Updates from: 07/01/2021 03:10:17
Category Microsoft Docs article Related commit history on GitHub Change details
admin Change A User Name And Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/change-a-user-name-and-email-address.md
audience: Admin
localization_priority: Priority-+ - M365-subscription-management - Adm_O365 - Adm_TOC
You may need to change someone's email address and display name if, for example,
## Watch: Change a user's name or email address
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1SJuc]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1SJuc]
If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
-You must be a [global admin](about-admin-roles.md) to do these steps.
+You must be a [global admin](about-admin-roles.md) to do these steps.
## Change a user's email address ::: moniker range="o365-worldwide"
-
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
::: moniker-end 1. Select the user's name, and then on the **Account** tab select **Manage username**.
-
-1. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list.
+
+1. In the first box, type the first part of the new email address. If you added your own domain to Microsoft 365, choose the domain for the new email alias by using the drop-down list.
1. Select **Save changes**.
You must be a [global admin](about-admin-roles.md) to do these steps.
::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
::: moniker-end
-
+ 2. Select the user's name, and then on the **Account** tab select **Manage email aliases**.
-3. Select **Set as Primary** for the email address that you want to set as the primary email address for that person.
-
+3. Select **Set as Primary** for the email address that you want to set as the primary email address for that person.
+ > [!IMPORTANT]
- > You won't see this option to Set as Primary if you purchased Microsoft 365 from GoDaddy or another Partner service that provides a management console. Instead, sign in to the GoDaddy / partner's management console to set the primary alias.
- >
+ > You won't see this option to Set as Primary if you purchased Microsoft 365 from GoDaddy or another Partner service that provides a management console. Instead, sign in to the GoDaddy / partner's management console to set the primary alias.
+ >
> Also, you'll only see this option if you're a global admin. If you don't see the option, you don't have permissions to change a user's name and primary email address.
-
+ 4. You'll see a big yellow warning that you're about to change the person's sign-in information. Select **Save**, then **Close**.
-
+ 5. Give the person the following information:
-
+ - This change could take a while.
-
+ - Their new username. They'll need it to sign in to Microsoft 365.
-
+ - If they are using Skype for Business Online, they must reschedule any Skype for Business Online meetings that they organized, and tell their external contacts to update their contact information.
- - If they are using OneDrive, the URL to this location has changed. If they have OneNote notebooks in their OneDrive, they might need to close and reopen them in OneNote. If they have shared files from their OneDrive, the links to the files might not work and the user can reshare.
-
+ - If they are using OneDrive, the URL to this location has changed. If they have OneNote notebooks in their OneDrive, they might need to close and reopen them in OneNote. If they have shared files from their OneDrive, the links to the files might not work and the user can reshare.
+ - If their password changed too, they are prompted to enter the new password on their mobile device, or it won't sync.
-
+ ## Change a user's display name ::: moniker range="o365-worldwide"
You must be a [global admin](about-admin-roles.md) to do these steps.
::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
::: moniker-end
You must be a [global admin](about-admin-roles.md) to do these steps.
If you get the error message "**We're sorry, the user couldn't be edited. Review the user information and try again**, see [Resolve error messages](#resolve-error-messages). It might take up to 24 hours for this change to take effect across all services. After the change has taken effect, the person will have to sign in to Outlook, Skype for Business and SharePoint with their updated username.
-
+ ## Resolve error messages ### "A parameter cannot be found that matches parameter name 'EmailAddresses" If you get the error message " **A parameter cannot be found that matches parameter name 'EmailAddresses**" it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the setup process has time to finish, and then try again. If the problem persists, call [support](../../business-video/get-help-support.md) and ask them to do a full sync for you.
-
+ ### "We're sorry, the user couldn't be edited. Review the user information and try again" If you get the error message " **We're sorry, the user couldn't be edited. Review the user information and try again**." it means you aren't a global admin and you don't have permissions to change the user name. Find the global admin in your business and ask them to make the change. - ## What to do with old email addresses A person's previous primary email address is retained as an additional email address. **We strongly recommend that you don't remove the old email address.**
-
+ Some people might continue to send email to the person's old email address and deleting it may result in NDR failures. Microsoft automatically routes it to the new one. Also, do not reuse old SMTP email addresses and apply them to new accounts. This can also cause NDR failures or delivery to an unintended mailbox.
-
+ ## What if the person's offline address book won't sync with the Global Address List? If they are using Exchange Online or if their account is linked with your organization's on-premises Exchange environment, you might see this error when you try to change a username and email address: "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory."
-
-This is due to the Microsoft Online Email Routing Address (MOERA). The MOERA is constructed from the person's _userPrincipalName_ attribute in Active Directory and is automatically assigned to the cloud account during the initial sync and once created, it cannot be modified or removed in Microsoft 365. You can subsequently change the username in the Active Directory, but it doesn't change the MOERA and you may run into issues displaying the newly changed name in the Global Address List.
-
-To fix this, log in to the [Azure Active Directory Module for PowerShell]( https://go.microsoft.com/fwlink/?LinkId=823193) with your Microsoft 365 administrator credentials. and use the following syntax:
-
+
+This is due to the Microsoft Online Email Routing Address (MOERA). The MOERA is constructed from the person's _userPrincipalName_ attribute in Active Directory and is automatically assigned to the cloud account during the initial sync and once created, it cannot be modified or removed in Microsoft 365. You can subsequently change the username in the Active Directory, but it doesn't change the MOERA and you may run into issues displaying the newly changed name in the Global Address List.
+
+To fix this, log in to the [Azure Active Directory Module for PowerShell](https://go.microsoft.com/fwlink/?LinkId=823193) with your Microsoft 365 administrator credentials. and use the following syntax:
+ ```powershell Set-MsolUserPrincipalName -UserPrincipalName anne.wallace@contoso.onmicrosoft.com -NewUserPrincipalName anne.jones@contoso.com ``` > [!TIP]
-> This changes the person's **userPrincipalName** attribute and has no bearing on their Microsoft Online Email Routing Address (MOERA) email address. It is best practice, however, to have the person's logon UPN match their primary SMTP address.
-
+> This changes the person's **userPrincipalName** attribute and has no bearing on their Microsoft Online Email Routing Address (MOERA) email address. It is best practice, however, to have the person's logon UPN match their primary SMTP address.
+ To learn how to change someone's username in Active Directory, in Windows Server 2003 and earlier, see [Rename a user account](/previous-versions/windows/it-pro/windows-server-2003/cc772952(v=ws.10)).
-
+ ## Related content [Admins: Reset a password for one or more users](reset-passwords.md) (article)\ [Add another email address to a user](../email/add-another-email-alias-for-a-user.md) (article)\
-[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
+[Create a shared mailbox](../email/create-a-shared-mailbox.md) (article)
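Review bot: The rewritten sentence that introduces the `Set-MsolUserPrincipalName` example still reads "with your Microsoft 365 administrator credentials. and use the following syntax:", so the stray period from the old line survives this whitespace pass. Drop it so the instruction is one sentence. In the same hunk, the heading "A parameter cannot be found that matches parameter name 'EmailAddresses" opens a single quote that is never closed; close it after EmailAddresses in both the heading and the bolded message below it.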
admin About The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/about-the-admin-center.md
Here are the features and settings you'll find in the left-hand navigation of th
- See activity reports: [Activity Reports](../activity-reports/activity-reports.md) -- [Create a Microsoft 365 group ](../create-groups/create-groups.md)
+- [Create a Microsoft 365 group](../create-groups/create-groups.md)
- [Manage a Microsoft 365 group](../create-groups/manage-groups.md)
admin Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/capabilities.md
audience: Admin
localization_priority: Normal-+ - M365-subscription-management - Adm_O365 - Adm_TOC
You can use Basic Mobility and Security to secure and manage the following devic
<sup>3</sup>After June 2020, Android versions later than 9 can't manage password settings except on Samsung Knox devices.
->[!NOTE]
->Devices already enrolled with earlier OS versions continue to function although the capabilities might change without notice.
+> [!NOTE]
+> Devices already enrolled with earlier OS versions continue to function although the capabilities might change without notice.
If people in your organization use mobile devices that aren't supported by Basic Mobility and Security, you might want to block Exchange ActiveSync app access to Microsoft 365 email for those devices, to help make your organization's data more secure. For steps to block Exchange ActiveSync, see [Manage device access settings in Basic Mobility and Security](manage-device-access-settings.md).
The supported apps for the different types of mobile devices in the following ta
|**Exchange** Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later. |Mail |Email | |**Office** and **OneDrive for Business** |Outlook </br>OneDrive </br>Word </br>Excel </br>PowerPoint|**On phones and tablets**:<br/>Outlook <br/> OneDrive <br/> Word <br/> Excel <br/> PowerPoint <br/> **On phones only:** <br/> Office Mobile |
->[!NOTE]
-- >Support for iOS 10.0 and later versions includes iPhone and iPad devices.-- >Management of BlackBerry OS devices isn’t supported by Basic Security and Mobility. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. Blackberry devices running Android OS are supported as standard Android devices-- >Users won’t be prompted to enroll and won’t be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.
+> [!NOTE]
+>
+> - Support for iOS 10.0 and later versions includes iPhone and iPad devices.
+> - Management of BlackBerry OS devices isnΓÇÖt supported by Basic Security and Mobility. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. Blackberry devices running Android OS are supported as standard Android devices
+> - Users wonΓÇÖt be prompted to enroll and wonΓÇÖt be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.
The following diagram shows what happens when a user with a new device signs in to an app that supports access control with Basic Mobility and Security. The user is blocked from accessing Microsoft 365 resources in the app until they enroll their device.
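Review bot: The new NOTE bullets replace the apostrophes of the removed line ("isn’t", "won’t") with the sequence "ΓÇÖ" ("isnΓÇÖt", "wonΓÇÖt"), which looks like the file was re-saved in the wrong encoding. Restore the original character or use a plain ASCII apostrophe, and confirm the file is UTF-8 before merging. While the BlackBerry bullet is being touched, "Basic Security and Mobility" should be "Basic Mobility and Security" as it is everywhere else in this article, and the sentence ending "standard Android devices" needs its closing period.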
The following diagram shows what happens when a user with a new device signs in
## Policy settings for mobile devices
-If you create a policy to block access with certain settings turned on, users are blocked from accessing Microsoft 365 resources when using a supported app that is listed in [Access control for Microsoft 365 email and documents](capabilities.md).
+If you create a policy to block access with certain settings turned on, users are blocked from accessing Microsoft 365 resources when using a supported app that is listed in [Access control for Microsoft 365 email and documents](capabilities.md).
The settings that can block users from accessing Microsoft 365 resources are in these sections:
The settings that can block users from accessing Microsoft 365 resources are in
- Jail broken -- Managed email profile
+- Managed email profile
For example, the following diagram shows what happens when a user with an enrolled device isnΓÇÖt compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with Basic Mobility and Security. They are blocked from accessing Microsoft 365 resources in the app until their device complies with the security setting.
The following sections list the policy settings you can use to help secure and m
|:--|:--|:--|:--| |Require data encryption on devices<sup>1</sup> |No|Yes|Yes|
-<sup>1</sup>With Samsung Knox, you can also require encryption on storage cards.
+<sup>1</sup>With Samsung Knox, you can also require encryption on storage cards.
-## Jail broken setting
+## Jail broken setting
|**Setting name**|**iOS 7.1 and later**|**Android 5 and later**|**Samsung Knox**| |:--|:--|:--|:--| |Device cannot be jail broken or rooted |Yes|Yes|Yes|
-## Managed email profile option
+## Managed email profile option
The following option can block users from accessing their Microsoft 365 email if theyΓÇÖre using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile is automatically created on the device. For instructions on how end users can get compliant, see [An existing email account was found](/intune-user-help/existing-company-email-account-found).
The following settings are supported for Windows 10 devices that are enrolled as
- Remember password history and prevent reuse
->[!NOTE]
->The following settings regulating passwords only control local Windows accounts. Windows accounts provided through join a domain or Azure Active Directory aren't affected by these settings.
+> [!NOTE]
+> The following settings regulating passwords only control local Windows accounts. Windows accounts provided through join a domain or Azure Active Directory aren't affected by these settings.
### System settings
admin Choose Between Basic Mobility And Security And Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md
audience: Admin
localization_priority: Normal-+ - M365-subscription-management - Adm_O365 - Adm_TOC
Both Basic Mobility and Security and Intune are included in a variety of plans,
|Enterprise Mobility & Security E3 |No|Yes| |Enterprise Mobility & Security E5 |No|Yes|
->[!NOTE]
->You can't start using Basic Mobility and Security if you're already using Microsoft Intune.
+> [!NOTE]
+> You can't start using Basic Mobility and Security if you're already using Microsoft Intune.
- For details, see [Microsoft 365 and Office 365 platform service descriptions](/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description).
+ For details, see [Microsoft 365 and Office 365 platform service descriptions](/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description).
## Differences in capabilities Microsoft Intune and built-in Basic Mobility and Security both give you the ability to manage mobile devices in your organization, but there are key differences in capability, described in the following table.
->[!NOTE]
->You can manage users and their mobile devices using both Intune and Basic Mobility and Security in the same Microsoft 365 Business Standard organization *by setting up Basic Mobility and Security first, and then adding Microsoft Intune*. This allows you to choose Basic Mobility and Security or the more feature-rich Intune solution. Assign an Intune license to enable the Intune features.
+> [!NOTE]
+> You can manage users and their mobile devices using both Intune and Basic Mobility and Security in the same Microsoft 365 Business Standard organization *by setting up Basic Mobility and Security first, and then adding Microsoft Intune*. This allows you to choose Basic Mobility and Security or the more feature-rich Intune solution. Assign an Intune license to enable the Intune features.
| Feature area | Feature highlights | Basic Mobility and Security | Microsoft Intune | |:--|:--|:--|:--|
Microsoft Intune and built-in Basic Mobility and Security both give you the abil
|Zero touch enrollment programs (AutoPilot) |Enroll large numbers of corporate-owned devices, while simplifying user setup. |No|Yes| |||
-In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can remove Office data from an employeeΓÇÖs device while leaving personal data in place (retire), remove Office apps from a employee's device (wipe), or reset a device to its factory settings (full wipe).
+In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can remove Office data from an employeeΓÇÖs device while leaving personal data in place (retire), remove Office apps from a employee's device (wipe), or reset a device to its factory settings (full wipe).
Basic Mobility and Security remote actions include retire, wipe and full wipe. For more information on Basic Mobility and Security actions, see [capabilities of Basic Mobility and Security](capabilities.md).
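Review bot: The re-added remote-actions paragraph keeps "from a employee's device (wipe)", which should be "from an employee's device". The earlier "employeeΓÇÖs" in the same sentence is mis-encoded in both the old and the new line. Since this change only trims whitespace on that line, fix both in the same pass so the description of retire, wipe and full wipe reads cleanly.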
admin Create An Apns Certificate For Ios Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/create-an-apns-certificate-for-ios-devices.md
Title: "Create an APNs certificate for iOS devices" -----
-localization_priority: Normal
-
+ Title: "Create an APNs certificate for iOS devices"
+f1.keywords: NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+ - M365-subscription-management - Adm_O365 - Adm_TOC
-description: "Manage iOS devices in Basic Mobility and Security."
+description: "Manage iOS devices in Basic Mobility and Security."
# Create an APNs certificate for iOS devices
To manage iOS devices such as iPads and iPhones in Basic Mobility and Security,
1. Sign in to Microsoft 365 with your global admin account.
-2. In your browser, typeΓÇ»[https://protection.office.com](https://protection.office.com/).
+2. In your browser, typeΓÇ»<https://protection.office.com/>.
3. Select ΓÇ»**Data loss prevention**ΓÇ»>ΓÇ»**Device management**, and choose **APNs Certificate for iOS devices**.
To manage iOS devices such as iPads and iPhones in Basic Mobility and Security,
5. Select Download your CSR file and save the certificate signing request to somewhere on your computer that you'll remember. Select  **Next**.
-6. On the Create an APNs certificate page:
+6. On the Create an APNs certificate page:
1. SelectΓÇ» Apple APNS Portal to open the Apple Push Certificates Portal. 2. Sign in with an Apple ID.
- >[!IMPORTANT]
- >Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.
+ > [!IMPORTANT]
+ > Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.
3. Select  **Create a Certificate**  and accept the Terms of Use. 4. Browse to the certificate signing request you downloaded to your computer from Microsoft 365, and select **Upload**.
- Download the APNs certificate created by the Apple Push Certificate Portal to your computer.
+ Download the APNs certificate created by the Apple Push Certificate Portal to your computer.
- >[!TIP]
- >If you're having trouble downloading the certificate, refresh your browser.
+ > [!TIP]
+ > If you're having trouble downloading the certificate, refresh your browser.
7. Go back to Microsoft 365, and select **Next**  to get to the  **Upload APNS certificate** page.
admin Create Device Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/create-device-security-policies.md
You can use Basic Mobility and Security to create device policies that help prot
- To create and deploy Basic Mobility and Security policies in Microsoft 365, you need to be a Microsoft 365 global admin. For more info, see [Permissions in the Security & Compliance Center](../../security/office-365-security/permissions-in-the-security-and-compliance-center.md). - Before you deploy policies, let your organization know the potential impacts of enrolling a device in Basic Mobility and Security. Depending on how you set up the policies, noncompliant devices can be blocked from accessing Microsoft 365 and data, including installed applications, photos, and personal information on an enrolled device, and data can be deleted.
->[!NOTE]
->Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is ignored. To learn more about Exchange ActiveSync, see [Exchange ActiveSync in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/exchange-activesync/exchange-activesync).
+> [!NOTE]
+> Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is ignored. To learn more about Exchange ActiveSync, see [Exchange ActiveSync in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/exchange-activesync/exchange-activesync).
## Step 1: Create a device policy and deploy to a test group Before you can start, make sure you have activated and set up Basic Mobility and Security. For instructions, see [Overview of Basic Mobility and Security](overview.md).
-1. From your browser, type [https://protection.office.com/devicev2](https://protection.office.com/devicev2).
+1. From your browser, type <https://protection.office.com/devicev2>.
2. Select **Create a policy**.
admin Enroll Your Mobile Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/enroll-your-mobile-device.md
Using your phone, tablet, and other mobile devices for work is a great way to st
Organizations choose Basic Mobility and Security so that employees can use their mobile devices to securely access work email, calendars, and documents while the business secures important data and meets their compliance requirements. To learn more, see [Overview of Basic Mobility and Security for Microsoft 365](overview.md). For more info, see [What information can my organization see when I enroll my device?](/intune-user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune).
->[!IMPORTANT]
->When you enroll your device in Basic Mobility and Security for Microsoft 365, you might be required to set up a password, together with allowing the option for your work organization to wipe the device. A device wipe can be performed from the Microsoft 365 admin center, for example, to remove all data from the device if the password is entered incorrectly too many times or if usage terms are broken.
+> [!IMPORTANT]
+> When you enroll your device in Basic Mobility and Security for Microsoft 365, you might be required to set up a password, together with allowing the option for your work organization to wipe the device. A device wipe can be performed from the Microsoft 365 admin center, for example, to remove all data from the device if the password is entered incorrectly too many times or if usage terms are broken.
## Supported devices
Basic Mobility and Security for Microsoft 365 hosted by the Intune service works
If your device is not listed above, and you need to use it with Basic Mobility and Security, contact your work or school administrator.
->[!TIP]
->If you're having trouble enrolling your device, seeΓÇ»[Troubleshoot Basic Mobility and Security](troubleshoot.md).
+> [!TIP]
+> If you're having trouble enrolling your device, seeΓÇ»[Troubleshoot Basic Mobility and Security](troubleshoot.md).
## Set up your mobile device with Intune and Basic Mobility and Security
The Intune Company Portal enables a device to be managed by Microsoft 365 and Ba
### iPhone or iPad
->[!TIP]
->You wonΓÇÖt be able to send and receive email until you complete this step.
+> [!TIP]
+> You wonΓÇÖt be able to send and receive email until you complete this step.
Go to the Apple App Store, and download and install Intune Company Portal.
To connect and configure your iOS phone or tablet with the Company portal to Off
### Android phone or tablet
->[!TIP]
->You wonΓÇÖt be able to send and receive email until you complete this step.
+> [!TIP]
+> You wonΓÇÖt be able to send and receive email until you complete this step.
Go to the Google Play store, and download and install Intune Company Portal.
admin Get Details About Managed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/get-details-about-managed-devices.md
audience: Admin
localization_priority: Normal-+ - M365-subscription-management - Adm_O365 - Adm_TOC
Here's a breakdown for the device details available to you.
:::image type="content" source="../../media/basic-mobility-security/bms-7-powershell-parameters.png" alt-text="Basic Mobility and Security PowerShell parameters":::
->[!NOTE]
->The commands and scripts in this article also return details about any devices managed byΓÇ»[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+> [!NOTE]
+> The commands and scripts in this article also return details about any devices managed byΓÇ»[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
## Before you begin
For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/
2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:
- 1. Open an administrator-level PowerShell command prompt.
+ 1. Open an administrator-level PowerShell command prompt.
- 2. Run the Install-Module MSOnline command.
+ 2. Run the `Install-Module MSOnline` command.
3. If prompted to install the NuGet provider, type Y and press ENTER.
For more info on these steps, seeΓÇ»[Connect to Microsoft 365 with PowerShell](/
### Step 2: Connect to your Microsoft 365 subscription
-1. In the Windows Azure Active Directory Module for Windows PowerShell, run the following command.
+1. In the Windows Azure Active Directory Module for Windows PowerShell, run the following command.
- $UserCredential = Get-Credential
+ ```powershell
+ $UserCredential = Get-Credential
+ ```
2. In the Windows PowerShell Credential Request dialog box, type the user name and password for your Microsoft 365 global admin account, and then select **OK**. 3. Run the following command.
- Connect-MsolService -Credential $UserCredential
+ ```powershell
+ Connect-MsolService -Credential $UserCredential
+ ```
### Step 3: Make sure youΓÇÖre able to run PowerShell scripts
->[!NOTE]
->You can skip this step if youΓÇÖre already set up to run PowerShell scripts.
+> [!NOTE]
+> You can skip this step if youΓÇÖre already set up to run PowerShell scripts.
To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.
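Review bot: Step 1 under "Step 2: Connect to your Microsoft 365 subscription" still names the "Windows Azure Active Directory Module for Windows PowerShell", while the install step and the Get-MsolDevice section call it the "Microsoft Azure Active Directory Module for Windows PowerShell". Use one name throughout so the reader does not go looking for two different modules. The new powershell fences around `$UserCredential = Get-Credential` and `Connect-MsolService -Credential $UserCredential` are fine as they are.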
To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable
2. Run the following command.
- Set-ExecutionPolicy RemoteSigned
+ ```powershell
+ Set-ExecutionPolicy RemoteSigned
+ ```
3. When prompted, type Y and then press Enter.
-**Run the Get-MsolDevice cmdlet to display details for all devices in your organization**
+#### Run the Get-MsolDevice cmdlet to display details for all devices in your organization
-1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
+1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
2. Run the following command.
- Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0}
+ ```powershell
+ Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0}
+ ```
For more examples, see ΓÇ»[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939).
For more examples, see ΓÇ»[Get-MsolDevice](https://go.microsoft.com/fwlink/?link
First, save the script to your computer.
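Review bot: The new heading promises details for all devices in your organization, but the command pipes to `Where-Object {$_.RegisteredOwners.Count -gt 0}`, which drops every device that has no registered owner. Either reword the heading to say it lists devices that have a registered owner, or show the unfiltered `Get-MsolDevice -All -ReturnRegisteredOwners` form as well, because ownerless devices are ones an inventory review would want to see.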
-1. Copy and paste the following text into Notepad.
-
-2. param (
-
-3. [PSObject[]]$users = @(),
-
-4. [Switch]$export,
-
-5. [String]$exportFileName = "UserDeviceComplianceStatus_" + (Get-Date -Format "yyMMdd_HHMMss") + ".csv",
-
-6. [String]$exportPath = [Environment]::GetFolderPath("Desktop")
-
-7. )
-
-9. [System.Collections.IDictionary]$script:schema = @{
-
-11. DeviceId = ''
-
-12. DeviceOSType = ''
-
-13. DeviceOSVersion = ''
-
-14. DeviceTrustLevel = ''
-
-15. DisplayName = ''
-
-16. IsCompliant = ''
-
-17. IsManaged = ''
-
-18. ApproximateLastLogonTimestamp = ''
-
-19. DeviceObjectId = ''
-
-20. RegisteredOwnerUpn = ''
-
-21. RegisteredOwnerObjectId = ''
-
-
-22. RegisteredOwnerDisplayName = ''
-
-
-23. }
-
-
-25. function createResultObject
-
-
-26. {
-
-
-28. [PSObject]$resultObject = New-Object -TypeName PSObject -Property $script:schema
-
-
-30. return $resultObject
-
-
-31. }
-
-
-33. If ($users.Count -eq 0)
-
-
-34. {
-
-
-35. $users = Get-MsolUser
-
-
-36. }
-
-
-38. [PSObject[]]$result = foreach ($u in $users)
-
-
-39. {
-
-
-41. [PSObject]$devices = get-msoldevice -RegisteredOwnerUpn $u.UserPrincipalName
-
-
-42. foreach ($d in $devices)
-
-
-43. {
-
-
-44. [PSObject]$deviceResult = createResultObject
-
-
-45. $deviceResult.DeviceId = $d.DeviceId
-
-
-46. $deviceResult.DeviceOSType = $d.DeviceOSType
-
-
-47. $deviceResult.DeviceOSVersion = $d.DeviceOSVersion
-
-
-48. $deviceResult.DeviceTrustLevel = $d.DeviceTrustLevel
-
-
-49. $deviceResult.DisplayName = $d.DisplayName
-
-
-50. $deviceResult.IsCompliant = $d.GraphDeviceObject.IsCompliant
-
-
-51. $deviceResult.IsManaged = $d.GraphDeviceObject.IsManaged
-
-
-52. $deviceResult.DeviceObjectId = $d.ObjectId
-
-
-53. $deviceResult.RegisteredOwnerUpn = $u.UserPrincipalName
-
-
-54. $deviceResult.RegisteredOwnerObjectId = $u.ObjectId
-
-
-55. $deviceResult.RegisteredOwnerDisplayName = $u.DisplayName
-
-
-56. $deviceResult.ApproximateLastLogonTimestamp = $d.ApproximateLastLogonTimestamp
-
-
-58. $deviceResult
-
-
-59. }
-
-
-61. }
-
-
-63. If ($export)
-
-
-64. {
-
-
-65. $result | Export-Csv -path ($exportPath + "\" + $exportFileName) -NoTypeInformation
-
-
-66. }
-
-
-67. Else
-
-
-68. {
-
-
-69. $result
-
-
-70. }
-
-
-71. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.
+1. Copy and paste the following text into Notepad.
+
+ ```powershell
+ param (
+ [PSObject[]]$users = @(),
+ [Switch]$export,
+ [String]$exportFileName = "UserDeviceComplianceStatus_" + (Get-Date -Format "yyMMdd_HHMMss") + ".csv",
+ [String]$exportPath = [Environment]::GetFolderPath("Desktop")
+ )
+ [System.Collections.IDictionary]$script:schema = @{
+ DeviceId = ''
+ DeviceOSType = ''
+ DeviceOSVersion = ''
+ DeviceTrustLevel = ''
+ DisplayName = ''
+ IsCompliant = ''
+ IsManaged = ''
+ ApproximateLastLogonTimestamp = ''
+ DeviceObjectId = ''
+ RegisteredOwnerUpn = ''
+ RegisteredOwnerObjectId = ''
+ RegisteredOwnerDisplayName = ''
+ }
+ function createResultObject
+ {
+ [PSObject]$resultObject = New-Object -TypeName PSObject -Property $script:schema
+ return $resultObject
+ }
+ If ($users.Count -eq 0)
+ {
+ $users = Get-MsolUser
+ }
+ [PSObject[]]$result = foreach ($u in $users)
+ {
+ [PSObject]$devices = get-msoldevice -RegisteredOwnerUpn $u.UserPrincipalName
+ foreach ($d in $devices)
+ {
+ [PSObject]$deviceResult = createResultObject
+ $deviceResult.DeviceId = $d.DeviceId
+ $deviceResult.DeviceOSType = $d.DeviceOSType
+ $deviceResult.DeviceOSVersion = $d.DeviceOSVersion
+ $deviceResult.DeviceTrustLevel = $d.DeviceTrustLevel
+ $deviceResult.DisplayName = $d.DisplayName
+ $deviceResult.IsCompliant = $d.GraphDeviceObject.IsCompliant
+ $deviceResult.IsManaged = $d.GraphDeviceObject.IsManaged
+ $deviceResult.DeviceObjectId = $d.ObjectId
+ $deviceResult.RegisteredOwnerUpn = $u.UserPrincipalName
+ $deviceResult.RegisteredOwnerObjectId = $u.ObjectId
+ $deviceResult.RegisteredOwnerDisplayName = $u.DisplayName
+ $deviceResult.ApproximateLastLogonTimestamp = $d.ApproximateLastLogonTimestamp
+ $deviceResult
+ }
+ }
+ If ($export)
+ {
+ $result | Export-Csv -path ($exportPath + "\" + $exportFileName) -NoTypeInformation
+ }
+ Else
+ {
+ $result
+ }
+ ```
+
+2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.
## Run the script to get device information for a single user account 1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
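Review bot: In the added script, `$users = Get-MsolUser` is called without `-All`, so when no users are passed in, the report is built from only the default first page of results (500 users) and devices owned by anyone beyond that are silently missing from the compliance export. Suggest `$users = Get-MsolUser -All`. In the `param` block, the format string `"yyMMdd_HHMMss"` uses `MM` (month) where minutes (`mm`) look intended, so the default file name repeats the month instead of recording the minute.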
-
+ 2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
-
- cd C:\PS-Scripts
+
+ ```powershell
+ cd C:\PS-Scripts
+ ```
3. Run the following command to identify the user you want to get device details for. This example gets details for bar@example.com.
-
- $u = Get-MsolUser -UserPrincipalName bar@example.com
+
+ ```powershell
+ $u = Get-MsolUser -UserPrincipalName bar@example.com
+ ```
4. Run the following command to initiate the script.
- .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ ```powershell
+ .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ ```
The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV. ## Run the script to get device information for a group of users 1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.
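Review bot: The command passes `-User $u`, but the script's `param` block declares `$users`, `$export`, `$exportFileName` and `$exportPath`; `-User` binds only because PowerShell accepts an unambiguous prefix of a parameter name. Suggest writing `-users $u` so the example matches the script, and naming `-exportFileName` and `-exportPath` in the closing sentence instead of "additional parameters", since the CSV holds owner UPNs and device IDs and some readers will not want it written to the Desktop.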
-
-2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
- cd C:\PS-Scripts
+2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.
+
+ ```powershell
+ cd C:\PS-Scripts
+ ```
-3. Run the following command to identify the group you want to get device details for. This example gets details for users in the FinanceStaff group.
+3. Run the following command to identify the group you want to get device details for. This example gets details for users in the FinanceStaff group.
- $u = Get-MsolGroupMember -SearchString "FinanceStaff" | % { Get-MsolUser -ObjectId $_.ObjectId }
+ ```powershell
+ $u = Get-MsolGroupMember -SearchString "FinanceStaff" | % { Get-MsolUser -ObjectId $_.ObjectId }
+ ```
4. Run the following command to initiate the script.
- .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ ```powershell
+ .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export
+ ```
The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV.
The information is exported to your Windows Desktop as a CSV file. You can use a
[Overview of Basic Mobility and Security](overview.md)
-[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939)
+[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939)
admin Manage Device Access Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/manage-device-access-settings.md
Use these steps:
1. Sign in to Microsoft 365 with your global admin account.
-2. In your browser, type:ΓÇ»[https://protection.office.com](https://protection.office.com/).
+2. In your browser, type:ΓÇ»[https://protection.office.com](https://protection.office.com/).
- >[!IMPORTANT]
- >If this is the first time you're using Basic Mobility and Security for Microsoft 365 Business Standard, activate it here: [Activate Basic Security and Mobility](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). After you've activated it, manage your devices with [Office 365 Security & Compliance](https://protection.office.com/).
+ > [!IMPORTANT]
+ > If this is the first time you're using Basic Mobility and Security for Microsoft 365 Business Standard, activate it here: [Activate Basic Security and Mobility](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). After you've activated it, manage your devices with [Office 365 Security & Compliance](https://protection.office.com/).
3. Go to Data loss prevention > **Device management** > **Device policies**, and select **Manage organization-wide device access settings**.
Use these steps:
5. SelectΓÇ»**Save**.
-To learn what devices Basic Mobility and Security supports, seeΓÇ»[Capabilities of Basic Mobility and Security](capabilities.md).
+To learn what devices Basic Mobility and Security supports, seeΓÇ»[Capabilities of Basic Mobility and Security](capabilities.md).
admin Turn Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/turn-off.md
Title: "Turn off Basic Mobility and Security" -----
-localization_priority: Normal
-
+ Title: "Turn off Basic Mobility and Security"
+f1.keywords: NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+ - M365-subscription-management - Adm_O365 - Adm_TOC
-description: "Remove groups or policies to turn off Basic Mobility and Security."
+description: "Remove groups or policies to turn off Basic Mobility and Security."
# Turn off Basic Mobility and Security
To effectively turn off Basic Mobility and Security, you remove groups of people
- Disable Basic Mobility and Security for everyone by removing all Basic Mobility and Security device policies.
-These options remove Basic Mobility and Security enforcement for devices in your organization. Unfortunately, you can't simply "unprovision" Basic Mobility and Security after you've set it up.
+These options remove Basic Mobility and Security enforcement for devices in your organization. Unfortunately, you can't simply "unprovision" Basic Mobility and Security after you've set it up.
->[!IMPORTANT]
->Be aware of the impact on users' devices when you remove user security groups from policies or remove the policies themselves. For example, email profiles and cached emails might be removed, depending on the device. For more info, seeΓÇ» [What happens when you delete a policy or remove a user from the policy?](../../admin/basic-mobility-security/create-device-security-policies.md)
+> [!IMPORTANT]
+> Be aware of the impact on users' devices when you remove user security groups from policies or remove the policies themselves. For example, email profiles and cached emails might be removed, depending on the device. For more info, seeΓÇ» [What happens when you delete a policy or remove a user from the policy?](../../admin/basic-mobility-security/create-device-security-policies.md)
## Remove user security groups from Basic Mobility and Security device policies 1. In your browser type:ΓÇ»[https://protection.office.com/devicev2](https://protection.office.com/devicev2).
-2. Select a device policy, and select **Edit policy**.
+2. Select a device policy, and select **Edit policy**.
3. On the  **Deployment**  page, select **Remove**.
These options remove Basic Mobility and Security enforcement for devices in your
## Remove Basic Mobility and Security device policies
-1. In your browser type:ΓÇ»[https://protection.office.com/devicev2](https://protection.office.com/devicev2).
+1. In your browser type:ΓÇ»[https://protection.office.com/devicev2](https://protection.office.com/devicev2).
+
+2. Select a device policy, and then select ΓÇ»**Delete policy**.
-2. Select a device policy, and then select ΓÇ»**Delete policy**.
-
-3. In the Warning dialog box, select **Yes**.
+3. In the Warning dialog box, select **Yes**.
->[!NOTE]
->For more steps to unblock devices if your organization devices are still in a blocked state, see the blog post [Removing Access Control from Mobile Device Management for Office 365](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Removing-Access-Control-from-Mobile-Device-Management-for-Office/ba-p/279934).
+> [!NOTE]
+> For more steps to unblock devices if your organization devices are still in a blocked state, see the blog post [Removing Access Control from Mobile Device Management for Office 365](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Removing-Access-Control-from-Mobile-Device-Management-for-Office/ba-p/279934).
admin Wipe Mobile Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/wipe-mobile-device.md
The wipe is sent immediately to the mobile device and the device is marked as no
|Microsoft 365 app data is wiped if the device is protected by Intune App Protection policies. The apps aren't removed. For devices not protected by Mobile Application Management (MAM) policies, Outlook and OneDrive won't remove cached data.<br/>**Note** For applying Intune App protection policies you must have an Intune license.|Yes|Yes| |Policy settings applied by Basic Mobility and Security to devices are no longer enforced; users can change the settings.|Yes|Yes| |Email profiles created by Basic Mobility and Security are removed and cached email on the device is deleted.|Yes|N/A|
->[!NOTE]
->Company Portal app is available at the App Store for iOS and the Play Store for Android devices.
+
+> [!NOTE]
+> Company Portal app is available at the App Store for iOS and the Play Store for Android devices.
admin Update Dns Records To Retain Current Hosting Provider https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/update-dns-records-to-retain-current-hosting-provider.md
In addition, you can create a CNAME record to help customers find your website.
Finally, do the following:
-[Update your domain's NS records](../get-help-with-domains/set-up-your-domain-host-specific-instructions.md) to point to Microsoft.
+[Update your domain's NS records](../setup/add-domain.md) to point to Microsoft.
When the NS records have been updated to point to Microsoft, your domain is all set up. Email will be routed to Microsoft, and traffic to your website address will continue to go to your current website host.
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
description: "Email forwarding lets you forward email messages sent to a Microso
As the admin of an organization, you might have company requirements to set up email forwarding for a user's mailbox. Email forwarding lets you forward email messages sent to a user's mailbox to another user's mailbox inside or outside of your organization. > [!IMPORTANT]
-> You can use outbound spam filter policies to control automatic forwarding to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide&preserve-view=true#how-the-outbound-spam-filter-policy-settings-work-with-other-automatic-email-forwarding-controls).
+> You can use outbound spam filter policies to control automatic forwarding to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](/microsoft-365/security/office-365-security/external-email-forwarding#how-the-outbound-spam-filter-policy-settings-work-with-other-automatic-email-forwarding-controls).
## Configure email forwarding
admin Domain Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/domain-connect.md
localization_priority: Normal -+ - M365-subscription-management - Adm_O365 - Adm_TOC
description: "Learn how to work with Domain Connect enabled registrars and add y
# Using Domain Connect **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
-
-[Domain Connect ](https://www.domainconnect.org/) enabled registrars let you add your domain to Microsoft 365 in a three-step process that takes minutes.
-
+
+[Domain Connect](https://www.domainconnect.org/) enabled registrars let you add your domain to Microsoft 365 in a three-step process that takes minutes.
+ In the wizard, we'll just confirm that you own the domain, and then automatically set up your domain's records, so email comes to Microsoft 365 and other Microsoft 365 services, like Teams, work with your domain.
-
+ > [!NOTE] > Make sure you disable any popup blockers in your browser before you start the setup wizard.
-
+ ## Domain Connect registrars integrating with Microsoft 365 - [1&amp;1 IONOS](https://www.1and1.com/)
In the wizard, we'll just confirm that you own the domain, and then automaticall
- [Plesk](https://www.plesk.com/) - [MediaTemple](https://mediatemple.net/) - SecureServer or WildWestDomains (GoDaddy resellers using SecureServer DNS hosting)
- - [MadDog Web Hosting](https://maddogwebhosting.com/domains/)
- - [CheapNames](https://www.cheapnames.com)
+ - [MadDog Web Hosting](https://maddogwebhosting.com/domains/)
+ - [CheapNames](https://www.cheapnames.com)
## What happens to my email and website? After you finish setup, the MX record for your domain is updated to point to Microsoft 365 and all email for your domain will start coming to Microsoft 365. Make sure you've added users and set up mailboxes in Microsoft 365 for everyone who gets email on your domain!
-
+ If you have a website that you use with your business, it will keep working where it is. The Domain Connect setup steps don't affect your website.
admin Find Your Domain Registrar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/find-your-domain-registrar.md
audience: Admin
localization_priority: Priority-+ - M365-subscription-management - Adm_O365 - Adm_TOC
description: "Learn to find your domain registrar and DNS hosting provider using
# Find your domain registrar
- **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
-
+ **[Check the Domains FAQ](../setup/domains-faq.yml)** if you don't find what you're looking for.
+ ## Domain registrar
-
+ ### Find your domain name registrar
->[!NOTE]
+> [!NOTE]
> Only domains ending in *.COM*, *.NET*, and *.EDU* work with this tool.
-
-1. On the [InterNIC search page](https://go.microsoft.com/fwlink/p/?LinkId=402770), in the **Whois Search** box, type your domain. For example, *contoso.com.*
-
+
+1. On the [InterNIC search page](https://go.microsoft.com/fwlink/p/?LinkId=402770), in the **Whois Search** box, type your domain. For example, *contoso.com.*
+ 2. Select the **Domain** option, and then select **Submit**.
-
-3. On the **Whois Search Results** page, locate the **Registrar** entry. This entry lists the organization that provides registrar service for your domain.
-
+
+3. On the **Whois Search Results** page, locate the **Registrar** entry. This entry lists the organization that provides registrar service for your domain.
+ ## DNS hosting provider
-
+ ### Find your DNS hosting provider
->[!NOTE]
+> [!NOTE]
> Only domains ending in *.COM*, *.NET*, and *.EDU* work with this tool.
-
-1. On the [InterNIC search page]( https://go.microsoft.com/fwlink/p/?LinkId=402770), in the **Whois Search** box, type your domain. For example, contoso.com.
-
+
+1. On the [InterNIC search page](https://go.microsoft.com/fwlink/p/?LinkId=402770), in the **Whois Search** box, type your domain. For example, contoso.com.
+ 2. Select the **Domain** option, and then select **Submit**.
-
-3. On the **Whois Search Results** page, locate the first **Name Server** entry.
-
+
+3. On the **Whois Search Results** page, locate the first **Name Server** entry.
+ 4. Copy the name server (NS) information that appears after the colon (:), and then paste it into the **Search** box at the top of the page. Select **Nameserver**, and then select **Submit**.
-
-5. On the **Whois Search Results** page, locate the **Registrar** entry. This entry lists your DNS hosting provider, the DNS provider who owns the name server for your domain.
-
+
+5. On the **Whois Search Results** page, locate the **Registrar** entry. This entry lists your DNS hosting provider, the DNS provider who owns the name server for your domain.
+
admin Information For Dns Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/information-for-dns-records.md
description: "Gather the values/information you need to create DNS records to co
::: moniker range="o365-worldwide"
-1. In the Microsoft 365 admin center, go to the **Setup** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page.
+1. In the Microsoft 365 admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=854615" target="_blank">Domains</a> page.
+1. In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=854615" target="_blank">Domains</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2007048" target="_blank">Domains</a> page.
+1. In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2007048" target="_blank">Domains</a> page.
::: moniker-end 2. On the **Domains** page, select your domain, then select **Start setup**. You'll go back to the domains setup wizard to see the specific value you need to add.
-3. On the **Verify domain** page, select **Add a TXT record instead**, then select **Next**.
+3. On the **Domain Verification** page, select **Add a TXT record to the domain's DNS records**, then select **Continue**.
4. Copy the **TXT value** shown. It looks like this: **MS=msXXXXXXXX**.
-5. Go to [Create DNS records at any DNS hosting provider](create-dns-records-at-any-dns-hosting-provider.md), and select your DNS host from the list of registrars to see the step-by-step instructions.
+5. Go to [Add DNS records to connect your domain](create-dns-records-at-any-dns-hosting-provider.md), and follow the steps to add records at your DNS host's website.
6. Follow the steps for creating the TXT record (or MX record) at your DNS host, then verify the domain back in Microsoft 365.
description: "Gather the values/information you need to create DNS records to co
::: moniker range="o365-worldwide"
-1. In the Microsoft 365 admin center, go to the **Setup** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page.
+1. In the Microsoft 365 admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=854615" target="_blank">Domains</a> page.
+1. In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=854615" target="_blank">Domains</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2007048" target="_blank">Domains</a> page.
+1. In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2007048" target="_blank">Domains</a> page.
::: moniker-end
-2. On the **Domains** page, select your domain.
+2. On the **Domains** page, select your domain.
-3. Under **Required DNS settings**, you'll see the DNS records to add.
+3. Choose **Manage DNS**, select **More Options** > **Add your own DNS** and select **Continue** to see the DNS records to add.
You'll want to keep this information available while you make changes at your DNS host, so you can copy and paste the values. The groups of DNS records that are listed on the page depend on your choices listed under **Domain purpose**.
-4. Go to [Create DNS records at any DNS hosting provider](create-dns-records-at-any-dns-hosting-provider.md), and then select your DNS host from the list of registrars to see step-by-step instructions for adding records at that DNS host's website.
-
+4. Go to [Add DNS records to connect your domain](create-dns-records-at-any-dns-hosting-provider.md), and follow the steps to add records at your DNS host's website.
+ 5. Follow the steps for creating the records at your DNS host. ## Related content
admin Set Up Your Domain Host Specific Instructions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/set-up-your-domain-host-specific-instructions.md
- Title: "Set up your domain"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- Adm_O365-- Adm_TOC--- AdminSurgePortfolio-- MET150-- MOE150-- BEA160-- GEA150
-description: "Learn how to manage your own DNS records or let Microsoft manage your DNS records for you."
--
-# Set up your domain
-
-To start using a custom domain (contoso.com) with Microsoft 365, you need to verify your domain and configure your domain's DNS records.
-
-You can add and manage DNS records using the administrative tools at your domain host, or give Microsoft control of your domain records and we'll set them up for you.
-
-## Let Microsoft 365 manage your DNS records
-
-Learn how to [change nameservers to set up Microsoft 365 with any domain registrar](change-nameservers-at-any-domain-registrar.md).
-
-## Manage your own DNS records
-
-For instructions, see [Create DNS records at any DNS hosting provider](create-dns-records-at-any-dns-hosting-provider.md)
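Review bot: This deletes set-up-your-domain-host-specific-instructions.md outright, and the only inbound link visibly updated in this batch is the NS-records link in update-dns-records-to-retain-current-hosting-provider.md, which now points to ../setup/add-domain.md. Please confirm that a redirect for the old URL is in place and that no other article still links to the deleted file, and that the two paths it described ("Let Microsoft 365 manage your DNS records" and "Manage your own DNS records") are both reachable from the new target.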
admin Country Region Support Dropdown List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/includes/country-region-support-dropdown-list.md
> - [Nepal](../support/nepal.md) > - [Netherlands](../support/netherlands.md) > - [New Caledonia](../support/new-caledonia.md)
-> - [New Zealand ](../support/new-zealand.md)
+> - [New Zealand](../support/new-zealand.md)
> - [Nicaragua](../support/nicaragua.md) > - [Niue](../support/niue.md) > - [Niger](../support/niger.md)
admin Office365 Admin Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/includes/office365-admin-content-updates.md
| Published On |Topic title | Change | |||--|
-| 12/23/2019 | [Assign admin roles the Microsoft 365 admin center](/Office365/Admin/add-users/assign-admin-roles?view=o365-worldwide) | modified |
-| 12/23/2019 | [Change a user name and email address in Microsoft 365](/Office365/Admin/add-users/change-a-user-name-and-email-address?view=o365-worldwide) | modified |
-| 12/23/2019 | [Let users reset their own passwords in Microsoft 365](/Office365/Admin/add-users/let-users-reset-passwords?view=o365-worldwide) | modified |
-| 12/23/2019 | [Remove a former employee from Microsoft 365](/Office365/Admin/add-users/remove-former-employee?view=o365-worldwide) | modified |
-| 12/23/2019 | [Reset Microsoft 365 Apps for business passwords](/Office365/Admin/add-users/reset-passwords?view=o365-worldwide) | modified |
-| 12/23/2019 | [About the Microsoft 365 admin center](/Office365/Admin/admin-overview/about-the-admin-center?view=o365-worldwide) | modified |
-| 12/23/2019 | [Create organization-wide signatures and disclaimers](/Office365/Admin/setup/create-signatures-and-disclaimers?view=o365-worldwide) | modified |
-| 12/23/2019 | [Set up Microsoft 365 file storage and sharing](/Office365/Admin/setup/set-up-file-storage-and-sharing?view=o365-worldwide) | modified |
-| 12/23/2019 | [Remove licenses from your Microsoft 365 for business subscription](/Office365/Admin/subscriptions-and-billing/remove-licenses-from-subscription?view=o365-worldwide) | modified |
-| 12/23/2019 | [View your bill or invoice](/Office365/Admin/subscriptions-and-billing/view-your-bill-or-invoice?view=o365-worldwide) | modified |
+| 12/23/2019 | [Assign admin roles the Microsoft 365 admin center](/Office365/Admin/add-users/assign-admin-roles) | modified |
+| 12/23/2019 | [Change a user name and email address in Microsoft 365](/Office365/Admin/add-users/change-a-user-name-and-email-address) | modified |
+| 12/23/2019 | [Let users reset their own passwords in Microsoft 365](/Office365/Admin/add-users/let-users-reset-passwords) | modified |
+| 12/23/2019 | [Remove a former employee from Microsoft 365](/Office365/Admin/add-users/remove-former-employee) | modified |
+| 12/23/2019 | [Reset Microsoft 365 Apps for business passwords](/Office365/Admin/add-users/reset-passwords) | modified |
+| 12/23/2019 | [About the Microsoft 365 admin center](/Office365/Admin/admin-overview/about-the-admin-center) | modified |
+| 12/23/2019 | [Create organization-wide signatures and disclaimers](/Office365/Admin/setup/create-signatures-and-disclaimers) | modified |
+| 12/23/2019 | [Set up Microsoft 365 file storage and sharing](/Office365/Admin/setup/set-up-file-storage-and-sharing) | modified |
+| 12/23/2019 | [Remove licenses from your Microsoft 365 for business subscription](/Office365/Admin/subscriptions-and-billing/remove-licenses-from-subscription) | modified |
+| 12/23/2019 | [View your bill or invoice](/Office365/Admin/subscriptions-and-billing/view-your-bill-or-invoice) | modified |
## Week of January 06, 2020
| Published On |Topic title | Change | |||--|
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Active Users](/Office365/Admin/activity-reports/active-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center](/Office365/Admin/activity-reports/activity-reports?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Email activity](/Office365/Admin/activity-reports/email-activity?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Email apps usage](/Office365/Admin/activity-reports/email-apps-usage?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Mailbox usage](/Office365/Admin/activity-reports/mailbox-usage?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Office activations](/Office365/Admin/activity-reports/microsoft-office-activations?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Teams device usage](/Office365/Admin/activity-reports/microsoft-teams-device-usage?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Teams user activity](/Office365/Admin/activity-reports/microsoft-teams-user-activity?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft 365 groups](/Office365/Admin/activity-reports/office-365-groups?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - OneDrive for Business activity](/Office365/Admin/activity-reports/onedrive-for-business-activity?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - OneDrive for Business usage](/Office365/Admin/activity-reports/onedrive-for-business-usage?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - SharePoint activity](/Office365/Admin/activity-reports/sharepoint-activity?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - SharePoint site usage](/Office365/Admin/activity-reports/sharepoint-site-usage?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer activity report](/Office365/Admin/activity-reports/yammer-activity-report?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer device usage report](/Office365/Admin/activity-reports/yammer-device-usage-report?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer groups activity report](/Office365/Admin/activity-reports/yammer-groups-activity-report?view=o365-worldwide) | modified |
-| 1/10/2020 | [About admin roles in the Microsoft 365 admin center](/Office365/Admin/add-users/about-admin-roles?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add users individually or in bulk to Microsoft 365](/Office365/Admin/add-users/add-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [About admin roles](/Office365/Admin/add-users/admin-roles-page?view=o365-worldwide) | modified |
-| 1/10/2020 | [Assign admin roles the Microsoft 365 admin center](/Office365/Admin/add-users/assign-admin-roles?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create, edit, or delete a custom user view in Microsoft 365](/Office365/Admin/add-users/create-edit-or-delete-a-custom-user-view?view=o365-worldwide) | modified |
-| 1/10/2020 | [Get access to and back up a former user's data](/Office365/Admin/add-users/get-access-to-and-back-up-a-former-user-s-data?view=o365-worldwide) | modified |
-| 1/10/2020 | [Give mailbox permissions to another user in Microsoft 365 - Admin Help](/Office365/Admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide) | modified |
-| 1/10/2020 | [Remove a former employee from Microsoft 365](/Office365/Admin/add-users/remove-former-employee?view=o365-worldwide) | modified |
-| 1/10/2020 | [Reset Microsoft 365 Apps for business passwords](/Office365/Admin/add-users/reset-passwords?view=o365-worldwide) | modified |
-| 1/10/2020 | [Restore a user in Microsoft 365](/Office365/Admin/add-users/restore-user?view=o365-worldwide) | modified |
-| 1/10/2020 | [About the Microsoft 365 admin center](/Office365/Admin/admin-overview/about-the-admin-center?view=o365-worldwide) | modified |
-| 1/10/2020 | [Get started with Microsoft 365 for business](/Office365/Admin/admin-overview/get-started-with-office-365?view=o365-worldwide) | modified |
-| 1/10/2020 | [What Microsoft 365 for business subscription do I have?](/Office365/Admin/admin-overview/what-subscription-do-i-have?view=o365-worldwide) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Active Users](/Office365/Admin/activity-reports/active-users) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center](/Office365/Admin/activity-reports/activity-reports) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Email activity](/Office365/Admin/activity-reports/email-activity) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Email apps usage](/Office365/Admin/activity-reports/email-apps-usage) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Mailbox usage](/Office365/Admin/activity-reports/mailbox-usage) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Office activations](/Office365/Admin/activity-reports/microsoft-office-activations) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Teams device usage](/Office365/Admin/activity-reports/microsoft-teams-device-usage) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft Teams user activity](/Office365/Admin/activity-reports/microsoft-teams-user-activity) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Microsoft 365 groups](/Office365/Admin/activity-reports/office-365-groups) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - OneDrive for Business activity](/Office365/Admin/activity-reports/onedrive-for-business-activity) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - OneDrive for Business usage](/Office365/Admin/activity-reports/onedrive-for-business-usage) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - SharePoint activity](/Office365/Admin/activity-reports/sharepoint-activity) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - SharePoint site usage](/Office365/Admin/activity-reports/sharepoint-site-usage) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer activity report](/Office365/Admin/activity-reports/yammer-activity-report) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer device usage report](/Office365/Admin/activity-reports/yammer-device-usage-report) | modified |
+| 1/10/2020 | [Microsoft 365 Reports in the admin center - Yammer groups activity report](/Office365/Admin/activity-reports/yammer-groups-activity-report) | modified |
+| 1/10/2020 | [About admin roles in the Microsoft 365 admin center](/Office365/Admin/add-users/about-admin-roles) | modified |
+| 1/10/2020 | [Add users individually or in bulk to Microsoft 365](/Office365/Admin/add-users/add-users) | modified |
+| 1/10/2020 | [About admin roles](/Office365/Admin/add-users/admin-roles-page) | modified |
+| 1/10/2020 | [Assign admin roles the Microsoft 365 admin center](/Office365/Admin/add-users/assign-admin-roles) | modified |
+| 1/10/2020 | [Create, edit, or delete a custom user view in Microsoft 365](/Office365/Admin/add-users/create-edit-or-delete-a-custom-user-view) | modified |
+| 1/10/2020 | [Get access to and back up a former user's data](/Office365/Admin/add-users/get-access-to-and-back-up-a-former-user-s-data) | modified |
+| 1/10/2020 | [Give mailbox permissions to another user in Microsoft 365 - Admin Help](/Office365/Admin/add-users/give-mailbox-permissions-to-another-user) | modified |
+| 1/10/2020 | [Remove a former employee from Microsoft 365](/Office365/Admin/add-users/remove-former-employee) | modified |
+| 1/10/2020 | [Reset Microsoft 365 Apps for business passwords](/Office365/Admin/add-users/reset-passwords) | modified |
+| 1/10/2020 | [Restore a user in Microsoft 365](/Office365/Admin/add-users/restore-user) | modified |
+| 1/10/2020 | [About the Microsoft 365 admin center](/Office365/Admin/admin-overview/about-the-admin-center) | modified |
+| 1/10/2020 | [Get started with Microsoft 365 for business](/Office365/Admin/admin-overview/get-started-with-office-365) | modified |
+| 1/10/2020 | [What Microsoft 365 for business subscription do I have?](/Office365/Admin/admin-overview/what-subscription-do-i-have) | modified |
| 1/10/2020 | [Contact support for business products - Admin Help](../../business-video/get-help-support.md) | modified |
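Review bot: The added row for `/Office365/Admin/add-users/assign-admin-roles` keeps the title "Assign admin roles the Microsoft 365 admin center", which is missing "in". The row is being rewritten anyway, so correct the link text in the same change. The other rows in this block differ from their removed counterparts only by the dropped `?view=o365-worldwide` query, so the description of the change should say that the link target is the only thing that moved.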
-| 1/10/2020 | [Compare groups in Office 365](/Office365/Admin/create-groups/compare-groups?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create a Microsoft 365 group in the admin center](/Office365/Admin/create-groups/create-groups?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 Group Expiration Policy](/Office365/Admin/create-groups/office-365-groups-expiration-policy?view=o365-worldwide) | modified |
-| 1/10/2020 | [Overview of Microsoft 365 Groups for administrators](/Office365/Admin/create-groups/office-365-groups?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add or edit custom DNS records in Office 365](/Office365/Admin/dns/add-or-edit-custom-dns-records?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with 1&1 IONOS](/Office365/Admin/dns/change-nameservers-at-1-1-internet?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with Amazon Web Services (AWS)](/Office365/Admin/dns/change-nameservers-at-aws?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with Bluehost](/Office365/Admin/dns/change-nameservers-at-bluehost?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with Google Domains](/Office365/Admin/dns/change-nameservers-at-google-domains?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with Hostgator](/Office365/Admin/dns/change-nameservers-at-hostgator?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with MyDomain](/Office365/Admin/dns/change-nameservers-at-mydomain?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with Network Solutions](/Office365/Admin/dns/change-nameservers-at-network-solutions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at 1&1 IONOS for Office 365](/Office365/Admin/dns/create-dns-records-at-1-1-internet?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at 123-reg.co.uk for Office 365](/Office365/Admin/dns/create-dns-records-at-123-reg-co-uk?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Amazon Web Services (AWS) for Office 365](/Office365/Admin/dns/create-dns-records-at-aws?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Bluehost for Office 365](/Office365/Admin/dns/create-dns-records-at-bluehost?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Crazy Domains for Office 365](/Office365/Admin/dns/create-dns-records-at-crazy-domains?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at DNSMadeEasy for Office 365](/Office365/Admin/dns/create-dns-records-at-dnsmadeeasy?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Dyn.com for Office 365](/Office365/Admin/dns/create-dns-records-at-dyn-com?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at eNomCentral for Office 365](/Office365/Admin/dns/create-dns-records-at-enomcentral?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at GoDaddy for Office 365](/Office365/Admin/dns/create-dns-records-at-godaddy?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Google Domains for Office 365](/Office365/Admin/dns/create-dns-records-at-google-domains?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Hostgator for Office 365](/Office365/Admin/dns/create-dns-records-at-hostgator?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Hover for Office 365](/Office365/Admin/dns/create-dns-records-at-hover?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at MyDomain for Office 365](/Office365/Admin/dns/create-dns-records-at-mydomain?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at name.com for Office 365](/Office365/Admin/dns/create-dns-records-at-name-com?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Names.co.uk for Office 365](/Office365/Admin/dns/create-dns-records-at-names-co-uk?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Network Solutions for Office 365](/Office365/Admin/dns/create-dns-records-at-network-solutions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Register.com for Office 365](/Office365/Admin/dns/create-dns-records-at-register-com?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Register365 for Office 365](/Office365/Admin/dns/create-dns-records-at-register365?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at Yahoo! Small Business for Office 365](/Office365/Admin/dns/create-dns-records-at-yahoo-small-business?view=o365-worldwide) | modified |
-| 1/10/2020 | [About shared mailboxes](/Office365/Admin/email/about-shared-mailboxes?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add a user or contact to an Office 365 distribution group](/Office365/Admin/email/add-user-or-contact-to-distribution-list?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change your email address to use your custom domain](/Office365/Admin/email/change-email-address?view=o365-worldwide) | modified |
-| 1/10/2020 | [Configure a shared mailbox](/Office365/Admin/email/configure-a-shared-mailbox?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create a shared mailbox](/Office365/Admin/email/create-a-shared-mailbox?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create, edit, or delete a security group in the Microsoft 365 admin center](/Office365/Admin/email/create-edit-or-delete-a-security-group?view=o365-worldwide) | modified |
-| 1/10/2020 | [Email collaboration in Office 365](/Office365/Admin/email/email-collaboration?view=o365-worldwide) | modified |
-| 1/10/2020 | [Manage email app access in Microsoft 365 admin center](/Office365/Admin/email/manage-email-app-access?view=o365-worldwide) | modified |
-| 1/10/2020 | [Resolve issues with shared mailboxes](/Office365/Admin/email/resolve-issues-with-shared-mailboxes?view=o365-worldwide) | modified |
-| 1/10/2020 | [Buy a domain name in Office 365](/Office365/Admin/get-help-with-domains/buy-a-domain-name?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change nameservers to set up Office 365 with any domain registrar](/Office365/Admin/get-help-with-domains/change-nameservers-at-any-domain-registrar?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create DNS records at any DNS hosting provider for Office 365](/Office365/Admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide) | modified |
-| 1/10/2020 | [DNS basics](/Office365/Admin/get-help-with-domains/dns-basics?view=o365-worldwide) | modified |
-| 1/10/2020 | [Using Domain Connect](/Office365/Admin/get-help-with-domains/domain-connect?view=o365-worldwide) | modified |
-| 1/10/2020 | [Find your domain registrar for Office 365](/Office365/Admin/get-help-with-domains/find-your-domain-registrar?view=o365-worldwide) | modified |
-| 1/10/2020 | [Get help with Office 365 domains](/Office365/Admin/get-help-with-domains/get-help-with-domains?view=o365-worldwide) | modified |
-| 1/10/2020 | [Remove a domain from Office 365](/Office365/Admin/get-help-with-domains/remove-a-domain?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up your domain (host-specific instructions)](/Office365/Admin/get-help-with-domains/set-up-your-domain-host-specific-instructions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Assign licenses to users](/Office365/Admin/manage/assign-licenses-to-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change your organization's address, technical contact, and more](/Office365/Admin/manage/change-address-contact-and-more?view=o365-worldwide) | modified |
-| 1/10/2020 | [Change your contact preferences for communications from Microsoft](/Office365/Admin/manage/change-contact-preferences?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add custom tiles to the app launcher](/Office365/Admin/manage/customize-the-app-launcher?view=o365-worldwide) | modified |
-| 1/10/2020 | [Manage deployment of Office 365 add-ins in the admin center](/Office365/Admin/manage/manage-deployment-of-add-ins?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up the Standard or Targeted release options in Office 365](/Office365/Admin/manage/release-options-in-office-365?view=o365-worldwide) | modified |
-| 1/10/2020 | [Unassign licenses from users](/Office365/Admin/manage/remove-licenses-from-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Room and equipment mailboxes](/Office365/Admin/manage/room-and-equipment-mailboxes?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set the password expiration policy for your organization](/Office365/Admin/manage/set-password-expiration-policy?view=o365-worldwide) | modified |
-| 1/10/2020 | [Share calendars with external users](/Office365/Admin/manage/share-calendars-with-external-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Share sites and files externally](/Office365/Admin/manage/share-sites-with-external-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Stay on top of Office 365 changes](/Office365/Admin/manage/stay-on-top-of-updates?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add, change, or delete a subscription advisor partner](/Office365/Admin/misc/add-partner?view=o365-worldwide) | modified |
-| 1/10/2020 | [Become the admin and purchase Office 365 for your organization](/Office365/Admin/misc/become-admin-and-make-purchases?view=o365-worldwide) | modified |
-| 1/10/2020 | [Perform an internal admin takeover in Office 365](/Office365/Admin/misc/become-the-admin?view=o365-worldwide) | modified |
-| 1/10/2020 | [Compare ways to block access to Office 365](/Office365/Admin/misc/compare-ways-to-block-access?view=o365-worldwide) | modified |
-| 1/10/2020 | [Quick help Contacts](/Office365/Admin/misc/contacts?view=o365-worldwide) | modified |
-| 1/10/2020 | [Cortana integration with Office 365](/Office365/Admin/misc/cortana-integration?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add customized help desk info to the Office 365 help pane](/Office365/Admin/misc/customize-help-desk?view=o365-worldwide) | modified |
-| 1/10/2020 | [Quick help Deleted user](/Office365/Admin/misc/deleted-user?view=o365-worldwide) | modified |
-| 1/10/2020 | [Quick help Deleted users checklist](/Office365/Admin/misc/deleted-users-checklist?view=o365-worldwide) | modified |
-| 1/10/2020 | [Device list CSV-file](/Office365/Admin/misc/device-list?view=o365-worldwide) | modified |
-| 1/10/2020 | [Understand your e-Invoice for Office 365 for business (Taiwan)](/Office365/Admin/misc/e-invoice-of-your-subscription-in-taiwan?view=o365-worldwide) | modified |
-| 1/10/2020 | [Turning Integrated Apps on or off](/Office365/Admin/misc/integrated-apps?view=o365-worldwide) | modified |
-| 1/10/2020 | [License restrictions for Office 365](/Office365/Admin/misc/license-restrictions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Manage licenses for devices](/Office365/Admin/misc/manage-licenses-for-devices?view=o365-worldwide) | modified |
-| 1/10/2020 | [Password policy recommendations for Office 365](/Office365/Admin/misc/password-policy-recommendations?view=o365-worldwide) | modified |
-| 1/10/2020 | [Problems with your Office 365 for business product key?](/Office365/Admin/misc/product-key-errors-and-solutions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Using self-service sign up in your organization](/Office365/Admin/misc/self-service-sign-up?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up Outlook to read email](/Office365/Admin/misc/set-up-outlook-to-read-email?view=o365-worldwide) | modified |
-| 1/10/2020 | [Your domain may be in use if someone else in your organization signed up with it](/Office365/Admin/misc/sign-up-for-online-services?view=o365-worldwide) | modified |
-| 1/10/2020 | [Top billing questions for Office 365 for business](/Office365/Admin/misc/top-billing-questions?view=o365-worldwide) | modified |
-| 1/10/2020 | [Quick help Types of users](/Office365/Admin/misc/types-of-users?view=o365-worldwide) | modified |
-| 1/10/2020 | [Use your Office 365 promo code to reduce price](/Office365/Admin/misc/use-a-promo-code?view=o365-worldwide) | modified |
-| 1/10/2020 | [Quick help Ways to manage contacts](/Office365/Admin/misc/ways-to-manage-contacts?view=o365-worldwide) | modified |
-| 1/10/2020 | [What happens if I cancel a subscription?](/Office365/Admin/misc/what-happens-if-i-cancel?view=o365-worldwide) | modified |
-| 1/10/2020 | [Why can't I switch Office 365 for business plans?](/Office365/Admin/misc/why-can-t-i-switch-plans?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
+| 1/10/2020 | [Compare groups in Office 365](/Office365/Admin/create-groups/compare-groups) | modified |
+| 1/10/2020 | [Create a Microsoft 365 group in the admin center](/Office365/Admin/create-groups/create-groups) | modified |
+| 1/10/2020 | [Microsoft 365 Group Expiration Policy](/Office365/Admin/create-groups/office-365-groups-expiration-policy) | modified |
+| 1/10/2020 | [Overview of Microsoft 365 Groups for administrators](/Office365/Admin/create-groups/office-365-groups) | modified |
+| 1/10/2020 | [Add or edit custom DNS records in Office 365](/Office365/Admin/dns/add-or-edit-custom-dns-records) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with 1&1 IONOS](/Office365/Admin/dns/change-nameservers-at-1-1-internet) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with Amazon Web Services (AWS)](/Office365/Admin/dns/change-nameservers-at-aws) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with Bluehost](/Office365/Admin/dns/change-nameservers-at-bluehost) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with Google Domains](/Office365/Admin/dns/change-nameservers-at-google-domains) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with Hostgator](/Office365/Admin/dns/change-nameservers-at-hostgator) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with MyDomain](/Office365/Admin/dns/change-nameservers-at-mydomain) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with Network Solutions](/Office365/Admin/dns/change-nameservers-at-network-solutions) | modified |
+| 1/10/2020 | [Create DNS records at 1&1 IONOS for Office 365](/Office365/Admin/dns/create-dns-records-at-1-1-internet) | modified |
+| 1/10/2020 | [Create DNS records at 123-reg.co.uk for Office 365](/Office365/Admin/dns/create-dns-records-at-123-reg-co-uk) | modified |
+| 1/10/2020 | [Create DNS records at Amazon Web Services (AWS) for Office 365](/Office365/Admin/dns/create-dns-records-at-aws) | modified |
+| 1/10/2020 | [Create DNS records at Bluehost for Office 365](/Office365/Admin/dns/create-dns-records-at-bluehost) | modified |
+| 1/10/2020 | [Create DNS records at Crazy Domains for Office 365](/Office365/Admin/dns/create-dns-records-at-crazy-domains) | modified |
+| 1/10/2020 | [Create DNS records at DNSMadeEasy for Office 365](/Office365/Admin/dns/create-dns-records-at-dnsmadeeasy) | modified |
+| 1/10/2020 | [Create DNS records at Dyn.com for Office 365](/Office365/Admin/dns/create-dns-records-at-dyn-com) | modified |
+| 1/10/2020 | [Create DNS records at eNomCentral for Office 365](/Office365/Admin/dns/create-dns-records-at-enomcentral) | modified |
+| 1/10/2020 | [Create DNS records at GoDaddy for Office 365](/Office365/Admin/dns/create-dns-records-at-godaddy) | modified |
+| 1/10/2020 | [Create DNS records at Google Domains for Office 365](/Office365/Admin/dns/create-dns-records-at-google-domains) | modified |
+| 1/10/2020 | [Create DNS records at Hostgator for Office 365](/Office365/Admin/dns/create-dns-records-at-hostgator) | modified |
+| 1/10/2020 | [Create DNS records at Hover for Office 365](/Office365/Admin/dns/create-dns-records-at-hover) | modified |
+| 1/10/2020 | [Create DNS records at MyDomain for Office 365](/Office365/Admin/dns/create-dns-records-at-mydomain) | modified |
+| 1/10/2020 | [Create DNS records at name.com for Office 365](/Office365/Admin/dns/create-dns-records-at-name-com) | modified |
+| 1/10/2020 | [Create DNS records at Names.co.uk for Office 365](/Office365/Admin/dns/create-dns-records-at-names-co-uk) | modified |
+| 1/10/2020 | [Create DNS records at Network Solutions for Office 365](/Office365/Admin/dns/create-dns-records-at-network-solutions) | modified |
+| 1/10/2020 | [Create DNS records at Register.com for Office 365](/Office365/Admin/dns/create-dns-records-at-register-com) | modified |
+| 1/10/2020 | [Create DNS records at Register365 for Office 365](/Office365/Admin/dns/create-dns-records-at-register365) | modified |
+| 1/10/2020 | [Create DNS records at Yahoo! Small Business for Office 365](/Office365/Admin/dns/create-dns-records-at-yahoo-small-business) | modified |
+| 1/10/2020 | [About shared mailboxes](/Office365/Admin/email/about-shared-mailboxes) | modified |
+| 1/10/2020 | [Add a user or contact to an Office 365 distribution group](/Office365/Admin/email/add-user-or-contact-to-distribution-list) | modified |
+| 1/10/2020 | [Change your email address to use your custom domain](/Office365/Admin/email/change-email-address) | modified |
+| 1/10/2020 | [Configure a shared mailbox](/Office365/Admin/email/configure-a-shared-mailbox) | modified |
+| 1/10/2020 | [Create a shared mailbox](/Office365/Admin/email/create-a-shared-mailbox) | modified |
+| 1/10/2020 | [Create, edit, or delete a security group in the Microsoft 365 admin center](/Office365/Admin/email/create-edit-or-delete-a-security-group) | modified |
+| 1/10/2020 | [Email collaboration in Office 365](/Office365/Admin/email/email-collaboration) | modified |
+| 1/10/2020 | [Manage email app access in Microsoft 365 admin center](/Office365/Admin/email/manage-email-app-access) | modified |
+| 1/10/2020 | [Resolve issues with shared mailboxes](/Office365/Admin/email/resolve-issues-with-shared-mailboxes) | modified |
+| 1/10/2020 | [Buy a domain name in Office 365](/Office365/Admin/get-help-with-domains/buy-a-domain-name) | modified |
+| 1/10/2020 | [Change nameservers to set up Office 365 with any domain registrar](/Office365/Admin/get-help-with-domains/change-nameservers-at-any-domain-registrar) | modified |
+| 1/10/2020 | [Create DNS records at any DNS hosting provider for Office 365](/Office365/Admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) | modified |
+| 1/10/2020 | [DNS basics](/Office365/Admin/get-help-with-domains/dns-basics) | modified |
+| 1/10/2020 | [Using Domain Connect](/Office365/Admin/get-help-with-domains/domain-connect) | modified |
+| 1/10/2020 | [Find your domain registrar for Office 365](/Office365/Admin/get-help-with-domains/find-your-domain-registrar) | modified |
+| 1/10/2020 | [Get help with Office 365 domains](/Office365/Admin/get-help-with-domains/get-help-with-domains) | modified |
+| 1/10/2020 | [Remove a domain from Office 365](/Office365/Admin/get-help-with-domains/remove-a-domain) | modified |
+| 1/10/2020 | [Set up your domain (host-specific instructions)](/Office365/Admin/get-help-with-domains/set-up-your-domain-host-specific-instructions) | modified |
+| 1/10/2020 | [Assign licenses to users](/Office365/Admin/manage/assign-licenses-to-users) | modified |
+| 1/10/2020 | [Change your organization's address, technical contact, and more](/Office365/Admin/manage/change-address-contact-and-more) | modified |
+| 1/10/2020 | [Change your contact preferences for communications from Microsoft](/Office365/Admin/manage/change-contact-preferences) | modified |
+| 1/10/2020 | [Add custom tiles to the app launcher](/Office365/Admin/manage/customize-the-app-launcher) | modified |
+| 1/10/2020 | [Manage deployment of Office 365 add-ins in the admin center](/Office365/Admin/manage/manage-deployment-of-add-ins) | modified |
+| 1/10/2020 | [Set up the Standard or Targeted release options in Office 365](/Office365/Admin/manage/release-options-in-office-365) | modified |
+| 1/10/2020 | [Unassign licenses from users](/Office365/Admin/manage/remove-licenses-from-users) | modified |
+| 1/10/2020 | [Room and equipment mailboxes](/Office365/Admin/manage/room-and-equipment-mailboxes) | modified |
+| 1/10/2020 | [Set the password expiration policy for your organization](/Office365/Admin/manage/set-password-expiration-policy) | modified |
+| 1/10/2020 | [Share calendars with external users](/Office365/Admin/manage/share-calendars-with-external-users) | modified |
+| 1/10/2020 | [Share sites and files externally](/Office365/Admin/manage/share-sites-with-external-users) | modified |
+| 1/10/2020 | [Stay on top of Office 365 changes](/Office365/Admin/manage/stay-on-top-of-updates) | modified |
+| 1/10/2020 | [Add, change, or delete a subscription advisor partner](/Office365/Admin/misc/add-partner) | modified |
+| 1/10/2020 | [Become the admin and purchase Office 365 for your organization](/Office365/Admin/misc/become-admin-and-make-purchases) | modified |
+| 1/10/2020 | [Perform an internal admin takeover in Office 365](/Office365/Admin/misc/become-the-admin) | modified |
+| 1/10/2020 | [Compare ways to block access to Office 365](/Office365/Admin/misc/compare-ways-to-block-access) | modified |
+| 1/10/2020 | [Quick help Contacts](/Office365/Admin/misc/contacts) | modified |
+| 1/10/2020 | [Cortana integration with Office 365](/Office365/Admin/misc/cortana-integration) | modified |
+| 1/10/2020 | [Add customized help desk info to the Office 365 help pane](/Office365/Admin/misc/customize-help-desk) | modified |
+| 1/10/2020 | [Quick help Deleted user](/Office365/Admin/misc/deleted-user) | modified |
+| 1/10/2020 | [Quick help Deleted users checklist](/Office365/Admin/misc/deleted-users-checklist) | modified |
+| 1/10/2020 | [Device list CSV-file](/Office365/Admin/misc/device-list) | modified |
+| 1/10/2020 | [Understand your e-Invoice for Office 365 for business (Taiwan)](/Office365/Admin/misc/e-invoice-of-your-subscription-in-taiwan) | modified |
+| 1/10/2020 | [Turning Integrated Apps on or off](/Office365/Admin/misc/integrated-apps) | modified |
+| 1/10/2020 | [License restrictions for Office 365](/Office365/Admin/misc/license-restrictions) | modified |
+| 1/10/2020 | [Manage licenses for devices](/Office365/Admin/misc/manage-licenses-for-devices) | modified |
+| 1/10/2020 | [Password policy recommendations for Office 365](/Office365/Admin/misc/password-policy-recommendations) | modified |
+| 1/10/2020 | [Problems with your Office 365 for business product key?](/Office365/Admin/misc/product-key-errors-and-solutions) | modified |
+| 1/10/2020 | [Using self-service sign up in your organization](/Office365/Admin/misc/self-service-sign-up) | modified |
+| 1/10/2020 | [Set up Outlook to read email](/Office365/Admin/misc/set-up-outlook-to-read-email) | modified |
+| 1/10/2020 | [Your domain may be in use if someone else in your organization signed up with it](/Office365/Admin/misc/sign-up-for-online-services) | modified |
+| 1/10/2020 | [Top billing questions for Office 365 for business](/Office365/Admin/misc/top-billing-questions) | modified |
+| 1/10/2020 | [Quick help Types of users](/Office365/Admin/misc/types-of-users) | modified |
+| 1/10/2020 | [Use your Office 365 promo code to reduce price](/Office365/Admin/misc/use-a-promo-code) | modified |
+| 1/10/2020 | [Quick help Ways to manage contacts](/Office365/Admin/misc/ways-to-manage-contacts) | modified |
+| 1/10/2020 | [What happens if I cancel a subscription?](/Office365/Admin/misc/what-happens-if-i-cancel) | modified |
+| 1/10/2020 | [Why can't I switch Office 365 for business plans?](/Office365/Admin/misc/why-can-t-i-switch-plans) | modified |
+| 1/10/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication) | modified |
| 1/10/2020 | [Buy or try subscriptions for Office 365 operated by 21Vianet](/Office365/Admin/services-in-china/buy-or-try-subscriptions?view=o365-21vianet) | modified | | 1/10/2020 | [Create DNS records for Office 365 when you manage your DNS records](/Office365/Admin/services-in-china/create-dns-records-when-you-manage-your-dns-records?view=o365-21vianet) | modified | | 1/10/2020 | [What's the purpose of the Office 365 CNAME record for MSOID?](/Office365/Admin/services-in-china/purpose-of-cname?view=o365-21vianet) | modified | | 1/10/2020 | [Office 365 operated by 21Vianet](/Office365/Admin/services-in-china/services-in-china?view=o365-21vianet) | modified |
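Review bot: The unchanged 21Vianet rows here still pin `?view=o365-21vianet`, while every row added above them drops `?view=o365-worldwide`, so the table now mixes version-pinned and unpinned links. Confirm that the unqualified links resolve to the intended version of each article, and state in the change description that the 21Vianet rows are deliberately left pinned. The security-relevant entries (admin roles, password policy, multi-factor authentication, blocking access) are the ones worth spot-checking after the change.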
-| 1/10/2020 | [Add a domain to Office 365](/Office365/Admin/setup/add-domain?view=o365-worldwide) | modified |
-| 1/10/2020 | [Create distribution groups in the Microsoft 365 admin center](/Office365/Admin/setup/create-distribution-lists?view=o365-worldwide) | modified |
-| 1/10/2020 | [Domains FAQ](/Office365/Admin/setup/domains-faq?view=o365-worldwide) | modified |
-| 1/10/2020 | [Migrate email and contacts to Office 365](/Office365/Admin/setup/migrate-email-and-contacts-admin?view=o365-worldwide) | modified |
-| 1/10/2020 | [Plan your setup of Office 365 for business](/Office365/Admin/setup/plan-your-setup?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up Office 365 file storage and sharing](/Office365/Admin/setup/set-up-file-storage-and-sharing?view=o365-worldwide) | modified |
-| 1/10/2020 | [Set up Office 365 for business](/Office365/Admin/setup/setup?view=o365-worldwide) | modified |
-| 1/10/2020 | [Add storage space for your subscription](/Office365/Admin/subscriptions-and-billing/add-storage-space?view=o365-worldwide) | modified |
-| 1/10/2020 | [Buy a subscription to Office 365 for business from your free trial](/Office365/Admin/subscriptions-and-billing/buy-a-subscription-from-your-free-trial?view=o365-worldwide) | modified |
-| 1/10/2020 | [Buy another Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/buy-another-subscription?view=o365-worldwide) | modified |
-| 1/10/2020 | [Buy licenses for your Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/buy-licenses?view=o365-worldwide) | modified |
-| 1/10/2020 | [Buy or edit an add-on for Office 365 for business](/Office365/Admin/subscriptions-and-billing/buy-or-edit-an-add-on?view=o365-worldwide) | modified |
-| 1/10/2020 | [Cancel your subscription](/Office365/Admin/subscriptions-and-billing/cancel-your-subscription?view=o365-worldwide) | modified |
-| 1/10/2020 | [Extend your trial for Office 365 for business](/Office365/Admin/subscriptions-and-billing/extend-your-trial?view=o365-worldwide) | modified |
-| 1/10/2020 | [Remove licenses from your Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/remove-licenses-from-subscription?view=o365-worldwide) | modified |
-| 1/10/2020 | [Switch to a different Office 365 for business plan](/Office365/Admin/subscriptions-and-billing/switch-to-a-different-plan?view=o365-worldwide) | modified |
-| 1/10/2020 | [View your bill or invoice](/Office365/Admin/subscriptions-and-billing/view-your-bill-or-invoice?view=o365-worldwide) | modified |
-| 1/10/2020 | [What does upgrading Office 365 plans do to my service and billing?](/Office365/Admin/subscriptions-and-billing/what-does-switching-plans-do-to-my-service-and-billing?view=o365-worldwide) | modified |
-| 1/10/2020 | [What happens to my data and access when my subscription ends?](/Office365/Admin/subscriptions-and-billing/what-if-my-subscription-expires?view=o365-worldwide) | modified |
-| 1/10/2020 | [Enable Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/enable-usage-analytics?view=o365-worldwide) | modified |
-| 1/10/2020 | [Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/usage-analytics?view=o365-worldwide) | modified |
+| 1/10/2020 | [Add a domain to Office 365](/Office365/Admin/setup/add-domain) | modified |
+| 1/10/2020 | [Create distribution groups in the Microsoft 365 admin center](/Office365/Admin/setup/create-distribution-lists) | modified |
+| 1/10/2020 | [Domains FAQ](/Office365/Admin/setup/domains-faq) | modified |
+| 1/10/2020 | [Migrate email and contacts to Office 365](/Office365/Admin/setup/migrate-email-and-contacts-admin) | modified |
+| 1/10/2020 | [Plan your setup of Office 365 for business](/Office365/Admin/setup/plan-your-setup) | modified |
+| 1/10/2020 | [Set up Office 365 file storage and sharing](/Office365/Admin/setup/set-up-file-storage-and-sharing) | modified |
+| 1/10/2020 | [Set up Office 365 for business](/Office365/Admin/setup/setup) | modified |
+| 1/10/2020 | [Add storage space for your subscription](/Office365/Admin/subscriptions-and-billing/add-storage-space) | modified |
+| 1/10/2020 | [Buy a subscription to Office 365 for business from your free trial](/Office365/Admin/subscriptions-and-billing/buy-a-subscription-from-your-free-trial) | modified |
+| 1/10/2020 | [Buy another Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/buy-another-subscription) | modified |
+| 1/10/2020 | [Buy licenses for your Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/buy-licenses) | modified |
+| 1/10/2020 | [Buy or edit an add-on for Office 365 for business](/Office365/Admin/subscriptions-and-billing/buy-or-edit-an-add-on) | modified |
+| 1/10/2020 | [Cancel your subscription](/Office365/Admin/subscriptions-and-billing/cancel-your-subscription) | modified |
+| 1/10/2020 | [Extend your trial for Office 365 for business](/Office365/Admin/subscriptions-and-billing/extend-your-trial) | modified |
+| 1/10/2020 | [Remove licenses from your Office 365 for business subscription](/Office365/Admin/subscriptions-and-billing/remove-licenses-from-subscription) | modified |
+| 1/10/2020 | [Switch to a different Office 365 for business plan](/Office365/Admin/subscriptions-and-billing/switch-to-a-different-plan) | modified |
+| 1/10/2020 | [View your bill or invoice](/Office365/Admin/subscriptions-and-billing/view-your-bill-or-invoice) | modified |
+| 1/10/2020 | [What does upgrading Office 365 plans do to my service and billing?](/Office365/Admin/subscriptions-and-billing/what-does-switching-plans-do-to-my-service-and-billing) | modified |
+| 1/10/2020 | [What happens to my data and access when my subscription ends?](/Office365/Admin/subscriptions-and-billing/what-if-my-subscription-expires) | modified |
+| 1/10/2020 | [Enable Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/enable-usage-analytics) | modified |
+| 1/10/2020 | [Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/usage-analytics) | modified |
## Week of January 13, 2020
| Published On |Topic title | Change | |||--|
-| 1/14/2020 | [Change your payment frequency](/Office365/Admin/subscriptions-and-billing/change-payment-frequency?view=o365-worldwide) | modified |
-| 1/14/2020 | [Enable Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/enable-usage-analytics?view=o365-worldwide) | modified |
-| 1/14/2020 | [Microsoft 365 usage analytics data model](/Office365/Admin/usage-analytics/usage-analytics-data-model?view=o365-worldwide) | modified |
-| 1/14/2020 | [Cancel your subscription](/Office365/Admin/subscriptions-and-billing/cancel-your-subscription?view=o365-worldwide) | modified |
-| 1/14/2020 | [Customize the reports in Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/customize-reports?view=o365-worldwide) | modified |
-| 1/15/2020 | [Manage payment methods](/Office365/Admin/subscriptions-and-billing/manage-payment-methods?view=o365-worldwide) | modified |
-| 1/17/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
+| 1/14/2020 | [Change your payment frequency](/Office365/Admin/subscriptions-and-billing/change-payment-frequency) | modified |
+| 1/14/2020 | [Enable Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/enable-usage-analytics) | modified |
+| 1/14/2020 | [Microsoft 365 usage analytics data model](/Office365/Admin/usage-analytics/usage-analytics-data-model) | modified |
+| 1/14/2020 | [Cancel your subscription](/Office365/Admin/subscriptions-and-billing/cancel-your-subscription) | modified |
+| 1/14/2020 | [Customize the reports in Microsoft 365 usage analytics](/Office365/Admin/usage-analytics/customize-reports) | modified |
+| 1/15/2020 | [Manage payment methods](/Office365/Admin/subscriptions-and-billing/manage-payment-methods) | modified |
+| 1/17/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication) | modified |
## Week of January 20, 2020
| Published On |Topic title | Change | |||--|
-| 1/21/2020 | [Set the password expiration policy for your organization](/Office365/Admin/manage/set-password-expiration-policy?view=o365-worldwide) | modified |
-| 1/21/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
-| 1/21/2020 | [Upgrade your Office 365 for business users to the latest Office client](/Office365/Admin/setup/upgrade-users-to-latest-office-client?view=o365-worldwide) | modified |
+| 1/21/2020 | [Set the password expiration policy for your organization](/Office365/Admin/manage/set-password-expiration-policy) | modified |
+| 1/21/2020 | [Set up multi-factor authentication for users](/Office365/Admin/security-and-compliance/set-up-multi-factor-authentication) | modified |
+| 1/21/2020 | [Upgrade your Office 365 for business users to the latest Office client](/Office365/Admin/setup/upgrade-users-to-latest-office-client) | modified |
admin Centralized Deployment FAQ https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-FAQ.md
Centralized Deployment supports assignments to individual users, groups, and eve
It is better to use groups assignments instead of individual user assignment for easier management.
-For more details, see [User and Group assignments](./centralized-deployment-of-add-ins.md?view=o365-worldwide#user-and-group-assignments).ΓÇ»
+For more details, see [User and Group assignments](./centralized-deployment-of-add-ins.md#user-and-group-assignments).ΓÇ»
ΓÇ» ## How long does it take for add-ins to show up for all users?ΓÇ»
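Review bot: the added "For more details, see [User and Group assignments](...)" line still ends with the stray trailing character that renders here as "ΓÇ»" (a mis-decoded no-break space), and the heading in the context line below carries the same character at both ends. This change only drops `?view=o365-worldwide` from the link, so the invisible character survives the cleanup. Suggest stripping it in the same pass so the sentence ends at the period and the heading line starts at `##`.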
Global Admin is the recommended role with complete access to add-in management l
Your subscription comes with a set of admin roles that you can assign to other users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to perform specific tasks in the Microsoft 365 admin center.
-For more information, see [Assign admin roles](../add-users/assign-admin-roles.md?view=o365-worldwide).ΓÇ»
+For more information, see [Assign admin roles](../add-users/assign-admin-roles.md).ΓÇ»
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
audience: Admin
localization_priority: Normal--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_TOC
description: "Determine if your tenant and users meet the requirements, so that
Centralized Deployment is the recommended and most feature-rich way for most customers to deploy Office add-ins to users and groups within your organization. If you're an admin, use this guidance to determine if your organization and users meet the requirements so that you can use Centralized Deployment. Centralized Deployment provides the following benefits:
-
+ - A Global admin can assign an add-in directly to a user, to multiple users via a group, or to everyone in the organization.
-
+ - When the relevant Office application starts, the add-in automatically downloads. If the add-in supports add-in commands, the add-in automatically appears in the ribbon within the Office application.
-
+ - Add-ins no longer appear for users if the admin turns off or deletes the add-in, or if the user is removed from Azure Active Directory or from a group that the add-in is assigned to. Centralized Deployment supports three desktop platforms Windows, Mac and Online Office apps. Centralized Deployment also supports iOS and Android (Outlook Mobile Add-ins Only). It can take up to 24 hours for an add-in to show up for client for all users.
-
+ ## Before you begin Centralized deployment of add-ins requires that the users are using Microsoft 365 Enterprise SKUs: E3/E5/F3 or Business SKUs: Business Basic, Business Standard, Business Premium (and are signed into Office using their organizational ID), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory. You can view specific requirements for Office and Exchange below, or use the [Centralized Deployment Compatibility Checker](#centralized-deployment-compatibility-checker). Centralized Deployment doesn't support the following:
-
-- Add-ins that target Word, Excel, or PowerPoint in Office 2013 +
+- Add-ins that target Word, Excel, or PowerPoint in Office 2013
- An on-premises directory service - Add-in Deployment to an Exchange On-Prem Mailbox-- Add-in deployment to SharePoint
+- Add-in deployment to SharePoint
- Teams apps - Deployment of Component Object Model (COM) or Visual Studio Tools for Office (VSTO) add-ins. - Deployments of Microsoft 365 that do not include Exchange Online such as SKUs: Microsoft 365 Apps for Business and Microsoft 365 Apps for Enterprise.
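Review bot: the third benefit bullet says add-ins "no longer appear" once the admin turns off or deletes the add-in or the user leaves Azure Active Directory or the assigned group, but the only timing given in the same paragraph is "up to 24 hours for an add-in to show up". Suggest stating whether removal follows the same delay, since admins relying on this for offboarding need to know how long a removed user can still load the add-in. Two wording fixes in the same paragraph: "supports three desktop platforms Windows, Mac and Online Office apps" needs a colon after "platforms", and "show up for client for all users" reads as a leftover edit.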
Centralized Deployment doesn't support the following:
- On a Windows device, Version 1704 or later of Microsoft 365 Enterprise SKUs: E3/E5/F3 or Business SKUs: Business Basic, Business Standard, Business Premium. - On a Mac, Version 15.34 or later. -- For Outlook, your users must be using one of the following:
+- For Outlook, your users must be using one of the following:
- Version 1701 or later of Microsoft 365 Enterprise SKUs: E3/E5/F3 or Business SKUs: Business Basic, Business Standard, Business Premium. - Version 1808 or later of Office Professional Plus 2019 or Office Standard 2019. - Version 16.0.4494.1000 or later of Office Professional Plus 2016 (MSI) or Office Standard 2016 (MSI)\* - Version 15.0.4937.1000 or later of Office Professional Plus 2013 (MSI) or Office Standard 2013 (MSI)\*
- - Version 16.0.9318.1000 or later of Office 2016 for Mac
-- Version 2.75.0 or later of Outlook mobile for iOS -- Version 2.2.145 or later of Outlook mobile for Android
-
+ - Version 16.0.9318.1000 or later of Office 2016 for Mac
+- Version 2.75.0 or later of Outlook mobile for iOS
+- Version 2.2.145 or later of Outlook mobile for Android
+ *MSI versions of Outlook show admin-installed add-ins in the appropriate Outlook ribbon, not the "My add-ins" section. ### Exchange Online requirements Microsoft Exchange stores the add-in manifests within your organization's tenant. The admin deploying add-ins and the users receiving those add-ins must be on a version of Exchange Online that supports OAuth authentication.
-
-Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
+
+Check with your organization's Exchange admin to find out which configuration is in use. OAuth connectivity per user can be verified by using the [Test-OAuthConnectivity](/powershell/module/exchange/test-oauthconnectivity) PowerShell cmdlet.
### Centralized Deployment Compatibility Checker Using the Centralized Deployment Compatibility Checker, you can verify whether the users on your tenant are set up to use Centralized Deployment for Word, Excel and PowerPoint. The Compatibility Checker is not required for Outlook support. Download the [compatibility checker](https://aka.ms/officeaddindeploymentorgcompatibilitychecker).
-
+ #### Run the compatibility checker
-
+ 1. Start an elevated PowerShell.exe window.
-
+ 2. Run the following command: ```powershell Import-Module O365CompatibilityChecker ```
-
+ 3. Run the **Invoke-CompatabilityCheck** command: ```powershell Invoke-CompatibilityCheck ``` This command prompts you for *_TenantDomain_* (for example, *TailspinToysIncorporated.onmicrosoft.</span>com*) and *_TenantAdmin_* credentials (use your global admin credentials), and then requests consent.
-
+ > [!NOTE]
- > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
-
+ > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
+ When the tool finishes running, it produces an output file in comma-separated (.csv) format. The file is saved to **C:\windows\system32** by default. The output file contains the following information:
-
+ - User Name
-
+ - User ID (User's email address)
-
+ - Centralized Deployment ready - If the remaining items are true
-
+ - Office plan - The plan of Office they are licensed for
-
+ - Office Activated - If they have activated Office
-
+ - Supported Mailbox - If they are on an OAuth-enabled mailbox > [!NOTE] > Multifactor authentication is not supported when using the Central Deployment PowerShell module. The module only works with Basic authentication.
-
+ ## User and group assignments The Centralized Deployment feature currently supports the majority of groups supported by Azure Active Directory, including Microsoft 365 groups, distribution lists, and security groups.
-
+ > [!NOTE]
-> Non-mail enabled security groups are not currently supported.
-
+> Non-mail enabled security groups are not currently supported.
+ Centralized Deployment supports assignments to individual users, groups, and everyone in the tenant. Centralized Deployment supports users in top-level groups or groups without parent groups, but not users in nested groups or groups that have parent groups.
-
+ Take a look at the following example where Sandra, Sheila, and the Sales Department group are assigned to an add-in. Because the West Coast Sales Department is a nested group, Bert and Fred aren't assigned to an add-in.
-
+ ![Diagram of sales department](../../media/683094bb-1160-4cce-810d-26ef7264c592.png)
-
+ ### Find out if a group contains nested groups
-The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
-
+The easiest way to detect if a group contains nested groups is to view the group contact card within Outlook. If you enter the group name within the **To** field of an email and then select the group name when it resolves, it will show you if it contains users or nested groups. In the example below, the **Members** tab of the Outlook contact card for the Test Group shows no users and only two sub groups.
+ ![Members tab of Outlook contact card](../../media/d9db88c4-d752-426c-a480-b11a5b3adcd6.png)
-
-You can do the opposite query by resolving the group to see if it's a member of any group. In the example below, you can see under the **Membership** tab of the Outlook contact card that Sub Group 1 is a member of the Test Group.
-
+
+You can do the opposite query by resolving the group to see if it's a member of any group. In the example below, you can see under the **Membership** tab of the Outlook contact card that Sub Group 1 is a member of the Test Group.
+ ![Membership tab of the Outlook contact card](../../media/a9f9b6ab-9c19-4822-9e3d-414ca068c42f.png)
-
+ Alternately, you can use the Azure Active Directory Graph API to run queries to find the list of groups within a group. For more information, see [Operations on groups | Graph API reference](/previous-versions/azure/ad/graph/api/groups-operations).
-
+ ### Contacting Microsoft for support If you or your users encounter problems loading the add-in while using Office apps for the web (Word, Excel, etc.), which were centrally deployed, you may need to contact Microsoft support ([learn how](../../business-video/get-help-support.md)). Provide the following information about your Microsoft 365 environment in the support ticket.
-
+ |**Platform**|**Debug information**| |:--|:--|
-|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ( [learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
+|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
|Rich clients (Windows, Mac) <br/> | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) <br/> | ## Related content
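Review bot: step 3 of "Run the compatibility checker" names the command as **Invoke-CompatabilityCheck**, while the fenced command directly after it is `Invoke-CompatibilityCheck`; the bold text should match the cmdlet. The same step's example domain contains a stray closing tag ("onmicrosoft.</span>com") that should be removed. Step 3 also tells the reader to enter global admin credentials, but the note that the module "only works with Basic authentication" and does not support multifactor authentication only appears after the output-file list. Suggest moving that note up to step 3 so the admin sees the constraint before supplying credentials. Finally, the "Alternately, you can use the Azure Active Directory Graph API" sentence links into /previous-versions/, so it is worth checking whether a current reference exists for the nested-group query.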
admin Remove Licenses From Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/remove-licenses-from-users.md
- commerce_licensing search.appverid: MET150 description: "The method you use to unassign product licenses depends on whether you unassign licenses from specific users or from a specific product." Previously updated : 07/01/2020 Last updated : 06/07/2021 # Unassign licenses from users
admin Room And Equipment Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/room-and-equipment-mailboxes.md
To set up a room or equipment mailbox, go to the Microsoft 365 admin center. (Yo
6. If you made changes, select **Save** and then **Close**. > [!Note]
-> To keep your room and equipment mailboxes secure, block sign-in to these mailboxes. For more information, see [Block sign-in for the shared mailbox account](/office365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account).
+> To keep your room and equipment mailboxes secure, block sign-in to these mailboxes. For more information, see [Block sign-in for the shared mailbox account](/office365/admin/email/create-a-shared-mailbox#block-sign-in-for-the-shared-mailbox-account).
## Common questions about room and equipment mailboxes
admin Cortana Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/cortana-integration.md
When signed in with valid work or school accounts, users can get cloud-based ass
- Consistent with other Office 365 services, Cortana enterprise services meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products). -- New Microsoft 365 experiences, such as the Briefing email and Play My Emails, will be enabled using Cortana enterprise services and fully comply with those promises. These features are currently available worldwide (standard multi-tenant). For more information on finding the usage location, please visit [View additional property values for accounts](../../enterprise/view-user-accounts-with-microsoft-365-powershell.md?view=o365-worldwide#view-additional-property-values-for-accounts).
+- New Microsoft 365 experiences, such as the Briefing email and Play My Emails, will be enabled using Cortana enterprise services and fully comply with those promises. These features are currently available worldwide (standard multi-tenant). For more information on finding the usage location, please visit [View additional property values for accounts](../../enterprise/view-user-accounts-with-microsoft-365-powershell.md#view-additional-property-values-for-accounts).
- Existing consumer experiences, including Cortana in Windows 10 (version 1909 and earlier), are governed by the [Microsoft Services Agreement](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) (see ΓÇ£Existing services for consumersΓÇ¥ section below). These terms will also govern Cortana enterprise services provided to the user when signed in with their consumer credentials.
admin Empower Your Small Business With Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/empower-your-small-business-with-remote-work.md
audience: Admin
localization_priority: Normal-+ - Adm_O365-+ - AdminSurgePortfolio - adminvideo description: "Find the latest how-to information, tips, resources, and guidance on remote work for businesses using Microsoft 365."
description: "Find the latest how-to information, tips, resources, and guidance
As businesses adapt to the increased need to have people work remotely and connect with their customers virtually, this site is updated with the latest how-to information, tips, resources, and guidance on remote work for businesses using Microsoft 365.
->[!TIP]
->Don't have Microsoft_Teams? Get 6 months of Microsoft Teams in Office for free (when you sign up for 1 year). Get the technologies described in this article as part of the offer. For details, see [Try 1 month free](https://aka.ms/SMBTeamsOffer).
+> [!TIP]
+> Don't have Microsoft_Teams? Get 6 months of Microsoft Teams in Office for free (when you sign up for 1 year). Get the technologies described in this article as part of the offer. For details, see [Try 1 month free](https://aka.ms/SMBTeamsOffer).
## Remote work for your small business (video)
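Review bot: the reformatted TIP keeps "Don't have Microsoft_Teams?" with an underscore in the product name, which looks like a leftover placeholder. The tip also offers "6 months of Microsoft Teams in Office for free" while its link text reads "Try 1 month free"; one of the two should be corrected so the offer is stated consistently. The change itself only adds the space after `>`, so both issues carry over unchanged.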
Already have a subscription but need to get set up? See [Microsoft 365 small bu
## Connect with employees and customers
-You can still connect with employees, customers, clients, and partners, even if you can’t meet face to face. Use Microsoft Teams to continue doing business and connecting with your customers. 
+You can still connect with employees, customers, clients, and partners, even if you can’t meet face to face. Use Microsoft Teams to continue doing business and connecting with your customers.
### Meet up in Teams
For more information, see [Manage devices](../../business-video/secure-win-10-pr
Technical documentation hub for Microsoft 365 Business is updated with new secure remote work guidance.
-For details, see [Microsoft 365 Business resources](https://docs.microsoft.com/microsoft-365/business).
+For details, see [Microsoft 365 Business resources](/microsoft-365/business).
-## Need to ask a question?
+## Need to ask a question?
Ask in the [Teams forum](https://answers.microsoft.com/msteams/forum) or the [Office Admins forum](https://answers.microsoft.com). > [!NOTE]
-> Most of the tasks in this article and video can be accomplished with a subscription to Microsoft 365 Business Basic (formerly Office 365 Business Essentials), but some require a premium subscription. 
+> Most of the tasks in this article and video can be accomplished with a subscription to Microsoft 365 Business Basic (formerly Office 365 Business Essentials), but some require a premium subscription.
admin Sign Up With A Personal Email Address https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/sign-up-with-a-personal-email-address.md
description: "Learn how to sign up for Office 365 with your personal email addre
## When you skip adding a custom domain
-
-When you sign up for Office 365 with your personal email address and skip adding [a custom domain](../get-help-with-domains/what-is-a-domain.md) for now, you limit your access to certain features.
-
+
+When you sign up for Office 365 with your personal email address and skip adding [a custom domain](../get-help-with-domains/what-is-a-domain.md) for now, you limit your access to certain features.
+ If you choose to add a custom domain now, you get access to all the premium features below:
-
+ |**Feature**|**Office 365 with personal email**|**Office 365 with custom domain**| |:--|:--|:--|
-|**OneDrive <sup>1, 2</sup>**| [Personal OneDrive ](https://onedrive.live.com/about/en-us/plans/)| [OneDrive for Business](https://onedrive.live.com/about/en-us/business/) |
-|**Office applications: Word, Excel, PowerPoint, OneNote, Outlook, Access (PC only),**| Yes | Yes
-|**Business applications <sup>3</sup> : Microsoft Bookings and MileIQ**| No | Yes
+|**OneDrive <sup>1, 2</sup>**| [Personal OneDrive](https://onedrive.live.com/about/plans/)| [OneDrive for Business](https://onedrive.live.com/about/en-us/business/) |
+|**Office applications: Word, Excel, PowerPoint, OneNote, Outlook, Access (PC only),**| Yes | Yes
+|**Business applications <sup>3</sup> : Microsoft Bookings and MileIQ**| No | Yes
|**Access to Microsoft 365 admin center**| Limited Access (Billing, Support, and Domain setup) | Yes |**Add Users**| No | Yes |**Office 365 |**Security and Compliance tools**| No | Yes
-
+ > <sup>1</sup> You'll need to migrate your [Personal OneDrive files over to OneDrive for Business](move-email-and-data-to-office-365-business-premium.md).<br/> > <sup>2</sup> For information on how your data will be handled, see the [Privacy Statement](https://g.microsoftonline.com/0BX20en/138). Use of OneDrive is governed by the [Microsoft Services Agreement](https://signup.live.com/signup?ru=https://login.live.com/oauth20_authorize.srf?lc%3d1033%26response_type%3dcode%26client_id%3d51483342-085c-4d86-bf88-cf50c7252078%26scope%3dopenid%2bprofile%2bemail%2boffline_access%26response_mode%3dform_post%26redirect_uri%3dhttps://login.microsoftonline.com/common/federation/oauth2%26state%3drQIIAXWRO2_TUACFc_NSUyGoEBKVEFIHJCSQk-vrR-JIHdLWSdPGaR426TVDZCeO7TjX17Ld5rGzd47EwgLqyFLED2DolBFVMIOYEBMjaXeWM5zvDEfnvEixebb8jOd4wSiaEiMZIsfwEgsZg0ciwwmcyCHIDgXIhQ83t64-PP_-ZvtGvnr04-uX8yedJcj1J-65lR9QcgkeO3EcROVCYTqd5ulo5A7uQOETACsAfgKwTGYsn9G6l8lI5EReYIWSCDmuJIhIKuYxkae6OiT6WIkx6nhNF0K80McN1eYVtR0rB56goKqD1YqgE5lde3wTVb071pOh3oWwSapuo3fkKKS-9vAcIwzx2JlgtT67ST44qZzFDroVGroL608yN6Ih6Qc0ipep9-AksPz6cJ_6vjWI87cxy4_dgRG71G-FNLDC2LWiXbOrtHuKZ7W0_nlgtvwOPZYJU-_7HsIYmWhPY2XSOz2WGh27PzY0ElRHbXgoOqo-N0Rq8KpNTbuzPy_CU1k7VJslRgtmc143vS6vwBrlup0SrYa-ViPzOdNTJHl_OGAachhVhnsz9WMqu56VUP86dX9dyneHO0FIR-7EWqXBr_Q9mCpvbGxuJbYTO4m_afAus36u-1qsZVblo7ffELCfgsR1pkCw8yps8Mh7SaJJaTGxXQU6MB7jakM_iyYHLQVJbRya07a9K5XZiyy4yGZ_ZxOfc_87-h81%26estsfed%3d1%26uaid%3ddd27a8b7188545dab714e7d8c6761b52%26lw%3d1%26fl%3deasi2%26mkt%3den-US&amp;mkt=EN-US&amp;uiflavor=web&amp;lw=1&amp;fl=easi2&amp;client_id=51483342-085c-4d86-bf88-cf50c7252078&amp;uaid=dd27a8b7188545dab714e7d8c6761b52&amp;lic=1). The [Microsoft Online Subscription Agreement](https://admin.microsoft.com/Commerce/Mosa.aspx?cc2=US&amp;cl=en&amp;cc=en-US&amp;gcc=False) governs all the other services included with your subscription.<br/> > <sup>3</sup> Some business applications aren't available in all regions.<br/>
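Review bot: in footnote 2, the "Microsoft Services Agreement" link does not point at the agreement but at a signup.live.com sign-up URL whose `ru` parameter embeds a complete login.live.com authorization redirect, including `client_id`, an encoded `state` value and a `uaid`. That looks like a URL copied from a live sign-in session. It should be replaced with a stable link to the agreement text, both so readers are not sent into a sign-up flow and so session-derived values are not published in the docs. Separately, the re-added table rows for "Office applications" and "Business applications" end without a closing `|`, unlike the OneDrive row above them.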
If you choose to add a custom domain now, you get access to all the premium feat
## How to add a domain In the admin center, go to **Setup** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> > **Add domain**.
-
+
admin Add Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/add-domain.md
Follow these steps to add, set up, or continue setting up a domain.
If the portal doesn't recognize your registrar, you can [follow these general instructions.](../get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md)
- Check our list of [host-specific instructions](../get-help-with-domains/set-up-your-domain-host-specific-instructions.md) to find your host and follow the steps to add all the records you need.
-
If you don't know the DNS hosting provider or domain registrar for your domain, see [Find your domain registrar or DNS hosting provider](../get-help-with-domains/find-your-domain-registrar.md). If you want to wait for later, either unselect all the services and click **Continue**, or in the previous domain connection step choose **More Options** and select **Skip this for now**.
If you have a website that you use with your business, it will keep working wher
[Domains FAQ](domains-faq.yml) (article)\ [What is a domain?](../get-help-with-domains/what-is-a-domain.md) (article)\
-[Buy a domain name in Microsoft 365](../get-help-with-domains/buy-a-domain-name.md) (article)\
-[Set up your domain](../get-help-with-domains/set-up-your-domain-host-specific-instructions.md) (article)
+[Buy a domain name in Microsoft 365](../get-help-with-domains/buy-a-domain-name.md) (article)\
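Review bot: with the "Set up your domain" entry removed, the "Buy a domain name in Microsoft 365" line becomes the last item in the related-content list but still ends with the `\` hard line break. Suggest dropping the trailing backslash on the final entry. If the host-specific instructions link was removed on purpose, it is worth confirming, because the steps earlier in this article still point readers to that same page.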
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
You can add or update a default theme that applies to everyone within your org.
2. On the **Organization profile** tab, select **Custom themes**.
-All themes can be customized using the following tabs.
+All organization themes can be customized using the following tabs.
|**Tab**|**What can you do?**| |:--|:--| |[General](#general-modify-a-theme) <br/> |Modify a theme name and assign to up to five groups (if applicable). <br/> |
-|[Logos](#logos-specify-your-theme-logos) <br/> |Add your theme logo, including the Office dark theme and mobile options. <br/> |
-|[Colors](#colors-choose-theme-colors) <br/> |Customize a color scheme by specifying navigation bar, accent, text, and icon colors. <br/> |
+|[Logos](#logos-specify-your-theme-logos) <br/> |Add your organization logo, including alternate logo for dark theme. <br/> |
+|[Colors](#colors-choose-theme-colors) <br/> |Customize a color scheme by specifying navigation bar, accent, text and icon colors. <br/> |
## General: Modify a theme
The default theme is the first theme displayed.
> [!IMPORTANT] > The default theme is unique, it can't be renamed and applies to everyone within your organization. To delete the default theme, you have to delete all other themes first. ### Create a group theme
You can create up to four additional group themes.
3. Select **Save**. ## Logos: Specify your theme logos
On the **Logos** page, you can you can add your logos, and specify the URL where
- **Default logo**: Add a URL location that points to your logo. Make sure that the URL uses HTTPS. Add a HTTPS image url that allows anonymous access and doesn't require authentication. For default theme, you also have an option to upload a logo image that is less than 10kb. Your default logo can be in the JPG, PNG, GIF, or SVG format. For SVG images, they will be resized to fit 24 pixels vertically. JPG, PNG, GIF images will be scaled to fit 200 x 48 pixels. Logo aspect ratio will always be preserved. - **Alternate logo**: Add a URL location that points to your logo. Your alternate logo should be optimized for use in Office dark themes. Same requirements as the default logo.-- **On-click link**: Add a URL location that points to your logo. You can use your logo as a link to any company resource, for example, your company's website.
+- **On-click link**: Add a URL location that points to your logo. You can use your logo as a link to any company resource, for example, your company's website. If you donΓÇÖt select a URL location for your logo, itΓÇÖll default to the Office home page.
Select **Save** to save your changes. + You can remove your logos at any time. Just return to the **Logos** page and select **Remove**. ## Colors: Choose theme colors
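Review bot: In the **On-click link** bullet, the first sentence still reads "Add a URL location that points to your logo", the same wording as the Default logo and Alternate logo bullets, although this field is the destination the logo links to. Reword it along the lines of "Add the URL that opens when someone selects your logo", and have the new fallback sentence say "If you don't specify an on-click link" rather than "a URL location for your logo". The added sentence also uses typographic apostrophes in "don't" and "it'll", which come through mis-encoded here; plain ASCII apostrophes avoid that.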
On the **Colors** page, you can set the default colors and choose which logo sho
- **Text and icon color**: Select a color to use for the text and icons on the top navigation bar. - **Accent color**: Pick one that shows up well on a white or light background. The accent color is used to color some links and buttons that show up on a white or light background. For example, the accent color is used to color elements in a user's inbox and on their Office.com portal page. - **Reset color**: Select this link to reset colors to the default colors.-- **Which logo should be used?**: Select default logos or any other logos you've created yourself. ## Frequently asked questions
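Review bot: The "Which logo should be used?" bullet is removed, but the section's opening sentence shown just above still says that on the Colors page you can set the default colors and choose which logo to use. Update that intro so it no longer promises a logo choice on this page.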
admin Setup Business Basic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/setup-business-basic.md
When you purchase Microsoft 365 Business Basic, you have the option of using a d
> If you purchased a domain during the sign-up, you will not see **Add a domain** step here. Go to [Add users](#add-users-and-assign-licenses) instead.
-4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also the [host specific instructions](/office365/admin/get-help-with-domains/set-up-your-domain-host-specific-instructions).
+4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).
If your hosting provider is GoDaddy or another host enabled with [domain connect](/office365/admin/get-help-with-domains/domain-connect), the process is easy and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
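Review bot: In step 4 the condition "If you know your domain host" no longer matches its link target. The host-specific instructions link is replaced with the general "Add a domain to Microsoft 365" article, and add-domain.md in this same batch drops its "Check our list of host-specific instructions" bullet, so a reader who knows their host is not sent anywhere host-specific. Either reword the sentence to "For the full procedure, see ..." or keep a host-specific pointer. The first link in the step and the domain connect link below it still use the /office365/admin/ path while the new link uses /microsoft-365/admin/, and "steps ... that verifies" should be "that verify". The identical step 4 change in setup-business-standard.md and business/set-up.md needs the same treatment.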
admin Setup Business Standard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/setup-business-standard.md
When you purchase Microsoft 365 Business Standard, you have the option of using
> If you purchased a domain during the sign-up, you will not see **Add a domain** step here. Go to [Add users](#add-users-and-assign-licenses) instead.
-4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also the [host specific instructions](/office365/admin/get-help-with-domains/set-up-your-domain-host-specific-instructions).
+4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Office 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).
If your hosting provider is GoDaddy or another host enabled with [domain connect](/office365/admin/get-help-with-domains/domain-connect), the process is easy and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
business-video Admin Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/admin-center-overview.md
audience: Admin
localization_priority: Normal--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365-+ - AdminSurgePortfolio - adminvideo monikerRange: 'o365-worldwide'
The Microsoft 365 admin center has two views: simplified view helps smaller orga
With the Microsoft 365 admin center, you can reset passwords, view your invoice, add or remove users, and much more all in one place.
-Sign in to Office.com with your work account, and select the app launcher.
+Sign in to Office.com with your work account, and select the app launcher.
-If you have permission to access the admin center, you'll see **Admin** in the list. Select it.
+If you have permission to access the admin center, you'll see **Admin** in the list. Select it.
-At the top of the admin center, review the top actions for you. You may see different actions depending on what you've already set up, such as creating new accounts, using Teams, setting up email, and installing Office apps.
-
-Under **Your organization** on the **Users** tab is a list of people who can access apps and services, add new users, reset passwords, or use the three dots (more actions) menu. Select a person to view or edit their information and settings.
+At the top of the admin center, review the top actions for you. You may see different actions depending on what you've already set up, such as creating new accounts, using Teams, setting up email, and installing Office apps.
-On the **Teams** tab, create a new team or manage existing teams. You can manage the members of a team or select the three dots (more actions) to change other Teams settings.
+Under **Your organization** on the **Users** tab is a list of people who can access apps and services, add new users, reset passwords, or use the three dots (more actions) menu. Select a person to view or edit their information and settings.
+
+On the **Teams** tab, create a new team or manage existing teams. You can manage the members of a team or select the three dots (more actions) to change other Teams settings.
On the **Subscriptions** tab, add more products, add licenses, or use the three dots (more actions) menu to modify licenses or payment method. On the **Learn** tab, browse videos and articles about the admin center and other Microsoft 365 features. To explore more advanced features of the admin center, open the navigation menu and expand the headings to see more. Select **Show all** to see everything in the navigation menu or use the search bar to quickly find what you're looking for.
-If you need assistance, select **Help & support**. Search for topic you want help with and view the recommended solution or select the headset to contact support, and then enter your question and contact information.
+If you need assistance, select **Help & support**. Search for topic you want help with and view the recommended solution or select the headset to contact support, and then enter your question and contact information.
## Watch: The admin center in dashboard view > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWfvDL?autoplay=false]
-The Microsoft 365 admin center is where you manage your business in the cloud. You can complete such tasks as adding and removing users, changing licenses, and resetting passwords.
+The Microsoft 365 admin center is where you manage your business in the cloud. You can complete such tasks as adding and removing users, changing licenses, and resetting passwords.
Specialist workspaces, like Security or Device management, allow for more granular control. For more information about how the admin centers work together, see [What about the specific types of IT roles and other workspaces like Security, Device Management, or Exchange?](#what-about-the-specific-types-of-it-roles-and-other-workspaces-like-security-device-management-or-exchange) in this article.
Select a user to see more options, such as managing their product licenses.
To enable more features that come with your subscription, select **Setup**. Here you can turn on sign-in security, mobile app protection, DLP, and other features included with your subscription.
-If you need support at any time, choose **Need help**. Enter your question, then check out the links that appear. If you don't get your answer here, choose **Contact support** to open a service request.
+If you need support at any time, choose **Need help**. Enter your question, then check out the links that appear. If you don't get your answer here, choose **Contact support** to open a service request.
For more information on managing billing, passwords, users, and admins, see the other lessons in this course.
-## Who is an admin?
+## Who is an admin?
By default, the person who signs up for and buys an Microsoft 365 for business subscription gets admin permissions. That person can assign admin permissions to other people to help them manage Microsoft 365 for their organization. If you get the message "**You don't have permission to access this page or perform this action**," you aren't an admin.
-
+ ### Who has admin permissions in my business? <a name="bkmk_admin"> </a> When looking for your admin to reset your password, delete an account, or do other tasks, here's who you should contact:
-
-- **Universities and schools**: Contact your technical support team. Usually you can find a link on your university site. At smaller schools, there may be just a few individuals who have admin permissions.
-
-- **Large businesses**: Contact your internal help desk / technical support.
-
-- **Small businesses**: Contact the business owner / co-owner. Often they give admin permissions to their IT consultant who does all the computer maintenance work for their business.
-
+
+- **Universities and schools**: Contact your technical support team. Usually you can find a link on your university site. At smaller schools, there may be just a few individuals who have admin permissions.
+
+- **Large businesses**: Contact your internal help desk / technical support.
+
+- **Small businesses**: Contact the business owner / co-owner. Often they give admin permissions to their IT consultant who does all the computer maintenance work for their business.
+ If you have no idea who to contact at your work or school for help, try asking the person who gave you your user account and password. > [!NOTE]
-> Targeted release admins have first access to new features. New features later roll out to all admins. This means that you might not see the admin center, or it might look different than what is described in help articles. To be among the first to see new features, see Participate in the admin center, below.
+> Targeted release admins have first access to new features. New features later roll out to all admins. This means that you might not see the admin center, or it might look different than what is described in help articles. To be among the first to see new features, see Participate in the admin center, below.
## Turn on Targeted release 1. Sign in at [admin.microsoft.com](https://admin.microsoft.com), go to the navigation pane and select **Settings** \> **Organization profile**.
-2. Go to the **Release preferences** card, and then select **Edit**.
-
+2. Go to the **Release preferences** card, and then select **Edit**.
+ 3. Select either **Targeted release for everyone** or **Targeted release for selected users**. If you choose Targeted release for selected users, make sure that you add your admin account (and any other admins in your org who want to participate) to the list of selected users.
-
+ ## Admin center feedback While in the admin center, you can give Microsoft feedback about your experience by selecting **Give feedback** right next to the **Need help?** button at the bottom of every page. Tell us what you like and what we could do better. In addition, you may get pop-up surveys from time-to-time asking about your overall impressions or a particular experience that's newly released. You can also give feedback at the end of this article by selecting **Was this information helpful?** ## Frequently asked questions
-Don't see your questions answered here? Go to the **Feedback** section at the bottom of this page and ask your question.
-
+Don't see your questions answered here? Go to the **Feedback** section at the bottom of this page and ask your question.
+ ### Which Microsoft 365 plans are available to trial or buy? Microsoft 365 is a complete, intelligent solution that includes Office 365, Windows 10, and Enterprise Mobility + Security that empowers everyone to be creative and work together, securely. The following Microsoft 365 subscriptions are available in the admin center for you to try or buy now:
-
+ - Microsoft 365 for business - Microsoft 365 Enterprise E3 - Microsoft 365 Enterprise E5
-
+ For more information, see [Try or buy a Microsoft 365 subscription](../commerce/try-or-buy-microsoft-365.md). ### I found a bug or I want to request a feature enhancement. How do I let Microsoft know?
-We love to hear from you! Reporting bugs and sharing feedback helps us make the Microsoft 365 admin center better. To give feedback, select the **Feedback** button on the bottom of the page and use the form to send us your thoughts. Select the checkbox and confirm your email address if you want someone from the Microsoft 365 admin center team to follow up on your comments. We can't promise to follow up on every piece of feedback, but we're going to try!
-
+We love to hear from you! Reporting bugs and sharing feedback helps us make the Microsoft 365 admin center better. To give feedback, select the **Feedback** button on the bottom of the page and use the form to send us your thoughts. Select the checkbox and confirm your email address if you want someone from the Microsoft 365 admin center team to follow up on your comments. We can't promise to follow up on every piece of feedback, but we're going to try!
+ You can also give feedback from outside of the admin center on our UserVoice forum. You can use this page to make feature suggestions that can be voted on by other forum users: [UserVoice forum for the new admin center](https://go.microsoft.com/fwlink/?linkid=2024994). ### What about the specific types of IT roles and other workspaces like Security, Device Management, or Exchange?
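Review bot: In the Targeted release note, "see Participate in the admin center, below" is plain text and names a section that does not appear in this hunk; the heading that follows is "Turn on Targeted release". Point the sentence at that heading with an anchor link, for example [Turn on Targeted release](#turn-on-targeted-release). The surrounding changes are whitespace-only, so "an Microsoft 365 for business subscription" under "Who is an admin?" could be corrected to "a Microsoft 365" in the same pass.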
The Microsoft 365 admin center is fully localized in 40 languages.
|Dutch | nl | |Norwegian | no | |Polish | pl |
-|Portuguese ( Brazil) | pt |
+|Portuguese (Brazil) | pt |
|Portuguese (Portugal) | pt-pt | |Romanian | ro | |Russian | ru |
The Microsoft 365 admin center is fully localized in 40 languages.
[What is a Microsoft 365 admin?](what-is-admin.md) (video)\ [Add an admin](add-admin.md) (video)\ [Customize the Microsoft 365 theme for your organization](../admin/setup/customize-your-organization-theme.md) (article)
-
business Migrate From Microsoft 365 Business To Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-from-microsoft-365-business-to-microsoft-365-enterprise.md
audience: Admin
localization_priority: Normal-+ - Adm_O365-- M365-subscription-management
+- M365-subscription-management
- Core_O365Admin_Migration - MiniMaven
description: "Learn how to move your business from Microsoft 365 Business Premiu
# Migrate from Microsoft 365 Business Premium to Microsoft 365 E3
-Microsoft 365 Business Premium has everything you need for your small business, combining the best-in-class cloud-based productivity apps with simple device management and security that enable your employees to do their best work. In some cases, however, you may need to migrate your Microsoft 365 Business Premium subscription to Microsoft 365 E3.
+Microsoft 365 Business Premium has everything you need for your small business, combining the best-in-class cloud-based productivity apps with simple device management and security that enable your employees to do their best work. In some cases, however, you may need to migrate your Microsoft 365 Business Premium subscription to Microsoft 365 E3.
For example, your business has grown and needs more than 300 licenses (congratulations, by the way).
Or, your business needs enterprise features, such as Microsoft 365 Apps for ente
Upgrading is easy: you can start the upgrade [from the Admin center](../commerce/subscriptions/upgrade-to-different-plan.md). All your data and configuration in your current subscription is maintained. There's nothing for you to do to prepare for the migration and nothing to do afterward, except take advantage of the new features.
->[!Note]
->You can also use a Microsoft 365 Business Premium subscription for up to 300 seats and get a Microsoft 365 E3 subscription for more than 300 seats. However, Microsoft Defender for Office 365 is not included with Microsoft 365 E3. For continued threat protection, you should add additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
->
+> [!NOTE]
+> You can also use a Microsoft 365 Business Premium subscription for up to 300 seats and get a Microsoft 365 E3 subscription for more than 300 seats. However, Microsoft Defender for Office 365 is not included with Microsoft 365 E3. For continued threat protection, you should add additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
## Differences between Microsoft 365 Business Premium and Microsoft 365 Enterprise This table shows the differences between Microsoft 365 Business Premium and Microsoft 365 E3.
-| Feature | Support in Microsoft 365 Business Premium | Support in Microsoft 365 E3 |
+| Feature | Support in Microsoft 365 Business Premium | Support in Microsoft 365 E3 |
|:-|:--|:--|
-| **On-premises** | | |
-| Windows 10 | Windows 10 Business | Windows 10 Enterprise E3|
-| Office apps* | [Microsoft 365 Apps for business](#office-365-business) | Microsoft 365 Apps for enterprise |
-| **Cloud productivity apps** | | |
-| Exchange Online and Outlook | 50 GB storage limit per mailbox and unlimited Exchange Online archiving | 100 GB storage limit per mailbox and unlimited Exchange Online archiving |
-| Teams | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| OneDrive for Business | 1 TB storage limit per user | Unlimited |
-| Yammer, SharePoint Online, Planner, Stream | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Threat Protection** | | |
-| Attack surface reduction capabilities | [See this list](#threat-protection) | Enterprise management of hardware-based isolation for Microsoft Edge |
-| Defender for Office 365 Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | Not included, but can be added on |
-| **Identity management** | | |
-| Self-service password reset for hybrid Azure Active Directory (Azure AD) accounts, Azure AD multi-factor authentication (MFA), Conditional Access, password writeback for on-premises identities| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Cloud App Discovery, Azure AD Connect Health | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Azure AD Office 365 apps Single Sign-On (SSO): 10 apps per user (Gallery SaaS apps such as Salesforce)* | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Azure AD Premium 1 SSO: no limit (On-premises apps through Azure AD Application Proxy and non-gallery apps using Self-Service App Integration templates) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Device and app management** | | |
-| Microsoft Intune, Windows Autopilot| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Virtual Desktop Access (VDA) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Windows Virtual Desktop (WVD) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Shared Computer Activation (SCA) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Microsoft Desktop Optimization Package | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Information protection** | | |
-| Office 365 Data Loss Prevention, Azure Information Protection Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Window Information Protection for endpoint DLP | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Client Access License (CAL rights)** | | |
-| Enterprise CAL Suite (Exchange, SharePoint, Skype, Windows, Microsoft Endpoint Configuration Manager, Windows Rights Management)| | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Compliance** | | |
-| Unlimited email archiving | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Compliance Manager | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| eDiscovery | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| In-place hold and litigation hold | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Messaging Records Management (MRM) retention tags and retention policies | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **On-premises** | | |
+| Windows 10 | Windows 10 Business | Windows 10 Enterprise E3|
+| Office apps* | [Microsoft 365 Apps for business](#office-365-business) | Microsoft 365 Apps for enterprise |
+| **Cloud productivity apps** | | |
+| Exchange Online and Outlook | 50 GB storage limit per mailbox and unlimited Exchange Online archiving | 100 GB storage limit per mailbox and unlimited Exchange Online archiving |
+| Teams | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| OneDrive for Business | 1 TB storage limit per user | Unlimited |
+| Yammer, SharePoint Online, Planner, Stream | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **Threat Protection** | | |
+| Attack surface reduction capabilities | [See this list](#threat-protection) | Enterprise management of hardware-based isolation for Microsoft Edge |
+| Defender for Office 365 Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | Not included, but can be added on |
+| **Identity management** | | |
+| Self-service password reset for hybrid Azure Active Directory (Azure AD) accounts, Azure AD multi-factor authentication (MFA), Conditional Access, password writeback for on-premises identities| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Cloud App Discovery, Azure AD Connect Health | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Azure AD Office 365 apps Single Sign-On (SSO): 10 apps per user (Gallery SaaS apps such as Salesforce)* | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Azure AD Premium 1 SSO: no limit (On-premises apps through Azure AD Application Proxy and non-gallery apps using Self-Service App Integration templates) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **Device and app management** | | |
+| Microsoft Intune, Windows Autopilot| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+|Virtual Desktop Access (VDA) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+|Windows Virtual Desktop (WVD) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+|Shared Computer Activation (SCA) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Microsoft Desktop Optimization Package | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **Information protection** | | |
+| Office 365 Data Loss Prevention, Azure Information Protection Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Window Information Protection for endpoint DLP | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **Client Access License (CAL rights)** | | |
+| Enterprise CAL Suite (Exchange, SharePoint, Skype, Windows, Microsoft Endpoint Configuration Manager, Windows Rights Management)| | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| **Compliance** | | |
+| Unlimited email archiving | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Compliance Manager | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| eDiscovery | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| In-place hold and litigation hold | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
+| Messaging Records Management (MRM) retention tags and retention policies | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
|||| \* Users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as a single app.
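Review bot: The table rows are re-saved with whitespace changes only, so the Information protection row "Window Information Protection for endpoint DLP" keeps its typo; it should read "Windows Information Protection". Since every row is being touched anyway, fix it in this change rather than in a follow-up.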
Windows 10 Business includes these protections:
Windows 10 Enterprise E3 also includes enterprise management of hardware-based isolation for Microsoft Edge.
->[!Note]
->Users migrated to Microsoft 365 E3 will each require a Microsoft Defender for Office 365 license for continued threat protection. Be sure to purchase additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
->
+> [!NOTE]
+> Users migrated to Microsoft 365 E3 will each require a Microsoft Defender for Office 365 license for continued threat protection. Be sure to purchase additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
### Device management with Intune
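Review bot: The reformatted note still says "Defender for Office 365 polices"; correct it to "policies", here and in the matching note near the top of the article, which has the same spelling. This note is also the only place in the hunk telling admins that users moved to E3 need a separate Defender for Office 365 license to keep threat protection, so consider the [!IMPORTANT] callout instead of [!NOTE].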
Microsoft 365 Business Premium includes Windows 10 Business, which you can insta
Your Microsoft 365 Apps for business client installed on your devices will automatically begin to use the features of Microsoft 365 Apps for enterprise. After migration, you can now use: -
+- Group Policy support
+- Spreadsheet compare and inquire
+- Business intelligence
business Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/set-up.md
When you purchase Microsoft 365 Business Premium, you have the option of using a
![Screenshot of the Personalize your sign-in page.](../media/adddomain.png)
-4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Microsoft 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also the [host specific instructions](/office365/admin/get-help-with-domains/set-up-your-domain-host-specific-instructions).
+4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Microsoft 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).
If your hosting provider is GoDaddy or another host enabled with [domain connect](/office365/admin/get-help-with-domains/domain-connect), the process is easy and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
business Upgrade To Windows Pro Creators Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/upgrade-to-windows-pro-creators-update.md
audience: Admin
localization_priority: Normal-+ - M365-subscription-management - TRN_SMB
description: "Discover ways you can upgrade your Windows devices to Windows 10 P
## Watch: Upgrade Windows 10 Home to Windows 10 Pro
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3t58j]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3t58j]
If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml). ## Upgrade to Windows 10 Pro
-
+ To upgrade to Windows 10 Pro, you have several options. You can:
-
-- Install the upgrade from the [Microsoft Software Download site](https://go.microsoft.com/fwlink/?LinkID=836951 ) &ndash; Select this option if the device that you're logged in is on the same device as the one you want to update.
- - From the software download site, click **Update now** to start upgrading the device to Windows 10 Pro Creators Update.
-
-- Create an installation media using the [Media Creation Tool](https://go.microsoft.com/fwlink/?LinkID=836960) &ndash; Select this option to create a Windows 10 Pro Creators Update installation media (USB flash drive or ISO file) to install Windows 10 on a PC that's different from the one you're using.
+- Install the upgrade from the [Microsoft Software Download site](https://go.microsoft.com/fwlink/?LinkID=836951).
+ - Select this option if the device that you're logged in is on the same device as the one you want to update.
+ - From the software download site, click **Update now** to start upgrading the device to Windows 10 Pro Creators Update.
- - Read the instructions on how to use the tool and create your installation media.
+- Create an installation media using the [Media Creation Tool](https://go.microsoft.com/fwlink/?LinkID=836960) &ndash; Select this option to create a Windows 10 Pro Creators Update installation media (USB flash drive or ISO file) to install Windows 10 on a PC that's different from the one you're using.
+ - Read the instructions on how to use the tool and create your installation media.
> [!NOTE] > If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 for business subscription entitles you to a Windows Pro 10 upgrade.
-
+ ## Next steps
-To complete setting up Windows 10 devices, see [Set up Windows devices for Microsoft 365 for business users](set-up-windows-devices.md).
-
-To complete setting up Android and iOS devices, see [Set up mobile devices for Microsoft 365 for business users](set-up-mobile-devices.md).
-
+To complete setting up Windows 10 devices, see [Set up Windows devices for Microsoft 365 for business users](set-up-windows-devices.md).
+
+To complete setting up Android and iOS devices, see [Set up mobile devices for Microsoft 365 for business users](set-up-mobile-devices.md).
+ ## Related content [Microsoft 365 for business training videos](../business-video/index.yml) (link page)
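Review bot: the two upgrade options end up formatted differently. The Microsoft Software Download site bullet moves its "Select this option if ..." text into a sub-bullet, while the Media Creation Tool bullet keeps the same kind of text inline after `&ndash;`. Use the sub-bullet layout for both. The moved sentence "if the device that you're logged in is on the same device as the one you want to update" was carried over unchanged and is hard to parse; something like "if you're signed in to the device you want to upgrade" would be clearer.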
campaigns M365 Campaigns Protect Pcs Macs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/m365-campaigns-protect-pcs-macs.md
You should always run Windows Firewall even if you have another firewall turned
Disk encryption protects data when devices are lost or stolen. FileVault full-disk encryption helps prevent unauthorized access to the information on your startup disk. See [use FileVault to encrypt the startup disk on your Mac](https://support.apple.com/HT204837) for instructions. **Protect your mac from malware**<p>
-Microsoft recommends that you install and use reliable antivirus software on your Mac. See the following article for a list of choices: [Best Mac antivirus 2019 ](https://www.macworld.co.uk/feature/mac-software/mac-antivirus-3672182/).
+Microsoft recommends that you install and use reliable antivirus software on your Mac. See the following article for a list of choices: [Best Mac antivirus 2019](https://www.macworld.co.uk/feature/mac-software/mac-antivirus-3672182/).
You can also reduce the risk of malware by using software only from reliable sources. The settings in Security & Privacy preferences allow you to specify the sources of software installed on your Mac. For more information, see [protect your Mac from malware](https://support.apple.com/kb/PH25087).
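Review bot: the added line only trims the space inside the link text, but the antivirus recommendation still sends readers to a third-party roundup titled "Best Mac antivirus 2019". For security guidance, point to a current source, or at least confirm the target is still maintained and drop the year from the link text.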
commerce Add Storage Space https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/add-storage-space.md
Office 365 Extra File Storage is available for the following subscriptions:
- Office 365 Enterprise E3 - Office 365 Enterprise E4 - Office 365 Enterprise E5
+- Office 365 A3 (faculty)
+- Office 365 A5 (faculty)
- Office for the web with SharePoint Plan 1 - Office for the web with SharePoint Plan 2 - SharePoint Online Plan 1
commerce Manage License Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-license-requests.md
- commerce_licensing search.appverid: MET150 description: "Learn how to review and approve or deny license requests from users for your Microsoft 365 for business subscription." Previously updated : 08/07/2020 Last updated : 06/07/2021 # Manage license requests
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
This may be due to an older version of Transport Layer Security (TLS). To connec
### Solution
-Upgrade to TLS 1.2: [https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2](/mem/configmgr/core/plan-design/security/enable-tls-1-2)
+Upgrade to TLS 1.2: (/mem/configmgr/core/plan-design/security/enable-tls-1-2)
<!-- ## Uninstall the MSCommerce module
Uninstall-Module -Name MSCommerce
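Review bot: the replacement for the "Upgrade to TLS 1.2:" line drops the bracketed link text and leaves only `(/mem/configmgr/core/plan-design/security/enable-tls-1-2)`, which is not Markdown link syntax and will show as a bare path in parentheses. Keep the `[text](path)` form with descriptive link text so the TLS 1.2 remediation stays clickable.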
[Manage self-service purchases (Admin)](manage-self-service-purchases-admins.md) (article)
-[Self-service purchase FAQ](self-service-purchase-faq.yml) (article)
+[Self-service purchase FAQ](self-service-purchase-faq.yml) (article)
commerce Change Plans Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/change-plans-manually.md
The licenses for the current subscription will be removed later; you'll only pay
## Step 4: Reassign licenses
+When you upgrade from an Office 365 plan to a Microsoft 365 plan, you must change the license assignments for all users. Licenses aren't automatically assigned when you change plans manually.
+ ### Reassign a license for one user 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
Some things to consider when using keywords or searchable properties to auto-app
- New, modified, and existing items will be auto-labeled for SharePoint, OneDrive, and Exchange. -- For SharePoint, crawled properties and custom properties aren't supported for these KQL queries and you must use only predefined managed properties. However, you can use mappings at the tenant level with the predefined managed properties that are enabled as refiners by default (RefinableDate00-19, RefinableString00-99, RefinableInt00-49, RefinableDecimals00-09, and RefinableDouble00-09). For more information, see [Overview of crawled and managed properties in SharePoint Server](/SharePoint/technical-reference/crawled-and-managed-properties-overview), and for instructions, see [Create a new managed property](/sharepoint/manage-search-schema#create-a-new-managed-property).
+- For SharePoint, crawled properties and custom properties aren't supported for these KQL queries and you must use only predefined managed properties for documents. However, you can use mappings at the tenant level with the predefined managed properties that are enabled as refiners by default (RefinableDate00-19, RefinableString00-99, RefinableInt00-49, RefinableDecimals00-09, and RefinableDouble00-09). For more information, see [Overview of crawled and managed properties in SharePoint Server](/SharePoint/technical-reference/crawled-and-managed-properties-overview), and for instructions, see [Create a new managed property](/sharepoint/manage-search-schema#create-a-new-managed-property).
- If you map a custom property to one of the refiner properties, wait 24 hours before you use it in your KQL query for a retention label.
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
audience: Admin Previously updated : Last updated : localization_priority: Priority-+ - M365-security-compliance
+search.appverid:
- MOE150 - MET150 description: "When you create a sensitivity label, you can automatically assign a label to files and emails, or you can prompt users to select the label that you recommend."
When content has been manually labeled, that label will never be replaced by aut
There are two different methods for automatically applying a sensitivity label to content in Microsoft 365: -- **Client-side labeling when users edit documents or compose (also reply or forward) emails**: Use a label that's configured for auto-labeling for files and emails (includes Word, Excel, PowerPoint, and Outlook).
-
- This method supports recommending a label to users, as well as automatically applying a label. But in both cases, the user decides whether to accept or reject the label, to help ensure the correct labeling of content. This client-side labeling has minimal delay for documents because the label can be applied even before the document is saved. However, not all client apps support auto-labeling. This capability is supported by the Azure Information Protection unified labeling client, and [some versions of Office](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps).
-
+- **Client-side labeling when users edit documents or compose (also reply or forward) emails**: Use a label that's configured for auto-labeling for files and emails (includes Word, Excel, PowerPoint, and Outlook).
+
+ This method supports recommending a label to users, as well as automatically applying a label. But in both cases, the user decides whether to accept or reject the label, to help ensure the correct labeling of content. This client-side labeling has minimal delay for documents because the label can be applied even before the document is saved. However, not all client apps support auto-labeling. This capability is supported by the Azure Information Protection unified labeling client, and [some versions of Office](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps).
+ For configuration instructions, see [How to configure auto-labeling for Office apps](#how-to-configure-auto-labeling-for-office-apps) on this page. -- **Service-side labeling when content is already saved (in SharePoint or OneDrive) or emailed (processed by Exchange Online)**: Use an auto-labeling policy.
-
+- **Service-side labeling when content is already saved (in SharePoint or OneDrive) or emailed (processed by Exchange Online)**: Use an auto-labeling policy.
+ You might also hear this method referred to as auto-labeling for data at rest (documents in SharePoint and OneDrive) and data in transit (email that is sent or received by Exchange). For Exchange, it doesn't include emails at rest (mailboxes).
-
+ Because this labeling is applied by services rather than by applications, you don't need to worry about what apps users have and what version. As a result, this capability is immediately available throughout your organization and suitable for labeling at scale. Auto-labeling policies don't support recommended labeling because the user doesn't interact with the labeling process. Instead, the administrator runs the policies in simulation mode to help ensure the correct labeling of content before actually applying the label.
-
+ For configuration instructions, see [How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange](#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) on this page.
-
+ Specific to auto-labeling for SharePoint and OneDrive: - Office files for Word, PowerPoint, and Excel are supported. Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls). - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open).
There are two different methods for automatically applying a sensitivity label t
- If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied. - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email. There currently isn't a way to set a Rights Manager owner for all incoming email messages that are automatically encrypted.
-
+ ## Compare auto-labeling for Office apps with auto-labeling policies
For more information on parent labels and sublabels, see [Sublabels (grouping la
Automatic labeling in Office apps for Windows is supported by the Azure Information Protection unified labeling client. For built-in labeling in Office apps, this capability is in [different stages of availability for different apps](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps).
-The auto-labeling settings for Office apps are available when you [create or edit a sensitivity label](create-sensitivity-labels.md). Make sure **Files & emails** is selected for the label's scope:
+The auto-labeling settings for Office apps are available when you [create or edit a sensitivity label](create-sensitivity-labels.md). Make sure **Files & emails** is selected for the label's scope:
![Sensitivity label scope options for files and emails](../media/filesandemails-scope-options-sensitivity-label.png)
You can learn more about these configuration options from the DLP documentation:
Also similarly to DLP policy configuration, you can choose whether a condition must detect all sensitive information types, or just one of them. And to make your conditions more flexible or complex, you can add [groups and use logical operators between the groups](data-loss-prevention-policies.md#grouping-and-logical-operators). > [!NOTE]
-> Auto-labeling policies that are based on custom sensitive information types apply only to newly created or modified content in OneDrive and SharePoint; not to existing content.
+> Auto-labeling policies that are based on custom sensitive information types apply only to newly created or modified content in OneDrive and SharePoint; not to existing content.
### Configuring trainable classifiers for a label
Specific to the Azure Information Protection unified labeling client:
## How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange
-Make sure you're aware of the prerequisites before you configure auto-labeling policies.
+Make sure you're aware of the prerequisites before you configure auto-labeling policies.
### Prerequisites for auto-labeling policies
Make sure you're aware of the prerequisites before you configure auto-labeling p
- You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md). - At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category. -- If you plan to use [custom sensitive information types](sensitive-information-type-learn-about.md) rather than the built-in sensitivity types:
+- If you plan to use [custom sensitive information types](sensitive-information-type-learn-about.md) rather than the built-in sensitivity types:
- Custom sensitivity information types apply only to content that is added or modified in SharePoint or OneDrive after the custom sensitivity information types are enforced. - To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing.
Finally, you can use simulation mode to provide an approximation of the time nee
### Creating an auto-labeling policy 1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com/), navigate to sensitivity labels:
-
+ - **Solutions** > **Information protection**
-
+ If you don't immediately see this option, first select **Show all**. 2. Select the **Auto-labeling** tab:
-
+ ![Auto-labeling tab](../media/auto-labeling-tab.png)
-
+ > [!NOTE] > If you don't see the **Auto-labeling** tab, this functionality isn't currently available in your region. 3. Select **+ Create auto-labeling policy**. This starts the New policy wizard:
-
- ![New policy wizard for auto-labeling ](../media/auto-labeling-wizard.png)
+
+ ![New policy wizard for auto-labeling](../media/auto-labeling-wizard.png)
4. For the page **Choose info you want this label applied to**: Select one of the templates, such as **Financial** or **Privacy**. You can refine your search by using the **Show options for** dropdown. Or, select **Custom policy** if the templates don't meet your requirements. Select **Next**. 5. For the page **Name your auto-labeling policy**: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label. 6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint sites, and OneDrive. Then select **Next**.
-
- ![Choose locations page auto-labelingwizard ](../media/locations-auto-labeling-wizard.png)
-
+
+ ![Choose locations page auto-labelingwizard](../media/locations-auto-labeling-wizard.png)
+ You must specify individual SharePoint sites and OneDrive accounts. For OneDrive, the URL for a user's OneDrive account is in the following format: `https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com`
-
+ For example, for a user in the contoso tenant that has a user name of "rsimone": `https://contoso-my.sharepoint.com/personal/rsimone_contoso_onmicrosoft_com`
-
+ To verify the syntax for your tenant and identify URLs for users, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls). 7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, select **Advanced rules**. Then select **Next**.
-
+ The rules use conditions that include sensitive information types and sharing options: - For sensitive information types, you can select both built-in and custom sensitive information types. - For the shared options, you can choose **only with people inside my organization** or **with people outside my organization**.
-
+ If your only location is **Exchange**, or if you select **Advanced rules**, there are additional conditions that you can select: - Sender IP address is - Recipient domain is
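Review bot: the added image line for the locations page keeps the alt text "Choose locations page auto-labelingwizard" with the last two words run together. Since the line is already being rewritten to trim the trailing space, change it to "auto-labeling wizard" so screen readers announce it correctly.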
Finally, you can use simulation mode to provide an approximation of the time nee
- Sender domain is - Recipient is a member of - Sender is
-
+ For each of these conditions, you can then specify exceptions.
-
+ 8. Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions.
-
+ The configuration options for sensitive information types are the same as those you select for auto-labeling for Office apps. If you need more information, see [Configuring sensitive info types for a label](#configuring-sensitive-info-types-for-a-label).
-
+ When you have defined all the rules you need, and confirmed their status is on, select **Next** to move on to choosing a label to auto-apply. 11. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
-12. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select **Leave policy turned off**. Select **Next**:
-
+12. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select **Leave policy turned off**. Select **Next**:
+ ![Test out the policy auto-labeling wizard](../media/simulation-mode-auto-labeling-wizard.png) 13. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the wizard.
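Review bot: in the wizard steps around this change, the numbering goes from 8 straight to 11, and step 13 reads "make any changes that needed". Renumber the steps so they are consecutive in the source, and change the phrase to "make any changes that are needed".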
You can modify your policy directly from this interface:
- For a policy in the **Off** section, select the **Edit policy** button. - For policy in the **Simulation** section, select the **Edit policy** option at the top of the page, from either tab:
-
+ ![Edit auto-labeling policy option](../media/auto-labeling-edit.png)
-
+ When you're ready to run the policy without simulation, select the **Turn on policy** option. Your auto-policies run continuously until they are deleted. For example, new and modified documents will be included with the current policy settings.
You can use [Security & Compliance Center PowerShell](/powershell/exchange/scc-p
Before you run the commands in PowerShell, you must first [connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
-To create a new auto-labeling policy:
+To create a new auto-labeling policy:
```powershell New-AutoSensitivityLabelPolicy -Name <AutoLabelingPolicyName> -SharePointLocation "<SharePointSiteLocation>" -ApplySensitivityLabel <Label> -Mode TestWithoutNotifications ```
-This command creates an auto-labeling policy for a SharePoint site that you specify. For a OneDrive location, use the *OneDriveLocation* parameter, instead.
+This command creates an auto-labeling policy for a SharePoint site that you specify. For a OneDrive location, use the *OneDriveLocation* parameter, instead.
To add additional sites to an existing auto-labeling policy:
For more information about the PowerShell cmdlets that support auto-labeling pol
Although auto-labeling is one of the most efficient ways to classify, label, and protect Office files that your organization owns, check whether you can supplement it with any of the additional methods to increase your labeling reach: - When you use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2):
-
+ - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you are planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
-
+ - If you have used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions. -- Encourage [manual labeling](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) after providing users with training which sensitivity labels to apply. When you're confident that users understand which label to apply, consider configuring a default label and mandatory labeling as [policy settings](sensitivity-labels.md#what-label-policies-can-do).
+- Encourage [manual labeling](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) after providing users with training which sensitivity labels to apply. When you're confident that users understand which label to apply, consider configuring a default label and mandatory labeling as [policy settings](sensitivity-labels.md#what-label-policies-can-do).
Additionally, consider [marking new files as sensitive by default](/sharepoint/sensitive-by-default) in SharePoint to prevent guests from accessing newly added files until at least one DLP policy scans the content of the file.
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal-+ - Strat_O365_IP - M365-security-compliance - m365solution-mig - m365initiative-compliance
+search.appverid:
- MOE150 - MET150 ms.assetid: 0ce338d5-3666-4a18-86ab-c6910ff408cc
TeleMessage data connectors are also available in GCC environments in the Micros
|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management | |:|:|:|:|:|:|:|
-|[Android ](archive-android-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[AT&T Network ](archive-att-network-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Bell Network ](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Enterprise Number ](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[O2 Network ](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[TELUS Network ](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Verizon Network ](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[WeChat ](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[WhatsApp ](archive-whatsapp-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Android](archive-android-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[AT&T Network](archive-att-network-archiver-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Bell Network](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Enterprise Number](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[O2 Network](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[TELUS Network](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Verizon Network](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[WeChat](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[WhatsApp](archive-whatsapp-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|||||||| ### 17a-4 data connectors
Before you can archive third-party data in Microsoft 365, you have to work with
|Third-party data |Litigation hold|eDiscovery |Retention settings |Records management |Communication compliance |Insider risk management | |:|:|:|:|:|:|:| |[BlackBerry](archive-17a-4-blackberry-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Bloomberg ](archive-17a-4-bloomberg-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Jabber ](archive-17a-4-cisco-jabber-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Webex ](archive-17a-4-webex-teams-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[FactSet ](archive-17a-4-factset-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Fuze ](archive-17a-4-fuze-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[FX Connect ](archive-17a-4-fxconnect-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Bloomberg](archive-17a-4-bloomberg-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber](archive-17a-4-cisco-jabber-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Webex](archive-17a-4-webex-teams-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[FactSet](archive-17a-4-factset-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Fuze](archive-17a-4-fuze-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[FX Connect](archive-17a-4-fxconnect-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[ICE Chat](archive-17a-4-ice-im-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[InvestEdge ](archive-17a-4-investedge-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[LivePerson Conversational Cloud ](archive-17a-4-liveperson-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Quip ](archive-17a-4-quip-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[InvestEdge](archive-17a-4-investedge-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[LivePerson Conversational Cloud](archive-17a-4-liveperson-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Quip](archive-17a-4-quip-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Refinitiv Eikon Messenger](archive-17a-4-refinitiv-messenger-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[ServiceNow ](archive-17a-4-servicenow-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Slack ](archive-17a-4-slack-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[SQL ](archive-17a-4-sql-database-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Symphony ](archive-17a-4-symphony-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Zoom ](archive-17a-4-zoom-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[ServiceNow](archive-17a-4-servicenow-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Slack](archive-17a-4-slack-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[SQL](archive-17a-4-sql-database-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Symphony](archive-17a-4-symphony-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Zoom](archive-17a-4-zoom-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|||||||| ### CellTrust data connectors
compliance Auto Apply Retention Labels Scenario https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auto-apply-retention-labels-scenario.md
audience: Admin
localization_priority: Priority-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150 description: "How you can use retention labels to manage the lifecycle of documents in SharePoint by using metadata to classify the content, automatically apply the labels, and use event-based retention to start the retention period."
The following screenshot shows the settings when you create the Product Specific
### Create an event type when you create a retention label 1. On the **Define retention settings** page of the Create retention label wizard, after **Start the retention period based on**, select **Create new event type**:
-
+ ![Create a new event type for the Product Specification label dialog box](../media/SPRetention6.png) 3. On the **Name your event type** page, enter **Product Cessation** and an optional description. Then select **Next**, **Submit**, and **Done**. 4. Back on the **Define retention settings** page, for **Start the retention period based on**, use the dropdown box to select the **Product Cessation** event type that you created.
-
- Here's what the settings look like for the Product Specification retention label:
-
+
+ Here's what the settings look like for the Product Specification retention label:
+ ![Settings for the new Product Specification label](../media/SPRetention7.png)
-6. Select **Create label**, and on the next page when you see the options to publish the label, auto-apply the label, or just save the label: Select **Just save the label for now**, and then select **Done**.
-
+6. Select **Create label**, and on the next page when you see the options to publish the label, auto-apply the label, or just save the label: Select **Just save the label for now**, and then select **Done**.
+ > [!TIP] > For more detailed steps, see [Create a label whose retention period is based on an event](event-driven-retention.md#step-1-create-a-label-whose-retention-period-is-based-on-an-event).
To map the **ows\_Doc\_x0020\_Type** crawled property, follow these steps:
1. In the **Managed property** filter box, type ***RefinableString00*** and select the green arrow.
-2. In the results list, select the **RefinableString00** link, and then scroll down to the **Mappings to crawled properties** section.
+2. In the results list, select the **RefinableString00** link, and then scroll down to the **Mappings to crawled properties** section.
-3. Select **Add a Mapping**, and then type ***ows\_Doc\_x0020\_Type*** in the **Search for a crawled property name** box in the **Crawled property selection** window. Select **Find**.
+3. Select **Add a Mapping**, and then type ***ows\_Doc\_x0020\_Type*** in the **Search for a crawled property name** box in the **Crawled property selection** window. Select **Find**.
4. In the results list, select **ows\_Doc\_x0020\_Type** and then select **OK**.
Now that we've verified that the KQL query is working, let's create an auto-appl
2. In the Create auto-labeling policy wizard, on the **Name your auto-labeling policy** page, enter a name such as **Auto-apply Product Specification label**, and an optional description. Then select **Next**. 3. On the **Choose the type of content you want to apply this label to** page, select **Apply label to content that contains specific words or phrases, or properties**, and then select **Next**.
-
+ [ ![Select Apply label to content that contains specific words or phrases, or properties](../media/SPRetention17.png) ](../media/SPRetention17.png#lightbox)
-
+ This option lets us provide the same KQL search query that we tested in the previous section. The query returns all Product Specification documents that have a status of *Final*. When we use this same query in the auto-apply label policy, the Product Specification retention label will be automatically applied to all documents that match it. 4. On the **Apply label to content matching this query** page, type **RefinableString00:"Product Specification" AND RefinableString01:Final**, and then select **Next**. ![Specify the query in the Keyword query editor box](../media/SPRetention19.png)
-5. On the **Choose locations to apply the policy** page, you select the content locations that you want to apply the policy to. For this scenario, we apply the policy only to SharePoint locations, because all the production documents are stored in SharePoint document libraries. Toggle the status for **Exchange email**, **OneDrive accounts**, and **Microsoft 365 Groups** to **Off**. Make sure that the status for SharePoint sites is set to **On** before you select **Next**:
-
+5. On the **Choose locations to apply the policy** page, you select the content locations that you want to apply the policy to. For this scenario, we apply the policy only to SharePoint locations, because all the production documents are stored in SharePoint document libraries. Toggle the status for **Exchange email**, **OneDrive accounts**, and **Microsoft 365 Groups** to **Off**. Make sure that the status for SharePoint sites is set to **On** before you select **Next**:
+ ![Choose specific sites to auto-apply labels to](../media/SPRetentionSPlocations.png)
-
+ > [!TIP] > Instead of applying the policy to all SharePoint sites, you can select **Choose site** and add the URLs for specific SharePoint sites.
Now that we've verified that the KQL query is working, let's create an auto-appl
![Settings to auto-apply the label](../media/SPRetention18.png) 9. Select **Submit** to create the auto-apply label policy.
-
- >[!NOTE]
- >It takes up to 7 days to automatically apply the Product Specification label to all documents that match the KQL search query.
+
+ > [!NOTE]
+ > It takes up to 7 days to automatically apply the Product Specification label to all documents that match the KQL search query.
### Verify that the retention label was automatically applied
To create this flow, start from a SharePoint connector and select the **When an
- **URI**: `https://ps.compliance.protection.outlook.com/psws/service.svc/ComplianceRetentionEvent` - **Headers**: Key = Content-Type, Value = application/atom+xml - **Body**:
-
+ ```xml <?xml version='1.0' encoding='utf-8' standalone='yes'> <entry xmlns:d='http://schemas.microsoft.com/ado/2007/08/dataservices' xmlns:m='http://schemas.microsoft.com/ado/2007/08/dataservices/metadata' xmlns='https://www.w3.org/2005/Atom'>
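Review bot: The **Body** sample on the added `xml` fence line is not well-formed as shown: the declaration ends in `standalone='yes'>` instead of `standalone='yes'?>`, so a flow that pastes it verbatim sends a body that an XML parser rejects. While this line is being touched, also check the default namespace `xmlns='https://www.w3.org/2005/Atom'`. The Atom namespace is `http://www.w3.org/2005/Atom`, and namespace names are compared as literal strings, so the `https` form names a different namespace. Suggest fixing both in this commit, since the hunk already rewrites the line that opens the fence.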
Select the event to view the details on the flyout page. Notice that even though
![Event details](../media/SPRetention29.png)
-But after a delay, the event status shows that a SharePoint site and a SharePoint document have been processed.
+But after a delay, the event status shows that a SharePoint site and a SharePoint document have been processed.
![Event details show that documents were processed.](../media/SPRetention31.png)
-
+ This shows that the retention period for the label applied to the Spinning Widget product document has been initiated, based on the event date of the *Cessation Production Spinning Widget* event. Assuming that you implemented the scenario in your test environment by configuring a one-day retention period, you can go to the document library for your product documents a few days after the event was created and verify that the document was deleted (after the deletion job in SharePoint has run). ### More about asset IDs
compliance Bulk Edit Content Searches https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-edit-content-searches.md
audience: Admin
localization_priority: Normal
+search.appverid:
- MOE150 - MET150 ms.assetid: 39e4654a-9588-41f6-892b-c33ab57bfbe2
description: "Use the Bulk Search Editor in the security and compliance center t
# Bulk edit Content Searches You can use the Bulk Search Editor in the Content Search tool to edit multiple searches at the same time. Using this tool lets you quickly change the query and content locations for one or more searches. Then you can rerun the searches and get new estimated search results for the revised searches. The editor also lets you copy and paste queries and content locations from a Microsoft Excel file or text file. This means you can use the Search Statistics tool to view the statistics of one or more searches, export the statistics to a CSV file, where you can edit the queries and content locations in Excel. Then you use the Bulk Search Editor to add the revised queries and content locations to the searches. After you've revised one or more searches, you can restart them and get new estimated search results.
-
+ For more information about using the Search Statistics tool, see [View keyword statistics for Content Search results](view-keyword-statistics-for-content-search.md).
-
+ ## Use the Bulk Search Editor to change queries
-1. Go to [https://protection.office.com](https://protection.office.com), and then select **Search** \> **Content search**.
-
+1. Go to <https://protection.office.com>, and then select **Search** \> **Content search**.
+ 2. In the list of searches, select one or more searches, and then select **Bulk Search Editor** ![Bulk Search Editor button](../media/1ddb3d18-2f00-4a7b-98a6-817ca5ec7014.png).
-
+ ![Select one or more searches and then select Bulk search editor](../media/600c9716-89a2-4451-b111-fa7cfaad2006.png)
-
- The following information is displayed on the **Queries** page of the Bulk Search Editor.
-
+
+ The following information is displayed on the **Queries** page of the Bulk Search Editor.
+ ![The Bulk search editor page displays the queries for the selected searches](../media/189659af-cc78-4479-b0bc-a93decad2f6c.png)
-
- a. The **Search** column displays the name of the Content Search. As previously stated, you can edit the query for multiple searches.
-
- b. The **Query** column displays the query for the Content Search listed in the **Search** column. If the query was created using the keyword list feature, the keywords are separated by the text ** `(c:s)`**. This indicates that the keywords are connected by the **OR** operator. Additionally, if the query includes conditions, the keywords and the conditions are separated by the text ** `(c:c)`**. This indicates that the keywords (or keyword phases) are connected to the conditions by the **AND** operator. For example, in the previous screenshot the for search ContosoSearch1, the KQL query that is equivalent to `customer (c:s) pricing(c:c)(date=2000-01-01..2016-09-30)` would be `(customer OR pricing) AND (date=2002-01-01..2016-09-30)`.
-
+
+ a. The **Search** column displays the name of the Content Search. As previously stated, you can edit the query for multiple searches.
+
+ b. The **Query** column displays the query for the Content Search listed in the **Search** column. If the query was created using the keyword list feature, the keywords are separated by the text **`(c:s)`**. This indicates that the keywords are connected by the **OR** operator. Additionally, if the query includes conditions, the keywords and the conditions are separated by the text **`(c:c)`**. This indicates that the keywords (or keyword phases) are connected to the conditions by the **AND** operator. For example, in the previous screenshot the for search ContosoSearch1, the KQL query that is equivalent to `customer (c:s) pricing(c:c)(date=2000-01-01..2016-09-30)` would be `(customer OR pricing) AND (date=2002-01-01..2016-09-30)`.
+ 3. To edit a query, select in the cell of the query that you want to change and doing one of the following things. The cell is bordered by a blue box when you select it.
-
+ - Type the new query in the cell. You can't edit a portion of the query. You have to type the entire query.
-
+ Or
-
- - Paste a new query in the cell. This assumes that you've copied the query text from a file, such as a text file or an Excel file.
-
+
+ - Paste a new query in the cell. This assumes that you've copied the query text from a file, such as a text file or an Excel file.
+ 4. After you've edited one or more queries on the **Queries** page, select **Save**.
-
- The revised query is displayed in the **Query** column for the selected search.
-
-5. Select **Close** to close the Bulk Search Editor.
-
-6. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised query.
-
+
+ The revised query is displayed in the **Query** column for the selected search.
+
+5. Select **Close** to close the Bulk Search Editor.
+
+6. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised query.
+ Here are some tips for editing queries using the Bulk Search Editor:
-
-- Copy the existing query (by using **Ctrl C** ) to a text file. Edit the query in the text file, and then copy the revised query and paste it (using **Ctrl V** ) back into the cell on the **Queries** page.
-
-- You can also copy queries from other applications (such as Microsoft Word or Microsoft Excel). However, you might inadvertently add unsupported characters to a query using the Bulk Search Editor. The best way to prevent unsupported characters is to just type the query in a cell on the **Queries** page. Or you can copy a query from Word or Excel and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select **ANSI** in the **Encoding** drop-down list. This removes any formatting and unsupported characters. Then you can copy and paste the query from the text file to the **Queries** page.
-
-
+
+- Copy the existing query (by using **Ctrl C**) to a text file. Edit the query in the text file, and then copy the revised query and paste it (using **Ctrl V**) back into the cell on the **Queries** page.
+
+- You can also copy queries from other applications (such as Microsoft Word or Microsoft Excel). However, you might inadvertently add unsupported characters to a query using the Bulk Search Editor. The best way to prevent unsupported characters is to just type the query in a cell on the **Queries** page. Or you can copy a query from Word or Excel and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select **ANSI** in the **Encoding** drop-down list. This removes any formatting and unsupported characters. Then you can copy and paste the query from the text file to the **Queries** page.
+ ## Use the Bulk Search Editor to change content locations
-1. In the Bulk Search Editor for one or more selected searches, select **Enable bulk location editor**, and then select the **Locations** link that is displayed on the page.
-
- The following information is displayed on the **Locations** page of the Bulk Search Editor.
-
+1. In the Bulk Search Editor for one or more selected searches, select **Enable bulk location editor**, and then select the **Locations** link that is displayed on the page.
+
+ The following information is displayed on the **Locations** page of the Bulk Search Editor.
+ ![Select Enable bulk location editor and then select Locations to add or remove content locations](../media/a5a468ce-bd63-4c53-bc37-ff64cf769e59.png)
-
+ a. **Mailboxes to search** This section displays a column for each selected Content Search and a row for each mailbox that's included in the search. A check mark indicates that the mailbox is included in the search. You can add mailboxes to a search by typing the email address of the mailbox in a blank row and then selecting the check box for the Content Search that you want to add it to. Or you can remove a mailbox from a search by clearing the check box.
-
+ b. **SharePoint sites to search** This section displays a row for each SharePoint and OneDrive site that's included in each selected Content Search. A check mark indicates that the site is included in the search. You can add sites to a search by typing the URL for the site in a blank row and then selecting the check box for the Content Search that you want to add it to. Or you can remove a site from a search by clearing the check box.
-
+ c. **Other search options** This section indicates whether unindexed items and public folders are included in the search. To include them, make sure the check box is selected. To remove them, clear the check box.
-
+ 2. After you've edited one or more of the sections on the **Locations** page, select **Save**.
-
+ The revised content locations are displayed in the appropriate section for the selected searches.
-
-3. Select **Close** to close the Bulk Search Editor.
-
-4. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised content locations.
-
+
+3. Select **Close** to close the Bulk Search Editor.
+
+4. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised content locations.
+ Here are some tips for editing content locations using the Bulk Search Editor:
-
-- You can edit Content Searches to search all mailboxes or sites in the organization by typing **All** in a blank row in the **Mailboxes to search** or **SharePoint sites to search** section and then selecting the check box.
-
-- You can add multiple content locations to one or more searches by copying multiple rows from a text file or an Excel file and then pasting them in a section on the **Locations** page. After you add new locations, be sure to select the check box for each search that you want add the location to.
-
+
+- You can edit Content Searches to search all mailboxes or sites in the organization by typing **All** in a blank row in the **Mailboxes to search** or **SharePoint sites to search** section and then selecting the check box.
+
+- You can add multiple content locations to one or more searches by copying multiple rows from a text file or an Excel file and then pasting them in a section on the **Locations** page. After you add new locations, be sure to select the check box for each search that you want add the location to.
+ > [!TIP]
- > To generate a list of email addresses for all the users in your organization, run the PowerShell command in Step 2 in [Step 2: Generate a list of users](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md#step-2-generate-a-list-of-users). Or follow the steps in [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls) to generate a list of all OneDrive for Business sites in your organization. Note that you'll have to append the URL for your organization's MySite domain (for example, https://contoso-my.sharepoint.com) to the OneDrive for Business sites that's created by the script. After you have list of email addresses or OneDrive for Business sites, you can copy and paste them to the **Locations** page in the Bulk Search Editor.
-
-- After you select **Save** to save changes in Bulk Search Editor, the email address for mailboxes that you added to a search will be validated. If the email address doesn't exist, an error message is displayed saying the mailbox can't be located. URLs for sites aren't validated.
+ > To generate a list of email addresses for all the users in your organization, run the PowerShell command in Step 2 in [Step 2: Generate a list of users](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md#step-2-generate-a-list-of-users). Or follow the steps in [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls) to generate a list of all OneDrive for Business sites in your organization. Note that you'll have to append the URL for your organization's MySite domain (for example, https://contoso-my.sharepoint.com) to the OneDrive for Business sites that's created by the script. After you have list of email addresses or OneDrive for Business sites, you can copy and paste them to the **Locations** page in the Bulk Search Editor.
+
+- After you select **Save** to save changes in Bulk Search Editor, the email address for mailboxes that you added to a search will be validated. If the email address doesn't exist, an error message is displayed saying the mailbox can't be located. URLs for sites aren't validated.
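Review bot: The re-added item b under the **Queries** page description still carries an example that contradicts itself: the stored form is `customer (c:s) pricing(c:c)(date=2000-01-01..2016-09-30)` but the "equivalent" KQL is given as `(customer OR pricing) AND (date=2002-01-01..2016-09-30)`, so the start dates differ (2000 versus 2002). Because readers are told to retype whole queries by hand, a wrong date range in the reference example is likely to be copied into real searches. Pick one date and use it in both places. The same sentence reads "the for search ContosoSearch1" and "keyword phases" (phrases), and step 3 reads "select in the cell ... and doing one of the following things"; since these lines are rewritten here for whitespace only, the wording can be fixed in the same pass.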
compliance Communication Compliance Case Study https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-case-study.md
The first step is to confirm that Contoso's Microsoft 365 licensing includes sup
They must also confirm that users included in communication compliance policies must be assigned one of the licenses above.
->[!IMPORTANT]
->Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
+> [!IMPORTANT]
+> Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
Contoso IT administrators take the following steps to verify the licensing support for Contoso:
-1. IT administrators sign in to the **Microsoft 365 admin center** [(https://admin.microsoft.com)](https://admin.microsoft.com) and navigate to **Microsoft 365 admin center** > **Billing** > **Licenses**.
+1. IT administrators sign in to the **Microsoft 365 admin center** <https://admin.microsoft.com> and navigate to **Microsoft 365 admin center** > **Billing** > **Licenses**.
2. Here they confirm that they have one of the [license options](communication-compliance-configure.md#subscriptions-and-licensing) that includes support for communication compliance.
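Review bot: In the rewritten step 1, replacing `[(https://admin.microsoft.com)](https://admin.microsoft.com)` with a bare `<https://admin.microsoft.com>` drops the parentheses, so the sentence now reads "sign in to the **Microsoft 365 admin center** <https://admin.microsoft.com> and navigate to ..." with the URL floating mid-sentence. Suggest keeping it parenthesised, or linking the product name itself. The navigation path on the same line uses unescaped `>` separators, while the other articles in this batch write `\>`; worth making consistent so the path is not parsed as a blockquote marker. The unchanged sentence above the note also has a doubled "must" ("must also confirm that users ... must be assigned").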
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
Before you get started with communication compliance, you should confirm your [M
Users included in communication compliance policies must be assigned one of the licenses above.
->[!IMPORTANT]
->Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
+> [!IMPORTANT]
+> Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
If you don't have an existing Office 365 Enterprise E5 plan and want to try communication compliance, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Office 365 Enterprise E5. ## Step 1 (required): Enable permissions for communication compliance
->[!Important]
->By default, Global Administrators do not have access to communication compliance features. The roles assigned in this step are required before any communication compliance features will be accessible. After configuring your role groups, it may take up to 30 minutes for the role group permissions to apply to assigned users across your organization.
+> [!IMPORTANT]
+> By default, Global Administrators do not have access to communication compliance features. The roles assigned in this step are required before any communication compliance features will be accessible. After configuring your role groups, it may take up to 30 minutes for the role group permissions to apply to assigned users across your organization.
There are five role groups used to configure permissions to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft 365 compliance center and to continue with these configuration steps, you must be assigned to the *Communication Compliance* or *Communication Compliance Admin* role groups. To access and manage communication compliance features after initial configuration, users must be a member of at least one communication compliance role group.
Use the following chart to help you configure groups in your organization for co
|:--|:--|:--| |Supervised users <br> Excluded users | Distribution groups <br> Microsoft 365 Groups | Dynamic distribution groups <br> Nested distribution groups <br> Mail-enabled security groups <br> Microsoft 365 groups with dynamic membership | | Reviewers | None | Distribution groups <br> Dynamic distribution groups <br> Nested distribution groups <br> Mail-enabled security groups |
-
+ When you assign a distribution group in the policy, the policy monitors all emails and Teams chats from each user in distribution group. When you assign a Microsoft 365 group in the policy, the policy monitors all emails and Teams chats sent to that group, not the individual emails and chats received by each group member. If you're an organization with an Exchange on-premises deployment or an external email provider and you want to monitor Microsoft Teams chats for your users, you must create a distribution group for the users with on-premises or external mailboxes to monitor. Later in these steps, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).
To manage supervised users in large enterprise organizations, you may need to mo
```PowerShell $Mbx = (Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter {CustomAttribute9 -eq $Null}) $i = 0
- ForEach ($M in $Mbx)
+ ForEach ($M in $Mbx)
{ Write-Host "Adding" $M.DisplayName Add-DistributionGroupMember -Identity <your group name> -Member $M.DistinguishedName -ErrorAction SilentlyContinue
- Set-Mailbox -Identity $M.Alias -<your custom attribute name> SRAdded
+ Set-Mailbox -Identity $M.Alias -<your custom attribute name> SRAdded
$i++ } Write-Host $i "Mailboxes added to supervisory review distribution group."
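Review bot: In the loop that this hunk re-indents, `Add-DistributionGroupMember ... -ErrorAction SilentlyContinue` hides every failure, yet the following `Set-Mailbox ... SRAdded` line still stamps the mailbox and `$i++` still counts it. A mailbox whose add failed is therefore reported in "Mailboxes added to supervisory review distribution group" and, if the stamped attribute is the one the `Get-Mailbox` filter tests, is skipped on every later run, leaving that user outside the supervised group with no trace. Suggest stamping and counting only after the add succeeds (for example `-ErrorAction Stop` inside `try`/`catch`) and writing failures to the output. The filter also hard-codes `CustomAttribute9` while the `Set-Mailbox` line uses the `<your custom attribute name>` placeholder; the text should say these must be the same attribute.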
For more information about configuring Yammer in Native Mode, see:
- [Configure your Yammer network for Native Mode for Microsoft 365](/yammer/configure-your-yammer-network/native-mode) ## Step 5 (required): Create a communication compliance policy
-
->[!Important]
->Using PowerShell to create and manage communication compliance policies is not supported. To create and manage these policies, you must use the policy management controls in the [Microsoft 365 communication compliance solution](https://compliance.microsoft.com/supervisoryreview).
-1. Sign into [https://compliance.microsoft.com](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.
+> [!IMPORTANT]
+> Using PowerShell to create and manage communication compliance policies is not supported. To create and manage these policies, you must use the policy management controls in the [Microsoft 365 communication compliance solution](https://compliance.microsoft.com/supervisoryreview).
+
+1. Sign into <https://compliance.microsoft.com> using credentials for an admin account in your Microsoft 365 organization.
2. In the Microsoft 365 compliance center, select **Communication compliance**.
-
+ 3. Select the **Policies** tab. 4. Select **Create policy** to create and configure a new policy from a template or to create and configure a custom policy.
For more information about configuring Yammer in Native Mode, see:
- Choose a limited condition field, usually a sensitive info type or keyword dictionary to apply to the policy.
- >[!NOTE]
- >If you want to enable [optical character recognition (OCR)](communication-compliance-feature-reference.md#optical-character-recognition-ocr) to scan embedded or attached images in messages for printed or handwritten text that match policy conditions, select **Customize policy** > **Conditions and percentage** and enable **Extract printed or handwritten text from images for evaluation**.
+ > [!NOTE]
+ > If you want to enable [optical character recognition (OCR)](communication-compliance-feature-reference.md#optical-character-recognition-ocr) to scan embedded or attached images in messages for printed or handwritten text that match policy conditions, select **Customize policy** > **Conditions and percentage** and enable **Extract printed or handwritten text from images for evaluation**.
If you choose to use the policy wizard to create a custom policy, you will:
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
search.appverid:
## Policies
->[!Important]
->Using PowerShell to create and manage communication compliance policies is not supported. To create and manage these policies, you must use the policy management controls in the [Microsoft 365 communication compliance solution](https://compliance.microsoft.com/supervisoryreview).
+> [!IMPORTANT]
+> Using PowerShell to create and manage communication compliance policies is not supported. To create and manage these policies, you must use the policy management controls in the [Microsoft 365 communication compliance solution](https://compliance.microsoft.com/supervisoryreview).
You create communication compliance policies for Microsoft 365 organizations in the Microsoft 365 compliance center. Communication compliance policies define which communications and users are subject to review in your organization, define which custom conditions the communications must meet, and specify who should do reviews. Users assigned the *Communication Compliance Admin* role can set up policies, and anyone who has this role assigned can access the **Communication compliance** page and global settings in the Microsoft 365 compliance center. If needed, you can export the history of modifications to a policy to a .csv (comma-separated values) file that also includes the status of alerts pending review, escalated items, and resolved items. Policies can't be renamed and can be deleted when no longer needed.
->[!NOTE]
->Supervision policies created in the Security & Compliance Center for Office 365 subscriptions cannot migrate to Microsoft 365. If you're migrating from an Office 365 subscription to a Microsoft 365 subscription, you'll need to create new communication compliance polices to replace existing Supervision policies.
+> [!NOTE]
+> Supervision policies created in the Security & Compliance Center for Office 365 subscriptions cannot migrate to Microsoft 365. If you're migrating from an Office 365 subscription to a Microsoft 365 subscription, you'll need to create new communication compliance polices to replace existing Supervision policies.
## Policy templates
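Review bot: The rewritten NOTE on Supervision policy migration still reads "create new communication compliance polices"; since the line is being touched anyway, correct "polices" to "policies".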
To resume a policy, navigate to the **Policy** page, select a policy, and then s
## Permissions
->[!Important]
->By default, Global Administrators do not have access to communication compliance features. The roles assigned in this step are required before any communication compliance features will be accessible.
+> [!IMPORTANT]
+> By default, Global Administrators do not have access to communication compliance features. The roles assigned in this step are required before any communication compliance features will be accessible.
There are five role groups used to configure permissions to manage communication compliance features. To make **Communication compliance** available as a menu option in Microsoft 365 compliance center and to continue with these configuration steps, you must be assigned to the *Communication Compliance* or *Communication Compliance Admin* role groups. To access and manage communication compliance features after initial configuration, users must be a member of at least one communication compliance role group.
To update the roles for these users for the new role group structure, and to sep
Before you start using communication compliance, you must determine who needs their communications reviewed. In the policy, user email addresses identify individuals or groups of people to supervise. Some examples of these groups are Microsoft 365 Groups, Exchange-based distribution lists, Yammer communities, and Microsoft Teams channels. You also can exclude specific users or groups from scanning with a specific exclusion group or a list of groups. For more information about groups types supported in communication compliance policies, see [Get started with communication compliance](communication-compliance-configure.md#step-3-optional-set-up-groups-for-communication-compliance).
->[!IMPORTANT]
->Users covered by communication compliance policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription. If you don't have an existing Enterprise E5 plan and want to try communication compliance, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
+> [!IMPORTANT]
+> Users covered by communication compliance policies must have either a Microsoft 365 E5 Compliance license, an Office 365 Enterprise E3 license with the Advanced Compliance add-on, or be included in an Office 365 Enterprise E5 subscription. If you don't have an existing Enterprise E5 plan and want to try communication compliance, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
## Reviewers
The *Adult*, *Racy*, and *Gory* image classifiers scan files in .jpeg, .png, .gi
The built-in trainable and global classifiers don't provide an exhaustive list of terms or images across these areas. Further, language and cultural standards continually change, and in light of these realities, Microsoft reserves the right to update classifiers at its discretion. While classifiers may assist your organization in monitoring these areas, classifiers aren't intended to provide your organization's sole means of monitoring or addressing such language or imagery. Your organization, not Microsoft, remains responsible for all decisions related to monitoring, scanning, and blocking language and images in these areas, including compliance with local privacy and other applicable laws. Microsoft encourages consulting with legal counsel before deployment and use.
->[!NOTE]
->Policies using classifiers will inspect and evaluate messages with a word count of six or greater. Messages containing less than six words aren't evaluated in policies using classifiers. To identify and take action on shorter messages containing inappropriate content, we recommend including a custom keyword dictionary to communication compliance policies monitoring for this type of content.
+> [!NOTE]
+> Policies using classifiers will inspect and evaluate messages with a word count of six or greater. Messages containing less than six words aren't evaluated in policies using classifiers. To identify and take action on shorter messages containing inappropriate content, we recommend including a custom keyword dictionary to communication compliance policies monitoring for this type of content.
For information about trainable classifiers in Microsoft 365, see [Getting started with trainable classifiers](classifier-get-started-with.md).
Images from 50 KB to 4 MB in the following image formats are scanned and process
- .tiff (tag image file format) - .pdf (portable document format)
->[!NOTE]
->Scanning and extraction for embedded and attached .pdf images is currently supported only for email messages.
+> [!NOTE]
+> Scanning and extraction for embedded and attached .pdf images is currently supported only for email messages.
When reviewing pending alerts for policies with OCR enabled, images identified and matched to policy conditions are displayed as child items for associated alerts. You can view the original image to evaluate the identified text in context with the original message. It may take up to 48 hours for detected images to be available with alerts.
When reviewing pending alerts for policies with OCR enabled, images identified a
The conditions you choose for the policy apply to communications from both email and third-party sources in your organization (like from Instant Bloomberg). The following table explains more about each condition.
-
+ |**Condition**|**How to use this condition**| |:--|:--| | **Content matches any of these classifiers** | Apply to the policy when any classifiers are included or excluded in a message. Some classifiers are pre-defined in your tenant, and custom classifiers must be configured separately before they're available for this condition. Only one classifier can be defined as a condition in a policy. For more information about configuring classifiers, see [Learn about trainable classifiers (preview)](classifier-learn-about.md). |
The following table explains more about each condition.
| **Attachment is any of these file types** <br><br> **Attachment is none of these file types** | To supervise communications that include or exclude specific types of attachments, enter the file extensions (such as .exe or .pdf). If you want to include or exclude multiple file extensions, enter these on separate lines. Only one attachment extension must match for the policy to apply.| | **Message size is larger than** <br><br> **Message size is not larger than** | To review messages based on a certain size, use these conditions to specify the maximum or minimum size a message can be before it's subject to review. For example, if you specify **Message size is larger than** \> **1.0 MB**, all messages that are 1.01 MB and larger are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.| | **Attachment is larger than** <br><br> **Attachment is not larger than** | To review messages based on the size of their attachments, specify the maximum or minimum size an attachment can be before the message and its attachments are subject to review. For example, if you specify **Attachment is larger than** \> **2.0 MB**, all messages with attachments 2.01 MB and over are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.|
-
+ #### Matching words and phrases to emails or attachments <a name="Matchwords"> </a> Each word you enter and separate with a comma is applied separately (only one word must apply for the policy condition to apply to the email or attachment). For example, let's use the condition, **Message contains any of these words**, with the keywords "banker", "confidential", and "insider trading" separated by a comma (banker, confidential,"insider trading"). The policy applies to any messages that includes the word "banker", "confidential", or the phrase "insider trading". Only one of these words or phrases must occur for this policy condition to apply. Words in the message or attachment must exactly match what you enter.
->[!IMPORTANT]
->When importing a custom dictionary file, each word or phrase must be separated with a carriage return and on a separate line. <br> For example: <br><br>
->*banker* <br>
->*confidential* <br>
->*insider trading*
+> [!IMPORTANT]
+>
+> When importing a custom dictionary file, each word or phrase must be separated with a carriage return and on a separate line. For example:
+>
+> *banker* <br>
+> *confidential* <br>
+> *insider trading*
To scan both email messages and attachments for the same keywords, create a [data loss prevention policy](create-test-tune-dlp-policy.md) with a [custom keyword dictionary](create-a-keyword-dictionary.md) for the terms you wish to scan in messages. This policy configuration identifies defined keywords that appear in either the email message **OR** in the email attachment. Using the standard conditional policy settings (*Message contains any of these words* and *Attachment contains any of these words*) to identify terms in messages and in attachments requires the terms to be present in **BOTH** the message and the attachment.
-
+ #### Enter multiple conditions If you enter multiple conditions, Microsoft 365 uses all the conditions together to determine when to apply the communication compliance policy to communication items. When you set up multiple conditions, all conditions must be met for the policy to apply, unless you enter an exception. For example, you need a policy that applies if a message contains the word "trade", and is larger than 2 MB. However, if the message also contains the words "Approved by Contoso financial", the policy shouldn't apply. In this example, the three conditions would be defined as follows:
-
+ - **Message contains any of these words**, with the keyword "trade" - **Message size is larger than**, with the value 2 MB - **Message contains none of these words**, with the keywords "Approved by Contoso financial team"
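Review bot: The multiple-conditions example names two different exception strings: the paragraph says the policy shouldn't apply when the message contains "Approved by Contoso financial", but the third bullet configures the keywords "Approved by Contoso financial team". The matching section just above states that words must exactly match what you enter, so the two strings should be made identical.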
If you'd like to create more than a simple text-based email message for notifica
</html> ```
->[!NOTE]
->HTML href attribute implementation in the communication compliance notification templates currently support only single quotation marks instead of double quotation marks for URL references.
+> [!NOTE]
+> HTML href attribute implementation in the communication compliance notification templates currently support only single quotation marks instead of double quotation marks for URL references.
## Filters
For communication compliance policies, the following alert policy values are con
| Threshold | 4 activities | | Window | 60 minutes |
->[!Note]
->The alert policy threshold trigger settings for activities supports a minimum value of 3 or higher for communication compliance policies.
+> [!NOTE]
+> The alert policy threshold trigger settings for activities supports a minimum value of 3 or higher for communication compliance policies.
You can change the default settings for triggers on number of activities, period for the activities, and for specific users in alert policies on the **Alert policies** page in the Security & Compliance Center.
If you'd like to change the severity level assigned in an alert policy for a spe
Customers with Microsoft 365 subscriptions that include communication compliance do not need additional Power Automate licenses to use the recommended default communication compliance Power Automate template. The default template can be customized to support your organization and cover core communication compliance scenarios. If you choose to use premium Power Automate features in these templates, create a custom template using the Microsoft 365 compliance connector, or use Power Automate templates for other compliance areas in Microsoft 365, you may need additional Power Automate licenses.
->[!IMPORTANT]
->Are you receiving prompts for additional license validation when testing Power Automate flows? Your organization may not have received service updates for this preview feature yet. Updates are being deployed and all organizations with Microsoft 365 subscriptions that include communication compliance should have license support for flows created from the recommended Power Automate templates by October 30, 2020.
+> [!IMPORTANT]
+> Are you receiving prompts for additional license validation when testing Power Automate flows? Your organization may not have received service updates for this preview feature yet. Updates are being deployed and all organizations with Microsoft 365 subscriptions that include communication compliance should have license support for flows created from the recommended Power Automate templates by October 30, 2020.
![Communication compliance Power Automate](../media/communication-compliance-power-automate.png) The following Power Automate template is provided to customers to support process automation for communication compliance alerts: - **Notify manager when a user has a communication compliance alert**: Some organizations may need to have immediate management notification when a user has a communication compliance alert. When this flow is configured and selected, the manager for the case user is sent an email message with the following information about all alerts:
- - Applicable policy for the alert
- - Date/Time of the alert
- - Severity level of the alert
+ - Applicable policy for the alert
+ - Date/Time of the alert
+ - Severity level of the alert
### Create a Power Automate flow
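Review bot: The reformatted IMPORTANT note on Power Automate license prompts still says license support "should" arrive "by October 30, 2020", a date already past at the time of this 2021 update. Suggest removing the note or restating it without the rollout date.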
The **Reports dashboard** contains the following report widgets and detailed rep
- Items pending review - User notified - Case created
-
+ Use the *Export* option to create a .csv file containing the report details. - **Item and actions per location** detailed report: Review and export matching items and remediation actions per Microsoft 365 location. Includes information about how workload platforms are associated with:
The **Reports dashboard** contains the following report widgets and detailed rep
In some instances, you must provide information to regulatory or compliance auditors to prove supervision of user activities and communications. This information may be a summary of all activities associated with a defined organizational policy or anytime a communication compliance policy changes. Communication compliance policies have built-in audit trails for complete readiness for internal or external audits. Detailed audit histories of every create, edit, and delete action are captured by your communication policies to provide proof of supervisory procedures.
->[!Important]
->Auditing must be enabled for your organization before communication compliance events will be recorded. To enable auditing, see [Enable the audit log](communication-compliance-configure.md#step-2-required-enable-the-audit-log). When activities trigger events that are captured in the Microsoft 365 audit log, it may take up to 48 hours before these events can be viewed in communication compliance policies.
+> [!IMPORTANT]
+> Auditing must be enabled for your organization before communication compliance events will be recorded. To enable auditing, see [Enable the audit log](communication-compliance-configure.md#step-2-required-enable-the-audit-log). When activities trigger events that are captured in the Microsoft 365 audit log, it may take up to 48 hours before these events can be viewed in communication compliance policies.
To view communication compliance policy update activities, select the **Export policy updates** control on the main page for any policy. You must be assigned the *Global Admin* or *Communication Compliance Admin* roles to export update activities. This action generates an audit file in the .csv format that contains the following information:
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType Disco
This example returns activities that match your current communication compliance policies: ```PowerShell
-Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations SupervisionRuleMatch
+Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations SupervisionRuleMatch
``` Communication compliance policy matches are stored in a supervision mailbox for each policy. In some cases, you may need to check the size of your supervision mailbox for a policy to make sure you aren't approaching the current 50 GB limit. If the mailbox limit is reached, policy matches aren't captured and you'll need to create a new policy (with the same settings) to continue to capture matches for the same activities.
To check the size of a supervision mailbox for a policy, complete the following
2. Run the following command in PowerShell: ```PowerShell
- ForEach ($p in Get-SupervisoryReviewPolicyV2 | Sort-Object Name)
+ ForEach ($p in Get-SupervisoryReviewPolicyV2 | Sort-Object Name)
{ "<Name of your communication compliance policy>: " + $p.Name Get-MailboxStatistics $p.ReviewMailbox | ft ItemCount,TotalItemSize
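Review bot: In the `ForEach` over `Get-SupervisoryReviewPolicyV2`, the output label is the literal string `"<Name of your communication compliance policy>: "`, which reads as a placeholder to fill in although `$p.Name` already supplies the name of each policy. Suggest a fixed label such as `"Policy: " + $p.Name` so the command can be pasted as is. Because the surrounding text cites a 50 GB limit past which policy matches aren't captured, a sentence on reading `TotalItemSize` against that limit would also help.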
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
Identifying and resolving compliance issues with communication compliance in Mic
In this workflow step, you identify your compliance requirements and configure applicable communication compliance policies. Policy templates are a great way to not only quickly configure a new compliance policy, but to also quickly modify and update policies as your requirements change. For example, you may want to quickly test a policy for offensive language and anti-harassment on communications for a small group of users before configuring a policy for all users in your organization.
->[!Important]
->By default, Global Administrators do not have access to communication compliance features. To enable permissions for communication compliance features, see [Make communication compliance available in your organization](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).
+> [!IMPORTANT]
+> By default, Global Administrators do not have access to communication compliance features. To enable permissions for communication compliance features, see [Make communication compliance available in your organization](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).
You can choose from the following policy templates in the Microsoft 365 compliance center:
compliance Compliance Quick Tasks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-quick-tasks.md
ItΓÇÖs difficult to know where to go if you donΓÇÖt know where you are. Meeting
For step-by-step guidance to get started with Compliance Manager, see [Get started with Compliance Manager](compliance-manager-setup.md).
->[!IMPORTANT]
->Security and compliance are tightly integrated for most organizations. ItΓÇÖs important that your organization addresses basic security, threat protection, and identity and access management areas to help provide a defense in-depth approach to both security and compliance.
+> [!IMPORTANT]
+> Security and compliance are tightly integrated for most organizations. ItΓÇÖs important that your organization addresses basic security, threat protection, and identity and access management areas to help provide a defense in-depth approach to both security and compliance.
>
->Check your [Microsoft 365 Secure Score](../security/defender/microsoft-secure-score.md) in the Microsoft 365 security center and completing the tasks outlined in the following articles:
+> Check your [Microsoft 365 Secure Score](../security/defender/microsoft-secure-score.md) in the Microsoft 365 security center and completing the tasks outlined in the following articles:
> > - [Security roadmap - Top priorities for the first 30 days, 90 days, and beyond](../security/office-365-security/security-roadmap.md) > - [Top 12 tasks for security teams to support working from home](../security/top-security-tasks-for-remote-work.md)
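Review bot: In the IMPORTANT note, the sentence beginning "Check your [Microsoft 365 Secure Score]" continues with "and completing the tasks outlined in the following articles", which mixes verb forms. Change it to "and complete the tasks".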
compliance Configure Irm To Use An On Premises Ad Rms Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/configure-irm-to-use-an-on-premises-ad-rms-server.md
# Configure IRM to use an on-premises AD RMS server
-
+ For use with on-premises deployments, Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization's firewall.
-
+ This topic shows you how to configure IRM to use an AD RMS server. For information about using the new capabilities for Office 365 Message Encryption with Azure Active Directory and Azure Rights Management, see the [Office 365 Message Encryption FAQ](./ome-faq.yml).
-
+ To learn more about IRM in Exchange Online, see [Information Rights Management in Exchange Online](information-rights-management-in-exchange-online.md).
-
+ ## What do you need to know before you begin? - Estimated time to complete this task: 30 minutes -- You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Information Rights Management" entry in the [Messaging policy and compliance permissions](/Exchange/permissions/feature-permissions/policy-and-compliance-permissions) topic.
+- You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Information Rights Management" entry in the [Messaging policy and compliance permissions](/Exchange/permissions/feature-permissions/policy-and-compliance-permissions) topic.
- The AD RMS server must be running Windows Server 2008 or later. For details about how to deploy AD RMS, see [Installing an AD RMS Cluster](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726041(v=ws.11)).
To learn more about IRM in Exchange Online, see [Information Rights Management i
- For information about keyboard shortcuts that may apply to the procedures in this topic, see [Keyboard shortcuts for the Exchange admin center in Exchange Online](/Exchange/accessibility/keyboard-shortcuts-in-admin-center). > [!TIP]
-> Having problems? Ask for help in the Exchange forums. Visit the forums at [Exchange Server](https://go.microsoft.com/fwlink/p/?linkId=60612),[Exchange Online](https://go.microsoft.com/fwlink/p/?linkId=267542), or [Exchange Online Protection](https://go.microsoft.com/fwlink/p/?linkId=285351).
-
+> Having problems? Ask for help in the Exchange forums. Visit the forums at [Exchange Server](https://go.microsoft.com/fwlink/p/?linkId=60612),[Exchange Online](https://go.microsoft.com/fwlink/p/?linkId=267542), or [Exchange Online Protection](https://go.microsoft.com/fwlink/p/?linkId=285351).
+ ## How do you do this? <a name="sectionSection1"> </a> ### Step 1: Use the AD RMS console to export a trusted publishing domain (TPD) from an AD RMS server The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the following settings needed to use RMS features:
-
+ - The server licensor certificate (SLC) used for signing and encrypting certificates and licenses - The URLs used for licensing and publishing
The first step is to export a trusted publishing domain (TPD) from the on-premis
- The AD RMS rights policy templates that were created with the specific SLC for that TPD When you import the TPD, it's stored and protected in Exchange Online.
-
+ 1. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster. 2. In the console tree, expand **Trust Policies**, and then click **Trusted Publishing Domains**.
When you import the TPD, it's stored and protected in Exchange Online.
5. In the **Publishing domain file** box, click **Save As** to save the file to a specific location on the local computer. Type a file name, making sure to specify the `.xml` file name extension, and then click **Save**.
-6. In the **Password** and **Confirm Password** boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organization.
+6. In the **Password** and **Confirm Password** boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organization.
### Step 2: Use the Exchange Management Shell to import the TPD to Exchange Online
-After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the **Default** switch to make it the default TPD that is available to users.
-
+After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the **Default** switch to make it the default TPD that is available to users.
+ To import the TPD, run the following command in Windows PowerShell:
-
+ ```powershell Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path <path to exported TPD file> -ReadCount 0)) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL> ``` You can obtain the values for the _ExtranetLicensingUrl_ and _IntranetLicensingUrl_ parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The licensing URLs are displayed in the results pane. These URLs are used by email clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.
-
+ When you run this command, you'll be prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.
-
+ For example, the following command imports the TPD named Exported TPD using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter is used to specify a name to the TPD.
-
+ ```powershell Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path C:\Users\Administrator\Desktop\ExportTPD.xml -ReadCount 0)) -Name "Exported TPD" -ExtranetLicensingUrl https://corp.contoso.com/_wmcs/licensing -IntranetLicensingUrl https://rmsserver/_wmcs/licensing ``` For detailed syntax and parameter information, see [Import-RMSTrustedPublishingDomain](/powershell/module/exchange/import-rmstrustedpublishingdomain).
-
+ #### How do you know this step worked? To verify that you have successfully imported the TPD, run the **Get-RMSTrustedPublishingDomain** cmdlet to retrieve TPDs in your Exchange Online organization. For details, see the examples in [Get-RMSTrustedPublishingDomain](/powershell/module/exchange/get-rmstrustedpublishingdomain).
-
+ ### Step 3: Use the Exchange Management Shell to distribute an AD RMS rights policy template After you import the TPD, you must make sure an AD RMS rights policy template is distributed. A distributed template is visible to Outlook on the web (formerly known as Outlook Web App) users, who can then apply the templates to an email message.
-
+ To return a list of all templates contained in the default TPD, run the following command:
-
+ ```powershell Get-RMSTemplate -Type All | fl ``` If the value of the _Type_ parameter is `Archived`, the template isn't visible to users. Only distributed templates in the default TPD are available in Outlook on the web.
-
+ To distribute a template, run the following command:
-
+ ```powershell Set-RMSTemplate -Identity "<name of the template>" -Type Distributed ``` For example, the following command imports the Company Confidential template.
-
+ ```powershell Set-RMSTemplate -Identity "Company Confidential" -Type Distributed ``` For detailed syntax and parameter information, see [Get-RMSTemplate](/powershell/module/exchange/get-rmstemplate) and [Set-RMSTemplate](/powershell/module/exchange/set-rmstemplate).
-
+ **The Do Not Forward template**
-
-When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template named **Do Not Forward** is imported. By default, this template is distributed when you import the default TPD. You can't use the **Set-RMSTemplate** cmdlet to modify the **Do Not Forward** template.
-
+
+When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template named **Do Not Forward** is imported. By default, this template is distributed when you import the default TPD. You can't use the **Set-RMSTemplate** cmdlet to modify the **Do Not Forward** template.
+ When the **Do Not Forward** template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can't do the following:
-
+ - Forward the message to another person. - Copy content from the message.
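Review bot: In Step 3, the sentence "For example, the following command imports the Company Confidential template." introduces `Set-RMSTemplate -Identity "Company Confidential" -Type Distributed`, which sets the template type to Distributed and does not import anything. "distributes" would match both the command and the preceding "To distribute a template" sentence. In Step 2, "The Name parameter is used to specify a name to the TPD" reads better as "a name for the TPD".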
When the **Do Not Forward** template is applied to a message, only the recipient
- Print the message. > [!IMPORTANT]
-> The **Do Not Forward** template can't prevent information in a message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information
-
+> The **Do Not Forward** template can't prevent information in a message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information
+ You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organization.
-
+ #### How do you know this step worked? To verify that you have successfully distributed and AD RMS rights policy template, run the **Get-RMSTemplate** cmdlet to check the template's properties. For details, see the examples in [Get-RMSTemplate](/powershell/module/exchange/get-rmstemplate).
-
+ ### Step 4: Use the Exchange Management Shell to enable IRM After you import the TPD and distribute an AD RMS rights policy template, run the following command to enable IRM for your cloud-based email organization.
-
+ ```powershell Set-IRMConfiguration -InternalLicensingEnabled $true ``` For detailed syntax and parameter information, see [Set-IRMConfiguration](/powershell/module/exchange/set-irmconfiguration).
-
+ #### How do you know this step worked? To verify that you have successfully enabled IRM, run the [Get-IRMConfiguration](/powershell/module/exchange/get-irmconfiguration) cmdlet to check IRM configuration in the Exchange Online organization.
-
+ ## How do you know this task worked? <a name="sectionSection2"> </a> To verify that you have successfully imported the TPD and enabled IRM, do the following:
-
+ - Use the **Test-IRMConfiguration** cmdlet to test IRM functionality. For details, see "Example 1" in [Test-IRMConfiguration](/powershell/module/exchange/test-irmconfiguration). -- Compose a new message in Outlook on the web and IRM-protect it by selecting **Set permissions** option from the extended menu ( ![More Options Icon](../media/ITPro-EAC-MoreOptionsIcon.gif)).
+- Compose a new message in Outlook on the web and IRM-protect it by selecting **Set permissions** option from the extended menu (![More Options Icon](../media/ITPro-EAC-MoreOptionsIcon.gif)).
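Review bot: In the "How do you know this step worked?" paragraph for Step 3, "successfully distributed and AD RMS rights policy template" should read "an AD RMS rights policy template". The [!IMPORTANT] note about the Do Not Forward template also ends without a period after "transcribing the information", on both the removed and the added line, so this whitespace pass is a good place to add it.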
compliance Content Search Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search-reference.md
audience: Admin
localization_priority: Priority-+ - Strat_O365_IP - M365-security-compliance - SPO_Content
This article describes features and functionality of Content search.
## Content search limits For a description of the limits that are applied to Content searches, see [Limits for Content search](limits-for-content-search.md).
-
+ ## Building a search query
-For detailed information about creating a search query, using Boolean search operators and search conditions, and searching for sensitive information types and content shared with users outside your organization, see [Keyword queries and search conditions for Content Search ](keyword-queries-and-search-conditions.md).
-
+For detailed information about creating a search query, using Boolean search operators and search conditions, and searching for sensitive information types and content shared with users outside your organization, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
+ Keep the following things in mind when using the keyword list to create a search query.
-
+ - You have to select the **Show keyword list** checkbox and then type each keyword in a separate row to create a search query where the keywords (or keyword phrases) in each row are connected by the **OR** operator. If you paste a list of keywords in the keyword box or press the **Enter** key after typing a keyword, they won't be connected by the **OR** operator. Here are incorrect and correct examples of how to add a list of keywords.
-
+ **Incorrect**
-
+ ![The incorrect way to format a keyword list (by pasting the list into the keyword box)](../media/fb54e3df-232a-439a-b3d7-27a60ec76a4c.png)
-
+ **Correct**
-
+ ![The correct way to format a keyword list (by selecting checkbox and then pasting list)](../media/5d511a7b-c1f9-499c-bffe-e075bfc9adec.png)
-
-- You can also prepare a list of keywords or keyword phrases in an Excel file or a plain text file, and then copy and paste your list into the keyword list. To do this, you have to select the **Show keyword list** check box. Then, click the first row in the keyword list and paste your list. Each line from the Excel or text file is pasted into separate row in the keyword list.
-
-- After you create a query using the keyword list, it's a good idea to verify the search query syntax to make the search query is what you intended. In the search query that's displayed under **Query** in the details pane, the keywords are separated by the text **(c:s)**. This indicates that the keywords are connected by a logical operator similar in functionality to the **OR** operator. Similarly, if your search query includes conditions, the keywords and the conditions are separated by the text **(c:c)**. This indicates that the keywords are connected to the conditions with a logical operator similar in functionality to the **AND** operator. Here's an example of the search query (displayed in the Details pane) that results when using the keyword list and a condition.
-
+
+- You can also prepare a list of keywords or keyword phrases in an Excel file or a plain text file, and then copy and paste your list into the keyword list. To do this, you have to select the **Show keyword list** check box. Then, click the first row in the keyword list and paste your list. Each line from the Excel or text file is pasted into separate row in the keyword list.
+
+- After you create a query using the keyword list, it's a good idea to verify the search query syntax to make the search query is what you intended. In the search query that's displayed under **Query** in the details pane, the keywords are separated by the text **(c:s)**. This indicates that the keywords are connected by a logical operator similar in functionality to the **OR** operator. Similarly, if your search query includes conditions, the keywords and the conditions are separated by the text **(c:c)**. This indicates that the keywords are connected to the conditions with a logical operator similar in functionality to the **AND** operator. Here's an example of the search query (displayed in the Details pane) that results when using the keyword list and a condition.
+ ![Example of the query that's created when using the keyword list and a condition](../media/b463750c-57fa-4602-9fed-0d5a420db3ad.png)
-
+ - When you run a content search, Microsoft 365 automatically checks your search query for unsupported characters and for Boolean operators that may not be capitalized. Unsupported characters are often hidden and typically cause a search error or return unintended results. For more information about the unsupported characters that are checked, see [Check your Content Search query for errors](check-your-content-search-query-for-errors.md).
-
+ - If you have a search query that contains keywords for non-English characters (such as Chinese characters), you can click **Query language-country/region**![Query language-country/region icon in Content search](../media/8d4b60c8-e1f1-40f9-88ae-ee2a7eca0886.png) and select a language-country culture code value for the search. The default language/region is neutral. How can you tell if you need to change the language setting for a content search? If you're certain content locations contain the non-English characters you're searching for, but the search returns no results, the language setting may be the cause.
-
+ ## Partially indexed items - Partially indexed items in mailboxes are included in the estimated search results. Partially indexed items from SharePoint and OneDrive aren't included in the estimated search results. For more information, see [Partially indexed items in eDiscovery](partially-indexed-items-in-content-search.md).
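Review bot: In the third keyword-list bullet, "verify the search query syntax to make the search query is what you intended" is missing a word ("to make sure the search query is what you intended"). The change only touches whitespace on that line, so the error carries over from the removed line to the added one. The bullet before it has a similar slip: "pasted into separate row" should be "pasted into a separate row".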
Keep the following things in mind when using the keyword list to create a search
## Searching OneDrive accounts - To collect a list of the URLs for the OneDrive sites in your organization, see [Create a list of all OneDrive locations in your organization](/onedrive/list-onedrive-urls). This script in this article creates a text file that contains a list of all OneDrive sites. To run this script, you have to install and use the SharePoint Online Management Shell. Be sure to append the URL for your organization's MySite domain to each OneDrive site that you want to search. This is the domain that contains all your OneDrive; for example, `https://contoso-my.sharepoint.com`. Here's an example of a URL for a user's OneDrive site: `https://contoso-my.sharepoint.com/personal/sarad_contoso_onmicrosoft.com`.
-
+ In the rare case of a person's user principal name (UPN) being changed, the URL for their OneDrive location is changed to incorporate the new UPN. If this happens, you have to modify a content search by adding the user's new OneDrive URL and removing the old one. For more information, see [How UPN changes affect the OneDrive URL](/onedrive/upn-changes).
-
+ ## Searching Microsoft Teams and Microsoft 365 Groups You can search the mailbox that's associated with a Microsoft Team or Microsoft 365 Group. Because Microsoft Teams is built on Microsoft 365 Groups, searching them is similar. In both cases, only the group or team mailbox is searched. The mailboxes of the group or team members aren't searched. To search them, you have to specifically add them to the search.
-
+ Keep the following things in mind when searching for content in Microsoft Teams and Microsoft 365 Groups.
-
+ - To search for content located in Teams and Microsoft 365 Groups, you have to specify the mailbox and SharePoint site that are associated with a team or group. - Content from private channels is stored in each user's mailbox, not the team mailbox. To search for content in private channels, see [eDiscovery of private channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-channels).
-
-- Run the **Get-UnifiedGroup** cmdlet in Exchange Online to view properties for a team or a Microsoft 365 Group. This is a good way to get the URL for the site that's associated with a team or a group. For example, the following command displays selected properties for a Microsoft 365 Group named Senior Leadership Team:
-
+
+- Run the **Get-UnifiedGroup** cmdlet in Exchange Online to view properties for a team or a Microsoft 365 Group. This is a good way to get the URL for the site that's associated with a team or a group. For example, the following command displays selected properties for a Microsoft 365 Group named Senior Leadership Team:
+ ```text Get-UnifiedGroup "Senior Leadership Team" | FL DisplayName,Alias,PrimarySmtpAddress,SharePointSiteUrl DisplayName : Senior Leadership Team
Keep the following things in mind when searching for content in Microsoft Teams
``` > [!NOTE]
- > To run the **Get-UnifiedGroup** cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
-
+ > To run the **Get-UnifiedGroup** cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
+ - When a user's mailbox is searched, any team or Microsoft 365 Group that the user is a member of won't be searched. Similarly, when you search a team or a Microsoft 365 Group, only the group mailbox and group site that you specify is searched. The mailboxes and OneDrive for Business accounts of group members aren't searched unless you explicitly add them to the search. -- To get a list of the members of a team or a Microsoft 365 Group, you can view the properties on the **Home \> Groups** page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:
+- To get a list of the members of a team or a Microsoft 365 Group, you can view the properties on the **Home \> Groups** page in the Microsoft 365 admin center. Alternatively, you can run the following command in Exchange Online PowerShell:
```powershell Get-UnifiedGroupLinks <group or team name> -LinkType Members | FL DisplayName,PrimarySmtpAddress ``` > [!NOTE]
- > To run the **Get-UnifiedGroupLinks** cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
-
+ > To run the **Get-UnifiedGroupLinks** cmdlet, you have to be assigned the View-Only Recipients role in Exchange Online or be a member of a role group that's assigned the View-Only Recipients role.
+ - Conversations that are part of a Teams channel are stored in the mailbox that's associated with the team. Similarly, files that team members share in a channel are stored on the team's SharePoint site. Therefore, you have to add the team mailbox and SharePoint site as a content location to search conversations and files in a channel.
-
+ - Alternatively, conversations that are part of the Chat list in Teams are stored in the Exchange Online mailbox of the users who participate in the chat. And files that a user shares in Chat conversations are stored in the OneDrive for Business account of the user who shares the file. Therefore, you have to add the individual user mailboxes and OneDrive for Business accounts as content locations to search conversations and files in the Chat list.
-
+ > [!NOTE] > In an Exchange hybrid deployment, users with an on-premises mailbox might participate in conversations that are part of the Chat list in Teams. In this case, content from these conversations is also searchable because it's saved to a cloud-based storage area (called a *cloud-based mailbox for on-premises users*) for users who have an on-premises mailbox. For more information, see [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).
-
+ - Every team or team channel contains a Wiki for note-taking and collaboration. The Wiki content is automatically saved to a file with a .mht format. This file is stored in the Teams Wiki Data document library on the team's SharePoint site. You can use the Content Search tool to search the Wiki by specifying the team's SharePoint site as the content location to search. > [!NOTE] > The capability to search the Wiki for a team or channel (when you search the team's SharePoint site) was released on June 22, 2017. Wiki pages that were saved or updated on that date or after are available to be searched. Wiki pages last saved or updated before that date aren't available for search. - Summary information for meetings and calls in a Teams channel are also stored in the mailboxes of users who dialed into the meeting or call. This means you can use Content Search to search these summary records. Summary information includes:
-
+ - Date, start time, end time, and duration of a meeting or call - The date and time when each participant joined or left the meeting or call
Keep the following things in mind when searching for content in Microsoft Teams
It can take up to 8 hours for meeting and call summary records to be available to be searched. In the search results, meeting summaries are identified as **Meeting** in the **Type field**, and call summaries are identified as **Call**. Also, conversations that are part of a Teams channel and 1xN chats are identified as **IM** in the **Type** field.
-
+ ![Teams meetings, calls, and 1xN chats are identified in the Type field](../media/O365-ContentSearch-Teams-MessageKind.png) For more information, see [Microsoft Teams launches eDiscovery for calls and meetings](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-launches-ediscovery-for-calling-and-meetings/ba-p/210947).
Keep the following things in mind when searching for content in Microsoft Teams
![Card content in Teams channel message](../media/CardContentTeams.png) **Card content in search results**
-
+ ![Same card content in the results of a Content search](../media/CardContentEdiscoverySearchResults.png) > [!NOTE] > To display images from card content in search results at this time (such as the checkmarks in the previous screenshot), you have to be signed into Teams (at https://teams.microsoft.com) in a different tab in the same browser session that you use to view the search results. Otherwise, image placeholders are displayed. - You can use the **Kind** email property or the **Message kind** search condition to search specifically for content in Teams.
-
+ - To use the **Kind** property as part of the keyword search query, in the **Keywords** box of a search query, type `kind:microsoftteams`. ![Use kind:microsoftteams in the Keywords box](../media/O365-ContentSearch-Teams-Keywords.png)
-
+ - To use a search condition, add the **Message kind** condition and use the value `microsoftteams`. ![Use the Message kind condition with the value microsoftteams.](../media/O365-ContentSearch-Teams-MessageKindCondition.png) Conditions are logically connected to the keyword query by the **AND** operator. That means an item must match both the keyword query and the search condition to be returned in the search results. For more information, see the "Guidelines for using conditions" section in [Keyword queries and search conditions for Content Search.](keyword-queries-and-search-conditions.md#guidelines-for-using-conditions)
-
+ ## Searching Yammer Groups You can use the **ItemClass** email property or the **Type** search condition to search specifically for conversation items in Yammer Groups.
You can use the **ItemClass** email property or the **Type** search condition to
- ItemClass:IPM.Yammer.poll - ItemClass:IPM.Yammer.praise - ItemClass:IPM.Yammer.question
-
+ For example, you can use the following search query to return Yammer messages and Yammer praise items: ![Use the ItemClass property to search for Yammer items](../media/YammerContentSearch1.png)
-
- - Alternatively, you can use the **Type** email condition and select **Yammer messages** to return Yammer items. For example, the following search query will return all Yammer conversation items that contain the keyword "confidential".
+
+ - Alternatively, you can use the **Type** email condition and select **Yammer messages** to return Yammer items. For example, the following search query will return all Yammer conversation items that contain the keyword "confidential".
![Use the Type condition card to search for Yammer conversation items](../media/YammerContentSearch2.png) ## Searching inactive mailboxes You can search inactive mailboxes in a content search. To get a list of the inactive mailboxes in your organization, run the command `Get-Mailbox -InactiveMailboxOnly` in Exchange Online PowerShell. Alternatively, you can go to **Information governance** \> **Retention** in the Security & Compliance Center, and then click **More**![Navigation Bar ellipses](../media/9723029d-e5cd-4740-b5b1-2806e4f28208.gif) \> **Inactive mailboxes**.
-
+ Here are a few things to keep in mind when searching inactive mailboxes. - If an existing content search includes a user mailbox and that mailbox is made inactive, the content search will continue to search the inactive mailbox when you rerun the search after it becomes inactive.
Here are a few things to keep in mind when searching inactive mailboxes.
If the Exchange Online license (or the entire Microsoft 365 license) is removed from a user account or in Azure Active Directory, the user's mailbox becomes a *disconnected* mailbox. This means that the mailbox is no longer associated with the user account. Here's what happens when searching disconnected mailboxes: -- If the license is removed from a mailbox, the mailbox is no longer searchable.
+- If the license is removed from a mailbox, the mailbox is no longer searchable.
- If an existing content search includes a mailbox in which the license is removed, no search results from the disconnected mailbox will be returned if you rerun the content search.
New-ComplianceSecurityFilter -FilterName "SPMultiGeo-APC" -Users ediscovery-apc@
Keep the following things in mind when using search permissions filters to search for content in multi-geo environments: -- The **Region** parameter directs searches to the specified satellite location. If an eDiscovery manager only searches SharePoint and OneDrive sites outside of the region specified in the search permissions filter, no search results are returned.
+- The **Region** parameter directs searches to the specified satellite location. If an eDiscovery manager only searches SharePoint and OneDrive sites outside of the region specified in the search permissions filter, no search results are returned.
- The **Region** parameter doesn't control searches of Exchange mailboxes. All datacenters are searched when you search mailboxes.
compliance Conversation Review Sets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/conversation-review-sets.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal-+
+search.appverid:
- MOE150 - MET150
+ms.assetid:
description: "Learn about the conversation reconstruction feature in Advanced eDiscovery (called conversation threading) to reconstruct, review, and export chat conversations in Microsoft Teams and Yammer groups."
With Conversation Reconstruction, you can use built-in capabilities to reconstru
Here are few definitions to help you get start using Conversation Reconstruction. -- **Messages:** Represent the smallest unit of a conversation. Messages may vary in size, structure, and metadata.
+- **Messages:** Represent the smallest unit of a conversation. Messages may vary in size, structure, and metadata.
- **Conversation:** Represents a grouping of one or more messages. Across different applications, conversations may be represented in different ways. In some applications, there is an explicit action that results from replying to an existing message. Conversations are formed explicitly as a result of this user action. For example, here is a screenshot of a channel conversation in Microsoft Teams.
After you have reviewed and finalized the search query in a collection, you can
When you add items from conversations to a review set, you can use the threaded conversations option to collect contextual messages from conversations that contain items that match the search criteria of the collection. After you select the thread conversations option, the following things can happen: ![Conversation Retrieval](../media/messagesandconversations.png)
-
+ 1. Using a keyword and date range query, the search returned a hit on *Message 3*. This message was part of a larger conversation, illustrated by *CRC1*.
-
+ 2. When you add the data into a review set and enable the conversation retrieval options, Advanced eDiscovery will go back and collect other items in *CRC1*.
-
+ 3. After the items have been added to the review set, you can review all the individual messages from *CRC1*. To enabled the threaded conversations option, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set).
-
+ ## Step 3: Review and export threaded conversations After the content has been processed and added to the review set, you can start reviewing the data in the review set. The review capabilities are different depending on whether the content was added to a standard review set or a conversation review set.
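Review bot: In item 3 of the numbered list, "To enabled the threaded conversations option" should be "To enable the threaded conversations option". The added line carries the typo into the new revision, so it is worth fixing in the same change.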
In a standard review set, messages are processed and displayed as individual ite
### Reviewing conversations in a conversation review set
-In a conversation review set, individual messages are threaded together and presented as conversations. This lets you review and export contextual conversations.
+In a conversation review set, individual messages are threaded together and presented as conversations. This lets you review and export contextual conversations.
![Conversation review set](../media/ConversationRSOptions.PNG)
In a conversation review set, you can use the following options to facilitate th
- **Group by conversation:** Groups messages within the same conversation together to help users simplify and expedite their review process. -- **Summary view:** Displays the threaded conversation. In this view, you can see the entire conversation and also access the metadata for each individual message.
-
+- **Summary view:** Displays the threaded conversation. In this view, you can see the entire conversation and also access the metadata for each individual message.
+ - View metadata for individual messages
-
+ - Download individual messages - **Text view:** Provides the extracted text for the entire conversation.
In a conversation review set, you can set the following options to export conver
![Export options for conversations](../media/export.png)
-a. Metadata options
+1. Metadata options:
+ - **Load file:** Metadata is included for each individual message, email, and document. There is one row for each message in a conversation.
+ - **Tags:** Tags from your review process are included in the metadata file. Messages in a conversation share the same tags.
- - **Load file:** Metadata is included for each individual message, email, and document. There is one row for each message in a conversation.
-
- - **Tags:** Tags from your review process are included in the metadata file. Messages in a conversation share the same tags.
-
-b. Conversation options
-
- - **Conversation files:** When you export conversation files, the annotated view is converted to a PDF file and downloaded to the export folder. Messages in one conversation file point to the PDF version of the same conversation file.
-
+2. Conversation options:
+ - **Conversation files:** When you export conversation files, the annotated view is converted to a PDF file and downloaded to the export folder. Messages in one conversation file point to the PDF version of the same conversation file.
- **Individual chat messages:** When you export individual messages, each unique message in the conversation is exported as a standalone item. The file is exported in the same format that it was saved as in the mailbox. For a specific conversation, you receive multiple .msg files.
- >[!NOTE]
+ > [!NOTE]
> If you applied annotations to the conversation file, these annotations won't be transferred to the individual messages.
-c. Other options
-
+3. Other options:
- **Generate text files for all exported content:** Generates a text file for each conversation exported from the review set.- - **Replace exported content with redacted PDFs:** If redacted conversation files are generated during the review process, then these files are available during export. You can decided whether to export only the native files (by not selecting this option) or to replace the native files with the redacted versions of the native files (by selecting this option), which are exported as PDF files. ## More information
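Review bot: Under "3. Other options", the unchanged **Replace exported content with redacted PDFs** item still says "You can decided whether to export only the native files". Since this hunk already reworks the list, change it to "You can decide whether". The switch from a./b./c. to 1./2./3. is applied consistently to all three groups.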
c. Other options
To learn more about how to review case data in Advanced eDiscovery, see the following articles: - [View case data](view-documents-in-review-set.md)- - [Analyze case data](analyzing-data-in-review-set.md)- - [Export case data](exporting-data-ediscover20.md)
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
There are two ways to create a new sensitive information type:
- [functions](what-the-dlp-functions-look-for.md) - [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels) -- You must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles](/office365/admin/add-users/about-admin-roles?view=o365-worldwide) in Office 365.
+- You must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles](/office365/admin/add-users/about-admin-roles) in Office 365.
- Your organization must have a subscription, such as Office 365 Enterprise, that includes Data Loss Prevention (DLP). See [Messaging Policy and Compliance ServiceDescription](/office365/servicedescriptions/exchange-online-protection-service-description/messaging-policy-and-compliance-servicedesc).
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
description: Add and manage activity alerts in the Security & Compliance Center
# Create activity alerts
-You can create an activity alert that will send you an email notification when users perform specific activities in Office 365. Activity alerts are similar to searching for events in the audit log, except that you'll be sent an email message when an event for an activity that you've created an alert for happens.
-
+You can create an activity alert that will send you an email notification when users perform specific activities in Office 365. Activity alerts are similar to searching for events in the audit log, except that you'll be sent an email message when an event for an activity that you've created an alert for happens.
+ **Why use activity alerts instead of searching the audit log?** There might be certain kinds of activity or activity performed by specific users that you really want to know about. Instead of having to remember to search the audit log for those activities, you can use activity alerts to have Microsoft 365 send you an email message when users perform those activities. For example, you can create an activity alert to notify you when a user deletes files in SharePoint or you can create an alert to notify you when a user permanently deletes messages from their mailbox. The email notification sent to you includes information about which activity was performed and the user who performed it. > [!NOTE] > Activity alerts are being deprecated. We recommend that you start using alert policies in the security and compliance center instead of creating new activity alerts. Alert policies provide addition functionality such as the ability to create an alert policy that triggers an alert when any user performs a specified activity, and displaying alerts on the **View alerts** page in the security and compliance center. For more information, see [Alert policies](alert-policies.md).
-
+ ## Confirm roles and configure audit logging - You must be assigned the Organization Configuration role in the Security & Compliance Center to manage activity alerts. By default, this role is assigned to the Compliance Administrator and Organization Management role groups. For more information about adding members to role groups, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
-
+ - You (or another admin) must first turn on audit logging for your organization before you can start using activity alerts. To do this, just click **Start recording user and admin activity** on the **Activity alerts** page. (If you don't see this link, auditing has already been turned on for your organization.) You can also turn on auditing on the **Audit log search** page in the Security & Compliance Center (go to **Search** \> **Audit log search**). You only have to do this once for your organization.
-
-- You can create alerts for the same activities that you can search for in the audit log. See the [More information](#more-information) section for a list of common scenarios (and the specific activity to monitor) that you can create alerts for.
-
-- You can use the **Activity alerts** page in the Security & Compliance Center to create alerts only for activity performed by users who are listed in your organization's address book. You can't use this page to create alerts for activity performed by external users who aren't listed in the address book.
-
+
+- You can create alerts for the same activities that you can search for in the audit log. See the [More information](#more-information) section for a list of common scenarios (and the specific activity to monitor) that you can create alerts for.
+
+- You can use the **Activity alerts** page in the Security & Compliance Center to create alerts only for activity performed by users who are listed in your organization's address book. You can't use this page to create alerts for activity performed by external users who aren't listed in the address book.
+ ## Create an activity alert 1. Go to [https://protection.office.com/managealerts](https://protection.office.com/managealerts).
-
+ 2. Sign in using your work or school account.
-
+ 3. On the **Activity alerts** page, click ![Add icon](../media/8ee52980-254b-440b-99a2-18d068de62d3.gif) **New**. The flyout page to create an activity alert is displayed.
-
+ ![Create an activity alert](../media/53888bd5-9fa2-4398-8ccc-1a9dc72517ac.png)
-
+ 4. Complete the following fields to create an activity alert:
-
+ a. **Name** - Type a name for the alert. Alert names must be unique within your organization.
-
+ b. **Description** (Optional) - Describe the alert, such as the activities and users being tracked, and the users that email notifications are sent to. Descriptions provide a quick and easy way to describe the purpose of the alert to other admins.
-
- c. **Alert type** - Make sure the **Custom** option is selected.
+
+ c. **Alert type** - Make sure the **Custom** option is selected.
d. **Send this alert when** - Click **Send this alert when** and then configure these two fields:
-
- - **Activities** - Click the drop-down list to display the activities that you can create an alert for. This is the same activities list that's displayed when you search the audit log. You can select one or more specific activities or you can click the activity group name to select all activities in the group. For a description of these activities, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities). When a user performs any of the activities that you've added to the alert, an email notification is sent.
-
- - **Users** - Click this box and then select one or more users. If the users in this box perform the activities that you added to the **Activities** box, an alert will be sent. Leave the **Users** box blank to send an alert when any user in your organization performs the activities specified by the alert.
+
+ - **Activities** - Click the drop-down list to display the activities that you can create an alert for. This is the same activities list that's displayed when you search the audit log. You can select one or more specific activities or you can click the activity group name to select all activities in the group. For a description of these activities, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities). When a user performs any of the activities that you've added to the alert, an email notification is sent.
+
+ - **Users** - Click this box and then select one or more users. If the users in this box perform the activities that you added to the **Activities** box, an alert will be sent. Leave the **Users** box blank to send an alert when any user in your organization performs the activities specified by the alert.
e. **Send this alert to** - Click **Send this alert**, and then click in the **Recipients** box and type a name to add a users who will receive an email notification when a user (specified in the **Users** box) performs an activity (specified in the **Activities** box). Note that you are added to the list of recipients by default. You can remove your name from this list.
-
-5. Click **Save** to create the alert.
-
- The new alert is displayed in the list on the **Activity alerts** page.
-
+
+5. Click **Save** to create the alert.
+
+ The new alert is displayed in the list on the **Activity alerts** page.
+ ![A list of alerts is displayed on the Activity alerts page](../media/02b774f2-1719-41de-bbc9-5e5b7576f335.png)
-
- The status of the alert is set to **On**. Note that the recipients who will received an email notification when an alert is sent are also listed.
-
+
+ The status of the alert is set to **On**. Note that the recipients who will received an email notification when an alert is sent are also listed.
+ ## Turn off an activity alert You can turn off an activity alert so that an email notification isn't sent. After you turn off the activity alert, it's still displayed in the list of activity alerts for your organization, and you can still view its properties.
-
+ 1. Go to Go to [https://protection.office.com/managealerts](https://protection.office.com/managealerts).
-
+ 2. Sign in using your work or school account.
-
+ 3. In the list of activity alerts for your organization, click the alert that you want to turn off.
-
+ 4. On the **Edit alert** page, click the **On** toggle switch to change the status to **Off**, and then click **Save**.
-
- The status of the alert on the **Activity alerts** pages is set to **Off**.
-
+
+ The status of the alert on the **Activity alerts** pages is set to **Off**.
+ To turn an activity alert back on, just repeat these steps and click the **Off** toggle switch to change the status to **On**.
-
+ ## More information -- Here's an example of the email notification that is sent to the users that are specified in the Sent this alert to field (and listed under **Recipients** on the **Activity alerts** page ) in the Security & Compliance Center.
-
+- Here's an example of the email notification that is sent to the users that are specified in the Sent this alert to field (and listed under **Recipients** on the **Activity alerts** page) in the Security & Compliance Center.
+ ![Example of an email notifcation sent for an activity alert](../media/a5f91611-fae6-4fe9-82f5-58521a2e2541.png)
-
+ - Here's are some common document and email activities that you can create an activity alerts for. The tables describes the activity, the name of the activity to create an alert for, and the name of the activity group that the activity is listed under in the **Activities** drop-down list. To see a complete list of the activities that you can create activity alerts for, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities).
-
+ > [!TIP]
- > You might want to create an activity alert for just one activity that's performed by any user. Or you might want to create an activity alert that track multiple activities performed by one or mores users.
-
+ > You might want to create an activity alert for just one activity that's performed by any user. Or you might want to create an activity alert that track multiple activities performed by one or mores users.
+ The following table lists some common document-related activities in SharePoint or OneDrive for Business.
-
+ |**When a user does this...**|**Create an alert for this activity**|**Activity group**| |:--|:--|:--| |Views a document on a site. <br/> |Accessed file <br/> |File and folder activities <br/> |
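Review bot: Step 1 under "Turn off an activity alert" is re-added as "Go to Go to [https://protection.office.com/managealerts]"; drop the duplicated "Go to" while this line is being touched. Other lines this hunk rewrites keep their typos: "recipients who will received an email notification", "Sent this alert to field" (the label in step 4e is **Send this alert to**), "notifcation" in the image alt text, and "that track multiple activities performed by one or mores users" in the tip. If the intent is whitespace cleanup only, a follow-up for these would still be worth filing, since every one of them sits on a `+` line here.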
To turn an activity alert back on, just repeat these steps and click the **Off**
|:--|:--|:--| |Permanently deletes (purges) an email message from their mailbox. <br/> |Purged messages from mailbox <br/> | Exchange mailbox activities <br/> | |Sends an email message from a shared mailbox. <br/> |Sent message using Send As permissions <br/> And <br/> Sent message using Send On Behalf permissions <br/> | Exchange mailbox activities <br/> |
-
-- You can also use the **New-ActivityAlert** and **Set-ActivityAlert** cmdlets in Security & Compliance Center PowerShell to create and edit activity alerts. Keep the following things in mind if you use these cmdlets to create or edit activity alerts:
-
- - If you use a cmdlet to add an activity to the alert that isn't listed in the **Activities** drop-down list, a message is displayed in on the property page for the alert that says, "This alert has custom operations not listed in the picker."
-
- - A good reason to use the cmdlets to create or edit an activity alert is to send email notifications to someone outside of your organization. This external user will be listed in the list of recipients for the alert. But if you remove this external user from the alert, that user can't be re-added to the alert by using the **Edit alert** page. You'll have to re-add the external user using the **Set-ActivityAlert** cmdlet, or use the **New-ActivityAlert** cmdlet to add the same (or different) external user to a new alert.
+
+- You can also use the **New-ActivityAlert** and **Set-ActivityAlert** cmdlets in Security & Compliance Center PowerShell to create and edit activity alerts. Keep the following things in mind if you use these cmdlets to create or edit activity alerts:
+
+ - If you use a cmdlet to add an activity to the alert that isn't listed in the **Activities** drop-down list, a message is displayed in on the property page for the alert that says, "This alert has custom operations not listed in the picker."
+
+ - A good reason to use the cmdlets to create or edit an activity alert is to send email notifications to someone outside of your organization. This external user will be listed in the list of recipients for the alert. But if you remove this external user from the alert, that user can't be re-added to the alert by using the **Edit alert** page. You'll have to re-add the external user using the **Set-ActivityAlert** cmdlet, or use the **New-ActivityAlert** cmdlet to add the same (or different) external user to a new alert.
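Review bot: The first re-added sub-bullet still says the message "is displayed in on the property page"; remove the stray "in". On the second sub-bullet, the page states earlier that the notification names the activity and the user who performed it, so a recipient outside the organization added through **New-ActivityAlert** or **Set-ActivityAlert** receives that information by email; consider adding a sentence asking admins to review the recipient list of alerts created or edited by cmdlet.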
compliance Create Custom Sensitive Information Types With Exact Data Match Based Classification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification.md
If you do not want to expose your clear text sensitive data file, you can hash i
- a work or school account for Microsoft 365 that will be added to the **EDM\_DataUploaders** security group - a Windows 10 or Windows Server 2016 machine with .NET version 4.6.2 for running the EDMUploadAgent - a directory on your upload machine for the:
- - EDMUploadAgent
- - your sensitive item file in .csv or .tsv format, **PatientRecords.csv** in our examples
- - and the output hash and salt files
- - the datastore name from the **edm.xml** file, for this example its `PatientRecords`
+ - EDMUploadAgent
+ - your sensitive item file in .csv or .tsv format, **PatientRecords.csv** in our examples
+ - the output hash and salt files
+ - the datastore name from the **edm.xml** file, for this example its `PatientRecords`
- If you used the [Exact Data Match schema and sensitive information type wizard](sit-edm-wizard.md) you ***must*** download it #### Set up the security group and user account
-1. As a global administrator, go to the admin center using the appropriate [link for your subscription](#portal-links-for-your-subscription) and [create a security group](/office365/admin/email/create-edit-or-delete-a-security-group?view=o365-worldwide) called **EDM\_DataUploaders**.
+1. As a global administrator, go to the admin center using the appropriate [link for your subscription](#portal-links-for-your-subscription) and [create a security group](/office365/admin/email/create-edit-or-delete-a-security-group) called **EDM\_DataUploaders**.
2. Add one or more users to the **EDM\_DataUploaders** security group. (These users will manage the database of sensitive information.)
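Review bot: In the last re-added bullet of the upload-directory list, "for this example its `PatientRecords`" should read "it's". That bullet also does not fit the list stem "a directory on your upload machine for the:", because the datastore name is a value read from **edm.xml** rather than something the directory holds; consider moving it out as its own prerequisite.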
If you do not want to expose your clear text sensitive data file, you can hash i
This computer must have direct access to your Microsoft 365 tenant.
->[!NOTE]
+> [!NOTE]
+>
> Before you begin this procedure, make sure that you are a member of the **EDM\_DataUploaders** security group.-
-> [!TIP]
+>
> Optionally, you can run a validation against your .csv or .tsv file before uploading by running: >
->`EdmUploadAgent.exe /ValidateData /DataFile [data file] /Schema [schema file]`
+> `EdmUploadAgent.exe /ValidateData /DataFile [data file] /Schema [schema file]`
>
->For more information on all the EdmUploadAgent.exe >supported parameters run
+> For more information on all the EdmUploadAgent.exe >supported parameters run
> > `EdmUploadAgent.exe /?` - #### Links to EDM upload agent by subscription type - [Commercial + GCC](https://go.microsoft.com/fwlink/?linkid=2088639) - most commercial customers should use this
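Review bot: Replacing the `> [!TIP]` line with a bare `>` folds the optional `/ValidateData` guidance into the preceding `[!NOTE]` callout, so the **EDM\_DataUploaders** membership prerequisite and the optional validation step now render as one note. Keep the `[!TIP]` marker if they are meant to stay separate callouts. The re-added line "For more information on all the EdmUploadAgent.exe >supported parameters run" also still carries a stray `>` in the middle of the sentence.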
compliance Create Hold Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-hold-notification.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal-+
+search.appverid:
- MOE150 - MET150
+ms.assetid:
description: Use the Communications tool in an Advanced eDiscovery case to send, collect, and track legal hold notifications.
The first step is to specify the appropriate details for legal hold notices or o
## Step 2: Define the portal content
-Next, you can create and add the content of the hold notice. On the **Define portal content** page in the **Create communication** wizard, specify the contents of the hold notice. This content will be automatically appended to the Issuance, Re-Issue, Reminder, and Escalation notices. Additionally, this content will appear in the custodian's Compliance Portal.
+Next, you can create and add the content of the hold notice. On the **Define portal content** page in the **Create communication** wizard, specify the contents of the hold notice. This content will be automatically appended to the Issuance, Re-Issue, Reminder, and Escalation notices. Additionally, this content will appear in the custodian's Compliance Portal.
![Portal Content Page](../media/PortalContent.PNG) To create the portal content:
-1. Type (or cut and paste from another document) your hold notice in the textbox for the portal content.
+1. Type (or cut and paste from another document) your hold notice in the textbox for the portal content.
2. Insert merge variables into your notice to customize the notice and share the Custodian Compliance Portal. 3. Click **Next**.
- >[!Tip]
- >To learn more about how to can customize the content and format of the portal content, see [Use the Communications Editor](using-communications-editor.md).
+ > [!TIP]
+ > To learn more about how to can customize the content and format of the portal content, see [Use the Communications Editor](using-communications-editor.md).
## Step 3: Set the required notifications
-After you've defined the contents of the hold notice, you can set up the workflows around sending and managing the notification process. Notifications are email messages that are sent to notify and follow up with custodians. Every custodian added to the communication will receive the same notification.
+After you've defined the contents of the hold notice, you can set up the workflows around sending and managing the notification process. Notifications are email messages that are sent to notify and follow up with custodians. Every custodian added to the communication will receive the same notification.
To set up and send a hold notice, you must include Issuance, Re-Issuance, and Release notifications.
-### Issuance notification
+### Issuance notification
-After the communication is created, the **Issuance Notification** is initiated by the specified Issuing Officer. The Issuance notification is the first communication sent to the custodian to inform them about their preservation obligations.
+After the communication is created, the **Issuance Notification** is initiated by the specified Issuing Officer. The Issuance notification is the first communication sent to the custodian to inform them about their preservation obligations.
To create an issuance notification:
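Review bot: In the tip under "To create the portal content", the re-added line still reads "To learn more about how to can customize the content and format of the portal content"; change "how to can customize" to "how to customize" while the callout is being reformatted.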
To create an issuance notification:
3. Specify the **Subject** for the notice (required).
-4. Specify the contents or additional instructions that you would like to provide to the custodian (required). The portal content you defined in Step 2 is added to the end of the issuance notice.
+4. Specify the contents or additional instructions that you would like to provide to the custodian (required). The portal content you defined in Step 2 is added to the end of the issuance notice.
5. Click **Save**.
To create a re-issuance notification:
After a matter is resolved or if a custodian is no longer subject to preserve content, you can release the custodian from a case. If the custodian was previously issued a hold notice, the release notification can be used to alert custodians that they have been released from their obligation.
-To create a release notification:
+To create a release notification:
1. In the **Release** tile, click **Edit**.
To schedule reminders:
4. Specify the **Number of reminders** (required). This field specifies how many reminders to send to unresponsive custodians. For example, if you set the number of reminders to 3, then a custodian would receive a maximum of three reminders. After a custodian acknowledges the hold notification, reminders will no longer be sent to that user.
-5. Specify the **Subject** for the notice (required).
+5. Specify the **Subject** for the notice (required).
6. Specify the contents or additional instructions that you would like to provide to the custodian (required). The portal content you defined in Step 2 is added to the end of the reminder notice.
To schedule escalations:
4. Specify the **Number of escalations** (required). This field specifies how many escalations to send to unresponsive custodians. For example, if you set the number of escalations to 3, then an escalation notice would be sent to the custodian and their manager a maximum of three times. After a custodian acknowledges the hold notification, escalations will no longer be sent.
-5. Specify the **Subject** for the notice (required).
+5. Specify the **Subject** for the notice (required).
6. Specify the contents or additional instructions that you would like to provide to the custodian (required). The portal content you defined in Step 2 is added to the end of the escalation notice.
To schedule escalations:
## Step 5: Assign custodians to receive notifications
-After you have finalized the content for notifications, select the custodians that you would like to send notifications to.
+After you have finalized the content for notifications, select the custodians that you would like to send notifications to.
![Select Custodians Page](../media/SelectCustodians.PNG)
To add custodians:
2. Click **Next** to review the communication settings and details.
->[!NOTE]
->You can only add custodians who have been added to the case and haven't been sent another notification within the case.
+> [!NOTE]
+> You can only add custodians who have been added to the case and haven't been sent another notification within the case.
## Step 6: Review settings
compliance Customer Key Availability Key Understand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-availability-key-understand.md
Microsoft 365 triggers the availability key only in specific circumstances. Thes
- In this case, the availability key will be used only for system actions and not for user actions, the user request fails, and the user receives an error message.
->[!IMPORTANT]
->Microsoft 365 service code always has a valid login token for reasoning over customer data to provide value-adding cloud services. Therefore, until the availability key has been deleted, it can be used as a fallback for actions initiated by, or internal to, Exchange Online and Skype for Business such as search index creation or moving mailboxes. This applies to both transient ERRORS and ACCESS DENIED requests to Azure Key Vault.
+> [!IMPORTANT]
+> Microsoft 365 service code always has a valid login token for reasoning over customer data to provide value-adding cloud services. Therefore, until the availability key has been deleted, it can be used as a fallback for actions initiated by, or internal to, Exchange Online and Skype for Business such as search index creation or moving mailboxes. This applies to both transient ERRORS and ACCESS DENIED requests to Azure Key Vault.
### Triggers for SharePoint Online, OneDrive for Business, and Teams files
compliance Customize A Built In Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customize-a-built-in-sensitive-information-type.md
audience: Admin
localization_priority: Priority-+ - M365-security-compliance
+search.appverid:
- MOE150 - MET150
description: Learn how to create a custom sensitive information type that will a
# Customize a built-in sensitive information type
-When looking for sensitive information in content, you need to describe that information in what's called a *rule* . Data loss prevention (DLP) includes rules for the most-common sensitive information types that you can use right away. To use these rules, you have to include them in a policy. You might find that you want to adjust these built-in rules to meet your organization's specific needs, and you can do that by creating a custom sensitive information type. This topic shows you how to customize the XML file that contains the existing rule collection to detect a wider range of potential credit-card information.
-
-You can take this example and apply it to other built-in sensitive information types. For a list of default sensitive information types and XML definitions, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
-
+When looking for sensitive information in content, you need to describe that information in what's called a *rule* . Data loss prevention (DLP) includes rules for the most-common sensitive information types that you can use right away. To use these rules, you have to include them in a policy. You might find that you want to adjust these built-in rules to meet your organization's specific needs, and you can do that by creating a custom sensitive information type. This topic shows you how to customize the XML file that contains the existing rule collection to detect a wider range of potential credit-card information.
+
+You can take this example and apply it to other built-in sensitive information types. For a list of default sensitive information types and XML definitions, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
+ ## Export the XML file of the current rules To export the XML, you need to [connect to the Security and Compliance Center via Remote PowerShell.](/powershell/exchange/connect-to-scc-powershell).
-
+ 1. In the PowerShell, type the following to display your organization's rules on screen. If you haven't created your own, you'll only see the default, built-in rules, labeled "Microsoft Rule Package." ```powershell
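Review bot: The re-added opening paragraph keeps the stray space in "what's called a *rule* ." and step 1 keeps "In the PowerShell"; both are on lines this hunk rewrites and can be fixed in the same pass. The unchanged intro to "Export the XML file of the current rules" also ends with a period inside the link text and another after the link, "Remote PowerShell.](/powershell/exchange/connect-to-scc-powershell).", which is worth cleaning up alongside.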
To export the XML, you need to [connect to the Security and Compliance Center vi
2. Store your organization's rules in a variable by typing the following. Storing something in a variable makes it easily available later in a format that works for remote PowerShell commands.
- ```powershell
+ ```powershell
$ruleCollections = Get-DlpSensitiveInformationTypeRulePackage ```
-
-3. Make a formatted XML file with all that data by typing the following. ( `Set-content` is the part of the cmdlet that writes the XML to the file.)
+
+3. Make a formatted XML file with all that data by typing the following. (`Set-content` is the part of the cmdlet that writes the XML to the file.)
```powershell Set-Content -path C:\custompath\exportedRules.xml -Encoding Byte -Value $ruleCollections.SerializedClassificationRuleCollection ``` > [!IMPORTANT]
- > Make sure that you use the file location where your rule pack is actually stored. `C:\custompath\` is a placeholder.
-
+ > Make sure that you use the file location where your rule pack is actually stored. `C:\custompath\` is a placeholder.
+ ## Find the rule that you want to modify in the XML
-The cmdlets above exported the entire *rule collection*, which includes the default rules we provide. Next you'll need to look specifically for the Credit Card Number rule that you want to modify.
-
+The cmdlets above exported the entire *rule collection*, which includes the default rules we provide. Next you'll need to look specifically for the Credit Card Number rule that you want to modify.
+ 1. Use a text editor to open the XML file that you exported in the previous section.
-
-2. Scroll down to the `<Rules>` tag, which is the start of the section that contains the DLP rules. Because this XML file contains the information for the entire rule collection, it contains other information at the top that you need to scroll past to get to the rules.
-
+
+2. Scroll down to the `<Rules>` tag, which is the start of the section that contains the DLP rules. Because this XML file contains the information for the entire rule collection, it contains other information at the top that you need to scroll past to get to the rules.
+ 3. Look for *Func_credit_card* to find the Credit Card Number rule definition. In the XML, rule names can't contain spaces, so the spaces are usually replaced with underscores, and rule names are sometimes abbreviated. An example of this is the U.S. Social Security number rule, which is abbreviated _SSN_. The Credit Card Number rule XML should look like the following code sample.
-
+ ```xml <Entity id="50842eb7-edc8-4019-85dd-5a5c1f2bb085" patternsProximity="300" recommendedConfidence="85">
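Review bot: The rewritten parenthetical in step 3 still calls `Set-content` "the part of the cmdlet that writes the XML to the file"; `Set-Content` is the cmdlet itself, and its casing should match the command shown below it. That command uses `-Encoding Byte`, which Windows PowerShell 5.1 accepts but PowerShell 6 and later do not (they use `-AsByteStream`), so the step should state which shell it assumes.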
The cmdlets above exported the entire *rule collection*, which includes the defa
``` Now that you have located the Credit Card Number rule definition in the XML, you can customize the rule's XML to meet your needs. For a refresher on the XML definitions, see the [Term glossary](#term-glossary) at the end of this topic.
-
+ ## Modify the XML and create a new sensitive information type First, you need to create a new sensitive information type because you can't directly modify the default rules. You can do a wide variety of things with custom sensitive information types, which are outlined in [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md). For this example, we'll keep it simple and only remove corroborative evidence and add keywords to the Credit Card Number rule.
-
+ All XML rule definitions are built on the following general template. You need to copy and paste the Credit Card Number definition XML in the template, modify some values (notice the ". . ." placeholders in the following example), and then upload the modified XML as a new rule that can be used in policies.
-
+ ```xml <?xml version="1.0" encoding="utf-16"?> <RulePackage xmlns="https://schemas.microsoft.com/office/2011/mce"> <RulePack id=". . ."> <Version major="1" minor="0" build="0" revision="0" />
- <Publisher id=". . ." />
+ <Publisher id=". . ." />
<Details defaultLangCode=". . ."> <LocalizedDetails langcode=" . . . "> <PublisherName>. . .</PublisherName>
All XML rule definitions are built on the following general template. You need t
</LocalizedDetails> </Details> </RulePack>
-
+ <Rules>
- <!-- Paste the Credit Card Number rule definition here.-->
+ <!-- Paste the Credit Card Number rule definition here.-->
<LocalizedStrings> <Resource idRef=". . ."> <Name default="true" langcode=" . . . ">. . .</Name>
All XML rule definitions are built on the following general template. You need t
</RulePackage> ```
-Now, you have something that looks similar to the following XML. Because rule packages and rules are identified by their unique GUIDs, you need to generate two GUIDs: one for the rule package and one to replace the GUID for the Credit Card Number rule. The GUID for the entity ID in the following code sample is the one for our built-in rule definition, which you need to replace with a new one. There are several ways to generate GUIDs, but you can do it easily in PowerShell by typing **[guid]::NewGuid()**.
-
+Now, you have something that looks similar to the following XML. Because rule packages and rules are identified by their unique GUIDs, you need to generate two GUIDs: one for the rule package and one to replace the GUID for the Credit Card Number rule. The GUID for the entity ID in the following code sample is the one for our built-in rule definition, which you need to replace with a new one. There are several ways to generate GUIDs, but you can do it easily in PowerShell by typing **[guid]::NewGuid()**.
+ ```xml <?xml version="1.0" encoding="utf-16"?> <RulePackage xmlns="https://schemas.microsoft.com/office/2011/mce">
Now, you have something that looks similar to the following XML. Because rule pa
</LocalizedDetails> </Details> </RulePack>
-
+ <Rules> <Entity id="db80b3da-0056-436e-b0ca-1f4cf7080d1f" patternsProximity="300" recommendedConfidence="85">
Now, you have something that looks similar to the following XML. Because rule pa
</Pattern> </Entity> <LocalizedStrings>
- <Resource idRef="db80b3da-0056-436e-b0ca-1f4cf7080d1f">
+ <Resource idRef="db80b3da-0056-436e-b0ca-1f4cf7080d1f">
<!-- This is the GUID for the preceding Credit Card Number entity because the following text is for that Entity. --> <Name default="true" langcode="en-us">Modified Credit Card Number</Name> <Description default="true" langcode="en-us">Credit Card Number that looks for additional keywords, and another version of Credit Card Number that doesn't require keywords (but has a lower confidence level)</Description>
Now, you have something that looks similar to the following XML. Because rule pa
## Remove the corroborative evidence requirement from a sensitive information type Now that you have a new sensitive information type that you're able to upload to the Security &amp; Compliance Center, the next step is to make the rule more specific. Modify the rule so that it only looks for a 16-digit number that passes the checksum but doesn't require additional (corroborative) evidence, like keywords. To do this, you need to remove the part of the XML that looks for corroborative evidence. Corroborative evidence is very helpful in reducing false positives. In this case there are usually certain keywords or an expiration date near the credit card number. If you remove that evidence, you should also adjust how confident you are that you found a credit card number by lowering the `confidenceLevel`, which is 85 in the example.
-
+ ```xml <Entity id="db80b3da-0056-436e-b0ca-1f4cf7080d1f" patternsProximity="300" <Pattern confidenceLevel="85">
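Review bot: The `<Entity` start tag in this sample ends at `patternsProximity="300"` and is never closed with `>` before `<Pattern confidenceLevel="85">` begins, so the snippet is not well-formed XML and a reader who pastes it gets a parse error rather than a rule. The full sample earlier closes the tag after `recommendedConfidence="85"`; do the same here. The paragraph above also tells the reader to lower `confidenceLevel` when the corroborative evidence is removed, while the visible part of the sample still shows 85, so either show the lowered value or say explicitly that the reader must pick one.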
Now that you have a new sensitive information type that you're able to upload to
## Look for keywords that are specific to your organization You might want to require corroborative evidence but want different or additional keywords, and perhaps you want to change where to look for that evidence. You can adjust the `patternsProximity` to expand or shrink the window for corroborative evidence around the 16-digit number. To add your own keywords, you need to define a keyword list and reference it within your rule. The following XML adds the keywords "company card" and "Contoso card" so that any message that contains those phrases within 150 characters of a credit card number will be identified as a credit card number.
-
+ ```xml <Rules> <! -- Modify the patternsProximity to be "150" rather than "300." -->
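Review bot: The comment in the added sample opens with `<! --` (a space between `<!` and `--`), which is not a valid XML comment delimiter, so the rule package will not parse if this sample is copied as shown. Change it to `<!-- Modify the patternsProximity to be "150" rather than "300." -->`.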
You might want to require corroborative evidence but want different or additiona
## Upload your rule To upload your rule, you need to do the following.
-
+ 1. Save it as an .xml file with Unicode encoding. This is important because the rule won't work if the file is saved with a different encoding.
-
+ 2. [Connect to the Security and Compliance Center via Remote PowerShell.](/powershell/exchange/connect-to-scc-powershell)
-
+ 3. In the PowerShell, type the following.
- ```powershell
+ ```powershell
New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\custompath\MyNewRulePack.xml" -Encoding Byte) ```
-
+ > [!IMPORTANT]
- > Make sure that you use the file location where your rule pack is actually stored. `C:\custompath\` is a placeholder.
-
+ > Make sure that you use the file location where your rule pack is actually stored. `C:\custompath\` is a placeholder.
+ 4. To confirm, type Y, and then press **Enter**. 5. Verify that your new rule was uploaded and its display name by typing:
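Review bot: Step 3's `Get-Content -Path ... -Encoding Byte` works only in Windows PowerShell; PowerShell 6 and later dropped the `Byte` encoding value in favour of `-AsByteStream`, so the command fails there. Because step 1 stresses that the file's encoding must reach the service intact, consider passing `[System.IO.File]::ReadAllBytes('C:\custompath\MyNewRulePack.xml')` to `-FileData`, which behaves the same in both shells, or state which shell the step assumes.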
To upload your rule, you need to do the following.
``` To start using the new rule to detect sensitive information, you need to add the rule to a DLP policy. To learn how to add the rule to a policy, see [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md).
-
+ ## Term glossary These are the definitions for the terms you encountered during this procedure.
-
+ |**Term**|**Definition**| |:--|:--| |Entity|Entities are what we call sensitive information types, such as credit card numbers. Each entity has a unique GUID as its ID. If you copy a GUID and search for it in the XML, you'll find the XML rule definition and all the localized translations of that XML rule. You can also find this definition by locating the GUID for the translation and then searching for that GUID.|
These are the definitions for the terms you encountered during this procedure.
|Pattern confidenceLevel|This is the level of confidence that the DLP engine found a match. This level of confidence is associated with a match for the pattern if the pattern's requirements are met. This is the confidence measure you should consider when using Exchange mail flow rules (also known as transport rules).| |patternsProximity|When we find what looks like a credit card number pattern, `patternsProximity` is the proximity around that number where we'll look for corroborative evidence.| |recommendedConfidence|This is the confidence level we recommend for this rule. The recommended confidence applies to entities and affinities. For entities, this number is never evaluated against the `confidenceLevel` for the pattern. It's merely a suggestion to help you choose a confidence level if you want to apply one. For affinities, the `confidenceLevel` of the pattern must be higher than the `recommendedConfidence` number for a mail flow rule action to be invoked. The `recommendedConfidence` is the default confidence level used in mail flow rules that invokes an action. If you want, you can manually change the mail flow rule to be invoked based off the pattern's confidence level, instead.|
-
+ ## For more information - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
f1.keywords:
Previously updated : Last updated : audience: ITPro f1_keywords: - 'ms.o365.cc.DLPLandingPage' localization_priority: low-+ - M365-security-compliance - SPO_Content - m365solution-mip - m365initiative-compliance
+search.appverid:
- MET150 - seo-marvel-apr2020
description: data loss prevention reference material
# Data loss prevention reference
-
+ > [!IMPORTANT] > This is reference topic is no longer the main resource for Microsoft 365 data loss prevention (DLP) information. The DLP content set is being updated and restructured. The topics covered in this article will be moving to new, updated articles. For more information about DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
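Review bot: The added IMPORTANT note reads "This is reference topic is no longer the main resource", which has a stray "is". Suggest "This reference topic is no longer the main resource for Microsoft 365 data loss prevention (DLP) information."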
description: data loss prevention reference material
<!-- MOVED TO LEARN ABOUT To comply with business standards and industry regulations, organizations must protect sensitive information and prevent its inadvertent disclosure. Sensitive information can include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security &amp; Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.
-
+ With a DLP policy, you can:
-
+ - **Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.**
-
+ For example, you can identify any document containing a credit card number that's stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.
-
-- **Prevent the accidental sharing of sensitive information**.
-
+
+- **Prevent the accidental sharing of sensitive information**.
+ For example, you can identify any document or email containing a health record that's shared with people outside your organization, and then automatically block access to that document or block the email from being sent.
-
+ - **Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word.**
-
+ Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office programs.
-
+ - **Help users learn how to stay compliant without interrupting their workflow.**
-
+ You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook, Excel, PowerPoint, and Word.
-
+ - **View DLP alerts and reports showing content that matches your organizationΓÇÖs DLP policies.**
-
+ To view alerts and metadata related to your DLP policies you can use the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md). You can also view policy match reports to assess how your organization is complying with a DLP policy. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported >
+-->
## Create and manage DLP policies You create and manage DLP policies on the Data loss prevention page in the Microsoft 365 Compliance center.
-
+ ![Data loss prevention page in the Office 365 Security &amp; Compliance Center](../media/943fd01c-d7aa-43a9-846d-0561321a405e.png)
-
+ <!-- MOVED TO LEARN ABOUT ## What a DLP policy contains A DLP policy contains a few basic things:
-
-- Where to protect the content: **locations** such as Exchange Online, SharePoint Online, and OneDrive for Business sites, as well as Microsoft Teams chat and channel messages.
-
-- When and how to protect the content by enforcing **rules** comprised of:
-
- - **Conditions** the content must match before the rule is enforced. For example, a rule might be configured to look only for content containing Social Security numbers that's been shared with people outside your organization.
-
+
+- Where to protect the content: **locations** such as Exchange Online, SharePoint Online, and OneDrive for Business sites, as well as Microsoft Teams chat and channel messages.
+
+- When and how to protect the content by enforcing **rules** comprised of:
+
+ - **Conditions** the content must match before the rule is enforced. For example, a rule might be configured to look only for content containing Social Security numbers that's been shared with people outside your organization.
+ - **Actions** that you want the rule to take automatically when content matching the conditions is found. For example, a rule might be configured to block access to a document and send both the user and compliance officer an email notification. -->
-
+ You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation.
-
+ For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that's shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.
-
+ ![Diagram shows that DLP policy contains locations and rules](../media/c006860c-2d00-42cb-aaa4-5b5638d139f7.png)
-
+ <!-- MOVED TO LEARN ABOUT ### Locations DLP policies are applied to sensitive items across Microsoft 365 locations and can be further scoped as detailed in this table.
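Review bot: The paragraphs left live between the `<!-- MOVED TO LEARN ABOUT` blocks ("You can use a rule to meet a specific protection requirement..." and the HIPAA example with its "the what", "the where", "the conditions", "the actions" labels) depend on the locations, conditions and actions definitions that this hunk comments out, so the rendered page now uses those terms without introducing them. Either move these paragraphs along with the section or add a pointer to `dlp-learn-about-dlp.md` at that spot. Deleting the moved text instead of commenting it out would also keep the source easier to audit, since the history already preserves it.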
If you choose to include specific distribution groups in Exchange, the DLP polic
If you choose to include or exclude specific SharePoint sites, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations. If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion.
-
+ ### Rules > [!NOTE] > The default behavior of a DLP policy, when there is no alert configured, is not to alert or trigger. This applies only to default information types. For custom information types, the system will alert even if there is no action defined in the policy. Rules are what enforce your business requirements on your organization's content. A policy contains one or more rules, and each rule consists of conditions and actions. For each rule, when the conditions are met, the actions are taken automatically. Rules are executed sequentially, starting with the highest-priority rule in each policy.
-
+ A rule also provides options to notify users (with policy tips and email notifications) and admins (with email incident reports) that content has matched the rule.
-
+ Here are the components of a rule, each explained below.
-
+ ![Sections of the DLP rule editor](../media/1859d504-b9c2-45ed-961b-a0092251acc2.png)
-
+ #### Conditions Conditions are important because they determine what types of information you're looking for, and when to take an action. For example, you might choose to ignore content containing passport numbers unless the content contains more than 10 such numbers and is shared with people outside your organization.
-
-Conditions focus on the **content**, such as what types of sensitive information you're looking for, and also on the **context**, such as who the document is shared with. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.
-
+
+Conditions focus on the **content**, such as what types of sensitive information you're looking for, and also on the **context**, such as who the document is shared with. You can use conditions to assign different actions to different risk levels. For example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.
+ ![List showing available DLP conditions](../media/0fa43f90-d007-4506-ae93-43e8424fe103.png)
-
+ The conditions now available can determine if:
-
+ - Content contains a type of sensitive information.
-
+ - Content contains a label. For more information, see the below section [Using a retention label as a condition in a DLP policy](#using-a-retention-label-as-a-condition-in-a-dlp-policy).
-
+ - Content is shared with people outside or inside your organization. > [!NOTE] > Users who have non-guest accounts in a host organization's Active Directory or Azure Active Directory tenant are considered as people inside the organization.
-
+ #### Types of sensitive information
-A DLP policy can help protect sensitive information, which is defined as a **sensitive information type**. Microsoft 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.
-
+A DLP policy can help protect sensitive information, which is defined as a **sensitive information type**. Microsoft 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.
+ ![List of available sensitive information types](../media/3eaa9911-bc94-44be-902f-363dbf3b07fe.png)
-
+ When a DLP policy looks for a sensitive information type such as a credit card number, it doesn't simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:
-
+ - Keywords.
-
+ - Internal functions to validate checksums or composition.
-
+ - Evaluation of regular expressions to find pattern matches.
-
+ - Other content examination.
-
+ This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt peoples' work.
-
+ #### Actions When content matches a condition in a rule, you can apply actions to automatically protect the content.
-
+ ![List of available DLP actions](../media/8aef17fc-1e99-4ac7-adfc-0f2c9c1a0697.png)
-
+ With the actions now available, you can:
-
+ - **Restrict access to the content** Depending on your need, you can restrict access to content in three ways: 1. Restrict access to content for everyone. 2. Restrict access to content for people outside the organization. 3. Restrict access to "Anyone with the link."
- For site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions are automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.
-
+ For site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions are automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.
+ ![Policy tip showing access to document is blocked](../media/b6cefed3-d212-43d7-8534-4b92b26ebd50.png)
-
+ For email content, this action blocks the message from being sent. Depending on how the DLP rule is configured, the sender sees an NDR or (if the rule uses a notification) a policy tip and/or email notification.
-
+ ![Warning that unauthorized recipients must be removed from the message](../media/302f9994-912d-41e7-861f-8a4539b3c285.png)
-
+ #### User notifications and user overrides You can use notifications and overrides to educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification.
-
+ ![User notifications and user overrides sections of DLP rule editor](../media/37b560d4-6e4e-489e-9134-d4b9daf60296.png)
-
+ The email can notify the person who sent, shared, or last modified the content and, for site content, the primary site collection administrator and document owner. In addition, you can add or remove whomever you choose from the email notification.
-
+ In addition to sending an email notification, a user notification displays a policy tip:
-
+ - In Outlook and Outlook on the web.
-
+ - For the document on a SharePoint Online or OneDrive for Business site.
-
+ - In Excel, PowerPoint, and Word, when the document is stored on a site included in a DLP policy.
-
+ The email notification and policy tip explain why content conflicts with a DLP policy. If you choose, the email notification and policy tip can allow users to override a rule by reporting a false positive or providing a business justification. This can help you educate users about your DLP policies and enforce them without preventing people from doing their work. Information about overrides and false positives is also logged for reporting (see below about the DLP reports) and included in the incident reports (next section), so that the compliance officer can regularly review this information.
-
+ Here's what a policy tip looks like in a OneDrive for Business account.
-
+ ![Policy tip for a document in a OneDrive account](../media/f9834d35-94f0-4511-8555-0fe69855ce6d.png) To learn more about user notifications and policy tips in DLP policies, see [Use notifications and policy tips](use-notifications-and-policy-tips.md). #### Alerts and Incident reports
-When a rule is matched, you can send an alert email to your compliance officer ( or any person(s) you choose) with details of the alert. This alert email will carry a link of the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md) which the compliance officer can go to view the details of alert and events. The dashboard contains details of the event that triggered the alert along with details of the DLP policy matched and the sensitive content detected.
+When a rule is matched, you can send an alert email to your compliance officer (or any person(s) you choose) with details of the alert. This alert email will carry a link of the [DLP Alerts Management Dashboard](dlp-configure-view-alerts-policies.md) which the compliance officer can go to view the details of alert and events. The dashboard contains details of the event that triggered the alert along with details of the DLP policy matched and the sensitive content detected.
In addition, you can also send an incident report with details of the event. This report includes information about the item that was matched, the actual content that matched the rule, and the name of the person who last modified the content. For email messages, the report also includes as an attachment the original message that matches a DLP policy.
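Review bot: The corrected sentence in the "Alerts and Incident reports" paragraph fixes the stray space in "( or" but keeps "will carry a link of the DLP Alerts Management Dashboard which the compliance officer can go to view the details of alert and events", which is still hard to read. While the line is being touched, suggest "includes a link to the DLP Alerts Management Dashboard, where the compliance officer can view the details of alerts and events."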
In addition, you can also send an incident report with details of the event. Thi
> ![Page for configuring incident reports](../media/Alerts-and-incident-report.png) DLP scans email differently from items in SharePoint Online or OneDrive for Business. In SharePoint Online and OneDrive for Business, DLP scans existing items as well as new ones and generates an alert and incident report whenever a match is found. In Exchange Online, DLP only scans new email messages and generates a report if there is a policy match. DLP ***does not*** scan or match previously existing email items that are stored in a mailbox or archive.
-
+ ## Grouping and logical operators Often your DLP policy has a straightforward requirement, such as to identify all content that contains a U.S. Social Security Number. However, in other scenarios, your DLP policy might need to identify more loosely defined data.
-
+ For example, to identify content subject to the U.S. Health Insurance Act (HIPAA), you need to look for:
-
+ - Content that contains specific types of sensitive information, such as a U.S. Social Security Number or Drug Enforcement Agency (DEA) Number.
-
+ AND
-
+ - Content that's more difficult to identify, such as communications about a patient's care or descriptions of medical services provided. Identifying this content requires matching keywords from very large keyword lists, such as the International Classification of Diseases (ICD-9-CM or ICD-10-CM).
-
+ You can easily identify such loosely defined data by using grouping and logical operators (AND, OR). When you create a DLP policy, you can:
-
+ - Group sensitive information types.
-
+ - Choose the logical operator between the sensitive information types within a group and between the groups themselves.
-
+ ### Choosing the operator within a group Within a group, you can choose whether any or all of the conditions in that group must be satisfied for the content to match the rule.
-
+ ![Group showing the operators within the group](../media/6a12f1e8-112d-48ee-9a73-82b3dd0542e7.png)
-
+ ### Adding a group You can quickly add a group, which can have its own conditions and operator within that group.
-
+ ![Add group button](../media/5f72f292-d1f3-4f11-a911-a9f71e10abf6.png)
-
+ ### Choosing the operator between groups Between groups, you can choose whether the conditions in just one group or all of the groups must be satisfied for the content to match the rule.
-
-For example, the built-in **U.S. HIPAA** policy has a rule that uses an **AND** operator between the groups so that it identifies content that contains:
-
-- from the group **PII Identifiers** (at least one SSN number **OR** DEA number)
-
+
+For example, the built-in **U.S. HIPAA** policy has a rule that uses an **AND** operator between the groups so that it identifies content that contains:
+
+- from the group **PII Identifiers** (at least one SSN number **OR** DEA number)
+ **AND**
-
-- from the group **Medical Terms** (at least one ICD-9-CM keyword **OR** ICD-10-CM keyword)
-
+
+- from the group **Medical Terms** (at least one ICD-9-CM keyword **OR** ICD-10-CM keyword)
+ ![Groups showing the operator between groups](../media/354aa77f-569c-4847-9dfe-605ee2bb28d1.png)
-
+ ## The priority by which rules are processed When you create rules in a policy, each rule is assigned a priority in the order in which it's created ΓÇö meaning, the rule created first has first priority, the rule created second has second priority, and so on. > [!div class="mx-imgBorder"] > ![Rules in priority order](../media/dlp-rules-in-priority-order.png)
-
+ After you have set up more than one DLP policy, you can change the priority of one or more policies. To do that, select a policy, choose **Edit policy**, and use the **Priority** list to specify its priority. > [!div class="mx-imgBorder"] > ![Set priority for a policy](../media/dlp-set-policy-priority.png) When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the rules are processed in priority order and the most restrictive action is enforced. For example, if content matches all of the following rules, Rule 3 is enforced because it's the highest priority, most restrictive rule:
-
+ - Rule 1: only notifies users
-
+ - Rule 2: notifies users, restricts access, and allows user overrides
-
+ - Rule 3: notifies users, restricts access, and does not allow user overrides
-
+ - Rule 4: only notifies users
-
+ - Rule 5: restricts access
-
+ - Rule 6: notifies users, restricts access, and does not allow user overrides
-
+ In this example, note that matches for all of the rules are recorded in the audit logs and shown in the DLP reports, even though only the most restrictive rule is enforced.
-
+ Regarding policy tips, note that:
-
+ - Only the policy tip from the highest priority, most restrictive rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.
-
+ - If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.
-
+ ## Tuning rules to make them easier or harder to match After people create and turn on their DLP policies, they sometimes run into these issues:
-
-- Too much content that **is not** sensitive information matches the rules ΓÇö in other words, too many false positives.
-
-- Too little content that **is** sensitive information matches the rules. In other words, the protective actions aren't being enforced on the sensitive information.
-
+
+- Too much content that **is not** sensitive information matches the rules ΓÇö in other words, too many false positives.
+
+- Too little content that **is** sensitive information matches the rules. In other words, the protective actions aren't being enforced on the sensitive information.
+ To address these issues, you can tune your rules by adjusting the instance count and match accuracy to make it harder or easier for content to match the rules. Each sensitive information type used in a rule has both an instance count and match accuracy.
-
+ ### Instance count Instance count means simply how many occurrences of a specific type of sensitive information must be present for content to match the rule. For example, content matches the rule shown below if between 1 and 9 unique U.S. or U.K. passport numbers are identified. > [!NOTE] > The instance count includes only **unique** matches for sensitive information types and keywords. For example, if an email contains 10 occurrences of the same credit card number, those 10 occurrences count as a single instance of a credit card number.
-
+ To use instance count to tune rules, the guidance is straightforward:
-
-- To make the rule easier to match, decrease the **min** count and/or increase the **max** count. You can also set **max** to **any** by deleting the numerical value.
-
-- To make the rule harder to match, increase the **min** count.
-
+
+- To make the rule easier to match, decrease the **min** count and/or increase the **max** count. You can also set **max** to **any** by deleting the numerical value.
+
+- To make the rule harder to match, increase the **min** count.
+ Typically, you use less restrictive actions, such as sending user notifications, in a rule with a lower instance count (for example, 1-9). And you use more restrictive actions, such as restricting access to content without allowing user overrides, in a rule with a higher instance count (for example, 10-any).
-
+ ![Instance counts in the rule editor](../media/e7ea3c12-72c5-4bb3-9590-c924c665e84d.png)
-
+ ### Match accuracy As described above, a sensitive information type is defined and detected by using a combination of different types of evidence. Commonly, a sensitive information type is defined by multiple such combinations, called patterns. A pattern that requires less evidence has a lower match accuracy (or confidence level), while a pattern that requires more evidence has a higher match accuracy (or confidence level). To learn more about the actual patterns and confidence levels used by every sensitive information type, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
-
+ For example, the sensitive information type named Credit Card Number is defined by two patterns:
-
+ - A pattern with 65% confidence that requires:
-
+ - A number in the format of a credit card number.
-
+ - A number that passes the checksum.
-
+ - A pattern with 85% confidence that requires:
-
+ - A number in the format of a credit card number.
-
+ - A number that passes the checksum.
-
+ - A keyword or an expiration date in the right format.
-
+ You can use these confidence levels (or match accuracy) in your rules. Typically, you use less restrictive actions, such as sending user notifications, in a rule with lower match accuracy. And you use more restrictive actions, such as restricting access to content without allowing user overrides, in a rule with higher match accuracy.
-
+ It's important to understand that when a specific type of sensitive information, such as a credit card number, is identified in content, only a single confidence level is returned:
-
+ - If all of the matches are for a single pattern, the confidence level for that pattern is returned.
-
+ - If there are matches for more than one pattern (that is, there are matches with two different confidence levels), a confidence level higher than any of the single patterns alone is returned. This is the tricky part. For example, for a credit card, if both the 65% and 85% patterns are matched, the confidence level returned for that sensitive information type is greater than 90% because more evidence means more confidence.
-
-So if you want to create two mutually exclusive rules for credit cards, one for the 65% match accuracy and one for the 85% match accuracy, the ranges for match accuracy would look like this. The first rule picks up only matches of the 65% pattern. The second rule picks up matches with **at least one** 85% match and **can potentially have** other lower-confidence matches.
-
+
+So if you want to create two mutually exclusive rules for credit cards, one for the 65% match accuracy and one for the 85% match accuracy, the ranges for match accuracy would look like this. The first rule picks up only matches of the 65% pattern. The second rule picks up matches with **at least one** 85% match and **can potentially have** other lower-confidence matches.
+ ![Two rules with different ranges for match accuracy](../media/21bdfe36-7a91-4347-8098-11809a92f9a4.png)
-
+ For these reasons, the guidance for creating rules with different match accuracies is:
-
-- The lowest confidence level typically uses the same value for **min** and **max** (not a range).
-
+
+- The lowest confidence level typically uses the same value for **min** and **max** (not a range).
+ - The highest confidence level is typically a range from just above the lower confidence level to 100.
-
+ - Any in-between confidence levels typically range from just above the lower confidence level to just below the higher confidence level.
-
+ ## Using a retention label as a condition in a DLP policy When you use a previously created and published [retention label](retention.md#retention-labels) as a condition in a DLP policy, there are some things to be aware of:
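Review bot: In the Match accuracy section, the sentence ending "the ranges for match accuracy would look like this" leaves the actual min/max values to the screenshot alone, so the two mutually exclusive ranges cannot be reproduced from the text. The same section says a match on both the 65% and 85% patterns returns a single confidence level greater than 90%, so a second rule capped at 85 would miss exactly those items. Suggest spelling out both ranges in prose next to the image, consistent with the min/max guidance in the bullets that follow.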
When you use a previously created and published [retention label](retention.md#r
- You published a retention label named **tax year 2018**, which when applied to tax documents from 2018 that are stored in SharePoint retains them for 10 years then disposes of them. You also don't want those items being shared outside your organization, which you can do with a DLP policy. > [!IMPORTANT]
- > You'll get this error if you specify a retention label as a condition in a DLP policy and you also include Exchange and/or Teams as a location: **"Protecting labeled content in email and teams messages isn't supported. Either remove the label below or turn off Exchange and Teams as a location."** This is because Exchange transport does not evaluate the label metadata during message submission and delivery.
+ > You'll get this error if you specify a retention label as a condition in a DLP policy and you also include Exchange and/or Teams as a location: **"Protecting labeled content in email and teams messages isn't supported. Either remove the label below or turn off Exchange and Teams as a location."** This is because Exchange transport does not evaluate the label metadata during message submission and delivery.
### Using a sensitivity label as a condition in a DLP policy [Learn more](./dlp-sensitivity-label-as-condition.md) about using Sensitivity label as a condition in DLP policies.
-
+ ### How this feature relates to other features Several features can be applied to content containing sensitive information:
-
-- A [retention label and a retention policy](retention.md) can both enforce **retention** actions on this content.
-
-- A DLP policy can enforce **protection** actions on this content. And before enforcing these actions, a DLP policy can require other conditions to be met in addition to the content containing a label.
-
+
+- A [retention label and a retention policy](retention.md) can both enforce **retention** actions on this content.
+
+- A DLP policy can enforce **protection** actions on this content. And before enforcing these actions, a DLP policy can require other conditions to be met in addition to the content containing a label.
+ ![Diagram of features that can apply to sensitive information](../media/dd410f97-a3a3-455c-a1e9-7ed8ae6893d6.png)
-
+ Note that a DLP policy has a richer detection capability than a label or retention policy applied to sensitive information. A DLP policy can enforce protective actions on content containing sensitive information, and if the sensitive information is removed from the content, those protective actions are undone the next time the content's scanned. But if a retention policy or label is applied to content containing sensitive information, that's a one-time action that won't be undone even if the sensitive information is removed.
-
+ By using a label as a condition in a DLP policy, you can enforce both retention and protection actions on content with that label. You can think of content containing a label exactly like content containing sensitive information - both a label and a sensitive information type are properties used to classify content, so that you can enforce actions on that content.
-
+ ![Diagram of DLP policy using label as a condition](../media/4538fd8f-fb74-4743-bc22-a5de33adfebb.png)
-
+ ## Simple settings vs. advanced settings When you create a DLP policy, you'll choose between simple or advanced settings:
-
-- **Simple settings** make it easy to create the most common type of DLP policy without using the rule editor to create or modify rules.
-
-- **Advanced settings** use the rule editor to give you complete control over every setting for your DLP policy.
-
+
+- **Simple settings** make it easy to create the most common type of DLP policy without using the rule editor to create or modify rules.
+
+- **Advanced settings** use the rule editor to give you complete control over every setting for your DLP policy.
+ Don't worry, under the covers, simple settings and advanced settings work exactly the same, by enforcing rules comprised of conditions and actionsΓÇöonly with simple settings, you don't see the rule editor. It's a quick way to create a DLP policy.
-
+ ### Simple settings By far, the most common DLP scenario is creating a policy to help protect content containing sensitive information from being shared with people outside your organization, and taking an automatic remediating action such as restricting who can access the content, sending end-user or admin notifications, and auditing the event for later investigation. People use DLP to help prevent the inadvertent disclosure of sensitive information.
-
+ To simplify achieving this goal, when you create a DLP policy, you can choose **Use simple settings**. These settings provide everything you need to implement the most common DLP policy, without having to go into the rule editor.
-
+ ![DLP options for simple and advanced settings](../media/33c93824-ead5-43b6-9c3e-fd1630c92a7d.png)
-
+ ### Advanced settings If you need to create more customized DLP policies, you can choose **Use advanced settings**.
-
+ The advanced settings present you with the rule editor, where you have full control over every possible option, including the instance count and match accuracy (confidence level) for each rule.
-
+ To jump to a section quickly, click an item in the top navigation of the rule editor to go to that section below.
-
+ ![Top navigation menu of DLP rule editor](../media/c527b97f-ca53-4c79-ad19-1a63be8a8ecc.png)
-
+ ## DLP policy templates The first step in creating a DLP policy is choosing what information to protect. By starting with a DLP template, you save the work of building a new set of rules from scratch, and figuring out which types of information should be included by default. You can then add to or modify these requirements to fine tune the rule to meet your organization's specific requirements.
-
+ A preconfigured DLP policy template can help you detect specific types of sensitive information, such as HIPAA data, PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (P.I.). To make it easy for you to find and protect common types of sensitive information, the policy templates included in Microsoft 365 already contain the most common sensitive information types necessary for you to get started.
-
+ ![List of templates for data loss prevention policies with focus on template for U.S. Patriot Act](../media/791b2403-430b-4987-8643-cc20abbd8148.png)
-
-Your organization may also have its own specific requirements, in which case you can create a DLP policy from scratch by choosing the **Custom policy** option. A custom policy is empty and contains no premade rules.
-
+
+Your organization may also have its own specific requirements, in which case you can create a DLP policy from scratch by choosing the **Custom policy** option. A custom policy is empty and contains no premade rules.
+ <!-- ## Roll out DLP policies gradually with test mode rehomed to Plan for DLP When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require access to in order to get their work done.
-
+ If you're creating DLP policies with a large potential impact, we recommend following this sequence:
-
-1. **Start in test mode without Policy Tips** and then use the DLP reports and any incident reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
-
-2. **Move to Test mode with notifications and Policy Tips** so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.
-
-3. **Start full enforcement on the policies** so that the actions in the rules are applied and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
+
+1. **Start in test mode without Policy Tips** and then use the DLP reports and any incident reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
+
+2. **Move to Test mode with notifications and Policy Tips** so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.
+
+3. **Start full enforcement on the policies** so that the actions in the rules are applied and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
![Options for using test mode and turning on policy](../media/49fafaac-c6cb-41de-99c4-c43c3e380c3a.png)
If you're creating DLP policies with a large potential impact, we recommend foll
> [!div class="mx-imgBorder"] > ![Set rule priority](../media/dlp-set-rule-priority.png)-->
-
+ ## DLP reports After you create and turn on your DLP policies, you'll want to verify that they're working as you intended and helping you stay compliant. With DLP reports, you can quickly view the number of DLP policy and rule matches over time, and the number of false positives and overrides. For each report, you can filter those matches by location, time frame, and even narrow it down to a specific policy, rule, or action.
-
+ With the DLP reports, you can get business insights and:
-
+ - Focus on specific time periods and understand the reasons for spikes and trends.
-
+ - Discover business processes that violate your organization's compliance policies.
-
+ - Understand any business impact of the DLP policies.
-
+ In addition, you can use the DLP reports to fine tune your DLP policies as you run them.
-
+ ![Reports Dashboard in Security and Compliance Center](../media/6d741252-a0ce-4429-95ba-6c857ecc9a7e.png)
-
+ ## How DLP policies work DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, dictionary matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.
-
+ ### Policies are synced After you create a DLP policy in the Security &amp; Compliance Center, it's stored in a central policy store, and then synced to the various content sources, including:
-
+ - Exchange Online, and from there to Outlook on the web and Outlook.
-
+ - OneDrive for Business sites.
-
+ - SharePoint Online sites.
-
+ - Office desktop programs (Excel, PowerPoint, and Word). - Microsoft Teams channels and chat messages.
-
+ After the policy's synced to the right locations, it starts to evaluate content and enforce actions. <!-- what is the time delay for first deployment of a policy and what is the sync schedule? -->
-
+ ### Policy evaluation in OneDrive for Business and SharePoint Online sites Across all of your SharePoint Online sites and OneDrive for Business sites, documents are constantly changing ΓÇö they're continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.
-
+ For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation. <!-- what is the frequency? looks like it is tied to the search crawl schedule -->
-
+ #### How it works
-
+ As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content's also scanned for sensitive information and to check if it's shared. Any sensitive information that's found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you've turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.
-
+ ![Diagram showing how DLP policy evaluates content asynchronously](../media/bdf73099-039a-4909-ae89-ac12c41992ba.png)
-
+ <!-- conflict with a DLP policy is bad wording --> Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.
-
+ DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see [Default crawled file name extensions and parsed file types in SharePoint Server](/SharePoint/technical-reference/default-crawled-file-name-extensions-and-parsed-file-types). > [!NOTE]
-> In order to prevent documents from being shared before DLP policies had the opportunity to analyze them, sharing of new files in SharePoint can be blocked until its content has been indexed. See, [Mark new files as sensitive by default](/sharepoint/sensitive-by-default) for detailed information.
-
+> In order to prevent documents from being shared before DLP policies had the opportunity to analyze them, sharing of new files in SharePoint can be blocked until its content has been indexed. See, [Mark new files as sensitive by default](/sharepoint/sensitive-by-default) for detailed information.
+ ### Policy evaluation in Exchange Online, Outlook, and Outlook on the web When you create a DLP policy that includes Exchange Online as a location, the policy's synced from the Office 365 Security &amp; Compliance Center to Exchange Online, and then from Exchange Online to Outlook on the web and Outlook.
-
+ When a message is being composed in Outlook, the user can see policy tips as the content being created is evaluated against DLP policies. And after a message is sent, it's evaluated against DLP policies as a normal part of mail flow, along with Exchange mail flow rules (also known as transport rules) and DLP policies created in the Exchange admin center. DLP policies scan both the message and any attachments.
-
+ ### Policy evaluation in the Office desktop programs <!-- same capability to identify sensitive information line conflates sensitive information types and such --> Excel, PowerPoint, and Word include the same capability to identify sensitive information and apply DLP policies as SharePoint Online and OneDrive for Business. These Office programs sync their DLP policies directly from the central policy store, and then continuously evaluate the content against the DLP policies when people work with documents opened from a site that's included in a DLP policy.
-
+ DLP policy evaluation in Office is designed not to affect the performance of the programs or the productivity of people working on content. If they're working on a large document, or the user's computer is busy, it might take a few seconds for a policy tip to appear. ### Policy evaluation in Microsoft Teams <!--what do you mean that it's synched to user accounts? I thought DLP policies were applied to locations not users like sensitivity labels are --> When you create a DLP policy that includes Microsoft Teams as a location, the policy's synced from the Office 365 Security &amp; Compliance Center to user accounts and Microsoft Teams channels and chat messages. Depending on how DLP policies are configured, when someone attempts to share sensitive information in a Microsoft Teams chat or channel message, the message can be blocked or revoked. And, documents that contain sensitive information and that are shared with guests (external users) won't open for those users. To learn more, see [Data loss prevention and Microsoft Teams](dlp-microsoft-teams.md).
-
+ ## Permissions By default, Global admins, Security admins, and Compliance admins will have access to create and apply a DLP policy. Other Members of your compliance team who will create DLP policies need permissions to the Security &amp; Compliance Center. By default, your Tenant admin will have access to this location and can give compliance officers and other people access to the Security &amp; Compliance Center, without giving them all of the permissions of a Tenant admin. To do this, we recommend that you:
-
+ 1. Create a group in Microsoft 365 and add compliance officers to it.
-
-2. Create a role group on the **Permissions** page of the Security &amp; Compliance Center.
+
+2. Create a role group on the **Permissions** page of the Security &amp; Compliance Center.
3. While creating the role group, use the **Choose Roles** section to add the following role to the Role Group: **DLP Compliance Management**.
-
+ 4. Use the **Choose Members** section to add the Microsoft 365 group you created before to the role group. You can also create a role group with view-only privileges to the DLP policies and DLP reports by granting the **View-Only DLP Compliance Management** role. For more information, see [Give users access to the Office 365 Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
-
+ These permissions are required only to create and apply a DLP policy. Policy enforcement does not require access to the content.
-
+ ## Find the DLP cmdlets To use most of the cmdlets for the Security &amp; Compliance Center, you need to:
-
+ 1. [Connect to the Office 365 Security &amp; Compliance Center using remote PowerShell](/powershell/exchange/connect-to-scc-powershell).
-
+ 2. Use any of these [policy-and-compliance-dlp cmdlets](/powershell/module/exchange/export-dlppolicycollection).
-
+ However, DLP reports need pull data from across Microsoft 365, including Exchange Online. For this reason, **the cmdlets for the DLP reports are available in Exchange Online Powershell -- not in Security &amp; Compliance Center Powershell**. Therefore, to use the cmdlets for the DLP reports, you need to:
-
+ 1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
-
+ 2. Use any of these cmdlets for the DLP reports:
-
+ - [Get-DlpDetectionsReport](/powershell/module/exchange/Get-DlpDetectionsReport) - [Get-DlpDetailReport](/powershell/module/exchange/Get-DlpDetailReport)
-
+ ## More information - [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
-
+ - [Send notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)
-
+ - [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md)
-
+ - [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)
-
+ - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
-
+ - [What the DLP functions look for](what-the-dlp-functions-look-for.md)
-
+ - [Create a custom sensitive information type](create-a-custom-sensitive-information-type.md)
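Review bot: Unresolved author questions are left in the source as inline HTML comments under "Policies are synced" (time delay for first deployment and the sync schedule) and under "Policy evaluation in OneDrive for Business and SharePoint Online sites" (evaluation frequency). Readers need those timings to know how soon a new policy or an edited document is actually evaluated, so answer them in the text or move the questions to an issue rather than shipping them in the article; the same applies to the comments in the Office desktop programs and Microsoft Teams paragraphs. The commented-out "Roll out DLP policies gradually with test mode" block that closes with `-->` at the top of this hunk is marked "rehomed to Plan for DLP" and can be deleted instead of kept as a comment. Separately, "DLP reports need pull data" under "Find the DLP cmdlets" is missing "to".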
compliance Declare Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/declare-records.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Priority-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150 description: "Declare records by using retention labels."
You can then either publish those labels in a retention label policy so that use
## How to display the option to mark content as a regulatory record
->[!NOTE]
+> [!NOTE]
> The following procedure is an auditable action, logging **Enabled regulatory record option for retention labels** in the [Retention policy and retention label activities](search-the-audit-log-in-security-and-compliance.md#retention-policy-and-retention-label-activities) section of the audit log. By default, the retention label option to mark content as a regulatory record isn't displayed in the retention label wizard. To display this option, you must first run a PowerShell command:
By default, the retention label option to mark content as a regulatory record is
1. [Connect to the Office 365 Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell). 2. Run the following cmdlet:
-
+ ```powershell Set-RegulatoryComplianceUI -Enabled $true ````+ There is no prompt to confirm and the setting takes effect immediately.
-If you change your mind about seeing this option in the retention label wizard, you can hide it again by running the same cmdlet with the **false** value: `Set-RegulatoryComplianceUI -Enabled $false`
+If you change your mind about seeing this option in the retention label wizard, you can hide it again by running the same cmdlet with the **false** value: `Set-RegulatoryComplianceUI -Enabled $false`
## Configuring retention labels to declare records
For example:
![Configure a retention label to mark content as a record or regulatory](../media/recordversioning6.png)
-Using this retention label, you can now apply it to SharePoint or OneDrive documents and Exchange emails, as needed.
+Using this retention label, you can now apply it to SharePoint or OneDrive documents and Exchange emails, as needed.
For full instructions:
For full instructions:
When retention labels that mark items as a record or regulatory record are made available for users to apply them in apps: -- For Exchange, any user with write-access to the mailbox can apply these labels.
+- For Exchange, any user with write-access to the mailbox can apply these labels.
- For SharePoint and OneDrive, any user in the default Members group (the Contribute permission level) can apply these labels. Example of a document marked as record by using a retention label:
Example of a document marked as record by using a retention label:
The actions of labeling to declare items as records are logged in the audit log.
-For SharePoint items:
+For SharePoint items:
- From **File and page activities**, select **Changed retention label for a file**. This audit event is for retention labels that mark items as records, regulatory records, or that are standard retention labels. For Exchange items:
compliance Deploy Twitter Connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-twitter-connector.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal
+search.appverid:
- MET150
description: "Administrators can set up a native connector to import and archive
# Deploy a connector to archive Twitter data
-This article contains the step-by-step process to deploy a connector that uses the Office 365 Import service to import data from your organization's Twitter account to Microsoft 365. For a high-level overview of this process and a list of prerequisites required to deploy a Twitter connector, see [Set up a connector to archive Twitter data ](archive-twitter-data-with-sample-connector.md).
+This article contains the step-by-step process to deploy a connector that uses the Office 365 Import service to import data from your organization's Twitter account to Microsoft 365. For a high-level overview of this process and a list of prerequisites required to deploy a Twitter connector, see [Set up a connector to archive Twitter data ](archive-twitter-data-with-sample-connector.md).
## Step 1: Create an app in Azure Active Directory
This article contains the step-by-step process to deploy a connector that uses t
4. Register the application. Under **Redirect URI (optional)**, select **Web** in the application type dropdown list and then type `https://portal.azure.com` in the box for the URI.
- ![Type https://portal.azure.com for the redirect URI ](../media/TCimage04.png)
+ ![Type https://portal.azure.com for the redirect URI](../media/TCimage04.png)
5. Copy the **Application (client) ID** and **Directory (tenant) ID** and save them to a text file or other safe location. You use these IDs in later steps.
This article contains the step-by-step process to deploy a connector that uses t
![Create a new client secret](../media/TCimage06.png)
-7. Create a new secret. In the description box, type the secret and then choose an expiration period.
+7. Create a new secret. In the description box, type the secret and then choose an expiration period.
![Type the secret and choose expiration period](../media/TCimage08.png)
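Review bot: Step 7 tells the admin to "type the secret" in the description box, which reads as an instruction to put the secret value into a label field. Suggest "type a description for the secret", and if the resulting value has to be saved for a later step, say so here. The image alt text "Type the secret and choose expiration period" carries the same wording and should change with it.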
This article contains the step-by-step process to deploy a connector that uses t
![Click Create a resource and type storage account](../media/FBCimage12.png) - **Subscription:** Select your Azure subscription that you want to deploy the Twitter connector web service to.
-
+ - **Resource group:** Choose or create a new resource group. A resource group is a container that holds related resources for an Azure solution. - **Location:** Choose a location. - **Web App Name:** Provide a unique name for the connector web app. Th name must be between 3 and 18 characters in length. This name is used to create the Azure app service URL; for example, if you provide the Web app name of **twitterconnector** then the Azure app service URL will be **twitterconnector.azurewebsites.net**.
-
+ - **tenantId:** The tenant ID of your Microsoft 365 organization that you copied after creating the Facebook connector app in Azure Active Directory in Step 1.
-
+ - **APISecretKey:** You can type any value as the secret. This is used to access the connector web app in Step 5. 3. After the deployment is successful, the page will look similar to the following screenshot:
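Review bot: The **APISecretKey** bullet says "You can type any value as the secret", yet this value is what signs in to the connector web app later on the page (the "Sign in using tenant Id and API secret key" screenshot and the **Password** box). Suggest asking for a long, randomly generated value instead of "any value". In the same list, the **tenantId** bullet refers to "the Facebook connector app" in an article about the Twitter connector, and "Th name" in the **Web App Name** bullet is missing an "e".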
This article contains the step-by-step process to deploy a connector that uses t
![Go to https://developer.twitter.com and log in](../media/TCimage25-5.png) 2. Click **Create an app**.
-
+ ![Go to Apps page to create an app](../media/TCimage26.png) 3. Under **App details**, add information about the application.
This article contains the step-by-step process to deploy a connector that uses t
![Enter info about the app](../media/TCimage27.png) 4. On the Twitter developer dashboard, select the app that you just created and then click **Details**.
-
+ ![Copy and save the App Id](../media/TCimage28.png) 5. On the **Keys and tokens** tab, under **Consumer API keys** copy both the API Key and the API secret key and save them to a text file or other storage location. Then click **Create** to generate an access token and access token secret and copy these to a text file or other storage location.
-
+ ![Copy and save to API secret key](../media/TCimage29.png) Then click **Create** to generate an access token and an access token secret, and copy these to a text file or other storage location.
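Review bot: The instruction "Then click **Create** to generate an access token and access token secret" appears twice in step 5, once before the screenshot and again after it; keep one copy. While editing that step, consider replacing "a text file or other storage location" with a pointer to a secrets store, since the API secret key and access token secret are credentials.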
This article contains the step-by-step process to deploy a connector that uses t
8. Do the following tasks: - Select the checkbox to allow the connector app to sign in to Twitter.
-
+ - Add the OAuth redirect Uri using the following format: **\<connectorserviceuri>/Views/TwitterOAuth**, where the value of *connectorserviceuri* is the Azure app service URL for your organization; for example, https://twitterconnector.azurewebsites.net/Views/TwitterOAuth. ![Allow connector app to sign in to Twitter and add OAuth redirect Uri](../media/TCimage32.png) The Twitter developer app is now ready to use.
-## Step 4: Configure the connector web app
+## Step 4: Configure the connector web app
1. Go to https://\<AzureAppResourceName>.azurewebsites.net (where **AzureAppResourceName** is the name of your Azure app resource that you named in Step 4). For example, if the name is **twitterconnector**, go to https://twitterconnector.azurewebsites.net. The home page of the app looks like the following screenshot:
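Review bot: Item 1 under "Step 4: Configure the connector web app" says the Azure app resource was "named in Step 4", which is the step the reader is already in. The **Web App Name** is set in the deployment step, which the **Password** bullet later on the page cites as Step 2, so the reference should point there.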
The Twitter developer app is now ready to use.
![Sign in using tenant Id and API secret key](../media/TCimage35.png)
-4. Enter the following configuration settings
+4. Enter the following configuration settings
- **Twitter Api Key:** The API key for the Twitter application that you created in Step 3.
-
+ - **Twitter Api Secret Key:** The API secret key for the Twitter application that you created in Step 3.
-
+ - **Twitter Access Token:** The access token that you created in Step 3.
-
+ - **Twitter Access Token Secret:** The access token secret that you created in Step 3.
-
+ - **AAD Application ID:** The application ID for the Azure Active Directory app that you created in Step 1
-
+ - **AAD Application Secret:** The value for the APISecretKey secret that you created in Step 1. 5. Click **Save** to save the connector settings.
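Review bot: The **AAD Application Secret** bullet describes the value as "the APISecretKey secret that you created in Step 1", but Step 1 creates a client secret for the Azure Active Directory app, while APISecretKey is the separate value typed during web app deployment and cited elsewhere on the page as created in Step 2. Mixing the two names invites pasting the wrong credential; suggest "the client secret that you created in Step 1" if that is what the field expects. The **AAD Application ID** bullet just above is also missing its closing period.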
The Twitter developer app is now ready to use.
![Enter connector app credentials](../media/TCimage38.png) - In the **Name** box, type a name for the connector, such as **Twitter help handle**.
-
+ - In the **Connector URL** box, type or paste the Azure app service URL; for example `https://twitterconnector.azurewebsites.net`.
-
+ - In the **Password** box, type or paste the value of the APISecretKey that you created in Step 2.
-
+ - In the **Azure App ID** box, type or paste the value of the Azure Application App Id (also called the *client ID*) that you obtained in Step 1. 6. After the connection is successfully validated, click **Next**.
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
f1.keywords:
Previously updated : Last updated : audience: ITPro f1_keywords: - 'ms.o365.cc.DLPLandingPage' localization_priority: Priority-+ - M365-security-compliance - m365solution-mip - m365initiative-compliance
+search.appverid:
- MET150 description: "Prepare for and deploy the Microsoft Compliance Extension."
Deploying Microsoft Compliance Extension is a multi-phase process. You can choos
4. [Deploy using Group Policy](#deploy-using-group-policy) 5. [Test the Extension](#test-the-extension) 6. [Use the Alerts Management Dashboard to viewing Chrome DLP alerts](#use-the-alerts-management-dashboard-to-viewing-chrome-dlp-alerts)
-7. [Viewing Chrome DLP data in activity explorer](#viewing-chrome-dlp-data-in-activity-explorer)
+7. [Viewing Chrome DLP data in activity explorer](#viewing-chrome-dlp-data-in-activity-explorer)
### Prepare infrastructure
-If you are rolling out the Microsoft Compliance Extension to all your monitored Windows 10 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](endpoint-dlp-using.md#unallowed-browsers). If you are only rolling it out to a few devices, you can leave Chrome on the unallowed browser or unallowed app lists. The Microsoft Compliance Extension will bypass the restrictions of both lists for those computers where it is installed.
+If you are rolling out the Microsoft Compliance Extension to all your monitored Windows 10 devices, you should remove Google Chrome from the unallowed app and unallowed browser lists. For more information, see [Unallowed browsers](endpoint-dlp-using.md#unallowed-browsers). If you are only rolling it out to a few devices, you can leave Chrome on the unallowed browser or unallowed app lists. The Microsoft Compliance Extension will bypass the restrictions of both lists for those computers where it is installed.
### Prepare your devices
If you are rolling out the Microsoft Compliance Extension to all your monitored
### Basic Setup Single Machine Selfhost
-This is the recommended method.
+This is the recommended method.
-1. Sign in to the Windows 10 computer on which you want to install the Microsoft Compliance Extension on, and run this PowerShell script as an administrator.
+1. Sign in to the Windows 10 computer on which you want to install the Microsoft Compliance Extension on, and run this PowerShell script as an administrator.
```powershell Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- ```
+ ```
2. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco).
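Review bot: the PowerShell one-liner in step 1 is given with no explanation of what `DlpDisableBrowserCache` controls or why it is set to 0, even though the reader is told to run it as an administrator against HKLM. Add one sentence stating the effect of the value, and make the command explicit about the value type with `-PropertyType` so the result does not depend on cmdlet defaults. `Get-Item` will also fail if the "Miscellaneous Configuration" key is absent, so say what to do in that case. The step text still reads "on which you want to install the Microsoft Compliance Extension on"; drop the second "on".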
Before adding the Microsoft Compliance Extension to the list of force-installed
7. Select **Add**. 8. Enter the following policy information.
-
+ OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist`<br/> Data type: `String`<br/> Value: `<enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx"/>`
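Review bot: in the added Value line there is a space between the `&#xF000;` separator and the extension ID (`1&#xF000; echcggldkblhodogklpincgchnpgcdco;...`). Admins paste this string verbatim, and a leading space would become part of the forcelist entry, so the ID may not match the extension and the force-install may not take effect as written. Remove the space, and put the OMA-URI, data type and value in a code block so rendering cannot alter them.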
If you don't want to use Microsoft Endpoint Manager, you can use group policies
### Test the Extension
-#### Upload to cloud service, or access by unallowed browsers Cloud Egress
+#### Upload to cloud service, or access by unallowed browsers Cloud Egress
1. Create or get a sensitive item and, try to upload a file to one of your organizationΓÇÖs restricted service domains. The sensitive data must match one of our built-in [Sensitive Info Types](sensitive-information-type-entity-definitions.md), or one of your organizationΓÇÖs sensitive information types. You should get a DLP toast notification on the device you are testing from that shows that this action is not allowed when the file is open.
-#### Testing other DLP scenarios in Chrome
+#### Testing other DLP scenarios in Chrome
Now that youΓÇÖve removed Chrome from the disallowed browsers/apps list, you can test the scenarios below to confirm the behavior meets your organizationΓÇÖs requirements: - Copy data from a sensitive item to another document using the Clipboard
- - To test, open a file that is protected against copy to clipboard actions in the Chrome browser and attempt to copy data from the file.
- - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+ - To test, open a file that is protected against copy to clipboard actions in the Chrome browser and attempt to copy data from the file.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
- Print a document
- - To test, open a file that is protected against print actions in the Chrome browser and attempt to print the file.
- - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+ - To test, open a file that is protected against print actions in the Chrome browser and attempt to print the file.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
- Copy to USB Removeable Media
- - To test, try to save the file to a removeable media storage.
- - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
+ - To test, try to save the file to a removeable media storage.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
- Copy to Network Share
- - To test, try to save the file to a network share.
- - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
-
+ - To test, try to save the file to a network share.
+ - Expected Result: A DLP toast notification showing that this action is not allowed when the file is open.
### Use the Alerts Management Dashboard to viewing Chrome DLP alerts
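Review bot: every scenario in this test list (clipboard, print, USB, network share) ends with the same expected result, "this action is not allowed when the file is open", which appears copied from one case and does not tell the tester what a pass looks like for each action. State the expected notification per scenario. The introduction also says Chrome was removed from the "disallowed browsers/apps list", while the Prepare infrastructure section calls them the "unallowed" lists and permits leaving Chrome on them for partial rollouts; use one term and say which case these tests assume. "Removeable" should be "Removable".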
Now that youΓÇÖve removed Chrome from the disallowed browsers/apps list, you can
2. Refer to the procedures in [How to configure and view alerts for your DLP policies](dlp-configure-view-alerts-policies.md) to view alerts for your Endpoint DLP policies. - ### Viewing Chrome DLP data in activity explorer 1. Open the [Data classification page](https://compliance.microsoft.com/dataclassification?viewid=overview) for your domain in the Microsoft 365 Compliance center and choose **Activity explorer**.
Now that youΓÇÖve removed Chrome from the disallowed browsers/apps list, you can
2. Incognito mode is not supported and must be disabled. ## Next steps+ Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items. - [Using Endpoint data loss prevention](endpoint-dlp-using.md) ## See also -- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md)-- [Using Endpoint data loss prevention ](endpoint-dlp-using.md)
+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)
- [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)
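Review bot: item 2, "Incognito mode is not supported and must be disabled", states a requirement without saying how to meet it, and nothing in the visible deployment steps disables it. Since Incognito is unsupported, leaving this to the reader creates a monitoring gap on managed devices. Add the setting to the deployment procedure, for example Chrome's IncognitoModeAvailability policy, alongside the force-install policy. Also, "Using Endpoint data loss prevention" is linked under both Next steps and See also; one link is enough.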
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
localization_priority: None
+search.appverid:
- MOE150 - MET150 recommendations: false
Conditions and exceptions in DLP policies identify sensitive items that the poli
- Conditions define what to include - Exceptions define what to exclude. - Actions define what happens as a consequence of condition or exception being met
-
+ Most conditions and exceptions have one property that supports one or more values. For example, if the DLP policy is being applied to Exchange emails, the **The sender** is condition requires the sender of the message. Some conditions have two properties. For example, the **A message header includes any of these words** condition requires one property to specify the message header field, and a second property to specify the text to look for in the header field. Some conditions or exceptions donΓÇÖt have any properties. For example, the **Attachment is password protected** condition simply looks for attachments in messages that are password protected.
-Actions typically require additional properties. For example, when the DLP policy rule redirects a message, you need to specify where the message is redirected to.
+Actions typically require additional properties. For example, when the DLP policy rule redirects a message, you need to specify where the message is redirected to.
<!-- Some actions have multiple properties that are available or required. For example, when the rule adds a header field to the message header, you need to specify both the name and value of the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can also specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you can configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and redirect the same message.--> ## Conditions and exceptions for DLP policies
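Review bot: in the added paragraph the bold span is misplaced. "the **The sender** is condition" should read "the **The sender is** condition", matching how the other condition names in the same paragraph are bolded in full.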
This table describes the actions that are available in DLP.
|Forward the message for approval to senderΓÇÖs manager| Moderate|First property: *ModerateMessageByManager*</br> Second property: *Boolean*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ModerateMessageByManager = <$true \| $false>;| |Forward the message for approval to specific approvers| Moderate|First property: *ModerateMessageByUser*</br>Second property: *Addresses*|The Moderate parameter specifies an action for the DLP rule that sends the email message to a moderator. This parameter uses the syntax: @{ ModerateMessageByUser = @("emailaddress1","emailaddress2",..."emailaddressN")}| |Add recipient|AddRecipients|First property: *Field*</br>Second property: *Addresses*| Adds one or more recipients to the To/Cc/Bcc field of the message. This parameter uses the syntax: @{<AddToRecipients \| CopyTo \| BlindCopyTo> = "emailaddress"}|
-|Add the senderΓÇÖs manager as recipient|AddRecipients | First property: *AddedManagerAction*</br>Second property: *Field* | Adds the sender's manager to the message as the specified recipient type ( To, Cc, Bcc ), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory. This parameter uses the syntax: @{AddManagerAsRecipientType = "<To \| Cc \| Bcc>"}|
-Prepend subject |PrependSubject |String |Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.</br>To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the "The subject contains words" (ExceptIfSubjectContainsWords) exception to the rule.
-|Apply HTML disclaimer |ApplyHtmlDisclaimer |First property: *Text*</br>Second property: *Location*</br>Third property: *Fallback action* |Applies the specified HTML disclaimer to the required location of the message.</br>This parameter uses the syntax: @{ Text = ΓÇ£ ΓÇ¥ ; Location = <Append \| Prepend>; FallbackAction = <Wrap \| Ignore \| Reject> }
+|Add the senderΓÇÖs manager as recipient|AddRecipients | First property: *AddedManagerAction*</br>Second property: *Field* | Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory. This parameter uses the syntax: @{AddManagerAsRecipientType = "<To \| Cc \| Bcc>"}|
+Prepend subject |PrependSubject |String |Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.</br>To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the "The subject contains words" (ExceptIfSubjectContainsWords) exception to the rule.|
+|Apply HTML disclaimer |ApplyHtmlDisclaimer |First property: *Text*</br>Second property: *Location*</br>Third property: *Fallback action* |Applies the specified HTML disclaimer to the required location of the message.</br>This parameter uses the syntax: @{ Text = ΓÇ£ ΓÇ¥ ; Location = <Append \| Prepend>; FallbackAction = <Wrap \| Ignore \| Reject> }|
|Remove Office 365 Message Encryption and rights protection | RemoveRMSTemplate | n/a| Removes Office 365 encryption applied on an email|
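Review bot: the added "Prepend subject" row gains a trailing pipe but still starts without a leading `|`, unlike the neighbouring rows, so the table formatting remains inconsistent after the fix; add the leading pipe in the same change. In the unchanged Moderate row, the syntax `@{ModerateMessageByManager = <$true \| $false>;` is missing its closing brace, and the ApplyHtmlDisclaimer syntax shows an empty Text value between typographic quotes. Readers copy both into PowerShell, so they should be valid as shown.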
compliance Dlp Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoints-sccm.md
audience: ITPro
localization_priority: Normal--- M365-security-compliance +
+- M365-security-compliance
search.appverid:-- MET150
+- MET150
description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
description: Use Configuration Manager to deploy the configuration package on de
2. In the navigation pane, select **Settings** > **Device Onboarding** > **Onboarding**. 3. In the **Deployment method** field, select **Microsoft Endpoint Configuration Manager 2012/2012 R2/1511/1602**.
-
+ 4. Select **Download package**, and save the .zip file. 5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *DeviceComplianceOnboardingScript.cmd*.
description: Use Configuration Manager to deploy the configuration package on de
> [!NOTE] > Microsoft 365 Endpoint data loss prevention doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
->[!TIP]
+> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). > > Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
->
+>
> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. > This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". For more information, see [Configure Detection Methods in System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682159(v=technet.10)#step-4-configure-detection-methods-to-indicate-the-presence-of-the-deployment-type).
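Review bot: the tip still contains "verify that an device is properly onboarded"; change "an device" to "a device" while the callout markers are being normalized. The registry check is the part admins will copy into a detection rule, so the value name `OnboardingState`, its type and the key path would be safer in code formatting than in quotation marks.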
For more information, see [Configure Detection Methods in System Center 2012 R2
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
->[!NOTE]
->These configuration settings are typically done through Configuration Manager.
+> [!NOTE]
+> These configuration settings are typically done through Configuration Manager.
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
The following configuration settings are recommended:
**Attack surface reduction** Configure all available rules to Audit.
->[!NOTE]
+> [!NOTE]
> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections. **Network protection**
If you use Microsoft Endpoint Configuration Manager current branch, see [Create
3. Select Windows 10 as the operating system. 4. In the **Deployment method** field, select **Microsoft Endpoint Configuration Manager 2012/2012 R2/1511/1602**.
-
+ 5. Select **Download package**, and save the .zip file. 6. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *DeviceComplianceOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
compliance Dlp Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoints-vdi.md
audience: ITPro
localization_priority: Normal--- M365-security-compliance +
+- M365-security-compliance
search.appverid:-- MET150
+- MET150
description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to the Microsoft 365 Endpoint data loss prevention service.
description: Deploy the configuration package on virtual desktop infrastructure
- Virtual desktop infrastructure (VDI) devices
->[!WARNING]
+> [!WARNING]
> Microsoft 365 Endpoint data loss prevention support for Windows Virtual Desktop supports single session scenarios. Multi-session scenarios on Windows Virtual Desktop are currently not supported. ## Onboard VDI devices
-Microsoft 365 Endpoint data loss prevention supports non-persistent VDI session onboarding.
+Microsoft 365 Endpoint data loss prevention supports non-persistent VDI session onboarding.
->[!Note]
->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10 1809 or higher.
+> [!NOTE]
+> To onboard non-persistent VDI sessions, VDI devices must be on Windows 10 1809 or higher.
There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
There might be associated challenges when onboarding VDIs. The following are typ
VDI devices can appear in the Microsoft 365 Compliance center as either: -- Single entry for each device.
+- Single entry for each device.
Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. - Multiple entries for each device - one for each session. The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
->[!WARNING]
-> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft 365 Endpoint data loss prevention onboarding.
+> [!WARNING]
+> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft 365 Endpoint data loss prevention onboarding.
-1. Open the VDI configuration package .zip file (*DeviceCompliancePackage.zip*) that you downloaded from the service onboarding wizard.
+1. Open the VDI configuration package .zip file (*DeviceCompliancePackage.zip*) that you downloaded from the service onboarding wizard.
-2. In the navigation pane, select **Settings** > **Device onboarding** > **Onboarding**.
+2. In the navigation pane, select **Settings** > **Device onboarding** > **Onboarding**.
3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
-5. Click **Download package** and save the .zip file.
+4. Click **Download package** and save the .zip file.
-6. Copy the files from the DeviceCompliancePackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+5. Copy the files from the DeviceCompliancePackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
-7. If you are not implementing a single entry for each device, copy DeviceComplianceOnboardingScript.cmd.
+6. If you are not implementing a single entry for each device, copy DeviceComplianceOnboardingScript.cmd.
+
+7. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and DeviceComplianceOnboardingScript.cmd.
-8. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and DeviceComplianceOnboardingScript.cmd.
-
> [!NOTE] > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
-9. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
+8. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
> [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
-4. Depending on the method you'd like to implement, follow the appropriate steps:
+9. Depending on the method you'd like to implement, follow the appropriate steps:
**For single entry for each device**
-
+ Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
-
+ **For multiple entries for each device**:
-
+ Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `DeviceComplianceOnboardingScript.cmd`.
-5. Test your solution:
+10. Test your solution:
+ 1. Create a pool with one device.
+ 1. Logon to device.
+ 1. Logoff from device.
+ 1. Logon to device with another user.
+ 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
+ **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
- 1. Create a pool with one device.
-
- 1. Logon to device.
-
- 1. Logoff from device.
+11. Click **Devices list** on the Navigation pane.
- 1. Logon to device with another user.
-
- 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
- **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
+12. Use the search function by entering the device name and select **Device** as search type.
-6. Click **Devices list** on the Navigation pane.
+## Updating non-persistent virtual desktop infrastructure (VDI) images
-7. Use the search function by entering the device name and select **Device** as search type.
+As a best practice, we recommend using offline servicing tools to patch golden/master images.
-## Updating non-persistent virtual desktop infrastructure (VDI) images
-As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
For example, you can use the below commands to install an update while the image remains offline: ```console
-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu" DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit ``` For more information on DISM commands and offline servicing, please refer to the articles below:+ - [Modify a Windows image using DISM](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) - [DISM Image Management Command-Line Options](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) - [Reduce the Size of the Component Store in an Offline Windows Image](/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
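Review bot: the renumbered onboarding procedure is sequential now, but the order is still wrong. Step 1 opens the *DeviceCompliancePackage.zip* "that you downloaded", while steps 2 to 4 are the ones that select the deployment method and download it; move the download steps first. In step 9, `DeviceComplianceOnboardingScript.cmd` is called "the onboarding bash script", but it is a Windows command script. The test in step 10 checks entries in Microsoft Defender Security Center although this section says VDI devices appear in the Microsoft 365 Compliance center; name the portal the DLP admin will actually use.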
If offline servicing is not a viable option for your non-persistent VDI environm
5. Re-seal the golden/master image as you normally would. ## Related topics+ - [Onboard Windows 10 devices using Group Policy](dlp-configure-endpoints-gp.md) - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](dlp-configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](dlp-configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](dlp-configure-endpoints-script.md)-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
compliance Dlp Learn About Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-learn-about-dlp.md
f1.keywords:
Previously updated : Last updated : audience: ITPro localization_priority: Normal-+ - M365-security-compliance
+search.appverid:
- MET150 description: "Learn how to protect your sensitive information using Microsoft 365 data loss prevention policies and tools and take a tour through the DLP lifecycle."
In Microsoft 365, you implement data loss prevention by defining and applying DL
- on-premises file shares and on-premises SharePoint. Microsoft 365 detects sensitive items by using deep content analysis, not by just a simple text scan. Content is analyzed for primary data matches to keywords, by the evaluation of regular expressions, by internal function validation, and by secondary data matches that are in proximity to the primary data match. Beyond that DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies.
-
+ ## DLP is part of the larger Microsoft 365 Compliance offering Microsoft 365 DLP is just one of the Microsoft 365 Compliance tools that you will use to help protect your sensitive items wherever they live or travel. You should understand the other tools in the Microsoft 365 Compliance tools set, how they interrelate, and work better together. See, [Microsoft 365 compliance tools](protect-information.md) to learn more about the information protection process.
Microsoft 365 DLP monitoring and protection are native to the applications that
**Technology planning for DLP**
-Keep in mind that DLP as a technology can monitor and protect your data at rest, data in use and data in motion across Microsoft 365 services, Windows 10 devices, on-premises file shares, and on-premises SharePoint. There are planning implications for the different locations, the type of data you want to monitor and protect, and the actions to be taken when a policy match occurs.
+Keep in mind that DLP as a technology can monitor and protect your data at rest, data in use and data in motion across Microsoft 365 services, Windows 10 devices, on-premises file shares, and on-premises SharePoint. There are planning implications for the different locations, the type of data you want to monitor and protect, and the actions to be taken when a policy match occurs.
**Business processes planning for DLP**
While in test mode, monitor the outcomes of the policy and fine-tune it so that
#### Enable the control and tune your policies
-Once the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application and tune as needed. In general, policies take effect about an hour after being turned on.
+Once the policy meets all your objectives, turn it on. Continue to monitor the outcomes of the policy application and tune as needed. In general, policies take effect about an hour after being turned on.
<!--See, LINK TO topic for SLAs for location specific details-->
You have flexibility in how you create and configure your DLP policies. You can
- A predefined policy template: Financial data, Medical and health data, Privacy data all for various countries and regions. - A custom policy that uses the available sensitive information types, retention labels, and sensitivity labels. 2. **Choose where you want to monitor** - You pick one or more locations that you want DLP to monitor for sensitive information. You can monitor:
-
+ location | include/exclude by| ||| |Exchange email| distribution groups|
location | include/exclude by|
- SharePoint/Exchange/OneDrive: Block people who are outside your organization form accessing the content. Show the user a tip and send them an email notification that they are taking an action that is prohibited by the DLP policy. - Teams Chat and Channel: Block sensitive information from being shared in the chat or channel-- Windows 10 Devices: Audit or restrict copying a sensitive item to a removeable USB device
+- Windows 10 Devices: Audit or restrict copying a sensitive item to a removeable USB device
- Office Apps: Show a popup notifying the user that they are engaging in a risky behavior and block or block but allow override. - On-premises file shares: move the file from where it is stored to a quarantine folder
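Review bot: the unchanged SharePoint/Exchange/OneDrive bullet says "Block people who are outside your organization form accessing the content"; "form" should be "from". The Windows 10 Devices bullet being re-added spells "removeable", which should be "removable".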
location | include/exclude by|
All DLP policies are created and maintained in the Microsoft 365 Compliance center. See, INSERT LINK TO ARTICLE THAT WILL START WALKING THEM THROUGH THE POLICY CREATION PROCEDURES for more information.--> After you create a DLP policy in the Compliance Center, it's stored in a central policy store, and then synced to the various content sources, including:
-
+ - Exchange Online, and from there to Outlook on the web and Outlook. - OneDrive for Business sites. - SharePoint Online sites. - Office desktop programs (Excel, PowerPoint, and Word). - Microsoft Teams channels and chat messages.
-
+ After the policy's synced to the right locations, it starts to evaluate content and enforce actions. ## Viewing policy application results
-DLP reports a vast amount of information into Microsoft 365 from monitoring, policy matches and actions, and user activities. You'll need to consume and act on that information to tune your policies and triage actions taken on sensitive items. The telemetry goes into the [Microsoft 365 Compliance center Audit Logs](search-the-audit-log-in-security-and-compliance.md#search-the-audit-log-in-the-compliance-center) first, is processed, and makes its way to different reporting tools. Each reporting tool has a different purpose.
+DLP reports a vast amount of information into Microsoft 365 from monitoring, policy matches and actions, and user activities. You'll need to consume and act on that information to tune your policies and triage actions taken on sensitive items. The telemetry goes into the [Microsoft 365 Compliance center Audit Logs](search-the-audit-log-in-security-and-compliance.md#search-the-audit-log-in-the-compliance-center) first, is processed, and makes its way to different reporting tools. Each reporting tool has a different purpose.
### DLP Alerts Dashboard
The [DLP reports](view-the-dlp-reports.md#view-the-reports-for-data-loss-prevent
The Activity explorer tab on the DLP page has the *Activity* filter preset to *DLPRuleMatch*. Use this tool to review activity related to content that contains sensitive info or has labels applied, such as what labels were changed, files were modified, and matched a rule.
-![screenshot of the DLPRuleMatch scoped activity explorer ](../media/dlp-activity-explorer.png)
+![screenshot of the DLPRuleMatch scoped activity explorer](../media/dlp-activity-explorer.png)
For more information, see [Get started with activity explorer](data-classification-activity-explorer.md)
To learn more about Microsoft 365 DLP, see:
- [Learn about the Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) - [Learn about the data loss prevention Alerts dashboard](dlp-alerts-dashboard-learn.md)
-To learn how to use data loss prevention to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).
+To learn how to use data loss prevention to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).
compliance Dlp Use Policies Non Microsoft Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps.md
To use DLP policy to a specific non-Microsoft cloud app, the app must be connect
After you connect your cloud apps to Cloud App Security, you can create Microsoft 365 DLP policies for them.
->[!NOTE]
->It's also possible to use Microsoft Cloud App Security to create DLP policies to Microsoft cloud apps. However, it's recommended to use Microsoft 365 to create and manage DLP policies to Microsoft cloud apps.
+> [!NOTE]
+> It's also possible to use Microsoft Cloud App Security to create DLP policies to Microsoft cloud apps. However, it's recommended to use Microsoft 365 to create and manage DLP policies to Microsoft cloud apps.
## Create a DLP policy to a non-Microsoft cloud app
When you create a rule in the DLP policy, you can select an action for non-Micro
![Restrict third-party apps](../media/4-dlp-non-microsoft-cloud-app-restrict-third-party-apps.png)
->[NOTE]
->DLP policies applied to non-Microsoft apps use Microsoft Cloud App Security. When the DLP policy for a non-Microsoft app is created, the same policy will be automatically created in Microsoft Cloud App Security.
+> [NOTE]
+> DLP policies applied to non-Microsoft apps use Microsoft Cloud App Security. When the DLP policy for a non-Microsoft app is created, the same policy will be automatically created in Microsoft Cloud App Security.
-For information about creating and configuring DLP policies, see [Create test and tune a DLP policy](./create-test-tune-dlp-policy.md?view=o365-worldwide).
+For information about creating and configuring DLP policies, see [Create test and tune a DLP policy](./create-test-tune-dlp-policy.md).
## See Also -- [Create test and tune a DLP policy](./create-test-tune-dlp-policy.md?view=o365-worldwide)-- [Get started with the default DLP policy](./get-started-with-the-default-dlp-policy.md?view=o365-worldwide)-- [Create a DLP policy from a template](./create-a-dlp-policy-from-a-template.md?view=o365-worldwide)
+- [Create test and tune a DLP policy](./create-test-tune-dlp-policy.md)
+- [Get started with the default DLP policy](./get-started-with-the-default-dlp-policy.md)
+- [Create a DLP policy from a template](./create-a-dlp-policy-from-a-template.md)
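Review bot: the alert under the "Restrict third-party apps" image is still written without the exclamation mark (`+> [NOTE]`), so it renders as an ordinary block quote rather than a note. Change it to `> [!NOTE]`, the form the other alert in this file already uses after this change.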
compliance Double Key Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/double-key-encryption.md
Choose whether to use email or role authorization. DKE supports only one of thes
- **Role authorization**. Allows your organization to authorize access to keys based on Active Directory groups, and requires that the web service can query LDAP.
-**To set key access settings for DKE using email authorization**
+##### To set key access settings for DKE using email authorization
1. Open the **appsettings.json** file and locate the `AuthorizedEmailAddress` setting.
This image shows the **appsettings.json** file correctly formatted for email aut
![The appsettings.json file showing email authorization method](../media/dke-email-accesssetting.png)
-**To set key access settings for DKE using role authorization**
+##### To set key access settings for DKE using role authorization
1. Open the **appsettings.json** file and locate the `AuthorizedRoles` setting.
This image shows the **appsettings.json** file correctly formatted for role auth
DKE tenant and key settings are located in the **appsettings.json** file.
-**To configure tenant and key settings for DKE**
+##### To configure tenant and key settings for DKE
1. Open the **appsettings.json** file.
DKE tenant and key settings are located in the **appsettings.json** file.
"https://sts.windows.net/9c99431e-b513-44be-a7d9-e7b500002d4b/" ] ```+ > [!NOTE] > If you want to enable external B2B access to your key store, you will also need to include these external tenants as part of the valid issuers' list.
You may prefer other methods to deploy your keys. Select the method that works b
For pilot deployments, you can deploy in Azure and get started right away.
-**To create an Azure Web App instance to host your DKE deployment**
+#### To create an Azure Web App instance to host your DKE deployment
To publish the key store, you'll create an Azure App Service instance to host your DKE deployment. Next, you'll publish your generated keys to Azure.
To register the DKE service:
4. Select **Save** at the top to save your changes.
- 5. Repeat these steps, but this time, define the client ID as `c00e9d32-3c8d-4a7d-832b-029040e7db99`. This value is the Azure Information Protection unified labeling client ID.
+ 5. Repeat these steps, but this time, define the client ID as `c00e9d32-3c8d-4a7d-832b-029040e7db99`. This value is the Azure Information Protection unified labeling client ID.
Your DKE service is now registered. Continue by [creating labels using DKE](#create-sensitivity-labels-using-dke).
compliance Enable Mailbox Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-mailbox-auditing.md
Logon types classify the user that did the audited actions on the mailbox. The f
The following table describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes. -- A check mark ( ![Check mark](../media/checkmark.png)) indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).
+- A check mark (![Check mark](../media/checkmark.png)) indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).
- An asterisk ( <sup>\*</sup> ) after the check mark indicates the mailbox action is logged by default for the logon type. - Remember, an admin with Full Access permission to a mailbox is considered a delegate.
compliance Encryption Office 365 Certificate Chains Itar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-office-365-certificate-chains-itar.md
The following certificate information applies to **all DOD and GCC High customer
Last updated: **10/16/2020**
->[!NOTE]
->For certificate information that applies to **worldwide customers**, see [Microsoft 365 encryption chains](encryption-office-365-certificate-chains.md).
+> [!NOTE]
+> For certificate information that applies to **worldwide customers**, see [Microsoft 365 encryption chains](encryption-office-365-certificate-chains.md).
| **Certificate type** | **P7b download** | **CRL Endpoints** | **OCSP Endpoints** | | | | | | |
compliance Encryption Office 365 Certificate Chains https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-office-365-certificate-chains.md
Microsoft 365 leverages a number of different certificate providers. The followi
Last updated: **10/16/2020**
->[!NOTE]
->For certificate information that applies to **DOD and GCC High** customers, see [Microsoft 365 encryption chains - DOD and GCC High](encryption-office-365-certificate-chains-itar.md).
+> [!NOTE]
+> For certificate information that applies to **DOD and GCC High** customers, see [Microsoft 365 encryption chains - DOD and GCC High](encryption-office-365-certificate-chains-itar.md).
| **Certificate type** | **P7b download** | **CRL Endpoints** | **OCSP Endpoints** | **AIA Endpoints** | | | | | | |
compliance Endpoint Dlp Configure Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-configure-proxy.md
f1_keywords:
- 'ms.o365.cc.DLPLandingPage' localization_priority: Priority-+ - M365-security-compliance - m365solution-mip - m365initiative-compliance
+search.appverid:
- MET150 description: "Learn how to Configure device proxy and internet connection settings for Endpoint DLP."
The WinHTTP configuration setting is independent of the Windows Internet (WinINe
> If youΓÇÖre using Transparent proxy or WPAD in your network topology, you donΓÇÖt need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Endpoint DLP cloud service URLs in the proxy server](#enable-access-to-endpoint-dlp-cloud-service-urls-in-the-proxy-server). - Manual static proxy configuration:
- - Registry-based configuration
- - WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
+ - Registry-based configuration
+ - WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
The static proxy is configurable through Group Policy (GP). The group policy can
1. Open **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**
-2. Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
+2. Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
+
+ ![Image of group policy settings 1](../media/atp-gpo-proxy1.png)
-![Image of group policy settings 1](../media/atp-gpo-proxy1.png)
-
3. Open **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- Configure the proxy
+ Configure the proxy
-![Image of group policy settings 2](../media/atp-gpo-proxy2.png)
+ ![Image of group policy settings 2](../media/atp-gpo-proxy2.png)
-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+ The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
-The registry value TelemetryProxyServer is in this format \<server name or ip\>:\<port\>. For example: **10.0.0.6:8080**
+ The registry value TelemetryProxyServer is in this format \<server name or ip\>:\<port\>. For example: **10.0.0.6:8080**
-The registry value `DisableEnterpriseAuthProxy` should be set to 1.
+ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
## Configure the proxy server manually using "netsh" command
Use netsh to configure a system-wide static proxy.
1. Open an elevated command line: 1. Go to **Start** and type **cmd**
- 1. Right-click **Command prompt** and select **Run as administrator**.
-2. Enter the following command and press **Enter**:
+ 2. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command and press **Enter**:
- `netsh winhttp set proxy <proxy>:<port>`
+ `netsh winhttp set proxy <proxy>:<port>`
- For example: **netsh winhttp set proxy 10.0.0.6:8080**
+ For example: **netsh winhttp set proxy 10.0.0.6:8080**
3. To reset the winhttp proxy, enter the following command and press **Enter**:
- `netsh winhttp reset proxy`
+ `netsh winhttp reset proxy`
See [Netsh Command Syntax, Contexts, and Formatting](/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. - ## Enable access to Endpoint DLP cloud service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list.
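Review bot: literal values in the re-indented lines are formatted inconsistently. `TelemetryProxyServer` is in backticks where the policy is described but plain in the sentence that gives its format, and the examples `**10.0.0.6:8080**` and `**netsh winhttp set proxy 10.0.0.6:8080**` are bold while the commands beside them are in backticks. Since these lines are being touched anyway, put the registry value names, example values and example commands in backticks so they copy cleanly and read the same way throughout.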
Verify the proxy configuration completed successfully, that WinHTTP can discover
3. Open an elevated command line: 1. Go to **Start** and type **cmd**. 1. Right-click **Command prompt** and select **Run as administrator**.
-4. Enter the following command and press **Enter**:
-
-`HardDrivePath\MDATPClientAnalyzer.cmd`
+4. Enter the following command and press **Enter**:
-Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
-
-**C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd**
+ `HardDrivePath\MDATPClientAnalyzer.cmd`
+ Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
-5. Extract the **MDATPClientAnalyzerResult.zip*** file created by tool in the folder used in the *HardDrivePath*.
+ **C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd**
-6. Open **MDATPClientAnalyzerResult.txt** and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the **MDATPClientAnalyzerResult.txt** file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
+5. Extract the **MDATPClientAnalyzerResult.zip*** file created by tool in the folder used in the *HardDrivePath*.
- **Testing URL: https://xxx.microsoft.com/xxx </br>
-1 - Default proxy: Succeeded (200) </br>
-2 - Proxy auto discovery (WPAD): Succeeded (200)</br>
-3 - Proxy disabled: Succeeded (200)</br>
-4 - Named proxy: Doesn't exist</br>
-5 - Command-line proxy: Doesn't exist**</br>
+6. Open **MDATPClientAnalyzerResult.txt** and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the **MDATPClientAnalyzerResult.txt** file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
+ ```DOS
+ Testing URL: https://xxx.microsoft.com/xxx
+ 1 - Default proxy: Succeeded (200)
+ 2 - Proxy auto discovery (WPAD): Succeeded (200)
+ 3 - Proxy disabled: Succeeded (200)
+ 4 - Named proxy: Doesn't exist
+ 5 - Command-line proxy: Doesn't exist
+ ```
-If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
+If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Endpoint DLP cloud service URLs in the proxy server](#enable-access-to-endpoint-dlp-cloud-service-urls-in-the-proxy-server). The URLs youΓÇÖll use will depend on the region selected during the onboarding procedure.
-[!NOTE] The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
-
-[!NOTE] When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it canΓÇÖt access the defined proxy.
-Related topics
-ΓÇó Onboard Windows 10 devices
-ΓÇó Troubleshoot Microsoft Endpoint DLP onboarding issues
---
+> [!NOTE]
+>
+> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+>
+> When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it canΓÇÖt access the defined proxy. Related topics:
+>
+> - Onboard Windows 10 devices
+> - Troubleshoot Microsoft Endpoint DLP onboarding issues
## See also -- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md)-- [Using Endpoint data loss prevention ](endpoint-dlp-using.md)
+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)
- [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)
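Review bot: the rewritten alert at the end of the verification steps now contains the "Related topics:" label and its two bullets (`+> - Onboard Windows 10 devices`), so the navigation list renders inside the note, and the two previously separate notes (the ASR rule incompatibility and the fallback to direct connection) are merged into one. Keep each note as its own `> [!NOTE]` block and move the related topics out of the block quote, or drop them in favour of the "See also" list that follows. In step 5, `**MDATPClientAnalyzerResult.zip***` also keeps a stray third asterisk and "created by tool" is missing "the".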
Related topics
- [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints) - [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) - [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)-- [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium)
+- [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium)
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
f1_keywords:
- 'ms.o365.cc.DLPLandingPage' localization_priority: Priority-+ - M365-security-compliance - m365solution-mip - m365initiative-compliance
+search.appverid:
- MET150 description: "Set up Microsoft 365 Endpoint data loss prevention to monitor file activities and implement protective actions for those files to endpoints."
Before you get started with Endpoint DLP, you should confirm your [Microsoft 365
- Microsoft 365 E5 information protection and governance - Microsoft 365 A5 information protection and governance - ### Permissions To enable device management, the account you use must be a member of any one of these roles:
Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
1. Must be running Windows 10 x64 build 1809 or later.
-2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.
+2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.
> [!NOTE] > None of Windows Security components need to be active, you can run Endpoint DLP independent of Windows Security status, but the [Real-time protection and Behavior monitor](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)) must be enabled.
-
-3. The following Windows Updates are installed.
-
+
+3. The following Windows Updates are installed.
+ > [!NOTE] > These updates are not a pre-requisite to onboard a device to Endpoint DLP, but contain fixes for important issues thus must be installed before using the product.
- - For Windows 10 1809 - KB4559003, KB4577069, KB4580390
- - For Windows 10 1903 or 1909 - KB4559004, KB4577062, KB4580386
- - For Windows 10 2004 - KB4568831, KB4577063
- - For devices running Office 2016 (and not any other Office version) - KB4577063
+ - For Windows 10 1809 - KB4559003, KB4577069, KB4580390
+ - For Windows 10 1903 or 1909 - KB4559004, KB4577062, KB4580386
+ - For Windows 10 2004 - KB4568831, KB4577063
+ - For devices running Office 2016 (and not any other Office version) - KB4577063
4. All devices must be one of these:-- [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join)-- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)-- [AAD registered](/azure/active-directory/user-help/user-help-register-device-on-network)+
+ - [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join)
+ - [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+ - [AAD registered](/azure/active-directory/user-help/user-help-register-device-on-network)
5. Install Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload to cloud activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).
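Review bot: the note under step 2 still ends its link with an unbalanced closing parenthesis (`...configure-real-time-protection-microsoft-defender-antivirus)) must be enabled`), which leaves a stray ")" in the rendered requirement that real-time protection and behavior monitoring be enabled. Remove the extra parenthesis while the surrounding list is being re-indented.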
In this deployment scenario, you'll onboard devices that have not been onboarded
1. Open the [Microsoft compliance center](https://compliance.microsoft.com).
-2. Open the Compliance Center settings page and choose **Onboard devices**.
+2. Open the Compliance Center settings page and choose **Onboard devices**.
> [!div class="mx-imgBorder"] > ![enable device management](../media/endpoint-dlp-learn-about-1-enable-device-management.png)
In this deployment scenario, you'll onboard devices that have not been onboarded
> [!div class="mx-imgBorder"] > ![deployment method](../media/endpoint-dlp-getting-started-3-deployment-method.png)
-
+ 6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5: - Onboard Windows 10 machines using Group Policy
In this scenario, Microsoft Defender for Endpoint is already deployed and there
> [!div class="mx-imgBorder"] > ![device management](../media/endpoint-dlp-getting-started-2-device-management.png)
-
+ 4. Choose **Onboarding** if you need to onboard additional devices. 5. Choose the way you want to deploy to these additional devices from the **Deployment method** list and then **Download package**. 6. Follow the appropriate procedures in [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). This link takes you to a landing page where you can access Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:- - Onboard Windows 10 machines using Group Policy - Onboard Windows machines using Microsoft Endpoint Configuration Manager - Onboard Windows 10 machines using Mobile Device Management tools
Once done and endpoint is onboarded, it should be visible under the **Devices**
2. Refer to the procedures in [How to configure and view alerts for your DLP policies](dlp-configure-view-alerts-policies.md) to view alerts for your Endpoint DLP policies. - ### Viewing Endpoint DLP data in activity explorer 1. Open the [Data classification page](https://compliance.microsoft.com/dataclassification?viewid=overview) for your domain in the Microsoft 365 Compliance center and choose Activity explorer.
Once done and endpoint is onboarded, it should be visible under the **Devices**
> ![activity explorer filter for endpoint devices](../media/endpoint-dlp-4-getting-started-activity-explorer.png) ## Next steps+ Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items. - [Using Endpoint data loss prevention](endpoint-dlp-using.md) ## See also -- [Learn about Endpoint data loss prevention ](endpoint-dlp-learn-about.md)-- [Using Endpoint data loss prevention ](endpoint-dlp-using.md)
+- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
+- [Using Endpoint data loss prevention](endpoint-dlp-using.md)
- [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
f1_keywords:
- 'ms.o365.cc.DLPLandingPage' localization_priority: Priority-+ - M365-security-compliance - m365solution-mip - m365initiative-compliance
+search.appverid:
- MET150 description: "Microsoft 365 Endpoint data loss prevention extends monitoring of file activities and protective actions for those files to endpoints. Files are made visible in the Microsoft 365 compliance solutions "
You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that
## Endpoint activities you can monitor and take action on
-Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10.
+Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10.
|Activity |Description | Auditable/restictable| ||||
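Review bot: the table header directly below the edited sentence still reads `Auditable/restictable`. Correct it to "Auditable/restrictable" in the same change, since this column is what tells readers which activities can be blocked rather than only audited.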
Microsoft Endpoint DLP enables you to audit and manage the following types of ac
|create an item|Detects when a user creates an item| auditable| |rename an item|Detects when a user renames an item| auditable|
- ## Monitored files
+## Monitored files
Endpoint DLP supports monitoring of these file types:
Endpoint DLP supports monitoring of these file types:
- .cs files - .h files - .java files
-
+ By default, endpoint DLP audits the activities for these file types, even if there isn't a policy match. If you only want monitoring data from policy matches, you can turn off the **Always audit file activity for devices** in the endpoint DLP global settings. If this setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.
-Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed.
+Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed.
## What's different in Endpoint DLP
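Review bot: the last changed sentence only loses trailing whitespace and keeps the misplaced hyphen in "monitors activity-based on MIME type". It should read "monitors activity based on MIME type"; the hyphen obscures the point that renaming a file's extension does not take it out of monitoring.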
For example, if a file is copied to removable USB media, you'd see these attribu
Now that you've learned about Endpoint DLP, your next steps are:
-1) [Getting started with Microsoft Endpoint data loss prevention ](endpoint-dlp-getting-started.md)
-2) [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md)
+1. [Getting started with Microsoft Endpoint data loss prevention](endpoint-dlp-getting-started.md)
+2. [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md)
## See also
Now that you've learned about Endpoint DLP, your next steps are:
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)-- [Insider Risk management](insider-risk-management.md)
+- [Insider Risk management](insider-risk-management.md)
compliance Error Remediation When Processing Data In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/error-remediation-when-processing-data-in-advanced-ediscovery.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal-+
+search.appverid:
- MOE150 - MET150
+ms.assetid:
description: Learn how to use error remediation to correct data issues in Advanced eDiscovery that might prevent proper processing of content.
Use the following workflow to remediate files with errors in Advanced eDiscovery
## Create an error remediation session to remediate files with processing errors
->[!NOTE]
->If the the error remediation wizard is closed at any time during the following procedure, you can return to the error remediation session from the **Processing** tab by selecting **Remediations** in the **View** drop-down menu.
+> [!NOTE]
+> If the the error remediation wizard is closed at any time during the following procedure, you can return to the error remediation session from the **Processing** tab by selecting **Remediations** in the **View** drop-down menu.
1. On the **Processing** tab in the Advanced eDiscovery case, select **Errors** in the **View** drop-down menu and then select a review set or the entire case in the **Scope** drop-down menu. This section displays all errors from the case or error from a specific review set.
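Review bot: the reformatted note keeps the doubled word in `+> If the the error remediation wizard is closed`. Drop the second "the" while the line is being rewritten.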
Use the following workflow to remediate files with errors in Advanced eDiscovery
![Download files](../media/6ac04b09-8e13-414a-9e24-7c75ba586363.png)
-5. To download files, specify the **Destination path for download**. This is a path to the parent folder on your local computer where the file will be downloaded. The default path, %USERPROFILE%\Downloads\errors, points to the logged-in user's downloads folder. You can change this path if desired. If you do change it, we recommend that you use a local file path for the best performance. Don't use a remote network path. For example, you could use the path **C:\Remediation**.
+5. To download files, specify the **Destination path for download**. This is a path to the parent folder on your local computer where the file will be downloaded. The default path, %USERPROFILE%\Downloads\errors, points to the logged-in user's downloads folder. You can change this path if desired. If you do change it, we recommend that you use a local file path for the best performance. Don't use a remote network path. For example, you could use the path **C:\Remediation**.
The path to the parent folder is automatically added to AzCopy command (as the value of the **/Dest** parameter).
-6. Copy the predefined command by clicking **Copy to clipboard**. Open a Windows Command Prompt, paste the AzCopy command, and then press **Enter**.
+6. Copy the predefined command by clicking **Copy to clipboard**. Open a Windows Command Prompt, paste the AzCopy command, and then press **Enter**.
- ![Prepare for error remediation](../media/f364ab4d-31c5-4375-b69f-650f694a2f69.png)
+ ![Prepare for error remediation](../media/f364ab4d-31c5-4375-b69f-650f694a2f69.png)
> [!NOTE] > You must use AzCopy v8.1 to successfully use the command that's provided on the **Download files** page. You also must use AzCopy v8.1 to upload the files in step 10. To install this version of AzCopy, see [Transfer data with the AzCopy v8.1 on Windows](/previous-versions/azure/storage/storage-use-azcopy). If the supplied AzCopy command fails, please see [Troubleshoot AzCopy in Advanced eDiscovery](troubleshooting-azcopy.md).
Use the following workflow to remediate files with errors in Advanced eDiscovery
11. After you run the AzCopy command, click **Next: Process files**.
- When processing is complete, you can go to review set and view the remediated files.
+ When processing is complete, you can go to review set and view the remediated files.
## Remediating errors in container files
Sometimes it's not possible to remediate a file to native format that Advanced e
## What happens when files are remediated
-When remediated files are uploaded, the original metadata is preserved except for the following fields:
+When remediated files are uploaded, the original metadata is preserved except for the following fields:
- ExtractedTextSize - HasText
compliance Event Driven Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/event-driven-retention.md
When you create the event, choose the same event type specified in the retention
Alternatively, if you need to create an event for multiple retention labels that have different event types, select the **Choose Existing Labels** option. Then, select the labels that are configured for the event types you want to associate with this event.
-### Step 7: Enter keywords or an asset ID
+### Step 7: Enter keywords or query for Exchange, asset ID for SharePoint and OneDrive
-Now you narrow the scope of the content by specifying asset IDs for SharePoint and OneDrive content, or keywords for Exchange content. For asset IDs, retention will be enforced only on content with the specified *property:value* pair. If an asset ID is not entered, all content with labels of that event type get the same retention date applied to them.
+Now you narrow the scope of the content. For Exchange content, you do this by specifying keywords or a query. For SharePoint and OneDrive content, you do this by specifying asset IDs.
+
+For Exchange items, use keywords or a query that uses Keyword Query Language (KQL). For more information about the query syntax, see [Keyword Query Language (KQL) syntax reference](/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference). For more information about the searchable properties that you can use for Exchange, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
+
+For asset IDs, retention will be enforced only on content with the specified *property:value* pair. For example, if you're using the Asset ID property, enter `ComplianceAssetID:<value>` in the box for asset IDs shown in the following picture.
+
+If an asset ID is not entered, all content with labels of that event type get the same retention date applied to them.
-For example: If you're using the Asset ID property, enter `ComplianceAssetID:<value>` in the box for asset IDs shown below.
-
Your organization might have applied other properties and IDs to the documents related to this event type. For example, if you need to detect a specific product's records, the ID might be a combination of your custom property ProductID and the value "XYZ". In this case, you'd enter `ProductID:XYZ` in the box for asset IDs shown in the following picture.
-
-For Exchange items, use keywords. You can use a query by using search operators such as AND, OR, and NOT. For more information, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
-
-Finally, choose the date when the event occurred; this date is used as the start of the retention period. After you create an event, that event date is synchronized to all the content with a retention label of that event type, asset ID, and keywords. As with any retention label, this synchronization can take up to seven days.
+
+Finally, choose the date when the event occurred; this date is used as the start of the retention period. After you create an event, that event date is synchronized to all the content with a retention label of that event type, asset ID, and keywords or queries. As with any retention label, this synchronization can take up to seven days.
![Event settings page](../media/40d3c9db-f624-49a5-b38a-d16bcce20231.png)
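Review bot: The rewritten Step 7 text says what happens when no asset ID is entered, but not what happens when the keywords or query box for Exchange is left empty, so the scoping behaviour is documented for SharePoint and OneDrive only. Add the equivalent sentence for Exchange. The sentence "If an asset ID is not entered..." now sits between the `ComplianceAssetID:<value>` example and the `ProductID:XYZ` example; moving it below the second example keeps the two examples together. Both examples now end with "shown in the following picture", though the visible lines show a single picture after them. The new heading would read more cleanly as "Enter keywords or a query for Exchange, or an asset ID for SharePoint and OneDrive".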
compliance Get Started With Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-records-management.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Priority-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150 description: Need a records management solution for Microsoft 365 that manages high-value content for legal, business, or regulatory obligations, but not sure where to start? Read some practical guidance to get started.
description: Need a records management solution for Microsoft 365 that manages h
Ready to start managing your organization's high-value content for legal, business, or regulatory obligations by using a records management solution in Microsoft 365? Use the following guidance to get started:
-1. **Understand the records management solution** and what actions are allowed or blocked when documents and emails are declared records: [Learn about records management](records-management.md).
+1. **Understand the records management solution** and what actions are allowed or blocked when documents and emails are declared records: [Learn about records management](records-management.md).
2. **Understand retention labels and how retention works** for SharePoint and Exchange, because retention labels are used to declare records: [Learn about retention policies and retention labels](retention.md)
-3. **Create your file plan for retention settings and actions** by [importing an existing plan](file-plan-manager.md#import-retention-labels-into-your-file-plan ) if you have one, or create [new retention labels that declare records](declare-records.md).
+3. **Create your file plan for retention settings and actions** by [importing an existing plan](file-plan-manager.md#import-retention-labels-into-your-file-plan) if you have one, or create [new retention labels that declare records](declare-records.md).
+
+4. **Publish and apply your retention labels**. Retention labels are reusable building blocks that can be used in multiple policies and can be incorporated into user workflows:
-4. **Publish and apply your retention labels**. Retention labels are reusable building blocks that can be used in multiple policies and can be incorporated into user workflows:
-
- [Create retention labels and apply them in apps](create-apply-retention-labels.md) - [Apply a retention label to content automatically](apply-retention-labels-automatically.md)
To see the options for licensing your users to benefit from Microsoft 365 compli
## Permissions required for records management
-Members of your compliance team who are responsible for records management need permissions to the [Microsoft 365 compliance center](https://compliance.microsoft.com/). By default, the tenant admin (global administrator) has access to this location and can give compliance officers and other people access without giving them all the permissions of a tenant admin. To grant permissions for this limited administration, we recommend that you add users to the **Records Management** admin role group, which grants permissions for all features related to records management, including [disposition review and verification](disposition.md).
+Members of your compliance team who are responsible for records management need permissions to the [Microsoft 365 compliance center](https://compliance.microsoft.com/). By default, the tenant admin (global administrator) has access to this location and can give compliance officers and other people access without giving them all the permissions of a tenant admin. To grant permissions for this limited administration, we recommend that you add users to the **Records Management** admin role group, which grants permissions for all features related to records management, including [disposition review and verification](disposition.md).
-For a read-only role, you can create a new role group and add the **View-Only Record Management** role to this group.
+For a read-only role, you can create a new role group and add the **View-Only Record Management** role to this group.
For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
compliance Increase The Recoverable Quota For Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal
+search.appverid:
- MOE150 - MET150 ms.assetid: a8bdcbdd-9298-462f-b889-df26037a990c
description: "Enable the archive mailbox and turn on auto-expanding archiving to
# Increase the Recoverable Items quota for mailboxes on hold
-The default Exchange retention policyΓÇönamed *Default MRM Policy*ΓÇöthat is automatically applied to new mailboxes in Exchange Online contains a retention tag named Recoverable Items 14 days move to archive. This retention tag moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox after the 14-day retention period expires for an item. For this to happen, the user's archive mailbox must be enabled. If the archive mailbox isn't enabled, no action is taken, which means that items in the Recoverable Items folder for a mailbox on hold aren't moved to the archive mailbox after the 14-day retention period expires. Because nothing is deleted from a mailbox on hold, it's possible that the storage quota for the Recoverable Items folder might be exceeded, especially if the user's archive mailbox isn't enabled.
-
+The default Exchange retention policyΓÇönamed *Default MRM Policy*ΓÇöthat is automatically applied to new mailboxes in Exchange Online contains a retention tag named Recoverable Items 14 days move to archive. This retention tag moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox after the 14-day retention period expires for an item. For this to happen, the user's archive mailbox must be enabled. If the archive mailbox isn't enabled, no action is taken, which means that items in the Recoverable Items folder for a mailbox on hold aren't moved to the archive mailbox after the 14-day retention period expires. Because nothing is deleted from a mailbox on hold, it's possible that the storage quota for the Recoverable Items folder might be exceeded, especially if the user's archive mailbox isn't enabled.
+ To help reduce the chance of exceeding this limit, the storage quota for the Recoverable Items folder is automatically increased from 30 GB to 100 GB when a hold is placed on a mailbox in Exchange Online. If the archive mailbox is enabled, the storage quota for the Recoverable Items folder in the archive mailbox is also increased from 30 GB to 100 GB. If the auto-expanding archiving feature in Exchange Online is enabled, the storage quota for the Recoverable Items folder in the user's archive will be unlimited.
-
- The following table summarizes the storage quota for the Recoverable Items folder.
-
+
+ The following table summarizes the storage quota for the Recoverable Items folder.
+ |**Location of Recoverable Items folder**|**Mailboxes not on hold**|**Mailboxes on hold**| |:--|:--|:--| |Primary mailbox <br/> |30 GB <br/> |100 GB <br/> | |Archive mailbox<sup>\*</sup> <br/> |Unlimited <br/> |Unlimited <br/> | |**Total storage quota for the Recoverable Items folder** <br/> |Unlimited <br/> |Unlimited <br/> |
-
+ > [!NOTE]
-> <sup>\*</sup> The initial storage quota for the archive mailbox is 100 GB for users with an Exchange Online (Plan 2) license. However, when auto-expanding archiving is turned on for mailboxes on hold, the storage quota for both the archive mailbox and the Recoverable Items folder is increased to 110 GB. Additional archive storage space will be provisioned when necessary which results in an unlimited amount of archive storage. For more information about auto-expanding archiving, see [Overview of unlimited archiving in Office 365](unlimited-archiving.md).
-
+> <sup>\*</sup> The initial storage quota for the archive mailbox is 100 GB for users with an Exchange Online (Plan 2) license. However, when auto-expanding archiving is turned on for mailboxes on hold, the storage quota for both the archive mailbox and the Recoverable Items folder is increased to 110 GB. Additional archive storage space will be provisioned when necessary which results in an unlimited amount of archive storage. For more information about auto-expanding archiving, see [Overview of unlimited archiving in Office 365](unlimited-archiving.md).
+ When the storage quota for the Recoverable Items folder in the primary mailbox of a mailbox on hold is close to reaching its limit, you can do the following things:
-
+ - **Enable the archive mailbox and turn on auto-expanding archiving.** You can enable an unlimited storage capacity for the Recoverable Items folder simply by enabling the archive mailbox and then turning on the auto-expanding archiving feature in Exchange Online. This results in 110 GB for the Recoverable Items folder in the primary mailbox and an unlimited amount of storage capacity for the Recoverable Items folder in the user's archive. See how: [Enable archive mailboxes in the Security & Compliance Center](enable-archive-mailboxes.md) and [Enable unlimited archiving in Office 365](enable-unlimited-archiving.md).
-
+ > [!NOTE]
- > After you enable the archive for a mailbox that's close to exceeding the storage quota for the Recoverable Items folder, you might want to run the Managed Folder Assistant to manually trigger the assistant to process the mailbox so that expired items are moved to the Recoverable Items folder in the archive mailbox. See [Step 4](#optional-step-4-run-the-managed-folder-assistant-to-apply-the-new-retention-settings) for instructions. Note that other items in the user's mailbox might be moved to the new archive mailbox. Consider telling the user that this may happen after you enable the archive mailbox.
-
-- **Create a custom Exchange retention policy for mailboxes on hold.** In addition to enabling the archive mailbox and auto-expanding archiving for mailboxes on Litigation Hold or In-Place Hold, you might also want to create a custom Exchange retention policy for mailboxes on hold. This lets you apply a retention policy to mailboxes on hold that's different from the Default MRM Policy that's applied to mailboxes that aren't on hold, and lets you apply retention tags that are designed for mailboxes on hold. This includes creating a new retention tag for the Recoverable Items folder.
-
+ > After you enable the archive for a mailbox that's close to exceeding the storage quota for the Recoverable Items folder, you might want to run the Managed Folder Assistant to manually trigger the assistant to process the mailbox so that expired items are moved to the Recoverable Items folder in the archive mailbox. See [Step 4](#optional-step-4-run-the-managed-folder-assistant-to-apply-the-new-retention-settings) for instructions. Note that other items in the user's mailbox might be moved to the new archive mailbox. Consider telling the user that this may happen after you enable the archive mailbox.
+
+- **Create a custom Exchange retention policy for mailboxes on hold.** In addition to enabling the archive mailbox and auto-expanding archiving for mailboxes on Litigation Hold or In-Place Hold, you might also want to create a custom Exchange retention policy for mailboxes on hold. This lets you apply a retention policy to mailboxes on hold that's different from the Default MRM Policy that's applied to mailboxes that aren't on hold, and lets you apply retention tags that are designed for mailboxes on hold. This includes creating a new retention tag for the Recoverable Items folder.
+ The remainder of this topic describes the step-by-step procedures to create a custom Exchange retention policy for mailboxes on hold.
-
+ [Step 1: Create a custom retention tag for the Recoverable Items folder](#step-1-create-a-custom-retention-tag-for-the-recoverable-items-folder) [Step 2: Create a new Exchange retention policy for mailboxes on hold](#step-2-create-a-new-exchange-retention-policy-for-mailboxes-on-hold)
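Review bot: The quota figures in this section do not agree with each other, and this change leaves them as they were. The paragraph starting "To help reduce the chance of exceeding this limit" says the Recoverable Items quota in the archive mailbox is increased from 30 GB to 100 GB, but the table lists the archive mailbox as Unlimited in both columns. The first bullet says enabling auto-expanding archiving "results in 110 GB for the Recoverable Items folder in the primary mailbox", while the table gives 100 GB for a primary mailbox on hold. Either add a table row or footnote for the auto-expanding case, or qualify the prose so a reader sizing a mailbox on hold gets one answer. The opening sentence also shows "ΓÇö" where a dash is expected, in both the removed and the added line, so check the file encoding.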
The remainder of this topic describes the step-by-step procedures to create a cu
[Step 3: Apply the new Exchange retention policy to mailboxes on hold](#step-3-apply-the-new-exchange-retention-policy-to-mailboxes-on-hold) [(Optional) Step 4: Run the Managed Folder Assistant to apply the new retention settings](#optional-step-4-run-the-managed-folder-assistant-to-apply-the-new-retention-settings)
-
+ ## Step 1: Create a custom retention tag for the Recoverable Items folder
-The first step is to create a custom retention tag (called a retention policy tag or RPT) for the Recoverable Items folder. As previously explained, this RPT moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You have to use PowerShell to create an RPT for the Recoverable Items folder. You can't use the Exchange admin center (EAC).
-
+The first step is to create a custom retention tag (called a retention policy tag or RPT) for the Recoverable Items folder. As previously explained, this RPT moves items from the Recoverable Items folder in the user's primary mailbox to the Recoverable Items folder in the user's archive mailbox. You have to use PowerShell to create an RPT for the Recoverable Items folder. You can't use the Exchange admin center (EAC).
+ 1. [Connect to Exchange Online using remote PowerShell](/powershell/exchange/connect-to-exchange-online-powershell)
-
-2. Run the following command to create a new RPT for the Recoverable Items folder:
-
+
+2. Run the following command to create a new RPT for the Recoverable Items folder:
+ ```powershell New-RetentionPolicyTag -Name <Name of RPT> -Type RecoverableItems -AgeLimitForRetention <Number of days> -RetentionAction MoveToArchive ``` For example, the following command creates an RPT for the Recoverable Items folder named "Recoverable Items 30 days for mailboxes on hold", with a retention period of 30 days. This means that after an item has been in the Recoverable Items folder for 30 days, it will be moved to the Recoverable Items folder in the user's archive mailbox.
-
+ ```powershell New-RetentionPolicyTag -Name "Recoverable Items 30 days for mailboxes on hold" -Type RecoverableItems -AgeLimitForRetention 30 -RetentionAction MoveToArchive ``` > [!TIP]
- > We recommend that the retention period (defined by the _AgeLimitForRetention_ parameter) for the Recoverable Items RPT is the same as the deleted item retention period for the mailboxes that the RPT will be applied to. This allows a user the entire deleted item retention period to recover deleted items before they are moved to the archive mailbox. In the previous example, the retention period was set to 30 days based on the assumption that the deleted item retention period for mailboxes is also 30 days. An Exchange Online mailbox is configured to retain deleted items for 14 days, by default. But you can change this setting to a maximum of 30 days. For more information, see [Change the deleted item retention period for a mailbox in Exchange Online](https://www.microsoft.com/?ref=go).
-
+ > We recommend that the retention period (defined by the _AgeLimitForRetention_ parameter) for the Recoverable Items RPT is the same as the deleted item retention period for the mailboxes that the RPT will be applied to. This allows a user the entire deleted item retention period to recover deleted items before they are moved to the archive mailbox. In the previous example, the retention period was set to 30 days based on the assumption that the deleted item retention period for mailboxes is also 30 days. An Exchange Online mailbox is configured to retain deleted items for 14 days, by default. But you can change this setting to a maximum of 30 days. For more information, see [Change the deleted item retention period for a mailbox in Exchange Online](https://www.microsoft.com/?ref=go).
+ ## Step 2: Create a new Exchange retention policy for mailboxes on hold
-The next step is to create a new retention policy and add retention tags to it, including the Recoverable Items RPT that you created in Step 1. This new policy will be applied to mailboxes on hold in the next step.
-
+The next step is to create a new retention policy and add retention tags to it, including the Recoverable Items RPT that you created in Step 1. This new policy will be applied to mailboxes on hold in the next step.
+ Before you create the new retention policy, determine the additional retention tags that you want to add. For a list of the retention tags that are added to the Default MRM Policy and for information about creating new retention tags, see the following:
-
-- [Default Retention Policy in Exchange Online ](/exchange/security-and-compliance/messaging-records-management/default-retention-policy)
-
+
+- [Default Retention Policy in Exchange Online](/exchange/security-and-compliance/messaging-records-management/default-retention-policy)
+ - [Default folders that support Retention Policy Tags](/exchange/security-and-compliance/messaging-records-management/default-folders)
-
+ - The "Create a retention tag" section in the [Create a Retention Policy](/exchange/security-and-compliance/messaging-records-management/create-a-retention-policy) topic.
-
+ You can use the EAC or Exchange Online PowerShell to create a retention policy.
-
+ ### Use the EAC to create a retention policy
-
+ 1. In the EAC, go to **Compliance management** \> **Retention policies**, and then click **Add** ![Add Icon](../media/ITPro-EAC-AddIcon.gif).
-
-2. On the **New retention policy** page, under **Name**, type a name that describes the purpose of the retention policy; for example, **MRM Policy for Mailboxes on Hold**.
-
+
+2. On the **New retention policy** page, under **Name**, type a name that describes the purpose of the retention policy; for example, **MRM Policy for Mailboxes on Hold**.
+ 3. Under **Retention tags**, click **Add** ![Add Icon](../media/ITPro-EAC-AddIcon.gif).
-
+ 4. In the list of retention tags, select the Recoverable Items RPT that you created in Step 1, and then click **Add**.
-
+ ![Select the custom Recoverable Items retention tag](../media/eb49866b-bdef-4fcd-a6d9-01607c01249b.png)
-
+ 5. Select additional retention tags to add to the retention policy. For example, you might want to add the same tags that are included in the Default MRM Policy.
-
+ 6. When you're finished adding retention tags, click **OK**.
-
-7. Click **Save** to create the new retention policy.
-
+
+7. Click **Save** to create the new retention policy.
+ Notice that the retention tags linked to the retention policy are displayed in the details pane.
-
+ ![Retention tags linked to the retention policy are displayed in the details pane](../media/dad1c8f4-9928-4d6d-991a-6f6c5194eceb.png)
-
+ ### Use Exchange Online PowerShell to create a retention policy
-
-Run the following command to create new retention policy for mailboxes on hold.
-
+
+Run the following command to create new retention policy for mailboxes on hold.
+ ```powershell New-RetentionPolicy <Name of retention policy> -RetentionPolicyTagLinks <list of retention tags> ``` For example, the following command creates the retention policy and linked retention tags that are displayed in the previous illustration.
-
+ ```powershell New-RetentionPolicy "MRM Policy for Mailboxes on Hold" -RetentionPolicyTagLinks "Recoverable Items 30 days for mailboxes on hold","1 Month Delete","1 Week Delete","1 Year Delete","5 Year Delete","6 Month Delete","Default 2 year move to archive","Junk Email","Never Delete","Personal 1 year move to archive","Personal 5 year move to archive" ``` ## Step 3: Apply the new Exchange retention policy to mailboxes on hold
-The last step is to apply the new retention policy that you created in Step 2 to mailboxes on hold in your organization. You can use the EAC or Exchange Online PowerShell to apply the retention policy to a single mailbox or to multiple mailboxes.
-
+The last step is to apply the new retention policy that you created in Step 2 to mailboxes on hold in your organization. You can use the EAC or Exchange Online PowerShell to apply the retention policy to a single mailbox or to multiple mailboxes.
+ ### Use the EAC to apply the new retention policy
-
+ 1. Go to **Recipients** > **Mailboxes**.
-
+ 2. In the list view, select the mailbox you want to apply the retention policy to, and then click **Edit** ![Edit icon](../media/ebd260e4-3556-4fb0-b0bb-cc489773042c.gif).
-
+ 3. On the **User Mailbox** page, click **Mailbox features**.
-
+ 4. Under **Retention policy**, select the retention policy that you created in Step 2, and then click **Save**.
-
+ You can also use the EAC to apply the retention policy to multiple mailboxes.
-
+ 1. Go to **Recipients** > **Mailboxes**.
-
+ 2. In the list view, use the Shift or Ctrl keys to select multiple mailboxes.
-
+ 3. In the details pane, click **More options**.
-
+ 4. Under **Retention Policy**, click **Update**.
-
-5. On the **Bulk assign retention policy** page, select the retention policy that you created in Step 2, and then click **Save**.
-
+
+5. On the **Bulk assign retention policy** page, select the retention policy that you created in Step 2, and then click **Save**.
+ ### Use Exchange Online PowerShell to apply the new retention policy
-
+ You can use Exchange Online PowerShell to apply a new retention policy to a single mailbox. But the real power of PowerShell is that you can use it to quickly identify all the mailboxes in your organization that are on either Litigation Hold or In-Place Hold, and then apply the new retention policy to all mailboxes on hold in a single command. Here are some examples of using Exchange PowerShell to apply a retention policy to one or more mailboxes. All of the examples apply the retention policy that was created in Step 2.
-
+ This example applies the new retention policy to Pilar Pinilla's mailbox.
-
+ ```powershell Set-Mailbox "Pilar Pinilla" -RetentionPolicy "MRM Policy for Mailboxes on Hold" ``` This example applies the new retention policy to all mailboxes in the organization that are on Litigation Hold.
-
+ ```powershell $LitigationHolds = Get-Mailbox -ResultSize unlimited | Where-Object {$_.LitigationHoldEnabled -eq 'True'} ```
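Review bot: The TIP at the end of Step 1 links "Change the deleted item retention period for a mailbox in Exchange Online" to https://www.microsoft.com/?ref=go, which is the site home page rather than the article. The line is being rewritten here, so point it at the actual topic. Separately, the Litigation Hold example filters with `$_.LitigationHoldEnabled -eq 'True'`; comparing against `$true` states the intent more clearly than a string literal.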
$LitigationHolds.DistinguishedName | Set-Mailbox -RetentionPolicy "MRM Policy fo
``` This example applies the new retention policy to all mailboxes in the organization that are on In-Place Hold.
-
+ ```powershell $InPlaceHolds = Get-Mailbox -ResultSize unlimited | Where-Object {$_.InPlaceHolds -ne $null} ```
$InPlaceHolds = Get-Mailbox -ResultSize unlimited | Where-Object {$_.InPlaceHold
$InPlaceHolds.DistinguishedName | Set-Mailbox -RetentionPolicy "MRM Policy for Mailboxes on Hold" ```
-You can use the **Get-Mailbox** cmdlet to verify that the new retention policy was applied.
-
+You can use the **Get-Mailbox** cmdlet to verify that the new retention policy was applied.
+ Here are some examples to verify that the commands in the previous examples applied the "MRM Policy for Mailboxes on Hold" retention policy to mailboxes on Litigation Hold and mailboxes on In-Place Hold.
-
+ ```powershell Get-Mailbox "Pilar Pinilla" | Select RetentionPolicy ```
Get-Mailbox -ResultSize unlimited | Where-Object {$_.InPlaceHolds -ne $null} | F
## (Optional) Step 4: Run the Managed Folder Assistant to apply the new retention settings
-After you apply the new Exchange retention policy to mailboxes on hold, it can take up to 7 days in Exchange Online for the Managed Folder Assistant to process these mailboxes using the settings in the new retention policy. Instead of waiting for the Managed Folder Assistant to run, you can use the **Start-ManagedFolderAssistant** cmdlet to manually trigger the assistant to process the mailboxes that you applied the new retention policy to.
-
+After you apply the new Exchange retention policy to mailboxes on hold, it can take up to 7 days in Exchange Online for the Managed Folder Assistant to process these mailboxes using the settings in the new retention policy. Instead of waiting for the Managed Folder Assistant to run, you can use the **Start-ManagedFolderAssistant** cmdlet to manually trigger the assistant to process the mailboxes that you applied the new retention policy to.
+ Run the following command to start the Managed Folder Assistant for Pilar Pinilla's mailbox.
-
+ ```powershell Start-ManagedFolderAssistant "Pilar Pinilla" ``` Run the following commands to start the Managed Folder Assistant for all mailboxes on hold.
-
+ ```powershell $MailboxesOnHold = Get-Mailbox -ResultSize unlimited | Where-Object {($_.InPlaceHolds -ne $null) -or ($_.LitigationHoldEnabled -eq "True")} ```
$MailboxesOnHold.DistinguishedName | Start-ManagedFolderAssistant
## More information -- After you enable a user's archive mailbox, consider telling the user that other items in their mailbox (not just items in the Recoverable Items folder) might be moved to the archive mailbox. This is because the Default MRM Policy that's assigned to Exchange Online mailboxes contains a retention tag (named Default 2 years move to archive) that moves items to the archive mailbox two years after the date the item was delivered to the mailbox or created by the user. For more information, see [Default Retention Policy in Exchange Online ](/exchange/security-and-compliance/messaging-records-management/default-retention-policy)
-
-- After you enable a user's archive mailbox, you might also tell the user that they can recover deleted items in the Recoverable Items folder in their archive mailbox. They can do this in Outlook by selecting the **Deleted Items** folder in the archive mailbox, and then clicking **Recover Deleted Items from Server** on the **Home** tab. For more information about recovering deleted items, see [Recover deleted items in Outlook for Windows](https://go.microsoft.com/fwlink/p/?LinkId=624829).
+- After you enable a user's archive mailbox, consider telling the user that other items in their mailbox (not just items in the Recoverable Items folder) might be moved to the archive mailbox. This is because the Default MRM Policy that's assigned to Exchange Online mailboxes contains a retention tag (named Default 2 years move to archive) that moves items to the archive mailbox two years after the date the item was delivered to the mailbox or created by the user. For more information, see [Default Retention Policy in Exchange Online](/exchange/security-and-compliance/messaging-records-management/default-retention-policy)
+
+- After you enable a user's archive mailbox, you might also tell the user that they can recover deleted items in the Recoverable Items folder in their archive mailbox. They can do this in Outlook by selecting the **Deleted Items** folder in the archive mailbox, and then clicking **Recover Deleted Items from Server** on the **Home** tab. For more information about recovering deleted items, see [Recover deleted items in Outlook for Windows](https://go.microsoft.com/fwlink/p/?LinkId=624829).
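Review bot: The first bullet names the retention tag "Default 2 years move to archive", but the Step 2 example on this page links the tag as "Default 2 year move to archive". Use one spelling so that an admin copying the name into -RetentionPolicyTagLinks gets a match. The first bullet also ends on the link with no closing period, unlike the second bullet.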
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Priority
+search.appverid:
- MOE150 - MET150-+ - m365solution-mip - m365initiative-compliance recommendations: false
For information about governing your data, see [Microsoft Information Governance
> For information about classifying and labeling data in Azure Purview, currently in preview, see [Automatically label your content in Azure Purview](/azure/purview/create-sensitivity-label). To understand your data landscape and identify important data across your hybrid environment, use the following capabilities:
-
+ |Capability|What problems does it solve?|Get started| |:|:|:--| |[Sensitive information types](sensitive-information-type-learn-about.md)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)| |[Trainable classifiers](classifier-learn-about.md)| Identifies sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.| [Get started with trainable classifiers](classifier-get-started-with.md) |
-|[Data classification](data-classification-overview.md) | A graphical identification of items in your organization that have a sensitivity label, a retention label, or have been classified. You can also use this information to gain insights into the actions that your users are taking on these items. | [Get started with content explorer](data-classification-content-explorer.md)<br /><br /> [Get started with activity explorer](data-classification-activity-explorer.md) |
+|[Data classification](data-classification-overview.md) | A graphical identification of items in your organization that have a sensitivity label, a retention label, or have been classified. You can also use this information to gain insights into the actions that your users are taking on these items. | [Get started with content explorer](data-classification-content-explorer.md) <p> [Get started with activity explorer](data-classification-activity-explorer.md) |
## Protect your data
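Review bot: In the Data classification row, the `<br /><br />` between the two Get started links is replaced by a bare `<p>` that is never closed. Inside a Markdown table cell this depends on how leniently the renderer treats unclosed HTML. Either close the tag or keep a line break element, and check the rendered table before merging.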
To apply flexible protection actions that include encryption, access restriction
|Capability|What problems does it solve?|Get started| |:|:||
-|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br />Example scenarios: <br /> [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md)<br /> [Encrypt documents and emails](encryption-sensitivity-labels.md )<br /> [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <br /><br /> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[ Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
-|[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends sensitivity labels for additional features and functionality that includes labeling and protecting all file types from File Explorer and PowerShell<br /><br /> Example additional features: [Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations)| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)|
+|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <p> Example scenarios: <p> [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md) <p> [Encrypt documents and emails](encryption-sensitivity-labels.md) <p> [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <p> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
+|[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends sensitivity labels for additional features and functionality that includes labeling and protecting all file types from File Explorer and PowerShell <p> Example additional features: [Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations)| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)|
|[Double Key Encryption](double-key-encryption.md)| Under all circumstances, only your organization can ever decrypt protected content or for regulatory requirements, you must hold encryption keys within a geographical boundary. | [Deploy Double Key Encryption](double-key-encryption.md#deploy-dke)|
-|[Office 365 Message Encryption (OME)](ome.md)| Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <br /><br />Example scenario: [Revoke email encrypted by Advanced Message Encryption](revoke-ome-encrypted-mail.md) | [Set up new Message Encryption capabilities](set-up-new-message-encryption-capabilities.md)|
+|[Office 365 Message Encryption (OME)](ome.md)| Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <p> Example scenario: [Revoke email encrypted by Advanced Message Encryption](revoke-ome-encrypted-mail.md) | [Set up new Message Encryption capabilities](set-up-new-message-encryption-capabilities.md)|
|[Service encryption with Customer Key](customer-key-overview.md) | Protects against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. | [Set up Customer Key for Office 365](customer-key-set-up.md)| |[SharePoint Information Rights Management (IRM)](set-up-irm-in-sp-admin-center.md#irm-enable-sharepoint-document-libraries-and-lists)|Protects SharePoint lists and libraries so that when a user checks out a document, the downloaded file is protected so that only authorized people can view and use the file according to policies that you specify. | [Set up Information Rights Management (IRM) in SharePoint admin center](set-up-irm-in-sp-admin-center.md)| [Rights Management connector](/azure/information-protection/deploy-rms-connector) |Protection-only for existing on-premises deployments that use Exchange or SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI). | [Steps to deploy the RMS connector](/azure/information-protection/deploy-rms-connector#steps-to-deploy-the-rms-connector) |[Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner)| Discovers, labels, and protects sensitive information that resides in data stores that are on premises. | [Configuring and installing the Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner-configure-install)| |[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| Discovers, labels, and protects sensitive information that resides in data stores that are in the cloud. | [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)|
-|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)|Extends sensitivity labels to third-party apps and services. <br /><br /> Example scenario: [Set and get a sensitivity label (C++)](/information-protection/develop/quick-file-set-get-label-cpp) |[Microsoft Information Protection (MIP) SDK setup and configuration](/information-protection/develop/setup-configure-mip)|
+|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)|Extends sensitivity labels to third-party apps and services. <p> Example scenario: [Set and get a sensitivity label (C++)](/information-protection/develop/quick-file-set-get-label-cpp) |[Microsoft Information Protection (MIP) SDK setup and configuration](/information-protection/develop/setup-configure-mip)|
## Prevent data loss
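Review bot: In the Sensitivity labels row, the three example scenario links were separated by a single `<br />` and are now each preceded by `<p>`, so what rendered as a compact list of links becomes three separate paragraphs. If the intent was only to turn the double breaks into paragraph breaks, keep a plain line break between the three links.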
compliance Insider Risk Management Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-alerts.md
The insider risk **Alert dashboard** allows you to view and act on alerts genera
- **Total alerts that need review**: The total number of alerts needing review and triage are listed, including a breakdown by alert severity. - **Open alerts over past 30 days**: The total number of alerts created by policy matches over the last 30 days, sorted by high, medium, and low alert severity levels. - **Average time to resolve alerts**: A summary of useful alert statistics:
- - Average time to resolve high severity alerts, listed in hours, days, or months.
- - Average time to resolve medium severity alerts, listed in hours, days, or months.
- - Average time to resolve low severity alerts, listed in hours, days, or months.
+ - Average time to resolve high severity alerts, listed in hours, days, or months.
+ - Average time to resolve medium severity alerts, listed in hours, days, or months.
+ - Average time to resolve low severity alerts, listed in hours, days, or months.
![Insider risk management alert dashboard](../media/insider-risk-alerts-dashboard.png)
->[!NOTE]
->Insider risk management uses built-in alert throttling to help protect and optimize your risk investigation and review experience. This throttling guards against issues that might result in an overload of policy alerts, such as misconfigured data connectors or DLP policies. As a result, there might be a delay in displaying new alerts for a user.
+> [!NOTE]
+> Insider risk management uses built-in alert throttling to help protect and optimize your risk investigation and review experience. This throttling guards against issues that might result in an overload of policy alerts, such as misconfigured data connectors or DLP policies. As a result, there might be a delay in displaying new alerts for a user.
## Alert status and severity
To triage an insider risk alert, complete the following steps:
## Activity explorer (preview)
->[!NOTE]
->Activity explorer is available in the alert management area for users with triggering events after this feature is available in your organization.
+> [!NOTE]
+> Activity explorer is available in the alert management area for users with triggering events after this feature is available in your organization.
The Activity explorer provides risk investigators and analysts with a comprehensive analytic tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts. To filter alerts on the Activity explorer, select the Filter control. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.
compliance Insider Risk Management Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-audit-log.md
Areas included in activity monitoring include:
To view and export data from the audit log, users must be assigned to the *Insider Risk Management* or *Insider Risk Management Auditors* role groups. To learn more about insider risk management role groups, see [Getting started with insider risk management Step 1: Enabling permissions](insider-risk-management-configure.md#step-1-enable-permissions-for-insider-risk-management).
->[!NOTE]
->The insider risk management audit log isn't associated with the Microsoft 365 audit log, they are independent auditing systems and capture information on separate activities. Disabling Microsoft 365 auditing doesn't impact activity auditing within insider risk management.
+> [!NOTE]
+> The insider risk management audit log isn't associated with the Microsoft 365 audit log, they are independent auditing systems and capture information on separate activities. Disabling Microsoft 365 auditing doesn't impact activity auditing within insider risk management.
## View activity in the insider risk audit log
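Review bot: The note text still contains a comma splice in "isn't associated with the Microsoft 365 audit log, they are independent auditing systems". As the line is being rewritten anyway, split it into two sentences or use a semicolon after "audit log".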
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
The **User activity** tab is one of the most powerful tools for internal risk an
### Activity explorer (preview)
->[!IMPORTANT]
->The Activity explorer tab is available in the case management area for users with triggering events after this feature is available in your organization.
+> [!IMPORTANT]
+> The Activity explorer tab is available in the case management area for users with triggering events after this feature is available in your organization.
The **Activity explorer** tab allows risk analysts and investigators to review activity details associated with risk alerts. For example, as part of the case management actions, investigators and analysts may need to review all the risk activities associated with the case for more details. With the **Activity explorer**, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts.
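Review bot: This availability statement is marked `[!IMPORTANT]` here, but the same sentence in the alerts article hunk is marked `[!NOTE]`. Pick one alert type for both articles. The wording "for users with triggering events after this feature is available in your organization" is also hard to parse and would benefit from stating plainly that only triggering events occurring after the feature is available are covered, if that is what is meant.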
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
Use insider risk management policies to identify risky activities and management tools to act on risk alerts in your organization. Complete the following steps to set up prerequisites and configure an insider risk management policy.
->[!IMPORTANT]
->The Microsoft 365 insider risk management solution provides a tenant level option to help customers facilitate internal governance at the user level. Tenant level administrators can set up permissions to provide access to this solution for members of your organization and set up data connectors in the Microsoft 365 compliance center to import relevant data to support user level identification of potentially risky activity. Customers acknowledge insights related to the individual user's behavior, character, or performance materially related to employment can be calculated by the administrator and made available to others in the organization. In addition, customers acknowledge that they must conduct their own full investigation related to the individual user's behavior, character, or performance materially related to employment, and not just rely on insights from the insider risk management service. Customers are solely responsible for using the Microsoft 365 insider risk management service, and any associated feature or service in compliance with all applicable laws, including laws relating to individual user identification and any remediation actions.
+> [!IMPORTANT]
+> The Microsoft 365 insider risk management solution provides a tenant level option to help customers facilitate internal governance at the user level. Tenant level administrators can set up permissions to provide access to this solution for members of your organization and set up data connectors in the Microsoft 365 compliance center to import relevant data to support user level identification of potentially risky activity. Customers acknowledge insights related to the individual user's behavior, character, or performance materially related to employment can be calculated by the administrator and made available to others in the organization. In addition, customers acknowledge that they must conduct their own full investigation related to the individual user's behavior, character, or performance materially related to employment, and not just rely on insights from the insider risk management service. Customers are solely responsible for using the Microsoft 365 insider risk management service, and any associated feature or service in compliance with all applicable laws, including laws relating to individual user identification and any remediation actions.
For more information about how insider risk policies can help you manage risk in your organization, see [Insider risk management in Microsoft 365](insider-risk-management.md).
If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try i
## Step 1: Enable permissions for insider risk management
->[!Important]
->After configuring your role groups, it may take up to 30 minutes for the role group permissions to apply to assigned users across your organization.
+> [!IMPORTANT]
+> After configuring your role groups, it may take up to 30 minutes for the role group permissions to apply to assigned users across your organization.
There are four roles groups used to configure permissions to manage insider risk management features. To continue with these configuration steps, your tenant administrators must first assign you to the **Insider Risk Management** or **Insider Risk Management Admin** role group. To access and manage insider risk management features after initial configuration, users must be a member of at least one insider risk management role group.
Insider risk management supports using DLP policies to help identify the intenti
DLP policies help identify users to activate risk scoring in insider risk management for high severity DLP alerts for sensitive information and are an important part of configuring full risk management coverage in your organization. For more information about insider risk management and DLP policy integration and planning considerations, see [Insider risk management policies](insider-risk-management-policies.md#general-data-leaks).
->[!IMPORTANT]
+> [!IMPORTANT]
>Make sure you've completed the following: > >- You understand and properly configure the in-scope users in both the DLP and insider risk management policies to produce the policy coverage you expect.
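Review bot: Only the `[!IMPORTANT]` marker line gets the space after `>`. The following line of the same block still starts with `>Make sure you've completed the following:` and its list items with `>-`. Apply the `> ` prefix to the whole block so the formatting change is consistent with the other alerts in this file.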
See the [Getting started with insider risk management settings](insider-risk-man
Insider risk management supports importing user and log data from physical control and access platforms. The Physical badging connector allows you to pull in access data from JSON files, including user IDs, access point IDs, access time and dates, and access status. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization. If you configure more than one Physical badging connector for your organization, insider risk management automatically pulls indicators from all Physical badging connectors. Information from the Physical badging connector supplements other insider risk signals when using all insider risk policy templates.
->[!IMPORTANT]
->For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for unauthorized physical access for users in your organization.
+> [!IMPORTANT]
+> For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for unauthorized physical access for users in your organization.
See the [Set up a connector to import physical badging data](import-physical-badging-data.md) article for step-by-step guidance to configure the Physical badging connector for your organization. After you've configured the connector, return to these configuration steps.
Before configuring a policy, define the following insider risk settings:
2. On the **Privacy** page, select a privacy setting for displaying usernames for policy alerts. 3. On the **Indicators** page, select the alert indicators you want to apply to all insider risk policies.
- >[!IMPORTANT]
- >In order to receive alerts for risky activity defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.
+ > [!IMPORTANT]
+ > In order to receive alerts for risky activity defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.
4. On the **Policy timeframes** page, select the [policy timeframes](insider-risk-management-settings.md#policy-timeframes) to go into effect for a user when they trigger a match for an insider risk policy. 5. On the **Intelligent detections** page, configure the following settings for insider risk policies:
Insider risk management policies include assigned users and define which types o
2. Select **Create policy** to open the policy wizard. 3. On the **Policy template** page, choose a policy category and then select the template for the new policy. These templates are made up of conditions and indicators that define the risk activities you want to detect and investigate. Review the template prerequisites, triggering events, and detected activities to confirm this policy template fits your needs.
- >[!IMPORTANT]
- >Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
+ > [!IMPORTANT]
+ > Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
4. Select **Next** to continue. 5. On the **Name and description** page, complete the following fields:
Insider risk management policies include assigned users and define which types o
12. Select **Next** to continue. 13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
- >[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ > [!IMPORTANT]
+ > If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
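Review bot: The alert text sends the reader to **Insider risk management** > **Settings** > **Policy indicators**, while the step directly above it calls the same place **Insider risk settings** > **Indicators**. Use one name for the page in both sentences so the reader is not left looking for two different pages.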
compliance Insider Risk Management Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-content-explorer.md
In some cases, data associated with a case may not be available as a snapshot fo
If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the *Insider Risk Management Investigators* role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities are not included in Content explorer.
->[!Note]
->Content explorer includes activities related to Microsoft Office files. Site-level activities, such as when a SharePoint site is deleted or if site permissions are changed, aren't included in Content explorer.
+> [!NOTE]
+> Content explorer includes activities related to Microsoft Office files. Site-level activities, such as when a SharePoint site is deleted or if site permissions are changed, aren't included in Content explorer.
## Column options
compliance Insider Risk Management Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
Insider risk management templates are pre-defined policy conditions that define
When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft 365 HR connector or the option to automatically monitor for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.
->[!IMPORTANT]
->When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization. If you choose not to use the HR connector, you must select the User account deleted from Azure AD option when configuring trigger events in the policy wizard.
+> [!IMPORTANT]
+> When using this template, you can configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization. If you choose not to use the HR connector, you must select the User account deleted from Azure AD option when configuring trigger events in the policy wizard.
### General data leaks
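Review bot: In the last sentence of the alert, the option name in "you must select the User account deleted from Azure AD option" is not set off from the surrounding text, unlike other UI labels in these articles such as **Turn on indicators**. Bold the option name so it is clear where the label starts and ends.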
When creating or modifying DLP policies for use with insider risk management pol
![DLP policy alert setting](../media/insider-risk-DLP-policy-high-severity.png)
- >[!NOTE]
- >When creating a new DLP policy using the built-in templates, you'll need to select the **Create or customize advanced DLP rules** option to configure the **Incident reports** setting for the *High* severity level.
+ > [!NOTE]
+ > When creating a new DLP policy using the built-in templates, you'll need to select the **Create or customize advanced DLP rules** option to configure the **Incident reports** setting for the *High* severity level.
Each insider risk management policy created from the **Data leaks** template can only have one DLP policy assigned. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the **Data leaks** template.
These insider risk management policies can use specific indicators and the order
- **Obfuscation**: These category signals focus on the masking of risky activities by in-scope policy users. An example activity in this category would be renaming files on a device. - **Clean-up**: These category signals focus on deletion activities by in-scope policy users. An example activity in this category would be deleting files from a device.
->[!NOTE]
->Sequence detection uses indicators that are enabled in the global settings for insider risk management and indicators that are selected in a policy. If appropriate indicators are not selected, sequence detection will not work.
+> [!NOTE]
+> Sequence detection uses indicators that are enabled in the global settings for insider risk management and indicators that are selected in a policy. If appropriate indicators are not selected, sequence detection will not work.
You can customize individual threshold settings for each sequence detection type when configured in the policy. These threshold settings adjust alerts based on the volume of files associated with the sequence.
Cumulative exfiltration detection is enabled by default when using the following
- Data leaks by priority users - Data leaks by disgruntled users
->[!NOTE]
->Cumulative exfiltration detection uses exfiltration indicators that are enabled in the global settings for insider risk management and exfiltration indicators that are selected in a policy. As such, cumulative exfiltration detection is only evaluated for the necessary exfiltration indicators selected.
+> [!NOTE]
+> Cumulative exfiltration detection uses exfiltration indicators that are enabled in the global settings for insider risk management and exfiltration indicators that are selected in a policy. As such, cumulative exfiltration detection is only evaluated for the necessary exfiltration indicators selected.
When cumulative exfiltration detection is enabled for data theft or data leak policies, insights from cumulative exfiltration activities are displayed on the **User activity** tab within an insider risk management case.
Complete the following steps to create a new policy:
2. Select **Create policy** to open the policy wizard. 3. On the **Policy template** page, choose a policy category and then select the template for the new policy. These templates are made up of conditions and indicators that define the risk activities you want to detect and investigate. Review the template prerequisites, triggering events, and detected activities to confirm this policy template fits your needs.
- >[!IMPORTANT]
- >Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
+ > [!IMPORTANT]
+ > Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** above.
4. Select **Next** to continue. 5. On the **Name and description** page, complete the following fields:
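Review bot: "see **Step 4** above" sits inside a numbered list whose next item is "4. Select **Next** to continue", so a reader can take it to mean item 4 of this same procedure. The sentence is identical to the one in the configure article, where steps are headings of the form "Step 1: ...". Here it should name or link the prerequisite section it refers to instead of using a bare step number.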
Complete the following steps to create a new policy:
12. Select **Next** to continue. 13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
- >[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ > [!IMPORTANT]
+ > If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
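Review bot: The [!IMPORTANT] alert in this hunk sends readers to **Insider risk management** > **Settings** > **Policy indicators**, while step 13 just above it refers to the **Insider risk settings** > **Indicators** page for what appears to be the same list. Since the alert text is being touched anyway, use one navigation path in both places so an admin who cannot select indicators lands on the right settings page.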
Complete the following steps to manage an existing policy:
12. Select **Next** to continue. 13. On the **Indicators and triggering events** page, you'll see the [indicators](insider-risk-management-settings.md#indicators) that you've defined as available on the **Insider risk settings** > **Indicators** page. If you selected a *Data leaks* template at the beginning of the wizard, you must select a DLP policy from the **DLP policy** dropdown list to enable triggering indicators for the policy or select the built-in triggering event.
- >[!IMPORTANT]
- >If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
+ > [!IMPORTANT]
+ > If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the **Turn on indicators** button in the wizard or select indicators on the **Insider risk management** > **Settings** > **Policy indicators** page.
Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the **Use default thresholds recommended by Microsoft** and enter the threshold values for each selected indicator.
Some scenarios where you may want to immediately start scoring user activities:
- When there is an incident that may require you to immediately start assigning risk scores to involved users' activity for one or more of your policies - When you have not configured your HR connector yet, but you want to start assigning risk scores to user activities for HR events by uploading a .csv file for the users
->[!NOTE]
->It may take several hours for new manually-added users to appear in the **Users** dashboard. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, navigate to the **Users** tab and select the user on the **Users** dashboard and open the **User activity** tab on the details pane.
+> [!NOTE]
+> It may take several hours for new manually-added users to appear in the **Users** dashboard. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, navigate to the **Users** tab and select the user on the **Users** dashboard and open the **User activity** tab on the details pane.
To manually start scoring activity for users in one or more insider risk management policies, complete the following steps:
To stop scoring users in a policy, see the [Insider risk management users: Remov
## Delete a policy
->[!NOTE]
->Deleting a policy does not delete active or archived alerts generated from the policy.
+> [!NOTE]
+> Deleting a policy does not delete active or archived alerts generated from the policy.
To delete an existing insider risk management policy, complete the following steps:
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
In some cases, you may want to limit the insider risk policy indicators that are
To define the insider risk policy indicators that are enabled in all insider risk policies, navigate to **Insider risk settings** > **Indicators** and select one or more policy indicators. The indicators selected on the Indicators settings page cannot be individually configured when creating or editing an insider risk policy in the policy wizard.
->[!NOTE]
->It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
+> [!NOTE]
+> It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
### Enable device indicators and onboard devices <a name="OnboardDevices"> </a>
Alerts from Defender for Endpoint are imported daily. Depending on the triage st
For example, if you select *New*, *In progress*, and *Resolved* for this setting, when a Microsoft Defender for Endpoint alert is generated and the status is *New*, an initial alert activity is imported for the user in insider risk. When the Defender for Endpoint triage status changes to *In progress*, a second activity for this alert is imported for the user in insider risk. When the final Defender for Endpoint triage status of *Resolved* is set, a third activity for this alert is imported for the user in insider risk. This functionality allows investigators to follow the progression of the Defender for Endpoint alerts and choose the level of visibility that their investigation requires.
->[!IMPORTANT]
->You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
+> [!IMPORTANT]
+> You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).
### Domains (preview)
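Review bot: The link target in the rewritten [!IMPORTANT] line still contains an escaped fragment, `advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center`. The backslash sits inside the URL rather than in rendered text, so it is likely to end up in the resolved address and miss the anchor; drop it while this line is being changed.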
Complete the following steps to edit a priority user group:
To delete an existing priority user group, you'll use setting controls in the **Insider risk management** solution in the Microsoft 365 compliance center. To delete a priority user group, you must be a member of the *Insider Risk Management* or *Insider Risk Management Admin* role group.
->[!IMPORTANT]
->Deleting a priority user group will remove it from any active policy to which it is assigned. If you delete a priority user group that is assigned to an active policy, the policy will not contain any in-scope users and will effectively be idle and will not create alerts.
+> [!IMPORTANT]
+> Deleting a priority user group will remove it from any active policy to which it is assigned. If you delete a priority user group that is assigned to an active policy, the policy will not contain any in-scope users and will effectively be idle and will not create alerts.
Complete the following steps to delete a priority user group:
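Review bot: The [!IMPORTANT] alert says a policy whose priority user group is deleted goes idle and stops creating alerts, but neither the alert nor the paragraph above it tells the admin how to check which active policies use the group first. Because the outcome is a silent loss of detection coverage, add a step or pointer for reviewing policy assignments before the delete.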
Complete the following steps to configure priority physical assets:
1. Follow the configuration steps for insider risk management in the [Getting started with insider risk management](insider-risk-management-configure.md) article. In Step 3, make sure you configure the Physical badging connector.
- >[!IMPORTANT]
- >For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for physical access activities for users in your organization.
+ > [!IMPORTANT]
+ > For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for physical access activities for users in your organization.
2. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Priority physical assets**. 3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to monitor for the asset events imported by the Physical badging connector or import a .csv file of all physical assets IDs imported by the Physical badging connector:
Complete the following steps to configure priority physical assets:
To delete an existing priority physical asset, you'll use setting controls in the Insider risk management solution in the Microsoft 365 compliance center. To delete a priority physical asset, you must be a member of the Insider Risk Management or Insider Risk Management Admin role group.
->[!IMPORTANT]
->Deleting a priority physical asset removes it from examination by any active policy to which it was previously included. Alerts generated by activities associated with the priority physical asset aren't deleted.
+> [!IMPORTANT]
+> Deleting a priority physical asset removes it from examination by any active policy to which it was previously included. Alerts generated by activities associated with the priority physical asset aren't deleted.
Complete the following steps to delete a priority physical asset:
Complete the following steps to create a Power Automate flow from a recommended
6. Select **Save draft** to save the flow for further configuration or select **Save** to complete the configuration for the flow. 7. Select **Close** to return to the **Power Automate flow** page. The new template will be listed as a flow on the **My flows** tabs and is automatically available from the **Automate** dropdown control when working with insider risk management cases for the user creating the flow.
->[!IMPORTANT]
->If other users in your organization need access to the flow, the flow must be shared.
+> [!IMPORTANT]
+> If other users in your organization need access to the flow, the flow must be shared.
![Insider risk management power automate flows](../media/insider-risk-settings-power-automate-flows.png)
compliance Insider Risk Management Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-users.md
The **Users dashboard** includes users added to insider risk management policies
When a user is manually added to a policy, the user activities for the previous 90 days are scored and added to the **User activity** timeline. For example, you have a user not currently being assigned risk scores for an insider risk policy and the user has data leak activities reported to the legal department in your organization. The legal department recommends that you configure new short-term monitoring requirements for the user. You can temporarily assign the user to your *Data leaks* policy for a designated length of time (activation window). All users added temporarily are displayed in the **Users dashboard** because triggering event requirements are waived.
->[!NOTE]
->It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
+> [!NOTE]
+> It may take several hours for new manually-added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab on the details pane.
The user is automatically removed from the **Users dashboard** and scoring stops when the time defined in the **Activation window** expires if: - the user doesn't have any additional triggering events or insider risk policy alerts, and - if the manually defined **Activation window** duration is longer than the global policy **Activation window** duration.
-The **Activation window** setting with the longest duration always overrides the **Activation window** setting with a shorter duration. For example, you've configured the **Activation window** on the global **Policy timeframes** tab in the insider risk management global settings for 15 days, which is automatically applied to all your insider risk policies.
+The **Activation window** setting with the longest duration always overrides the **Activation window** setting with a shorter duration. For example, you've configured the **Activation window** on the global **Policy timeframes** tab in the insider risk management global settings for 15 days, which is automatically applied to all your insider risk policies.
You temporarily add a user to your *Data leaks* insider risk policy and define 30 days as the **Activation window** for this user. The global **Activation window** setting of 15 days is overridden by defining the **Activation window** setting of 30 days for the temporarily added user. The temporarily added user will remain in the **Users dashboard** and be in-scope for the policy for 30 days.
Each user displayed in the **Users dashboard** has the following information:
![Insider risk management users dashboard](../media/insider-risk-users-dashboard.png)
->[!NOTE]
->The number of users displayed on the **Users dashboard** may be limited in some instances, depending on the volume of active alerts and matching policies. Users with active alerts are displayed on the **Users dashboard** as the alerts are generated, and there may be rare cases when the maximum number of displayed users is reached. If this limit happens, users with active alerts who aren't displayed will be added to the **Users dashboard** as existing user alerts are triaged.
+> [!NOTE]
+> The number of users displayed on the **Users dashboard** may be limited in some instances, depending on the volume of active alerts and matching policies. Users with active alerts are displayed on the **Users dashboard** as the alerts are generated, and there may be rare cases when the maximum number of displayed users is reached. If this limit happens, users with active alerts who aren't displayed will be added to the **Users dashboard** as existing user alerts are triaged.
## View user details To view more details about risk activity for a user, open the user details pane by double-clicking a user in the **Users dashboard**. On the details pane, you can view the following information: - **User profile** tab
- - **Name and title**: The name and position title for the user from Azure Active Directory. These user fields will be anonymized or empty if the global anonymization setting for insider risk management is enabled.
- - **User email**: The email address for the user.
- - **Alias**: The network alias for the user.
- - **Organization or department**: The organization or department for the user.
+ - **Name and title**: The name and position title for the user from Azure Active Directory. These user fields will be anonymized or empty if the global anonymization setting for insider risk management is enabled.
+ - **User email**: The email address for the user.
+ - **Alias**: The network alias for the user.
+ - **Organization or department**: The organization or department for the user.
- **User activity** tab
- - **History of recent user activity**: Lists both triggering indicators and insider risk indicators for user activities up to the last 180 days. All activities pertinent to insider risk indicators are also scored, though the activities may or may not have generated an insider risk alert. Triggering indicator examples may be a resignation date or the last scheduled date of work for the user. Insider risk indicators are activities determined to have an element of risk and are defined in policies that the user is included in. Event and risk activities are listed with the most recent item listed first.
+ - **History of recent user activity**: Lists both triggering indicators and insider risk indicators for user activities up to the last 180 days. All activities pertinent to insider risk indicators are also scored, though the activities may or may not have generated an insider risk alert. Triggering indicator examples may be a resignation date or the last scheduled date of work for the user. Insider risk indicators are activities determined to have an element of risk and are defined in policies that the user is included in. Event and risk activities are listed with the most recent item listed first.
## Remove users from in-scope assignment to policies There may be scenarios where you need to stop assigning risk scores to a user's activity in insider risk management policies. Use **Remove users** on the **Users dashboard** page to stop assigning risk scores for one or more users from all insider risk management policies that they are currently in-scope for. This action does not remove users from the overall policy assignment (when you add users or groups to a policy configuration), but simply removes the users from active processing by policies after current triggering events. If the users have another triggering event in the future, risk scores from policies will automatically begin to be assigned to the users again. Any existing alerts or cases for this user will not be removed.
->[!NOTE]
->Removing a user from a policy may take several minutes to complete. Once complete, the user will no longer be listed on the Users page. If the removed user has active alerts or cases, then the user will remain on the Users page and the details for the user will show that they are no longer in-scope for a policy.
+> [!NOTE]
+> Removing a user from a policy may take several minutes to complete. Once complete, the user will no longer be listed on the Users page. If the removed user has active alerts or cases, then the user will remain on the Users page and the details for the user will show that they are no longer in-scope for a policy.
To manually remove users from in-scope status in all insider risk management policies, complete the following steps:
compliance Insider Risk Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management.md
In the more serious situations, you may need to share the insider risk managemen
- **Advanced eDiscovery**: Escalating a case for investigation allows you to transfer data and management of the case to Advanced eDiscovery in Microsoft 365. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It allows legal teams to manage the entire legal hold notification workflow. To learn more about Advanced eDiscovery cases, see [Overview of Advanced eDiscovery in Microsoft 365](overview-ediscovery-20.md). - **Office 365 Management APIs integration (preview)**: Insider risk management supports exporting alert information to security information and event management (SIEM) services via the Office 365 Management APIs. Having access to alert information in the platform the best fits your organization's risk processes gives you more flexibility in how to act on risk activities. To learn more about exporting alert information with Office 365 Management APIs, see [Export alerts](insider-risk-management-settings.md#export-alerts-preview).
->[!NOTE]
->Thank you for your feedback and support during the preview of the ServiceNow connector. We've decided to end the preview of ServiceNow connector and discontinue support in insider risk management on November 30, 2020. We are actively evaluating alternative methods to provide customers with ServiceNow integration in insider risk management.
+> [!NOTE]
+> Thank you for your feedback and support during the preview of the ServiceNow connector. We've decided to end the preview of ServiceNow connector and discontinue support in insider risk management on November 30, 2020. We are actively evaluating alternative methods to provide customers with ServiceNow integration in insider risk management.
## Scenarios
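Review bot: The ServiceNow [!NOTE] is reformatted but still announces, as a pending decision, that support ends on November 30, 2020, a date already behind this 07/01/2021 update. Reword it in the past tense or remove it. In the context bullet above it, "in the platform the best fits" should read "in the platform that best fits".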
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
Boolean search operators, such as **AND**, **OR**, and **NOT**, help you define
|\>=|property\>=value|Denotes that the property being searched is greater than or equal to a specific value.<sup>1</sup>| |..|property:value1..value2|Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.<sup>1</sup>| |" "|"fair value" <br/> subject:"Quarterly Financials"|Use double quotation marks (" ") to search for an exact phrase or term in keyword and `property:value` search queries.|
-|\*|cat\* <br/> subject:set\*|Prefix searches (also called *prefix matching*) where a wildcard character ( * ) is placed at the end of a word in keywords or `property:value` queries. In prefix searches, the search returns results with terms that contain the word followed by zero or more characters. For example, ` Title: set*` returns documents that contain the word "set", "setup", and "setting" (and other words that start with "set") in the document title. <br/><br/> **Note:** You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat** ), infix searches (**c\*t**), and substring searches (**\*cat\***) are not supported.<br/><br/>Also, adding a period ( \. ) to a prefix search will change the results that are returned. That's because a period is treated as a stop word. For example, searching for **cat\*** and searching for **cat.\*** will return different results. We recommend not using a period in a prefix search. |
+|\*|cat\* <br/> subject:set\*|Prefix searches (also called *prefix matching*) where a wildcard character ( * ) is placed at the end of a word in keywords or `property:value` queries. In prefix searches, the search returns results with terms that contain the word followed by zero or more characters. For example, ` Title: set*` returns documents that contain the word "set", "setup", and "setting" (and other words that start with "set") in the document title. <br/><br/> **Note:** You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) are not supported.<br/><br/>Also, adding a period ( \. ) to a prefix search will change the results that are returned. That's because a period is treated as a stop word. For example, searching for **cat\*** and searching for **cat.\*** will return different results. We recommend not using a period in a prefix search. |
|( )|(fair OR free) AND (from:contoso.com) <br/> (IPO OR initial) AND (stock OR shares) <br/> (quarterly financials)|Parentheses group together Boolean phrases, `property:value` items, and keywords. For example, `(quarterly financials)` returns items that contain the words quarterly and financials.| |||||
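Review bot: In the `\*` row, the inline example ` Title: set*` keeps a leading space inside the code span and a space after the colon, which matches neither the `property:value` form nor the `subject:set\*` example in the same row. The change only removes the space in `(**\*cat** )`; bring the example in line with the other `property:value` samples in the same pass.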
compliance Microsoft 365 Compliance Center Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-redirection.md
Automatic redirection is enabled by default for all users accessing the followin
Users are automatically routed to the same compliance solutions in the Microsoft 365 compliance center (compliance.microsoft.com).
->[!NOTE]
->For other compliance solutions included in the Office 365 Security and Compliance Center, users will continue to manage these solutions in either the Microsoft 365 compliance center or the Office 365 Security and Compliance Center. The automatic redirection for these compliance solutions will be available soon.*
+> [!NOTE]
+> For other compliance solutions included in the Office 365 Security and Compliance Center, users will continue to manage these solutions in either the Microsoft 365 compliance center or the Office 365 Security and Compliance Center. The automatic redirection for these compliance solutions will be available soon.*
This feature and associated controls does not enable the automatic redirection of Security features for Microsoft Defender for Office 365. To enable the redirection for security features, see [Redirecting accounts from Microsoft Defender for Office 365 to the Microsoft 365 security center](/microsoft-365/security/defender/microsoft-365-security-mdo-redirection) for details.
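Review bot: The [!NOTE] text still ends with a stray asterisk, "will be available soon.*", with no opening `*` to pair with. It looks like the remainder of italics that were removed earlier; delete it so it does not render as a literal character or start unintended emphasis.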
This feature and associated controls does not enable the automatic redirection o
If something isn't working for you or if there's anything you're unable to complete through the Microsoft 365 compliance center portal, you can temporarily disable the automatic redirection for all users.
->[!IMPORTANT]
->The Microsoft 365 compliance center is the replacement management portal for compliance solutions currently managed in the Office 365 Security and Compliance center. All Microsoft 365 compliance solutions will be managed solely in the Microsoft 365 compliance center. Disabling redirection to the Microsoft 365 compliance center should be a short-term solution.*
+> [!IMPORTANT]
+> The Microsoft 365 compliance center is the replacement management portal for compliance solutions currently managed in the Office 365 Security and Compliance center. All Microsoft 365 compliance solutions will be managed solely in the Microsoft 365 compliance center. Disabling redirection to the Microsoft 365 compliance center should be a short-term solution.*
To switch back to the Office 365 Security and Compliance center (protection.microsoft.com) for all users, complete the following steps:
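Review bot: The [!IMPORTANT] alert writes "Office 365 Security and Compliance center" with a lowercase "center", while the [!NOTE] earlier in this file uses "Office 365 Security and Compliance Center". Pick one capitalization for the portal name, and remove the trailing `*` after "short-term solution." while editing this line.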
compliance Office 365 Encryption Risks And Protections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-encryption-risks-and-protections.md
Some risk scenarios and the currently available encryption technologies that mit
| | SharePoint Online | Supports [Cryptographic Mode 2](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh867439(v=ws.10)), an updated and enhanced RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and SHA-256 for signature. | [Managed by Microsoft](/azure/information-protection/plan-implement-tenant-key), which is the default setting; or <br> <br> Customer-managed, which is an alternative to Microsoft-managed keys. Organizations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see [Implementing bring your own key](/azure/information-protection/plan-implement-tenant-key). In this configuration, nCipher HSMs are used to protect your keys. For more information, see [nCipher HSMs and Azure RMS](https://www.thales-esecurity.com/msrms/cloud). | Yes | | S/MIME | Exchange Online | Cryptographic Message Syntax Standard 1.5 (PKCS #7) | Depends on the customer-managed public key infrastructure deployed. Key management is performed by the customer, and Microsoft never has access to the private keys used for signing and decryption. | Yes, when configured to encrypt outgoing messages with 3DES or AES256 | | Office 365 Message Encryption | Exchange Online | Same as Azure RMS ([Cryptographic Mode 2](./technical-reference-details-about-encryption.md) - RSA 2048 for signature and encryption, and SHA-256 for signature) | Uses Azure Information Protection as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages. | Yes |
-| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA-256 with RSA Encryption certificate issued by DigiCert Cloud Services CA-1. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA-1 with RSA Encryption certificate issued by [GlobalSign Root CA ΓÇô R1](./exchange-online-uses-tls-to-secure-email-connections.md?view=o365-worldwide#tls-certificate-information-for-exchange-online). <br> <br> Be aware that, for security reasons, our certificates do change from time to time. | Yes, when TLS 1.2 with 256-bit cipher strength is used |
+| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA-256 with RSA Encryption certificate issued by DigiCert Cloud Services CA-1. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA-1 with RSA Encryption certificate issued by [GlobalSign Root CA ΓÇô R1](./exchange-online-uses-tls-to-secure-email-connections.md#tls-certificate-information-for-exchange-online). <br> <br> Be aware that, for security reasons, our certificates do change from time to time. | Yes, when TLS 1.2 with 256-bit cipher strength is used |
*\*TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
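Review bot: The changed row drops `?view=o365-worldwide` from the link but leaves the link text as "GlobalSign Root CA ΓÇô R1", where "ΓÇô" is a mis-encoded dash. Replace it with a plain hyphen or a correctly encoded en dash so the certificate authority name is readable and searchable.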
Some risk scenarios and the currently available encryption technologies that mit
| | SharePoint Online | Supports [Cryptographic Mode 2](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh867439(v=ws.10)), an updated and enhanced RMS cryptographic implementation. It supports RSA 2048 for signature and encryption, and SHA-256 for hash in the signature. | [Managed by Microsoft](/azure/information-protection/plan-implement-tenant-key), which is the default setting; or <br> <br> Customer-managed (also known as BYOK), which is an alternative to Microsoft-managed keys. Organizations that have an IT-managed Azure subscription can use BYOK and log its usage at no extra charge. For more information, see [Implementing bring your own key](/azure/information-protection/plan-implement-tenant-key). <br> <br> In the BYOK scenario, nCipher HSMs are used to protect your keys. For more information, see [nCipher HSMs and Azure RMS](https://www.thales-esecurity.com/msrms/cloud). | Yes | | S/MIME | Exchange Online | Cryptographic Message Syntax Standard 1.5 (PKCS #7) | Depends on the public key infrastructure deployed. | Yes, when configured to encrypt outgoing messages with 3DES or AES-256. | | Office 365 Message Encryption | Exchange Online | Same as Azure RMS ([Cryptographic Mode 2](./technical-reference-details-about-encryption.md) - RSA 2048 for signature and encryption, and SHA-256 for hash in the signature) | Uses Azure RMS as its encryption infrastructure. The encryption method used depends on where you obtain the RMS keys used to encrypt and decrypt messages. <br> <br> If you use Microsoft Azure RMS to obtain the keys, Cryptographic Mode 2 is used. If you use Active Directory (AD) RMS to obtain the keys, either Cryptographic Mode 1 or Cryptographic Mode 2 is used. The method used depends on your on-premises AD RMS deployment. Cryptographic Mode 1 is the original AD RMS cryptographic implementation. It supports RSA 1024 for signature and encryption and supports SHA-1 for signature. 
This mode continues to be supported by all current versions of RMS, except for BYOK configurations that use HSMs. | Yes |
-| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA-256 with RSA Encryption certificate issued by DigiCert Cloud Services CA-1. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA-1 with RSA Encryption certificate issued by [GlobalSign Root CA ΓÇô R1](./exchange-online-uses-tls-to-secure-email-connections.md?view=o365-worldwide#tls-certificate-information-for-exchange-online). <br> <br> Be aware that, for security reasons, our certificates do change from time to time. | Yes, when TLS 1.2 with 256-bit cipher strength is used |
+| SMTP TLS with partner organization | Exchange Online | TLS 1.2 with AES 256 | The TLS certificate for Exchange Online (outlook.office.com) is a 2048-bit SHA-256 with RSA Encryption certificate issued by DigiCert Cloud Services CA-1. <br> <br> The TLS root certificate for Exchange Online is a 2048-bit SHA-1 with RSA Encryption certificate issued by [GlobalSign Root CA ΓÇô R1](./exchange-online-uses-tls-to-secure-email-connections.md#tls-certificate-information-for-exchange-online). <br> <br> Be aware that, for security reasons, our certificates do change from time to time. | Yes, when TLS 1.2 with 256-bit cipher strength is used |
*\*TLS certificates referenced in this table are for US datacenters; non-US datacenters also use 2048-bit SHA256RSA certificates.*
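Review bot: the link text on the changed SMTP TLS row still reads "GlobalSign Root CA ΓÇô R1". The dash between "CA" and "R1" is mis-encoded on both the removed and the added line, so this edit is a good place to replace it with a plain hyphen or a correctly encoded en dash. The same cell names a specific issuer (DigiCert Cloud Services CA-1) and then says the certificates change from time to time; consider leaning on the linked certificate section as the source of truth so this row does not go stale.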
compliance Plan For Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/plan-for-security-and-compliance.md
Managing security and compliance is a partnership. You are responsible for prote
Orient yourself to the information protection capabilities in the Information Protection for Office 365 poster.
-[Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md?view=o365-worldwide)
+[Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md)
## Step 2: Check your Secure Score
compliance Predictive Coding Create Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/predictive-coding-create-model.md
description: "Learn how to create a predictive coding model in Advanced eDiscove
The first step in using the machine learning capabilities of predictive coding in Advanced eDiscovery is to create a predictive coding model. After you create a model, you can train it identify the relevant and non-relevant content in a review set.
-To review the predictive coding workflow, see [Learn about predictive coding in Advanced eDiscovery ](predictive-coding-overview.md#the-predictive-coding-workflow)
+To review the predictive coding workflow, see [Learn about predictive coding in Advanced eDiscovery](predictive-coding-overview.md#the-predictive-coding-workflow)
## Before you create a model
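Review bot: the changed sentence "To review the predictive coding workflow, see [...]" still ends without a period after the link, on both the old and the new line. The paragraph directly above it also reads "you can train it identify", which is missing "to". Both are worth fixing in the same pass as the link-text cleanup.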
compliance Predictive Coding Train Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/predictive-coding-train-model.md
audience: Admin
localization_priority: Normal
+search.appverid:
- MET150 description: ""
description: ""
After you create a predictive coding model in Advanced eDiscovery, the next step is to performing the first training round to train the model on what is relevant and non-relevant content in your review set. After you complete the first round of training, you can perform subsequent training rounds to improve the model's ability to predict relevant and non-relevant content.
-To review the predictive coding workflow, see [Learn about predictive coding in Advanced eDiscovery ](predictive-coding-overview.md#the-predictive-coding-workflow)
+To review the predictive coding workflow, see [Learn about predictive coding in Advanced eDiscovery](predictive-coding-overview.md#the-predictive-coding-workflow)
## Before you train a model -- During a training round, label items as **Relevant** or **Not relevant** based on the relevancy of the content in the document. Don't base your decision on the values in the metadata fields. For example, for email messages or Teams conversations, don't base your labeling decision on the message participants.
+- During a training round, label items as **Relevant** or **Not relevant** based on the relevancy of the content in the document. Don't base your decision on the values in the metadata fields. For example, for email messages or Teams conversations, don't base your labeling decision on the message participants.
## Train a model for the first time
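Review bot: the front matter for this article shows `description: ""`, so the page would publish with an empty description while `search.appverid` is being added next to it. Fill in the description in the same change. The opening paragraph also reads "the next step is to performing the first training round", which should be "to perform".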
After you perform the first training round, a job is started that does the follo
- Based on how you labeled the 40 items in the training set, the model learns from your labeling and updates itself to become more accurate. -- The model then processes each item in the entire review set and assigns a prediction score between **0** (not relevant) and **1** (relevant).
+- The model then processes each item in the entire review set and assigns a prediction score between **0** (not relevant) and **1** (relevant).
- The model assigns a prediction score to the 10 items in the control set that you labeled during the training round. The model compares the prediction score of these 10 items with the actual label that you assigned to the item during the training round. Based on this comparison, the model identifies the following classification (called the *Control set confusion matrix*) to assess the model's prediction performance:
-
+ | |Model predicts item is relevant |Model predicts item is not relevant | |:|:|:| |**Reviewer labels item as relevant**| True positive| False positive |
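Review bot: in the added confusion-matrix row, the cell under "Model predicts item is not relevant" for **Reviewer labels item as relevant** says "False positive". An item the reviewer labeled relevant that the model predicts as not relevant is a false negative. A false positive belongs in the other row (reviewer labels the item not relevant), under "Model predicts item is relevant". As written, readers would misread how the control set scores the model, so correct the cell before this lands.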
compliance Prepare Tls 1.2 In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-tls-1.2-in-office-365.md
If you are using any on-premises infrastructure for hybrid scenarios or Active D
The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1. - For Windows 7 clients that connect to Office 365, make sure that TLS 1.2 is the default secure protocol in WinHTTP in Windows. For more information see [KB 3140245 - Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in).-- [TLS cipher suites supported by Office 365](/microsoft-365/compliance/technical-reference-details-about-encryption?view=o365-worldwide#tls-cipher-suites-supported-by-office-365)
+- [TLS cipher suites supported by Office 365](/microsoft-365/compliance/technical-reference-details-about-encryption#tls-cipher-suites-supported-by-office-365)
- To start addressing weak TLS use by removing TLS 1.0 and 1.1 dependencies, see [TLS 1.2 support at Microsoft](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/). - [New IIS functionality](https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/) makes it easier to find clients on [Windows Server 2012 R2](https://support.microsoft.com/help/4025335/windows-8-1-windows-server-2012-r2-update-kb4025335) and [Windows Server 2016](https://support.microsoft.com/help/4025334/windows-10-update-kb4025334) that connect to the service by using weak security protocols. - Get more information about how to [solve the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266).
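Review bot: the new cipher-suite link keeps the site-absolute form `/microsoft-365/compliance/technical-reference-details-about-encryption#...`, while the encryption article in this same update links to that page as `./technical-reference-details-about-encryption.md`. Since both articles sit in the compliance folder, a relative `.md` link here would match. In the preceding bullet, "For more information see" also needs a comma after "information".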
compliance Privileged Access Management Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privileged-access-management-configuration.md
- m365-security-compliance - m365solution-insiderrisk - m365initiative-compliance-+ - Ent_Solutions - seo-marvel-apr2020
+ms.assetid:
description: Use this article to learn more about enabling and configuring privileged access management in Office 365.
Before you get started with privileged access management, you should confirm you
- Microsoft 365 E5 subscription (paid or trial version) - Microsoft 365 E3 subscription (or Office 365 E3 subscription + Enterprise Mobility and Security E3 subscription) + the Microsoft 365 E5 Compliance add-on-- Any Microsoft 365, Office 365, Exchange, SharePoint, or OneDrive for Business subscription + the Microsoft 365 E5 Insider Risk Management add-on
+- Any Microsoft 365, Office 365, Exchange, SharePoint, or OneDrive for Business subscription + the Microsoft 365 E5 Insider Risk Management add-on
- Microsoft 365 A5 subscription (paid or trial version) - Microsoft 365 A3 subscription (or Office 365 A3 subscription + Enterprise Mobility and Security A3 subscription) + the Microsoft A5 Compliance add-on - Any Microsoft 365, Office 365, Exchange, SharePoint, or OneDrive for Education subscription + the Microsoft 365 A5 Insider Risk Management add-on
Before you get started with privileged access management, you should confirm you
Users submitting and responding to privileged access management requests must be assigned one of the licenses above.
->[!IMPORTANT]
->Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
+> [!IMPORTANT]
+> Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
If you don't have an existing Office 365 Enterprise E5 plan and want to try privileged access management, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing Office 365 subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 Enterprise E5.
Follow these steps to set up and use privileged access in your organization:
Once enabled, privileged access requires approvals for any task that has an associated approval policy defined. For tasks included in an approval policy, users must request and be granted access approval to have permissions necessary to execute the task.
-After approval is granted, the requesting user can execute the intended task and privileged access will authorize and execute the task on behalf of the user. The approval remains valid for the requested duration (default duration is 4 hours), during which the requester can execute the intended task multiple times. All such executions are logged and made available for security and compliance auditing.
+After approval is granted, the requesting user can execute the intended task and privileged access will authorize and execute the task on behalf of the user. The approval remains valid for the requested duration (default duration is 4 hours), during which the requester can execute the intended task multiple times. All such executions are logged and made available for security and compliance auditing.
->[!NOTE]
->If you want to use Exchange Management PowerShell to enable and configure privileged access, follow the steps in [Connect to Exchange Online PowerShell using Multi-Factor authentication](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-using-mfa) to connect to Exchange Online PowerShell with your Office 365 credentials. You do not need to enable multi-factor authentication for your organization to use the steps to enable privileged access while connecting to Exchange Online PowerShell. Connecting with multi-factor authentication creates an OAuth token that is used by privileged access for signing your requests.
+> [!NOTE]
+> If you want to use Exchange Management PowerShell to enable and configure privileged access, follow the steps in [Connect to Exchange Online PowerShell using Multi-Factor authentication](/powershell/exchange/connect-to-exchange-online-powershell#connect-to-exchange-online-powershell-using-mfa) to connect to Exchange Online PowerShell with your Office 365 credentials. You do not need to enable multi-factor authentication for your organization to use the steps to enable privileged access while connecting to Exchange Online PowerShell. Connecting with multi-factor authentication creates an OAuth token that is used by privileged access for signing your requests.
<a name="step1"> </a>
Example:
Enable-ElevatedAccessControl -AdminGroup 'pamapprovers@fabrikam.onmicrosoft.com' -SystemAccounts @('sys1@fabrikamorg.onmicrosoft.com', 'sys2@fabrikamorg.onmicrosoft.com') ```
->[!NOTE]
->System accounts feature is made available to ensure certain automations within your organizations can work without dependency on privileged access, however it is recommended that such exclusions be exceptional and those allowed should be approved and audited regularly.
+> [!NOTE]
+> System accounts feature is made available to ensure certain automations within your organizations can work without dependency on privileged access, however it is recommended that such exclusions be exceptional and those allowed should be approved and audited regularly.
<a name="step3"> </a>
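Review bot: the example directly above the reformatted note mixes tenant domains: `-AdminGroup` uses `fabrikam.onmicrosoft.com` while both `-SystemAccounts` entries use `fabrikamorg.onmicrosoft.com`. Pick one sample domain so readers do not copy a mismatched pair. The note itself is a comma splice ("...without dependency on privileged access, however it is recommended..."). Because it describes accounts that bypass approval, split it into two sentences so the recommendation to keep exclusions exceptional, approved and regularly audited stands on its own.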
You can create and configure up to 30 privileged access policies for your organi
4. Select **Configure policies** and select **Add a policy**. 5. From the drop-down fields, select the appropriate values for your organization:
-
+ **Policy type**: Task, Role, or Role Group **Policy scope**: Exchange
compliance Put An In Place Hold On A Soft Deleted Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/put-an-in-place-hold-on-a-soft-deleted-mailbox.md
Learn how to create an In-Place Hold for a soft-deleted mailbox to make it inact
> [!IMPORTANT] > As we continue to invest in different ways to preserve mailbox content, we're announcing the retirement of In-Place Holds in the Exchange admin center (EAC). Starting July 1, 2020 you won't be able to create new In-Place Holds in Exchange Online. But you'll still be able to manage In-Place Holds in the EAC or by using the **Set-MailboxSearch** cmdlet in Exchange Online PowerShell. However, starting October 1, 2020, you won't be able to manage In-Place Holds. You'll only be remove them in the EAC or by using the **Remove-MailboxSearch** cmdlet. For more information about the retirement of In-Place Holds, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md).
-
-You might have a situation where a person has left your organization, and their corresponding user account and mailbox were deleted. Afterwards, you realize there's information in the mailbox that needs to be preserved. What can you do? If the deleted mailbox retention period hasn't expired, you can put an In-Place Hold on the deleted mailbox (called a soft-deleted mailbox ) and make it an inactive mailbox. An *inactive mailbox* is used to preserve a former employee's email after he or she leaves your organization. The contents of an inactive mailbox are preserved for the duration of the In-Place Hold that was is placed on the soft-deleted mailbox when it was made inactive. After the mailbox is made inactive, you can search the mailbox by using In-Place eDiscovery in Exchange Online, Content Search in the Security & Compliance Center, or the eDiscovery Center in SharePoint Online.
-
+
+You might have a situation where a person has left your organization, and their corresponding user account and mailbox were deleted. Afterwards, you realize there's information in the mailbox that needs to be preserved. What can you do? If the deleted mailbox retention period hasn't expired, you can put an In-Place Hold on the deleted mailbox (called a soft-deleted mailbox) and make it an inactive mailbox. An *inactive mailbox* is used to preserve a former employee's email after he or she leaves your organization. The contents of an inactive mailbox are preserved for the duration of the In-Place Hold that was is placed on the soft-deleted mailbox when it was made inactive. After the mailbox is made inactive, you can search the mailbox by using In-Place eDiscovery in Exchange Online, Content Search in the Security & Compliance Center, or the eDiscovery Center in SharePoint Online.
+ > [!NOTE]
-> In Exchange Online, a soft-deleted mailbox is a mailbox that's been deleted but can be recovered within a specific retention period. The soft-deleted mailbox retention period in Exchange Online is 30 days. This means that the mailbox can be recovered (or made an inactive mailbox) within 30 days of being deleted. After 30 days, a soft-deleted mailbox is marked for permanent deletion and can't be recovered or made inactive.
-
+> In Exchange Online, a soft-deleted mailbox is a mailbox that's been deleted but can be recovered within a specific retention period. The soft-deleted mailbox retention period in Exchange Online is 30 days. This means that the mailbox can be recovered (or made an inactive mailbox) within 30 days of being deleted. After 30 days, a soft-deleted mailbox is marked for permanent deletion and can't be recovered or made inactive.
+ ## Requirements for In-Place Holds -- You have to use the **New-MailboxSearch** cmdlet in Windows PowerShell to put an In-Place Hold on a soft-deleted mailbox. You can't use the Exchange admin center (EAC) or the eDiscovery Center in SharePoint Online.
+- You have to use the **New-MailboxSearch** cmdlet in Windows PowerShell to put an In-Place Hold on a soft-deleted mailbox. You can't use the Exchange admin center (EAC) or the eDiscovery Center in SharePoint Online.
- To learn how to use Windows PowerShell to connect to Exchange Online, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). -- Run the following command to get identity information about the soft-deleted mailboxes in your organization.
+- Run the following command to get identity information about the soft-deleted mailboxes in your organization.
```powershell Get-Mailbox -SoftDeletedMailbox | FL Name,WhenSoftDeleted,DistinguishedName,ExchangeGuid,PrimarySmtpAddress
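Review bot: the rewritten paragraph still contains "the In-Place Hold that was is placed on the soft-deleted mailbox"; drop either "was" or "is". The IMPORTANT callout above it reads "You'll only be remove them in the EAC", which is missing "able to". Since this hunk already touches the paragraph to fix the stray space before the parenthesis, these can go in with it.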
You might have a situation where a person has left your organization, and their
## Put an In-Place Hold on a soft-deleted mailbox to make it an inactive mailbox Use the **New-MailboxSearch** cmdlet to make a soft-deleted mailbox an inactive mailbox. For more information, see [New-MailboxSearch](/powershell/module/exchange/new-mailboxsearch).
-
+ 1. Create a variable that contains the properties of the soft-deleted mailbox. ```powershell
Use the **New-MailboxSearch** cmdlet to make a soft-deleted mailbox an inactive
``` > [!IMPORTANT]
- > In the previous command, use the value of the **DistinguishedName** or **ExchangeGuid** property to identify the soft-deleted mailbox. These properties are unique for each mailbox in your organization, whereas it's possible that an active mailbox and a soft-deleted mailbox might have the same primary SMTP address.
-
+ > In the previous command, use the value of the **DistinguishedName** or **ExchangeGuid** property to identify the soft-deleted mailbox. These properties are unique for each mailbox in your organization, whereas it's possible that an active mailbox and a soft-deleted mailbox might have the same primary SMTP address.
+ 2. Create an In-Place Hold and place it on the soft-deleted mailbox. In this example, no hold duration is specified. This means items will be held indefinitely or until the hold is removed from the inactive mailbox. ```powershell
Use the **New-MailboxSearch** cmdlet to make a soft-deleted mailbox an inactive
``` Or
-
+ ```powershell Get-Mailbox -InactiveMailboxOnly -Identity $SoftDeletedMailbox.DistinguishedName | FL IsInactiveMailbox ```
Use the **New-MailboxSearch** cmdlet to make a soft-deleted mailbox an inactive
## More information After you make a soft-deleted mailbox an inactive mailbox, there are a number of ways you can manage the mailbox. For more information, see:
-
+ - [Change the hold duration for an inactive mailbox](change-the-hold-duration-for-an-inactive-mailbox.md) - [Recover an inactive mailbox](recover-an-inactive-mailbox.md)
compliance Record Versioning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/record-versioning.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Priority-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150 description: "Learn about records to help you implement a records management solution in Microsoft 365."
description: "Learn about records to help you implement a records management sol
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*
->[!NOTE]
+> [!NOTE]
> Because regulatory records block editing, record versioning is not available for regulatory records. The ability to mark a document as a [record](records-management.md#records) and restrict actions that can be performed on the record is an essential goal for any records management solution. However, collaboration might also be needed for people to create subsequent versions. For example, you might mark a sales contract as a record, but then need to update the contract with new terms and mark the latest version as a new record while still retaining the previous record version. For these types of scenarios, SharePoint and OneDrive support *record versioning*. OneNote notebook folders don't support record versioning.
-To use record versioning, you first [label the document and mark it as a record](declare-records.md). At this point, a document property, called *Record status* is displayed next to the retention label, and the initial record status is **Locked**.
+To use record versioning, you first [label the document and mark it as a record](declare-records.md). At this point, a document property, called *Record status* is displayed next to the retention label, and the initial record status is **Locked**.
You can now do the following things:
- - **Continually edit and retain individual versions of the document as records, by unlocking and locking the Record status property.** Only when the **Record status** property is set to **Locked** is a new version of the record retained. This toggle of locked and unlocked reduces the risk of retaining unnecessary versions and copies of the document.
+- **Continually edit and retain individual versions of the document as records, by unlocking and locking the Record status property.** Only when the **Record status** property is set to **Locked** is a new version of the record retained. This toggle of locked and unlocked reduces the risk of retaining unnecessary versions and copies of the document.
- - **Have the records automatically stored in an in-place records repository located within the site collection.** Each site collection in SharePoint and OneDrive preserves content in its Preservation Hold library. Record versions are stored in the Records folder in this library.
+- **Have the records automatically stored in an in-place records repository located within the site collection.** Each site collection in SharePoint and OneDrive preserves content in its Preservation Hold library. Record versions are stored in the Records folder in this library.
- - **Maintain an evergreen document that contains all versions.** By default, each SharePoint and OneDrive document has a version history available on the item menu. In this version history, you can easily see which versions are records and view those documents.
+- **Maintain an evergreen document that contains all versions.** By default, each SharePoint and OneDrive document has a version history available on the item menu. In this version history, you can easily see which versions are records and view those documents.
> [!TIP] > When you use record versioning with a retention label that has a delete action, consider configuring the retention setting **Start the retention period based on:** to be **When items were labeled**. With this label setting, the start of the retention period is reset for each new record version, which ensures that older versions will be deleted before newer versions.
-Record versioning is automatically available for any document that has a retention label that marks the item as a record. When a user views the document properties by using the details pane, they can toggle the **Record status** from **Locked** to **Unlocked**. This action creates a record in the Records folder in the Preservation Hold library, where it resides for the remainder of its retention period.
+Record versioning is automatically available for any document that has a retention label that marks the item as a record. When a user views the document properties by using the details pane, they can toggle the **Record status** from **Locked** to **Unlocked**. This action creates a record in the Records folder in the Preservation Hold library, where it resides for the remainder of its retention period.
While the document is unlocked, any user with standard edit permissions can edit the file. However, users can't delete the file, because it's still a record. When editing is complete, a user can then toggle the **Record status** from **Unlocked** to **Locked**, which prevents further edits while in this status. <br/><br/>
For more information about searching for these events, see [Search the audit log
## Next steps
-For other scenarios supported by records management, see [Common scenarios for records management](get-started-with-records-management.md#common-scenarios-for-records-management).
+For other scenarios supported by records management, see [Common scenarios for records management](get-started-with-records-management.md#common-scenarios-for-records-management).
compliance Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/records-management.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Priority-+ - M365-security-compliance - m365solution-mig - m365initiative-compliance
+search.appverid:
- MOE150 - MET150
By using retention labels to declare records, you can implement a single and con
### Compare restrictions for what actions are allowed or blocked
-Use the following table to identify what restrictions are placed on content as a result of applying a standard retention label, and retention labels that mark content as a record or regulatory record.
+Use the following table to identify what restrictions are placed on content as a result of applying a standard retention label, and retention labels that mark content as a record or regulatory record.
A standard retention label has retention settings and actions but doesn't mark content as a record or a regulatory record.
->[!NOTE]
+> [!NOTE]
> For completeness, the table includes columns for a locked and unlocked record, which is applicable to SharePoint and OneDrive, but not Exchange. The ability to lock and unlock a record uses [record versioning](record-versioning.md) that isn't supported for Exchange items. So for all Exchange items that are marked as a record, the behavior maps to the **Record - locked** column, and the **Record - unlocked column** is not relevant.
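Review bot: in the NOTE, the two column names are bolded inconsistently: "**Record - locked** column" leaves "column" outside the bold, while "**Record - unlocked column**" pulls it inside. Move the closing `**` so it reads "**Record - unlocked** column", matching the first reference and the actual table heading.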
Footnotes:
<sup>1</sup> Supported by OneDrive and Exchange by retaining a copy in a secured location, but blocked by SharePoint.
-When you apply a retention label to a list item that has a document attachment, that document doesn't inherit the retention settings and can be deleted from the list item. In comparison, if that list item was declared a record with a retention label, the document attachment would inherit the retention settings and couldn't be deleted.
+When you apply a retention label to a list item that has a document attachment, that document doesn't inherit the retention settings and can be deleted from the list item. In comparison, if that list item was declared a record with a retention label, the document attachment would inherit the retention settings and couldn't be deleted.
<sup>2</sup> Containers include SharePoint document libraries, OneDrive accounts, and Exchange mailboxes.
->[!IMPORTANT]
-> The most important difference for a regulatory record is that after it is applied to content, nobody, not even a global administrator, can remove the label.
+> [!IMPORTANT]
+> The most important difference for a regulatory record is that after it is applied to content, nobody, not even a global administrator, can remove the label.
> > Retention labels configured for regulatory records also have the following admin restrictions:
+>
> - The retention period can't be made shorter after the label is saved, only extended.
-> - These labels aren't supported by auto-labeling policies, and must be applied by using [retention label policies](create-apply-retention-labels.md).
+> - These labels aren't supported by auto-labeling policies, and must be applied by using [retention label policies](create-apply-retention-labels.md).
> > In addition, a regulatory label can't be applied to a document that's checked out in SharePoint.
->
+>
> Because of the restrictions and irreversible actions, make sure you really do need to use regulatory records before you select this option for your retention labels. To help prevent accidental configuration, this option is not available by default but must first be enabled by using PowerShell. Instructions are included in [Declare records by using retention labels](declare-records.md). ## Configuration guidance
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
To use the retention cmdlets, you must first [connect to the Office 365 Security
- [Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) -- [Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/set-recordreviewnotificationtemplateconfig )
+- [Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/set-recordreviewnotificationtemplateconfig)
- [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy)
compliance Search For Content https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-content.md
f1.keywords:
Previously updated : Last updated : audience: Admin
description: "Use the Content Search eDiscovery tool in the Security & Complianc
# Search for content using the Content Search tool Use the Content Search tool in the Security & Compliance Center to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the content search tool to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups.
-
+ ## Search for content The first step is to starting using the Content Search tool to choose content locations to search and configure a keyword query to search for specific items. Or, you can just leave the query blank and return all items in the target locations.
-
+ - [Create and run](content-search.md) a Content search - [Feature reference] for Content search (content-search-reference.md) -- [Build search queries and use conditions](keyword-queries-and-search-conditions.md) to narrow your search
+- [Build search queries and use conditions](keyword-queries-and-search-conditions.md) to narrow your search
-- [Configure search permissions filtering](permissions-filtering-for-content-search.md) so that an eDiscovery manager can only search subset of mailboxes or sites in your organization
+- [Configure search permissions filtering](permissions-filtering-for-content-search.md) so that an eDiscovery manager can only search subset of mailboxes or sites in your organization
-- [Run an ID list search](csv-file-for-an-id-list-content-search.md) to search for specific email messages
+- [Run an ID list search](csv-file-for-an-id-list-content-search.md) to search for specific email messages
-- [Search cloud-based mailboxes ](search-cloud-based-mailboxes-for-on-premises-users.md) for on-premises users in Microsoft 365
+- [Search cloud-based mailboxes](search-cloud-based-mailboxes-for-on-premises-users.md) for on-premises users in Microsoft 365
- [View keyword statistics](view-keyword-statistics-for-content-search.md) for the results of a search and then refine the query if necessary
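Review bot: the second bullet under "Search for content" has its link text and target split apart, `[Feature reference] for Content search (content-search-reference.md)`, so it will not render as a link, and this whitespace-only change leaves it that way. Suggest `[Feature reference](content-search-reference.md) for Content search`. While the section is being touched, "The first step is to starting using the Content Search tool" and "can only search subset of mailboxes" (carried over unchanged onto the added line) also need a wording fix.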
The first step is to starting using the Content Search tool to choose content lo
- [Retry a Content Search](retry-failed-content-search.md) to resolve a content location error -- [Preserve Bcc recipients](/exchange/policy-and-compliance/holds/preserve-bcc-recipients-and-group-members) so you can search for them
+- [Preserve Bcc recipients](/exchange/policy-and-compliance/holds/preserve-bcc-recipients-and-group-members) so you can search for them
## Perform actions on content you find After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or in the case of a email attack on your organization, you can delete the results of a search from user mailboxes.
-
-- [Export the results of a content search](export-search-results.md) and download them to your local computer +
+- [Export the results of a content search](export-search-results.md) and download them to your local computer
- [Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md) , such as messages that content a virus, dangerous attachments, or phishing messages -- [Export a report](export-a-content-search-report.md) about the results of a content search, without exporting the actual results
+- [Export a report](export-a-content-search-report.md) about the results of a content search, without exporting the actual results
## Learn more about content search Content Search is easy to use, but it's also a powerful tool. Behind-the-scenes, there's a lot going on. The more you know about it and understand its behavior and its limitations, the more successful you'll be using it for your organization's search and investigation needs. Learn about:
-
+ - [Partially indexed items in Exchange and SharePoint](partially-indexed-items-in-content-search.md) and how to include or exclude them when you export and download search results - [Investigate partially indexed items](investigating-partially-indexed-items-in-ediscovery.md) and determine your organization's exposure to them
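Review bot: the "Search for and delete email messages" bullet still reads "messages that content a virus" (should be "contain") and has a stray space before the comma after the link; the intro sentence above it says "a email attack". Neither is addressed by the trailing-whitespace cleanup in this part of the file, and both sit in the one passage that tells admins how to purge malicious mail, so they are worth fixing in the same commit.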
Content Search is easy to use, but it's also a powerful tool. Behind-the-scenes,
## Use scripts for advanced scenarios Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and fast to use PowerShell commands in the Security & Compliance Center. To help make this easier, we've created a number of Security & Compliance Center PowerShell scripts to help you complete complex content search-related tasks.
-
+ - [Search specific mailbox and site folders](use-content-search-for-targeted-collections.md) (called a *targeted collection) when you're confident that items responsive to a case are located in that folder -- [Search the mailbox and OneDrive location](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md) for a list of users
+- [Search the mailbox and OneDrive location](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md) for a list of users
-- [Create, report on, and delete multiple searches](create-report-on-and-delete-multiple-content-searches.md) to quickly and efficiently identify and cull search data
+- [Create, report on, and delete multiple searches](create-report-on-and-delete-multiple-content-searches.md) to quickly and efficiently identify and cull search data
- [Clone a content search](clone-a-content-search.md) and quickly compare the results of different keyword search queries run on the same content locations; or use the script to save time by not having to re-enter a large number of content locations when you create a new search
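Review bot: in the "Search specific mailbox and site folders" bullet, `(called a *targeted collection)` opens emphasis with a single asterisk and never closes it, which will either render a literal asterisk or italicize the rest of the line. Suggest `(called a *targeted collection*)`. The intro sentence "it's easier and fast to use PowerShell commands" should read "easier and faster".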
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Let users assign permissions: <br /> - Prompt users](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md)
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | Rolling out: 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2105: June 18+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |
compliance Set Up Encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-encryption.md
With Office 365, several encryption capabilities are available by default. Addit
|People are communicating via email (Exchange Online)|As an Exchange Online administrator, you have several options for configuring email encryption. These include: <ul><li>Using [Office 365 message encryption (OME)](set-up-new-message-encryption-capabilities.md) with Azure Rights Management (Azure RMS) to enable people to send encrypted messages inside or outside your organization</li><li>Using [S/MIME](/exchange/security-and-compliance/smime-exo/smime-exo) to encrypt and digitally sign email messages</li><li>Using TLS to [set up connectors for secure mail flow with another organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner)</li></ul> <p> See [Email encryption in Office 365](./email-encryption.md).| |Files are accessed from team sites or document libraries (OneDrive for Business or SharePoint Online)|When people are working with files saved to OneDrive for Business or SharePoint Online, TLS connections are used. This is built into Office 365 automatically. See [Data Encryption in OneDrive for Business and SharePoint Online](./data-encryption-in-odb-and-spo.md).| |Files are shared in online meetings and IM conversations (Skype for Business Online)|When people are working with files using Skype for Business Online, TLS is used for the connection. This is built into Office 365 automatically. See [Security and Archiving (Skype for Business Online)](/office365/servicedescriptions/skype-for-business-online-service-description/skype-for-business-online-features).|
-|Files are shared in online meetings and IM conversations (Microsoft Teams)|When people are working with files using Microsoft Teams, TLS is used for the connection. This is built into Office 365 automatically. Microsoft Teams does not currently support inline rendering of encrypted email. To prevent encrypted email from landing in Microsoft Teams as encrypted, see [Message Encryption FAQ](./ome-faq.yml?view=o365-worldwide&preserve-view=true#can-i-automatically-remove-encryption-on-incoming-and-outgoing-mail-).|
+|Files are shared in online meetings and IM conversations (Microsoft Teams)|When people are working with files using Microsoft Teams, TLS is used for the connection. This is built into Office 365 automatically. Microsoft Teams does not currently support inline rendering of encrypted email. To prevent encrypted email from landing in Microsoft Teams as encrypted, see [Message Encryption FAQ](./ome-faq.yml#can-i-automatically-remove-encryption-on-incoming-and-outgoing-mail-).|
| ## Additional information
compliance Set Up New Message Encryption Capabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-new-message-encryption-capabilities.md
audience: ITPro
localization_priority: Priority
+search.appverid:
- MET150 ms.assetid: 7ff0c040-b25c-4378-9904-b1b50210d00e-+ - Strat_O365_IP - M365-security-compliance description: Learn about the new Office 365 Message Encryption capabilities that enable protected email communication with people inside and outside your organization.
The only prerequisite for using the new OME capabilities is that [Azure Rights M
Azure RMS is also activated automatically for most eligible plans, so you probably don't have to do anything in this regard either. See [Activating Azure Rights Management](/azure/information-protection/activate-service) for more information.
->[!IMPORTANT]
->If you use Active Directory Rights Management service (AD RMS) with Exchange Online, you need to [migrate to Azure Information Protection](/azure/information-protection/migrate-from-ad-rms-to-azure-rms) before you can use the new OME capabilities. OME is not compatible with AD RMS.
+> [!IMPORTANT]
+> If you use Active Directory Rights Management service (AD RMS) with Exchange Online, you need to [migrate to Azure Information Protection](/azure/information-protection/migrate-from-ad-rms-to-azure-rms) before you can use the new OME capabilities. OME is not compatible with AD RMS.
For more information, see: - [What subscriptions do I need to use the new OME capabilities?](ome-faq.yml#what-subscriptions-do-i-need-to-use-the-new-ome-capabilities-) to check whether your subscription plan includes Azure Information Protection (which includes Azure RMS functionality).-- [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) for information about purchasing an eligible subscription.
+- [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) for information about purchasing an eligible subscription.
### Manually activating Azure Rights Management
There are many reasons, for example compliance requirements, that may necessitat
## Verify new OME configuration in Exchange Online PowerShell You can verify that your Microsoft 365 tenant is properly configured to use the new OME capabilities in [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell).
-
+ 1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using an account with global administrator permissions in your Microsoft 365 tenant. 2. Run the Get-IRMConfiguration cmdlet.
You can verify that your Microsoft 365 tenant is properly configured to use the
```powershell Test-IRMConfiguration [-Sender <email address >]
- ```
+ ```
**Example**:
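Review bot: the syntax line `Test-IRMConfiguration [-Sender <email address >]` has a stray space before the closing angle bracket of the placeholder, and only the closing fence is changed here. Suggest `<email address>` so the placeholder matches the form a reader will substitute.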
You can verify that your Microsoft 365 tenant is properly configured to use the
If there are previously configured mail flow rules to encrypt email in your organization, you need to update the existing rules to use the new OME capabilities. For new deployments, you need to create new mail flow rules.
->[!IMPORTANT]
->If you do not update existing mail flow rules, your users will continue to receive encrypted mail that uses the previous HTML attachment format, instead of the new seamless OME experience.
+> [!IMPORTANT]
+> If you do not update existing mail flow rules, your users will continue to receive encrypted mail that uses the previous HTML attachment format, instead of the new seamless OME experience.
Mail flow rules determine under what conditions email messages should be encrypted, as well as conditions for removing that encryption. When you set an action for a rule, any messages that match the rule conditions are encrypted when they're sent.
-
+ For steps on creating mail flow rules for OME, see [Define mail flow rules to encrypt email messages in Office 365](define-mail-flow-rules-to-encrypt-email.md). To update existing rules to use the new OME capabilities:
To update existing rules to use the new OME capabilities:
- Select **Apply Office 365 Message Encryption and rights protection**. - Select an RMS template from the list. - Select **Save**.
- - Select **OK**.
+ - Select **OK**.
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
f1.keywords:
Previously updated : Last updated : audience: Admin f1_keywords: - 'ms.o365.cc.UnifiedDLPRuleNotifyUser' localization_priority: Normal-+ - M365-security-compliance - SPO_Content
+search.appverid:
- MOE150 - MET150
description: Learn how to add a policy tip to a data loss prevention (DLP) polic
# Send email notifications and show policy tips for DLP policies You can use a data loss prevention (DLP) policy to identify, monitor, and protect sensitive information across Office 365. You want people in your organization who work with this sensitive information to stay compliant with your DLP policies, but you don't want to block them unnecessarily from getting their work done. This is where email notifications and policy tips can help.
-
+ ![Message bar shows policy tip in Excel 2016](../media/7002ff54-1656-4a6c-993f-37427d6508c8.png)
-
+ A policy tip is a notification or warning that appears when someone is working with content that conflicts with a DLP policyΓÇöfor example, content like an Excel workbook on a OneDrive for Business site that contains personally identifiable information (PII) and is shared with an external user.
-
+ You can use email notifications and policy tips to increase awareness and help educate people about your organization's policies. You can also give people the option to override the policy, so that they're not blocked if they have a valid business need or if the policy is detecting a false positive.
-
+ In the Compliance Center, when you create a DLP policy, you can configure the user notifications to:
-
+ - Send an email notification to the people you choose that describes the issue. > [!NOTE] > Notification emails are sent unprotected.
-
+ - Display a policy tip for content that conflicts with the DLP policy:
-
+ - For email in Outlook on the web and Outlook 2013 and later, the policy tip appears at the top of a message above the recipients while the message is being composed.
-
- - For documents in a OneDrive for Business account or SharePoint Online site, the policy tip is indicated by a warning icon that appears on the item. To view more information, you can select an item and then choose **Information** ![Information pane icon](../media/50b6d51b-92b4-4c5f-bb4b-4ca2d4aa3d04.png) in the upper-right corner of the page to open the details pane.
-
- - For Excel, PowerPoint, and Word documents that are stored on a OneDrive for Business site or SharePoint Online site that's included in the DLP policy, the policy tip appears on the Message Bar and the Backstage view ( **File** menu \> **Info**).
-
+
+ - For documents in a OneDrive for Business account or SharePoint Online site, the policy tip is indicated by a warning icon that appears on the item. To view more information, you can select an item and then choose **Information** ![Information pane icon](../media/50b6d51b-92b4-4c5f-bb4b-4ca2d4aa3d04.png) in the upper-right corner of the page to open the details pane.
+
+ - For Excel, PowerPoint, and Word documents that are stored on a OneDrive for Business site or SharePoint Online site that's included in the DLP policy, the policy tip appears on the Message Bar and the Backstage view (**File** menu \> **Info**).
+ ## Add user notifications to a DLP policy When you create a DLP policy, you can enable **User notifications**. When user notifications are enabled, Microsoft 365 sends out both email notifications and policy tips. You can customize who notification emails are sent to, the email text and the policy tip text.
-
+ 1. Go to [https://protection.office.com](https://protection.office.com).
-
+ 2. Sign in using your work or school account. You're now in the Security &amp; Compliance Center.
-
+ 3. In the Security &amp; Compliance Center \> left navigation \> **Data loss prevention** \> **Policy** \> **+ Create a policy**.
-
+ ![Create a policy button](../media/b1e48a08-92e2-47ca-abdc-4341694ddc7c.png)
-
+ 4. Choose the DLP policy template that protects the types of sensitive information that you need \> **Next**.
-
+ To start with an empty template, choose **Custom** \> **Custom policy** \> **Next**.
-
+ 5. Name the policy \> **Next**.
-
+ 6. To choose the locations that you want the DLP policy to protect, do one of the following:
-
+ - Choose **All locations in Office 365** \> **Next**.
-
+ - Choose **Let me choose specific locations** \> **Next**.
-
- To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the **Status** of that location on or off.
-
- To include only specific SharePoint sites or OneDrive accounts, switch the **Status** to on, and then click the links under **Include** to choose specific sites or accounts.
-
+
+ To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the **Status** of that location on or off.
+
+ To include only specific SharePoint sites or OneDrive accounts, switch the **Status** to on, and then click the links under **Include** to choose specific sites or accounts.
+ 7. Choose **Use advanced settings** \> **Next**.
-
+ 8. Choose **+ New rule**.
-
+ 9. In the rule editor, under **User notifications**, switch the status on.
-
+ ![User notifications section of rule editor](../media/47705927-c60b-4054-a072-ab914f33d15d.png) > [!NOTE] > DLP policies apply to all documents that match the policy, whether those documents are new or existing. However, an email notification is only generated when new content matches an existing DLP policy. Existing content is protected, but will not generate a user notification via email.
-
+ ## Options for configuring email notifications For each rule in a DLP policy, you can:
-
+ - Send the notification to the people you choose. These people can include the owner of the content, the person who last modified the content, the owner of the site where the content is stored, or a specific user.
-
+ - Customize the text that's included in the notification by using HTML or tokens. See the section below for more information.
-
+ > [!NOTE]
-> Email notifications can be sent only to individual recipientsΓÇönot groups or distribution lists. Only new content will trigger an email notification. Editing existing content will trigger policy tips, but not an email notification.
-
+> Email notifications can be sent only to individual recipientsΓÇönot groups or distribution lists. Only new content will trigger an email notification. Editing existing content will trigger policy tips, but not an email notification.
+ ![Email notification options](../media/4e7b9500-2a78-44e6-9067-09f4bfd50301.png)
-
+ ### Default email notification Notifications have a Subject line that begins with the action taken, such as "Notification", "Message Blocked" for email, or "Access Blocked" for documents. If the notification is about a document, the notification message body includes a link that takes you to the site where the document's stored and opens the policy tip for the document, where you can resolve any issues (see the section below about policy tips). If the notification is about a message, the notification includes as an attachment the message that matches a DLP policy.
-
+ ![Notification message](../media/35813d40-5fd8-425f-9624-55655e74fa6b.png)
-
+ By default, notifications display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched. |**If the DLP policy rule does this…**|**Then the default notification for SharePoint or OneDrive for Business documents says this…**|**Then the default notification for Outlook messages says this…**|
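Review bot: the note under "Send an email notification" says "Notification emails are sent unprotected", and the "Default email notification" paragraph says a notification about a message "includes as an attachment the message that matches a DLP policy", but nothing connects the two. Suggest adding a sentence beside the note stating that the attached copy of the matching message is therefore delivered unprotected to every recipient chosen for the notification, so admins select those recipients with that in mind. Separately, step 3 ("In the Security &amp; Compliance Center \> left navigation \> ...") has no verb; "go to" or "select" would make it an instruction.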
By default, notifications display text similar to the following for an item on a
|Sends a notification but doesn't allow override <br/> |This item conflicts with a policy in your organization. <br/> |Your email message conflicts with a policy in your organization. <br/> | |Blocks access, sends a notification, and allows override <br/> |This item conflicts with a policy in your organization. If you don't resolve this conflict, access to this file might be blocked. <br/> |Your email message conflicts with a policy in your organization. The message wasn't delivered to all recipients. <br/> | |Blocks access and sends a notification <br/> |This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator. <br/> |Your email message conflicts with a policy in your organization. The message wasn't delivered to all recipients. <br/> |
-
+ ### Custom email notification You can create a custom email notification instead of sending the default email notification to your end users or admins. The custom email notification supports HTML and has a 5,000-character limit. You can use HTML to include images, formatting, and other branding in the notification.
-
+ You can also use the following tokens to help customize the email notification. These tokens are variables that are replaced by specific information in the notification that's sent. |**Token**|**Description**|
You can also use the following tokens to help customize the email notification.
|%%AppliedActions%% <br/> |The actions applied to the content. <br/> | |%%ContentURL%% <br/> |The URL of the document on the SharePoint Online site or OneDrive for Business site. <br/> | |%%MatchedConditions%% <br/> |The conditions that were matched by the content. Use this token to inform people of possible issues with the content. <br/> |
-
+ ![Notification message showing where tokens appear](../media/cd3f36b3-40db-4f30-99e4-190750bd1955.png)
-
+ ## Options for configuring policy tips For each rule in a DLP policy, you can configure policy tips to:
-
+ - Simply notify the person that the content conflicts with a DLP policy, so that they can take action to resolve the conflict. You can use the default text (see the tables below) or enter custom text about your organization's specific policies.
-
+ - Allow the person to override the DLP policy. Optionally, you can:
-
- - Require the person to enter a business justification for overriding the policy. This information is logged and you can view it in the DLP reports in the **Reports** section of the Security &amp; Compliance Center.
-
+
+ - Require the person to enter a business justification for overriding the policy. This information is logged and you can view it in the DLP reports in the **Reports** section of the Security &amp; Compliance Center.
+ - Allow the person to report a false positive and override the DLP policy. This information is also logged for reporting, so that you can use false positives to fine tune your rules.
-
+ ![Policy tip options](../media/0d2f2c68-028a-4900-afe6-1d9fce5303ef.png)
-
+ For example, you may have a DLP policy applied to OneDrive for Business sites that detects personally identifiable information (PII), and this policy has three rules:
-
-1. First rule: If fewer than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the **Send a notification** action displays a policy tip. For policy tips, no override options are necessary because this rule is simply notifying people and not blocking access.
-
-2. Second rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the **Block access to content** action restricts the permissions for the file, and the **Send a notification** action allows people to override the actions in this rule by providing a business justification. Your organization's business sometimes requires internal people to share PII data, and you don't want your DLP policy to block this work.
-
-3. Third rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people outside the organization, the **Block access to content** action restricts the permissions for the file, and the **Send a notification** action does not allow people to override the actions in this rule because the information is shared externally. Under no circumstances should people in your organization be allowed to share PII data outside the organization.
-
+
+1. First rule: If fewer than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the **Send a notification** action displays a policy tip. For policy tips, no override options are necessary because this rule is simply notifying people and not blocking access.
+
+2. Second rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people inside the organization, the **Block access to content** action restricts the permissions for the file, and the **Send a notification** action allows people to override the actions in this rule by providing a business justification. Your organization's business sometimes requires internal people to share PII data, and you don't want your DLP policy to block this work.
+
+3. Third rule: If greater than five instances of this sensitive information are detected in a document, and the document is shared with people outside the organization, the **Block access to content** action restricts the permissions for the file, and the **Send a notification** action does not allow people to override the actions in this rule because the information is shared externally. Under no circumstances should people in your organization be allowed to share PII data outside the organization.
+ Here are some fine points to understand about using a policy tip to override a rule:
-
+ - The option to override is per rule, and it overrides all of the actions in the rule (except sending a notification, which can't be overridden).
-
+ - It's possible for content to match several rules in a DLP policy, but only the policy tip from the most restrictive, highest-priority rule will be shown. For example, a policy tip from a rule that blocks access to content will be shown over a policy tip from a rule that simply sends a notification. This prevents people from seeing a cascade of policy tips.
-
+ - If the policy tips in the most restrictive rule allow people to override the rule, then overriding this rule also overrides any other rules that the content matched.
-
+ ## Policy tips on OneDrive for Business sites and SharePoint Online sites When a document on a OneDrive for Business site or SharePoint Online site matches a rule in a DLP policy, and that rule uses policy tips, the policy tips display special icons on the document:
-
+ 1. If the rule sends a notification about the file, the warning icon appears.
-
+ 2. If the rule blocks access to the document, the blocked icon appears.
-
+ ![Policy tip icons on documents in a OneDrive account](../media/d3e9f772-03f9-4d28-82f8-3064784332a2.png)
-
+ To take action on a document, you can select an item \> choose **Information** ![Information pane icon](../media/50b6d51b-92b4-4c5f-bb4b-4ca2d4aa3d04.png) in the upper-right corner of the page to open the details pane \> **View policy tip**.
-
-The policy tip lists the issues with the content, and if the policy tips are configured with these options, you can choose **Resolve**, and then **Override** the policy tip or **Report** a false positive.
-
+
+The policy tip lists the issues with the content, and if the policy tips are configured with these options, you can choose **Resolve**, and then **Override** the policy tip or **Report** a false positive.
+ ![Information pane showing policy tip](../media/0a191e70-80f0-4702-90f4-7a5b7aabcaab.png)
-
+ ![Policy tip with option to override](../media/e250bff9-41d5-4ce4-82ea-1dc2d043fab1.png)
-
+ DLP policies are synced to sites and contented is evaluated against them periodically and asynchronously, so there may be a short delay between the time you create the DLP policy and the time you begin to see policy tips. There may be a similar delay from when you resolve or override a policy tip to when the icon on the document on the site goes away.
-
+ ### Default text for policy tips on sites By default, policy tips display text similar to the following for an item on a site. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched.
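Review bot: in the three-rule example, the first rule applies to "fewer than five instances" and the second and third to "greater than five instances", so a document with exactly five instances matches none of the rules as written. The re-added lines keep that wording; suggest "five or more instances" in the second and third rules (or "five or fewer" in the first) so the example has no gap. Near the end of the same region, "contented is evaluated against them" should be "content is evaluated".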
By default, policy tips display text similar to the following for an item on a s
|Sends a notification but doesn't allow override <br/> |This item conflicts with a policy in your organization. <br/> | |Blocks access, sends a notification, and allows override <br/> |This item conflicts with a policy in your organization. If you don't resolve this conflict, access to this file might be blocked. <br/> | |Blocks access and sends a notification <br/> |This item conflicts with a policy in your organization. Access to this item is blocked for everyone except its owner, last modifier, and the primary site collection administrator. <br/> |
-
+ ### Custom text for policy tips on sites You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.
-
+ ## Policy tips in Outlook on the web and Outlook 2013 and later When you compose a new email in Outlook on the web and Outlook 2013 and later, you'll see a policy tip if you add content that matches a rule in a DLP policy, and that rule uses policy tips. The policy tip appears at the top of the message, above the recipients, while the message is being composed.
-
+ ![Policy tip at the top of a message being composed](../media/9b3b6b74-17c5-4562-82d5-d17ecaaa8d95.png)
-
+ Policy tips work whether the sensitive information appears in the message body, subject line, or even a message attachment as shown here.
-
+ ![Policy tip showing that an attachment conflicts with a DLP policy](../media/59ae6655-215f-47d9-ad1d-39c0d1e61740.png)
-
+ If the policy tips are configured to allow override, you can choose **Show Details** \> **Override** \> enter a business justification or report a false positive \> **Override**.
-
+ ![Policy tip in message expanded to show Override option](../media/28bfb997-48a6-41f0-8682-d5e62488458a.png)
-
+ ![Policy tip dialog where you can override the policy tip](../media/f97e836c-04bd-44b4-aec6-ed9526ea31f8.png)
-
+ Note that when you add sensitive information to an email, there may be latency between when the sensitive information is added and when the policy tip appears. ### Outlook 2013 and later supports showing policy tips for only some conditions
Currently, Outlook 2013 and later supports showing policy tips only for these co
- Content contains - Content is shared
-Note that Exceptions are considered conditions and all of these conditions work in Outlook, where they will match content and enforce protective actions on content. But showing policy tips to users is not yet supported.
-
+Note that Exceptions are considered conditions and all of these conditions work in Outlook, where they will match content and enforce protective actions on content. But showing policy tips to users is not yet supported.
+ ### Policy tips in the Exchange admin center vs. the Security &amp; Compliance Center Policy tips can work either with DLP policies and mail flow rules created in the Exchange admin center, or with DLP policies created in the Security &amp; Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.
-
+ If you've configured policy tips in the Exchange admin center, any policy tips that you configure in the Security &amp; Compliance Center won't appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange admin center. This ensures that your current Exchange mail flow rules (also known as transport rules) will continue to work until you choose to switch over to the Security &amp; Compliance Center.
-
+ Note that while policy tips can draw only from a single location, email notifications are always sent, even if you're using DLP policies in both the Security &amp; Compliance Center and the Exchange admin center.
-
+ ### Default text for policy tips in email By default, policy tips display text similar to the following for email.
By default, policy tips display text similar to the following for email.
|Sends a notification but doesn't allow override <br/> |Your email conflicts with a policy in your organization. <br/> | |Blocks access, sends a notification, and allows override <br/> |Your email conflicts with a policy in your organization. <br/> | |Blocks access and sends a notification <br/> |Your email conflicts with a policy in your organization. <br/> |
-
+ ## Policy tips in Excel, PowerPoint, and Word When people work with sensitive content in the desktop versions of Excel, PowerPoint, and Word, policy tips can notify them in real time that the content conflicts with a DLP policy. This requires that:
-
+ - The Office document is stored on a OneDrive for Business site or SharePoint Online site.
-
+ - The site is included in a DLP policy that's configured to use policy tips.
-
+ Office desktop programs automatically sync DLP policies directly from Office 365, and then scan your documents to ensure that they don't conflict with your DLP policies and display policy tips in real time. > [!NOTE] > Office desktop apps scan documents themselves to determine if DLP policy tips should be shown; they do not show policy tips that SharePoint Online sites or OneDrive for Business sites have already determined should be shown on a file. As a result, you may not always see a DLP policy tip in the desktop apps that you see in the SharePoint Online sites or OneDrive for Business sites. In contrast, the Office applications on the web only show DLP policy tips that SharePoint Online sites or OneDrive for Business sites have already determined should be shown.
-
+ Depending on how you configure the policy tips in the DLP policy, people can choose to simply ignore the policy tip, override the policy with or without a business justification, or report a false positive.
-
+ Policy tips appear on the Message Bar.
-
+ ![Message bar shows policy tip in Excel 2016](../media/7002ff54-1656-4a6c-993f-37427d6508c8.png)
-
-And policy tips also appear in the Backstage view (on the **File** tab).
-
+
+And policy tips also appear in the Backstage view (on the **File** tab).
+ ![Backstage shows policy tip in Excel 2016](../media/44c561f6-8f3f-4878-b1b0-b7543f8a4120.png)
-
-If policy tips in the DLP policy are configured with these options, you can choose **Resolve** to **Override** a policy tip or **Report** a false positive.
-
+
+If policy tips in the DLP policy are configured with these options, you can choose **Resolve** to **Override** a policy tip or **Report** a false positive.
+ ![Options on policy tip in Backstage in Excel 2016](../media/5b3857ba-907e-456e-ae43-888b594c049c.png)
-
-In each of these Office desktop programs, people can choose to turn off policy tips. If turned off, policy tips that are simple notifications will not appear on the Message Bar or Backstage view (on the **File** tab). However, policy tips about blocking and overriding will still appear, and they will still receive the email notification. In addition, turning off policy tips does not exempt the document from any DLP policies that have been applied to it.
-
+
+In each of these Office desktop programs, people can choose to turn off policy tips. If turned off, policy tips that are simple notifications will not appear on the Message Bar or Backstage view (on the **File** tab). However, policy tips about blocking and overriding will still appear, and they will still receive the email notification. In addition, turning off policy tips does not exempt the document from any DLP policies that have been applied to it.
+ ### Default text for policy tips in Excel 2016, PowerPoint 2016, and Word 2016 By default, policy tips display text similar to the following on the Message Bar and Backstage view of an open document. The notification text is configured separately for each rule, so the text that's displayed differs depending on which rule is matched.
By default, policy tips display text similar to the following on the Message Bar
|Sends a notification but doesn't allow override <br/> |This file conflicts with a policy in your organization. Go to the **File** menu for more information. <br/> | |Blocks access, sends a notification, and allows override <br/> |This file conflicts with a policy in your organization. If you don't resolve this conflict, access to this file might be blocked. Go to the **File** menu for more information. <br/> | |Blocks access and sends a notification <br/> |This file conflicts with a policy in your organization. If you don't resolve this conflict, access to this file might be blocked. Go to the **File** menu for more information. <br/> |
-
+ ### Custom text for policy tips in Excel, PowerPoint, and Word You can customize the text for policy tips separately from the email notification. Unlike custom text for email notifications (see above section), custom text for policy tips does not accept HTML or tokens. Instead, custom text for policy tips is plain text only with a 256-character limit.
-
+ ## More information -- [Learn about data loss prevention](dlp-learn-about-dlp.md)
+- [Learn about data loss prevention](dlp-learn-about-dlp.md)
- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)-- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md)
+- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md)
- [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md) - [What the DLP policy templates include](what-the-dlp-policy-templates-include.md) - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
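Review bot: In the More information list, the re-added item "[DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md)" has a label that describes a conditions and actions reference, while its target is the Teams DLP article. The line is only being re-flowed here, so the mismatch carries over unchanged. Either point the link at the article the label names or rename the label to match dlp-microsoft-teams.md.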
compliance View Documents In Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-documents-in-review-set.md
audience: Admin
localization_priority: Normal-+
+search.appverid:
- MOE150 - MET150 description: "Choose how you view content in Advanced eDiscovery, such as text, annotate, converted, or native view."
The Native viewer displays the richest view of a document. It supports hundreds
The Text viewer provides a view of the extracted text of a file. It ignores any embedded images and formatting but is very effective if you are trying to understand the content quickly. Text view also includes these features:
- - Line counter makes it easier to reference specific portions of a document
+- Line counter makes it easier to reference specific portions of a document
+- Search hit highlighting that will highlight terms within the document as well as the scrollbar
+- Diff view provides a comparison view that highlights textual differences when viewing Near Duplicate documents
- - Search hit highlighting that will highlight terms within the document as well as the scrollbar
+![Text view](../media/Reviewimage4.png)
- - Diff view provides a comparison view that highlights textual differences when viewing Near Duplicate documents
-
-![Text view
-](../media/Reviewimage4.png)
-
-![Diff view
-](../media/Reviewimage5.png)
+![Diff view](../media/Reviewimage5.png)
## Annotate view The Annotate view provides features that allow users to apply markup on a document including:
- - Area redactions ΓÇô users can draw a box on the document in order to hide sensitive content
-
- - Pencil ΓÇô users can free-hand draw on a document in order to bring attention to certain portions of a document
-
- - Select annotations - users can select annotations on a document in order to delete
-
- - Toggle annotation transparency ΓÇô makes annotations semi-transparent in order to view the content behind the annotation
-
- - Previous page ΓÇô navigates to previous page
-
- - Next page ΓÇô navigates to the next page
-
- - Go to page ΓÇô user can enter a specific page number to navigate to
-
- - Zoom ΓÇô set zoom level for annotate view
+- Area redactions ΓÇô users can draw a box on the document in order to hide sensitive content
+- Pencil ΓÇô users can free-hand draw on a document in order to bring attention to certain portions of a document
+- Select annotations - users can select annotations on a document in order to delete
+- Toggle annotation transparency ΓÇô makes annotations semi-transparent in order to view the content behind the annotation
+- Previous page ΓÇô navigates to previous page
+- Next page ΓÇô navigates to the next page
+- Go to page ΓÇô user can enter a specific page number to navigate to
+- Zoom ΓÇô set zoom level for annotate view
+- Rotate ΓÇô user can rotate document clockwise
+- Search ΓÇô user can search within a document and navigate to the various hits within the document
- - Rotate ΓÇô user can rotate document clockwise
+ ![Annotate view](../media/Reviewimage1.png)
- - Search ΓÇô user can search within a document and navigate to the various hits within the document
-
- ![Annotate view
- ](../media/Reviewimage1.png)
+## Dashboard View
-## Dashboard View
-The dashboard view allows you to visualize and summarize the data in your search results grid. In this view, you can create custom widgets to make analyzing and reporting on your review set intuitive and easy. Once you have created your widgets, you can interact with them to get item counts or to create a search.
+The dashboard view allows you to visualize and summarize the data in your search results grid. In this view, you can create custom widgets to make analyzing and reporting on your review set intuitive and easy. Once you have created your widgets, you can interact with them to get item counts or to create a search.
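Review bot: The rewritten Annotate view list is still inconsistent item to item. "Select annotations - users can select annotations on a document in order to delete" uses a plain hyphen and ends without an object, while the other added items use a separator that shows up as `ΓÇô` here, so check the file encoding and use one dash style throughout. Finish that item as "in order to delete them". The re-added heading "## Dashboard View" is title case next to "## Annotate view", and the "![Annotate view]" image line is added with leading whitespace, which will attach it to the last list item instead of placing it after the list.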
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft 365 compliance center](micr
> Some compliance features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, try adding yourself to [targeted release](/office365/admin/manage/release-options-in-office-365). > [!TIP]
-> Interested in what's going on in other admin centers? Check out these articles:<br>[What's new in the Microsoft 365 admin center](/office365/admin/whats-new-in-preview)<br>[What's new in the SharePoint admin center](/sharepoint/what-s-new-in-admin-center)<br>[What's new in Microsoft 365 Defender](../security/defender/whats-new.md)<br><br>
-And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
+> Interested in what's going on in other admin centers? Check out these articles:
+>
+> - [What's new in the Microsoft 365 admin center](/office365/admin/whats-new-in-preview)
+> - [What's new in the SharePoint admin center](/sharepoint/what-s-new-in-admin-center)
+> - [What's new in Microsoft 365 Defender](../security/defender/whats-new.md)
+>
+> And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
## May 2021
And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/ro
### Retention and records management - If you release a retention policy from a SharePoint site or OneDrive account, you no longer have to wait the 30-day grace period before you can delete the site or account. A popular request by customers, this change is now complete for all tenants.-- In preview, **multi-stage disposition review**: An administrator can now add up to five consecutive stages of [disposition review ](disposition.md) for a retention label, and reviewers can add others users to their disposition review stage. You can also customize the email notifications and reminders.
+- In preview, **multi-stage disposition review**: An administrator can now add up to five consecutive stages of [disposition review](disposition.md) for a retention label, and reviewers can add others users to their disposition review stage. You can also customize the email notifications and reminders.
### Sensitive Information Types
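Review bot: The added multi-stage disposition review bullet fixes the stray space in the "[disposition review](disposition.md)" link but keeps the typo "reviewers can add others users". Change it to "other users" while the line is being touched.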
And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/ro
### Sensitivity labels -- In preview, a new setting for **authentication context** is now available when you configure a [sensitivity label for groups and sites]( sensitivity-labels-teams-groups-sites.md). This option works in conjunction with Azure AD Conditional Access policies to enforce more stringent conditions when users access SharePoint sites that have the label applied. Make sure you read the [dependencies and limitations](sensitivity-labels-teams-groups-sites.md#more-information-about-the-dependencies-for-the-authentication-context-option) before you configure this setting.
+- In preview, a new setting for **authentication context** is now available when you configure a [sensitivity label for groups and sites](sensitivity-labels-teams-groups-sites.md). This option works in conjunction with Azure AD Conditional Access policies to enforce more stringent conditions when users access SharePoint sites that have the label applied. Make sure you read the [dependencies and limitations](sensitivity-labels-teams-groups-sites.md#more-information-about-the-dependencies-for-the-authentication-context-option) before you configure this setting.
- [Auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) that are configured just for Exchange now support sensitivity labels that apply encryption with **Let users assign permissions** for the Do Not Forward or Encrypt-Only options. - [Mandatory labeling](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents) is now generally available for all Office apps, across all platforms.
And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/ro
### Sensitivity labels Outlook releases and updates:+ - [Different settings for the default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) are now supported for built-in labeling. Previously, these settings were supported only by the AIP unified labeling client. - [Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) is now supported by macOS, iOS, and Android. - [Mandatory labeling](sensitivity-labels-office-apps.md#require-users-to-apply-a-label-to-their-email-and-documents) is rolling out to the remaining platforms.
Content was added or updated in the following topics:
- [Customer-managed encryption features](/microsoft-365/compliance/office-365-customer-managed-encryption-features) - [Exchange Online mail encryption with AD RMS](/microsoft-365/compliance/information-rights-management-in-exchange-online). Support for this service has been deprecated. You can no longer use AD RMS in an Exchange hybrid environment. Instead, migrate to Azure RMS.
-ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï
+ΓÇïΓÇïΓÇïΓÇï
#### Customer Key - [Customer Key for Microsoft 365 at the tenant level](/microsoft-365/compliance/customer-key-tenant-level)
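Review bot: The replacement line above "#### Customer Key" still consists only of the repeated `ΓÇï` sequence, just shorter than the line it replaces. It carries no content and reads as leftover invisible characters, so delete the line outright instead of trimming it.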
Content was added or updated in the following topics:
#### Information Rights Management (IRM) - [Apply Information Rights Management (IRM) to a list or library](/microsoft-365/compliance/configure-irm-to-use-an-on-premises-ad-rms-server). These national clouds do not support this setting:
- - Microsoft Cloud for US Government
- - Microsoft Cloud Germany
- - Azure and Microsoft 365 operated by 21Vianet in China)
+ - Microsoft Cloud for US Government
+ - Microsoft Cloud Germany
+ - Azure and Microsoft 365 operated by 21Vianet in China)
- [Configure IRM to use an on-premises AD RMS server](/microsoft-365/compliance/configure-irm-to-use-an-on-premises-ad-rms-server). Support for this service in an Exchange hybrid environment has been deprecated. ### Sensitive Information Types
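Review bot: The re-indented national cloud sub-list keeps the unmatched closing parenthesis in "Azure and Microsoft 365 operated by 21Vianet in China)". Drop the ")" in the added line. In the same list, the parent item "Apply Information Rights Management (IRM) to a list or library" links to /microsoft-365/compliance/configure-irm-to-use-an-on-premises-ad-rms-server, the same target as the "Configure IRM to use an on-premises AD RMS server" item after it, so one of the two links is likely wrong and should be checked before merging.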
Content was added or updated in the following topics:
- [Create a custom sensitive information types with Exact Data Match based classification](/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification) - [Sensitive information type entity definitions](/microsoft-365/compliance/sensitive-information-type-entity-definitions) - ### Sensitivity labels Content was added or updated in the following topics:
First up is content that ties together our insider risk solutions: communication
- [Insider risk management](insider-risk-management-solution-overview.md) - [Information barriers](information-barriers-solution-overview.md) - [Privileged access management](privileged-access-management-solution-overview.md)
-
+ More content solution docs coming soon! ### Advanced eDiscovery
compliance Work With Partner To Archive Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/work-with-partner-to-archive-third-party-data.md
f1.keywords:
Previously updated : Last updated : audience: Admin localization_priority: Normal
+search.appverid:
- MET150 - seo-marvel-apr2020
-description: Learn how to set up a custom connector to import third-party data from data sources such as Salesforce Chatter, Yahoo Messenger, or Yammer.
+description: Learn how to set up a custom connector to import third-party data from data sources such as Salesforce Chatter, Yahoo Messenger, or Yammer.
# Work with a partner to archive third-party data You can work with a Microsoft Partner to import and archive data from a third-party data source to Microsoft 365. A partner can provide you with a custom connector that is configured to extract items from the third-party data source (on a regular basis) and then import those items. The partner connector converts the content of an item from the data source to an email message format and then stores the items in mailboxes. After third-party data is imported, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, In-Place Archiving, Auditing, and Microsoft 365 retention policies to this data.
->[!IMPORTANT]
->The [Communication compliance](communication-compliance.md) solution in Microsoft 365 can't be applied to the third-party data imported by partner connectors mentioned in this article.
+> [!IMPORTANT]
+> The [Communication compliance](communication-compliance.md) solution in Microsoft 365 can't be applied to the third-party data imported by partner connectors mentioned in this article.
Here's an overview of the process and the steps necessary to work with a Microsoft Partner to import third-party data.
Here's an overview of the process and the steps necessary to work with a Microso
## How the third-party data import process works The following illustration and description explain how the third-party data import process works when working with a partner.
-
+ ![How the third-party data import process works](../media/5d4cf8e9-b4cc-4547-90c8-d12d04a9f0e7.png)
-
+ 1. Customer works with their partner of choice to configure a connector that will extract items from the third-party data source and then import those items to Microsoft 365.
-
-2. The partner connector connects to third-party data sources via a third-party API (on a scheduled or as-configured basis) and extracts items from the data source. The partner connector converts the content of an item to an email message format. See the [More information](#more-information) section for a description of the message-format schema.
-
+
+2. The partner connector connects to third-party data sources via a third-party API (on a scheduled or as-configured basis) and extracts items from the data source. The partner connector converts the content of an item to an email message format. See the [More information](#more-information) section for a description of the message-format schema.
+ 3. Partner connector connects to the Azure service in Microsoft 365 by using Exchange Web Service (EWS) via a well-known end point.
-
+ 4. Items are imported into the mailbox of a specific user or into a "catch-all" third-party data mailbox. Whether an item is imported into a specific user mailbox or to the third-party data mailbox is based on the following criteria:
-
+ 1. **Items that have a user ID that corresponds to a user account:** If the partner connector can map the user ID of the item in the third-party data source to a specific user ID in Microsoft 365, the item is copied to the **Purges** folder in the user's Recoverable Items folder. Users can't access items in the Purges folder. However, you can use eDiscovery tools to search for items in the Purges folder.
-
+ 1. **Items that don't have a user ID that corresponds to a user account:** If the partner connector can't map the user ID of an item to a specific user ID, the item is copied to the **Inbox** folder of the third-party data mailbox. Importing items to the inbox allows you or someone in your organization to sign in to the third-party mailbox to view and manage these items, and see if any adjustments need to be made in the partner connector configuration.
-
+ ## Step 1: Find a third-party data partner A key component for archiving third-party data in Microsoft 365 is finding and working with a Microsoft partner that specializes in capturing data from a third-party data source and importing it to Microsoft 365. After the data is imported, it can be archived and preserved along with your organization's other Microsoft data, such as email from Exchange and documents from SharePoint and OneDrive for Business. A partner creates a connector that extracts data from your organization's third-party data sources (such as BlackBerry, Facebook, Google+, Thomson Reuters, Twitter, and YouTube) and passes that data to a Microsoft 365 API that imports items to Exchange mailboxes as email messages.
-
+ The following sections list the Microsoft partners (and the third-party data sources they support) that are participating in the program for archiving third-party data in Microsoft 365. [17a-4 LLC](#17a-4-llc)
-
+ [ArchiveSocial](#archivesocial)
-
+ [Veritas](#veritas)
-
+ [OpenText](#opentext)
-
+ [Smarsh](#smarsh) [Verba](#verba)
-
+ ### 17a-4 LLC [17a-4 LLC](https://www.17a-4.com) supports the following third-party data sources:
-
+ - BlackBerry
-
+ - Bloomberg Data Streams
-
+ - Cisco Jabber
-
+ - FactSet
-
+ - HipChat
-
+ - InvestEdge
-
+ - LivePerson
-
+ - MessageLabs Data Streams
-
+ - OpenText
-
+ - Oracle/ATG 'click-to-call' Live Help
-
+ - Pivot IMTRADER
-
+ - Microsoft SharePoint
-
+ - MindAlign
-
+ - Sitrion One (Newsgator)
-
+ - Skype for Business (Lync/OCS)
-
+ - Skype for Business Online (Lync Online)
-
+ - SQL Databases
-
+ - Squawker
-
+ - Thomson Reuters Eikon Messenger
-
-
### ArchiveSocial
-[ArchiveSocial ](https://www.archivesocial.com) supports the following third-party data sources:
-
+[ArchiveSocial](https://www.archivesocial.com) supports the following third-party data sources:
+ - Facebook
-
+ - Flickr
-
+ - Instagram
-
+ - LinkedIn
-
+ - Pinterest
-
+ - Twitter
-
+ - YouTube
-
+ - Vimeo
-
+ ### Veritas
-[Veritas](https://www.globanet.com) supports the following third-party data sources:
-
-- AOL with Pivot Client
-
+[Veritas](https://www.globanet.com) supports the following third-party data sources:
+
+- AOL with Pivot Client
+ - BlackBerry Call Logs (v5, v10, v12)
-
+ - BlackBerry Messenger (v5, v10, v12)
-
+ - BlackBerry PIN (v5, v10, v12)
-
+ - BlackBerry SMS (v5, v10, v12)
-
+ - Bloomberg Chat
-
+ - Bloomberg Mail
-
+ - Box
-
+ - CipherCloud for Salesforce Chatter
-
+ - Cisco IM &amp; Presence Server (v10, v10.5.1 SU1, v11.0, v11.5 SU2) - Cisco Webex Teams
The following sections list the Microsoft partners (and the third-party data sou
- CrowdCompass - Custom-delimited text files
-
+ - Custom XML files
-
+ - Facebook (Pages)
-
+ - Factset
-
+ - FXConnect
-
+ - ICE Chat/YellowJacket
-
+ - Jive
-
+ - Macgregor XIP - Microsoft Exchange Server
-
+ - Microsoft OneDrive for Business - Microsoft Teams
-
+ - Microsoft Yammer
-
+ - Mobile Guard
-
+ - Pivot
-
+ - Salesforce Chatter - Skype for Business Online
-
+ - Skype for Business, versions 2007 R2 - 2016 (on-premises)
-
+ - Slack Enterprise Grid
-
+ - Symphony
-
+ - Thomson Reuters Eikon
-
+ - Thomson Reuters Messenger
-
+ - Thomson Reuters Dealings 3000 / FX Trading
-
+ - Twitter
-
+ - UBS Chat
-
+ - YouTube
-
+ ### OpenText
-[OpenText](https://www.opentext.com/what-we-do/products/opentext-product-offerings-catalog/rebranded-products/daegis) supports the following third-party data sources:
-
+[OpenText](https://www.opentext.com/what-we-do/products/opentext-product-offerings-catalog/rebranded-products/daegis) supports the following third-party data sources:
+ - Axs Encrypted
-
+ - Axs Exchange
-
+ - Axs Local Archive
-
+ - Axs PlaceHolder
-
+ - Axs Signed
-
+ - Bloomberg
-
+ - Thomson Reuters
-
+ ### Smarsh
-[Smarsh](https://www.smarsh.com) supports the following third-party data sources:
-
+[Smarsh](https://www.smarsh.com) supports the following third-party data sources:
+ - AIM
-
+ - American Idol
-
+ - Apple Juice
-
+ - AOL with Pivot client
-
+ - Ares
-
+ - Bazaar Voice
-
+ - Bear Share
-
+ - Bit Torrent
-
+ - BlackBerry Call Logs (v5, v10, v12)
-
+ - BlackBerry Messenger (v5, v10, v12)
-
+ - BlackBerry PIN (v5, v10, v12)
-
+ - BlackBerry SMS (v5, v10, v12)
-
+ - Bloomberg Mail
-
+ - CellTrust
-
+ - Chat Import
-
+ - Chat Real Time Logging and Policy
-
+ - Chatter
-
+ - Cisco IM &amp; Presence Server (v9.0.1, v9.1, v9.1.1 SU1, v10, v10.5.1 SU1)
-
+ - Cisco Unified Presence Server (v8.6.3, v8.6.4, v8.6.5)
-
+ - Collaboration Import
-
+ - Collaboration Real Time Logging
-
+ - Direct Connect
-
+ - Facebook
-
+ - FactSet
-
+ - FastTrack
-
+ - Gnutella
-
+ - Google+
-
+ - GoToMyPC
-
+ - Hopster
-
+ - HubConnex
-
+ - IBM Connections (v3.0.1, v4.0, v4.5, v4.5 CR3, v5)
-
+ - IBM Connections Chat Cloud
-
+ - IBM Connections Social Cloud
-
+ - IBM SameTime Advanced 8.5.2 IFR1
-
+ - IBM SameTime Communicate 9.0
-
+ - IBM SameTime Community (v8.0.2, v8.5.1 IFR2, v8.5.2 IFR1, v9.1)
-
+ - IBM SameTime Complete 9.0
-
+ - IBM SameTime Conference 9.0
-
+ - IBM SameTime Meeting 8.5.2 IFR1
-
+ - ICE/YellowJacket
-
+ - IM Import
-
+ - IM Real Time Logging and Policy
-
+ - Indii Messenger
-
+ - Instant Bloomberg
-
+ - IRC
-
+ - Jive
-
+ - Jive 6 Real Time Logging (v6, v7)
-
+ - Jive Import
-
+ - JXTA
-
+ - LinkedIn
-
+ - Microsoft Lync (2010, 2013)
-
+ - MFTP
-
+ - Microsoft Lync 2013 Voice
-
+ - Microsoft SharePoint (2010, 2013)
-
+ - Microsoft SharePoint Online
-
+ - Microsoft UC (Unified Communications)
-
+ - MindAlign
-
+ - Mobile Guard
-
+ - MSN
-
+ - My Space
-
+ - NEONetwork
-
+ - Microsoft 365 Lync Dedicated
-
+ - Microsoft 365 Shared IM
-
+ - Pinterest
-
+ - Pivot
-
+ - QQ
-
+ - Skype for Business 2015
-
+ - SoftEther
-
+ - Symphony
-
+ - Thomson Reuters Eikon
-
+ - Thomson Reuters Messenger
-
+ - Tor
-
+ - TTT
-
+ - Twitter
-
+ - WinMX
-
+ - Winny
-
+ - Yahoo
-
+ - Yammer
-
+ - YouTube
-
+ ### Verba
-[Verba](https://www.verba.com) supports the following third-party data sources:
-
+[Verba](https://www.verba.com) supports the following third-party data sources:
+ - Avaya Aura Video
-
+ - Avaya Aura Voice
-
+ - Avtec Radio
-
+ - Bosch/Telex Radio
-
+ - BroadSoft Video
-
+ - BroadSoft Voice
-
+ - Centile Voice
-
+ - Cisco Jabber IM
-
+ - Cisco UC Video
-
+ - Cisco UC Voice
-
+ - Cisco UCCX/UCCE Video
-
+ - Cisco UCCX/UCCE Voice
-
+ - ESChat Radio
-
+ - Geoman Contact Expert
-
+ - IP Trade Voice
-
+ - Luware LUCS Contact Center
-
+ - Microsoft UC (Unified Communications)
-
+ - Mitel MiContact Center for Lync (prairieFyre)
-
+ - Oracle / Acme Packet Session Border Controller Video
-
+ - Oracle / Acme Packet Session Border Controller Voice
-
+ - Singtel Mobile Voice
-
+ - SIPREC Video
-
-- SIPREC Voice
-
+
+- SIPREC Voice
+ - Skype for Business / Lync IM
-
+ - Skype for Business / Lync Video
-
+ - Skype for Business / Lync Voice
-
+ - Speakerbus Voice
-
+ - Standard SIP/H.323 Video
-
+ - Standard SIP/H.323 Voice
-
+ - Truphone Voice
-
+ - TwistedPair Radio
-
+ - Windows Desktop Computer Screen
-
+ ## Step 2: Create and configure a third-party data mailbox in Microsoft 365 Here are the steps for creating and configuring a third-party data mailbox for importing data to Microsoft 365. As previous explained, items are imported to this mailbox if the partner connector can't map the user ID of the item to a user account.
-
+ **Complete these tasks in the Microsoft 365 admin center**
-
+ 1. Create a user account and assign it an Exchange Online Plan 2 license; see [Add users to Microsoft 365](../admin/add-users/add-users.md). A Plan 2 license is required to place the mailbox on Litigation Hold or enable an archive mailbox that has an unlimited storage quota.
-
+ 2. Add the user account for the third-party data mailbox to the **Exchange administrator** admin role in Microsoft 365; see [Assign admin roles in Microsoft 365](../admin/add-users/assign-admin-roles.md).
-
+ > [!TIP]
- > Write down the credentials for this user account. You need to provide them to your partner, as described in Step 4.
-
+ > Write down the credentials for this user account. You need to provide them to your partner, as described in Step 4.
+ **Complete these tasks in the Exchange admin center**
-
+ 1. Hide the third-party data mailbox from the address book and other address lists in your organization; see [Manage user mailboxes](/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes). Alternatively, you can run the following PowerShell command:
-
+ ```powershell Set-Mailbox -Identity <identity of third-party data mailbox> -HiddenFromAddressListsEnabled $true ``` 2. Assign the **FullAccess** permission to the third-party data mailbox so that administrators or compliance officers can open the third-party data mailbox in the Outlook desktop client; see [Manage permissions for recipients](https://go.microsoft.com/fwlink/p/?LinkId=692104).
-
+ 3. Enable the following compliance-related features for the third-party data mailbox:
-
+ - Enable the archive mailbox; see [Enable archive mailboxes](enable-archive-mailboxes.md) and [Enable unlimited archiving](enable-unlimited-archiving.md). This lets you free-up storage space in the primary mailbox by setting up an archive policy that moves third-party data items to the archive mailbox. This provides you with unlimited storage for third-party data.
-
+ - Place the third-party data mailbox on Litigation Hold. You can also apply a Microsoft 365 retention policy in the security and compliance center. Placing this mailbox on hold retains third-party data items (indefinitely or for a specified duration) and prevent them from being purged from the mailbox. See one of the following topics:
-
+ - [Place a mailbox on Litigation Hold](./create-a-litigation-hold.md)
-
+ - [Learn about retention policies and retention labels](retention.md)
-
+ - Enable mailbox audit logging for owner, delegate, and admin access to the third-party data mailbox; see [Enable mailbox auditing](enable-mailbox-auditing.md). This allows you to audit all activity performed by any user who has access to the third-party data mailbox. ## Step 3: Configure user mailboxes for third-party data The next step is to configure user mailboxes to support third-party data. Complete these tasks by using the Exchange admin center or by using the corresponding Windows PowerShell cmdlets.
-
+ 1. Enable the archive mailbox for each user; see [Enable archive mailboxes](enable-archive-mailboxes.md) and [Enable unlimited archiving](enable-unlimited-archiving.md).
-
-2. Place user mailboxes on Litigation Hold or apply a Microsoft 365 retention policy; see one of the following topics:
-
+
+2. Place user mailboxes on Litigation Hold or apply a Microsoft 365 retention policy; see one of the following topics:
+ - [Place a mailbox on Litigation Hold](./create-a-litigation-hold.md)
-
+ - [Learn about retention policies and retention labels](retention.md)
-
+ As previously stated, when you place mailboxes on hold, you can set a duration for how long to hold items from the third-party data source or you can choose to hold items indefinitely. ## Step 4: Provide your partner with information
-The final step is to provide your partner with the following information so they can configure the connector to connect to your organization to import data to user mailboxes and to the third-party data mailbox.
-
+The final step is to provide your partner with the following information so they can configure the connector to connect to your organization to import data to user mailboxes and to the third-party data mailbox.
+ - The endpoint used to connect to the Azure service in Microsoft 365: ```http
The final step is to provide your partner with the following information so they
``` - The sign-in credentials (Microsoft 365 user ID and password) of the third-party data mailbox that you created in Step 2. These credentials are required so that the partner connector can access and import items to user mailboxes and to the third-party data mailbox.
-
+ ## Step 5: Register the third-party data connector in Azure Active Directory Starting September 30, 2018, the Azure service in Microsoft 365 will begin using modern authentication in Exchange Online to authenticate third-party data connectors that attempt to connect to your organization to import data. The reason for this change is that modern authentication provides more security than the current method, which was based on an allow list for third-party connectors that use the previously described endpoint to connect to the Azure service.
After you accept the request, the [Azure portal](https://portal.azure.com) is di
After your organization consents to the permissions request to register a third-party data connector in Azure Active Directory, your organization can revoke that consent at any time. However, revoking the consent for a connector means that data from the third-party data source will no longer be imported into Microsoft 365. To revoke consent for a third-party data connector, you can delete the application (by deleting the corresponding service principal) from Azure Active Directory using the **Enterprise applications** blade in the Azure portal, or by using the [Remove-MsolServicePrincipal](/powershell/module/msonline/remove-msolserviceprincipal) in Microsoft 365 PowerShell. You can also use the [Remove-AzureADServicePrincipal](/powershell/module/azuread/remove-azureadserviceprincipal) cmdlet in Azure Active Directory PowerShell.
-
+ ## More information - As previous explained, items from third-party data sources are imported to Exchange mailboxes as email messages. The partner connector imports the item using a schema required by the Microsoft 365 API. The following table describes the message properties of an item from a third-party data source after it's imported to an Exchange mailbox as an email message. The table also indicates if the message property is mandatory. Mandatory properties must be populated. If an item is missing a mandatory property, it won't be imported to Microsoft 365. The import process returns an error message explaining why an item wasn't imported and which property is missing.<br/><br/>
-
+ |**Message property**|**Mandatory?**|**Description**|**Example value**| |:--|:--|:--|:--| |**FROM** <br/> |Yes <br/> |The user who originally created or sent the item in the third-party data source. The partner connector attempts to map the user ID from the source item (for example a Twitter handle) to a user account for all participants (users in the FROM and TO fields). A copy of the message will be imported to the mailbox of every participant. If none of the participants from the item can be mapped to a user account, the item will be imported to the third-party archiving mailbox in Microsoft 365. <br/> <br/> The participant who's identified as the sender of the item must have an active mailbox in the organization that the item is being imported to. If the sender doesn't have an active mailbox, the following error is returned:<br/><br/> `One or more messages in the Request failed to be delivered to either From or Sender email address. You will need to resend your entire Request. Error: The request failed. The remote server returned an error: (401) Unauthorized.` | `bob@contoso.com` <br/> |
To revoke consent for a third-party data connector, you can delete the applicati
|**BODY** <br/> |No <br/> |The contents of the message or post. For some data sources, the contents of this property could be the same as the content for the **SUBJECT** property. During the import process, the partner connector attempts to maintain full fidelity from the content source as possible. If possible files, graphics, or other content from the body of the source item is included in this property. Otherwise, content from the source item is included in the **ATTACHMENT** property. The contents of this property depends on the partner connector and on the capability of the source platform. <br/> | ` |**ATTACHMENT** <br/> |No <br/> |If an item in the data source (such as a tweet in Twitter or an instant messaging conversation) has an attached file or include images, the partner connect will first attempt to include attachments in the **BODY** property. If that isn't possible, then it's added to the ** ATTACHMENT ** property. Other examples of attachments include Likes in Facebook, metadata from the content source, and responses to a message or post. <br/> | `image.gif` <br/> | |**MESSAGECLASS** <br/> |Yes <br/> | This is a multi-value property, which is created and populated by partner connector. The format of this property is `IPM.NOTE.Source.Event`. (This property must begin with `IPM.NOTE`. This format is similar to the one for the `IPM.NOTE.X` message class.) This property includes the following information: <br/><br/>`Source`: Indicates the third-party data source; for example, Twitter, Facebook, or BlackBerry. <br/> <br/> `Event`: Indicates the type of activity that was performed in the third-party data source that produced the items; for example, a tweet in Twitter or a post in Facebook. Events are specific to the data source. <br/> <br/> One purpose of this property is to filter specific items based on the data source where an item originated or based on the type of event. 
For example, in an eDiscovery search you could create a search query to find all the tweets that were posted by a specific user. <br/> | `IPM.NOTE.Twitter.Tweet` <br/> |
-
+ - When items are successfully imported to mailboxes in Microsoft 365, a unique identifier is returned back to the caller as part of the HTTP response. This identifier, called `x-IngestionCorrelationID`, can be used for subsequent troubleshooting purposes by partners for end-to-end tracking of items. It's recommended that partners capture this information and log it accordingly at their end. Here's an example of an HTTP response showing this identifier: ```http
To revoke consent for a third-party data connector, you can delete the applicati
x-IngestionCorrelationID: 1ec7667d-f097-47fe-a9a2-bc7ab0a7552b X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET
- Date: Tue, 02 Feb 2016 22:55:33 GMT
+ Date: Tue, 02 Feb 2016 22:55:33 GMT
``` - You can use the Content Search tool in the security and compliance center to search for items that were imported to mailboxes from a third-party data source. To search specifically for these imported items, you can use the following message property-value pairs in the keyword box for a Content Search.
-
+ - **`kind:externaldata`**: Use this property-value pair to search all third-party data types. For example, to search for items that were imported from a third-party data source and contained the word "contoso" in the Subject property of the imported item, you would use the keyword query `kind:externaldata AND subject:contoso`.
-
- - **`itemclass:ipm.externaldata.<third-party data type>`**: Use this property-value pair to only search a specify type of third-party data. For example, to only search Facebook data that contains the word "contoso" in the Subject property, you would use the keyword query `itemclass:ipm.externaldata.Facebook* AND subject:contoso`.
+
+ - **`itemclass:ipm.externaldata.<third-party data type>`**: Use this property-value pair to only search a specify type of third-party data. For example, to only search Facebook data that contains the word "contoso" in the Subject property, you would use the keyword query `itemclass:ipm.externaldata.Facebook* AND subject:contoso`.
For a complete list of values to use for third-party data types for the `itemclass` property, see [Use Content Search to search third-party data that was imported to Microsoft 365](use-content-search-to-search-third-party-data-that-was-imported.md).
-
+ For more information about using Content Search and creating keyword search queries, see:
-
+ - [Content Search](content-search.md)
-
+ - [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md)
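Review bot: Step 2, task 2 adds the third-party data mailbox account to the **Exchange administrator** role, and the TIP under it plus the second bullet of Step 4 then tell the reader to give that account's user ID and password to the partner, so the partner ends up holding the credentials of an Exchange administrator and the text never states this. Suggest saying so next to the TIP and pointing from there to the controls the article already describes: the mailbox audit logging enabled at the end of Step 2 and the consent revocation described after Step 5. Wording to fix in the same pass: "As previous explained" (Step 2 intro and the first bullet under More information) should be "As previously explained", and "search a specify type" in the `itemclass` bullet should be "search a specific type".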
contentunderstanding Apply A Sensitivity Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/apply-a-sensitivity-label-to-a-model.md
description: "Learn how to apply a sensitivity label to a model in SharePoint Sy
You can easily apply a [sensitivity label](../compliance/sensitivity-labels.md) to document understanding models in Microsoft SharePoint Syntex. This feature isn't available yet for form processing models.
-Sensitivity labels let you apply encryption, sharing, and conditional access policies to the documents that your models identify. For example, you want your model to not only identify any financial documents that contain bank account numbers or credit card numbers that are uploaded to your document library, but also to apply an *Encryption* sensitivity label to them to restrict who can access that content and how it can be used. SharePoint Syntex models honor the [label order](../compliance/apply-sensitivity-label-automatically.md?view=o365-worldwide#how-multiple-conditions-are-evaluated-when-they-apply-to-more-than-one-label) rules and also do not overwrite an existing label that was manually applied by a user to the file.
+Sensitivity labels let you apply encryption, sharing, and conditional access policies to the documents that your models identify. For example, you want your model to not only identify any financial documents that contain bank account numbers or credit card numbers that are uploaded to your document library, but also to apply an *Encryption* sensitivity label to them to restrict who can access that content and how it can be used. SharePoint Syntex models honor the [label order](../compliance/apply-sensitivity-label-automatically.md#how-multiple-conditions-are-evaluated-when-they-apply-to-more-than-one-label) rules and also do not overwrite an existing label that was manually applied by a user to the file.
You can apply a pre-existing sensitivity label to your model through your model settings on your model's home page. The label must already be published to be available for selection from model settings.
contentunderstanding Skos Format Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/skos-format-reference.md
audience: admin ms.prod: microsoft-365-enterprise
+search.appverid:
localization_priority: Priority description: 'SKOS format reference for SharePoint taxonomy'
A taxonomy is a formal classification system. A taxonomy groups the words, label
Represents a Term or a Keyword in a managed metadata hierarchy.
-A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) is the atomic unit of a SharePoint [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore). Each [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) belongs to a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset) that belongs to a [TermGroup](/dotnet/api/microsoft.sharepoint.taxonomy.group).
+A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) is the atomic unit of a SharePoint [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore). Each [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) belongs to a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset) that belongs to a [TermGroup](/dotnet/api/microsoft.sharepoint.taxonomy.group).
The syntax to define a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) is as follows:
A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) can:
- Have multiple child [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term), but only a single parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term). - Not have a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) defined, if it is a topLevelTermOf a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). - Have one defaultLabel, per [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore) working language.-- Not exist if it neither contains a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term), nor is the topLevelTermOf a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset).
+- Not exist if it neither contains a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term), nor is the topLevelTermOf a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset).
- Have only a unique defaultLabel in the same hierarchical level. **sharepoint-taxonomy:TermSet** Represents a hierarchical or flat set of Term objects known as a "TermSet".
-As the name suggests, TermSet is a set of [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term). A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) in a [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore) must belong to a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). No [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) can exist independently.
+As the name suggests, TermSet is a set of [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term). A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) in a [TermStore](/dotnet/api/microsoft.sharepoint.taxonomy.termstore) must belong to a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). No [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) can exist independently.
The syntax to define a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset) is:
In the case of the termSetName provided is not unique within the [TermGroup](/do
**sharepoint-taxonomy:hasTopLevelTerm**
-SharePoint uses this property to map the top most [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) in the [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), which is the entry point to the hierarchy of [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term) in a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). This is an inverse relation to sharepoint-taxonomy:topLevelTermOf.
+SharePoint uses this property to map the top most [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) in the [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), which is the entry point to the hierarchy of [Terms](/dotnet/api/microsoft.sharepoint.taxonomy.term) in a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset). This is an inverse relation to sharepoint-taxonomy:topLevelTermOf.
The syntax to define this is:
The syntax to define this is:
ex:TermSetA sharepoint-taxonomy:hasTopLevelTerm ex:TermA. ```
->[!NOTE]
+> [!NOTE]
> You cannot define the top level [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) of a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term). **sharepoint-taxonomy:topLevelTermOf**
You can also add optional labels to your taxonomy.
**sharepoint-taxonomy:otherLabel**
-This is the alternate lexical label for a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term).
+This is the alternate lexical label for a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term).
The syntax to define an otherLabel is:
ex:TermA sharepoint-taxonomy:otherLabel ΓÇ£Term AΓÇ¥@en-us.
## Semantic relationships
-Taxonomies have hierarchical and sometimes a simple ΓÇ£related termΓÇ¥ associative relationship, but some have "semantic relationships" or custom-created relationships.
+Taxonomies have hierarchical and sometimes a simple ΓÇ£related termΓÇ¥ associative relationship, but some have "semantic relationships" or custom-created relationships.
**sharepoint-taxonomy:parent**
-This hierarchically relates a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) to another [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term). A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) could be a top level [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) of a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), but in case it doesnΓÇÖt it must have a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term).
+This hierarchically relates a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) to another [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term). A [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) could be a top level [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) of a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset), but in case it doesnΓÇÖt it must have a parent [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term).
The syntax to define a parent is:
This means that TermA is the parent and TermA is the child.
**sharepoint-taxonomy:child**
-The object contains one or more child TermSet instances, and these can be accessed through the TermSets property. This class also provides methods for creating new child TermSet objects. Permissions for editing child Term and TermSet instances is specified on the group.
+The object contains one or more child TermSet instances, and these can be accessed through the TermSets property. This class also provides methods for creating new child TermSet objects. Permissions for editing child Term and TermSet instances is specified on the group.
This hierarchically relates a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) to another [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term).
This section discusses the taxonomy detailed in the Microsoft.SharePoint.Taxonom
**sharepoint-taxonomy:description**
-This is a detailed explanation of any [SharePoint taxonomy](/dotnet/api/microsoft.sharepoint.taxonomy) vocabulary entity.
+This is a detailed explanation of any [SharePoint taxonomy](/dotnet/api/microsoft.sharepoint.taxonomy) vocabulary entity.
The syntax to add a description is:
At each level of the hierarchy, you can configure specific data properties for a
**sharepoint-taxonomy:isAvailableForTagging**
-Use this to specify if a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) or a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset) available in SharePoint Lists and Libraries.
+Use this to specify if a [Term](/dotnet/api/microsoft.sharepoint.taxonomy.term) or a [TermSet](/dotnet/api/microsoft.sharepoint.taxonomy.termset) available in SharePoint Lists and Libraries.
The syntax for this is:
propertyName|Has Property Label|SharedCustomPropertyForTerm, LocalCustomProperty
- Hierarchical redundancy - A [SKOS](https://www.w3.org/TR/skos-primer/) concept can be attached to several broader concepts at the same time, but a sharepoint-taxonomy:Term can have only one sharepoint-taxonomy:parent, hence cyclic dependency, of Terms is also not allowed. - Orphaned terms are not allowed in SharePoint taxonomy. Every sharepoint-taxonomy:Term should either have a sharepoint-taxonomy:parent or it should be the sharepoint-taxonomy:topLevelTermOf a TermSet. - SharePoint taxonomy does not support associative relations.-- SharePoint taxonomy only allows 2 types of Hierarchical relations ΓÇô sharepoint-taxonomy:parent and sharepoint-Taxonomy:child.
+- SharePoint taxonomy only allows 2 types of Hierarchical relations ΓÇô sharepoint-taxonomy:parent and sharepoint-Taxonomy:child.
- Unlike [SKOS](https://www.w3.org/TR/skos-primer/) the hierarchical relationship in SharePoint taxonomy vocabulary, can only be established with Terms within the same TermSet. ## See also
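Review bot: under **sharepoint-taxonomy:parent**, the sentence "This means that TermA is the parent and TermA is the child" names the same term on both sides, so the direction of the relation cannot be read from it; one of the two should be the other term of the example. The -/+ pairs in this file show no visible text change, so these are carried over rather than introduced, but they are worth fixing here: the first paragraph under **sharepoint-taxonomy:child** ("The object contains one or more child TermSet instances ... Permissions ... is specified on the group") describes a group rather than a child term and looks misplaced, and "to specify if a Term or a TermSet available" under **isAvailableForTagging** is missing "is".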
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
description: "This article describes how you can launch your portal using the Po
A portal is a SharePoint communication site on your intranet that is high-traffic ΓÇô a site that has anywhere from 10,000 to over 100,000 viewers over the course of several weeks. Use the Portal launch scheduler to launch your portal to ensure users have a smooth viewing experience when accessing your new SharePoint portal. <br> <br>
-The Portal launch scheduler is designed to help you follow a phased roll-out approach by batching viewers in waves and managing the URL redirects for the new portal. During the launch of each wave, you can gather user feedback, monitor portal performance, and pause the launch to resolve issues before proceeding with the next wave. Learn more about how to [plan a portal launch in SharePoint](/microsoft-365/Enterprise/Planportallaunchroll-out?view=o365-worldwide).
+The Portal launch scheduler is designed to help you follow a phased roll-out approach by batching viewers in waves and managing the URL redirects for the new portal. During the launch of each wave, you can gather user feedback, monitor portal performance, and pause the launch to resolve issues before proceeding with the next wave. Learn more about how to [plan a portal launch in SharePoint](/microsoft-365/Enterprise/Planportallaunchroll-out).
**There are two types of redirections:**
enterprise About Microsoft 365 Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/about-microsoft-365-identity.md
Last updated 09/30/2020
localization_priority: Normal-+ - Ent_O365 - M365-identity-device-management - M365-security-compliance f1.keywords: - CSH-+ - Adm_O365 - seo-marvel-mar2020 search.appverid:
Your first planning choice is the Microsoft 365 identity model.
## Microsoft 365 identity models
-To plan for user accounts, you first need to understand the two identity models in Microsoft 365. You can maintain your organization's identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication when users access Microsoft 365 cloud services.
+To plan for user accounts, you first need to understand the two identity models in Microsoft 365. You can maintain your organization's identities only in the cloud, or you can maintain your on-premises Active Directory Domain Services (AD DS) identities and use them for authentication when users access Microsoft 365 cloud services.
Here are the two types of identity and their best fit and benefits.
Here are the two types of identity and their best fit and benefits.
## Cloud-only identity
-A cloud-only identity uses user accounts that exist only in Azure AD. Cloud-only identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.
+A cloud-only identity uses user accounts that exist only in Azure AD. Cloud-only identity is typically used by small organizations that do not have on-premises servers or do not use AD DS to manage local identities.
Here are the basic components of cloud-only identity.
-
+ ![Basic components of cloud-only identity](../media/about-microsoft-365-identity/cloud-only-identity.png) Both on-premises and remote (online) users use their Azure AD user accounts and passwords to access Microsoft 365 cloud services. Azure AD authenticates user credentials based on its stored user accounts and passwords. ### Administration
-Because user accounts are only stored in Azure AD, you manage cloud identities with tools such as the [Microsoft 365 admin center](../admin/add-users/index.yml) and [Windows PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md).
+Because user accounts are only stored in Azure AD, you manage cloud identities with tools such as the [Microsoft 365 admin center](../admin/add-users/index.yml) and [Windows PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md).
## Hybrid identity
Hybrid identity uses accounts that originate in an on-premises AD DS and have a
Azure AD Connect provides the ongoing account synchronization. It runs on an on-premises server, checks for changes in the AD DS, and forwards those changes to Azure AD. Azure AD Connect provides the ability to filter which accounts are synchronized and whether to synchronize a hashed version of user passwords, known as password hash synchronization (PHS).
-When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information. This means that you perform administration tasks mostly on-premises, which are then synchronized to Azure AD.
+When you implement hybrid identity, your on-premises AD DS is the authoritative source for account information. This means that you perform administration tasks mostly on-premises, which are then synchronized to Azure AD.
Here are the components of hybrid identity.
Here are the components of hybrid identity.
The Azure AD tenant has a copy of the AD DS accounts. In this configuration, both on-premises and remote users accessing Microsoft 365 cloud services authenticate against Azure AD.
->[!Note]
->You always need to use Azure AD Connect to synchronize user accounts for hybrid identity. You need the synchronized user accounts in Azure AD to perform license assignment and group management, configure permissions, and other administrative tasks that involve user accounts.
->
+> [!NOTE]
+> You always need to use Azure AD Connect to synchronize user accounts for hybrid identity. You need the synchronized user accounts in Azure AD to perform license assignment and group management, configure permissions, and other administrative tasks that involve user accounts.
### Administration
-Because the original and authoritative user accounts are stored in the on-premises AD DS, you manage your identities with the same tools as you manage your AD DS.
+Because the original and authoritative user accounts are stored in the on-premises AD DS, you manage your identities with the same tools as you manage your AD DS.
You don't use the Microsoft 365 admin center or PowerShell for Microsoft 365 to manage synchronized user accounts in Azure AD.
If you need the cloud-only identity model, see [Cloud-only identity](cloud-only-
If you need the hybrid identity model, see [Hybrid identity](plan-for-directory-synchronization.md). - ## See also
-[Microsoft 365 Enterprise overview](microsoft-365-overview.md)
+[Microsoft 365 Enterprise overview](microsoft-365-overview.md)
enterprise Add A Domain To A Client Tenancy With Windows Powershell For Delegated Access Pe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/add-a-domain-to-a-client-tenancy-with-windows-powershell-for-delegated-access-pe.md
audience: Admin
localization_priority: Normal
+search.appverid:
- MET150-+ - Ent_O365 - M365-subscription-management f1.keywords:
description: "Summary: Use PowerShell for Microsoft 365 to add an alternate doma
*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.* You can create and associate new domains with your customer's tenancy with PowerShell for Microsoft 365 faster than using the Microsoft 365 admin center.
-
+ Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They are frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they are automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies. ## What do you need to know before you begin? The procedures in this topic require you to connect to [Connect to Microsoft 365 with PowerShell](connect-to-microsoft-365-powershell.md).
-
+ You also need your partner tenant administrator credentials.
-
+ You also need the following information:
-
+ - You need the fully qualified domain name (FQDN) that your customer wants.
-
+ - You need the customer's **TenantId**.
-
+ - The FQDN must be registered with an Internet domain name service (DNS) registrar, such as GoDaddy. For more information on how to publically register a domain name, see [How to buy a domain name](../admin/get-help-with-domains/buy-a-domain-name.md).
-
+ - You need to know how to add a TXT record to the registered DNS zone for your DNS registrar. For more information on how to add a TXT record, see [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you, you will need to find the procedures for your DNS registrar.
-
+ ## Create domains Your customers will likely ask you to create additional domains to associate with their tenancy because they don't want the default <domain>.onmicrosoft.com domain to be the primary one that represents their corporate identities to the world. This procedure walks you through creating a new domain associated with your customer's tenancy.
-
+ > [!NOTE]
-> To perform some of these operations, the partner administrator account you sign in with must be set to **Full administration** for the **Assign administrative access to companies you support** setting found in the details of the admin account in the Microsoft 365 admin center. For more information on managing partner administrator roles, see [Partners: Offer delegated administration](https://go.microsoft.com/fwlink/p/?LinkId=532435).
-
+> To perform some of these operations, the partner administrator account you sign in with must be set to **Full administration** for the **Assign administrative access to companies you support** setting found in the details of the admin account in the Microsoft 365 admin center. For more information on managing partner administrator roles, see [Partners: Offer delegated administration](https://go.microsoft.com/fwlink/p/?LinkId=532435).
+ ### Create the domain in Azure Active Directory This command creates the domain in Azure Active Directory but does not associate it with the publicly registered domain. That comes when you prove that you own the publicly registered domain to Microsoft Microsoft 365 for enterprises.
-
+ ```powershell New-MsolDomain -TenantId <customer TenantId> -Name <FQDN of new domain> ```
->[!Note]
->PowerShell Core does not support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell.
->
+> [!NOTE]
+> PowerShell Core does not support the Microsoft Azure Active Directory Module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell.
### Get the data for the DNS TXT verification record Microsoft 365 will generate the specific data that you need to place into the DNS TXT verification record. To get the data, run this command.
-
+ ```powershell Get-MsolDomainVerificationDNS -TenantId <customer TenantId> -DomainName <FQDN of new domain> -Mode DnsTxtRecord ``` This will give you output like:
-
+ `Label: domainname.com`
-
+ `Text: MS=ms########`
-
+ `Ttl: 3600`
-
+ > [!NOTE]
-> You will need this text to create the TXT record in the publicly registered DNS zone. Be sure to copy and save it.
-
+> You will need this text to create the TXT record in the publicly registered DNS zone. Be sure to copy and save it.
+ ### Add a TXT record to the publically registered DNS zone Before Microsoft 365 will start accepting traffic that is directed to the publicly registered domain name, you must prove that you own and have administrator permissions to the domain. You prove you own the domain by creating a TXT record in the domain. A TXT record doesn't do anything in your domain, and it can be deleted after your ownership of the domain is established. To create the TXT records, follow the procedures at [Add DNS records to connect your domain](../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md). If those procedures don't work for you , you need to find the procedures for your DNS registrar.
-
+ Confirm the successful creation of the TXT record via nslookup. Follow this syntax.
-
+ ```console nslookup -type=TXT <FQDN of registered domain> ``` This will give you output like:
-
+ `Non-authoritative answer:`
-
+ `FQDN of the registered domain`
-
+ `text=MS=ms########`
-
+ ### Validate domain ownership in Microsoft 365
-In this last step, you validate to Microsoft 365 that you own the publically registered domain. After this step, Microsoft 365 will begin accepting traffic routed to the new domain name. To complete the domain creation and registration process, run this command.
-
+In this last step, you validate to Microsoft 365 that you own the publically registered domain. After this step, Microsoft 365 will begin accepting traffic routed to the new domain name. To complete the domain creation and registration process, run this command.
+ ```powershell Confirm-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain> ``` This command won't return any output, so to confirm that this worked, run this command.
-
+ ```powershell Get-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain> ```
Name Status Authentication
FQDN of new domain Verified Managed ```
-
+ ## See also
-####
+####
[Help for partners](https://go.microsoft.com/fwlink/p/?LinkID=533477)
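Review bot: the added line under "Create the domain in Azure Active Directory" still reads "prove that you own the publicly registered domain to Microsoft Microsoft 365 for enterprises"; drop the doubled "Microsoft". The same pass keeps "publically" in three added lines (the domain-registration bullet, the "Add a TXT record" heading and the "Validate domain ownership" paragraph) although the neighbouring sentences spell it "publicly", keeps the stray space in "don't work for you , you need", and re-adds the empty "####" heading under "See also", which should be removed rather than carried over.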
enterprise Best Practices For Using Office 365 On A Slow Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/best-practices-for-using-office-365-on-a-slow-network.md
description: "This article guides you through the best practices that you can ad
# Best practices for using Office 365 on a slow network
-Wouldn't it be nice if your Internet connection was always fast and never down? Perhaps that day will come. But in the meantime, there are practical things you can do to work around a balky network and still get your day-to-day work done. Although Office 365 is a cloud-based service, it also provides many ways to work with your content offline and to smoothly keep your changes synchronized. Besides, it's sometimes more efficient to work with content offline just because applications run faster and the user interface is more responsive. The point is this: Office 365 gives you the best of both worlds. Here's how to take advantage of that.
-
+Wouldn't it be nice if your Internet connection was always fast and never down? Perhaps that day will come. But in the meantime, there are practical things you can do to work around a balky network and still get your day-to-day work done. Although Office 365 is a cloud-based service, it also provides many ways to work with your content offline and to smoothly keep your changes synchronized. Besides, it's sometimes more efficient to work with content offline just because applications run faster and the user interface is more responsive. The point is this: Office 365 gives you the best of both worlds. Here's how to take advantage of that.
+ > [!TIP]
-> Want to see how slow (or fast) your network connection is? Try the [ OOKLA Speed test ](https://www.speedtest.net/) or the [Network Speed Test App](https://www.windowsphone.com/store/app/network-speed-test/9b9ae06b-2961-41ef-987d-b09567cffe70).
+> Want to see how slow (or fast) your network connection is? Try the [OOKLA Speed test](https://www.speedtest.net/) or the [Network Speed Test App](https://www.windowsphone.com/store/app/network-speed-test/9b9ae06b-2961-41ef-987d-b09567cffe70).
## Why is my network so slow? Although you don't have control over network performance itself, it helps to understand what's going on behind the scenes. The Internet is enormously complex, but there are a few concepts that can help you understand the situation much better. Following the best practices in this article can help workaround performance issues and reduce frustration.
-
-**Major factors that affect network performance**
+
+### Major factors that affect network performance
![Network Performance Factors](../media/62a94322-3f1a-4d2d-bbdc-2aa0722d2d96.png)
-
- **Bandwidth and latency** The two most important measures of network performance are bandwidth and latency:
-
+
+ **Bandwidth and latency**: The two most important measures of network performance are bandwidth and latency:
+ - Bandwidth is the rate of throughput measured in bits per second. Bigger is better. Bandwidth is like a water pipe. The larger the pipe, the more water that you can "put through" it. - Latency is the time it takes for content to get from a server or service to your device and is measured in milliseconds. Faster is better. Latency can be caused by a number of factors including low bandwidth, a sparse connection, or transmission time.
- **Common issues** Besides bandwidth and latency, other issues have an impact on network performance and are often unpredictable. Network performance can fluctuate based on the time of the day or your physical location. The network can become clogged when certain events occur that spike the use of the Internet, such as a natural disaster or a major public event. The size and complexity of the page being loaded and the number and size of files being transferred have a direct bearing on performance. A WiFi connection can temporarily degrade: for example, you poll a large conference meeting of thousands by requesting everyone to tweet at the same time.
-
- **Considerations for a satellite network**A satellite network is useful when a terrestrial network is not feasible, such as the back country, a cruise ship, or a remote scientific area. These networks rely on satellites positioned in a geosynchronous orbit 22,000 miles above the equator. However, a transmission actually travels about 90,000 miles, and so a satellite network has a slower latency (500 ms or more) than a terrestrial network (20 to 50ms). Under the best of conditions, you may not notice this latency, but for downloading large files, streaming videos, and playing games, you probably will. Another issue is "rain fade" in which heavy weather, such as thunderstorms and blizzards, can temporarily interrupt satellite transmission.
-
+ **Common issues**: Besides bandwidth and latency, other issues have an impact on network performance and are often unpredictable. Network performance can fluctuate based on the time of the day or your physical location. The network can become clogged when certain events occur that spike the use of the Internet, such as a natural disaster or a major public event. The size and complexity of the page being loaded and the number and size of files being transferred have a direct bearing on performance. A WiFi connection can temporarily degrade: for example, you poll a large conference meeting of thousands by requesting everyone to tweet at the same time.
+
+ **Considerations for a satellite network**: A satellite network is useful when a terrestrial network is not feasible, such as the back country, a cruise ship, or a remote scientific area. These networks rely on satellites positioned in a geosynchronous orbit 22,000 miles above the equator. However, a transmission actually travels about 90,000 miles, and so a satellite network has a slower latency (500 ms or more) than a terrestrial network (20 to 50ms). Under the best of conditions, you may not notice this latency, but for downloading large files, streaming videos, and playing games, you probably will. Another issue is "rain fade" in which heavy weather, such as thunderstorms and blizzards, can temporarily interrupt satellite transmission.
+ ## Are you sure it's the network? Whenever you experience performance problems, first make sure that your device is not the root cause of the problem. There are two things you can do that might make a big improvement:
-
+ - Make sure your device is running well and there is no malware on your computer. - If possible, buy more memory. Adding memory is the simplest and often most effective way to improve performance on your device. It's especially helpful when working with large files and videos.
-For more information, see [ Windows Performance and maintenance ](https://windows.microsoft.com/windows/performance-maintenance-help#performance-maintenance-help) and [Tips to improve PC performance in Windows 10](https://support.microsoft.com/en-za/help/4002019/windows-10-improve-pc-performance).
+For more information, see [Windows Performance and maintenance](https://windows.microsoft.com/windows/performance-maintenance-help#performance-maintenance-help) and [Tips to improve PC performance in Windows 10](https://support.microsoft.com/help/4002019/windows-10-improve-pc-performance).
## Best practices for using your browser Your browser is your gateway to Office 365, so it can have an impact on performance, especially with the time it takes to load a page and how often you round trip to the Office 365 service.
-
- **Browsers in general**
-
+
+### Browsers in general
+ Here are some suggestions for browsers in general:
-
+ - Disable browser add-ons that might impact performance or that you don't really need. - Increase the cache size for your temporary internet files. -- Once you have signed into your work or school account, keep the browser window open throughout the day. You can open other tabs and windows without signing in again. If you need to sign in to another account, use Private Browsing.
+- Once you have signed into your work or school account, keep the browser window open throughout the day. You can open other tabs and windows without signing in again. If you need to sign in to another account, use Private Browsing.
- Once each page is downloaded and open, keep them open by using tabs. It's easy to navigate between tabs and use the page later on in the day. Refresh a page only if you need the latest data on that page. -- If a page is taking too long to open, stop the page download (press ESC) and then refresh the page (press F5).
+- If a page is taking too long to open, stop the page download (press ESC) and then refresh the page (press F5).
-- When possible, reduce round trips to Office 365. For example, rather than paging through lists or libraries, use search to locate files in a large library and filtering in a list to get directly to the results you want. Or, create views that minimize page load time. For more information, see [Manage large lists and libraries in Office 365](https://support.office.com/article/b4038448-ec0e-49b7-b853-679d3d8fb784#BKMK_PAGES).
+- When possible, reduce round trips to Office 365. For example, rather than paging through lists or libraries, use search to locate files in a large library and filtering in a list to get directly to the results you want. Or, create views that minimize page load time. For more information, see [Manage large lists and libraries in Office 365](https://support.office.com/article/b4038448-ec0e-49b7-b853-679d3d8fb784#BKMK_PAGES).
- If video performance is poor, you may be able to download the video and watch it on your device. A download link may be available, or you may be able to right click the video link, and select **Save Target as**.
- **Browser-specific**
-
-Here are some suggestions for your specific browser:
-
-- **Internet Explorer** Upgrade to Internet Explorer Version 11 or later for substantial performance improvements over previous versions. For more information, see [Troubleshooting guide for Internet Explorer](https://support.microsoft.com/help/2437121/troubleshooting-guide-for-internet-explorer-when-you-access-office-365).
+### Browser-specific
-- **FireFox**For more information, see [Firefox is slow or stops working](https://support.mozilla.org/products/firefox/fix-problems/slowness-or-hanging).
+Here are some suggestions for your specific browser:
-- **Safari** For more information, see [Apple - Safari](https://www.apple.com/safari/).
+- **Internet Explorer**: Upgrade to Internet Explorer Version 11 or later for substantial performance improvements over previous versions. For more information, see [Troubleshooting guide for Internet Explorer](https://support.microsoft.com/help/2437121/troubleshooting-guide-for-internet-explorer-when-you-access-office-365).
+- **FireFox**: For more information, see [Firefox is slow or stops working](https://support.mozilla.org/products/firefox/fix-problems/slowness-or-hanging).
+- **Safari**: For more information, see [Apple - Safari](https://www.apple.com/safari/).
+- **Chrome**: For more information, see [Chrome Help](https://support.google.com/chrome/?hl=en).
-- **Chrome** For more information, see [Chrome Help](https://support.google.com/chrome/?hl=en).
-
## Best practices for using Outlook and Outlook Web App Reading, writing, and organizing email is a big part of everyone's day. Both Outlook and Outlook Web App (OWA) offer offline support. Using an email app on your smart phone is another useful alternative. Use the following options that best fit your needs:
-
-- Upgrade to the latest version of Outlook for substantial performance improvements over previous versions. -- Outlook Web App lets you create offline messages, contacts, and calendar events that are uploaded when OWA is next able to connect to Office 365. For more information about setting up and using OWA in offline mode, see [Using Outlook Web App offline](https://support.office.com/article/3214839c-0604-4162-8a97-6856b4c27b36).
+- Upgrade to the latest version of Outlook for substantial performance improvements over previous versions.
+
+- Outlook Web App lets you create offline messages, contacts, and calendar events that are uploaded when OWA is next able to connect to Office 365. For more information about setting up and using OWA in offline mode, see [Using Outlook Web App offline](https://support.office.com/article/3214839c-0604-4162-8a97-6856b4c27b36).
- Outlook lets you work in cached mode, in which it automatically connects whenever possible. You can have Outlook download your entire mailbox, or just a portion of it. For more information, see [Turn on Cached Exchange Mode](https://support.office.com/article/7885af08-9a60-4ec3-850a-e221c1ed0c1c) and [Work offline in Outlook](https://support.office.com/article/f3a1251c-6dd5-4208-aef9-7c8c9522d633).
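Review bot: in the rewritten "Browser-specific" list the bullet is labelled "**FireFox**" while its own link text spells the product "Firefox"; use "Firefox" in the label. The Chrome link also keeps the "?hl=en" locale parameter even though this change strips "en-za" from the support.microsoft.com link under "Are you sure it's the network?", and the satellite paragraph still mixes "500 ms" with "50ms" and says "slower latency" where "higher latency" is meant.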
Reading, writing, and organizing email is a big part of everyone's day. Both Out
> [!NOTE] > Here is some guidance on when to use Outlook or OWA. If disk space is not an issue on your device, Outlook has a full set of features and might work best for you. If disk space is an issue on your device, consider using OWA which has a subset of features, but also works best in an online situation. Of course, you can use either because they work well together.
-
+ ## Best practices for using OneDrive for Business OneDrive for Business is designed from the ground up to work with your files online and offline. Once you set it up, synchronization of changes occurs automatically and reliably wherever and whenever you make them. If the network is slow, you can work with the offline version of the files.
-
+ The OneDrive for Business sync app comes with a SharePoint Online and Office 365 business subscription, or you can [download](https://support.microsoft.com/kb/2903984) the OneDrive for Business sync app for free. This app is also faster than using the **Open in Explorer** or **Upload** commands. For more information, see [Set up your computer to sync your OneDrive for Business files in Office 365](https://support.office.com/article/23e1f12b-d896-4cb1-a238-f91d19827a16).
-
+ Here's some additional guidance for using the OneDrive for Business sync app:
-
-- If you're syncing a large library for the first time, start the sync during off hours, for example, overnight.
+- If you're syncing a large library for the first time, start the sync during off hours, for example, overnight.
- You can use the [Stop syncing a library with the OneDrive for Business app](https://support.office.com/article/a7e41f1f-3a98-4ca7-9443-f10250688330) feature to temporarily stop syncing updates. However, use this feature for brief periods, such as a few hours at a time, to avoid queuing large numbers of updates, and to minimize the risk of merge conflicts if several people work on the same document.
-
+ ## Best practices for using OneNote Every SharePoint team site has a built-in OneNote notebook and you can easily create your own. OneNote is a great way to collect timely information that you need every day to get tasks done. For example, many teams use OneNote as a collection point for weekly meetings, project notes, ideas, plans, and status reports. You can neatly organize this disparate information by using pages, sections, and tabs.
-
+ The beauty of OneNote is that you can access the content from virtually any device, whether a desktop, a laptop, a tablet, or a smart phone. And you don't have to worry about saving or synchronizing because OneNote does it for you.
-
+ For more information, see [Microsoft OneNote](https://office.microsoft.com/onenote). ## Best practices for using Skype for Business and Lync Online
The following are general guidelines for using Skype for Business or Lync Online
- Video performance is very dependent on network performance. Avoid using video if your network is slow. For more information, see [Poor audio or video quality in Lync Online](https://support.microsoft.com/kb/2386655), or how to [troubleshoot connection issues in Skype for Business](https://support.office.com/article/troubleshoot-connection-issues-in-skype-for-business-ca302828-783f-425c-bbe2-356348583771).
-
+ ## Best practices for using SharePoint lists Working with list data offline to "scrub", analyze, or report data is a great way to minimize the impact of a slow network. You can read and write most lists from Microsoft Access 2019 and Microsoft Access 2016 by linking to them. You can also export a list to an Excel Table, which creates a one-way data connection between the Excel table and the list. Learn how to [Work offline with tables that are linked to SharePoint lists](https://support.office.com/article/work-offline-with-tables-that-are-linked-to-sharepoint-lists-5d66594a-6176-4a25-a198-320f13ccf41e).
-
+ For more information, see the section "More about managing large lists" in [Manage large lists and libraries in Office 365](https://support.office.com/article/b4038448-ec0e-49b7-b853-679d3d8fb784).
-
+ ## Best practices for customizing web pages When you customize a web page, you may inadvertently cause poor performance with the page. A number of factors can have an impact, such as the complexity and size of the page, how many web parts are added, how many list or library items are initially displayed, and the way you code the page.
-
+ For more information, see [Tune SharePoint Online performance](tune-sharepoint-online-performance.md).
-
+ ## Best practices for using Project Online The following guidelines can help improve network performance.
-
+ - Project Online and SharePoint Online require synchronization, which can be time consuming. If your project teams have low turnover, disable Project Site Sync to improve the Project Publish and Project Detail Pages performance. Limit Active Directory sync to groups of resources that actually need to use the system, and monitor any potential permission issues after the synchronization of large groups. - If your organization uses project sites, create them on demand rather than automatically. This speeds up the first publishing experience and avoids creating unnecessary sites and content.
The following guidelines can help improve network performance.
- When you use OData for reporting, limit the amount of data you query at runtime by using server-side filtering. For more information, see [Tune Project Online performance](https://support.office.com/article/12ba0ebd-c616-42e5-b9b6-cad570e8409c).
-
+ ## What's the best way to report problems? Microsoft continually improves the overall performance of Office 365 by monitoring the network, measuring bandwidth and latency, improving page load time, reducing disk I/O, redesigning pages to use Minimal Download Strategy, adding hardware to data centers and adding more data centers. For more information about checking your current status and reporting issues, see [How to check Office 365 service health](view-service-health.md).
-
+ ## See also [Network planning and performance tuning for Office 365](network-planning-and-performance.md)
-
+ [Office 365 Network Connectivity Principles](microsoft-365-network-connectivity-principles.md)
-
+ [Managing Office 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a)
-
+ [Office 365 endpoints FAQ](https://support.office.com/article/d4088321-1c89-4b96-9c99-54c75cae2e6d)
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
f1.keywords:
- NOCSH Last updated 09/21/2020 -+ - it-pro-+ - M365-subscription-management
Previously, when an Exchange Online tenant needed to move mailboxes to another t
Commonly, during mergers or divestitures, you need the ability to move users and content into a new tenant. When the target tenant administrator executes the move, itΓÇÖs called a Pull move, similar to on-premises to cloud onboarding migrations.
-Cross-tenant Exchange mailbox moves are fully self-serviced by tenant administrators, using well known interfaces that can be scripted into the larger workflows needed to transition users to their new organization. Administrators can use the `New-MigrationBatch` cmdlet, available through the Move Mailboxes management role, to execute cross-tenant moves. The move process includes tenant authorization checks during mailbox synchronization and finalization.
-
-Users migrating must be present in the target tenant Exchange Online system as MailUsers, marked with specific attributes to enable the cross-tenant moves. The system will fail moves for users that are not properly set up in the target tenant.
+Cross-tenant Exchange mailbox moves are fully self-serviced by tenant administrators, using well known interfaces that can be scripted into the larger workflows needed to transition users to their new organization. Administrators can use the `New-MigrationBatch` cmdlet, available through the Move Mailboxes management role, to execute cross-tenant moves. The move process includes tenant authorization checks during mailbox synchronization and finalization.
-When the moves are complete, the source system mailbox is converted to MailUser and the targetAddress (shown as ExternalEmailAddress in Exchange) is stamped with the routing address to the destination tenant. This process leaves the legacy MailUser in the source tenant, and allows for a period of co-existence and mail routing. When business processes allow, the source tenant may remove the source MailUser or convert them to a mail contact.
+Users migrating must be present in the target tenant Exchange Online system as MailUsers, marked with specific attributes to enable the cross-tenant moves. The system will fail moves for users that are not properly set up in the target tenant.
+
+When the moves are complete, the source system mailbox is converted to MailUser and the targetAddress (shown as ExternalEmailAddress in Exchange) is stamped with the routing address to the destination tenant. This process leaves the legacy MailUser in the source tenant, and allows for a period of co-existence and mail routing. When business processes allow, the source tenant may remove the source MailUser or convert them to a mail contact.
Cross-tenant Exchange mailbox migrations are supported for tenants in hybrid or cloud only, or any combination of the two.
-This article describes the process for cross-tenant mailbox moves and provides guidance on how to prepare source and target tenants for the content move.
+This article describes the process for cross-tenant mailbox moves and provides guidance on how to prepare source and target tenants for the content move.
## Preparing source and target tenants
This section does not include the specific steps required to prepare the MailUse
## Prerequisites
-The cross-tenant mailbox move feature requires [Azure Key Vault](/azure/key-vault/basic-concepts) to establish a tenant pair-specific Azure application to securely store and access the certificate/secret used to authenticate and authorize mailbox migration from one tenant to the other, removing any requirements to share certificates/secrets between tenants.
+The cross-tenant mailbox move feature requires [Azure Key Vault](/azure/key-vault/basic-concepts) to establish a tenant pair-specific Azure application to securely store and access the certificate/secret used to authenticate and authorize mailbox migration from one tenant to the other, removing any requirements to share certificates/secrets between tenants.
Before starting, be sure you have the necessary permissions to run the deployment scripts in order to configure Azure Key Vault, Move Mailbox application, EXO Migration Endpoint, and the EXO Organization Relationship. Typically, Global Admin has permission to perform all configuration steps.
Here is how the process works.
<!-- [![Tenant preparation for mailbox migration](../media/tenant-to-tenant-mailbox-move/prepare-tenants-flow.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/tenant-to-tenant-mailbox-move/prepare-tenants-flow.png)>
+-->
### Prepare tenants
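Review bot: the added "-->" terminates the "<!--" in front of the "Tenant preparation for mailbox migration" image, but the image stays commented out, so "Here is how the process works." now introduces nothing. Either restore the diagram or drop that sentence; the stray ">" left at the end of the image line can go at the same time.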
Prepare the source tenant:
#### Step-by-step instructions for the target tenant admin
-1. Download the SetupCrossTenantRelationshipForTargetTenant.ps1 script for the target tenant setup from the [GitHub repository](https://github.com/microsoft/cross-tenant/releases/tag/Preview).
+1. Download the SetupCrossTenantRelationshipForTargetTenant.ps1 script for the target tenant setup from the [GitHub repository](https://github.com/microsoft/cross-tenant/releases/tag/Preview).
2. Save the script (SetupCrossTenantRelationshipForTargetTenant.ps1) to the computer from which you will be executing the script. 3. Create a Remote PowerShell connection to the Exchange Online target tenant. Again, make sure you have the necessary permissions to run the deployment scripts in order to configure the Azure Key Vault storage and certificate, Move Mailbox application, EXO Migration Endpoint, and the EXO Organization Relationship. 4. Change the file folder directory to the script location or verify the script is currently saved to the location currently in your Remote PowerShell session.
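Review bot: steps 1 to 4 have the admin download SetupCrossTenantRelationshipForTargetTenant.ps1 from a release tagged "Preview" and run it from a session that can configure Azure Key Vault, the Move Mailbox application, the EXO Migration Endpoint and the EXO Organization Relationship, yet none of the visible steps asks them to review the script or confirm it came from the linked repository before running it. Add that check between steps 2 and 3, and reword step 4, where "verify the script is currently saved to the location currently in your Remote PowerShell session" is hard to parse.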
Prepare the source tenant:
https://login.microsoftonline.com/contoso.onmicrosoft.com/adminconsent?client_id=6fea6ssd-0753-404d-wer5-c71a154d675c&redirect_uri=https://office.com Application details to be registered in organization relationship: ApplicationId: [ 6fes8en4-sjo3-406d-ad35-sldkfjiew993 ]. KeyVault secret Id: [ https://cross-tenantmovesvault.vault.azure.net:443/certificates/Contoso-Fabrikam-cert/ksdfj843nt8476h84c288c5a3fb8ec5fdb08 ]. These values are available in variables $AppId and $CertificateId respectively Please consent to the application for fabrikam.onmicrosoft.com before sending invitation to admin@contoso.onmicrosoft.com:
- ```
+ ```
7. A URL will be displayed in the Remote PowerShell session. Copy the link provided for your tenant consent and paste it into a Web browser.
The target admin setup is now complete!
> [!NOTE] > If you do not get this email or cannot find it, the target tenant admin was provided a direct URL that can be given to you to accept the invitation. The URL should in the in the transcript of the target tenant admin's Remote PowerShell session.
-3. In either the Microsoft 365 admin center or a Remote PowerShell session, create one or more mail-enabled security groups to control the list of mailboxes allowed by the target tenant to pull (move) from the source tenant to the target tenant. You do not need to populate this group in advance, but at least one group must be provided to run the setup steps (script). Nest groups are not supported.
+3. In either the Microsoft 365 admin center or a Remote PowerShell session, create one or more mail-enabled security groups to control the list of mailboxes allowed by the target tenant to pull (move) from the source tenant to the target tenant. You do not need to populate this group in advance, but at least one group must be provided to run the setup steps (script). Nest groups are not supported.
-4. Download the SetupCrossTenantRelationshipForResourceTenant.ps1 script for the source tenant setup from the GitHub repository here: [https://github.com/microsoft/cross-tenant/releases/tag/Preview](https://github.com/microsoft/cross-tenant/releases/tag/Preview).
+4. Download the SetupCrossTenantRelationshipForResourceTenant.ps1 script for the source tenant setup from the GitHub repository here: [https://github.com/microsoft/cross-tenant/releases/tag/Preview](https://github.com/microsoft/cross-tenant/releases/tag/Preview).
5. Create a Remote PowerShell connection to the source tenant with your Exchange Administrator permissions. Global Admin permissions are not required to configure the source tenant, only the target tenant because of the Azure application creation process.
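Review bot: the re-added step 3 still ends with "Nest groups are not supported."; that should read "Nested groups are not supported." The note just above it has a similar leftover, "The URL should in the in the transcript", which is worth fixing in the same pass ("should be in the transcript").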
If a mailbox move back to the original source tenant is required, the same set o
Users migrating must be present in the target tenant and Exchange Online system (as MailUsers) marked with specific attributes to enable the cross-tenant moves. The system will fail moves for users that are not properly set up in the target tenant. The following section details the MailUser object requirements for the target tenant. ### Prerequisites
-
-You must ensure the following objects and attributes are set in the target organization.
-1. For any mailbox moving from a source organization, you must provision a MailUser object in the Target organization:
+You must ensure the following objects and attributes are set in the target organization.
+
+1. For any mailbox moving from a source organization, you must provision a MailUser object in the Target organization:
- The Target MailUser must have these attributes from the source mailbox or assigned with the new User object:
- - ExchangeGUID (direct flow from source to target) ΓÇô The mailbox GUID must match. The move process will not proceed if this is not present on target object.
- - ArchiveGUID (direct flow from source to target) ΓÇô The archive GUID must match. The move process will not proceed if this is not present on the target object. (This is only required if the source mailbox is Archive enabled).
- - LegacyExchangeDN (flow as proxyAddress, ΓÇ£x500:<LegacyExchangeDN>ΓÇ¥) ΓÇô The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. The move processes will not proceed if this is not present on the target object.
- - UserPrincipalName ΓÇô UPN will align to the userΓÇÖs NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).
- - Primary SMTPAddress ΓÇô Primary SMTP address will align to the userΓÇÖs NEW company (for example, user@northwind.com).
- - TargetAddress/ExternalEmailAddress ΓÇô MailUser will reference the userΓÇÖs current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress which will cause move failures.
+ - ExchangeGUID (direct flow from source to target) ΓÇô The mailbox GUID must match. The move process will not proceed if this is not present on target object.
+ - ArchiveGUID (direct flow from source to target) ΓÇô The archive GUID must match. The move process will not proceed if this is not present on the target object. (This is only required if the source mailbox is Archive enabled).
+ - LegacyExchangeDN (flow as proxyAddress, ΓÇ£x500:<LegacyExchangeDN>ΓÇ¥) ΓÇô The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. The move processes will not proceed if this is not present on the target object.
+ - UserPrincipalName ΓÇô UPN will align to the userΓÇÖs NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).
+ - Primary SMTPAddress ΓÇô Primary SMTP address will align to the userΓÇÖs NEW company (for example, user@northwind.com).
+ - TargetAddress/ExternalEmailAddress ΓÇô MailUser will reference the userΓÇÖs current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress which will cause move failures.
- You cannot add legacy smtp proxy addresses from source mailbox to target MailUser. For example, you cannot maintain contoso.com on the MEU in fabrikam.onmicrosoft.com tenant objects). Domains are associated with one Azure AD or Exchange Online tenant only.
-
+ Example **target** MailUser object:
-
+ | Attribute | Value | |--|--| | Alias | LaraN |
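Review bot: The attribute list names the same attribute two ways: the bullet label is "Primary SMTPAddress" while the TargetAddress/ExternalEmailAddress bullet refers to "PrimarySMTPAddress". Use one spelling in both places so readers can match it to the attribute they set. In the same bullet, "verify that you have/are also assigning PrimarySMTPAddress" would read more clearly as "verify that you are also assigning PrimarySMTPAddress", because the sentence describes a condition that causes move failures.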
You must ensure the following objects and attributes are set in the target organ
| ExchangeGuid | 1ec059c7-8396-4d0b-af4e-d6bd4c12a8d8 | | LegacyExchangeDN | /o=First Organization/ou=Exchange Administrative Group | | | (FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9Lara |
- | EmailAddresses | smtp:LaraN@contoso.onmicrosoft.com
+ | EmailAddresses | smtp:LaraN@contoso.onmicrosoft.com
| | SMTP:Lara.Newton@contoso.com | |||
- - Additional attributes may be included in Exchange hybrid write back already. If not, they should be included.
+ - Additional attributes may be included in Exchange hybrid write back already. If not, they should be included.
- msExchBlockedSendersHash ΓÇô Writes back online safe and blocked sender data from clients to on-premises Active Directory. - msExchSafeRecipientsHash ΓÇô Writes back online safe and blocked sender data from clients to on-premises Active Directory. - msExchSafeSendersHash ΓÇô Writes back online safe and blocked sender data from clients to on-premises Active Directory.
You must ensure the following objects and attributes are set in the target organ
> SAMPLE ΓÇô AS IS, NO WARRANTY<br/>This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB. ```powershell
- $ELCValue = 0
- if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}
+ $ELCValue = 0
+ if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}
``` 3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB: `Set-MailUser -EnableLitigationHoldForMigration $TRUE`. Note this will not work for tenants in hybrid.
-4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization.
+4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization.
> [!Note]
- > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.
+ > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.
-5. You must ensure that the target MailUser has no previous ExchangeGuid that does not match the Source ExchangeGuid. This might occur if the target MEU was previously licensed for Exchange Online and provisioned a mailbox. If the target MailUser was previously licensed for or had an ExchangeGuid that does not match the Source ExchangeGuid, you need to perform a cleanup of the cloud MEU. For these cloud MEUs, you can run `Set-User <identity> -PermanentlyClearPreviousMailboxInfo`.
+5. You must ensure that the target MailUser has no previous ExchangeGuid that does not match the Source ExchangeGuid. This might occur if the target MEU was previously licensed for Exchange Online and provisioned a mailbox. If the target MailUser was previously licensed for or had an ExchangeGuid that does not match the Source ExchangeGuid, you need to perform a cleanup of the cloud MEU. For these cloud MEUs, you can run `Set-User <identity> -PermanentlyClearPreviousMailboxInfo`.
> [!Caution]
- > This process is irreversible. If the object has a softDeleted mailbox, it cannot be restored after this point. Once cleared, however, you can sync the correct ExchangeGuid to the target object and MRS will connect the source mailbox to the newly created target mailbox. (Reference EHLO blog on the new parameter.)
+ > This process is irreversible. If the object has a softDeleted mailbox, it cannot be restored after this point. Once cleared, however, you can sync the correct ExchangeGuid to the target object and MRS will connect the source mailbox to the newly created target mailbox. (Reference EHLO blog on the new parameter.)
Find objects that were previously mailboxes using this command.
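Review bot: The Caution for `-PermanentlyClearPreviousMailboxInfo` ends with "(Reference EHLO blog on the new parameter.)", which reads as an authoring placeholder and has no link. Because the text itself says the operation is irreversible, either link the referenced post or remove the parenthetical so readers are not pointed at a source they cannot find.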
You must ensure the following objects and attributes are set in the target organ
Get-User <identity> | select Name, *recipient* | ft -AutoSize ```
- Here is an example.
+ Here is an example.
```powershell
- PS demo> get-user John@northwindtraders.com |select name, *recipient*| ft -AutoSize
+ PS demo> get-user John@northwindtraders.com |select name, *recipient*| ft -AutoSize
- Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails
- - - - --
- John UserMailbox MailUser MailUser
- ```
+ Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails
+ - - - --
+ John UserMailbox MailUser MailUser
+ ```
Clear the soft-deleted mailbox using this command.
You must ensure the following objects and attributes are set in the target organ
Here is an example. ```powershell
- PS demo> Set-User John@northwindtraders.com -PermanentlyClearPreviousMailboxInfo Confirm
- Are you sure you want to perform this action?
- Delete all existing information about user ΓÇ£John@northwindtraders.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY.
- Do you want to continue?
- [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
+ PS demo> Set-User John@northwindtraders.com -PermanentlyClearPreviousMailboxInfo Confirm
+ Are you sure you want to perform this action?
+ Delete all existing information about user ΓÇ£John@northwindtraders.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY.
+ Do you want to continue?
+ [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
``` ## Perform mailbox migrations
-Cross-tenant Exchange mailbox migrations are submitted as migration batches initiated from the target tenant. This is similar to the way that on-boarding migration batches work when migrating from Exchange on-premises to Microsoft 365.
+Cross-tenant Exchange mailbox migrations are submitted as migration batches initiated from the target tenant. This is similar to the way that on-boarding migration batches work when migrating from Exchange on-premises to Microsoft 365.
### Create Migration batches
Once the mailbox moves from source to target, you should ensure that the on-prem
**Do we need to update RemoteMailboxes in source on-premises after the move?**
-Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.
+Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.
-**Do Teams meetings migrate cross-tenant?**
+**Do Teams meetings migrate cross-tenant?**
The meetings will move however the Teams meeting URL does not update when items migrate cross-tenant. Since the URL will be invalid in the target tenant you will need to remove and recreate the Teams meetings.
-**Does the Teams chat folder content migrate cross-tenant?**
+**Does the Teams chat folder content migrate cross-tenant?**
-No, the Teams chat folder content does not migrate cross-tenant.
+No, the Teams chat folder content does not migrate cross-tenant.
**How can I see just moves that are cross-tenant moves, not my onboarding and off-boarding moves?** Use the `-flags` parameter. Here is an example. ```powershell
-Get-MoveRequest -Flags "CrossTenant"
+Get-MoveRequest -Flags "CrossTenant"
``` **Can you provide example scripts for copying attributes used in testing?**
Get-MoveRequest -Flags "CrossTenant"
> SAMPLE ΓÇô AS IS, NO WARRANTY<br/>This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB. ```powershell
-#Dumps out the test mailboxes from SourceTenant
-#Note, the filter applied on Get-Mailbox is for an attribute set on CustomAttribute1 = "ProjectKermit"
-#These are the ΓÇÿtargetΓÇÖ users to be moved to the Northwind org tenant #################################################################
+#Dumps out the test mailboxes from SourceTenant
+#Note, the filter applied on Get-Mailbox is for an attribute set on CustomAttribute1 = "ProjectKermit"
+#These are the ΓÇÿtargetΓÇÖ users to be moved to the Northwind org tenant #################################################################
$outFileUsers = "$home\desktop\userstomigrate.txt" $outFileUsersXML = "$home\desktop\userstomigrate.xml"
-#output the test objects
+#output the test objects
Get-Mailbox -Filter "CustomAttribute1 -like 'ProjectKermit'" -ResultSize Unlimited | Select-Object -ExpandProperty Alias | Out-File $outFileUsers $mailboxes = Get-Content $outFileUsers $mailboxes | ForEach-Object {Get-Mailbox $_} | Select-Object PrimarySMTPAddress,Alias,SamAccountName,FirstName,LastName,DisplayName,Name,ExchangeGuid,ArchiveGuid,LegacyExchangeDn,EmailAddresses | Export-Clixml $outFileUsersXML
-#################################################################
-#Copy the file $outfile to the desktop of the target on-premises
-#then run the below to create MEU in Target
-#################################################################
+#################################################################
+#Copy the file $outfile to the desktop of the target on-premises
+#then run the below to create MEU in Target
+#################################################################
$mailboxes = Import-Clixml $home\desktop\userstomigrate.xml foreach ($m in $mailboxes) {
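Review bot: The comment "#Copy the file $outfile to the desktop of the target on-premises" names a variable the visible script never defines. The script sets `$outFileUsers` and `$outFileUsersXML`, and the next step imports userstomigrate.xml, so the comment should name `$outFileUsersXML` (or the file name) to make clear which of the two exported files has to be copied.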
foreach ($m in $mailboxes) {
$tmpx500 | %{Set-MailUser $m.Alias -EmailAddresses @{add="$_"}} }
-#################################################################
-# On AADSync machine, run AADSync
-#################################################################
-Start-ADSyncSyncCycle
-
-#AADSync and FWDSync will create the target MEUs in the Target tenant
+#################################################################
+# On AADSync machine, run AADSync
+#################################################################
+Start-ADSyncSyncCycle
+
+#AADSync and FWDSync will create the target MEUs in the Target tenant
``` **How do we access Outlook on Day 1 after the use mailbox is moved?**
-Since only one tenant can own a domain, the former primary SMTPAddress will not be associated to the user in the target tenant when the mailbox move completes; only those domains associated with the new tenant. Outlook uses the users new UPN to authenticate to the service and the Outlook profile expects to find the legacy primary SMTPAddress to match the mailbox in the target system. Since the legacy address is not in the target System the outlook profile will not connect to find the newly moved mailbox.
+Since only one tenant can own a domain, the former primary SMTPAddress will not be associated to the user in the target tenant when the mailbox move completes; only those domains associated with the new tenant. Outlook uses the users new UPN to authenticate to the service and the Outlook profile expects to find the legacy primary SMTPAddress to match the mailbox in the target system. Since the legacy address is not in the target System the outlook profile will not connect to find the newly moved mailbox.
-For this initial deployment, users will need to rebuild their profile with their new UPN, primary SMTP address and re-sync OST content.
+For this initial deployment, users will need to rebuild their profile with their new UPN, primary SMTP address and re-sync OST content.
> [!Note]
-> Plan accordingly as you batch your users for completion. You need to account for network utilization and capacity when Outlook client profiles are created and subsequent OST and OAB files are downloaded to clients.
-
+> Plan accordingly as you batch your users for completion. You need to account for network utilization and capacity when Outlook client profiles are created and subsequent OST and OAB files are downloaded to clients.
+ **What Exchange RBAC roles do I need to be member of to set up or complete a cross-tenant move?**
-
-There a matrix of roles based on assumption of delegated duties when executing a mailbox move. Currently, two roles are required:
-- The first role is for a one-time setup task that establishes the authorization of moving content into or out of your tenant/organizational boundary. As moving data out of your organizational control is a critical concern for all companies, we opted with the highest assigned role of Organization Administrator (OrgAdmin). This role must alter or setup a new OrganizationRelationship that defines the -MailboxMoveCapability with the remote organization. Only the OrgAdmin can alter the MailboxMoveCapability setting, while other attributes on the OrganizationRelationhip can be managed by the Federated Sharing administrator.
-
-- The role of executing the actual move commands can be delegated to a lower-level function. The role of Move Mailboxes is assigned the capability of moving mailboxes in or out of the organization by using the `-RemoteTenant` parameter.
+There a matrix of roles based on assumption of delegated duties when executing a mailbox move. Currently, two roles are required:
+
+- The first role is for a one-time setup task that establishes the authorization of moving content into or out of your tenant/organizational boundary. As moving data out of your organizational control is a critical concern for all companies, we opted with the highest assigned role of Organization Administrator (OrgAdmin). This role must alter or setup a new OrganizationRelationship that defines the -MailboxMoveCapability with the remote organization. Only the OrgAdmin can alter the MailboxMoveCapability setting, while other attributes on the OrganizationRelationhip can be managed by the Federated Sharing administrator.
+
+- The role of executing the actual move commands can be delegated to a lower-level function. The role of Move Mailboxes is assigned the capability of moving mailboxes in or out of the organization by using the `-RemoteTenant` parameter.
**How do we target which SMTP address is selected for targetAddress (TargetDeliveryDomain) on the converted mailbox (to MailUser conversion)?**
-
+ Exchange mailbox moves using MRS craft the targetAddress on the original source mailbox when converting to a MailUser by matching an email address (proxyAddress) on the target object. The process takes the -TargetDeliveryDomain value passed into the move command, then checks for a matching proxy for that domain on the target side. When we find a match, the matching proxyAddress is used to set the ExternalEmailAddress (targetAddress) on the converted mailbox (now MailUser) object.
-
+ **How do mailbox permissions transition?**
-Mailbox permissions include Send on Behalf of and Mailbox Access:
+Mailbox permissions include Send on Behalf of and Mailbox Access:
+
+- Send On Behalf Of (AD:publicDelegates) stores the DN of recipients with access to a userΓÇÖs mailbox as a delegate. This value is stored in Active Directory and currently does not move as part of the mailbox transition. If the source mailbox has publicDelegates set, you will need to restamp the publicDelegates on the target Mailbox once the MEU to Mailbox conversion completes in the target environment by running `Set-Mailbox <principle> -GrantSendOnBehalfTo <delegate>`.
+
+- Mailbox Permissions that are stored in the mailbox will move with the mailbox when both the principal and the delegate are moved to the target system. For example, the user TestUser_7 is granted FullAccess to the mailbox TestUser_8 in the tenant SourceCompany.onmicrosoft.com. After the mailbox move completes to TargetCompany.onmicrosoft.com, the same permissions are set up in the target directory. Examples using *Get-MailboxPermission* for TestUser_7 in both source and target tenants are shown below. Exchange cmdlets are prefixed with source and target accordingly.
-- Send On Behalf Of (AD:publicDelegates) stores the DN of recipients with access to a userΓÇÖs mailbox as a delegate. This value is stored in Active Directory and currently does not move as part of the mailbox transition. If the source mailbox has publicDelegates set, you will need to restamp the publicDelegates on the target Mailbox once the MEU to Mailbox conversion completes in the target environment by running `Set-Mailbox <principle> -GrantSendOnBehalfTo <delegate>`.
-
-- Mailbox Permissions that are stored in the mailbox will move with the mailbox when both the principal and the delegate are moved to the target system. For example, the user TestUser_7 is granted FullAccess to the mailbox TestUser_8 in the tenant SourceCompany.onmicrosoft.com. After the mailbox move completes to TargetCompany.onmicrosoft.com, the same permissions are set up in the target directory. Examples using *Get-MailboxPermission* for TestUser_7 in both source and target tenants are shown below. Exchange cmdlets are prefixed with source and target accordingly.
-
-Here's an example of the output of the mailbox permission before a move.
+Here's an example of the output of the mailbox permission before a move.
```powershell PS C:\PowerShell\> Get-SourceMailboxPermission testuser_7 |ft -AutoSize User, AccessRights, IsInherited, Deny
User AccessRights
NT AUTHORITY\SELF {FullAccess, ReadPermission} False False TestUser_8@SourceCompany.onmicrosoft.com {FullAccess} False False.... ```
-Here's an example of the output of the mailbox permission after the move.
+Here's an example of the output of the mailbox permission after the move.
```powershell PS C:\PowerShell\> Get-TargetMailboxPermission testuser_7 | ft -AutoSize User, AccessRights, IsInherited, Deny
User AccessRights
- -- - NT AUTHORITY\SELF {FullAccess, ReadPermission} False FalseTestUser_8@TargetCompany.onmicrosoft.com {FullAccess} False False ```
-
+ > [!Note]
-> Cross-tenant mailbox and calendar permissions are NOT supported. You must organize principals and delegates into consolidated move batches so that these connected mailboxes are transitioned at the same time from the source tenant.
+> Cross-tenant mailbox and calendar permissions are NOT supported. You must organize principals and delegates into consolidated move batches so that these connected mailboxes are transitioned at the same time from the source tenant.
-**What X500 proxy should be added to the target MailUser proxy addresses to enable migration?**
+**What X500 proxy should be added to the target MailUser proxy addresses to enable migration?**
-The cross-tenant mailbox migration requires that the LegacyExchangeDN value of the source mailbox object to be stamped as an x500 email address on the target MailUser object.
+The cross-tenant mailbox migration requires that the LegacyExchangeDN value of the source mailbox object to be stamped as an x500 email address on the target MailUser object.
-Example:
+Example:
```powershell
-LegacyExchangeDN value on source mailbox is:
-/o=First Organization/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9Lara
+LegacyExchangeDN value on source mailbox is:
+/o=First Organization/ou=Exchange Administrative Group(FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9Lara
-so the x500 email address to be added to target MailUser object would be:
-x500:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9-Lara
+so the x500 email address to be added to target MailUser object would be:
+x500:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=d11ec1a2cacd4f81858c81907273f1f9-Lara
```
-> [!Note]
-> In addition to this X500 proxy, you will need to copy all X500 proxies from the mailbox in the source to the mailbox in the target.
+> [!Note]
+> In addition to this X500 proxy, you will need to copy all X500 proxies from the mailbox in the source to the mailbox in the target.
-**Where do I start troubleshooting if moves do not work?**
+**Where do I start troubleshooting if moves do not work?**
Start by running the VerifySetup.ps1 script located [on GitHub](https://github.com/microsoft/cross-tenant/releases/tag/Preview) and review the output.
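Review bot: In the X500 example the two values do not match even though the text says the source LegacyExchangeDN is stamped as the x500 address: the source value has "Administrative Group(FYDIBOHF23SPDLT)" and ends in "f1f9Lara", while the x500 line has "Administrative Group (FYDIBOHF23SPDLT)" and ends in "f1f9-Lara". Make the x500 line the source value with only the "x500:" prefix added, otherwise readers copying the pattern cannot tell whether the space and hyphen are significant. Separately, in the Send On Behalf Of bullet the placeholder in `Set-Mailbox <principle> -GrantSendOnBehalfTo <delegate>` should be `<principal>`.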
Here's an eExample of running VerifySetup.ps1 on the source tenant:
VerifySetup.ps1 -PartnerTenantId <TargetTenantId> -ApplicationId <AADApplicationId> ```
-**Can the source and target tenant utilize the same domain name?**
+**Can the source and target tenant utilize the same domain name?**
No. The source and target tenant domain names must be unique. For example, a source domain of contoso.com and the target domain of fourthcoffee.com.
Yes, however we only keep the store permissions as described in these articles:
- [Microsoft Support | How to grant Exchange and Outlook mailbox permissions in Office 365 dedicated](https://support.microsoft.com/topic/how-to-grant-exchange-and-outlook-mailbox-permissions-in-office-365-dedicated-bac01b2c-08ff-2eac-e1c8-6dd01cf77287)
-**Is Azure Key Vault required and when are transactions made?**
+**Is Azure Key Vault required and when are transactions made?**
-Yes, an Azure subscription is required to use Key Vault to store the certificate to authorize migration. Unlike onboarding migrations which use username & password to authenticate to the source, cross-tenant mailbox migrations use OAuth and this certificate as the secret/credential. Access to the Key Vault must be maintained throughout all mailbox migrations as it is accessed once at the beginning and once end of migration, as well as once every 24 hours during incremental sync times. You can review AKV costing details [here]( https://azure.microsoft.com/en-us/pricing/details/key-vault/).
+Yes, an Azure subscription is required to use Key Vault to store the certificate to authorize migration. Unlike onboarding migrations which use username & password to authenticate to the source, cross-tenant mailbox migrations use OAuth and this certificate as the secret/credential. Access to the Key Vault must be maintained throughout all mailbox migrations as it is accessed once at the beginning and once end of migration, as well as once every 24 hours during incremental sync times. You can review AKV costing details [here](https://azure.microsoft.com/en-us/pricing/details/key-vault/).
-**Do you have any recommendations for batches?**
+**Do you have any recommendations for batches?**
Do not exceed 2000 mailboxes per batch. We strongly recommend submitting batches two weeks prior to the cut-over date as there is no impact to the end users during sync. If you need guidance for mailboxes quantities over 50,000 you can reach out to the Engineering Feedback Distribution List at crosstenantmigrationpreview@service.microsoft.com. **What if I use Service encryption with Customer Key?**
-The mailbox will be decrypted prior to moving. Ensure Customer Key is configured in the target tenant if it is still required. See [here](../compliance/customer-key-overview.md) for more information.
+The mailbox will be decrypted prior to moving. Ensure Customer Key is configured in the target tenant if it is still required. See [here](../compliance/customer-key-overview.md) for more information.
**What is the estimated migration time?**
-To help you plan your migration, the table present [here](/exchange/mailbox-migration/office-365-migration-best-practices#estimated-migration-times) shows the guidelines about when to expect bulk mailbox migrations or individual migrations to complete. These estimates are based on a data analysis of previous customer migrations. Because every environment is unique, your exact migration velocity may vary.
+To help you plan your migration, the table present [here](/exchange/mailbox-migration/office-365-migration-best-practices#estimated-migration-times) shows the guidelines about when to expect bulk mailbox migrations or individual migrations to complete. These estimates are based on a data analysis of previous customer migrations. Because every environment is unique, your exact migration velocity may vary.
Do remember that this feature is currently in preview and the SLA and any applicable Service Levels do not apply to any performance or availability issues during the preview status of this feature.
-## Known issues
+## Known issues
- **Issue: Auto Expanded archives cannot be migrated.** The cross-tenant migration feature support migrations of the primary mailbox and archive mailbox for a specific user. If the user in the source however has an auto expanded archive ΓÇô meaning more than one archive mailbox, the feature is unable to migrate the additional archives and should fail. -- **Issue: Cloud MailUsers with non-owned smtp proxyAddress block MRS moves background.** When creating target tenant MailUser objects, you must ensure that all SMTP proxy addresses belong to the target tenant organization. If an SMTP proxyAddress exists on the target mail user that does not belong to the local tenant, the conversion of the MailUser to Mailbox is prevented. This is due to our assurance that mailbox objects can only send mail from domains for which the tenant is authoritative (domains claimed by the tenant):
+- **Issue: Cloud MailUsers with non-owned smtp proxyAddress block MRS moves background.** When creating target tenant MailUser objects, you must ensure that all SMTP proxy addresses belong to the target tenant organization. If an SMTP proxyAddress exists on the target mail user that does not belong to the local tenant, the conversion of the MailUser to Mailbox is prevented. This is due to our assurance that mailbox objects can only send mail from domains for which the tenant is authoritative (domains claimed by the tenant):
- When you sync users from on-premises using Azure AD Connect, you provision on-premises MailUser objects with ExternalEmailAddress pointing to the source tenant where the mailbox exists (laran@contoso.onmicrosoft.com) and you stamp the PrimarySMTPAddress as a domain that resides in the target tenant (Lara.Newton@northwind.com). These values sync down to the tenant and an appropriate mail user is provisioned and ready for migration. An example object is shown here. ```powershell
- target/AADSynced user] PS C> Get-MailUser laran | select ExternalEmailAddress, EmailAddresses
- ExternalEmailAddress EmailAddresses
- -- --
- SMTP:laran@contoso.onmicrosoft.com {SMTP:lara.newton@northwind.com}
+ target/AADSynced user] PS C> Get-MailUser laran | select ExternalEmailAddress, EmailAddresses
+ ExternalEmailAddress EmailAddresses
+ -- --
+ SMTP:laran@contoso.onmicrosoft.com {SMTP:lara.newton@northwind.com}
``` > [!Note]
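Review bot: The sample prompt in the `Get-MailUser laran` example reads `target/AADSynced user] PS C>` in both the removed and the added line, so the opening `[` of the tenant label is still missing after this whitespace-only change; restore it so the label reads as a bracketed tag. In the context bullet on auto-expanded archives, "the cross-tenant migration feature support migrations" should read "supports", and "should fail" leaves it unclear whether the whole move fails or only the additional archives are skipped; state which one an admin will see. The non-owned proxyAddress bullet tells admins to ensure every SMTP proxy address belongs to the target tenant, but the visible example only prints the addresses; a sentence on comparing them against the tenant's verified domains before starting the move would make the check actionable.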
Do remember that this feature is currently in preview and the SLA and any applic
- **Issue: MailUser objects with ΓÇ£externalΓÇ¥ primary SMTP addresses are modified / reset to ΓÇ£internalΓÇ¥ company claimed domains** MailUser objects are pointers to non-local mailboxes. In the case for cross-tenant mailbox migrations, we use MailUser objects to represent either the source mailbox (from the target organizationΓÇÖs perspective) or target mailbox (from the source organizationΓÇÖs perspective). The MailUsers will have an ExternalEmailAddress (targetAddress) that points to the smtp address of the actual mailbox (ProxyTest@fabrikam.onmicrosoft.com) and primarySMTP address that represents the displayed SMTP address of the mailbox user in the directory. Some organizations choose to display the primary SMTP address as an external SMTP address, not as an address owned/verified by the local tenant (such as fabrikam.com rather than as contoso.com). However, once an Exchange service plan object is applied to the MailUser via licensing operations, the primary SMTP address is modified to show as a domain verified by the local organization (contoso.com). There are two potential reasons:
-
+ - When any Exchange service plan is applied to a MailUser, the Azure AD process starts to enforce proxy scrubbing to ensure that the local organization is not able to send mail out, spoof, or mail from another tenant. Any SMTP address on a recipient object with these service plans will be removed if the address is not verified by the local organization. As is the case in the example, the Fabikam.com domain is NOT verified by the contoso.onmicrosoft.com tenant, so the scrubbing removes that fabrikam.com domain. If you wish to persist these external domain on MailUser, either before the migration or after migration, you need to alter your migration processes to strip licenses after the move completes or before the move to ensure that the users have the expected external branding applied. You will need to ensure that the mailbox object is properly licensed to not affect mail service.<br/><br/>An example script to remove the service plans on a MailUser in the Contoso.onmicrosoft.com tenant is shown here. ```powershell
- $LO = New-MsolLicenseOptions -AccountSkuId "contoso:ENTERPRISEPREMIUM" DisabledPlans
+ $LO = New-MsolLicenseOptions -AccountSkuId "contoso:ENTERPRISEPREMIUM" DisabledPlans
"LOCKBOX_ENTERPRISE","EXCHANGE_S_ENTERPRISE","INFORMATION_BARRIERS","MIP_S_CLP2"," MIP_S_CLP1","MYANALYTICS_P2","EXCHANGE_ANALYTICS","EQUIVIO_ANALYTICS","THREAT_INTE
- LLIGENCE","PAM_ENTERPRISE","PREMIUM_ENCRYPTION"
- Set-MsolUserLicense -UserPrincipalName proxytest@contoso.com LicenseOptions $lo
+ LLIGENCE","PAM_ENTERPRISE","PREMIUM_ENCRYPTION"
+ Set-MsolUserLicense -UserPrincipalName proxytest@contoso.com LicenseOptions $lo
``` Results in the set of ServicePlans assigned are shown here. ```powershell
- (Get-MsolUser -UserPrincipalName proxytest@contoso.com).licenses |select
- -ExpandProperty servicestatus |sort ProvisioningStatus -Descending
- ServicePlan ProvisioningStatus
- --
- ATP_ENTERPRISE PendingProvisioning
- MICROSOFT_SEARCH PendingProvisioning
- INTUNE_O365 PendingActivation
- PAM_ENTERPRISE Disabled
- EXCHANGE_ANALYTICS Disabled
- EQUIVIO_ANALYTICS Disabled
- THREAT_INTELLIGENCE Disabled
- LOCKBOX_ENTERPRISE Disabled
- PREMIUM_ENCRYPTION Disabled
- EXCHANGE_S_ENTERPRISE Disabled
- INFORMATION_BARRIERS Disabled
- MYANALYTICS_P2 Disabled
- MIP_S_CLP1 Disabled
- MIP_S_CLP2 Disabled
- ADALLOM_S_O365 PendingInput
- RMS_S_ENTERPRISE Success
- YAMMER_ENTERPRISE Success
- PROJECTWORKMANAGEMENT Success
- BI_AZURE_P2 Success
- WHITEBOARD_PLAN3 Success
- SHAREPOINTENTERPRISE Success
- SHAREPOINTWAC Success
- KAIZALA_STANDALONE Success
- OFFICESUBSCRIPTION Success
- MCOSTANDARD Success
- Deskless Success
- STREAM_O365_E5 Success
- FLOW_O365_P3 Success
- POWERAPPS_O365_P3 Success
- TEAMS1 Success
- MCOEV Success
- MCOMEETADV Success
- BPOS_S_TODO_3 Success
- FORMS_PLAN_E5 Success
- SWAY Success
+ (Get-MsolUser -UserPrincipalName proxytest@contoso.com).licenses |select
+ -ExpandProperty servicestatus |sort ProvisioningStatus -Descending
+ ServicePlan ProvisioningStatus
+ --
+ ATP_ENTERPRISE PendingProvisioning
+ MICROSOFT_SEARCH PendingProvisioning
+ INTUNE_O365 PendingActivation
+ PAM_ENTERPRISE Disabled
+ EXCHANGE_ANALYTICS Disabled
+ EQUIVIO_ANALYTICS Disabled
+ THREAT_INTELLIGENCE Disabled
+ LOCKBOX_ENTERPRISE Disabled
+ PREMIUM_ENCRYPTION Disabled
+ EXCHANGE_S_ENTERPRISE Disabled
+ INFORMATION_BARRIERS Disabled
+ MYANALYTICS_P2 Disabled
+ MIP_S_CLP1 Disabled
+ MIP_S_CLP2 Disabled
+ ADALLOM_S_O365 PendingInput
+ RMS_S_ENTERPRISE Success
+ YAMMER_ENTERPRISE Success
+ PROJECTWORKMANAGEMENT Success
+ BI_AZURE_P2 Success
+ WHITEBOARD_PLAN3 Success
+ SHAREPOINTENTERPRISE Success
+ SHAREPOINTWAC Success
+ KAIZALA_STANDALONE Success
+ OFFICESUBSCRIPTION Success
+ MCOSTANDARD Success
+ Deskless Success
+ STREAM_O365_E5 Success
+ FLOW_O365_P3 Success
+ POWERAPPS_O365_P3 Success
+ TEAMS1 Success
+ MCOEV Success
+ MCOMEETADV Success
+ BPOS_S_TODO_3 Success
+ FORMS_PLAN_E5 Success
+ SWAY Success
```
-
+ The userΓÇÖs PrimarySMTPAddress is no longer scrubbed. The fabrikam.com domain is not owned by the contoso.onmicrosoft.com tenant and will persist as the primary SMTP address shown in the directory. Here is an example. ```powershell
- get-recipient proxytest | ft -a userprin*, primary*, external*
- PrimarySmtpAddress ExternalDirectoryObjectId ExternalEmailAddress
- - --
- proxytest@fabrikam.com e2513482-1d5b-4066-936a-cbc7f8f6f817 SMTP:proxytest@fabrikam.com
+ get-recipient proxytest | ft -a userprin*, primary*, external*
+ PrimarySmtpAddress ExternalDirectoryObjectId ExternalEmailAddress
+ - --
+ proxytest@fabrikam.com e2513482-1d5b-4066-936a-cbc7f8f6f817 SMTP:proxytest@fabrikam.com
``` - When msExchRemoteRecipientType is set to 8 (DeprovisionMailbox), for on-premises MailUsers that are migrated to the target tenant, the proxy scrubbing logic in Azure will remove nonowned domains and reset the primarySMTP to an owned domain. By clearing msExchRemoteRecipientType in the on-premises MailUser, the proxy scrub logic no longer applies. <br/><br>Below is the full set of possible Service Plans that include Exchange Online.
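Review bot: In the license-removal script, `DisabledPlans` on the `New-MsolLicenseOptions` line and `LicenseOptions` on the `Set-MsolUserLicense` line have no leading `-` in either the old or the new version, so PowerShell treats them as positional values rather than parameter names. Suggest `-DisabledPlans` and `-LicenseOptions`. In the same block, rejoin the plan name that is split across two lines as `"THREAT_INTE` / `LLIGENCE"`, drop the leading space in `" MIP_S_CLP1"`, and use one casing for `$LO` / `$lo`. The paragraph before the script spells the domain "Fabikam.com" once where the rest of the text uses "fabrikam.com". Because the script disables the Exchange-related service plans to stop proxy scrubbing, the existing caveat that the mailbox object must stay properly licensed would be better placed directly beside the script than at the end of the preceding paragraph.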
enterprise Disable Access To Services While Assigning User Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-while-assigning-user-licenses.md
search.appverid:
- MET150 f1.keywords: - CSH-+ - PowerShell - Ent_Office_Other ms.assetid: bb003bdb-3c22-4141-ae3b-f0656fc23b9c
Microsoft 365 subscriptions come with service plans for individual services. Mic
## Use the Azure Active Directory PowerShell for Graph module First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).
-
+ Next, list the license plans for your tenant with this command.
Next, get the sign-in name of the account to which you want add a license, also
Next, compile a list of services to enable. For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference). For the command block below, fill in the user principal name of the user account, the SKU part number, and the list of service plans to enable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt.
-
+ ```powershell $userUPN="<user account UPN>" $skuPart="<SKU part number>"
Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $LicensesToAss
First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell). Next, run this command to see your current subscriptions:
-
+ ```powershell Get-MsolAccountSku ```
Get-MsolAccountSku
> In the display of the `Get-MsolAccountSku` command:
-
+ - **AccountSkuId** is a subscription for your organization in \<OrganizationName>:\<Subscription> format. The \<OrganizationName> is the value that you provided when you enrolled in Microsoft 365, and is unique for your organization. The \<Subscription> value is for a specific subscription. For example, for litwareinc:ENTERPRISEPACK, the organization name is litwareinc, and the subscription name is ENTERPRISEPACK (Office 365 Enterprise E3).
-
+ - **ActiveUnits** is the number of licenses that you've purchased for the subscription.
-
+ - **WarningUnits** is the number of licenses in a subscription that you haven't renewed, and that will expire after the 30-day grace period.
-
+ - **ConsumedUnits** is the number of licenses that you've assigned to users for the subscription.
-
-Note the AccountSkuId for your Microsoft 365 subscription that contains the users you want to license. Also, ensure that there are enough licenses to assign (subtract **ConsumedUnits** from **ActiveUnits** ).
-
+
+Note the AccountSkuId for your Microsoft 365 subscription that contains the users you want to license. Also, ensure that there are enough licenses to assign (subtract **ConsumedUnits** from **ActiveUnits**).
+ Next, run this command to see the details about the Microsoft 365 service plans that are available in all your subscriptions:
-
+ ```powershell Get-MsolAccountSku | Select -ExpandProperty ServiceStatus ``` From the display of this command, determine which service plans you would like to disable when you assign licenses to users.
-
+ Here is a partial list of service plans and their corresponding Microsoft 365 services.
-The following table shows the Microsoft 365 service plans and their friendly names for the most common services. Your list of service plans might be different.
-
+The following table shows the Microsoft 365 service plans and their friendly names for the most common services. Your list of service plans might be different.
+ |**Service plan**|**Description**| |:--|:--| | `SWAY` <br/> |Sway <br/> |
The following table shows the Microsoft 365 service plans and their friendly nam
| `SHAREPOINTWAC` <br/> |Office <br/> | | `SHAREPOINTENTERPRISE` <br/> |SharePoint Online <br/> | | `EXCHANGE_S_ENTERPRISE` <br/> |Exchange Online Plan 2 <br/> |
-
+ For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference).
-
+ Now that you have the AccountSkuId and the service plans to disable, you can assign licenses for an individual user or for multiple users.
-
+ ### For a single user For a single user, fill in the user principal name of the user account, the AccountSkuId, and the list of service plans to disable and remove the explanatory text and the \< and > characters. Then, run the resulting commands at the PowerShell command prompt.
-
+ ```powershell $userUPN="<the user's account name in email format>" $accountSkuId="<the AccountSkuId from the Get-MsolAccountSku command>"
Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions
``` Here is an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE:
-
+ ```powershell $userUPN="belindan@contoso.com" $accountSkuId="contoso:ENTERPRISEPACK"
Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions
### For multiple users To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here is an example:
-
+ ```powershell UserPrincipalName,UsageLocation ClaudeL@contoso.onmicrosoft.com,FR
ShawnM@contoso.onmicrosoft.com,US
``` Next, fill in the location of the input and output CSV files, the account SKU ID, and the list of service plans to disable, and then run the resulting commands at the PowerShell command prompt.
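Review bot: The CSV sample beginning `UserPrincipalName,UsageLocation` is fenced as `powershell` in the added line, but it is the content of the input file, not something to run; tag the fence as plain text (or leave it untagged) so readers do not paste it at the prompt. The change here only touches the blank line before the fence, so the fence tag could be corrected in the same edit.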
-
+ ```powershell $inFileName="<path and file name of the input CSV file that contains the users, example: C:\admin\Users2License.CSV>" $outFileName="<path and file name of the output CSV file that records the results, example: C:\admin\Users2License-Done.CSV>"
$users | Get-MsolUser | Select UserPrincipalName, Islicensed,Usagelocation | Exp
``` This PowerShell command block:
-
+ - Displays the user principal name of each user.
-
+ - Assigns customized licenses to each user.
-
+ - Creates a CSV file with all the users that were processed and shows their license status.
-
+ ## See also [Disable access to Microsoft 365 services with PowerShell](disable-access-to-services-with-microsoft-365-powershell.md)
-
+ [Disable access to Sway with PowerShell](disable-access-to-sway-with-microsoft-365-powershell.md)
-
+ [Manage Microsoft 365 user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md)
-
+ [Manage Microsoft 365 with PowerShell](manage-microsoft-365-with-microsoft-365-powershell.md)
enterprise Microsoft 365 Inter Tenant Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-inter-tenant-collaboration.md
# Microsoft 365 inter-tenant collaboration Suppose that two organizations, Fabrikam and Contoso, each have a Microsoft 365 for business tenant and they want to work together on several projects; some of which run for a limited time and some of which are ongoing. How can Fabrikam and Contoso enable their people and teams to collaborate more effectively across their different Microsoft 365 tenants in a secure manner? Microsoft 365, in conjunction with Azure Active Directory (Azure AD) B2B collaboration, provides several options. This article describes several key scenarios that Fabrikam and Contoso can consider.
-
+ Microsoft 365 inter-tenant collaboration options include using a central location for files and conversations, sharing calendars, using IM, audio/video calls for communication, and securing access to resources and applications. Use the following tables to select solutions and learn more.
-
+ ## Exchange Online collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--|
-|Share calendars with another Microsoft 365 organization |Administrators can set up different levels of calendar access in Exchange Online to allow businesses to collaborate with other businesses and to let users share the schedules (free/busy information) with others. | <ul><li>[Sharing](/exchange/sharing/sharing) </li><li> [Organization relationships](/exchange/sharing/organization-relationships/organization-relationships) </li><li> [Create an organization relationship](/exchange/sharing/organization-relationships/create-an-organization-relationship) </li><li> [Modify an organization relationship ](/exchange/sharing/organization-relationships/modify-an-organization-relationship) </li><li> [Remove an organization relationship](/exchange/sharing/organization-relationships/remove-an-organization-relationship) </li><li> [Share calendars with external users](https://support.office.com/article/fb00dd4e-2d5f-4e8d-8ff4-94b2cf002bdd) </li></ul> |
+|Share calendars with another Microsoft 365 organization |Administrators can set up different levels of calendar access in Exchange Online to allow businesses to collaborate with other businesses and to let users share the schedules (free/busy information) with others. | <ul><li>[Sharing](/exchange/sharing/sharing) </li><li> [Organization relationships](/exchange/sharing/organization-relationships/organization-relationships) </li><li> [Create an organization relationship](/exchange/sharing/organization-relationships/create-an-organization-relationship) </li><li> [Modify an organization relationship](/exchange/sharing/organization-relationships/modify-an-organization-relationship) </li><li> [Remove an organization relationship](/exchange/sharing/organization-relationships/remove-an-organization-relationship) </li><li> [Share calendars with external users](https://support.office.com/article/fb00dd4e-2d5f-4e8d-8ff4-94b2cf002bdd) </li></ul> |
|Control how users share their calendars with people outside your organization | Administrators apply sharing policies to users mailboxes to control who it can be shared with and the level of access granted | <ul><li> [Sharing policies](/exchange/sharing/sharing-policies/sharing-policies) </li><li> [Create a sharing policy](/exchange/sharing/sharing-policies/create-a-sharing-policy) </li><li> [Apply a sharing policy to mailboxes](/exchange/sharing/sharing-policies/apply-a-sharing-policy) </li><li> [Modify, disable, or remove a sharing policy](/exchange/sharing/sharing-policies/modify-a-sharing-policy) </li></ul> | |Configure secure email channels and control mail flow with partner organizations | Administrators create connectors to apply security to mail exchanges with a partner organization or service provider. The connectors enforce encryption via transport layer security (TLS) as well as allowing restrictions on domain names or IP address ranges your partners send email from. | <ul><li> [How Exchange Online uses TLS to secure email connections](../compliance/exchange-online-uses-tls-to-secure-email-connections.md) </li><li> [Configure mail flow using connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow) </li><li> [Remote domains](/exchange/mail-flow-best-practices/remote-domains/remote-domains) </li><li> [Set up connector for secure mail flow with a partner organization](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-for-secure-mail-flow-with-a-partner) </li><li> [Mail flow best practices (overview)](/exchange/mail-flow-best-practices/mail-flow-best-practices) </li></ul> |
-
+ ## SharePoint Online and OneDrive for Business collaboration options | Sharing goals | Administrative action | How-to information | |:--|:--|:--| |Share sites and documents with external users | Administrators configure sharing at the tenant, or site collection level for Microsoft account authenticated, work or school account authenticated or guest accounts | <ul><li> [Manage external sharing for your SharePoint Online environment](https://support.office.com/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85?ui=en-US&amp;rs=en-US&amp;ad=US) </li><li> [Restrict sharing of SharePoint and OneDrive content by domain](/sharepoint/restricted-domains-sharing) </li><li> [Use SharePoint Online as a business-to-business (B2B) extranet solution](https://support.office.com/article/7b087413-165a-4e94-8871-4393e0b9c037) </li></ul> | |Tracking and controlling external sharing for end users | OneDrive for Business file owners and SharePoint Online end users configure site and document sharing and establish notifications to track sharing | <ul><li> [Configure notifications for external sharing for OneDrive for Business](https://support.office.com/article/Configure-notifications-for-external-sharing-for-OneDrive-for-Business-b640c693-f170-4227-b8c1-b0a7e0fa876b) </li><li> [Share SharePoint files or folders](https://support.office.com/article/1fe37332-0f9a-4719-970e-d2578da4941c) </li></ul> |
-
+ ## Skype for Business collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--|
-|Skype for Business Online - IM, calls, and presence with other Skype for Business users | Administrators can enable their Skype for Business Online users to IM, make audio/video calls, and see presence with users in another Microsoft 365 tenant. | [Allow users to contact external Skype for Business users](https://support.office.com/article/b414873a-0059-4cd5-aea1-e5d0857dbc94)|
-|Skype for Business Online - IM, calls, and presence with Skype (consumer) users | Administrators can enable their Skype for Business Online users to IM, make calls, and see presence with Skype (consumer) users. | [Let Skype for Business users add Skype contacts](https://support.office.com/article/08666236-1894-42ae-8846-e49232bbc460)|
-
+|Skype for Business Online - IM, calls, and presence with other Skype for Business users | Administrators can enable their Skype for Business Online users to IM, make audio/video calls, and see presence with users in another Microsoft 365 tenant. | [Allow users to contact external Skype for Business users](https://support.office.com/article/b414873a-0059-4cd5-aea1-e5d0857dbc94)|
+|Skype for Business Online - IM, calls, and presence with Skype (consumer) users | Administrators can enable their Skype for Business Online users to IM, make calls, and see presence with Skype (consumer) users. | [Let Skype for Business users add Skype contacts](https://support.office.com/article/08666236-1894-42ae-8846-e49232bbc460)|
+ ## Azure AD B2B Collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--| |Azure AD B2B collaboration - Content sharing by adding external users to a group in an organization's directory | A global admin for one Microsoft 365 tenant can invite people in another Microsoft 365 tenant to join their directory, add those external users to a group, and grant access to content, such as SharePoint sites and libraries for the group. | <ul><li> [What is Azure AD B2B collaboration preview?](/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b) </li><li> [Azure AD B2B: New updates make cross-business collab easy](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/) </li><li> [External sharing and Azure Active Directory B2B collaboration](/azure/active-directory/active-directory-b2b-o365-external-user) </li><li> [Azure Active Directory B2B collaboration API and customization](/azure/active-directory/active-directory-b2b-api) </li><li> [Azure AD and Identity Show: Azure AD B2B Collaboration (Business to Business](https://channel9.msdn.com/Series/Azure-AD-Identity/AzureADB2B) </li></ul> |
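Review bot: In the Azure AD B2B row of the added line, the link text "Azure AD and Identity Show: Azure AD B2B Collaboration (Business to Business" is missing its closing parenthesis; add `)` before the closing `]`. The same row still links "What is Azure AD B2B collaboration preview?" with "preview" in the title, so confirm the link text matches the current title of the target article.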
-
+ ## Microsoft 365 collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--| |Microsoft 365 Groups - Email, calendar, OneNote, and shared files in a central place | Groups are supported in Business Essentials, Business Premium, Education, and the Enterprise E1, E3, and E5 plans. People in one Microsoft 365 tenant can create a group and invite people in another Microsoft 365 tenant as guest users. Applies to Dynamics CRM as well. | <ul><li> [Learn about Microsoft 365 groups](https://support.office.com/article/b565caa1-5c40-40ef-9915-60fdb2d97fa2) </li><li> [Guest access in Microsoft 365 Groups](https://support.office.com/article/bfc7a840-868f-4fd6-a390-f347bf51aff6) </li><li> [Deploy Microsoft 365 Groups](/previous-versions/dynamicscrm-2016/administering-dynamics-365/dn896591(v=crm.8)) </li></ul> |
-
+ ## Yammer collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--|
-|Yammer - Collaboration through an enterprise social medium | Unless the ability to create external groups is disabled by a Yammer admin, users can create external groups to collaborate in Yammer through conversations, the ability to like and follow posts, share files, and chat online. | [Create and manage external groups in Yammer](https://support.office.com/article/9ccd15ce-0efc-4dc1-81bc-4a424ab6f92a)|
-
+|Yammer - Collaboration through an enterprise social medium | Unless the ability to create external groups is disabled by a Yammer admin, users can create external groups to collaborate in Yammer through conversations, the ability to like and follow posts, share files, and chat online. | [Create and manage external groups in Yammer](https://support.office.com/article/9ccd15ce-0efc-4dc1-81bc-4a424ab6f92a)|
+ ## Teams collaboration options |Sharing goal|Administrative action|How-to information| |:--|:--|:--| |Collaborate in Teams with users external to the organization | A global admin for the inviting Microsoft 365 tenant needs to enable external collaboration in Teams. Global admins and team owners will now be able to invite anyone with an email address to collaborate in Teams. <br/> Admins can also manage and edit Guests already present in their tenant. | <ul><li> [Authorize Guest Access](/microsoftteams/teams-dependencies) </li><li> [Turn Guest Access On or Off in Teams](/microsoftteams/set-up-guests) </li><li> [Use PowerShell to control Guest Access](/microsoftteams/guest-access-powershell) </li><li> [Guest Access Checklist](/microsoftteams/guest-access-checklist) </li><li> [View Guest Users](/microsoftteams/view-guests) </li><li> [Edit guest user information](/microsoftteams/edit-guests-information) </li></ul> | |Team owners can invite and manage how guests collaborate within their teams. |Team owners have additional controls on what the guests can do within their teams. | <ul><li> [Add Guests](https://support.office.com/article/teams-and-channels-df38ae23-8f85-46d3-b071-cb11b9de5499?ui=en-US&amp;rs=en-US&amp;ad=US#bkmk_addingguests&amp;ID0EAABAAA=Add_guests) </li><li> [Add a guest to a team](/microsoftteams/add-guests) </li><li> [Manage Guest Access in Teams](/microsoftteams/manage-guests) </li><li> [See who's on a Team or in a Channel](https://support.office.com/article/see-who-s-on-a-team-or-in-a-channel-5c6be9be-9c45-4a0f-a1a0-f332b23cb6b7?ui=en-US&amp;rs=en-US&amp;ad=US) </li></ul> |
-|Guests from other tenants can view contents in Teams and collaborate with other members | None. | [The guest access experience](/microsoftteams/guest-experience)|
+|Guests from other tenants can view contents in Teams and collaborate with other members | None. | [The guest access experience](/microsoftteams/guest-experience)|
## Power BI collaboration options | Sharing goal | Administrative action | How-to information | |:--|:--|:--|
-|Power BI enables external guest users to consume content shared to them through links. This enables users in the organization to distribute content in a secure way across organizations.<br/> | The Power BI Admin can control whether users can invite external users to view content within the organization.| [Distribute Power BI content to external guest users with Azure AD B2B](/power-bi/service-admin-azure-ad-b2b) |
-
+|Power BI enables external guest users to consume content shared to them through links. This enables users in the organization to distribute content in a secure way across organizations.<br/> | The Power BI Admin can control whether users can invite external users to view content within the organization.| [Distribute Power BI content to external guest users with Azure AD B2B](/power-bi/service-admin-azure-ad-b2b) |
+ ## Points to be aware of about Microsoft 365 inter-tenant collaboration ### Sharing of user accounts, licenses, subscriptions, and storage Each organization maintains its own user accounts, identities, security groups, subscriptions, licenses, and storage. People use the collaboration features in Microsoft 365 together with sharing policies and security settings to provide access to needed information while maintaining control of company assets.
-
-- **User accounts:** Accounts cannot be shared or duplicated between the tenants or partitions in the on-premises Active Directory Domain Services.
-
-- **Licenses &amp; subscriptions:** In Microsoft 365, licenses from licensing plans (also called SKUs or Microsoft 365 plans) give users access to the Microsoft 365 services that are defined for those plans.
-
-- **Storage:** In Microsoft 365 licensing plans, software boundaries and limits for SharePoint Online are managed separately from mailbox storage limits. Mailbox storage limits are set up and managed by using Exchange Online. In both scenarios, storage can't be shared across tenants.
-
+
+- **User accounts:** Accounts cannot be shared or duplicated between the tenants or partitions in the on-premises Active Directory Domain Services.
+
+- **Licenses &amp; subscriptions:** In Microsoft 365, licenses from licensing plans (also called SKUs or Microsoft 365 plans) give users access to the Microsoft 365 services that are defined for those plans.
+
+- **Storage:** In Microsoft 365 licensing plans, software boundaries and limits for SharePoint Online are managed separately from mailbox storage limits. Mailbox storage limits are set up and managed by using Exchange Online. In both scenarios, storage can't be shared across tenants.
+ ### Can we share domain namespaces across Microsoft 365 tenants? No. Organization domain names, such as fabrikam.com or tailspintoys.com, can only be associated and used with a single Microsoft 365 tenant. Each tenant must have its own namespace. UPN, SMTP, and SIP namespaces cannot be shared across tenants.
-
+ ### What about hybrid components and Microsoft 365 inter-tenant collaboration? On-premises hybrid components, such as an Exchange organization and Azure AD Connect, cannot be split across multiple tenants.
enterprise Modern Auth For Office 2013 And 2016 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016.md
localization_priority: Normal f1.keywords: - CSH-+ - Adm_O365 - seo-marvel-apr2020 search.appverid:
Read this article to learn how Office 2013, Office 2016, and Office 2019 client
## Availability of modern authentication for Microsoft 365 services For the Microsoft 365 services, the default state of modern authentication is:
-
-- Turned **on** for Exchange Online by default. See [Enable or disable modern authentication in Exchange Online](https://support.office.com/article/58018196-f918-49cd-8238-56f57f38d662) to turn it off or on.
-
-- Turned **on** for SharePoint Online by default.
-
-- Turned **on** for Skype for Business Online by default. See [Enable Skype for Business Online for modern authentication ](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)to turn it off or on.+
+- Turned **on** for Exchange Online by default. See [Enable or disable modern authentication in Exchange Online](https://support.office.com/article/58018196-f918-49cd-8238-56f57f38d662) to turn it off or on.
+
+- Turned **on** for SharePoint Online by default.
+
+- Turned **on** for Skype for Business Online by default. See [Enable Skype for Business Online for modern authentication](https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx)to turn it off or on.
> [!NOTE] > For tenants created **before** August 1, 2017, modern authentication is turned **off** by default for Exchange Online and Skype for Business Online.
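Review bot: The added Skype for Business Online bullet drops the trailing space inside the link text but still ends with `.aspx)to turn it off or on.`, so the rendered link runs straight into "to"; add a space after the closing parenthesis. The removed version of the same bullet also ends in a stray `+` after "off or on.", which the added line correctly no longer carries.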
-
+ ## Sign-in behavior of Office client apps Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. In order for these clients to use modern authentication features, the Windows client must have registry keys set. For instructions, see [Enable Modern Authentication for Office 2013 on Windows devices](https://support.office.com/article/7dc1c01a-090f-4971-9677-f1b192d6c910). To enable modern authentication for any devices running Windows (for example on laptops and tablets), that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:
-
+ |**Registry key**|**Type**|**Value** | |:-|::|--:| |HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL |REG_DWORD |1 | |HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version |REG_DWORD |1 |
-
-Read [How to use Modern Authentication (ADAL) with Skype for Business](./hybrid-modern-auth-overview.md) to learn about how it works with Skype for Business.
-
+
+Read [How to use Modern Authentication (ADAL) with Skype for Business](./hybrid-modern-auth-overview.md) to learn about how it works with Skype for Business.
+ Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.
-
+ Click the links below to see how Office 2013, Office 2016, and Office 2019 client authentication works with the Microsoft 365 services depending on whether or not modern authentication is turned on.
-
+ - [Exchange Online](modern-auth-for-office-2013-and-2016.md#BK_EchangeOnline)
-
+ - [SharePoint Online](modern-auth-for-office-2013-and-2016.md#BK_SharePointOnline)
-
+ - [Skype for Business Online](modern-auth-for-office-2013-and-2016.md#BK_SFBO)
-
+ <a name="BK_EchangeOnline"> </a> ### Exchange Online The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Exchange Online with or without modern authentication.
-
+ |****Office client app version****|****Registry key present?****|****Modern authentication on?****|****Authentication behavior with modern authentication turned on for the tenant (default)****|****Authentication behavior with modern authentication turned off for the tenant****| |:--|:--|:--|:--|:--| |Office 2019 <br/> |No, <br> AlwaysUseMSOAuthForAutoDiscover = 1 <br/> |Yes <br/> |Forces modern authentication on Outlook 2013, 2016, or 2019. <br/> [More info](https://support.microsoft.com/help/3126599/outlook-prompts-for-password-when-modern-authentication-is-enabled)|Forces modern authentication within the Outlook client.<br/> |
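Review bot: the re-added Skype for Business Online bullet still runs the link straight into the next word (`...modern-authentication.aspx)to turn it off or on`), so the rendered sentence reads "authenticationto turn it off or on". The change removed the stray space inside the link text but did not add the missing space after the closing parenthesis; add it in the same edit. Separately, the re-added Exchange Online link and its anchor both use `BK_EchangeOnline`. They match each other, so the link resolves, but if the spelling is ever corrected, the `<a name>` and the `#BK_EchangeOnline` reference have to change together.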
The following table describes the authentication behavior for Office 2013, Offic
|Office 2016 <br/> |Yes, EnableADAL=0 <br/> |No <br/> |Basic authentication <br/> |Basic authentication <br/> | |Office 2013 <br/> |No <br/> |No <br/> |Basic authentication <br/> |Basic authentication <br/> | |Office 2013 <br/> |Yes, EnableADAL = 1 <br/> |Yes <br/> |Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. <br/> |Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. Server refuses modern authentication when the tenant is not enabled. <br/> |
-
+ <a name="BK_SharePointOnline"> </a> ### SharePoint Online The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to SharePoint Online with or without modern authentication.
-
+ |****Office client app version****|****Registry key present?****|****Modern authentication on?****|****Authentication behavior with modern authentication turned on for the tenant (default)****|****Authentication behavior with modern authentication turned off for the tenant****| |:--|:--|:--|:--|:--| |Office 2019 <br/> |No, or EnableADAL = 1 <br/> |Yes <br/> |Modern authentication only. <br/> |Failure to connect. <br/> |
The following table describes the authentication behavior for Office 2013, Offic
|Office 2016 <br/> |Yes, EnableADAL = 0 <br/> |No <br/> |Microsoft Online Sign-in Assistant only. <br/> |Microsoft Online Sign-in Assistant only. <br/> | |Office 2013 <br/> |No <br/> |No <br/> |Microsoft Online Sign-in Assistant only. <br/> |Microsoft Online Sign-in Assistant only. <br/> | |Office 2013 <br/> |Yes, EnableADAL = 1 <br/> |Yes <br/> |Modern authentication only. <br/> |Failure to connect. <br/> |
-
+ ### Skype for Business Online <a name="BK_SFBO"> </a> The following table describes the authentication behavior for Office 2013, Office 2016, and Office 2019 client apps when they connect to Skype for Business Online with or without modern authentication.
-
+ |****Office client app version****|****Registry key present?****|****Modern authentication on?****|****Authentication behavior with modern authentication turned on for the tenant****|****Authentication behavior with modern authentication turned off for the tenant (default)****| |:--|:--|:--|:--|:--| |Office 2019 <br/> |No, or EnableADAL = 1 <br/> |Yes <br/> |Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. <br/> |Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. <br/> |
The following table describes the authentication behavior for Office 2013, Offic
|Office 2016 <br/> |Yes, EnableADAL = 0 <br/> |No <br/> |Microsoft Online Sign-in Assistant only. <br/> |Microsoft Online Sign-in Assistant only. <br/> | |Office 2013 <br/> |No <br/> |No <br/> |Microsoft Online Sign-in Assistant only. <br/> |Microsoft Online Sign-in Assistant only. <br/> | |Office 2013 <br/> |Yes, EnableADAL = 1 <br/> |Yes <br/> |Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. Server refuses modern authentication when Skype for Business Online tenants are not enabled. <br/> |Microsoft Online Sign-in Assistant only. <br/> |
-
+ ## See also [Enable Modern Authentication for Office 2013 on Windows devices](../admin/security-and-compliance/enable-modern-authentication.md)
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
| Step(s) | Description | Impact | |:-|:-|:-|
-| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
+| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Exchange Online server names](/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/pop3-and-imap4#settings-users-use-to-set-up-pop3-or-imap4-access-to-their-exchange-online-mailboxes). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. | ||||
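Review bot: in the "Notify external partners" row, the link text still promises the "Office 365 worldwide endpoints", but the new target `/microsoft-365/enterprise/urls-and-ip-address-ranges` no longer pins `?view=o365-worldwide`. This article is read by Microsoft Cloud Deutschland customers, so confirm that the unpinned link renders the worldwide endpoint list for a reader whose current view is a different moniker. Partners who reconfigure availability sharing against the wrong endpoint list get exactly the service failure the Impact column warns about. If the view cannot be pinned, say in the row which endpoint set is meant.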
Directory attributes are synced between Office 365 and Azure AD with the on-prem
| Step(s) | Description | Impact | |:-|:-|:-| | Re-run HCW using Office 365 Germany settings <br><br> <i>You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1).</i>| Uninstalling and re-running HCW (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) before Phase 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p><li> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.** | Failing to complete this task before Phase 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
-| Preserving Shared Mailbox settings | Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <br><br> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide).| Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.
+| Preserving Shared Mailbox settings | Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <br><br> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox).| Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.
|||| ## Skype for Business Online
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Additional considerations:
- If your organization still uses SharePoint 2010 workflows, they'll no longer function after December 31, 2021. SharePoint 2013 workflows will remain supported, although turned off by default for new tenants starting on November 1, 2020. After migration to the SharePoint Online service is complete, we recommend that you to move to Power Automate or other supported solutions. - Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail.-- During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example, `contoso.sharepoint.de` and `contoso-my.sharepoint.de`) will be changed to the [Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business)](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#sharepoint-online-and-onedrive-for-business).
+- During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example, `contoso.sharepoint.de` and `contoso-my.sharepoint.de`) will be changed to the [Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business)](/microsoft-365/enterprise/urls-and-ip-address-ranges#sharepoint-online-and-onedrive-for-business).
- While SharePoint and OneDrive services are transitioned, Office Online may not work as expected. > [!NOTE]
enterprise Multi Geo Capabilities In Exchange Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online.md
Exchange Online synchronizes the **PreferredDataLocation** property from Azure A
- Public folders are supported in multi-geo organizations. However, the public folders must remain in the central geo location. You can't move public folders to satellite geo locations. -- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md?view=o365-worldwide).
+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. For more information, see [Manage mailbox auditing](../compliance/enable-mailbox-auditing.md).
enterprise Performance Troubleshooting Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/performance-troubleshooting-plan.md
The built-in column is at the top of the **Frame Details** panel. (To switch bac
![Where to find the Columns drop down for the TCP Troubleshoot option (on top of the Frame Summary).](../media/64fd4baa-a872-4f07-b959-752d7d37fd62.PNG)
-Here's a filtered trace in Wireshark. There is a filter specific to the MSS value ( `tcp.options.mss`). The frames of a SYN, SYN/ACK, ACK handshake are linked at the bottom of the Wireshark equivalent to Frame Details (so frame 47 ACK, links to 46 SYN/ACK, links to 43 SYN) to make this kind of work easier.
+Here's a filtered trace in Wireshark. There is a filter specific to the MSS value (`tcp.options.mss`). The frames of a SYN, SYN/ACK, ACK handshake are linked at the bottom of the Wireshark equivalent to Frame Details (so frame 47 ACK, links to 46 SYN/ACK, links to 43 SYN) to make this kind of work easier.
![Trace filtered in Wireshark by tcp.options.mss for Max Segment Size (MSS).](../media/51e278db-801b-48bc-9b68-87cf92f03fd6.PNG)
enterprise Prepare For Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/prepare-for-directory-synchronization.md
It's best to align these attributes to reduce confusion. To meet the requirement
You may need to add an alternative UPN suffix to associate the user's corporate credentials with the Microsoft 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.
-For more information on how to add an alternative UPN suffix to Active Directory, see [Prepare for directory synchronization]( https://go.microsoft.com/fwlink/p/?LinkId=525430).
+For more information on how to add an alternative UPN suffix to Active Directory, see [Prepare for directory synchronization](https://go.microsoft.com/fwlink/p/?LinkId=525430).
## 5. Match the AD DS UPN with the Microsoft 365 UPN
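Review bot: the corrected link in the UPN suffix paragraph still uses the text "Prepare for directory synchronization", which is the title of this same article (`prepare-for-directory-synchronization.md`), while pointing at an opaque `go.microsoft.com/fwlink` redirect. Since the line is being touched anyway, verify that the redirect lands on the Active Directory procedure for adding an alternative UPN suffix, and change the link text to name that procedure so readers are not sent in a circle.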
enterprise Project Server 2010 End Of Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/project-server-2010-end-of-support.md
Key resources:
- [What's new in Project Server 2013 upgrade](/project/what-s-new-in-project-server-2013-upgrade) covers important changes for this version, including:
- - There's no in-place upgrade to Project Server 2013. The database-attach method is the only supported way to upgrade from Project Server 2010 to Project Server 2013.
+ - There's no in-place upgrade to Project Server 2013. The database-attach method is the only supported way to upgrade from Project Server 2010 to Project Server 2013.
- - The upgrade process will not only convert your Project Server 2010 data to Project Server 2013 format but will also consolidate the four Project Server 2010 databases into a single Project Web App database.
+ - The upgrade process will not only convert your Project Server 2010 data to Project Server 2013 format but will also consolidate the four Project Server 2010 databases into a single Project Web App database.
- - Both SharePoint Server 2013 and Project Server 2013 changed to claims-based authentication from the previous version. If you're using classic authentication, you'll need to consider this when you upgrade. For more information, see [Migrate from classic-mode to claims-based authentication in SharePoint 2013]( /sharepoint/upgrade-and-update/migrate-from-classic-mode-to-claims-based-authentication-in-sharepoint-2013).
+ - Both SharePoint Server 2013 and Project Server 2013 changed to claims-based authentication from the previous version. If you're using classic authentication, you'll need to consider this when you upgrade. For more information, see [Migrate from classic-mode to claims-based authentication in SharePoint 2013](/sharepoint/upgrade-and-update/migrate-from-classic-mode-to-claims-based-authentication-in-sharepoint-2013).
Key resources:
Key resources:
- [Things you need to know about Project Server 2019 upgrade](/project/plan-for-upgrade-to-project-server-2016)<br/><br/>Learn about important changes for upgrading to this version, which include:
- - The upgrade process will migrate your data from your Project Server 2016 database to the SharePoint Server 2019 Content database. Project Server 2019 will no longer create its own Project Server database in the SharePoint Server farm.
+ - The upgrade process will migrate your data from your Project Server 2016 database to the SharePoint Server 2019 Content database. Project Server 2019 will no longer create its own Project Server database in the SharePoint Server farm.
- - After the upgrade, be aware of several changes in Project Web App. For details, see [What's new in Project Server 2019](/project/what-s-new-for-it-pros-in-project-server-2019#PWAChanges).
+ - After the upgrade, be aware of several changes in Project Web App. For details, see [What's new in Project Server 2019](/project/what-s-new-for-it-pros-in-project-server-2019#PWAChanges).
**Other resources**:
You can also [download](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/
[Upgrading from SharePoint 2010](upgrade-from-sharepoint-2010.md)
-[Upgrade from Office 2010 servers and clients](upgrade-from-office-2010-servers-and-products.md)
+[Upgrade from Office 2010 servers and clients](upgrade-from-office-2010-servers-and-products.md)
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
audience: ITPro
localization_priority: Normal-+ - Ent_O365 - M365-subscription-management - SPO_Content
The setup guides are accessible from the [Setup guidance](https://aka.ms/setupgu
1. In the [Microsoft 365 admin center](https://admin.microsoft.com/), go to the **Home** page.
-2. Find the **Training & guides** card.
+2. Find the **Training & guides** card.
![Training & guides card in the Microsoft 365 admin center](../media/setup-guides-for-microsoft-365/adminportal-trainingandguides.png)
You can use the guides to learn more about specific Microsoft 365 and Office 365
### Prepare your environment
-The [Prepare your environment](https://aka.ms/prepareyourenvironment) guide helps you prepare your organization's environment for Microsoft 365 and Office 365 services. Regardless of your goals, there are tasks you'll need to complete to ensure a successful deployment. To avoid any errors while preparing your environment, you're provided with step-by-step instructions to connect your domain, add users, assign licenses, set up email with Exchange Online, and install or deploy Office apps.
+The [Prepare your environment](https://aka.ms/prepareyourenvironment) guide helps you prepare your organization's environment for Microsoft 365 and Office 365 services. Regardless of your goals, there are tasks you'll need to complete to ensure a successful deployment. To avoid any errors while preparing your environment, you're provided with step-by-step instructions to connect your domain, add users, assign licenses, set up email with Exchange Online, and install or deploy Office apps.
### Email setup advisor
When you migrate a Gmail user's mailbox to Microsoft 365, email messages are mig
### Microsoft 365 deployment advisor
-The [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide) provides you with guidance when setting up productivity tools, security policies, and device management capabilities. With a Microsoft 365 Business Premium or Microsoft 365 for enterprise subscription, you can use this advisor to set up and configure your organization's devices.
+The [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide) provides you with guidance when setting up productivity tools, security policies, and device management capabilities. With a Microsoft 365 Business Premium or Microsoft 365 for enterprise subscription, you can use this advisor to set up and configure your organization's devices.
You'll receive guidance and access to resources to enable your cloud services, update devices to the latest supported version of Windows 10, and join devices to Azure Active Directory (Azure AD), all in one central location. ### Remote work setup guide
-The [Remote work setup guide](https://aka.ms/remoteworksetup) provides organizations with the tips and resources needed to ensure your users can successfully work remotely, your data is secure, and users' credentials are safeguarded.
+The [Remote work setup guide](https://aka.ms/remoteworksetup) provides organizations with the tips and resources needed to ensure your users can successfully work remotely, your data is secure, and users' credentials are safeguarded.
-You'll receive guidance to optimize remote workers' device traffic to both Microsoft 365 resources in the cloud and your organization's network, which will reduce the strain on your remote access VPN infrastructure.
+You'll receive guidance to optimize remote workers' device traffic to both Microsoft 365 resources in the cloud and your organization's network, which will reduce the strain on your remote access VPN infrastructure.
### Windows Virtual Desktop setup guide
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps to Azure in minutes and get built-in security and compliance features.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps to Azure in minutes and get built-in security and compliance features.
-The [Windows Virtual Desktop setup guide](https://aka.ms/wvdsetupguide) provides administrators with planning resources and the prerequisites for deployment, setup guidance, and additional resources.
+The [Windows Virtual Desktop setup guide](https://aka.ms/wvdsetupguide) provides administrators with planning resources and the prerequisites for deployment, setup guidance, and additional resources.
### Microsoft Edge setup guide Microsoft Edge has been rebuilt from the ground up to bring you world-class compatibility and performance, the security and privacy you deserve, and new features designed to bring you the best of the web.
-The [Microsoft Edge setup guide](https://aka.ms/edgeadvisor) will help you configure Enterprise Site Discovery to see which sites accessed in your org might need to use IE mode, review and configure important security features, configure privacy policies and additional policies to meet your org's requirements, and manage web access on your devices. You can download Microsoft Edge to individual devices, or we'll show you how to deploy to multiple users in your org with Configuration Manager or Microsoft Intune.
+The [Microsoft Edge setup guide](https://aka.ms/edgeadvisor) will help you configure Enterprise Site Discovery to see which sites accessed in your org might need to use IE mode, review and configure important security features, configure privacy policies and additional policies to meet your org's requirements, and manage web access on your devices. You can download Microsoft Edge to individual devices, or we'll show you how to deploy to multiple users in your org with Configuration Manager or Microsoft Intune.
### Microsoft Search setup guide
Use the [Intune Configuration Manager co-management setup guide](https://aka.ms/
### Azure AD setup guide
-The [Azure AD setup guide](https://aka.ms/aadpguidance) provides information to ensure your organization has a strong security foundation. In this guide youΓÇÖll set up initial features, like Azure role-based access control (Azure RBAC) for admins, Azure AD Connect for your on-premises directory, and Azure AD Connect Health, so you can monitor your hybrid identity's health during automated syncs.
+The [Azure AD setup guide](https://aka.ms/aadpguidance) provides information to ensure your organization has a strong security foundation. In this guide youΓÇÖll set up initial features, like Azure role-based access control (Azure RBAC) for admins, Azure AD Connect for your on-premises directory, and Azure AD Connect Health, so you can monitor your hybrid identity's health during automated syncs.
It also includes essential information on enabling self-service password resets, conditional access and integrated third-party sign-on including optional advanced identity protection and user provisioning automation.
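Review bot: the re-added Azure AD setup guide paragraph still contains a mis-encoded apostrophe (`youΓÇÖll`), so this whitespace cleanup carries the encoding damage forward unchanged. Replace it with a plain `'` in the same pass, and check the other paragraphs touched in this file for the same byte sequence (for example `IntuneΓÇÖs` in the Intune setup guide text) rather than leaving it for a separate commit.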
The [Sync users from your orgΓÇÖs directory wizard](https://aka.ms/directorysync
### Plan your passwordless deployment
-Upgrade to an alternative sign-in approach that allows users to access their devices securely with one of the following passwordless authentication methods:
+Upgrade to an alternative sign-in approach that allows users to access their devices securely with one of the following passwordless authentication methods:
- Windows Hello for Business - The Microsoft Authenticator app-- Security keys
+- Security keys
-Use the [Plan your passwordless deployment wizard](https://aka.ms/passwordlesssetup) to discover the best passwordless authentication methods to use and receive guidance on how to deploy them.
+Use the [Plan your passwordless deployment wizard](https://aka.ms/passwordlesssetup) to discover the best passwordless authentication methods to use and receive guidance on how to deploy them.
### Plan your self-service password reset (SSPR) deployment
-Give users the ability to change or reset their password independently, if their account is locked, or they forget their password without the need to contact a helpdesk engineer.
+Give users the ability to change or reset their password independently, if their account is locked, or they forget their password without the need to contact a helpdesk engineer.
Use the [Plan your self-service password reset deployment wizard](https://aka.ms/SSPRSetupGuide) to receive relevant articles and instructions for configuring the appropriate Azure portal options to help you deploy SSPR in your environment. ### Active Directory Federation Services (AD FS) deployment advisor
-The [AD FS deployment advisor](https://aka.ms/adfsguidance) provides you with step-by-step guidance on deploying an on-premises AD FS infrastructure that authenticates users for Microsoft 365 and Office 365 services. With this guide, your organization can review AD FS components and requirements, acquire and install SSL certificates that are necessary for deployment, and install a required web application proxy server.
+The [AD FS deployment advisor](https://aka.ms/adfsguidance) provides you with step-by-step guidance on deploying an on-premises AD FS infrastructure that authenticates users for Microsoft 365 and Office 365 services. With this guide, your organization can review AD FS components and requirements, acquire and install SSL certificates that are necessary for deployment, and install a required web application proxy server.
## Guides for security and compliance
-### Microsoft Intune setup guide
+### Microsoft Intune setup guide
-Set up Microsoft Intune to manage devices in your organization. For full control of corporate devices, youΓÇÖll use IntuneΓÇÖs mobile device management (MDM) features. To manage your organization's data on shared and personal devices, you can use IntuneΓÇÖs mobile application management (MAM) features.
+Set up Microsoft Intune to manage devices in your organization. For full control of corporate devices, youΓÇÖll use IntuneΓÇÖs mobile device management (MDM) features. To manage your organization's data on shared and personal devices, you can use IntuneΓÇÖs mobile application management (MAM) features.
-With the [Microsoft Intune setup guide](https://aka.ms/intunesetupguide), you'll set up device and app compliance policies, assign app protection policies, and monitor the device and app protection status.
+With the [Microsoft Intune setup guide](https://aka.ms/intunesetupguide), you'll set up device and app compliance policies, assign app protection policies, and monitor the device and app protection status.
### Microsoft Defender for Endpoint advisor
-The [Microsoft Defender for Endpoint advisor](https://aka.ms/mdatpsetup) provides instructions that will help your enterprise network prevent, detect, investigate, and respond to advanced threats. Make an informed assessment of your organization's vulnerability and decide which deployment package and configuration methods are best.
+The [Microsoft Defender for Endpoint advisor](https://aka.ms/mdatpsetup) provides instructions that will help your enterprise network prevent, detect, investigate, and respond to advanced threats. Make an informed assessment of your organization's vulnerability and decide which deployment package and configuration methods are best.
>[!NOTE] >A Microsoft Volume License is required for Microsoft Defender for Endpoint. ### Exchange Online Protection setup guide
-Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service for protection against spam and malware, with features to safeguard your organization from messaging policy violations.
+Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service for protection against spam and malware, with features to safeguard your organization from messaging policy violations.
-Use the [Exchange Online Protection setup guide](https://aka.ms/EOPguidance) to set up EOP by selecting which of the three deployment scenarios&mdash;on-premises mailboxes, hybrid (mix of on-premises and cloud) mailboxes, or all cloud mailboxes&mdash;fits your organization. The guide provides information and resources to set up and review your user's licensing, assign permissions in the Microsoft 365 admin center, and configure your organization's anti-malware and spam policies in the Security & Compliance Center.
+Use the [Exchange Online Protection setup guide](https://aka.ms/EOPguidance) to set up EOP by selecting which of the three deployment scenarios&mdash;on-premises mailboxes, hybrid (mix of on-premises and cloud) mailboxes, or all cloud mailboxes&mdash;fits your organization. The guide provides information and resources to set up and review your user's licensing, assign permissions in the Microsoft 365 admin center, and configure your organization's anti-malware and spam policies in the Security & Compliance Center.
### Microsoft Defender for Office 365 advisor
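Review bot: In the added Exchange Online Protection paragraph, "set up and review your user's licensing" reads as a single user. The rest of the sentence is about the organization's permissions and anti-malware and spam policies, so the plural possessive "your users' licensing" looks like the intended form.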
-The [Microsoft Defender for Office 365 advisor](https://aka.ms/oatpsetup) safeguards your organization against malicious threats that your environment might encounter through email messages, links, and third-party collaboration tools. This guide provides you with the resources and information to help you prepare and identify the Defender for Office 365 plan to fit your organization's needs.
+The [Microsoft Defender for Office 365 advisor](https://aka.ms/oatpsetup) safeguards your organization against malicious threats that your environment might encounter through email messages, links, and third-party collaboration tools. This guide provides you with the resources and information to help you prepare and identify the Defender for Office 365 plan to fit your organization's needs.
### Microsoft information protection setup guide
Get an overview of the capabilities you can apply to your Information Protection
### Microsoft information governance setup guide
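Review bot: The added Defender for Office 365 paragraph says the advisor itself "safeguards your organization against malicious threats", but its next sentence describes the advisor as a guide that provides resources and information. Suggest attributing the protection to Microsoft Defender for Office 365 and describing the advisor as the guide that helps you set it up. The phrase "prepare and identify the Defender for Office 365 plan to fit your organization's needs" would also read better as "identify and prepare for the Defender for Office 365 plan that fits your organization's needs".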
-The [Microsoft Information governance setup guide](https://aka.ms/migsetupguide) provides you with the information you'll need to set up and manage your organization's governance strategy, to ensure that your data is classified and managed according to the specific lifecycle guidelines you set. With this guide, you'll learn how to create, auto-apply, or publish labels, label policies, and retention policies that are applied to your organization's reusable content and compliance records. You'll also get information on importing CSV files with a file plan for bulk scenarios or for applying them manually to individual documents.
+The [Microsoft Information governance setup guide](https://aka.ms/migsetupguide) provides you with the information you'll need to set up and manage your organization's governance strategy, to ensure that your data is classified and managed according to the specific lifecycle guidelines you set. With this guide, you'll learn how to create, auto-apply, or publish labels, label policies, and retention policie