Updates from: 07/10/2021 03:10:52
Category Microsoft Docs article Related commit history on GitHub Change details
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
Before you set up email forwarding, note the following:
You must be an Exchange administrator or Global administrator in Microsoft 365 to do these steps. For more information, see the topic [About admin roles](../add-users/about-admin-roles.md). + 1. In the admin center, go to the **Users** \> **[Active users](https://go.microsoft.com/fwlink/p/?linkid=834822)** page. 2. Select the name of the user whose email you want to forward, then open the properties page.
admin Feedback User Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/feedback-user-control.md
When a user submits feedback, app information is usually collected along with ap
- **Attachments** Were any attachments (i.e screenshots, files) collected as part of the feedback? (Yes/No). - **TenantId** If feedback is submitted from an Azure Active Directory account, which TenantId was associated.
-## Data handling and privacy
+## How can I see my user's feedback?
-We work to earn trust by ensuring that we focus on core data handling and data privacy principles.
-We make sure the feedback we receive is stored and handled under Microsoft governance rules, and that it can only be accessed for approved uses.
+To meet MicrosoftΓÇÖs legal obligations to customers, we're working on a new experience in the Microsoft 365 admin center that lets administrators view, delete, and export the feedback data for their organizations. As part of their data controller responsibility, customers own all user feedback data and this functionality will assist administrators to provide direct transparency into their usersΓÇÖ experiences with Microsoft 365 products and enable user feedback data to be provided as part of any Data Subject Request. Global admins and compliance data administrators will have the ability to view, export and delete user feedback. All other administrators, as well as readers, will be able to view and export feedback data but can't perform compliance related tasks or see information about who posted the feedback (such as user name, email, or device name). To access your organization's feedback data, sign in to the Microsoft 365 admin center and customize navigation to show the health node. Access this experience by selecting **Product Feedback** under the Health node.
-We put you in control of your privacy with easy-to-use tools and clear choices. We're transparent about how we collect and use data, so you can make informed decisions about what you want to share. We protect the data you entrust to us with strong security and encryption. We respect local privacy laws and fight for legal protection of your privacy as a human right. We don't use your email, chat, files, or other personal content to target ads to you. When we collect data, we use it to make your experiences better. Learn more about MicrosoftΓÇÖs approach to privacy [here](https://privacy.microsoft.com/). Learn more about our [Privacy overview](/compliance/assurance/assurance-privacy).
+## Data handling and privacy
-## How can I see my user's feedback?
+We understand that when you use our cloud services, you're entrusting us with one of your most valuable assets: your data. We make sure the feedback we receive is stored and handled under Microsoft governance rules, and that it can only be accessed for approved uses. We don't use your email, chat, files, or other personal content to target ads to you. When we collect data, we use it to make your experiences better.
-Coming soon, we'll be sharing the feedback data we collect for Microsoft products back to you. We're working on a new experience in the Microsoft 365 admin center that let's you view, delete and export the feedback data for your organization. This gives you direct transparency and useful insights into your usersΓÇÖ experiences with Microsoft 365 products.
+To learn more about how we protect the privacy and confidentiality of your data, and how we ensure that it will be used only in a way that is consistent with your expectations, review our privacy principles at the [Microsoft Trust Center](https://www.microsoft.com/trust-center/privacy).
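Review bot: the paragraph added under "How can I see my user's feedback?" mixes tenses, so a reader cannot tell whether the feature exists yet. It opens with "we're working on a new experience" and "will have the ability to view, export and delete", then closes with present-tense access steps ("sign in to the Microsoft 365 admin center and customize navigation to show the health node"). State the availability once and keep the rest consistent with it. The role split is the part admins will act on (Global admins and compliance data administrators can delete and see who posted; other admins and readers can only view and export), so consider breaking it out as a list rather than leaving it mid-paragraph. "customize navigation to show the health node" also needs the actual menu path.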
admin Transition To Global Exchange Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/transition-to-global-exchange-online.md
description: "Learn how to transition from Microsoft Cloud Germany Exchange Onli
# Update your MX records to transition to the global Exchange Online service
-1. Sign in to [Microsoft 365 admin portal](https://admin.microsoft.com), and go to **Settings** > **Domains**
+1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com), and go to **Settings** > **Domains**
2. Status will be shown on the right side for each domain. If your organizationΓÇÖs domains point to Microsoft Cloud Germany Exchange Online, you'll need to update your MX record.
business Transition Csp Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/support/transition-csp-subscription.md
The following table summarizes the impact to customers who don't transition from
|-|--|--||| | **State** | In grace period | Expired | Disabled | Deprovisioned | | **Service impacts** |
-| **Microsoft 365 Business admin portal** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions.</br> Can't assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
+| **Microsoft 365 admin center** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions.</br> Can't assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
| **Office apps** | No end user impact | No end user impact | Office enters reduced functionality mode.</br> Users can view files only. | Office enters reduced functionality mode.</br> Users can view files only. | | **Cloud services (SharePoint Online, Exchange Online, Skype, Teams, and more)** | No end user impact | No end user impact | End users and admins have no access to data in the cloud. | Customer's subscription and all data are deleted. | | **EM+S components** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
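Review bot: in the renamed **Microsoft 365 admin center** row, the Deprovisioned cell says "Customer's subscription and all data is deleted", while the Cloud services row in the same table says "all data are deleted"; make the two agree while this row is being touched. The line breaks in these cells are written as `</br>`, which is a closing tag for an element that has none; `<br/>` is the usual form.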
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
Go to <https://compliance.microsoft.com> and then select **Policies** > **Alert*
![In the compliance center, select Policies,and under Alert, select Alert policies to view and create alert policies](../media/LaunchAlertPoliciesMCC.png)
+> [!NOTE]
+> You have to be assigned the View-Only Manage Alerts role to view alert policies in the Microsoft 365 compliance center. You have to be assigned the Manage Alerts role to create and edit alert policies. For more information, see [Permissions in the security and compliance center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
+ An alert policy consists of the following settings and conditions. - **Activity the alert is tracking**. You create a policy to track an activity or in some cases a few related activities, such a sharing a file with an external user by sharing it, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings.
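Review bot: the added note names the View-Only Manage Alerts and Manage Alerts roles but not where an admin assigns them, and it sends readers of the Microsoft 365 compliance center to a page titled "Permissions in the security and compliance center". Say in the note that the roles are assigned on that permissions page (or name the role groups that carry them), so the reader does not have to guess whether the linked page applies to the portal they are in. It would also help to state whether Manage Alerts includes view access or whether both roles are needed to edit.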
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you have more than one retention policy, and when you also use retention la
- **Teams chats**: Messages from private 1:1 chats, group chats, and meeting chats. - **Teams private channel messages**: Messages from private channel chats and private channel meetings. This option is currently rolling out in preview and if you don't see it displayed, try again in a few days.
- By default, [all teams and all users are selected](#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the [**Choose** and **Exclude** options](#a-policy-with-specific-inclusions-or-exclusions). However, before you change the default, be aware of the following consequences for a retention policy that deletes messages when it's configured for includes or excludes:
+ By default, [all teams and all users are selected](#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the **Edit** options to configure a retention policy for [specific inclusions or exclusions](#a-policy-with-specific-inclusions-or-exclusions). However, before you change the default, be aware of the following consequences for a retention policy that deletes messages when it's configured for includes or excludes:
- For group chat messages and private channel messages, because a copy of messages are saved in each user's mailbox who are included in the chat, copies of messages will continue to be returned in eDiscovery results from users who weren't assigned the policy. - For users who weren't assigned the policy, deleted messages will be returned in their Teams search results but won't display the contents of the message as a result of the permanent deletion from the policy assigned to users.
For technical details about how retention works for Teams, including what elemen
- Although you can select the option to start the retention period when items were last modified, the value of **When items were created** is always used. For messages that are edited, a copy of the original message is saved with its original timestamp to identify when this pre-edited message was created, and the post-edited message has a newer timestamp. -- When you select **Choose teams** for the **Teams channel messages** location, you might see Microsoft 365 groups that aren't also teams. Don't select these groups.
+- When you select **Edit** for the **Teams channel messages** location, you might see Microsoft 365 groups that aren't also teams. Don't select these groups.
-- When you select **Choose users for the Teams chats** location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
+- When you select **Edit** for the Teams chats location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
#### Additional retention policy needed to support Teams
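Review bot: the two replaced bullets are now formatted differently. The first keeps the location in bold ("for the **Teams channel messages** location"), but the second drops it ("for the Teams chats location"), where the removed line had the bold run misplaced across "Choose users for the Teams chats". Bold **Teams chats** so both bullets match the UI label style used elsewhere in the article.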
It's possible that a retention policy that's applied to Microsoft 365 groups, Sh
2. Select **New retention policy** to create a new retention policy.
-3. For **Decide if you want to retain content, delete it, or both** page of the wizard, specify the configuration options for retaining and deleting content.
+3. For the **Choose locations to apply the policy** page, toggle on one or both of the locations for Yammer: **Yammer community message** and **Yammer user messages**.
- You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](#settings-for-retaining-and-deleting-content) on this page.
-
-4. For the **Choose locations** page, select **Let me choose specific locations**. Then toggle on one or both of the locations for Yammer: **Yammer community message** and **Yammer user messages**.
+ > [!IMPORTANT]
+ > Although you can create a retention policy for just Yammer user messages, a retention policy for this location can delete community messages from the Yammer app for all community members.
+ >
+ > If you choose this option and the retention policy will be configured to delete user messages, make sure you understand this implication. For more information, see [How retention works with Yammer](retention-policies-yammer.md#how-retention-works-with-yammer).
By default, all communities and users are selected, but you can refine this by specifying communities and users to be included or excluded. For Yammer user messages: - If you leave the default at **All**, Azure B2B guest users are not included.
- - If you select **Choose user**, you can apply a retention policy to external users if you know their account.
+ - If you select **Edit** for the **Included** column, you can apply a retention policy to external users if you know their account.
+
+4. For **Decide if you want to retain content, delete it, or both** page of the wizard, specify the configuration options for retaining and deleting content.
+
+ You can create a retention policy that just retains content without deleting, retains and then deletes after a specified period of time, or just deletes content after a specified period of time. For more information, see [Settings for retaining and deleting content](#settings-for-retaining-and-deleting-content) on this page.
5. Complete the wizard to save your settings.
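Review bot: the new step 3 names the first location "**Yammer community message**" (singular), while retention-policies-yammer.md in this same batch calls it "**Yammer community messages**"; use the label exactly as the wizard shows it in both articles. The moved step 4 also carries over "For **Decide if you want to retain content, delete it, or both** page", which is missing "the" (step 3 was corrected to "For the ... page"). The new IMPORTANT block is the security-relevant part of this change: since a user-messages policy with a delete action can remove community messages from the app, consider placing it before the sentence that tells the reader to toggle the locations on, not after.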
Use the following instructions for retention policies that apply to any of these
2. Select **New retention policy** to start the Create retention policy wizard, and name your new retention policy.
-3. For the **Choose locations** page, toggle on or off any of the locations except the locations for Teams. For each location, you can leave it at the default to [apply the policy to the entire location](#a-policy-that-applies-to-entire-locations), or [specify includes and excludes](#a-policy-with-specific-inclusions-or-exclusions).
+3. For the **Choose locations to apply the policy** page, toggle on or off any of the locations except the locations for Teams. For each location, you can leave it at the default to [apply the policy to the entire location](#a-policy-that-applies-to-entire-locations), or [specify includes and excludes](#a-policy-with-specific-inclusions-or-exclusions).
Information specific to locations: - [Exchange email and Exchange public folders](#configuration-information-for-exchange-email-and-exchange-public-folders)
compliance Data Classification Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-overview.md
A number of different subscriptions support Endpoint DLP. To see licensing optio
- Security administrator - Compliance data administrator
+> [!NOTE]
+> As a best practice, always use the role with least privilege to grant access to Microsoft 365 Data Classification.
+ ## Sensitive information types used most in your content Microsoft 365 comes with many definitions of sensitive information types, such as an item containing a social security number or a credit card number. For more information on sensitive information types, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).
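Review bot: the added note tells admins to "always use the role with least privilege" but does not say which of the roles listed directly above it that is. Without that, the note cannot be acted on; either name the least-privileged role that still grants access to Data Classification, or order the list from least to most privileged and say so in the note.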
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
In addition to the [required licenses and permissions](information-barriers.md#r
```powershell Connect-AzAccount -Tenant "<yourtenantdomain.com>" //for example: Connect-AzAccount -Tenant "Contoso.onmicrosoft.com" $appId="bcf62038-e005-436d-b970-2a472f8c1982"
- $sp=Get-AzADServicePrincipal -ServicePrincipalName $appId
- if ($sp -eq $null) { New-AzADServicePrincipal -ApplicationId $appId }
+ $sp=Get-AzureADServicePrincipal -Filter "appid eq '$($appid)'"
+ if ($sp -eq $null) { New-AzureADServicePrincipal -ApplicationId $appId }
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId" ```
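Review bot: the two added lines switch to AzureAD-module cmdlets, but the block still signs in with Connect-AzAccount, which authenticates the Az module only; Get-AzureADServicePrincipal will fail without a prior Connect-AzureAD. Either add that call or keep the Az cmdlets. On the New-AzureADServicePrincipal line the parameter should be -AppId; -ApplicationId is the name used by the Az cmdlet that was removed. Smaller points: the filter writes $appid while the variable is declared as $appId (PowerShell resolves it, but matching case keeps the sample readable), and "//for example" on the first line is not a PowerShell comment and should start with #. Since the last line opens a tenant-wide admin consent prompt for this app ID, a one-line statement of what the app is would help admins verify what they are consenting to.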
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
For other workloads, see:
## What's included for retention and deletion
-The following Yammer items can be retained and deleted by using retention policies for Yammer: Community messages and private messages.
+The following Yammer items can be retained and deleted by using retention policies for Yammer: Community messages and user messages.
Reactions from others in the form of emoticons are not included in these messages. ## How retention works with Yammer
-You can use a retention policy to retain and delete community messages and private messages in Yammer. Private messages are stored in a hidden folder in the mailbox of each user included in the message, and community messages are stored in a similar hidden folder in the group mailbox for the community.
+Use this section to understand how your compliance requirements are met by backend storage and processes, and should be verified by eDiscovery tools rather than by messages that are currently visible in the Yammer app.
-Yammer messages are not affected by retention policies that are configured for user or group mailboxes. Even though Yammer messages are stored in Exchange, this Yammer data is included only by a retention policy that's configured for the **Yammer community messages** and **Yammer user messages** locations.
+You can use a retention policy to retain data from community messages and user messages in Yammer, and delete these messages. Behind the scenes, Exchange mailboxes are used to store data copied from these messages. Data from Yammer user messages is stored in a hidden folder in the mailbox of each user included in the user message, and a similar hidden folder in a group mailbox is used for community messages.
+
+Copies of community messages can also be stored in the hidden folder of user mailboxes when they @ mention users or notify the user of a reply. Although these messages originate as a community message, a retention policy for Yammer user messages will often include copies of community messages.
+
+These hidden folders are not designed to be directly accessible to users or administrators, but instead, store data that compliance administrators can search with eDiscovery tools.
+
+> [!IMPORTANT]
+> Because copies of community messages can also be stored in user mailboxes, a retention policy with a delete action for Yammer user messages can result in the original community message no longer visible to users in the Yammer app.
+>
+> However, a copy of the original message is still available in the hidden folder of the community group mailbox, and accessible with eDiscovery searches for compliance purposes.
+
+Yammer messages are not affected by retention policies that are configured for Exchange mailboxes. Even though Yammer messages are stored in Exchange, this Yammer data is included only by a retention policy that's configured for the **Yammer community messages** and **Yammer user messages** locations.
> [!NOTE] > If a user is included in an active retention policy that retains Yammer data and you a delete a mailbox of a user who is included in this policy, to retain the Yammer data, the mailbox is converted into an [inactive mailbox](inactive-mailboxes-in-office-365.md). If you don't need to retain this Yammer data for the user, exclude the user account from the retention policy before you delete their mailbox.
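Review bot: the new opening sentence of "How retention works with Yammer" does not parse: "Use this section to understand how your compliance requirements are met by backend storage and processes, and should be verified by eDiscovery tools ..." has no subject for "should be verified". Split it, for example: "... are met by backend storage and processes. Verify retention with eDiscovery tools rather than by the messages currently visible in the Yammer app." In the IMPORTANT block, "can result in the original community message no longer visible" needs "being" before "visible". The unchanged NOTE at the end of the hunk still reads "you a delete a mailbox" and could be fixed in the same pass.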
When the retention policy is retain-only, or delete-only, the content's paths ar
## Messages and external users
-By default, a retention policy for Yammer user messages applies to all users in your organization, but not external users. You can apply a retention policy to external users if you use the **Choose user** and specify their account.
+By default, a retention policy for Yammer user messages applies to all users in your organization, but not external users. You can apply a retention policy to external users if you use the **Edit** option for users included, and specify their account.
At this time, Azure B2B guest users are not supported.
If the user stored any files in Yammer, see the [equivalent section](retention-p
## Limitations
-Yammer retention policies are currently in preview and we're continuously working on optimizing retention functionality. In the meantime, be aware of the following limitation when you use retention for Yammer community messages and private messages:
+Yammer retention policies are currently in preview and we're continuously working on optimizing retention functionality. In the meantime, be aware of the following limitation when you use retention for Yammer community messages and user messages:
-- When you select **Choose users** for the **Yammer user messages** location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
+- When you select **Edit** for the **Yammer user messages** location, you might see guests and non-mailbox users. Retention policies aren't designed for these users, so don't select them.
## Configuration guidance
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table lists events that result from site administration tasks in S
|Added geo location admin|GeoAdminAdded|A SharePoint or global administrator added a user as a geo admin of a location.| |Allowed user to create groups|AllowGroupCreationSet|Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.| |Canceled site geo move|SiteGeoMoveCancelled|A SharePoint or global administrator successfully cancels a SharePoint or OneDrive site geo move. The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. For more information, see [Multi-Geo Capabilities in OneDrive and SharePoint Online](../enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md).|
-|Changed a sharing policy|SharingPolicyChanged|A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin portal, SharePoint admin portal, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the **ModifiedProperties** field in the detailed properties of the event record.|
+|Changed a sharing policy|SharingPolicyChanged|A SharePoint or global administrator changed a SharePoint sharing policy by using the Microsoft 365 admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the **ModifiedProperties** field in the detailed properties of the event record.|
|Changed device access policy|DeviceAccessPolicyChanged|A SharePoint or global administrator changed the unmanaged devices policy for your organization. This policy controls access to SharePoint, OneDrive, and Microsoft 365 from devices that aren't joined to your organization. Configuring this policy requires an Enterprise Mobility + Security subscription. For more information, see [Control access from unmanaged devices](/sharepoint/control-access-from-unmanaged-devices).| |Changed exempt user agents|CustomizeExemptUsers|A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.| |Changed network access policy|NetworkAccessPolicyChanged|A SharePoint or global administrator changed the location-based access policy (also called a trusted network boundary) in the SharePoint admin center or by using SharePoint Online PowerShell. This type of policy controls who can access SharePoint and OneDrive resources in your organization based on authorized IP address ranges that you specify. For more information, see [Control access to SharePoint Online and OneDrive data based on network location](/sharepoint/control-access-based-on-network-location).|
enterprise Administering A Multi Geo Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/administering-a-multi-geo-environment.md
description: Admins can learn about how to administer SharePoint and OneDrive se
Here's a look at how Microsoft 365 services work in a multi-geo environment.
+## Administrator experience
+
+The [SharePoint admin center](https://admin.microsoft.com/sharepoint) has a **Geo locations** tab in the left navigation which features a geo locations map where you can view and manage your geo locations. Use this page to add or delete geo locations for your tenant.
+ ## Audit log search A unified [Audit log](https://support.office.com/article/0d4d0f35-390b-4518-800e-0c7ec95e946c) for all your satellite locations is available from the Microsoft 365 audit log search page. You can see all the audit log entries from across geo locations, for example, NAM & EUR users' activities will show up in one org view and then you can apply existing filters to see specific user's activities.
A unified [Audit log](https://support.office.com/article/0d4d0f35-390b-4518-800e
BCS, Secure Store, and Apps all have separate instances in each satellite location, therefore the SharePoint Online administrator should manage and configure these services separately from each satellite location.
-## eDiscovery
+## Compliance admin center
+
+There is one central compliance center for a multi-geo tenant: [Microsoft 365 Compliance admin center](https://compliance.microsoft.com/).
+
+## eDiscovery
By default, an eDiscovery Manager or Administrator of a multi-geo tenant will be able to conduct eDiscovery only in the central location of that tenant. The Office 365 global administrator must assign eDiscovery Manager permissions to allow others to perform eDiscovery and assign a "Region" parameter in their applicable Compliance Security Filter to specify the region for conducting eDiscovery as satellite location, otherwise no eDiscovery will be carried out for the satellite location. To configure the Compliance Security Filter for a Region, see [Configure Office 365 Multi-Geo eDiscovery](multi-geo-ediscovery-configuration.md).
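Review bot: the portal name in the new section is not consistent with the rest of this batch. The heading is "Compliance admin center" and the link text is "Microsoft 365 Compliance admin center", while the alert-policies change calls the same site (compliance.microsoft.com) the "Microsoft 365 compliance center". Pick one name and use it in the heading and link text. The eDiscovery paragraph that follows still refers to "The Office 365 global administrator" and is worth aligning while the section order is being changed.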
By default, an eDiscovery Manager or Administrator of a multi-geo tenant will be
Users' Exchange mailboxes are moved automatically if their PDL is changed. When a new mailbox is created, it is provisioned to the user's PDL or to the central location if no value has been set for the user's PDL.
-## Information Protection (IP) Data Loss Prevention (DLP) Policy
+## Information Protection (IP) Data Loss Prevention (DLP) policy
You can set your IP DLP policies for OneDrive for Business, SharePoint, and Exchange in the Security and Compliance center, scoping policies as needed to the whole tenant or to applicable users. For example: If you wish to select a policy for a user in a satellite location, select to apply the policy to a specific OneDrive and enter the user's OneDrive url. See [Overview of data loss prevention policies](https://support.office.com/article/1966b2a7-d1e2-4d92-ab61-42efbb137f5e) for general guidance in creating DLP policies.
The DLP policies are automatically synchronized based on their applicability to
Implementing Information Protection and Data Loss prevention policies to all users in a geo location is not an option available in the UI, instead you must select the applicable accounts for the policy or apply the policy globally to all accounts.
-## Microsoft Flow
-
-Flows created for the satellite location will use the end point located in the default geo location for the tenant. Microsoft Flow is not a Multi-Geo service.
- ## Microsoft PowerApps PowerApps created for the satellite location will use the end point located in the central location for the tenant. Microsoft PowerApps is not a Multi-Geo service.
-## OneDrive Administrator Experience
-
-The [OneDrive admin center](https://admin.onedrive.com) has a **Geo locations** tab in the left navigation which features a geo locations map where you can view and manage your geo locations. Use this page to add or delete geo locations for your tenant.
-
-## Security and Compliance Admin Center
+## Power Automate
-There is one central compliance center for a multi-geo tenant: [Microsoft 365 Security & Compliance Center](https://protection.office.com/?rfr=AdminCenter\#/homepage).
+Flows created for the satellite location will use the end point located in the default geo location for the tenant. Power Automate is not a Multi-Geo service.
## SharePoint storage quota
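Review bot: the Flow section is renamed to Power Automate, but the PowerApps section next to it keeps the old product name ("## Microsoft PowerApps", "Microsoft PowerApps is not a Multi-Geo service"); the current name is Power Apps, and renaming it here keeps the alphabetical ordering this change is restoring. The two sections also describe the same behavior with different terms: Power Automate uses "the default geo location for the tenant" and PowerApps uses "the central location for the tenant". Use one term in both.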
By default, all geo locations of a multi-geo environment share the available ten
## Sharing
-Administrators can set and manage sharing policies for each of their locations. The OneDrive and SharePoint sites in each geo location will honor only the corresponding geo specific sharing settings. (For example, you can allow [external sharing](https://support.office.com/article/C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85) for your central location, but not for your satellite location or vice versa.) Note that the sharing settings do not allow configuring sharing limitations between geo locations.
+Administrators can set and manage sharing policies for each of their locations. The OneDrive and SharePoint sites in each geo location will honor only the corresponding geo-specific sharing settings. (For example, you can allow [external sharing](https://support.office.com/article/C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85) for your central location, but not for your satellite location or vice versa.) Note that the sharing settings do not allow configuring sharing limitations between geo locations.
+
+## Stream
+
+Videos uploaded to Stream in a 1:1 chat are stored in the OneDrive of the person uploading. Meeting recordings are stored in the OneDrive of each attendee who records the meeting.
## Taxonomy
-We support a unified [taxonomy](/sharepoint/managed-metadata) for enterprise managed metadata across geo locations, with the master being hosted in the central location for your company. We recommend that you manage your global taxonomy from the central location and only add location-specific terms to the satellite location's Taxonomy. Global taxonomy terms will synchronize to the satellite locations.
+We support a unified [taxonomy](/sharepoint/managed-metadata) for enterprise-managed metadata across geo locations, with the master being hosted in the central location for your company. We recommend that you manage your global taxonomy from the central location and only add location-specific terms to the satellite location's Taxonomy. Global taxonomy terms will synchronize to the satellite locations.
See [Manage metadata in a multi-geo tenant](/sharepoint/dev/solution-guidance/multigeo-managedmetadata) for additional details and for developer guidance.
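Review bot: the new Stream section says where videos and meeting recordings are stored (the uploader's or recorder's OneDrive) but, unlike every other section in this article, does not say what that means for geo location. If the intent is that the content follows the geo location of that user's OneDrive, state it; as written the reader has to infer it. This batch also removes the Video Portal section with its list of regions, so anything in that list that still applies should be carried into the new section or dropped deliberately. "Videos uploaded to Stream in a 1:1 chat" is also unclear about which app the chat is in.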
If you have custom profile properties, then we recommend that you use the same p
See [Work with user profiles in a multi-geo tenant](/sharepoint/dev/solution-guidance/multigeo-userprofileexperience) for additional details and for developer guidance.
-## Video Portal
-
-In a multi-geo tenant, the O365 Video Portal is served only from default geo and all users will be redirected to that central portal url. Hence, the Remote Media Service (RMS) for that region will be used, as follows based on your central location.
-
-Stream is currently available in the following regions:
--- North America, hosted in the United States -- Europe-- Asia Pacific-
-However, Stream is not yet available in the following regions that are currently supported for Microsoft 365 Video, therefore for these local instances, we will use the RMS that is in the closest supported region.
--- Australia-- Canada-- India-- United Kingdom- ## Yammer
-Yammer is not a Multi-Geo workload. Yammer threads stored in Yammer will be placed in the tenantΓÇÖs central location. Yammer is rolling out a file storage change which will store Yammer files within SharePoint. Yammer files stored in SharePoint will be placed the SharePoint site associated with the Yammer group. SharePoint group sites are based on PDL logic as outlined in [SharePoint Sites and Groups](multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md#sharepoint-sites-and-groups).
+Yammer is not a Multi-Geo workload. Yammer threads stored in Yammer will be placed in the tenantΓÇÖs central location. Yammer is rolling out a file storage change which will store Yammer files within SharePoint. Yammer files stored in SharePoint will be placed the SharePoint site associated with the Yammer group. SharePoint group sites are based on PDL logic as outlined in [SharePoint Sites and Groups](multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md#sharepoint-sites-and-groups).
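Review bot: The Yammer paragraph is touched here but still carries a missing word: "Yammer files stored in SharePoint will be placed the SharePoint site" should read "placed in the SharePoint site". The removed and added lines are otherwise identical as shown, so this looks like a whitespace-only edit. Since the line is being rewritten anyway, fix the sentence, and expand "PDL" on first use in this section, because the paragraph relies on it to say where Yammer files end up.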
enterprise Configure Exchange Server For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
## Verify
-Once you enable HMA, a client's next login will use the new auth flow. Note that just turning on HMA won't trigger a reauthentication for any client. The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have.
+Once you enable HMA, a client's next login will use the new auth flow. Note that just turning on HMA won't trigger a reauthentication for any client, and it might take a while for Exchange to pick up the new settings.
You should also hold down the CTRL key at the same time you right-click the icon for the Outlook client (also in the Windows Notifications tray) and click 'Connection Status'. Look for the client's SMTP address against an 'Authn' type of 'Bearer\*', which represents the bearer token used in OAuth.
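Review bot: The replacement sentence in the Verify section drops the only statement of when existing clients actually move to the new flow ("The clients reauthenticate based on the lifetime of the auth tokens and/or certs they have") and substitutes "it might take a while for Exchange to pick up the new settings", which gives an admin nothing to verify against. Keep the token and certificate lifetime sentence and add the propagation caveat next to it, ideally with an expected upper bound, so that a client still showing a non-Bearer 'Authn' type in Connection Status can be told apart from a failed configuration.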
enterprise Configure Search For Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-search-for-multi-geo.md
localization_priority: Normal f1.keywords: - NOCSH
-description: Learn how to configure search in a multi-geo environment. Only some clients, such as OneDrive for Business, can return results in a multi-geo environment.
+description: Learn how to configure search in a multi-geo environment. Only some clients, such as OneDrive, can return results in a multi-geo environment.
# Configure Search for Microsoft 365 Multi-Geo
For example, a user in one geo location can search for content stored in another
These clients can return results from all geo locations: -- OneDrive for Business
+- OneDrive
- Delve - The SharePoint home page - The Search Center - Custom search applications that use the SharePoint Search API
-### OneDrive for Business
+### OneDrive
As soon as the multi-geo environment has been set up, users that search in OneDrive get results from all geo locations.
Some search features you might be familiar with, work differently in a multi-geo
<table> <thead> <tr class="header">
-<th align="left"><strong>Feature</strong></th>
-<th align="left"><strong>How it works</strong></th>
-<th align="left"><strong>Workaround</strong></th>
+<th align="left">Feature</th>
+<th align="left">How it works</th>
+<th align="left">Workaround</th>
</tr> </thead> <tbody>
Some of the search features you might be familiar with, aren't supported in a mu
<table> <thead> <tr class="header">
-<th align="left"><strong>Search feature</strong></th>
-<th align="left"><strong>Note</strong></th>
+<th align="left">Search feature</th>
+<th align="left">Note</th>
</tr> </thead> <tbody>
Some of the search features you might be familiar with, aren't supported in a mu
<td align="left">App-only authentication (privileged access from services) isn't supported in multi-geo search.</td> </tr> <tr class="even">
-<td align="left">Guest users</td>
-<td align="left">Guest users only get results from the geo location that they're searching from.</td>
+<td align="left">Guests</td>
+<td align="left">Guests only get results from the geo location that they're searching from.</td>
</tr> </tbody> </table>
With a GET request, you specify the query parameters in the URL. With a POST req
#### Sample GET request that's fanned out to **all** geo locations
+```http
https:// \<tenant\>/\_api/search/query?querytext='sharepoint'&Properties='EnableMultiGeoSearch:true'&ClientType='my\_client\_id'
+```
#### Sample GET request to fan out to **some** geo locations
+```http
https:// \<tenant\>/\_api/search/query?querytext='site'&ClientType='my_client_id'&Properties='EnableMultiGeoSearch:true, MultiGeoSearchConfiguration:[{DataLocation\\:"NAM"\\,Endpoint\\:"https\\://contosoNAM.sharepoint.com"\\,SourceId\\:"B81EAB55-3140-4312-B0F4-9459D1B4FFEE"}\\,{DataLocation\\:"CAN"\\,Endpoint\\:"https\\://contosoCAN.sharepoint-df.com"}]'
+```
> [!NOTE] > Commas and colons in the list of geo locations for the MultiGeoSearchConfiguration property are preceded by the **backslash** character. This is because GET requests use colons to separate properties and commas to separate arguments of properties. Without the backslash as an escape character, the MultiGeoSearchConfiguration property is interpreted wrongly. #### Sample POST request that's fanned out to **all** geo locations
-```text
+```http
{ "request": { "__metadata": {
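Review bot: Wrapping the two sample GET URLs in `http` fences makes the existing Markdown escapes render literally. Inside a fence, `https:// \<tenant\>/\_api/search/query` shows the backslashes and the stray space, and in the "some geo locations" sample `\\:` and `\\,` display as two backslashes, which contradicts the note below stating that commas and colons are preceded by a single backslash. Remove the Markdown escaping inside the fences so that readers copy a working URL with exactly one backslash before each escaped comma and colon. The POST bodies tagged `http` start with `{ "request": {` and are JSON, so `json` is the accurate fence language.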
https:// \<tenant\>/\_api/search/query?querytext='site'&ClientType='my_client_id
#### Sample POST request that's fanned out to **some** geo locations
-```text
+```http
{ "request": { "Querytext": "SharePoint",
https:// \<tenant\>/\_api/search/query?querytext='site'&ClientType='my_client_id
Here's a sample CSOM query that's fanned out to **all** geo locations:
-```text
+```CSOM
var keywordQuery = new KeywordQuery(ctx); keywordQuery.QueryText = query.SearchQueryText; keywordQuery.ClientType = <enter a string here>;
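Review bot: The fence tag on the CSOM sample changes from `text` to `CSOM`, which names the API, not a language, so the block will not get syntax highlighting. The code (`var keywordQuery = new KeywordQuery(ctx);`) is C#, so use `csharp`.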
enterprise Microsoft 365 Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-multi-geo.md
Microsoft 365 Multi-Geo is available as an add-on to the following Microsoft 365
- OneDrive for Business Plan 1 or Plan 2 - SharePoint Online Plan 1 or Plan 2
+If a license is assigned to a user and later removed, Teams user chat data is queued to be moved back to the central location. SharePoint and Exchange data is not moved.
+ ## Microsoft 365 Multi-Geo availability Microsoft 365 Multi-Geo is currently offered in these regions and countries:
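Review bot: The added license-removal sentence does not say which license it means or what happens to the data that stays put. "If a license is assigned to a user and later removed" should name the Multi-Geo license explicitly, since the list just above it is about eligible subscription plans. "SharePoint and Exchange data is not moved" should state that this data stays in its current geo location, so that an admin reading for data residency understands that only Teams chat data changes location. The sentence also sits directly above the availability heading with no blank line after it.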
enterprise Move Onedrive Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-onedrive-between-geo-locations.md
With OneDrive geo move, you can move a user's OneDrive to a different geo locati
The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive will be moved from the source to destination geo location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive will be restored as soon as the destination OneDrive is available.
-During OneDrive geo move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync client or their OneDrive site in SharePoint Online. After OneDrive geo move is complete, the user will be automatically connected to their OneDrive at the destination geo location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync client will automatically begin syncing from the new location.
+During OneDrive geo move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint Online. After OneDrive geo move is complete, the user will be automatically connected to their OneDrive at the destination geo location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location.
The procedures in this article require the [Microsoft SharePoint Online PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588).
The move statuses are described in the following table.
<table> <thead> <tr class="header">
-<th align="left"><strong>Status</strong></th>
-<th align="left"><strong>Description</strong></th>
+<th align="left">Status</th>
+<th align="left">Description</th>
</tr> </thead> <tbody>
You can also add the `-Verbose` parameter for more verbose descriptions of the m
Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different geo location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed.
-### OneDrive for Business
+### User's OneDrive
While the move is in progress the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new geo location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser.
While the move is in progress the user's OneDrive is set to read-only. Once the
Users with permissions to OneDrive content will continue to have access to the content during the move and after it's complete.
-### OneDrive Sync Client
+### OneDrive sync app
-The OneDrive sync client will automatically detect and seamlessly transfer syncing to the new OneDrive location once the OneDrive geo move is complete. The user does not need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync client required.)
+The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new OneDrive location once the OneDrive geo move is complete. The user does not need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)
-If a user updates a file while the OneDrive geo move is in progress, the sync client will notify them that file uploads are pending while the move is underway.
+If a user updates a file while the OneDrive geo move is in progress, the sync app will notify them that file uploads are pending while the move is underway.
### Sharing links
OneNote win32 client and UWP (Universal) App will automatically detect and seaml
Upon OneDrive geo move completion, users will have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive prior to geo move will continue to work after move is complete.
-### OneDrive for Business Mobile App (iOS)
+### OneDrive Mobile App (iOS)
Upon OneDrive geo move completion, the user would need to sign out and sign in again on the iOS Mobile App to sync to the new OneDrive location.
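Review bot: Heading capitalization is inconsistent within this change. The sync heading was moved to sentence case ("### OneDrive sync app") but the renamed mobile heading keeps title case ("### OneDrive Mobile App (iOS)"). Use "### OneDrive mobile app (iOS)" to match.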
enterprise Move Sharepoint Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-sharepoint-between-geo-locations.md
With SharePoint site geo move, you can move SharePoint sites to other geo locati
The following types of site can be moved between geo locations: -- Microsoft 365 Group-connected sites
+- Microsoft 365 Group-connected sites, including those associated with Microsoft Teams
- Modern sites without a Microsoft 365 Group association - Classic SharePoint sites - Communication sites
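Review bot: The new wording "including those associated with Microsoft Teams" tells admins that a Teams-connected site can be moved but not what happens to the team's chat and channel data when it is. The Teams multi-geo article added in this same batch says channel messages follow the group's PDL, so add a sentence or a link here clarifying whether a site geo move also relocates Teams data or only the SharePoint content.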
While the move is in progress the site is set to read-only. Once the move is com
Users with permissions to site will continue to have access to the site during the move and after it's complete.
-### Sync Client
+### Sync app
-The sync client will automatically detect and seamlessly transfer syncing to the new site location once the site move is complete. The user does not need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync client required.)
+The sync app will automatically detect and seamlessly transfer syncing to the new site location once the site move is complete. The user does not need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)
-If a user updates a file while the move is in progress, the sync client will notify them that file uploads are pending while the move is underway.
+If a user updates a file while the move is in progress, the sync app will notify them that file uploads are pending while the move is underway.
### Sharing links
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
If you're using
Office 365 tenant and user identifiers are preserved during migration. Azure AD service calls are redirected from Microsoft Cloud Deutschland to Office 365 Global services and are transparent to Office 365 services. - General Data Protection Regulation (GDPR) Data Subject Requests (DSRs) are executed from the Azure Admin portal for future requests. Any legacy or non-customer diagnostic data that is resident in Microsoft Cloud Deutschland is deleted at or before 30 days elapse.+ - Multi-factor authentication (MFA) requests that use Microsoft Authenticator display as the user ObjectID (a GUID) while the tenant is copied to Office 365 services. MFA requests will perform as expected despite this display behavior. Microsoft Authenticator accounts that were activated by using Office 365 services endpoints will display the user principal name (UPN). Accounts added by using Microsoft Cloud Deutschland endpoints will display the user ObjectID but will work with both Microsoft Cloud Deutschland and Office 365 services endpoints. <br>
Office 365 tenant and user identifiers are preserved during migration. Azure AD
|Cancel any trial subscriptions.|Trial subscriptions will not be migrated and will block transfer of paid subscriptions.|Trial services are expired and non-functioning if accessed by users after cancellation.| |Analyze differences in license features between Microsoft Cloud Deutschland and the Office 365 Global Services.|Office 365 services include additional features and services not available in the current Microsoft Cloud Deutschland. During subscription transfer, new features will be available to users.|<ul><li>Analyze the different features provided by the licenses for Microsoft Cloud Deutschland and Office 365 Global Services. Start with the [Office 365 platform Service Description](/office365/servicedescriptions/office-365-platform-service-description/office-365-platform-service-description).</li><li>Determine if any new features of Office 365 services should be initially disabled to limit effects on users or on user change management, and alter user license assignments as needed.</li><li>Prepare users and help desk staff for new services and features provided by Office 365 services.</li></ul>| |Create organization-wide [retention policies](/microsoft-365/compliance/retention) to protect from inadvertent deletion of content during migration.|<ul><li>To ensure that content isn't inadvertently deleted by end users during the migration, customers may choose to enable an organization-wide retention policy.</li><li>Although retention isn't required, since holds placed at anytime during the migration should work as expected, having a retention policy is a back-up safety mechanism. At the same time, a retention policy might not be used by all customers, especially those who are concerned about over preservation.</li></ul>|Apply retention policy as described in [Learn about retention policies and retention labels](/microsoft-365/compliance/retention-policies). Failures of the service or client software can occur if this is not done before Phase 4 of 9.|
-|
+ ## DNS entries for custom domains
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
|Step(s)|Description|Impact| |||| |Limit SharePoint 2013 workflows, use during the SharePoint Online migration.|Reduce SharePoint 2013 workflows and complete in-flight workflows before transitions.|Inaction may result in user confusion and help desk calls.|
-|
+ ## Exchange Online
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
|||| |Notify external partners of the upcoming transition to Office 365 services.|Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges) when Exchange Online migration is completed.|Failure to do so may result in service or client failure at a later phase of customer migration.| |Notify users of required IMAP4/POP3/SMTP client changes.|Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Exchange Online server names](/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/pop3-and-imap4#settings-users-use-to-set-up-pop3-or-imap4-access-to-their-exchange-online-mailboxes).|Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated.|
-|
+ ### Exchange Online Hybrid customers
Directory attributes are synced between Office 365 and Azure AD with the on-prem
|||| |Re-run HCW using Office 365 Germany settings <p> _You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1)._|Uninstalling and re-running HCW (17.0.5378.0 or higher) from <https://aka.ms/hybridwizard> before Phase 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.**|Failing to complete this task before Phase 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.| |Preserving Shared Mailbox settings|Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <p> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox).|Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. 
[Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.|
-|
+ ## Skype for Business Online
Directory attributes are synced between Office 365 and Azure AD with the on-prem
|Deploy Teams desktop client for users who access Skype for Business in Germany.|Migration moves Skype for Business users to Microsoft Teams for collaboration, calling, and chat. Either, deploy the Microsoft Teams desktop client or ensure that a supported browser is available.|Inaction will result in unavailability of Microsoft Teams collaboration services.| |Review and prepare for migration-related DNS changes.|Customer-owned DNS zone changes for Skype for Business Online.|<ul><li>We recommend that you update the Time-to-Live (TTL) for any customer-owned domain DNS records to 5 minutes to expedite the refreshing of DNS records. However, the Microsoft-managed cutover associated with this DNS change may occur anytime within the provided 24-hour change window.</li><li>Disruption of service is possible in the future. Users won't be able to log into Skype for Business and will be redirected to the migrated Teams experience in the Office 365 services.</li></ul>| |Prepare End User and Administration training and readiness for the transition to Microsoft Teams.|Be successful in your transition from Skype to Teams by planning user communication and readiness.|<ul><li>Clients need to be aware of the new services and how to use once their services are transitioned to the Office 365 services.</li><li>After DNS changes are made for both the customer vanity domains and the initial domain, users would sign into Skype for Business and see that they now are migrated to Teams. This would also download the desktop client for Teams in the background.</li></ul>|
-|
+ ## Mobile Device Management
Directory attributes are synced between Office 365 and Azure AD with the on-prem
||||| |Prepare end-user and administration training about users removing and re-adding their account to Microsoft Outlook for iOS and Android.|Microsoft Outlook for iOS and Android accounts configured with mailboxes in Microsoft Cloud Deutschland may have to be removed and added again to Outlook in order to properly synchronize the new Office 365 services configuration.|Microsoft Outlook for iOS and Android customers|Outlook mailboxes previously configured for Microsoft Cloud Deutschland may not pick up the new Office 365 Services configuration, leading to errors and degraded performance of other user experiences. IT admins are encouraged to provide documentation that proactively instructs users to remove and re-add their accounts to Microsoft Outlook for iOS and Android if issues with signing in or synchronizing mail occur after migration.| |Determine if any reconfiguration is required after migration.|Mobile Device Management (MDM) solutions may target `outlook.de` endpoints. In this transition to Office 365 Services, client profiles should update to the Office 365 services URL, `outlook.office365.com`.|Exchange Online and MDM customers|Clients may continue to function while the `outlook.de` endpoint is accessible, but they'll fail if Microsoft Cloud Deutschland endpoints are no longer available.|
-|
+ ## Line-of-business apps
Directory attributes are synced between Office 365 and Azure AD with the on-prem
If you're using a third-party service or line-of-business (LOB) apps that are integrated with Office 365, you must resolve any dependencies on endpoints provided by the Microsoft Cloud Deutschland instance. For example, if your LOB apps are connecting to `https://graph.microsoft.de/`, you must change the endpoint to `https://graph.microsoft.com/`. The endpoints of the Microsoft Office 365 Global service become available to your tenant after phase 2.
-<br>
+During the migration, while your organization is between phase 2 and phase 9, you cannot add any third-party multi-tenant applications (MTA) to your organization. When the migration completes phase 9, you can resume adding or consenting to MTA applications for your organization.
++
+| Step(s) | Description | Impact |
+|:-|:-|:-|
+| Determine if any reconfiguration is required after migration. | Third-party services and applications that integrate with Office 365 may be coded to expect Microsoft Cloud Deutschland IP addresses and URLs. | Required action. Inaction may result in failures of the service or client software. |
-****
|Step(s)|Description|Impact| |||| |Determine if any reconfiguration is required after migration.|Third-party services and applications that integrate with Office 365 may be coded to expect Microsoft Cloud Deutschland IP addresses and URLs.|Required action. Inaction may result in failures of the service or client software.|
-|
+ ## Dynamics 365
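Review bot: The Line-of-business apps section now contains the same table twice. The added three-column table ("Determine if any reconfiguration is required after migration.") repeats, word for word, the row in the existing `|Step(s)|Description|Impact|` table that is left in place directly below it. Remove one of the two. In the added paragraph, "multi-tenant applications (MTA)" followed by "MTA applications" is redundant. The paragraph would also be more actionable if it told admins to add or consent to any required third-party applications before phase 2.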
If you're using a third-party service or line-of-business (LOB) apps that are in
|Step(s)|Description|Impact| |||| |For Dynamics 365 sandbox subscriptions, be sure to download the production environment of the Dynamics SQL instance from your Dynamics 365 subscription in Microsoft Cloud Deutschland. The latest production backup should be restored to the sandbox before sandbox migration.|Migration of Dynamics 365 requires customers to ensure that the Sandbox environment is refreshed with the latest production database.|The FastTrack team will assist customers in performing dry runs to validate the version upgrade from 8.x to 9.1.x.|
-|
+ ## Power BI
If you're using a third-party service or line-of-business (LOB) apps that are in
|Step(s)|Description|Impact| |||| |Removal of objects from Power BI subscriptions that won't be migrated from Power BI Microsoft Cloud Deutschland to Office 365 services.|Migration of Power BI services will require customer action to delete certain artifacts, such as datasets and dashboards.|Admins may have to remove the following items from their subscription: <ul><li>Real-Time datasets (for example, streaming or push datasets)</li><li>Power BI on-premises Data Gateway configuration and data source </li></ul>|
-|
+ ## Microsoft Azure
Customers who use Office 365 and Azure resources (for example, networking, compu
|Step(s)|Description|Impact| |||| |Determine which Azure services are in use and prepare for future migration from Germany to the Office 365 services tenant by working with your partners. Follow the steps described in the [Azure migration playbook](/azure/germany/germany-migration-main).|<ul><li>Migration of Azure resources is a customer responsibility and requires manual effort following prescribed steps. Understanding what services are in use in the organization is key to successful migration of Azure services.</li><li>Office 365 Germany customers who have Azure subscriptions under the same identity partition (organization) must follow the Microsoft-prescribed order when they can begin subscription and services migration.</li></ul>|<ul><li>Customers may have multiple Azure subscriptions, each subscription containing infrastructure, services, and platform components.</li><li>Administrators should identify subscriptions and stakeholders to ensure prompt migration and validation is possible as part of this migration event.</li><li>Failing to successfully complete migration of these subscriptions and Azure components within the prescribed timeline will affect completion of the Office and Azure AD transition to Office 365 services and may result in data loss.</li><li>A Message center notification will signal the point at which customer-led migration can begin.</li></ul>|
-|
+ <!-- Reworked as text:
enterprise Ms Cloud Germany Transition Azure Ad https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-azure-ad.md
An application could be any of the following:
If you publish an application that is available to users who are outside of your tenant, you may need to change your application registration to ensure continuity. Other tenants that use your application may be moved at a different time than your tenant. To ensure that they never lose access to your application, you'll need to consent to your app being synchronized from Azure Germany to Azure public.
+**What about adding new multi-tenant applications during migration?**
+
+If you want to consume a new application that is published by another organization (multi-tenant application) you will be restricted from adding that application during the migration process (phases 2 through phase 9). You may execute this task when your organization completes phase 9 and is fully transitioned to the Azure public instance.
+ ## Additional considerations Here are some additional considerations for Azure AD:
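Review bot: The new Q&A states the restriction but not how to plan around it. It should advise adding and consenting to any needed multi-tenant applications before phase 2, and say what an admin will see if they attempt it during the blocked window, so that a consent failure is not mistaken for a misconfiguration. The phrasing "(phases 2 through phase 9)" is uneven and differs from the pre-work article's "between phase 2 and phase 9"; use one wording in both places, for example "phase 2 through phase 9".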
Cloud apps:
- [Dynamics 365 migration program information](/dynamics365/get-started/migrate-data-german-region) - [Power BI migration program information](/power-bi/admin/service-admin-migrate-data-germany)-- [Getting started with your Microsoft Teams upgrade](/microsoftteams/upgrade-start-here)
+- [Getting started with your Microsoft Teams upgrade](/microsoftteams/upgrade-start-here)
enterprise Multi Geo Capabilities In Onedrive And Sharepoint Online In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md
description: "Expand your Microsoft 365 presence to multiple geographic regions
# Multi-Geo Capabilities in OneDrive and SharePoint Online
-Multi-Geo capabilities in OneDrive and SharePoint Online enables control of shared resources like SharePoint team sites and Microsoft 365 Group mailboxes stored at rest in a country or region.
+Multi-Geo capabilities in OneDrive and SharePoint Online enables control of shared resources like SharePoint team sites and Microsoft 365 Group mailboxes stored at rest in a specified geo location.
Each user, Group mailbox, and SharePoint site has a Preferred Data Location (PDL) which denotes the geo location where related data is to be stored. Users' personal data (Exchange mailbox and OneDrive) along with any Microsoft 365 Groups or SharePoint sites that they create can be stored in the specified geo location to meet data residency requirements. You can [specify different administrators for each geo location](add-a-sharepoint-geo-admin.md).
Management of the Multi-Geo feature is available through the SharePoint admin ce
When a user creates a SharePoint group-connected site in a multi-geo environment, their PDL is used to determine the geo location where the site and its associated Group mailbox is created. (If the user's PDL value hasn't been set, or has been set to geo location that hasn't been configured as a satellite location, then the site and mailbox are created in the central location.)
-Microsoft 365 services other than Exchange, OneDrive, and SharePoint are not Multi-Geo. However, Microsoft 365 Groups that are created by these services will be stamped with the PDL of the creator and their Exchange Group mailbox and SharePoint O365 Group Site provisioned in the corresponding geo.
+Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams are not Multi-Geo. However, Microsoft 365 Groups that are created by these services will be configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding geo.
## Managing the multi-geo environment
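Review bot: The rewritten sentence ending "their Exchange Group mailbox, SharePoint site are provisioned in the corresponding geo" lost its conjunction when "SharePoint O365 Group Site" was shortened; it should read "their Exchange Group mailbox and SharePoint site are provisioned in the corresponding geo". The opening sentence was also edited without fixing the agreement in "Multi-Geo capabilities ... enables", which should be "enable".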
enterprise Multi Geo Capabilities In Teams In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-teams-in-microsoft-365.md
+
+ Title: "Multi-Geo Capabilities in Microsoft Teams"
++++
+audience: ITPro
++
+f1.keywords:
+- NOCSH
++
+- Strat_SP_gtc
+- SPO_Content
+- m365solution-scenario
+- m365solution-spintranet
+localization_priority: Normal
+description: "Learn about how Teams works with Microsoft 365 Multi-Geo."
++
+# Multi-Geo capabilities in Microsoft Teams
+
+Multi-Geo capabilities in Teams enables Teams chat data to be stored at rest in a specified geo location. Chat data consists of chat messages, including private messages, channel messages, and images used in chats.
+
+Teams uses the Preferred Data Location (PDL) for users and groups to determine where to store data. If the PDL is not set or is invalid, data is stored in the tenant's central location.
+
+## User chat
+
+User chat includes one-to-one, one-to-many, and private meeting messages.
+
+When a new user is created, Teams reads the user's PDL and stores all their chat data in that geo location.
+
+For existing users, if an administrator adds or modifies the PDL for a user, that user's chat data is added to a migration queue to be moved to the specified geo location.
+
+The storage location for a one-to-one or one-to-many chat is based on the PDL of the person who created the chat. If that user's PDL is changed, the chat will be migrated to the new geo location. The storage location for a meeting chat is based on the PDL of the meeting organizer.
+
+To find the current location of a user's Teams data, [connect to Teams PowerShell](/powershell/module/teams/connect-microsoftteams) and run the following command:
+
+```PowerShell
+Get-MultiGeoRegion -EntityType User -EntityId <UPN>
+```
+
+## Channel messages
+
+Each Microsoft 365 group has a Preferred Data Location (PDL) which denotes the geo location where related data is to be stored. Teams uses the PDL for the group associated with each team to determine where to store channel messaging data for that team. This includes chat that occurs within a channel meeting.
+
+When a user creates a new team, that user's PDL determines what PDL is assigned to the Microsoft 365 group. The group PDL determines where that team's data is stored. If that user's PDL later changes, the group's PDL is not changed.
+
+For existing teams, if an administrator adds or modifies the PDL for the Microsoft 365 group that backs a team, that team's channel messaging data is added to a migration queue to be moved to the specified geo location.
+
+Changing the PDL of the Microsoft 365 group queues the Teams data to migrate to the chosen location. However, this does not migrate the SharePoint site or files associated with the Group automatically. You must move the site separately by following the procedures in [Move a SharePoint site to a different geo location](/microsoft-365/enterprise/move-sharepoint-between-geo-locations). Be sure to do both steps to avoid Teams data and SharePoint data for one group in different locations.
+
+To find the current location of a team's data, [connect to Teams PowerShell](/powershell/module/teams/connect-microsoftteams) and run the following command:
+
+```PowerShell
+Get-MultiGeoRegion -EntityType Group -EntityId <GroupObjectId>
+```
+
+## User Experience
+
+Teams Multi-Geo is seamless to the end user. Once you change the PDL of a user or a group, the respective data will queue for migration and the migration will occur automatically with no impact to the user or their Teams client even if they are active while the migration occurs.
+
+## See also
+
+[Microsoft 365 Multi-Geo tenant configuration](/microsoft-365/enterprise/multi-geo-tenant-configuration)
+
+[Administering a multi-geo environment](administering-a-multi-geo-environment.md)
+
+[Administering Exchange Online mailboxes in a multi-geo environment](administering-exchange-online-multi-geo.md)
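Review bot: The fallback stated in the introduction, "If the PDL is not set or is invalid, data is stored in the tenant's central location", is silent, so a mistyped or unconfigured PDL leaves chat data outside the intended geo with nothing to alert the administrator. The article should tell administrators to confirm placement with the `Get-MultiGeoRegion` commands it already shows after every PDL change. It should also say how to tell that a queued migration has finished, since "User chat" and "Channel messages" only say the data "is added to a migration queue". The warning about moving the SharePoint site separately needs the same treatment: state how to check that the team's data and its site ended up in the same location.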
enterprise Multi Geo User Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-user-experience.md
The app launcher is multi-geo aware and will direct each tile to the appropriate
## Office applications
-Office applications such as Word, Excel, and PowerPoint will automatically detect the correct OneDrive for Business geo-location for each user when they log in. Users do not need to enter the geo-specific URL for their OneDrive or SharePoint sites.
+Office applications such as Word, Excel, and PowerPoint will automatically detect the correct OneDrive geo-location for each user when they log in. Users do not need to enter the geo-specific URL for their OneDrive or SharePoint sites.
-## OneDrive for Business Sync Client
+## OneDrive sync app
-The OneDrive for Business Sync Client (version 17.3.6943.0625 and later) will automatically detect the correct OneDrive for Business geo location for the user. Sync client support includes the ability to sync groups-based sites regardless of their geo location. Note that the Groove sync client is not supported for multi-geo.
+The OneDrive sync app (version 17.3.6943.0625 and later) will automatically detect the correct OneDrive geo location for the user. Sync app support includes the ability to sync groups-based sites regardless of their geo location. Note that the Groove sync client is not supported for multi-geo.
-## OneDrive for Business location
+## OneDrive location
-Users will have their OneDrive for Business provisioned in their preferred data location. If a user navigates to a OneDrive URL that contains an incorrect geo location (such as a bookmark from a previous geo location), they are automatically redirected to the OneDrive in the appropriate geo location.
+Users will have their OneDrive provisioned in their preferred data location. If a user navigates to a OneDrive URL that contains an incorrect geo location (such as a bookmark from a previous geo location), they are automatically redirected to the OneDrive in the appropriate geo location.
## OneDrive iOS and Android
The OneDrive Mobile Client is multi-geo aware and will display pertinent content
## Search
-Each geo location has its own search index and Search Center. When a user searches, the query is sent to all the geo locations, and the returned results are merged and then ranked so the user gets unified results. Users get results from all geo locations regardless of their own geo location. See [Configure Search for OneDrive for Business Multi-Geo](configure-search-for-multi-geo.md) for specifics.
+Each geo location has its own search index and Search Center. When a user searches, the query is sent to all the geo locations, and the returned results are merged and then ranked so the user gets unified results. Users get results from all geo locations regardless of their own geo location. See [Configure Search for OneDrive Multi-Geo](configure-search-for-multi-geo.md) for specifics.
The following search clients are supported: -- OneDrive for Business
+- OneDrive
- Delve
The following search clients are supported:
## SharePoint Home
-In SharePoint Multi-Geo your SharePoint home is hosted in the location where the user resides as determined by their OneDrive for business location. For example: if the user has their OneDrive hosted in an European satellite location, their SharePoint Home will be rendered from Europe. SharePoint home includes all content relevant to the user regardless of its geo location.
+In SharePoint Multi-Geo your SharePoint home is hosted in the location where the user resides as determined by their OneDrive location. For example: if the user has their OneDrive hosted in an European satellite location, their SharePoint Home will be rendered from Europe. SharePoint home includes all content relevant to the user regardless of its geo location.
**Followed Sites, News from Sites, Recent Sites, Frequent Sites, and Suggested sites**
The SharePoint Mobile Client is multi-geo aware and will display pertinent conte
## Sharing
-The People Picker experience shows all users regardless of their geo location. This allows a user to share with another user in their same geo or in any other of your tenant's geo locations. Content from different geo locations will show up in the **Shared with Me** view in the user's OneDrive for Business and can be accessed with Single Sign-On experience regardless of which geo location it is hosted in.
+The People Picker experience shows all users regardless of their geo location. This allows a user to share with another user in their same geo or in any other of your tenant's geo locations. Content from different geo locations will show up in the **Shared with Me** view in the user's OneDrive and can be accessed with Single Sign-On experience regardless of which geo location it is hosted in.
## Teams Experience
-Teams is multi-geo aware. OneDrive files and recently viewed files are shown regardless of the user's geo location. @ mentions work with users from all geo-locations.
+Teams is a multi-geo service. OneDrive files and recently viewed files are shown regardless of the user's geo location. @ mentions work with users from all geo-locations.
## User profiles
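Review bot: Under "Teams Experience", the new wording "Teams is a multi-geo service" replaces "multi-geo aware", but the rest of the paragraph still describes only cross-geo display of files and @ mentions and gives no pointer to where Teams chat data is stored; add a link to the new multi-geo-capabilities-in-teams-in-microsoft-365.md article here. Separately, the "SharePoint Home" line was edited but still reads "an European satellite location", which should be "a European satellite location".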
enterprise Plan For Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-for-multi-geo.md
The administration of a multi-geo tenant can differ from a non-multi-geo tenant,
Read [User experience in a multi-geo environment](multi-geo-user-experience.md) for details about your end users' experience in a multi-geo environment.
-For details about the Teams experience in a Microsoft 365 Multi-Geo tenancy, see [Teams experience in a Microsoft 365 OneDrive and SharePoint Online Multi-Geo-enabled tenancy](/microsoftteams/teams-experience-o365odb-spo-multi-geo).
- To get started configuring Microsoft 365 Multi-Geo, see [Configure Microsoft 365 Multi-Geo](multi-geo-tenant-configuration.md). Once you've completed the configuration, remember to [migrate your users' OneDrive libraries](move-onedrive-between-geo-locations.md) as needed to get your users working from their preferred data locations.
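Review bot: The removed line deletes the Teams cross-reference from this planning article instead of re-pointing it. Since the same update adds multi-geo-capabilities-in-teams-in-microsoft-365.md, replace the old /microsoftteams/teams-experience-o365odb-spo-multi-geo link with a link to that article so readers planning a rollout still learn how Teams data is placed.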
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
-<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.-->
+<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.-->
<!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021052800--> <!--File generated 2021-06-28 14:00:12.8981-->-
-## Exchange Online
+
+## Exchange Online
ID | Category | ER | Addresses | Ports | | | -- | --
ID | Category | ER | Addresses | Ports
9 | Allow<BR>Required | Yes | `*.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f403::/48` | **TCP:** 443 10 | Allow<BR>Required | Yes | `*.mail.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48` | **TCP:** 25 154 | Default<BR>Required | No | `autodiscover.<tenant>.onmicrosoft.com` | **TCP:** 443, 80-
-## SharePoint Online and OneDrive for Business
+
+## SharePoint Online and OneDrive for Business
ID | Category | ER | Addresses | Ports -- | -- | | - | -
ID | Category | ER | Addresses | Ports
37 | Default<BR>Required | No | `*.sharepointonline.com, cdn.sharepointonline.com, privatecdn.sharepointonline.com, publiccdn.sharepointonline.com, spoprod-a.akamaihd.net, static.sharepointonline.com` | **TCP:** 443, 80 38 | Default<BR>Optional<BR>**Notes:** SharePoint Online: auxiliary URLs | No | `prod.msocdn.com, watson.telemetry.microsoft.com` | **TCP:** 443, 80 39 | Default<BR>Required | No | `*.svc.ms, <tenant>-files.sharepoint.com, <tenant>-myfiles.sharepoint.com` | **TCP:** 443, 80-
-## Skype for Business Online and Microsoft Teams
+
+## Skype for Business Online and Microsoft Teams
ID | Category | ER | Addresses | Ports | - | | | -
ID | Category | ER | Addresses | Ports
27 | Default<BR>Required | No | `*.mstea.ms, *.secure.skypeassets.com, mlccdnprod.azureedge.net, videoplayercdn.osi.office.net` | **TCP:** 443 29 | Default<BR>Optional<BR>**Notes:** Yammer third-party integration | No | `*.tenor.com` | **TCP:** 443, 80 127 | Default<BR>Required | No | `*.skype.com` | **TCP:** 443, 80-
-## Microsoft 365 Common and Office Online
+
+## Microsoft 365 Common and Office Online
ID | Category | ER | Addresses | Ports | -- | | -- | -
ID | Category | ER | Addresses | Ports
148 | Default<BR>Required | No | `cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com` | **TCP:** 443, 80 149 | Default<BR>Required | No | `workplaceanalytics.cdn.office.net` | **TCP:** 443, 80 150 | Default<BR>Optional<BR>**Notes:** Blocking these endpoints will affect the ability to access the Office 365 ProPlus deployment and management features via the portal. | No | `*.officeconfig.msocdn.com` | **TCP:** 443
-152 | Default<BR>Optional<BR>**Notes:** These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | `*.microsoftusercontent.com` | **TCP:** 443
+152 | Default<BR>Optional<BR>**Notes:** These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Microsoft 365 admin center. | No | `*.microsoftusercontent.com` | **TCP:** 443
153 | Default<BR>Required | No | `*.azure-apim.net, *.flow.microsoft.com, *.powerapps.com` | **TCP:** 443 156 | Default<BR>Required | No | `activity.windows.com` | **TCP:** 443 157 | Default<BR>Required | No | `ocsp.int-x3.letsencrypt.org` | **TCP:** 80
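Review bot: The wording fix in row 152 ("Office 365 Admin portal" to "Microsoft 365 admin center") is a hand edit to a file whose first line says "THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN", so it will be lost at the next generation unless the same change is made in the generator's source data. The version and generation comments ("Worldwide endpoints version 2021052800", "File generated 2021-06-28") are unchanged even though the file content changed. The other changes here are blank lines around the headings; if those came from the generator, regenerate the whole file rather than mixing them with a manual text edit. Row 152 also still reads "These endpoints enables".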
managed-desktop Enable Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/enable-support.md
+
+ Title: Enable user support features
+description: How to enable elevation and escalation features for user support
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
+++++
+ms.localizationpriority: normal
+++
+# Enable user support features
+
+Whether you are providing your own user support or working with a partner to provide it, follow these steps to enable the support provider to request elevated device access or escalate issues to Microsoft Managed Desktop, if needed.
+
+1. If they don't already have one, users need an account in same Azure Active Directory (AAD) domain as the Microsoft Managed Desktop devices.
+2. Add the user accounts from Step 1 to the **Modern Workplace Roles-Support Partner** security group in AAD.
+
+<!--when available, add link to downloadable articles at DLC-->
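Review bot: Step 2 grants the ability to request elevated device access purely through membership of the **Modern Workplace Roles-Support Partner** group, and the procedure says nothing about who should be in it or when to remove them. Add guidance to limit membership to the designated support staff (user-support.md in this same update says it is best to keep this group smaller than the broader support team), to review membership periodically, and to remove accounts when a person or partner stops providing support. In step 1, "an account in same Azure Active Directory (AAD) domain" is missing "the".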
managed-desktop Get Started Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-devices.md
Title: Get your users ready to use devices
-description: Information to help you get your users ready to use devices.
+description: Information to help you get your users ready to use devices
keywords: Microsoft Managed Desktop, device, get started, Microsoft 365
# Get your users ready to use devices
-Once a Microsoft Managed Desktop device is in the hands of your user, getting started with it is fast and easy. Devices come pre-configured with the current version of Windows, and configurations and apps are installed from the cloud as the user completes setup.
+Once a Microsoft Managed Desktop device is in the hands of your user, getting started with it is fast and easy. Devices come pre-configured with the current version of Windows and configurations and apps are installed from the cloud as the user completes setup.
-To make this even easier, we offer a guide that walks your users through the initial setup and provides help resources both for the setup and for use later, if needed. You can customize this guide to include certain details specific to your organization. You then distribute the guide directly to your users along with their device. There are two versions, one for organizations using Microsoft's support system (the Get Help app), one for those providing alternative support for their users.
+To make this even easier, we offer a guide that walks your users through the initial setup and provides help resources both for the setup and for use later, if needed. You can customize this guide to include certain details specific to your organization. You then distribute the guide directly to your users along with their device.
## To prepare the guide
-1. Download the version appropriate to your organization:
-- [Microsoft Managed Desktop - Get started with your device (Get Help version)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-help-custom-v3.pdf) - use this version if your users will use Microsoft's support system.-- [Microsoft Managed Desktop - Get started with your device](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-custom-v2.pdf) - use this version if your users will *not* use Microsoft's support system.
+1. Download the guide: [Microsoft Managed Desktop - Get started with your device](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-custom-v2.pdf).
2. Use any app capable of opening PDF files to fill in details relevant to your organization: - The name of the network your users should connect to in order to continue setup (Step 3 in the guide) - The name of your organization's Azure tenant account (Step 4 in the guide)
To make this even easier, we offer a guide that walks your users through the ini
## "Ready-to-use guide"
-We also provide a more generic version of the guide for those organizations that don't need to customize it. There are two versions, one for organizations using Microsoft's support system (the Get Help app), one for those providing alternative support for their users.
+We also provide a more generic version of the guide for those organizations that don't need to customize it.
-- [Microsoft Managed Desktop - Get started with your device (Get Help version - ready to use)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-help-v3.pdf) - use this version if your users will use Microsoft's support system.-- [Microsoft Managed Desktop - Get started with your device (ready to use)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-v2.pdf) - use this version if your users will *not* use Microsoft's support system.
+Just download the guide: [Microsoft Managed Desktop - Get started with your device (ready to use)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/managed-desktop/get-started/downloads/microsoft-managed-desktop-user-guide-no-help-v2.pdf).
At this point, you're ready to move on to deploying apps:
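Review bot: In the first paragraph, dropping the comma after "Windows" makes the sentence ambiguous: "pre-configured with the current version of Windows and configurations and apps are installed from the cloud" can be read as devices being pre-configured with configurations. Restore the comma before "and configurations". Under "Ready-to-use guide", "Just download the guide:" could be "Download the guide:" to match step 1.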
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
Microsoft Managed Desktop is a cloud-based service that brings together [Microso
- User device deployment - IT service management and operations - Security monitoring and response-- User support Microsoft Managed Desktop offers a solution for several of the challenges facing businesses and their people today: - The transition to the agile world of software as a service is daunting.
Microsoft Managed Desktop offers a solution for several of the challenges facing
- Many current IT management and security processes are outdated, time-intensive, and expensive. - Businesses want to focus on what makes them uniquely successful, rather than maintaining digital infrastructure.
-Your users will enjoy the latest versions of Windows 10 and Microsoft 365 Apps for enterprise apps (and more besides), using devices and software that are curated and rigorously tested for best performance and reliability. Also, you'll never have to worry about keeping any of this software up to date because that happens automatically, following a careful rollout sequence that is monitored every step of the way. And registered devices are monitored 24x7 for technical and security issues, so if something goes wrong, help will be on the way.
+Your users will enjoy the latest versions of Windows 10 and Microsoft 365 Apps for enterprise apps (and more besides), using devices and software that are curated and rigorously tested for best performance and reliability. Also, you'll never have to worry about keeping any of this software up to date because that happens automatically, following a careful rollout sequence that is monitored every step of the way. And registered devices are monitored 24 hours a day, seven days a week for technical and security issues, so if something goes wrong, help will be on the way.
## Unique to Microsoft Managed Desktop
managed-desktop Roles And Responsibilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/roles-and-responsibilities.md
Microsoft provides these key roles and responsibilities:
Role or responsibility | Description | MDM policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md).
-user support | We provide user support for devices, Windows, and the Microsoft 365 Apps for enterprise product suite for all enrolled users through the Get Help app that's preinstalled on all Microsoft Managed Desktop devices.
+User support | We provide a mechanism for elevated access to devices and for issues to get escalated if necessary. For more information, see [User support](../service-description/user-support.md).
Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. This team will support technical troubleshooting, change requests, and incident management for the customerΓÇÖs Microsoft Managed Desktop environment. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) detects a threat, we will notify you, isolate the device, and rectify the issue remotely. For more information, see [Security](../service-description/security.md). Update monitoring and management | We actively monitor your Microsoft Managed Desktop devices to ensure that the latest quality and feature updates are installed for Microsoft Windows and Microsoft Office. For more information, see [How updates are handled](../service-description/updates.md).
Role or responsibility | Description
Change management | Microsoft will notify customers, in advance, when changes need to be made to their Microsoft Managed Desktop environment. For more information, see [service changes and communication](../service-description/servicechanges.md).<br><br>You must have your own change management process and have a contact established with Microsoft Managed Desktop Operations team. You also must have resources to review and approve these changes. For more information, see [Operations and monitoring](../service-description/operations-and-monitoring.md). Identity management | You are responsible for creating user accounts, assigning users to groups, and keeping metadata up to date. Microsoft 365 Apps for enterprise configuration and management | Microsoft is responsible for ensuring Office applications are deployed to users and those applications are kept up to date. <br><br> You are responsible for managing Microsoft 365 services and policies, including Exchange Online administration responsibilities:<br>- Email administration<br>- Mailbox and rule configuration<br>- Exchange on-premises management<br><br>You are also responsible for collaboration tools, SharePoint server administration, domain management, and security and information policies that are set in the Microsoft 365 admin center.
-User support | You must provide user support for: <br>- On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.<br><br>- Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.<br><br>- Line of business and any other company-specific applications.
+User support | Providing all user support and technical assistance from first contact through to resolution for the user, either by you or through a designated support partner. You must either provide user support directly or work with a partner to provide support for these areas: <br><br>- On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.<br><br>- Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.<br><br>- Line of business and any other company-specific applications.
Apps | Roles and responsibilities vary somewhat for the apps provided as part of Microsoft Managed Desktop versus the apps you provide. <br><br>For apps provided by Microsoft (Microsoft 365 Apps for enterprise comprising Word, Excel, PowerPoint, Outlook, Publisher, Access, Skype for Business, Teams, and OneNote), **Microsoft** will provide full service for the deployment, update, and support. **You** must obtain and assign licenses for these apps, add users to security groups, and manage end of life and deploy any add-ons you need.<br><br>For apps you provide (such as your line-of-business apps), whether you package them yourself or engage a non-Microsoft vendor to do so, **you** are responsible for these actions: <br><br>- Identifying applications needed for targeted user groups<br>- Creating and managing Azure AD groups for app deployment<br>- Packaging apps to meet Microsoft Intune deployment standards<br>- Uploading apps to Microsoft Intune<br>- Testing apps in Microsoft Managed Desktop environment<br>- Testing apps with your users<br>- Managing and assigning users to applications<br>- Identify and deploy application updates through Microsoft Intune<br>- Uninstalling and removing applications when they have been retired<br>- Procuring and assigning licenses<br>- Providing user support for line-of-business apps<br>- Managing app settings remotely<br><br>**Microsoft** will provide Microsoft Intune deployment tools to deliver the applications to remote clients.<br><br>For more information, see [Apps](../get-ready/apps.md). Security monitoring and response | You are responsible for investigating and resolving incidents for devices that aren't Microsoft Managed Desktop devices and ensuring that the Microsoft Managed Desktop Operations Team is informed of any issues that may impact the service. Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. 
We need these contacts if there is an operational incident unrelated to Microsoft Managed Desktop. <br><br>You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop and ensuring that the Microsoft Managed Desktop Operations Team is always informed.
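Review bot: The new customer-side "User support" row opens with a fragment, "Providing all user support and technical assistance from first contact through to resolution for the user, either by you or through a designated support partner.", while the neighbouring rows are full sentences such as "You are responsible for ..." and "You must ...". Reword it as "You are responsible for providing all user support ..., either directly or through a designated support partner", and trim the next sentence, which repeats "either provide user support directly or work with a partner". The Microsoft-side row mentions "a mechanism for elevated access to devices" without saying who may use it; since that is a privileged path, link to enable-support.md as well as user-support.md.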
managed-desktop Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/support.md
Title: Support for Microsoft Managed Desktop
+ Title: Admin support
description: Describes proactive and reactive incident management for Microsoft Managed Desktop. keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
ms.localizationpriority: normal
-# Support for Microsoft Managed Desktop
+# Admin support
Microsoft will provide proactive and reactive incident management. Microsoft tracks incidents in the Microsoft Managed Desktop admin portal. They are classified according to [severity definitions](../working-with-managed-desktop/admin-support.md#sev).
Supported products:
- Windows 10 with Microsoft Defender for Endpoint - These Microsoft 365 Apps for enterprise apps: Outlook, Word, PowerPoint, Excel, Skype for Business client, Microsoft Teams - Microsoft Store for Business -- OneDrive for Business client
+- OneDrive client
Support details:
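Review bot: Retitling this page to "Admin support" gives it nearly the same name as the page it links to in its first paragraph, ../working-with-managed-desktop/admin-support.md, which other articles in this update cite as "Admin support for Microsoft Managed Desktop". Two pages with near-identical titles will be hard to tell apart in navigation and search; choose a title that marks this one as the service description. If the scope changed with the title, update the description line too, which still reads "Describes proactive and reactive incident management for Microsoft Managed Desktop".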
managed-desktop User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/user-support.md
+
+ Title: User support
+description: Explains the options for customer-led and partner-led support.
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
+++++
+ms.localizationpriority: normal
+++
+# User support
+
+Your Microsoft Managed Desktop users can get support either from your organization (we call this "customer-led" support) or from a selected partner ("partner-led" support). We aim to provide a consistent experience for users while keeping devices secure with both support options. No matter which option you choose, these same principles apply:
+
+- Flexible integration of Microsoft Managed Desktop devices with your existing support processes .
+- Clear roles and responsibilities between the support provider, IT admins, and Microsoft Managed Desktop
+- [Defined escalation paths](#workflow-for-support-providers)
+- Documentation provided by Microsoft Managed Desktop, along with a portal where you can request elevated device access and escalation to our support staff, if needed.
+- Threat monitoring and mitigation provided by Microsoft Managed Desktop all day every day
+
+## Roles and responsibilities
+
+To ensure the quality of service without compromising security, the support provider, IT admins, and Microsoft Managed Desktop each have different roles and responsibilities.
+
+### Support provider
+
+Whoever provides support (either you for customer-led support or a partner for partner-led) is responsible for these items:
+
+- Providing all user support and technical assistance from first contact through to resolution for the user
+- Fulfilling all service level agreements for user support established by your organization or in partnership with your chosen support provider
+- Performing specific troubleshooting actions, such as requesting elevated device privileges as described in [Getting help for users](../working-with-managed-desktop/end-user-support.md)
+- Troubleshooting and remediating user problems, including:
+ - Operating system (Windows)
+ - Microsoft Apps for enterprise
+ - Browser features
+ - Device problems
+ - Problems with infrastructure, such as printers, drivers, and VPNs
+ - Line-of-business applications
+
+### IT admin
+
+Your IT admin is responsible for these items:
+
+- Working with the support provider to set and manage service level agreements for user support
+- Managing elevated access privileges for approved support staff. For more information, see [Enable user support features](../get-started/enable-support.md)
+- If there are device issues affecting multiple users, escalating those by using the Microsoft Managed Desktop admin support process. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md).
+- Route hardware-related issues to the appropriate vendor or supplier
+- Maintain and protect device security policy settings on Microsoft Managed Desktop devices by preventing the policies we set from being changed.
+
+### Microsoft Managed Desktop
+
+As the service provider, we are responsible for these items:
+
+- Providing the means for elevated device access and issue escalation, including documentation
+- Keeping this information about the roles and responsibilities current
+- Responding to admin support requests in accordance with the severity definitions
+- Providing threat monitoring and mitigation for all enrolled devices all day every day
+
+## Workflow for support providers
+
+Whether support is customer-led or partner-led, the flow of activity for a user support request follows this path:
++
+Integrating your existing processes with this workflow for Microsoft Managed Desktop devices is flexible, so the details could be different. Typically, the support provider follows an existing tier-based or handoff approach, designating specific users who have the ability to elevate permissions or escalate issues to Microsoft Managed Desktop Operations. It's best to keep this group smaller than the broader support team.
+
+If a user issue needs to be escalated to Microsoft Managed Desktop, it's helpful to identify which team the issue should be directed to. We can transfer cases appropriately, but it saves time to route them to the right place from the start.
+
+- Problems specific to Microsoft Managed Desktop (for example, a policy or setting that's deployed by the service itself): escalate directly to the Operations team. For more info, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
+- Hardware problems: direct to your hardware supplier or vendor
+- Other problems: escalate through existing support channels, whether that's a Unified or Premier subscription.
+
+## Provided support framework
++
+### Elevation portal
+
+Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see [User account control](/windows/security/identity-protection/user-account-control/user-account-control-overview). In order for support staff to be able to [perform tasks](../working-with-managed-desktop/end-user-support.md#elevation-requests) while troubleshooting issues for users, we provide "just-in-time" access to an admin account. This password accessed securely by only those you designate, and rotates every couple hours.
+
+For steps on how to set up users for access to this portal, see [Enable user support features](../get-started/enable-support.md).
+
+For steps on submitting an elevation request, see [Elevation requests](../working-with-managed-desktop/end-user-support.md#elevation-requests).
+
+### Escalation portal
+
+If an issue requires escalation to Microsoft Managed Desktop Operations team, designated support staff might direct similar to an IT admin support request.
+
+> [!NOTE]
+> Only Sev C support requests can be filed in this manner. For an issue matching the description of other severities, itΓÇÖs recommended to contact the appropriate IT admin to file. For more info, see [Support request severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
+
+For steps on how to set up users for access to this portal, see [Enable user support features](../get-started/enable-support.md).
+
+For steps on submitting an escalation request, see [Escalation requests](../working-with-managed-desktop/end-user-support.md#escalation-requests).
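Review bot: In the Elevation portal paragraph, the sentence "This password accessed securely by only those you designate, and rotates every couple hours" is missing its verb and refers to a password that was never introduced; the sentence before it mentions only "just-in-time" access to an admin account. Suggest naming the credential first, then stating who can retrieve it and giving the rotation interval as a specific figure instead of "every couple hours". In the Escalation portal section, "designated support staff might direct similar to an IT admin support request" is also incomplete as written. The lone `+` lines after "follows this path:" and after "## Provided support framework" leave both places without the content the surrounding text points to.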
managed-desktop End User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support.md
# Getting help for users
-There are two ways that users in your organization can get help with their Microsoft Managed Desktop devices: **Get Help** app, or phone support. Both of these support options are available to users 24 hours a day, 7 days a week.
+If you've reached the point in the [workflow](../service-description/user-support.md) where you need to request elevated device access or escalation to Microsoft, follow these steps:
>[!NOTE] >These support options are not available for devices in the Test group.
-## Get Help app
+## Elevation requests
-The preferred method for providing support to your users is **Get Help**, an easy-to-use interface built into the user device.
+Before you request elevated access to a device, it's best to review which actions are best suited.
-![Get Help app icon](../../media/get-help.png)
+- **Typical actions** are what this process is intended for and would be performed routinely while troubleshooting problems with Microsoft Managed Desktop devices. Examples include:
+ - Elevating built-in system troubleshooters, the command prompt, or Windows PowerShell
+ - Troubleshooting line-of-business applications
+ - Using a workaround to correct something that should function by design (such as BitLocker activation or system time not updating)
+ - Elevating Device Manager to do things like update drivers, uninstall a device, or scan for new changes
-Get Help is an application thatΓÇÖs installed on all Microsoft Managed Desktop devices and is pinned to the task bar.
+- **Actions that aren't recommended** include the following:
+ - Installing software or browsers
+ - Installing drivers outside of Windows settings, including those for peripherals
+ - Installing .msi or .exe files
+ - Installing Windows features
-- Users can request a callback to a provided phone number, or chat online with a service rep.-- Requests that fall outside of Microsoft Managed Desktop support scope are redirected to the local IT helpdesk via phone call.
+- **Actions that aren't supported** include the following:
+ - Installing software or features that conflict with Microsoft Managed Desktop security or management capabilities or operations
+ - Disabling a Windows feature that is required for Microsoft Managed Desktop, such as BitLocker
+ - Modifying settings managed by your org
-> [!NOTE]
-> The display language for the Get Help app is English only, even if a user has selected a different language when setting up their device or in device settings.
-
-### Prerequisites
-For your users to be able to get help through the app, make sure these prerequisites are met:
--- The device must be registered with Microsoft Managed Desktop using one of the methods in [Set up Microsoft Managed Desktop devices](../get-started/set-up-devices.md), such as [Register new devices yourself](../get-started/register-devices-self.md).-- The display language for the device must be set to any of these English-language locales: en-us, en-gb, en-au, en-nz, or en-ca.-- The Get Help app should be up to date. To confirm its status, check for app updates in the Microsoft Store.-- Certain [endpoints](../get-ready/network.md#endpoints-allowed-that-are-necessary-for-microsoft-managed-desktop) must be accessible from the device.
+### To request elevation
-> [!NOTE]
-> The Get Help app can take up to one hour after a device is deployed to fully function.
+1. Go to the portal at [https://aka.ms/mmdelevationrequest](https://aka.ms/mmdelevationrequest) and sign in with your Azure Active Directory credentials.
+2. Select **New elevation request**.
+3. Provide these details:
+ - **Support ticket ID** from your own support ticketing system.
+ - **Device name**: enter the device serial number and then select the device from the menu.
+ - **Category**: Select the category that best fits your issue. If no option seems close, then select **Other** and provide more info in the **Title** and **Plan of action** fields. It's best to select a category if at all possible.
+ - **Subcategory**: Select the one that best fits the issue. If no option seems close, then select **Other** and provide a short description in **Title**. In **Plan of action**, provide the troubleshooting steps you plan to take once elevation is granted.
+4. Select **Submit**.
-If you've checked these prerequisites and the Get Help app still isn't working, you as an IT admin should file a [support request](admin-support.md).
-## Phone support
+## Escalation requests
-Users with Microsoft Managed Desktop devices also have access to toll-free phone numbers they can call. The numbers are meant to be used when Get Help isnΓÇÖt available. For example, if they canΓÇÖt sign in to the device, or the device is broken. Here are the phone numbers for phone support:
-- United States: +1 855 425 0216-- Canada (excluding Quebec): +1 855 425 0216-- United Kingdom: +44 800 026 0698-- Belgium: +32 800 58533-- Luxembourg: +352 800 40119-- Australia: +61 180 037 0619-- New Zealand: +64 988 44380-- Sweden: +46 20 120 3554-- Norway: +47 800 62584-- Iceland: +354 800 9006-- Ireland: +353 1 800 832272-- Denmark: +45 80 40 04 01-- Finland: +358 800 525088
+If you need to [escalate](../service-description/user-support.md#escalation-portal) an issue to Microsoft, follow these steps:
->[!NOTE]
->You'll need to have your organizational email address ready when you call to verify your identity.
+1. Go to the portal at [https://aka.ms/mmdelevationrequest](https://aka.ms/mmdelevationrequest) and sign in with your Azure Active Directory credentials.
+2. Select **Escalation requests**, and then select **New escalation request**.
+3. Provide these details:
+ - **Category**: Select the category that best fits your issue.
+ - **Title**: Provide a very brief description.
+ - **Description**: Add any additional details that could help our team understand the problem. If you need to attach files, you can do that by coming back to the request after you submit it.
+ - **Primary contact information**: Provide info about how to contact the main person responsible for working with our team.
+4. Select **Submit**.
+5. Revisit the ticket in the same portal to interact with our team.
-## More resources
-- [Admin support for Microsoft Managed Desktop](admin-support.md). -- [Support for Microsoft Managed Desktop](../service-description/support.md).-- If you already subscribe to Microsoft Managed Desktop, you can find detailed procedures, process flows, work instructions, and FAQs in the Microsoft Managed Desktop Admin Guide in the **Online resources** under the Microsoft Managed Desktop section of the **Tenant administration** menu in [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+> [!NOTE]
+> Only Severity C issues can be escalated through this path. For other issues, contact your IT admin to file the request through the Admin portal.
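Review bot: The retained note ">These support options are not available for devices in the Test group" was written for the Get Help app and phone support that this change removes; it now sits directly under the new elevation and escalation intro, so confirm whether Test group devices are really excluded from elevation and escalation requests, or reword or drop the note. In "To request elevation", step 3 mentions **Title** and **Plan of action** only inside the Category and Subcategory bullets and never lists them as fields of their own; give each its own bullet so the plan of action is not missed. The closing note uses "Severity C" and "Admin portal" where user-support.md uses "Sev C" and "contact the appropriate IT admin to file"; pick one wording for both pages.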
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
Get-mailbox | where {$_.PersistedCapabilities -Match "SchedulerAssistant"}
> It might take up to two hours for the Scheduler mailbox to complete full provisioning to set the SchedulerAssistant capability. ## Exchange Online mailbox
+A Scheduler license is an add-on to Microsoft 365, that enables the meeting organizer to delegate their meeting scheduling tasks to their Scheduler assistant. For the Scheduler to work, typically through Microsoft 365 license, meeting organizers require the following components:
-Scheduler is an add-on to Microsoft 365. Meeting organizers must have an Exchange Online mailbox and calendar for Scheduler to work.
+- A mailbox designated as Scheduler assistant mailbox
+- Scheduler license
+- Exchange Online mailbox and calendar
-## Exchange requirements
+The meeting attendees do not require Scheduler or Microsoft 365 license.
-In addition to licensing Scheduler, you must have one of the following licenses:
+## Scheduler end-user license requirements
+
+A Scheduler license requires one of the following licenses:
- Microsoft 365 E3, A3, E5, A5 - Business Basic, Business, Business Standard, Business Premium
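Review bot: In the added opening sentence, "For the Scheduler to work, typically through Microsoft 365 license, meeting organizers require the following components", it is unclear what "typically through Microsoft 365 license" qualifies: the Scheduler license, the Exchange Online mailbox, or all three components. Suggest stating which of the listed components a Microsoft 365 license normally covers. The section keeps the heading "## Exchange Online mailbox" although it now lists three components, and "do not require Scheduler or Microsoft 365 license" needs an article ("a Scheduler or Microsoft 365 license").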
In addition to licensing Scheduler, you must have one of the following licenses:
- Exchange Online Plan 1 or Plan 2 license. > [!Note]
-> **Scheduler for Microsoft 365** is currently available for worldwide multi-tenants, in English only.</br>
->
-> It is not available for users of Office 365 operated by 21Vianet in China or users of Microsoft 365 with the German cloud that uses the data trustee German Telekom. It is supported for users in Germany whose data location isn't in the German datacenter.
->
-> This feature is also not supported for users of the Government Cloud, including GCC, Consumer, GCC High, or DoD.
+
+> Scheduler for Microsoft 365 is available in worldwide multi-tenant environments in English only. **Scheduler for Microsoft 365** isn't available to users of:
+
+- Microsoft 365 operated by 21Vianet in China
+- Microsoft 365 with German cloud that uses the data trustee German Telekom
+- Government cloud including GCC, Consumer, GCC High, or DoD
+
+Scheduler does support users in Germany whose data location is not in the German datacenter.
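Review bot: The added blank line after `> [!Note]` separates the marker from its body, and the three exclusion bullets and the closing sentence about Germany have no `>` prefix, so they sit outside the note block rather than inside it as the removed version did. Suggest removing the blank line and prefixing the bullets and the last sentence with `>`. "Government cloud including GCC, Consumer, GCC High, or DoD" carries over "Consumer" from the old text; confirm that it belongs in a list of government clouds.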
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise. ## Restrict access to all removable media
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise. ## Restrict access to all removable media
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - ## Requirements Device control for macOS has the following prerequisites: >[!div class="checklist"] > - Microsoft Defender for Endpoint entitlement (can be trial)
-> - Minimum OS version: macOS 10.15.4 or higher
-> - Minimum product version: 101.24.59
-> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur).
->
-> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console:
->
-> ```bash
-> mdatp health --field real_time_protection_subsystem
-> ```
-> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. For more information, seeΓÇ»[Deploy updates for Microsoft Defender for Endpoint on Mac](mac-updates.md).
->
-> You can check the update channel using the following command:
->
-> ```bash
-> mdatp health --field release_ring
-> ```
->
-> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
->
-> ```bash
-> defaults write com.microsoft.autoupdate2 ChannelName -string Beta
-> ```
->
-> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, seeΓÇ»[Deploy updates for Microsoft Defender for Endpoint on Mac](mac-updates.md).
+> - Minimum OS version: macOS 11 or higher
+> - Minimum product version: 101.34.20
## Device control policy
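Review bot: With the `mdatp health --field real_time_protection_subsystem` and `mdatp health --field release_ring` checks removed, the prerequisites now state "Minimum product version: 101.34.20" but give the reader no way to confirm it on a device. Suggest keeping a one-line verification step in the style of the removed commands. The change also drops the `defaults write com.microsoft.autoupdate2 ChannelName -string Beta` instruction without saying what devices that were moved to the `Beta` channel for the preview should do now that the channel requirement is gone.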
Under the removable media section, there is an option to set the enforcement lev
- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy. - `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
+> [!NOTE]
+> By default, the enforcement level is set to `audit`.
+ |Section|Value| |:|:| | **Domain** | `com.microsoft.wdav` |
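Review bot: The added note "By default, the enforcement level is set to `audit`" should spell out the consequence, since the `audit` description above it says "the device can still be used": a policy deployed without an explicit enforcement level notifies the user but does not restrict the device. Suggest adding that `block` must be set explicitly for the policy to limit operations.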
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
## 101.34.20 (20.121051.13420.0)
+- [Device control for macOS](mac-device-control-overview.md) is now in general availability
- Addressed an issue where a quick scan could not be started from the status menu on macOS 11 (Big Sur) - Other bug fixes
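Review bot: The added release note "is now in general availability" reads better as "is now generally available", and it would help to state the requirement that the overview page sets in the same update ("Minimum OS version: macOS 11 or higher"), so readers of the release notes do not expect the feature on older systems.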