+Microsoft 365 groups support nesting through [dynamic groups in Azure Active Directory](/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of).

+You must be a member of the Global admin, Security admin, Application admin or Cloud Application admin roles to see the idle session timeout setting.

+Depending on the billing frequency you chose when you bought your subscription, you receive an invoice either monthly or annually. The amount of time since the last invoice date is called the *Billing Period* and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.

+| Dynamics 365 Marketing | CFQ7TTC0LH3N |

+| Dynamics 365 Marketing Attach | CFQ7TTC0LHWP |

+| Dynamics 365 Marketing Additional Application | CFQ7TTC0LHVK |

+| Dynamics 365 Marketing Additional Non-Prod Application | CFQ7TTC0LHWM |

+A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. Proposals represent large orders that your organizationΓÇÖs procurement or IT department place with Microsoft.

+Before the proposal workflow begins, your procurement department works directly with a designated Microsoft representative to determine the specific products and services your organization needs. Next, your Microsoft representative drafts a proposal and sends your procurement department an email with a link to accept the proposal in the Azure marketplace portal. The site contains the proposal prepared specifically for you and your organization.

+After you follow the link and sign in to the proposal site, you can start the proposal review process. After you complete the proposal review and check out, you receive an invoice for the purchased products as per the billing plan you selected. To learn how billing works for proposals, see [Understand invoicing](#understand-invoicing) below.

+You must be a billing account owner or billing account contributor to successfully sign an agreement or buy products and services. If youΓÇÖre a Global admin but donΓÇÖt have one of those roles, you can assign the roles to yourself. If youΓÇÖre not a Global admin, ask your Global admin, or billing account owner to assign one of the roles to you.

+ or

+- After checkout is finished, you're given more links to set up your products and services.

+| Existing agreements | Any agreement that your organization already has in place with Microsoft. The agreements can include, but aren't limited to, an Enterprise Agreement, Microsoft Product & Services Agreement, or Microsoft Customer Agreement. |

+If this order is the first time your organization is establishing a commercial relationship with Microsoft, and you haven't yet signed an MCA, if the information under **Your organization** or **Lead organization** is incorrect, contact the representative to make changes for you. After you've accepted an MCA, you can review and change your organization's address and contact information on the [Billing accounts](https://go.microsoft.com/fwlink/p/?linkid=2084771) page in the Microsoft 365 admin center. If your organization name changes, open a support request to have it updated. [Learn how to open a support request](../admin/get-help-support.md).

+[Microsoft 365 tax information](billing-and-payments/tax-information.md).

+This section shows a list of all items included in the proposal, which can include one or more of the following categories:

+- **Included** A list of items included as part of the proposal package at no extra charge. Some of these items might have a cost associated with them in the future.

+After you check out and complete your order, an initial invoice is sent within 24-48 hours. After that, you receive invoices around the fifth of every month. The monthly invoice contains charges from the previous month. If you have any credits for your account, they're deducted from your billing profile's monetary credits, and applied to your invoice balance. The remaining balance after credits are applied is the balance due. You have 30 days from the billing date to pay the invoice.

+<!--## Searchable sensitive data types

+<!--### Limitations for searching sensitive data types

+- You can't use sensitive information types and the `SensitiveType` search property to search for sensitive data at-rest in Exchange Online mailboxes. This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft Teams because all of this content is stored in mailboxes. However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. For more information, see [Learn about data loss prevention](dlp-learn-about-dlp.md) and [Search for and find personal data](/compliance/regulatory/gdpr).-->

+For information regarding what licenses provide the rights for a user to benefit from eDiscovery (Premium) please see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-ediscovery) and see the "eDiscovery and auditing" section in theΓÇ»[Microsoft 365 Comparison table](https://go.microsoft.com/fwlink/?linkid=2139145).

+For information about how to assign licenses, seeΓÇ»[Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).

+1. **If a chat or channel message is edited or deleted** by a user during the retention period, the original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder. When a user deletes a Teams message, although the message disappears from the Teams app, the message doesn't go into the SubstrateHolds folder for 21 days. The message is stored in the SubstrateHolds folder for at least 1 day. When the retention period expires, the message is permanently deleted the next time the timer job runs (typically between 1-7 days).

+1. **If a chat or channel message is edited or deleted** by a user during the retention period: The original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder. When a user deletes a Teams message, although the message disappears from the Teams app, the message doesn't go into the SubstrateHolds folder for 21 days. The message is stored in the SubstrateHolds folder for at least 1 day. If the retention policy is configured to retain forever, the item remains there. If the retention policy has an end date for the retention period and it expires, the message is permanently deleted the next time the timer job runs (typically between 1-7 days).

+1. **If the chat or channel message is edited or deleted** by a user during the retention period: The original message is copied (if edited) or moved (if deleted) to the SubstrateHolds folder. When a user deletes a Teams message, although the message disappears from the Teams app, the message doesn't go into the SubstrateHolds folder for 21 days. The message is stored in the SubstrateHolds folder for at least 1 day and permanently deleted the next time the timer job runs (typically between 1-7 days).

+ - On day 30, the message is no longer displayed in the Teams app and moves to the SubstrateHolds folder after 21 days where it continues to be searchable with eDiscovery tools for a minimum of 7 years from day 1 (the retention period).

+If the user had deleted the current message after the specified retention period, instead of within the retention period, the message would still be moved to the SubstrateHolds folder after 21 days. However, now the retention period has expired, the message would be permanently deleted there after the minimum of 1 day and then typically within 1-7 days.

+ Title: "Learn about retention policies & labels to retain or delete"

+description: Learn about retention policies and retention labels to retain what you need and delete what you don't.

+This scope configuration lets you have sensitivity labels that are just for items such as documents and emails, and can't be selected for containers. And similarly, sensitivity labels that are just for containers and can't be selected for documents and emails. You can also select the scope for schematized data assets for Microsoft Purview Data Map:

+## Week of July 04, 2022

+| Published On |Topic title | Change |

+|||--|

+| 7/4/2022 | [Identify the available PowerShell cmdlets for retention](/microsoft-365/compliance/retention-cmdlets?view=o365-21vianet) | modified |

+| 7/4/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 7/5/2022 | [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-21vianet) | added |

+| 7/5/2022 | [Enable Microsoft Defender for IoT integration in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |

+| 7/5/2022 | [Security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation?view=o365-21vianet) | modified |

+| 7/5/2022 | [What is Microsoft 365 Defender?](/microsoft-365/security/defender/microsoft-365-defender?view=o365-21vianet) | modified |

+| 7/5/2022 | [Onboard Microsoft Defender for IoT with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration?view=o365-21vianet) | modified |

+| 7/5/2022 | [Data Loss Prevention policy reference](/microsoft-365/compliance/dlp-policy-reference?view=o365-21vianet) | modified |

+| 7/5/2022 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-21vianet) | modified |

+| 7/5/2022 | Infographic: Help protect your campaign | removed |

+| 7/5/2022 | Bump up security protection for your campaign or business | removed |

+| 7/5/2022 | [Setup overview for Microsoft 365 for Campaigns](/microsoft-365/business-premium/m365-campaigns-setup?view=o365-21vianet) | modified |

+| 7/5/2022 | Sign in to Microsoft 365 | removed |

+| 7/5/2022 | Sign up for Microsoft 365 for Campaigns | removed |

+| 7/5/2022 | How these security recommendations affect your users | removed |

+| 7/5/2022 | Customize sign-in page with a privacy and consent notice | removed |

+| 7/5/2022 | [How Microsoft 365 Business Premium helps your business](/microsoft-365/business-premium/m365bp-secure-users?view=o365-21vianet) | modified |

+| 7/5/2022 | [Configure privacy settings in Microsoft Whiteboard](/microsoft-365/whiteboard/configure-privacy-settings?view=o365-21vianet) | added |

+| 7/5/2022 | [Manage GDPR data subject requests in Microsoft Whiteboard](/microsoft-365/whiteboard/gdpr-requests?view=o365-21vianet) | added |

+| 7/5/2022 | [Microsoft 365 Business Premium overview](/microsoft-365/business-premium/index?view=o365-21vianet) | modified |

+| 7/5/2022 | [Collaborate and share securely in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-collaborate-share-securely?view=o365-21vianet) | modified |

+| 7/5/2022 | [Set Up unmanaged devices overview](/microsoft-365/business-premium/m365bp-devices-overview?view=o365-21vianet) | modified |

+| 7/5/2022 | [About Intune admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac?view=o365-21vianet) | modified |

+| 7/5/2022 | [Maintain environment](/microsoft-365/business-premium/m365bp-maintain-environment?view=o365-21vianet) | modified |

+| 7/5/2022 | [Protect your administrator accounts in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-protect-admin-accounts?view=o365-21vianet) | modified |

+| 7/5/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-21vianet) | modified |

+| 7/5/2022 | [Protect email Overview](/microsoft-365/business-premium/m365bp-protect-email-overview?view=o365-21vianet) | modified |

+| 7/5/2022 | [Protect unmanaged Windows PCs and Macs in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-protect-pcs-macs?view=o365-21vianet) | modified |

+| 7/5/2022 | [Security incident management](/microsoft-365/business-premium/m365bp-security-incident-management?view=o365-21vianet) | modified |

+| 7/5/2022 | [A security operations guide for Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-security-incident-quick-start?view=o365-21vianet) | modified |

+| 7/5/2022 | [Increase security in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-security-overview?view=o365-21vianet) | modified |

+| 7/5/2022 | [Welcome to Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-setup-overview?view=o365-21vianet) | modified |

+| 7/5/2022 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-21vianet) | modified |

+| 7/5/2022 | [Submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 feature descriptions](/microsoft-365/admin/m365-feature-descriptions?view=o365-21vianet) | added |

+| 7/6/2022 | [Assess the Microsoft 365 Active Users report](/microsoft-365/admin/activity-reports/active-users-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center email activity reports](/microsoft-365/admin/activity-reports/email-activity-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center email apps usage reports](/microsoft-365/admin/activity-reports/email-apps-usage-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center forms activity reports](/microsoft-365/admin/activity-reports/forms-activity-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft Dynamics 365 customer voice activity reports](/microsoft-365/admin/activity-reports/forms-pro-activity-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center mailbox usage reports](/microsoft-365/admin/activity-reports/mailbox-usage?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center apps usage reports](/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 OneDrive for Business usage reports](/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center Yammer activity reports](/microsoft-365/admin/activity-reports/yammer-activity-report-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center Yammer device usage reports](/microsoft-365/admin/activity-reports/yammer-device-usage-report-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 admin center Yammer groups activity reports](/microsoft-365/admin/activity-reports/yammer-groups-activity-report-ww?view=o365-21vianet) | modified |

+| 7/6/2022 | [Microsoft 365 Business Premium overview](/microsoft-365/business-premium/index?view=o365-21vianet) | modified |

+| 7/6/2022 | [Apply encryption using sensitivity labels](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-21vianet) | modified |

+| 7/6/2022 | [Learn about the default labels and policies to protect your data](/microsoft-365/compliance/mip-easy-trials?view=o365-21vianet) | modified |

+| 7/6/2022 | [Protect macOS security settings with tamper protection](/microsoft-365/security/defender-endpoint/tamperprotection-macos?view=o365-21vianet) | modified |

+| 7/6/2022 | [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts?view=o365-21vianet) | modified |

+| 7/7/2022 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-21vianet) | modified |

+| 7/7/2022 | [Plan for communication compliance](/microsoft-365/compliance/communication-compliance-plan?view=o365-21vianet) | modified |

+| 7/7/2022 | [Communication compliance policies](/microsoft-365/compliance/communication-compliance-policies?view=o365-21vianet) | modified |

+| 7/7/2022 | [Communication compliance](/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-21vianet) | modified |

+| 7/7/2022 | [Learn about communication compliance](/microsoft-365/compliance/communication-compliance?view=o365-21vianet) | modified |

+| 7/7/2022 | [Start retention when an event occurs](/microsoft-365/compliance/event-driven-retention?view=o365-21vianet) | modified |

+| 7/7/2022 | [Learn about sensitivity labels](/microsoft-365/compliance/sensitivity-labels?view=o365-21vianet) | modified |

+| 7/7/2022 | [Manage multifactor authentication in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-manage-mfa?view=o365-21vianet) | modified |

+| 7/7/2022 | [Case study - Contoso configures an inappropriate text policy](/microsoft-365/compliance/communication-compliance-case-study?view=o365-21vianet) | modified |

+| 7/7/2022 | [Create and manage communication compliance policies](/microsoft-365/compliance/communication-compliance-policies?view=o365-21vianet) | modified |

+| 7/7/2022 | [Microsoft Defender for Office 365 trial playbook](/microsoft-365/security/office-365-security/trial-playbook-defender-for-office-365?view=o365-21vianet) | modified |

+| 7/7/2022 | [Manage GDPR data subject requests in Microsoft Whiteboard](/microsoft-365/whiteboard/gdpr-requests?view=o365-21vianet) | modified |

+| 7/8/2022 | [Delete a model in Microsoft SharePoint Syntex](/microsoft-365/contentunderstanding/delete-a-model) | added |

+| 7/8/2022 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-21vianet) | added |

+| 7/8/2022 | [Cancel your business subscription](/microsoft-365/commerce/subscriptions/cancel-your-subscription?view=o365-21vianet) | modified |

+| 7/8/2022 | [Microsoft Purview solutions trial playbook](/microsoft-365/compliance/compliance-easy-trials-compliance-playbook?view=o365-21vianet) | modified |

+| 7/8/2022 | [Office TLS certificate changes](/microsoft-365/compliance/encryption-office-365-tls-certificates-changes?view=o365-21vianet) | modified |

+| 7/8/2022 | [Switch to Microsoft Defender for Endpoint - Setup](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2?view=o365-21vianet) | modified |

+Microsoft 365 Lighthouse lets you manage users across customer tenant accounts by selecting any of the links under **Users** in the left navigation pane. From Users page, you can search for users and assess and act on the security state of your user accounts. You can also view insights into risky users and the status of multifactor authentication and self-service password reset.

+From the Search users tab, you can quickly search across tenants for specific users and perform common user management tasks like updating user account information, resetting passwords, assigning licenses, and managing a user's groups, mailbox, or OneDrive.

+### [Trial playbook: Get the most out of your trial](defender-endpoint-trial-playbook.md)

+- [Cloud protection](cloud-protection-microsoft-defender-antivirus.md);

+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, such as [attack surface reduction (ASR) rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md). Files that you exclude using the methods described in this article can still trigger endpoint detection and response (EDR) alerts and other detections.

+> To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](manage-indicators.md).

+> Exclusions apply to [potentially unwanted apps (PUA) detections](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) as well.

+You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled.

+Microsoft Defender for Endpoint Plan 1 is available as a standalone user subscription license for commercial and education customers. It's also included as part of Microsoft 365 E3/A3.

+Microsoft Defender for Endpoint Plan 2, which was previously called Microsoft Defender for Endpoint, is available as a standalone license and as part of the following plans:

+- Windows 11 Enterprise E5/A5

+- Windows 10 Enterprise E5/A5

+- Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)

+- Microsoft 365 E5/A5/G5/F5 Security

+- Microsoft 365 F5 Security & Compliance

+- [Microsoft Defender for Business](../defender-business/mdb-overview.md) (endpoint protection for small and medium-sized businesses)

+ Title: Trial playbook - Microsoft Defender for Endpoint

+description: Use this guide to get the most of your 90-day free trial. See how Defender for Endpoint can help prevent, detect, investigate, and respond to advanced threats.

+search.appverid: MET150

+audience: ITPro

+ms.technology: mde

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+# Trial playbook: Microsoft Defender for Endpoint

+Welcome to the Microsoft Defender for Endpoint Plan 2 trial playbook!

+This playbook is a simple guide to help you make the most of your free trial. Using the suggested steps in this article from the Microsoft Defender team, you'll learn how Defender for Endpoint can help you to prevent, detect, investigate, and respond to advanced threats.

+## What is Defender for Endpoint?

+[Defender for Endpoint](microsoft-defender-endpoint.md) is an enterprise endpoint security platform that uses the following combination of technology built into Windows and Microsoft's robust cloud service:

+- **Endpoint behavioral sensors**: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send sensor data to your private, isolated, cloud instance of Defender for Endpoint.

+- **Cloud security analytics**: Using big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

+- **Threat intelligence**: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they're observed in collected sensor data.

+<center><h2>Microsoft Defender for Endpoint</center></h2>

+<table>

+<tr>

+<td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>

+<td><a href="microsoft-defender-endpoint.md#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>

+<td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td>

+<td><center><a href="microsoft-defender-endpoint.md#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>

+<td><center><a href="microsoft-defender-endpoint.md#ai"><img src="images/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>

+<td><center><a href="microsoft-defender-endpoint.md#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td>

+</tr>

+<tr>

+<td colspan="7">

+<a href="microsoft-defender-endpoint.md#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td>

+</tr>

+<tr>

+<td colspan="7"><a href="microsoft-defender-endpoint.md#mtp"><center><b>Microsoft 365 Defender</a></center></b></td>

+</tr>

+</table>

+<br>

+**Let's get started!**

+## Set up your trial

+1. [Confirm your license state](#step-1-confirm-your-license-state).

+2. [Set up role-based access control and grant permissions to your security team](#step-2-set-up-role-based-access-control-and-grant-permissions-to-your-security-team).

+3. [Visit the Microsoft 365 Defender portal](#step-3-visit-the-microsoft-365-defender-portal).

+4. [Onboard endpoints using any of the supported management tools](#step-4-onboard-endpoints-using-any-of-the-supported-management-tools).

+5. [Configure capabilities](#step-5-configure-capabilities).

+6. [Experience Microsoft Defender for Endpoint through simulated attacks](#step-6-experience-microsoft-defender-for-endpoint-through-simulated-attacks).

+7. [Set up the Microsoft Defender for Endpoint evaluation lab](#step-7-set-up-the-microsoft-defender-for-endpoint-evaluation-lab).

+## Step 1: Confirm your license state

+To make sure your Defender for Endpoint subscription is properly provisioned, you can check your license state in either the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) or Azure Active Directory ([https://portal.azure.com](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products)).

+[Check your license state](production-deployment.md#check-license-state).

+## Step 2: Set up role-based access control and grant permissions to your security team

+Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Azure Active Directory. [Review the different roles that are available](/azure/active-directory/roles/permissions-reference) and choose appropriate roles for your security team. Some roles may need to be applied temporarily and removed after the trial has been completed.

+Use [Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure) to manage your roles to provide extra auditing, control, and access review for users with directory permissions.

+Defender for Endpoint supports two ways to manage permissions:

+- Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Azure Active Directory have full access. The Security reader role has read-only access and doesn't grant access to view machines/device inventory.

+- Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information, see [Manage portal access using role-based access control](rbac.md).

+## Step 3: Visit the Microsoft 365 Defender portal

+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you can access your Defender for Endpoint capabilities.

+1. [Review what to expect](../defender/microsoft-365-defender-portal.md) in the Microsoft 365 Defender portal.

+2. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.

+3. In the navigation pane, see the **Endpoints** section to access your capabilities.

+## Step 4: Onboard endpoints using any of the supported management tools

+This section outlines the general steps you to onboard devices (endpoints).

+1. [Watch this video](https://www.microsoft.com/videoplayer/embed/RE4bGqr) for a quick overview of the onboarding process and learn about the available tools and methods.

+2. Review your [device onboarding tool options](onboarding.md) and select the most appropriate option for your environment.

+## Step 5: Configure capabilities

+After onboarding devices (endpoints), you'll configure the various capabilities, such as endpoint detection and response, next-generation protection, and attack surface reduction.

+Use [this table](onboarding.md) to choose components to configure. We recommend configuring all available capabilities, but you're able to skip the ones that don't apply.

+## Step 6: Experience Microsoft Defender for Endpoint through simulated attacks

+You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.

+To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).

+1. Access the tutorials. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Tutorials**.

+2. Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements and detailed instructions that are specific to an attack scenario.

+3. [Run a simulation](attack-simulations.md).

+## Step 7: Set up the Microsoft Defender for Endpoint evaluation lab

+The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. Using the simplified set-up experience in evaluation lab, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.

+- [Watch the video overview](https://www.microsoft.com/videoplayer/embed/RE4qLUM) of the evaluation lab

+- [Get started with the lab](evaluation-lab.md)

+## See also

+- [Defender for Endpoint technical documentation](microsoft-defender-endpoint.md)

+- [Microsoft Security technical content library](https://www.microsoft.com/security/content-library/Home/Index)

+- [Defender for Endpoint demonstration](https://cdx.transform.microsoft.com/experience-detail/d5eca65d-13a3-464d-9171-c24cf9dd6050)

+Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. It explains the important next-generation protection features of Microsoft Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network.

+## Add a domain controller

+You can use one of several methods, such as the Windows Security app or Windows PowerShell, to check the state of Microsoft Defender Antivirus on your device.

+### Use the Windows Security app to check the status of Microsoft Defender Antivirus

+1. On your Windows device, select the **Start** menu, and begin typing `Security`. Then open the Windows Security app in the results.

+3. Under **Who's protecting me?**, choose **Manage Providers**.

+You'll see the name of your antivirus/antimalware solution on the security providers page.

+### Use PowerShell to check the status of Microsoft Defender Antivirus

+1. Select the **Start** menu, and begin typing `PowerShell`. Then open Windows PowerShell in the results.

+It's important to keep Microsoft Defender Antivirus (or any antivirus/antimalware solution) up to date. Microsoft releases regular updates to help ensure that your devices have the latest technology to protect against new malware and attack techniques. To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).

+- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - Direct download link from the Windows Update catalog is available [here](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4074598)

+- Install the [March 12, 2019 (or later) Servicing stack update](https://support.microsoft.com/topic/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-march-12-2019-b4dc0cff-d4f2-a408-0cb1-cb8e918feeba) - Direct download link from the Windows Update catalog is available [here](https://www.catalog.update.microsoft.com/search.aspx?q=4490628)

+- Install the [SHA-2 code signing support update](https://support.microsoft.com/topic/sha-2-code-signing-support-update-for-windows-server-2008-r2-windows-7-and-windows-server-2008-september-23-2019-84a8aad5-d8d9-2d5c-6d78-34f9aa5f8339) - Direct download link from the Windows Update catalog is available [here](https://www.catalog.update.microsoft.com/search.aspx?q=kb4474419)

+- Install [Microsoft .Net Framework 4.5.2 or later](https://www.microsoft.com/en-US/download/details.aspx?id=42642)

+|Windows 10 or later<br/><br/>Windows Server 2022<br/><br/>Windows Server 2019<br/><br/>Windows Server, version 1803, or later<br/><br/>Windows Server 2016<br/><br/>Windows Server 2012 R2|See [Run a detection test](run-detection-test.md).|

+Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly.

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. In the navigation pane, choose **Endpoints** > **Device inventory**. There, you'll be able to see protection status for devices.

+To learn more, see [Device inventory](machines-view-overview.md).

+- Customize and apply date ranges

+## July 2022

+- [Add domain controller devices - Evaluation lab enhancement (preview)](evaluation-lab.md#add-a-domain-controller)<br>Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.

+ Title: Export incidents queue to CSV files

+description: Learn about the newly introduced Export button to migrate incidents queue-related data to CSV files

+keywords: incident, queue, export, csv

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - M365-security-compliance

+ - m365initiative-m365-defender

+search.appverid:

+ - MOE150

+ - MET150

+ms.technology: m365d

+# Export incidents queue to CSV files

+**Applies to:**

+- Microsoft 365 Defender

+The **Export** feature allows you to export the data in the incident queue that is displayed according to the applied filters and time ranges. It's available in the form of a button named **Export**, as displayed in the following screenshot:

+When you click the **Export** button, the data is exported to a CSV file. You can apply various filters and time ranges to the incidents queue (not just in the context of exporting the data, but in a generic context). When you select **Export**, whichever filters and/or time ranges are applied to the incidents queue, such data is exported to the CSV file.

+Once you export the incidents queue-related data onto the CSV file, you can analyze the data and filter it further, based on your requirements.

+For example, for the data on the CSV file, you can apply filters to view the following data:

+- Data regarding how many high-severity incidents you had in the last 30 days.

+- Data regarding who is your most productive analyst.

+If you have thoughts or suggestions about the new **Export** feature (the **Export** button) for the incident queue, contact Microsoft team or send your feedback through the Microsoft 365 Defender portal.

+ Title: Microsoft Defender for Identity in Microsoft 365 Defender

+description: Learn about changes from the Microsoft Defender for Identity to Microsoft 365 Defender

+keywords: Getting started with Microsoft 365 Defender, Microsoft Defender for Identity, NDI

+ms.mktglfcycl: deploy

+ms.localizationpriority: medium

+f1.keywords:

+- NOCSH

+audience: ITPro

+search.appverid:

+- MOE150

+- MET150

+- M365-security-compliance

+# Microsoft Defender for Identity in Microsoft 365 Defender

+**Applies to:**

+- [Microsoft 365 Defender](microsoft-365-defender.md)

+- [Microsoft Defender for Identity](/defender-for-identity/)

+Microsoft Defender for Identity is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.

+Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that Microsoft 365 Defender presents. This information is key to providing context and correlating alerts from the other products within Microsoft 365 Defender.

+## Quick reference

+The table below lists the changes in navigation between Microsoft Defender for Identity and Microsoft 365 Defender.

+| **Defender for** Identity | **Microsoft 365 Defender** |

+| -- | |

+| Timeline | Microsoft 365 Defender Alerts/Incidents queue |

+| Reports | Will remain in the [classic Defender for Identity portal](/defender-for-identity/classic-workspace-portal). <br> Customized reports can be created in the Microsoft 365 Defender portal using [Advanced hunting](#advanced-hunting-new). |

+| User page | Microsoft 365 Defender User page |

+| Device page | Microsoft 365 Defender Device page |

+| Group page | Microsoft 365 Defender groups side pane |

+| Alert page | Microsoft 365 Defender Alert page |

+| Search | Microsoft 365 Defender Search |

+| Health center | Settings -> Identities -> Sensors |

+| Entity Activities | Advanced hunting |

+| Settings | Settings -> Identities |

+| Users and accounts | Assets -> Identities |

+| Identity security posture | [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment) |

+| Onboarding a new Workspace | Settings -> Identities (automatically) |

+## What's changed

+### Defender for Identity settings

+To access the Microsoft Defender for Identity configuration settings, in [Microsoft 365 Defender](https://security.microsoft.com), go to **Settings** and then **Identities**.

+### Defender for Identity security posture

+All the identity security posture management assessments that were previously accessible in Defender for Cloud Apps are now available in Microsoft Secure Score, which can be found at <https://security.microsoft.com/securescore> in the [Microsoft 365 Defender portal](https://security.microsoft.com). For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment).

+### Global search

+Global search in Microsoft 365 Defender (using the search bar at the top of the page) allows security teams to look for any entity being monitored by Microsoft 365 Defender, be it identity, endpoint, Office 365 data, and more. Results can be interacted with directly from the search drop-down, or security teams can choose to select **All users** or **All devices** to see all entities associated with that search term.

+### Onboarding and administration

+The onboarding process is now automatic for new customers, with no need to manually configure a workspace. Additionally, all the admin features are available under the **Identities** menu in Microsoft 365 DefenderΓÇÖs Settings.

+### Alerting and incident correlation

+Defender for Identity alerts are now included in Microsoft 365 DefenderΓÇÖs alert queue, making them available to the auto incident correlation feature. This ensures that all alerts are available in one place, and that the scope of a breach can be determined quicker than before. For more information, see [Defender for Identity security alerts in Microsoft 365 Defender](/defender-for-identity/manage-security-alerts).

+### Advanced hunting (new)

+You can now proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.

+Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. For more information, see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](advanced-hunting-overview.md).

+### Alert exclusions (updated)

+The alert interface is more user friendly, including adding a useful search function. Additionally, it now includes global exclusions. This means that any entity can be excluded from all alerts generated by Defender for Identity, helping with any testing scenarios you may have. For more information, see [Configure Defender for Identity detection exclusions in Microsoft 365 Defender](/defender-for-identity/exclusions).

+### Entity profiles

+Defender for Identity data is now included in the Microsoft 365 User and Device entity profiles.

+### Remediation actions (new)

+Defender for Identity remediation actions, such as disabling accounts or requiring password resets, can now be taken from the Microsoft 365 Defender User page. For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).

+### Lateral movement paths

+In addition to the **Lateral movement paths** tab on the user page, lateral movement paths can also be discovered via the **Advanced hunting** feature and the Lateral Movement paths security assessment. For more information, see [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/understand-lateral-movement-paths).

+## Related videos

+- [New for Microsoft Defender for Identity](https://www.microsoft.com/videoplayer/embed/RE4HcEU)

+## Related information

+- [Microsoft 365 Defender](microsoft-365-defender.md)

+To make Microsoft Secure Score a better representative of your security posture, we continue to add new features and improvement actions.

+The more improvement actions you take, the higher your Secure Score will be. For more information, see [Microsoft Secure Score](microsoft-secure-score.md).

+## June 2022

+- New Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management recommendations are now available as a Secure Score improvement actions:

+ - Disallow offline access to shares

+ - Remove share write permission set to **Everyone**

+ - Remove shares from the root folder

+ - Set folder access-based enumeration for shares

+ - Update Microsoft Defender for Endpoint core components

+- A new Microsoft Defender for Identity recommendation is available as a Secure Score improvement action:

+ - Resolve unsecure domain configurations

+- A new [app governance](/defender-cloud-apps/app-governance-manage-app-governance) recommendation is now available as a Secure Score improvement action:

+ - Regulate apps with consent from priority accounts

+- New Salesforce and ServiceNow recommendations are now available as Secure Score improvement actions for Microsoft Defender for Cloud Apps customers. For more information, see [SaaS Security Posture Management overview](https://aka.ms/saas_security_posture_management).

+>[!Note]

+>Salesforce and ServiceNow controls are now available in public preview.

+ > There will be times when our filters will miss a message, you don't agree with the filtering verdict, or it takes time for our systems to catch up to it. In these cases, the allow list and block list are available to override the current filtering verdicts. But, you should use these lists sparingly and temporarily: longs lists can become unmanageable, and our filtering stack should be doing what it's supposed to be doing. If you're going to keep an allowed domain for an extended period of time, you should tell the sender to verify that their domain is authenticated and set to DMARC reject appropriately.

+ Title: Report spam, non-spam, phishing, suspicious emails and files to Microsoft

+description: How do I report a suspicious email or file to Microsoft? Report messages, URLs, email attachments and files to Microsoft for analysis. Learn to report spam email and phishing emails.

+# How do I report a suspicious email or file to Microsoft?

+Wondering what to do with suspicious emails or files? In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, *users* and *admins* have different ways to report a suspicious email message, URL, or email attachment to Microsoft.

+## Report a suspicious email to Microsoft

+> [!NOTE]

+> The ["Block the following URLs" list in Safe Links policies](safe-links.md#block-the-following-urls-list-for-safe-links) is in the process of being deprecated. You can now manage block URL entries in the Tenant Allow/Block List. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

+ Title: "Create a more secure guest sharing environment"

+description: Learn about available options to create a more secure guest sharing environment in Microsoft 365, providing guest access for improved collaboration.

+# Create a more secure guest sharing environment

+In this article, we'll walk through a variety of options for creating a more secure guest sharing environment in Microsoft 365. These are examples to give you an idea of the options available. You can use these procedures in different combinations to meet the security and compliance needs of your organization.

+If the group was created via Planner, SharePoint, or any other app, the expiration notifications will always come via email.

+If the group was created via Teams, the group owner will receive an email and a notification to renew through the activity section. It's not recommended that you enable expiration on a group if your group owner doesn't have a valid email address.

+### On Windows

+On Windows, do the following steps:

+To delete a whiteboard file in OneDrive for Business, do the following steps:

+1. Navigate to the Whiteboards folder in OneDrive.

+2. Right-click the whiteboard file you want to delete.

+3. Select **Delete**.