delivery policy
+## Security & Compliance PowerShell procedures for third-party phishing simulations in the advanced delivery policy
-In Security & Compliance Center PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:
+In Security & Compliance PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:
- **The phishing simulation override policy**: Controlled by the **\*-PhishSimOverridePolicy** cmdlets. - **The phishing simulation override rule**: Controlled by the **\*-PhishSimOverrideRule** cmdlets.
security Detect And Remediate Outlook Rules Forms Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack.md
You will need to have global administrator rights to run the script because the
## How to stop and remediate the Outlook Rules and Forms attack
-If you find any evidence of either of these attacks, remediation is simple, just delete the rule or form from the mailbox. You can do this with the Outlook client or using remote PowerShell to remove rules.
+If you find any evidence of either of these attacks, remediation is simple, just delete the rule or form from the mailbox. You can do this with the Outlook client or using Exchange PowerShell to remove rules.
### Using Outlook
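Review bot: the rewritten sentence in the "How to stop and remediate" paragraph keeps the comma splice from the old line ("remediation is simple, just delete the rule or form from the mailbox"); since the line is being touched for the "Exchange PowerShell" rename anyway, split it, for example "remediation is simple: delete the rule or form from the mailbox."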
If you find any evidence of either of these attacks, remediation is simple, just
### Using PowerShell
-There are two remote PowerShell cmdlets you can use to remove or disable dangerous rules. Just follow the steps.
+There are two Exchange PowerShell cmdlets you can use to remove or disable dangerous rules. Just follow the steps.
#### Steps for mailboxes that are on an Exchange server
-1. Connect to the Exchange server using remote PowerShell. Follow the steps in [Connect to Exchange servers using remote PowerShell](/powershell/exchange/connect-to-exchange-servers-using-remote-powershell).
+1. Connect to the Exchange server using remote PowerShell or the Exchange Management Shell. Follow the steps in [Connect to Exchange servers using remote PowerShell](/powershell/exchange/connect-to-exchange-servers-using-remote-powershell) or [Open the Exchange Management Shell](/powershell/exchange/open-the-exchange-management-shell).
2. If you want to completely remove a single rule, multiple rules, or all rules from a mailbox use the [Remove-InboxRule](/powershell/module/exchange/Remove-InboxRule) cmdlet.
There are two remote PowerShell cmdlets you can use to remove or disable dangero
#### Steps for mailboxes in Exchange Online
-1. Follow the steps in [Connect to Exchange Online using PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+1. Follow the steps in [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
2. If you want to completely remove a single rule, multiple rules, or all rules from a mailbox use the [Remove-Inbox Rule](/powershell/module/exchange/Remove-InboxRule) cmdlet.
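Review bot: the link text in step 2 of the Exchange Online procedure reads `[Remove-Inbox Rule]` with a stray space; the cmdlet is `Remove-InboxRule`, which is what the link target and the on-premises step 2 above already use. Both step 2 lines also need a comma before "use" ("...or all rules from a mailbox, use the ... cmdlet").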
security Grant Access To The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center.md
For more information about the different permissions you can give to users in th
5. When you're finished, click **Save**.
-## Use Security & Compliance Center PowerShell to give another user access to the Security & Compliance Center
+## Use Security & Compliance PowerShell to give another user access to the Security & Compliance Center
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
2. Use the following syntax:
To verify that you've successfully granted access to the Security & Compliance C
- In the Security & Compliance Center, go to **Permissions** and select the role group. In the details flyout that opens, verify the members of the role group. -- In Security & Compliance Center PowerShell, replace \<RoleGroupName\> with the name of the role group, and run the following command:
+- In Security & Compliance PowerShell, replace \<RoleGroupName\> with the name of the role group, and run the following command:
```powershell Get-RoleGroupMember -Identity "<RoleGroupName>"
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
To see how to grant access to the Security & Compliance Center, check out [Give
|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <br/><br/> Insider Risk Management Temporary contribution| |**Knowledge Administrators**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Admin| |**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients|
-|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p><p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
+|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p><p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
|**Privacy Management**|Manage access control for Priva in the Microsoft Purview compliance portal.|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case| |**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p><p> Privacy Management Admin <p> View-Only Case| |**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p><p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case|
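Review bot: in the Organization Management row, the renamed "Security & Compliance PowerShell" link still points at `/powershell/module/exchange/get-rolegroupmember`, the same target as the adjacent Get-RoleGroupMember link, so the reader never reaches the connection instructions. The other pages in this update link that phrase to `/powershell/exchange/connect-to-scc-powershell`; use the same target here.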
security Secure Email Recommended Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md
You can restrict the ability for users to download attachments from Outlook on t
Here are the steps:
-1. [Connect to an Exchange Online Remote PowerShell session](/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell).
+1. [Connect to Exchange Online PowerShell](/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell).
2. If you don't already have an OWA mailbox policy, create one with the [New-OwaMailboxPolicy](/powershell/module/exchange/new-owamailboxpolicy) cmdlet. 3. If you want to allow viewing of attachments but no downloading, use this command:
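Review bot: the retitled step 1 link keeps the old nested path `/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell`, while the same article is linked as `/powershell/exchange/connect-to-exchange-online-powershell` in the Outlook rules and group-domain pages in this update; align the target so the link does not depend on a redirect.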
security Stay Informed With Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md
+
+ Title: Stay informed of upcoming changes to Microsoft Defender for Office 365 using the message center
+description: The steps to setup a weekly digest of message center activity to stay informed of changes to Microsoft Defender for Office 365.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Stay informed of upcoming changes to Microsoft Defender for Office 365 using the message center
+
+The message center is where you can learn about official service announcements and feature changes. You can read these messages in the Microsoft 365 admin center, the admin mobile app, Microsoft Planner, or receive a weekly digest in email. This guide will walk you through setting up a weekly email digest for Microsoft Defender for Office 365 changes & configuring Microsoft Planner.
+
+## What you'll need
+
+- Microsoft Defender for Office 365 Plan 1 or 2
+- Sufficient permissions (Message center reader as a minimum)
+- 5 minutes to perform the steps below.
+
+## Setting up a weekly digest of changes and notifications.
+1. Login to the **Admin Center** at https://admin.microsoft.com
+1. On the left-hand navigation, select **Show All**.
+1. Expand **Health** and press **Message Center**.
+1. On the page that loads, select **Preferences**.
+1. A flyout will appear on the right, select the **Email** tab.
+1. Ensure the email notification settings are as expected, you can select **Other e-mail addresses** if required to setup the digest to be sent to different users or a shared mailbox for example.
+1. Select the **Send me a weekly digest about services I select** box, and select the services you wish to receive information about, as a minimum you should select **Exchange Online** & **Microsoft 365 Defender**.
+1. Press **Save**.
+
+## Watch: Track your message center tasks in Planner
+[Video](https://www.microsoft.com/en-us/videoplayer/embed/RE4C7Ne)
+
+## Learn More
+[Track new and changed features in the Microsoft 365 Message center](https://docs.microsoft.com/microsoft-365/admin/manage/message-center)
+
+[Track your message center tasks in Planner](/office365/planner/track-message-center-tasks-planner)
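Review bot: a few wording and front-matter issues in this new article. The front-matter key appears as ` Title:` (indented, capitalized) while every other key is lowercase; the "Setting up a weekly digest of changes and notifications." heading ends with a period; step 1 uses "Login" as a verb ("Log in to the **Admin Center**"); and "setup" is used as a verb in both the description ("steps to setup a weekly digest") and step 6 ("to setup the digest"), where "set up" is needed. In "Learn More", the first link is an absolute `https://docs.microsoft.com/...` URL while the second is a relative path; use the relative form for both.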
security Step By Step Guide Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview.md
+
+ Title: Microsoft Defender for Office 365 step-by-step guides and how to use them
+description: What are the step-by-step-guides for Microsoft 365 Defender for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimise information overload and speed up your configuration and use.
+search.product:
+search.appverid:
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+ms.technology: mdo
++
+# Welcome to the Microsoft Defender for Office 365 step-by-step guides
+
+Microsoft Defender for Office 365 is a powerful product with a lot of capabilities. Along with that comes a lot of documentation and detail. **But sometimes you have to get a task completed *quickly*. That's when you need a step-by-step guide.**
+
+These step-by-step guides help administrators configure and use Microsoft Defender for Office 365 by reducing distracting information like how a feature might work, and other details not *directly linked to completing a process*. The guides maximize on specific steps and clicks needed to do a thing, and reduce the time taken for admins to test a feature and secure an organization.
+
+***If you learn Microsoft products best by doing***, the step-by-step guides will jumpstart configuration and testing. They are as useful for set up in a *trial subscription* as they are in *production*.
+
+## Why use Microsoft Defender for Office 365 step-by-step guides
+
+> [!IMPORTANT]
+> Admins need to be on top of prevention, detection, investigation and hunting, response and remediation, and user training to position their organization securely. The step-by-step guides touch on all of these areas so that admins can set up trials, launch quickly into production, and configure in minutes.
+>:::image type="content" source="../../../media/msft-a-graphic-showing-the-steps-to-mastering-microsoft-defender-for-office-365.png" alt-text="This graphic illustrates the areas that admins need to master in order to properly secure their organization. The step-by-step guides touch on all of these areas, so that admins can set up trials, launch quickly, and configure production in minutes.":::
+
+Beyond links to the documentation, the step-by-step guides don't concern themselves with product details (the docs around Microsoft Defender for Office 365 are thorough for when you need them).
+
+Instead, these guides are streamlined for **learning by doing**, **testing**, and **running experiments**. They're ideal for **trial subscriptions**, and will allow admins and security operators to **deploy the same logic in production**.
+
+## Examples
+
+- If you've just got Microsoft Defender for Office 365, and you want to get protected as quickly as possible use [Preset security policies](ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md).
+
+- Take advantage of additional protections designed for [members of your c-suite](protect-your-c-suite-with-priority-account-protection.md).
+
+- How do you [setup](how-to-run-attack-simulations-for-your-team.md) or [automate](how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md) a new simulation quickly and easily?
+
+- [Connect Microsoft Defender for Office 365 to Sentinel](connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md).
+
+Documentation in this format can be found under the step-by-step section in Office 365 Security. Visit the docs by using [aka.ms/step-by-step](https://aka.ms/step-by-step).
+
+**If there's a topic, task or config you'd like to see in this format, please let us know by leaving feedback. Thank you!**
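Review bot: the description mixes product names ("Microsoft 365 Defender for Office 365"); the title and body use "Microsoft Defender for Office 365", so the description should too. In the same line, "minimise" is the only British spelling in a file that otherwise uses US spelling ("organization"). In the IMPORTANT callout, the `:::image` line starts with `>:::` with no space after `>`, unlike the line above it, so the image may render outside the callout. Also "setup" in the simulation bullet is a verb ("How do you set up ... a new simulation"), "c-suite" should be "C-suite", and "The guides maximize on specific steps and clicks" reads awkwardly; "focus on the specific steps and clicks" says the same thing.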
security Turn On Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md
You can create an alert policy that notifies you and other admins when Safe Atta
### Use Security & Compliance PowerShell to create an alert policy for detected files
-If you'd rather use PowerShell to create the same alert policy as described in the previous section, [connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command:
+If you'd rather use PowerShell to create the same alert policy as described in the previous section, [connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command:
```powershell New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"
security Use Privileged Identity Management In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-privileged-identity-management-in-defender-for-office-365.md
In the Microsoft 365 Defender portal, create a custom role group that contains t
### Nest the newly created security group into the role group
-1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command:
+1. [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command:
```powershell Add-RoleGroupMember "<<Role Group Name>>" -Member "<<Azure Security Group>>"`
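Review bot: the command in the fenced block ends with a stray backtick after `"<<Azure Security Group>>"`, which will render as an unclosed inline code span or be copied into the shell by readers. The `<<...>>` placeholder style also differs from the `<RoleGroupName>` form used in the Get-RoleGroupMember example elsewhere in this update; pick one convention.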
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
For more information on what's new with other Microsoft Defender security produc
- [Video of admin experience](https://youtu.be/vnar4HowfpY) - [Video of end-user experience](https://youtu.be/s-vozLO43rI) - Other new capabilities coming to the quarantine experience are described in this blog post: [Simplifying the Quarantine experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/simplifying-the-quarantine-experience/ba-p/2676388).-- Portal redirection by default begins, redirecting users from Security & Compliance to Microsoft 365 Defender <https://security.microsoft.com>. For more on this, see: [Redirecting accounts from Office 365 Security and Compliance Center to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mdo-redirection)
+- Portal redirection by default begins, redirecting users from Security & Compliance to Microsoft 365 Defender <https://security.microsoft.com>. For more on this, see: [Redirecting accounts from Office 365 Security & Compliance Center to Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-mdo-redirection)
## August 2021
solutions Best Practices Anonymous Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/best-practices-anonymous-sharing.md
When *Anyone* sharing is enabled for your organization, the default sharing link
You can mitigate this risk by changing the default link setting to a link that only works for people inside your organization. Users who want to share with unauthenticated people would then have to specifically select that option.
-To set the default file and folder sharing link for the organization
+To set the default file and folder sharing link for the organization:
+ 1. Open the SharePoint admin center, and select <a href="https://go.microsoft.com/fwlink/?linkid=2185222" target="_blank">**Sharing**</a>. 1. Under **File and folder links**, select **Only people in your organization**.
To set the default file and folder sharing link for the organization
1. Select **Save**
-To set the default file and folder sharing link for a specific site
+To set the default file and folder sharing link for a specific site:
1. Open the SharePoint admin center, expand **Sites**, and then select <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites**</a>. 1. Select the site you want to change, and then select **Sharing**.
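Review bot: the final step of the organization-wide procedure, "1. Select **Save**", is the only step without a terminating period; add one for consistency with the surrounding steps.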
To set the default file and folder sharing link for a specific site
You can use [Microsoft Purview Data Loss Prevention (DLP)](../compliance/dlp-learn-about-dlp.md) to prevent unauthenticated sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label, retention label, or sensitive information in the file itself.
-To create a DLP rule
+To create a DLP rule:
+ 1. In the Microsoft Purview admin center, go to the [Data loss prevention page](https://compliance.microsoft.com/datalossprevention). 2. Click **Create policy**. 3. Choose **Custom** and click **Next**.
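Review bot: the DLP procedure numbers its steps explicitly (1., 2., 3.) while the two sharing-link procedures above use the repeated "1." style; the file should use one numbering convention throughout.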
To create a DLP rule
## Protect against malicious files
-When you allow anonymous users to upload files, you're at an increased risk of someone uploading a malicious file. In Microsoft 365, you can use the *Safe Attachments* feature in Defender for Office 365 to automatically scan uploaded files and quarantine files that are found to be unsafe.
-
-To turn on safe attachments
-1. Open the [ATP Safe Attachments page](https://protection.office.com/safeattachmentv2) in the Security and Compliance admin center.
-2. Click **Global settings**.
-3. Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
-
- ![Screenshot of the safe attachments setting in the Security and Compliance center.](../media/safe-attachments-setting.png)
+When you allow anonymous users to upload files, you're at an increased risk of someone uploading a malicious file. In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses (for example, in Microsoft 365 E5 or as an add-on), you can use the *Safe Attachments* feature to detonate uploaded files in a sandboxed virtual environment, and quarantine files that are found to be unsafe.
-4. Optionally turn on Safe Documents as well, and then click **Save**
+For instructions, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md).
-See [ATP for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/mdo-for-spo-odb-and-teams.md) and [Turn on ATP for SharePoint, OneDrive, and Microsoft Teams](../security/office-365-security/turn-on-mdo-for-spo-odb-and-teams.md) for additional guidance.
+If you have Microsoft 365 A5 or E5 Security licenses, you can also turn on (and use) the *Safe Documents* feature. For more information, see [Safe Documents in Microsoft 365 A5 or E5 Security](../security/office-365-security/safe-docs.md).
## Add copyright information to your files
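Review bot: the removed "See ... for additional guidance" line carried two links, and the replacement keeps only the procedure link (turn-on-mdo-for-spo-odb-and-teams.md); the conceptual overview link to `../security/office-365-security/mdo-for-spo-odb-and-teams.md` is dropped without a substitute. Since the new paragraph now describes what Safe Attachments does rather than how to enable it, keep the overview link alongside the procedure link.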
solutions Choose Domain To Create Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/choose-domain-to-create-groups.md
Some organizations use separate email domains to segment different parts of thei
If your organization needs users to create their groups in domains other than the default accepted domain of your business, you can allow this by configuring email address policies (EAPs) using PowerShell.
-Before you can run the PowerShell cmdlets, download and install a module that will let you talk to your organization. Check out [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+Before you can run the PowerShell cmdlets, download and install a module that will let you talk to your organization. Check out [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
## Example scenarios
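Review bot: the retitled sentence still describes the prerequisite as "a module that will let you talk to your organization", which is vague for a procedure that applies to Exchange Online; say what the linked article installs (the Exchange Online PowerShell module) and that it connects to your Exchange Online organization.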
solutions Configure Teams Three Tiers Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-three-tiers-protection.md
The configurations in this article align with Microsoft's recommendations for th
For more information about these tiers and capabilities recommended for each tier, see [Microsoft cloud for enterprise architects illustrations](./cloud-architecture-models.md) - ## Three tiers at a glance The following table summarizes the configurations for each tier. Use these configurations as starting point recommendations and adjust the configurations to meet the needs of your organization. You may not need every tier.
-|-|Baseline (Public)|Baseline (Private)|Sensitive|Highly sensitive|
+|&nbsp;|Baseline (Public)|Baseline (Private)|Sensitive|Highly sensitive|
|:--|:--|:--|:--|:--| |Private or public team|Public|Private|Private|Private| |Who has access?|Everybody in the organization, including B2B users.|Only members of the team. Others can request access to the associated site.|Only members of the team.|Only members of the team.|
Start by [configuring the baseline level of protection](configure-teams-baseline
[Security and compliance in Microsoft Teams](/microsoftteams/security-compliance-overview)
-[Alert policies in the security and compliance center](../compliance/alert-policies.md)
+[Alert policies](../compliance/alert-policies.md)
solutions Identity Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/identity-design-principles.md
I'm a Principal Technical Architect at the New York [Microsoft Technology Center
I typically work with 100+ customers each year. While every organization has unique characteristics, it's interesting to see trends and commonalities. For example, one trend is cross-industry interest for many customers. After all, a bank branch can also be a coffee shop and a community center.
-In my role, I focus on helping customers arrive at the best technical solution to address their unique set of business goals. Officially, I focus on Identity, Security, Privacy, and Compliance. I love the fact that these touch everything we do. It gives me an opportunity to be involved with most projects. This keeps me busy and enjoying this role.
+In my role, I focus on helping customers arrive at the best technical solution to address their unique set of business goals. Officially, I focus on Identity, Security, Privacy, and Compliance. I love the fact that these touch everything we do. It gives me an opportunity to be involved with most projects. This activity keeps me busy and enjoying this role.
I live in New York City (the best!) and really enjoy the diversity of its culture, food, and people (not traffic). I love to travel when I can and hope to see most of the world in my lifetime. I'm currently researching a trip to Africa to learn about wildlife. ## Guiding principles -- **Simple is often better**: You can do (almost) anything with technology, but it doesn't mean you should. Especially in the security space, many customers overengineer solutions. I like [this video](https://www.youtube.com/watch?v=SOQgABDSYZE) from GoogleΓÇÖs Stripe conference to underscore this point.
+- **Simple is often better**: You can do (almost) anything with technology, but it doesn't mean you should. Especially in the security space, many customers overengineer solutions. I like [this video](https://www.youtube.com/watch?v=SOQgABDSYZE) from Google's Stripe conference to underscore this point.
- **People, process, technology**: [Design for people](https://en.wikipedia.org/wiki/Human-centered_design) to enhance process, not tech first. There are no "perfect" solutions. We need to balance various risk factors and decisions will be different for each business. Too many customers design an approach that their users later avoid. - **Focus on 'why' first and 'how' later**: Be the annoying 7-yr old kid with a million questions. We can't arrive at the right answer if we don't know the right questions to ask. Lots of customers make assumptions on how things need to work instead of defining the business problem. There are always multiple paths that can be taken. - **Long tail of past best practices**: Recognize that best practices are changing at light speed. If you've looked at Azure AD more than three months ago, you're likely out of date. Everything here's subject to change after publication. ΓÇ£BestΓÇ¥ option today may not be the same six months from now.
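Review bot: the mojibake is only half fixed. The new line repairs `GoogleΓÇÖs` to `Google's`, but the unchanged context line below it still contains `ΓÇ£BestΓÇ¥` (mis-encoded curly quotes around "Best") in the "Long tail of past best practices" bullet; repair it in the same change. The same bullet list has "7-yr old kid", which should be "7-year-old kid".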
Alas, language isn't a precise tool. We often use the same word to mean differen
<br>
-When you learn to swim it's better to start in the pool and not in the middle of the ocean. I'm not trying to be technically accurate with this diagram. It's a model to discuss some basic concepts.
+When you learn to swim, it's better to start in the pool and not in the middle of the ocean. I'm not trying to be technically accurate with this diagram. It's a model to discuss some basic concepts.
In the diagram: -- Tenant = an instance of Azure AD. It is at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this to be the "[boundary](/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Azure AD B2B](/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Office 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers.-- Services/subscriptions, Level 2 in the diagram, belong to one and only one tenant. Most SaaS services are 1:1 and can't move without migration. Azure is different, you can [move billing](/azure/cost-management-billing/manage/billing-subscription-transfer) and/or a [subscription](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to another tenant. There are many customers that need to move Azure subscriptions. This has various implications. Objects that exist outside of the subscription do not move (for example, role-based access control, or Azure RBAC, and Azure AD objects including groups, apps, policies, and so on). Also, some services (such as Azure Key Vault, Data Bricks, and so on). Don't migrate services without a good business need. Some scripts that can be helpful for migration are [shared on GitHub](https://github.com/lwajswaj/azure-tenant-migration).-- A given service usually has some sort of "sublevel" boundary, or Level 3 (L3). This is useful to understand for segregation of security, policies, governance, and so on. Unfortunately, there's no uniform name that I know of. 
Some examples names for L3 are: Azure Subscription = [resource](/azure/azure-resource-manager/management/manage-resources-portal); Dynamics 365 CE = [instance](/dynamics365/admin/new-instance-management); Power BI = [workspace](/power-bi/service-create-the-new-workspaces); Power Apps = [environment](/power-platform/admin/environments-overview); and so on.
+- Tenant = an instance of Azure AD. It's at the "top" of a hierarchy, or Level 1 in the diagram. We can consider this level to be the "[boundary](/azure/active-directory/users-groups-roles/licensing-directory-independence)" where everything else occurs ([Azure AD B2B](/azure/active-directory/b2b/what-is-b2b) aside). All Microsoft enterprise cloud services are part of one of these tenants. Consumer services are separate. "Tenant" appears in documentation as Office 365 tenant, Azure tenant, WVD tenant, and so on. I often find these variations cause confusion for customers.
+- Services/subscriptions, Level 2 in the diagram, belong to one and only one tenant. Most SaaS services are 1:1 and can't move without migration. Azure is different, you can [move billing](/azure/cost-management-billing/manage/billing-subscription-transfer) and/or a [subscription](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to another tenant. There are many customers that need to move Azure subscriptions. This scenario has various implications. Objects that exist outside of the subscription don't move. For example, role-based access control (Azure RBAC), Azure AD objects (groups, apps, policies, etc.), and some services (Azure Key Vault, Data Bricks, etc.). Don't migrate services without a good business need. Some scripts that can be helpful for migration are [shared on GitHub](https://github.com/lwajswaj/azure-tenant-migration).
+- A given service usually has some sort of "sublevel" boundary, or Level 3 (L3). This boundary is useful to understand for segregation of security, policies, governance, and so on. Unfortunately, there's no uniform name that I know of. Some examples names for L3 are: Azure Subscription = [resource](/azure/azure-resource-manager/management/manage-resources-portal); Dynamics 365 CE = [instance](/dynamics365/admin/new-instance-management); Power BI = [workspace](/power-bi/service-create-the-new-workspaces); Power Apps = [environment](/power-platform/admin/environments-overview); and so on.
- Level 4 is where the actual data lives. This 'data plane' is a complex article. Some services are using Azure AD for RBAC, others aren't. I'll discuss it a bit when we get to delegation articles.
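Review bot: the rewritten L3 bullet still carries the typo "Some examples names for L3 are" from the removed text; change it to "Some example names for L3 are". In the same run, "Data Bricks" in the rewritten Level 2 bullet should be the product name "Azure Databricks", and the unchanged Level 4 line reads "This 'data plane' is a complex article" where "topic" is clearly meant (the same article-for-topic substitution shows up later in "a debate article" and "a large and fun article"); worth fixing while these paragraphs are being touched.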
-Some additional concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following:
+Some additional concepts that I find many customers (and Microsoft employees) are confused about or have questions about include the following issues:
- Anyone can [create](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) many tenants at [no cost](https://azure.microsoft.com/pricing/details/active-directory/). You don't need a service provisioned within it. I have dozens. Each Tenant name is unique in Microsoft's worldwide cloud service (in other words, no two tenants can have the same name). They all are in the format of TenantName.onmicrosoft.com. There are also processes that create Tenants automatically ([unmanaged tenants](/azure/active-directory/users-groups-roles/directory-self-service-signup)). For example, this can occur when a user signs up for an enterprise service with an email domain that doesn't exist in any other tenant. - In a managed tenant, many [DNS domains](/azure/active-directory/fundamentals/add-custom-domain) can be registered in it. This doesn't change the original tenant name. There's currently no easy way to rename a tenant (other than migration). Although the tenant name is technically not critical these days, some may find this to be limiting. - You should reserve a tenant name for your organization even if you aren't yet planning to deploy any services. Otherwise somebody can take it from you and there's no simple process to take it back (same problem as DNS names). I hear this way too often from customers. What your tenant name should be is a debate article as well. - If you own DNS namespace(s), you should add all of these to your tenant(s). Otherwise one could create an [unmanaged tenant](/azure/active-directory/users-groups-roles/directory-self-service-signup) with this name, which then causes disruption to [make it managed](/azure/active-directory/users-groups-roles/domains-admin-takeover). - DNS namespace (such as contoso.com) can belong to one and only one Tenant. This has implications for various scenarios (for example, sharing an email domain during a merger or acquisition, and so on). 
There's a way to register a DNS sub (such as div.contoso.com) in a different tenant, but that should be avoided. By registering a top-level domain name, all subdomains are assumed to belong to the same tenant. In multi-tenant scenarios (see below) I would normally recommend using another top-level domain name (such as contoso.ch or ch-contoso.com).-- Who should "own" a tenant? I often see customers that do not know who currently owns their tenant. This is a big red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant will contain all services that you may want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This doesn't scale for large organizations.
+- Who should "own" a tenant? I often see customers that do not know who currently owns their tenant. This lack of knowledge is a big red flag. Call Microsoft support ASAP. Just as problematic is when a service owner (often an Exchange administrator) is designated to manage a tenant. The tenant will contain all services that you may want in the future. The tenant owner should be a group that can make decision for enablement of all cloud services in an organization. Another problem is when a tenant owner group is asked to manage all services. This doesn't scale for large organizations.
- There's no concept of a sub/super tenant. For some reason, this myth keeps repeating itself. This applies to [Azure AD B2C](/azure/active-directory-b2c/) tenants as well. I hear too many times, "My B2C environment is in my XYZ Tenant," or "How do I move my Azure tenant into my Office 365 tenant?"-- This document mostly focuses on the commercial worldwide cloud as this is what most customers are using. It sometimes useful to know about [sovereign clouds](/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have additional implications to discuss which are out of scope for this discussion.
+- This document mostly focuses on the commercial worldwide cloud, because that's what most customers are using. It sometimes useful to know about [sovereign clouds](/azure/active-directory/develop/authentication-national-cloud). Sovereign clouds have additional implications to discuss which are out of scope for this discussion.
## Baseline identity articles
There's much documentation about Microsoft's identity platform ΓÇô Azure Active
### Provisioning
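Review bot: the rewritten sovereign-clouds bullet still lacks a verb: "It sometimes useful to know about sovereign clouds" should read "It's sometimes useful", which also matches the contraction style this change applies elsewhere. In the unchanged DNS bullet above it, "register a DNS sub (such as div.contoso.com)" should say "DNS subdomain", and "make decision for enablement of all cloud services" in the rewritten tenant-owner bullet reads better as "make decisions about enabling all cloud services".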
-Azure AD doesn't solve for lack of governance in your identity world! [Identity governance](/azure/active-directory/governance/identity-governance-overview) should be a critical element independent of any cloud decisions. Governance requirements change over time, which is why it is a program and not a tool.
+Azure AD doesn't solve for lack of governance in your identity world! [Identity governance](/azure/active-directory/governance/identity-governance-overview) should be a critical element independent of any cloud decisions. Governance requirements change over time, which is why it's a program and not a tool.
[Azure AD Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) vs. [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) vs. something else (third party or custom)? Save yourself a lot of headache now and in the future and go with Azure AD Connect. There are all kinds of smarts in this tool to address peculiar customer configurations and ongoing innovations.
Some edge cases that may drive towards a more complex architecture:
- I have multiple AD forests without network connectivity between these. There's a new option called [Cloud Provisioning](/azure/active-directory/cloud-provisioning/what-is-cloud-provisioning). - I don't have Active Directory, nor do I want to install it. Azure AD Connect can be configures to [sync from LDAP](/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-tools-comparison) (partner may be required).-- I need to provision the same objects to multiple tenants. This isn't technically supported but depends on definition of "same."
+- I need to provision the same objects to multiple tenants. This scenario isn't technically supported but depends on definition of "same."
Should I customize default synchronization rules ([filter objects](/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering), [change attributes](/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized), [alternate login ID](/azure/active-directory/hybrid/plan-connect-userprincipalname), and so on)? Avoid it! An identity platform is only as valuable as the services that use it. While you can do all kinds of nutty configurations, to answer this question you need to look at the impact on applications. If you filter mail-enabled objects, then the GAL for online services will be incomplete; if the application relies on specific attributes, filtering these will have unpredictable impact; and so on. It's not an identity team decision.
I often walk customers through client authentication flow to clarify some miscon
![Example whiteboard conversation.](../media/solutions-architecture-center/identity-beyond-whiteboard-example.png)
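Review bot: the unchanged bullet beside the rewritten "same objects to multiple tenants" item has a typo, "Azure AD Connect can be configures to sync from LDAP", which should be "configured"; since this list is already being edited, fix it in the same change. The rewritten bullet itself would read better as "depends on the definition of 'same.'"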
-This type of whiteboard drawing illustrates where security policies are applied within the flow of an authentication request. In this example, policies enforced through Active Directory Federation Service (AD FS) are applied to the first service request, but not subsequent service requests. This is at least one reason to move security controls to the cloud as much as possible.
+This type of whiteboard drawing illustrates where security policies are applied within the flow of an authentication request. In this example, policies enforced through Active Directory Federation Service (AD FS) are applied to the first service request, but not subsequent service requests. This behavior is at least one reason to move security controls to the cloud as much as possible.
We've been chasing the dream of [single sign-on](/azure/active-directory/manage-apps/what-is-single-sign-on) (SSO) for as long as I can remember. Some customers believe they can achieve this by choosing the "right" federation (STS) provider. Azure AD can help significantly to [enable SSO](/azure/active-directory/manage-apps/plan-sso-deployment) capabilities, but no STS is magical. There are too many "legacy" authentication methods that are still used for critical applications. Extending Azure AD with [partner solutions](/azure/active-directory/saas-apps/tutorial-list) can address many of these scenarios. SSO is a strategy and a journey. You can't get there without moving towards [standards for applications](/azure/active-directory/develop/v2-app-types). Related to this article is a journey to [passwordless](/azure/active-directory/authentication/concept-authentication-passwordless) authentication, which also doesn't have a magical answer.
Of course, in addition to Azure AD, various services and applications have their
### Audit
-Azure AD has detailed [audit and reporting](/azure/active-directory/reports-monitoring/) capabilities. However, this is usually not the only source of information needed to make security decisions. See more discussion on this in the delegation section.
+Azure AD has detailed [audit and reporting](/azure/active-directory/reports-monitoring/) capabilities. However, these reports are usually not the only source of information needed to make security decisions. See more discussion on this in the delegation section.
## There's no Exchange
Read about [Microsoft Fluid Framework](https://techcommunity.microsoft.com/t5/mi
Overall, it's becoming harder to draw a clear line between Office 365 and other services in Microsoft clouds. I view it as a great benefit to customers since they can benefit from total innovation across everything we do even if they use one component. Pretty cool and has far reaching implications for many customers.
-Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I am totally happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which cloud kind of is) removes certain repetitive manual jobs (look what happened to factories). However, these are replaced with more complex requirements to understand cross-services interaction, impact, business needs, and so on. If you are willing to [learn](/learn/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures.
+Today, I find many customer IT groups are structured around "products." It's logical for an on-premises world since you need an expert for each specific product. However, I'm totally happy that I don't have to debug an Active Directory or Exchange database ever again as these services have moved to the cloud. Automation (which cloud kind of is) removes certain repetitive manual jobs (look what happened to factories). However, these tasks are replaced with more complex requirements to understand cross-services interaction, impact, business needs, and so on. If you are willing to [learn](/learn/), there are great opportunities enabled by cloud transformation. Before jumping into technology, I often talk to customers about managing change in IT skills and team structures.
-To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint online?" Use [Power Automate](/power-automate/) (or Flow) for workflow, it is a much more powerful platform. Use [Azure Bot Framework](/azure/bot-service/) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring]().
+To all SharePoint fan-people and developers, please stop asking "How can I do XYZ in SharePoint online?" Use [Power Automate](/power-automate/) (or Flow) for workflow, it's a much more powerful platform. Use [Azure Bot Framework](/azure/bot-service/) to create a better UX for your 500-K item list. Start using [Microsoft Graph](https://developer.microsoft.com/graph/) instead of CSOM. [Microsoft Teams](/MicrosoftTeams/Teams-overview) includes SharePoint but also a world more. There are many other examples I can list. There's a vast and wonderful universe out there. Open the door and [start exploring]().
The other common impact is in the compliance area. This cross-services approach seems to completely confuse many compliance policies. I keep seeing organizations that state, "I need to journal all email communications to an eDiscovery system." What does this really mean when email is no longer just email but a window into other services? Office 365 has a comprehensive approach for [compliance](../compliance/index.yml), but changing people and processes are often much more difficult than technology.
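Review bot: the rewritten SharePoint paragraph keeps a link with an empty target, "[start exploring]()", which renders as a dead link; either supply the intended URL or drop the link markup. Minor: "your 500-K item list" should be "your 500K-item list".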
-There are many other people and process implications. In my opinion, this is a critical and under-discussed area. Perhaps more in another article.
+There are many other people and process implications. In my opinion, this factor is a critical and under-discussed area. Perhaps more in another article.
## Tenant structure options
In general, most customers should have only one production tenant. There are man
Many customers end-up with multiple production tenants after a merger and acquisition (M&A) and want to consolidate. Today that's not simple and would require Microsoft Consulting Services (MCS) or a partner plus third-party software. There's ongoing engineering work to address various scenarios with multi-tenant customers in the future.
-Some customers choose to go with more than one tenant. This should be a very careful decision and almost always business reason driven! Some examples include the following:
+Some customers choose to go with more than one tenant. This should be a very careful decision and almost always business reason driven! Some examples include the following reasons:
- A holding type company structure where easy collaboration between different entities is not required and there's strong administrative and other isolation needs. - After an acquisition, a business decision is made to keep two entities separate.
In these multi-tenant scenarios, customers often want to keep some configuration
To [Multi-Geo](../enterprise/microsoft-365-multi-geo.md) or not to Multi-Geo, that is the question. With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet [data residency](../enterprise/o365-data-locations.md) requirements. There are many misconceptions about this capability. Keep the following in mind: - It doesn't to provide performance benefits. It could make performance worse if the [network design](https://aka.ms/office365networking) is not correct. Get devices "close" to the Microsoft network, not necessarily to your data.-- It is not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR doesn't focus on data sovereignty or storage locations. There are other compliance frameworks for that.
+- It's not a solution for [GDPR compliance](https://www.microsoft.com/trust-center/privacy/gdpr-overview). GDPR doesn't focus on data sovereignty or storage locations. There are other compliance frameworks for that.
- It doesn't solve delegation of administration (see below) or [information barriers](../compliance/information-barriers.md).-- It is not the same as multi-tenant and requires additional [user provisioning](https://github.com/MicrosoftDocs/azure-docs-pr/blob/master/articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md) workflows.
+- It's not the same as multi-tenant and requires additional [user provisioning](https://github.com/MicrosoftDocs/azure-docs-pr/blob/master/articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md) workflows.
- It doesn't [move your tenant](../enterprise/moving-data-to-new-datacenter-geos.md) (your Azure AD) to another geography. ## Delegation of administration
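Review bot: the rewritten user-provisioning bullet links to https://github.com/MicrosoftDocs/azure-docs-pr/..., a private source repository that public readers cannot open; point it at the published page instead (following the pattern of the other hybrid links on this page, that would be /azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation). In the unchanged first bullet of the same Multi-Geo list, "It doesn't to provide performance benefits" should be "It doesn't provide performance benefits".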
-In most large organizations, separation of duties and role-based access control (RBAC) is a necessary reality. I am going to apologize ahead of time. This is not as simple as some customers want it to be. Customer, legal, compliance, and other requirements are different and sometimes conflicting around the world. Simplicity and flexibility are often on opposite sides of each other. Don't get me wrong, we can do a better job at this. There have been (and will be) significant improvements over time. Visit your local [Microsoft Technology Center](https://www.microsoft.com/mtc) to work out the model that fits your business requirements without reading 379230 docs! Here, I'll focus on what you should think about and not why it is this way. Below are five different areas to plan for and some of the common questions I've encountered.
+In most large organizations, separation of duties and role-based access control (RBAC) is a necessary reality. I'm going to apologize ahead of time. This activity is not as simple as some customers want it to be. Customer, legal, compliance, and other requirements are different and sometimes conflicting around the world. Simplicity and flexibility are often on opposite sides of each other. Don't get me wrong, we can do a better job at this. There have been (and will be) significant improvements over time. Visit your local [Microsoft Technology Center](https://www.microsoft.com/mtc) to work out the model that fits your business requirements without reading 379230 docs! Here, I'll focus on what you should think about and not why it's this way. Below are five different areas to plan for and some of the common questions I've encountered.
### Azure AD and Microsoft 365 admin centers
-There's a long and growing list of [built-in roles](/azure/active-directory/roles/permissions-reference). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively you can see a more human readable version of these in the Microsoft 365 Admin Center. The definitions for built-in roles cannot be modified. I generally, group these into three categories:
+There's a long and growing list of [built-in roles](/azure/active-directory/roles/permissions-reference). Each role consists of a list of role permissions grouped together to allow specific actions to be performed. You can see these permissions in the "Description" tab inside each role. Alternatively, you can see a more human readable version of these permissions in the Microsoft 365 Admin Center. The definitions for built-in roles cannot be modified. I generally, group these roles into three categories:
- **Global administrator**: This "all powerful" role should be [highly protected](../enterprise/protect-your-global-administrator-accounts.md) just like you would in other systems. Typical recommendations include: no permanent assignment and use Azure AD Privileged Identity Management (PIM); strong authentication; and so on. Interestingly, this role doesn't give you access to everything by default. Typically, I see confusion about compliance access and Azure access, discussed later. However, this role can always assign access to other services in the tenant.-- **Specific service admins**: Some services (Exchange, SharePoint, Power BI, and so on) consume high-level administration roles from Azure AD. This isn't consistent across all services and there are more service-specific roles discussed later.-- **Functional**: There's a long (and growing) list of roles focused on specific operations (guest inviter, and so on). Periodically, more of these are added based on customer needs.
+- **Specific service admins**: Some services (Exchange, SharePoint, Power BI, and so on) consume high-level administration roles from Azure AD. This behavior isn't consistent across all services and there are more service-specific roles discussed later.
+- **Functional**: There's a long (and growing) list of roles focused on specific operations (guest inviter, and so on). Periodically, more of these roles are added based on customer needs.
-It is not possible to delegate everything (although the gap is decreasing), which means the Global admin role would need to be used sometimes. Configuration-as-code and automation should be considered instead of people membership of this role.
+It's not possible to delegate everything (although the gap is decreasing), which means the Global admin role would need to be used sometimes. Configuration-as-code and automation should be considered instead of people membership of this role.
**Note**: The Microsoft 365 admin center has a more user-friendly interface but has subset of capabilities compared to the Azure AD admin experience. Both portals use the same Azure AD roles, so changes are occurring in the same place. Tip: if you want an identity-management focused admin UI without all the Azure clutter, use <https://aad.portal.azure.com>. What's in the name? Don't make assumptions from the name of the role. Language is not a very precise tool. The goal should be to define operations that need to be delegated before looking at what roles are needed. Adding somebody to the "Security Reader" role doesn't make them see security settings across everything.
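Review bot: the rewritten categories sentence keeps a stray comma, "I generally, group these roles into three categories:"; drop it. In the rewritten delegation sentence, "Configuration-as-code and automation should be considered instead of people membership of this role" is awkward; "instead of standing membership in this role" says what is meant and ties back to the "no permanent assignment" advice in the Global administrator bullet above.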
-The ability to create [custom roles](/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This is limited in Azure AD today (see below) but will grow in capabilities over time. I think of these as applicable to functions in Azure AD and may not span "down" the hierarchy model (discussed above). Whenever I deal with "custom," I tend to go back to my principal of "simple is better."
+The ability to create [custom roles](/azure/active-directory/users-groups-roles/roles-custom-overview) is a common question. This capability is limited in Azure AD today (see below) but will grow in capabilities over time. I think of these custom roles as applicable to functions in Azure AD and may not span "down" the hierarchy model (discussed above). Whenever I deal with "custom," I tend to go back to my principal of "simple is better."
-Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](/azure/active-directory/users-groups-roles/directory-administrative-units) (AU) are intended to address this. Like above, I think of these as applicable to functions in Azure AD and may not span "down." Of course, certain roles don't make sense to scope (global admins, service admins, and so on).
+Another common question is ability to scope roles to a subset of a directory. One example is something like "Helpdesk Administrator for users in EU only." [Administrative Units](/azure/active-directory/users-groups-roles/directory-administrative-units) (AU) are intended to address this. Like above, I think of these scopes as applicable to functions in Azure AD and may not span "down." Of course, certain roles don't make sense to scope (global admins, service admins, and so on).
-Today, all these roles require direct membership (or dynamic assignment if you use [Azure AD PIM](/azure/active-directory/privileged-identity-management/)). This means customers must manage these directly in Azure AD and these cannot be based on a security group membership. I'm not a fan of creating scripts to manage these as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this over time.
+Today, all these roles require direct membership (or dynamic assignment if you use [Azure AD PIM](/azure/active-directory/privileged-identity-management/)). This means customers must manage these directly in Azure AD, and these roles cannot be based on a security group membership. I'm not a fan of creating scripts to manage these roles as it would need to run with elevated rights. I generally recommend API integration with process systems like ServiceNow or using partner governance tools like Saviynt. There's engineering work going on to address this over time.
-I mentioned [Azure AD PIM](/azure/active-directory/privileged-identity-management/) a few times. There's a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) (PAWs) and [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This is usually part of a larger discussion for securing an environment.
+I mentioned [Azure AD PIM](/azure/active-directory/privileged-identity-management/) a few times. There's a corresponding Microsoft Identity Manager (MIM) [Privileged Access Management](/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services) (PAM) solution for on-premises controls. You might also want to look at [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) (PAWs) and [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview). There are various third-party tools as well, which can enable just-in-time, just-enough, and dynamic role elevation. This capability is usually part of a larger discussion for securing an environment.
Sometimes scenarios call for adding an external user to a role (see the multi-tenant section, above). This works just fine. [Azure AD B2B](/azure/active-directory/b2b/) is another large and fun article to walk customers through, perhaps in another article.
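Review bot: "my principal of 'simple is better'" in the rewritten custom-roles paragraph should be "principle"; the homophone survived the edit. Also in this run: "Another common question is ability to scope roles" needs "the ability", and "I'm not a fan of creating scripts to manage these roles as it would need to run with elevated rights" should agree in number ("as they would need to run").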
-### Security and Compliance Center (SCC)
+### Microsoft 365 Defender and Microsoft 365 Purview compliance portals
-[Permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md) are a collection of "role groups", which are separate and distinct from Azure AD roles. This can be confusing because some of these role groups have the same name as Azure AD roles (for example, Security Reader), yet they can have different membership. I prefer the use of Azure AD roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Azure AD, which are email enabled objects. Also, you can create a role group with the same name as a role, which may or may not contain that role (avoid this confusion).
+**Email & Collaboration roles** in the [Microsoft 365 Defender portal](../security/office-365-security/permissions-microsoft-365-security-center.md) and ***Role groups for Microsoft Purview solutions** in the [Microsoft 365 Purview compliance portal](../compliance/microsoft-365-compliance-center-permissions.md) are a collection of "role groups", which are separate and distinct from Azure AD roles. This can be confusing because some of these role groups have the same name as Azure AD roles (for example, Security Reader), yet they can have different membership. I prefer the use of Azure AD roles. Each role group consists of one or more "roles" (see what I mean about reusing the same word?) and have members from Azure AD, which are email enabled objects. Also, you can create a role group with the same name as a role, which may or may not contain that role (avoid this confusion).
-In a sense, these are an evolution of the Exchange role groups model. However, Exchange Online has its own [role group management](/exchange/permissions-exo) interface. Some role groups in Exchange Online are locked and managed from Azure AD or the Security & Compliance Center, but others might have the same or similar names and are managed in Exchange Online (adding to the confusion). I recommend you avoid using the Exchange Online user interface unless you need scopes for Exchange management.
+In a sense, these permissions are an evolution of the Exchange role groups model. However, Exchange Online has its own [role group management](/exchange/permissions-exo) interface. Some role groups in Exchange Online are locked and managed from Azure AD or the Microsoft 365 Defender and Microsoft 365 Purview compliance portals, but others might have the same or similar names and are managed in Exchange Online (adding to the confusion). I recommend you avoid using the Exchange Online user interface unless you need scopes for Exchange management.
-You can't create custom roles. Roles are defined by services created by Microsoft and will grow as new services are introduced. This is similar in concept to [roles defined by applications](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Azure AD. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](../compliance/insider-risk-management-configure.md).
+You can't create custom roles. Roles are defined by services created by Microsoft and will grow as new services are introduced. This behavior is similar in concept to [roles defined by applications](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in Azure AD. When new services are enabled, often new role groups need to be created in order to grant or delegate access to these (for example, [insider risk management](../compliance/insider-risk-management-configure.md).
-These role groups also require direct membership and cannot contain Azure AD groups. Unfortunately, today these role groups aren't supported by Azure AD PIM. Like Azure AD roles, I tend to recommend management of these through APIs or a partner governance product like Saviynt, or others.
+These role groups also require direct membership and cannot contain Azure AD groups. Unfortunately, today these role groups aren't supported by Azure AD PIM. Like Azure AD roles, I tend to recommend management of these role groups through APIs or a partner governance product like Saviynt, or others.
-Security & Compliance Center roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Azure AD). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Security & Compliance Center, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](../compliance/create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Security & Compliance Center. Some specific services support subdelegation (see below).
-
-It's worth noting that controls currently managed through the Security & Compliance Center (protection.office.com) are in the process of being migrated to two separate admin portals: security.microsoft.com and compliance.microsoft.com. Change is the only constant!
+Microsoft 365 Defender portal and Microsoft 365 Purview compliance portal roles span Microsoft 365 and you can't scope these role groups to a subset of the environment (like you can with administrative units in Azure AD). Many customers ask how they can subdelegate. For example, "create a DLP policy only for EU users." Today, if you have rights to a specific function in the Microsoft 365 Defender and Microsoft 365 Purview compliance portals, you have rights to everything covered by this function in the tenant. However, many policies have capabilities to target a subset of the environment (for example, "make these [labels](../compliance/create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) available only to these users"). Proper governance and communication are a key component to avoid conflicts. Some customers choose to implement a "configuration as code" approach to address subdelegation in the Microsoft 365 Defender and Microsoft 365 Purview compliance portals. Some specific services support subdelegation (see below).
### Service Specific
-As stated earlier, many customers are looking to achieve a more granular delegation model. A common example: ΓÇ£Manage XYZ service only for Division X users and locationsΓÇ¥ (or some other dimension). The ability to do this depends on each service and is not consistent across services and capabilities. In-addition, each service may have a separate and unique RBAC model. Instead of discussing all of these (it will take forever), I am adding relevant links for each service. This is not a complete list, but it will get you started.
+As stated earlier, many customers are looking to achieve a more granular delegation model. A common example: ΓÇ£Manage XYZ service only for Division X users and locationsΓÇ¥ (or some other dimension). The ability to do this depends on each service and is not consistent across services and capabilities. In-addition, each service may have a separate and unique RBAC model. Instead of discussing all of these models (it will take forever), I'm adding relevant links for each service. This list is not complete, but it will get you started.
- **Exchange Online** - (/exchange/permissions-exo/permissions-exo) - **SharePoint Online** - (/sharepoint/manage-site-collection-administrators)
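Review bot: the rewritten line `+You can't create custom roles. ...` still ends on an unbalanced parenthesis: `(for example, [insider risk management](../compliance/insider-risk-management-configure.md).` opens a parenthesis that is never closed, so close it while the line is being touched: `...(for example, [insider risk management](../compliance/insider-risk-management-configure.md)).` In the replacement for the Security & Compliance Center paragraph, the name "Microsoft 365 Purview compliance portal" does not match the name used further down this same change (the monitor-respond and groups-expiration hunks say "Microsoft Purview compliance portal"); settle on the latter everywhere. Minor, in the Service Specific paragraph: `In-addition` carries a stray hyphen and should be `In addition`.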
As stated earlier, many customers are looking to achieve a more granular delegat
### Activity Logs
-Office 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). ItΓÇÖs a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but donΓÇÖt read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Audit (Premium)](../compliance/advanced-audit.md).
+Office 365 has a [unified audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). It's a very [detailed log](/office/office-365-management-api/office-365-management-activity-api-schema), but don't read too much into the name. It may not contain everything you want or need for your security and compliance needs. Also, some customers are really interested in [Audit (Premium)](../compliance/advanced-audit.md).
-Examples of Microsoft 365 logs that are accessed through other APIs include the following:
+Examples of Microsoft 365 logs that are accessed through other APIs include the following features:
- [Azure AD](/azure/azure-monitor/platform/diagnostic-settings) (activities not related to Office 365) - [Exchange Message Tracking](/powershell/module/exchange/get-messagetrace)
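Review bot: `+Examples of Microsoft 365 logs that are accessed through other APIs include the following features:` makes the sentence inaccurate; the bullets it introduces (Azure AD diagnostic settings, Exchange message tracking) are logs and the APIs that expose them, not features. If the bare `the following:` is being avoided for a style rule, `the following logs:` keeps the meaning.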
Many large customers want to transfer this log data to a third-party system (for
### Azure
-I am often asked if there's a way to separate high-privilege roles between Azure AD, Azure, and SaaS (ex.: Global Administrator for Office 365 but not Azure). Not really. Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (see above). All these services are part of the same security/identity boundary (look at the hierarchy model above).
+I'm often asked if there's a way to separate high-privilege roles between Azure AD, Azure, and SaaS (ex.: Global Administrator for Office 365 but not Azure). Not really. Multi-tenant architecture is needed if complete administrative separation is required, but that adds significant [complexity](https://aka.ms/multi-tenant-user) (see above). All these services are part of the same security/identity boundary (look at the hierarchy model above).
-It's important to understand relationships between various services in the same tenant. I am working with many customers that are building business solutions that span Azure, Office 365, and Power Platform (and often also on-premises and third-party cloud services). One common example:
+It's important to understand relationships between various services in the same tenant. I'm working with many customers that are building business solutions that span Azure, Office 365, and Power Platform (and often also on-premises and third-party cloud services). One common example:
1. I want to collaborate on a set of documents/images/etc (Office 365) 2. Send each one of them through an approval process (Power Platform)
-3. After all components are approved, assemble these into a unified deliverable(s) (Azure)
-[Microsoft Graph API](/azure/active-directory/develop/microsoft-graph-intro) is your best friend for these. Not impossible, but significantly more complex to design a solution spanning [multiple tenants](/azure/active-directory/develop/single-and-multi-tenant-apps).
+3. After all components are approved, assemble these items into a unified deliverable(s) (Azure)
+[Microsoft Graph API](/azure/active-directory/develop/microsoft-graph-intro) is your best friend here. Not impossible, but significantly more complex to design a solution spanning [multiple tenants](/azure/active-directory/develop/single-and-multi-tenant-apps).
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can manage access to resources by granting users the fewest permissions needed to perform their jobs. Details are out of scope for this document, but for more information on RBAC, see [What is role-based access control (RBAC) in Azure?](/azure/role-based-access-control/overview) RBAC is important but only part of the governance considerations for Azure. [Cloud Adoption Framework](/azure/cloud-adoption-framework/govern/) is a great starting point to learn more. I like how my friend, [Andres Ravinet](https://www.linkedin.com/in/andres-ravinet/), walks customers step by step though various components to decide on the approach. High-level view for various elements (not as good as the process to get to actual customer model) is something like this:
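Review bot: in `+3. After all components are approved, assemble these items into a unified deliverable(s) (Azure)` the singular article clashes with the optional plural (`a unified deliverable(s)`); `into one or more unified deliverables` reads cleanly. Since this paragraph is already in the diff, the unchanged sentence that follows it, `walks customers step by step though various components`, has a typo (`though` for `through`) that could be fixed in the same commit.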
As you can see from above picture, many other services should be considered as p
## Conclusion
-Started as a short summary, ended-up longer than I expected. I hope you are now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There's no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there!
+Started as a short summary, ended-up longer than I expected. I hope you are now ready to venture into a deep see of creating delegation model for your organization. This conversation is very common with customers. There's no one model that works for everyone. Waiting for a few planned improvements from Microsoft engineering before documenting common patterns we see across customers. In the meantime, you can work with your Microsoft account team to arrange a visit to the nearest [Microsoft Technology Center](https://www.microsoft.com/mtc). See you there!
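Review bot: the `-`/`+` pair for the Conclusion paragraph is identical in content (a whitespace-only change), so the existing errors survive the edit: `deep see` should be `deep sea`, `ended-up` should be `ended up`, and `creating delegation model` needs an article (`creating a delegation model`). The line is already in the diff; fix these here rather than leaving a no-op hunk.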
solutions Information Protection Deploy Assess https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-assess.md
The Microsoft Purview compliance portal comes pre-loaded with over 100 sensitive
If you need to identify and protect an organization-specific or regional type of sensitive items, such as a custom format for employee IDs, or other personal information not already covered by a built-in sensitive information type, you can create a custom sensitive information type with these methods: -- PowerShell
+- Security & Compliance PowerShell
- Custom rules with exact data match (EDM)-- Through the Compliance Center admin UI, as highlighted in the [Use Compliance Score and Compliance Manager article](information-protection-deploy-compliance.md)
+- Through the Microsoft 365 Purview compliance portal, as highlighted in the [Use Compliance Score and Compliance Manager article](information-protection-deploy-compliance.md)
You can also customize an existing, built-in sensitive information type.
See these articles for more information:
- [Customize a built-in sensitive information type](../compliance/customize-a-built-in-sensitive-information-type.md) - [Learn about sensitive information types](../compliance/sensitive-information-type-learn-about.md)-- [Create a custom sensitive information type in the Security & Compliance Center](../compliance/create-a-custom-sensitive-information-type.md)-- [Create a custom sensitive information type in Security & Compliance Center PowerShell](../compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md)
+- [Create a custom sensitive information type in the Microsoft 365 Purview compliance portal](../compliance/create-a-custom-sensitive-information-type.md)
+- [Create a custom sensitive information type in Security & Compliance PowerShell](../compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md)
- [Create custom sensitive information types with Exact Data Match based classification](../compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) ### Content Explorer
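Review bot: the two added lines `+- Through the Microsoft 365 Purview compliance portal, ...` and `+- [Create a custom sensitive information type in the Microsoft 365 Purview compliance portal]...` use a product name that does not match the unchanged context at the top of this hunk (`The Microsoft Purview compliance portal comes pre-loaded with over 100 sensitive`) or the heading changed in the monitor-respond hunk below; the portal is "Microsoft Purview compliance portal", without "365". Make the added bullets agree with the surrounding text.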
solutions Information Protection Deploy Monitor Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-monitor-respond.md
To help you get started with a monitoring and response scheme in Microsoft 365 f
- What sort of day-to-day monitoring, investigative and reporting techniques are available for the different data types and sources? - What mechanisms will be needed to handle data subject requests (DSRs) and any remedial actions, such as anonymization, redaction, and deletion.
-## Auditing and Alert Policies in the Security and Compliance Center
+## Auditing and Alert Policies in the Microsoft Purview compliance portal
See these articles for setting up auditing, advanced auditing, and alert policies:
For Microsoft Stream, when a user is deleted from Azure Active Directory (Azure
## Insider risk management as an investigative tool
-[Insider risk management](../compliance/insider-risk-management.md) is a feature of the Microsoft Purview compliance portal to help you minimize internal risk by enabling you to detect, investigate, and take action on risky activities in your organization.
+[Insider risk management](../compliance/insider-risk-management.md) is a feature of the Microsoft Purview compliance portal to help you minimize internal risk by enabling you to detect, investigate, and take action on risky activities in your organization.
solutions Microsoft 365 Groups Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-groups-expiration-policy.md
You can set the policy for all of your groups, only selected groups (up to 500),
## How expiry works with the retention policy
-If you have set up a retention policy for groups in the Security and Compliance center, the expiration policy works seamlessly with retention policy. When a group expires, the group's mailbox conversations and files in the group site are retained in the retention container for the specific number of days defined in the retention policy. Users will not see the group, or its content, after expiration however.
+If you have set up a retention policy for groups in the Microsoft Purview compliance portal, the expiration policy works seamlessly with retention policy. When a group expires, the group's mailbox conversations and files in the group site are retained in the retention container for the specific number of days defined in the retention policy. Users will not see the group, or its content, after expiration however.
## How and when a group owner learns if their groups are going to expire
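Review bot: `+If you have set up a retention policy for groups in the Microsoft Purview compliance portal, the expiration policy works seamlessly with retention policy.` drops the article before the second `retention policy` (`works seamlessly with the retention policy`), and the closing sentence `Users will not see the group, or its content, after expiration however.` reads better as `However, users will not see the group or its content after expiration.` The portal name on this line is the correct one; the assess and delegation hunks earlier in this change still say "Microsoft 365 Purview compliance portal" and should be aligned to it.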
test-base Createaccount https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/createaccount.md
Title: 'Create a new Test Base account'
+ Title: 'Creating a Test Base Account'
description: Details on how to create a new account on Test Base search.appverid: MET150--++ audience: Software-Vendor
f1.keywords: NOCSH
-# Step 1: Create a Test Base account
+# Creating a Test Base Account
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
+To create a **Test Base** account, perform the steps that follow.
-## Enter details for test base account
+> [!IMPORTANT]
+> You'll need a subscription to register for a **Test Base** account. If you donΓÇÖt have an Azure subscription, see **Subscriptions** on the [Azure home](https://ms.portal.azure.com/#home) page to learn how to create one.
+
+## To create a Test Base account
-1. Search for **'Test Base'** in the Azure portal.
+1. On the home page of the [Azure portal](https://ms.portal.azure.com/#home), search the **Test Base for Microsoft 365** in the Azure marketplace to display the controls for creating a **Test Base** account.
+
+ [ ![Search Test Base](Media/creatingaccount01-search.png) ](Media/creatingaccount01-search.png#lightbox)
+
+2. In the controls field of the **Test Base for Microsoft 365** page, select the **Create** button as that follows to open the **Create Test Base Account** page.
+
+ [ ![Test Base page](Media/creatingaccount02-testbase.png) ](Media/creatingaccount02-testbase.png#lightbox)
+
+3. On the **Create Test Base Account** page, add your information to the following required input fields on the **Create Test Base Account** page:
+
+ - **Subscription**ΓÇöfrom the drop-down list, locate your Azure subscription ID and select it.
+ - **Resource group**ΓÇöcreate a new Resource group by selecting **Create new** and specifying a chosen name in the **Name** input text box that displays. Select **OK** when done. If you already have a **Resource group**, locate its name in the drop-down list and select it.
+ - **Test Base account**ΓÇöunder **Account Details**, as shown in the figure that follows, specify a chosen name for your **Test Base** account by typing it in the input text field.
+
+ > [!NOTE]
+ > You must provide input for all required fields (*).
+
+ [ ![Basics information](Media/creatingaccount03-basics.png) ](Media/creatingaccount03-basics.png#lightbox)
+
+ > [!NOTE]
+ > As of April 2022, **Test Base** supports the **Standard** pricing tier only. The **Pricing tier** determines the resource and hourly service cost that is charged to your Azure subscription.
+
+ ![Pricing tier](Media/creatingaccount04-pricing-tier.png)
+
+4. Read the **Terms of Use**. If the terms are acceptable, select the checkbox to confirm that you have read and accept the terms of use.
+
+ ![Terms of use](Media/creatingaccount05-terms.png)
-![Create a Test Base Account search image.](Media/CreateTestAccount1.png)
+5. In the lower sector of the **Create Test Base Account** page, select **Review + create** to validate the input data you specified.
-2. Click **'Create'** to create a Test Base account.
+ If the validation process succeeds, you can review your input data configuration in the **Create Test Base Account** page.
-![Clicking on add to create the account.](Media/CreateTestAccount2.png)
+ [ ![Review creation](Media/creatingaccount06-review.png) ](Media/creatingaccount06-review.png#lightbox)
-3. Read through the ```Terms of Use``` then select the checkbox to confirm your satisfaction with the ```Terms of Use```.
+6. Select the **Create** button that is shown in the lower sector of the previous **Create Test Base Account** page.
-![Review the terms of use.](Media/CreateTestAccount3.png)
+ ![Create button](Media/creatingaccount07-create.png)
-4. Fill in the correct information under the following requirements:
- - Subscription: Resource Group
- - Instance Details: Name.
+7. On your user **Deployment** page, select **Go to resource** to open your new **Test Base** account Overview page and begin your exploration, configuration, and journey of **Test Base**.
-**Currently, Test Base only supports Standard Pricing tier.**
+ [ ![Complete creation](Media/creatingaccount08-complete.png) ](Media/creatingaccount08-complete.png#lightbox)
-![Select subscription, resource group and type in the details.](Media/CreateTestAccount4.png)
-5. Finally, click on ```Review + Create``` to validate and enable your newly created account.
-## Next steps
-Advance to the next article to get started with Step 2: **Learn how upload your package.**
-> [!div class="nextstepaction"]
-> [Next step](uploadapplication.md)
-<!
-Add button for next page
>
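Review bot: the new text links the portal as `https://ms.portal.azure.com/#home` (in the IMPORTANT note and again in step 1); customer-facing docs should link `https://portal.azure.com`, not the `ms.` alias. The deleted line `-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.` told readers where to get a subscription, while the replacement note only says to "see Subscriptions on the Azure home page", which does not explain how to create one; keep the free-account link in the note. The hunk also removes the entire `## Next steps` block with its `[Next step](uploadapplication.md)` button and renames the H1 from `Step 1: Create a Test Base account` to `Creating a Test Base Account`; if the TOC and uploadapplication.md still present this page as step 1 of a sequence, those references must change in the same PR, and without the next-step link the reader has no path to the upload step. Wording in the numbered steps: step 1 `search the **Test Base for Microsoft 365**` needs `search for`; step 2 `select the **Create** button as that follows` is garbled and should read `as shown in the figure that follows`; steps 5 and 6 `lower sector` should be `bottom` or `lower section`; step 3 says `locate your Azure subscription ID` but that drop-down lists subscriptions by name. The dated note `As of April 2022, **Test Base** supports the **Standard** pricing tier only` will go stale; state the current limitation without the date.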