-description: "Learn best practices to protect your data using Micrsoft 365 Business Basic, Standard, or Premium. Protect devices, email, files, and accounts."

-For more information about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).

-The following table summarizes recommendations by subscription for securing your business data:

-| Step | Recommendations |

-|||

-| [1. Use multi-factor authentication](#1-use-multi-factor-authentication). <br/><br/>*See [What MFA is and why it matters](#what-mfa-is-and-why-it-matters).* | Microsoft 365 Business Basic or Standard: [Use security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#enabling-security-defaults).<br/><br/>Microsoft 365 Business Premium: [Use either security defaults or Conditional Access](m365bp-turn-on-mfa.md). |

-| [2. Protect your administrator accounts](#2-protect-your-administrator-accounts).<br/><br/>*See [Why you should protect admin accounts](#why-you-should-protect-admin-accounts).* | Microsoft 365 Business Basic, Standard, or Premium: [Assign admin roles](/microsoft-365/admin/add-users/assign-admin-roles). |

-| [3. Use preset security policies](#3-use-preset-security-policies).<br/><br/>*See [How preset security policies help](#how-preset-security-policies-help).* | Microsoft 365 Business Basic, Standard, or Premium: [Assign Standard or Strict preset security policies to users](/microsoft-365/security/office-365-security/preset-security-policies#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). |

-| [4. Protect all devices](#4-protect-all-devices).<br/><br/>*See [Why and how to protect devices](#why-and-how-to-protect-devices).* | Microsoft 365 Business Basic: [Turn on MFA](m365bp-turn-on-mfa.md) (for basic protection).<br/><br/>Microsoft 365 Business Standard:<br/>1. [Turn on MFA](m365bp-turn-on-mfa.md).<br/>2. [Install Microsoft 365 Apps on devices](m365bp-users-install-m365-apps.md).<br/><br/>Microsoft 365 Business Premium:<br/>1. [Turn on MFA](m365bp-turn-on-mfa.md). <br/>2. [Install Microsoft 365 Apps on devices](m365bp-users-install-m365-apps.md).<br/>3. [Secure both managed and unmanaged devices](m365bp-managed-unmanaged-devices.md). |

-| [5. Train everyone on email best practices](#5-train-everyone-on-email-best-practices).<br/><br/>*See [Why and how to protect email content](#why-and-how-to-protect-email-content).* | Microsoft 365 Basic, Standard, or Premium: <br/>1. Follow the guidance in [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats). <br/>2. Share [Protect yourself against phishing and other attacks](m365bp-avoid-phishing-and-attacks.md) with everyone. |

-| [6. Use Microsoft Teams for collaboration and sharing](#6-use-microsoft-teams-for-collaboration-and-sharing).<br/><br/>*See [How to collaborate and share more securely](#how-to-collaborate-and-share-more-securely).* | Microsoft 365 Business Basic or Standard: [Use Microsoft Teams for collaboration and sharing](create-teams-for-collaboration.md). <br/><br/>Microsoft 365 Business Premium: <br/>1. [Use Microsoft Teams for meetings and information sharing](create-teams-for-collaboration.md). <br/>2. [Use Safe Links & Safe Attachments with Microsoft Teams](/microsoft-365/security/office-365-security/mdo-support-teams-about). <br/>3. [Use sensitivity labels with meetings](/microsoft-365/compliance/sensitivity-labels-meetings) to protect calendar items, Microsoft Teams meetings, and chat. <br/>4. [Use the default DLP policy in Microsoft Teams](/microsoft-365/compliance/dlp-teams-default-policy). |

-| [7. Set sharing settings for SharePoint and OneDrive files and folders](#7-set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders).<br/><br/>*See [Why and how to adjust sharing settings in SharePoint and OneDrive](#why-and-how-to-adjust-sharing-settings-for-files-and-folders-in-sharepoint-and-onedrive).* | Microsoft 365 Business Basic or Standard: <br/>1. Use SharePoint and OneDrive for storing and sharing files.<br/>2. [Set sharing settings for SharePoint and OneDrive](m365bp-protect-against-malware-cyberthreats.md#3-adjust-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). <br/><br/>Microsoft 365 Business Premium: <br/>1. Use SharePoint and OneDrive for storing and sharing files. <br/>2. [Set sharing settings for SharePoint and OneDrive](m365bp-protect-against-malware-cyberthreats.md#3-adjust-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). <br/>3. Use [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) and [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about) with SharePoint and OneDrive. <br/>4. Use [sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels) and [DLP](/microsoft-365/compliance/get-started-with-the-default-dlp-policy). |

-| [8. Use Microsoft 365 Apps on devices](#8-use-microsoft-365-apps-on-devices).<br/><br/>*See [Why users should use Microsoft 365 Apps](#why-users-should-use-microsoft-365-apps).* | Microsoft 365 Business Basic: Use Outlook and Web/mobile versions of Microsoft 365 Apps. <br/><br/>Microsoft 365 Business Standard or Premium: <br/>1. [Install Microsoft 365 Apps on all devices](m365bp-users-install-m365-apps.md). <br/>2. Share the [Employee quick setup guide with users](https://support.microsoft.com/office/7f34c318-e772-46a5-8c0a-ab86661542d1). |

-| [9. Manage calendar sharing for your business](#9-manage-calendar-sharing-for-your-business).<br/><br/>*See [How to prevent calendar oversharing](#how-to-prevent-calendar-oversharing).* | Microsoft 365 Business Basic or Standard: Use Outlook and Exchange Online for email and calendars.<br/><br/>Microsoft 365 Business Premium:<br/>1. Use Outlook and Exchange Online for email and calendars.<br/>2. [Get started using your default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy). |

-| [10. Maintain your environment](#10-maintain-your-environment).<br/><br/>*See [Why maintenance and operations matter](#why-maintenance-and-operations-matter).* | Microsoft 365 Basic or Standard: Use the [Microsoft 365 admin center](https://admin.microsoft.com) to view subscription information, updates, and other settings. <br/><br/>Microsoft 365 Business Premium: <br/>1. Use the [Microsoft 365 admin center](https://admin.microsoft.com) to view subscription information, updates, and other settings. <br/>2. Use the [Microsoft 365 admin center](https://admin.microsoft.com) or the [Microsoft Entra portal](https://entra.microsoft.com) for managing user accounts.<br/>3. Use the [Microsoft 365 Defender portal](https://security.microsoft.com) and the [Microsoft 365 Purview compliance portal](https://compliance.microsoft.com/) for viewing and managing security & compliance capabilities. If preferred, you can use the [Intune admin center](https://intune.microsoft.com) to view or manage devices. |

-The following sections describe each method in more detail, including why and how to implement our recommendations in your environment.

-## 1. Use multi-factor authentication

-| Subscription | Recommendation |

-|||

-| [Microsoft 365 Business Premium](index.md) | [Use either security defaults or Conditional Access](m365bp-turn-on-mfa.md). |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md)<br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | [Use security defaults](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#enabling-security-defaults). |

-### What MFA is and why it matters

-[Multi-factor authentication](../admin/security-and-compliance/multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent bad actors from taking over your account if they know your password.

-To help simplify the process of enabling MFA, [security defaults in Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) are available in Microsoft 365 Business Basic, Standard, and Premium.

-Microsoft 365 Business Premium also includes [Azure AD Premium P1](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) for advanced administration. It enables you to set up and configure [Conditional Access](/azure/active-directory/conditional-access/overview) policies instead of security defaults, for more stringent requirements. See [Turn on multi-factor authentication](m365bp-turn-on-mfa.md).

-## 2. Protect your administrator accounts

-| Subscription | Recommendation |

-|||

-| [Microsoft 365 Business Premium](index.md) <br/>[Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) <br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | [Assign admin roles](/microsoft-365/admin/add-users/assign-admin-roles). |

-### Why you should protect admin accounts

-Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. Make sure to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs.

-Microsoft 365 Business Basic, Standard, and Premium include the [Microsoft 365 admin center](https://admin.microsoft.com) and the [Microsoft Entra portal](https://entra.microsoft.com) to set up and manage your admin accounts. See [Protect your administrator accounts](m365bp-protect-admin-accounts.md).

-## 3. Use preset security policies

-| Subscription | Recommendation |

-|||

-| [Microsoft 365 Business Premium](index.md)<br/>[Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md)<br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | [Assign Standard or Strict preset security policies to users](/microsoft-365/security/office-365-security/preset-security-policies#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users). |

-### How preset security policies help

-[Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies) save time by applying recommended spam, anti-malware, and anti-phishing policies to users all at once. Preset security policies take the guesswork out of implementing protection for email and collaboration content.

-Microsoft 365 Business Basic, Standard, and Premium include [Exchange Online Protection](../security/office-365-security/eop-about.md) (EOP). It includes preset security policies for anti-spam, anti-malware, and anti-phishing.

-Microsoft 365 Business Premium also includes [Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). It includes preset security policies for advanced anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments.

-See the following articles:

-## 4. Protect all devices

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md) | 1. [Turn on MFA](m365bp-turn-on-mfa.md).<br/>2. [Install Microsoft 365 Apps on devices](m365bp-users-install-m365-apps.md).<br/>3. [Secure managed and unmanaged devices](m365bp-managed-unmanaged-devices.md). |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) | 1. [Turn on MFA](m365bp-turn-on-mfa.md).<br/>2. [Install Microsoft 365 Apps on devices](m365bp-users-install-m365-apps.md). |

-| [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | [Turn on MFA](m365bp-turn-on-mfa.md). |

-### Why and how to protect devices

-Every device is a possible attack avenue into your network and must be configured properly, even devices that are personally owned but used for work. Your security team and all employees can all take steps to protect devices. For example, all users can use MFA on their devices.

-Microsoft 365 Business Basic, Standard, and Premium enable users to use MFA on their devices.

-Microsoft 365 Business Premium also includes advanced device protection with [Microsoft Defender for Business](../security/defender-business/mdb-overview.md). Defender for Business includes threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation capabilities.

-Microsoft 365 Business Premium also includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for managing devices.

-See the following articles:

-## 5. Train everyone on email best practices

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md)<br/>[Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) <br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | 1. Follow the guidance in [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats).<br/>2. Share [Protect yourself against phishing and other attacks](m365bp-avoid-phishing-and-attacks.md) with everyone. |

-### Why and how to protect email content

-Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications.

-Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email.

-Microsoft 365 Basic, Standard, and Premium include [EOP](../security/office-365-security/eop-about.md), which provides anti-spam, anti-malware, and anti-phishing protection for email hosted in Exchange Online.

-Microsoft 365 Business Premium also includes [Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet), which provides more advanced protection for email and collaboration, with advanced anti-phishing, anti-spam, and anti-malware protection, Safe Attachments, and Safe Links.

-See the following articles:

-## 6. Use Microsoft Teams for collaboration and sharing

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md) | 1. [Use Microsoft Teams for meetings and information sharing](create-teams-for-collaboration.md). <br/>2. [Use Safe Links & Safe Attachments with Microsoft Teams](/microsoft-365/security/office-365-security/mdo-support-teams-about). <br/>3. [Use sensitivity labels with meetings](/microsoft-365/compliance/sensitivity-labels-meetings) to protect calendar items, Microsoft Teams meetings, and chat. <br/>4. [Use the default DLP policy in Microsoft Teams](/microsoft-365/compliance/dlp-teams-default-policy). |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md)<br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | [Use Microsoft Teams](create-teams-for-collaboration.md). |

-### How to collaborate and share more securely

-The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.

-Microsoft 365 Business Basic, Standard, and Premium include Microsoft Teams.

-Microsoft 365 Business Premium also includes:

-See the following articles:

-## 7. Set sharing settings for SharePoint and OneDrive files and folders

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md) | 1. Use SharePoint and OneDrive for storing and sharing files. <br/>2. [Set sharing settings for SharePoint and OneDrive](m365bp-protect-against-malware-cyberthreats.md#3-adjust-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). <br/>3. Use [Safe Links](/microsoft-365/security/office-365-security/safe-links-about) and [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about) with SharePoint and OneDrive. <br/>4. Use [sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels) and [DLP](/microsoft-365/compliance/get-started-with-the-default-dlp-policy). |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) <br/> [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) |1. Use SharePoint and OneDrive for storing and sharing files.<br/>2. [Set sharing settings for SharePoint and OneDrive](m365bp-protect-against-malware-cyberthreats.md#3-adjust-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). |

-### Why and how to adjust sharing settings for files and folders in SharePoint and OneDrive

-Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs.

-Microsoft 365 Business Basic, Standard, and Premium include OneDrive and SharePoint.

-Microsoft 365 Business Premium also includes:

-See the following resources:

-## 8. Use Microsoft 365 Apps on devices

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md)<br/> [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md) | 1. [Install Microsoft 365 Apps on all devices](m365bp-users-install-m365-apps.md). <br/>2. Share the [Employee quick setup guide with users](https://support.microsoft.com/office/7f34c318-e772-46a5-8c0a-ab86661542d1). |

-| [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | Use Outlook and Web/mobile versions of Microsoft 365 Apps. |

-### Why users should use Microsoft 365 Apps

-Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive.

-Microsoft 365 Business Basic, Standard, and Premium include Outlook and Web/mobile versions of [Microsoft 365 Apps](/deployoffice/about-microsoft-365-apps) (such as Word, PowerPoint, and Excel).

-Microsoft 365 Business Standard and Premium include desktop versions of Microsoft 365 Apps that can be installed on computers, tablets, and phones. Installing the Microsoft 365 Apps helps ensure users get the latest features, new tools, security updates, and bug fixes. (PC users also get Access and Publisher.)

-Microsoft 365 Business Premium also includes:

-See the following articles:

-## 9. Manage calendar sharing for your business

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md) | 1. Use Outlook and Exchange Online for email and calendars.<br/>2. [Get started using your default DLP policy](/microsoft-365/compliance/get-started-with-the-default-dlp-policy). |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md)<br/>[Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | Use Outlook and Exchange Online for email and calendars. |

-### How to prevent calendar oversharing

-You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only, so that users don't accidentally overshare important information.

-Microsoft 365 Business Basic, Standard, and Premium include Outlook and Exchange Online.

-Microsoft 365 Business Premium also includes [Azure Information Protection Plan 1](/azure/information-protection/what-is-information-protection), and that includes DLP policies to protect sensitive information.

-See the following articles:

-## 10. Maintain your environment

-| Subscription | Recommendations |

-|||

-| [Microsoft 365 Business Premium](index.md) | 1. Use the [Microsoft 365 admin center](https://admin.microsoft.com) to view subscription information, updates, and other settings. <br/>2. Use the [Microsoft 365 admin center](https://admin.microsoft.com) or the [Microsoft Entra portal](https://entra.microsoft.com) for managing user accounts.<br/>3. Use the [Microsoft 365 Defender portal](https://security.microsoft.com) and the [Microsoft 365 Purview compliance portal](https://compliance.microsoft.com/) for viewing and managing security & compliance capabilities. If preferred, you can use the [Intune admin center](https://intune.microsoft.com) to view or manage devices. |

-| [Microsoft 365 Business Standard](../admin/setup/setup-business-standard.md)<br/> [Microsoft 365 Business Basic](../admin/setup/setup-business-basic.md) | Use the [Microsoft 365 admin center](https://admin.microsoft.com) to view subscription information, updates, and other settings. If preferred, you can use the [Microsoft Entra portal](https://entra.microsoft.com) to manage user accounts. |

-### Why maintenance and operations matter

-After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs.

-Microsoft 365 Business Basic, Standard, and Premium include the [Microsoft 365 admin center](https://admin.microsoft.com) and the [Microsoft Entra portal](https://entra.microsoft.com) for managing user accounts.

-Microsoft 365 Business Premium also includes advanced security and compliance capabilities. You can use the [Microsoft 365 Defender portal](https://security.microsoft.com) or the [Microsoft 365 Purview compliance portal](https://compliance.microsoft.com/) for viewing and managing security & compliance capabilities.

-See the following articles:

-## See also

-> If you have a billing profile, you can only change the billing frequency when you buy or upgrade a subscription. To find out if you have a billing profile, see [View my billing profiles](manage-billing-profiles.md#view-my-billing-profiles).

-description: "Learn how billing profiles support invoices."

-# Understand billing profiles

-A billing profile contains a payment method, Bill-to information, and other invoice settings, such as purchase order number and email invoice preference. You use a billing profile to pay for the products that you buy from Microsoft. Billing profiles are automatically created, and each are invoiced separately.

-> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles](manage-billing-profiles.md#view-my-billing-profiles).

-## What are billing profile roles?

-Roles on billing profiles have permissions to control purchases, and view and manage invoices. Assign these roles to users who track, organize, and pay invoices. For example, members of the procurement team in your organization.

-| Role | Description |

-|-- | |

-| Billing profile owner | Manage everything for a billing profile |

-| Billing profile contributor | Manage everything except permissions in a billing profile |

-| Billing profile reader | Read-only view of everything in a billing profile |

-| Invoice manager | View and pay bills, and has a read-only view of everything in a billing profile |

-## View my billing profiles

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. Select the **Billing profile** tab, then select a billing profile from the list.

-Each billing profile includes the following information:

-## Need help? Contact support

-If you have questions or need help with your Azure charges, <a href="https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest" target="_blank">create a support request with Azure support</a>.

-If you have questions or need help with your billing profile in Microsoft 365 admin center, [contact support](../../admin/get-help-support.md).

-[How to pay for your subscription with a billing profile](pay-for-subscription-billing-profile.md) (article)\

-[Understand billing accounts](../manage-billing-accounts.md) (article)\

-description: "Learn about billing accounts and how they're used to manage account settings, invoices, payment methods, and purchases."

-# Understand your Microsoft billing accounts

-A billing account is created when you sign up to try or buy Microsoft products. You use your billing account to manage your account settings, invoices, payment methods, and purchases. You can have access to multiple billing accounts. For example, you signed up for Microsoft 365 directly, or you have access to your organization's Enterprise Agreement, Microsoft Product & Services Agreement or Microsoft Customer Agreement. For each of these scenarios, you would have a separate billing account.

-The <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> currently supports the following type of billing accounts:

-The <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page provides a view of your commercial accounts with Microsoft. By default, your organization has at least one billing account associated with an agreement that is accepted either at the time of a direct purchase, or through a Volume Licensing arrangement.

-## Understand billing account details

-The top of the **Billing accounts** detail page is your account profile and contains legal and tax information about your organization. You can update your profile to change your legal address and phone number. This account is the legal entity that pays for the products that you purchase.

-The following table lists the important terms that you see in the **Billing accounts** detail page.

-| Field name | Description |

-|||

-| Sold-to address | The legal entity responsible for payment and identified on the invoice. The address provided here is used to determine your tax rate unless you opt to provide an alternative shipping address during your purchase. For more information, see [Tax information](billing-and-payments/tax-information.md). |

-| Segment | A read-only field that identifies the business segment of your organization (Commercial, Education, Government, or Non-profit). |

-| Account status | A read-only field that specifies the status of your commercial account with Microsoft. |

-| Tax ID | If you are outside the United States, you must provide a VAT or local equivalent. For more information, see [Tax information](billing-and-payments/tax-information.md). |

-| Agreement | When a billing account is created, either through a direct purchase or a Volume Licensing arrangement, a signatory for the organization accepts, or signs, an agreement that outlines the terms & conditions of the account. If applicable, this view lists an agreement history. If you're required to accept updated terms, a link for **Approve agreement** is displayed. |

-| Billing profiles | A billing profile defines properties of your invoice, like who receives the bill, how the bill is delivered, payment terms, and a PO number. To distribute billing across your organization, you can create multiple billing profiles and identify the appropriate billing profile at the time of purchase. For more information about billing profiles and how you can use them to build more flexible billing options for your organization, [Understand billing profiles](billing-and-payments/manage-billing-profiles.md). |

-> If you need to change the **Sold-to** name or address, but don't see an **Edit** link, you must [contact support](../admin/get-help-support.md) to change it. Requests for a **Sold-to** name change will require a credit check. Complete [this form](https://www.microsoft.com/download/details.aspx?id=102732), and be ready to share one of following documents with Microsoft when you contact support:

-> Support can help with name and address changes where only the customer name changes, but the entity remains the same. Documentation provided should clearly show that only the entity's name has changed. If the change is the result of a transaction, including the sale of business, a change of controls, or a divestiture or "spinoff" of a Customer Affiliate, please contact your Microsoft Seller.

-## Shipping addresses

-This section lists the shipping addresses associated with your billing account. When you make a purchase, you can use this address to identify where your purchase is shipped or used. The shipping address is editable. You can add a shipping address or update the existing address. This address is used to determine the tax rate for your purchase.

-## Understand access to billing accounts

-You can provide others with access to the billing account in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> through roles and permissions. Only a billing account owner can grant access to a billing account. You can assign one of the following roles to users:

-> [!Note]

-> - Billing account roles only apply to billing accounts, and don't apply to other Microsoft 365 admin center scenarios.

-> - For billing accounts created inside of Microsoft 365 sign-up, new Global, Billing and Global Reader Administrators are automatically granted distinct levels of access. You can manage this access from the **Billing** > **Billing accounts** page by explicitly removing those users from the role assignment section at the bottom of the page.

-> Before you continue, [determine if you have a billing profile](../billing-and-payments/manage-billing-profiles.md#view-my-billing-profiles).

-> Before you continue, [determine if you have a billing profile](../billing-and-payments/manage-billing-profiles.md#view-my-billing-profiles).

-description: "Sign up for a free 30-day trial for Microsoft 365 Business Standard, Microsoft 365 Business Premium, or Microsoft 365 Apps for business."

-Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585).

-Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.

-Microsoft 365 for business is a subscription service that lets you run your organization in the cloud while Microsoft takes care of the IT for you. Microsoft manages devices, protects against real-world threats, and provides your organization with the latest in business software. You can sign up for a free trial subscription for Microsoft 365 Business Standard, Microsoft 365 Business Premium, or Microsoft 365 Apps for business and try it out for 30 days.

-> You must use a credit card when you sign up for a free trial. At the end of your free trial period, your trial subscription is automatically converted to a paid subscription. Your credit card isn't billed until the end of the trial period.

-> [!IMPORTANT]

-> **Payment options for Office 365 operated by 21Vianet in China**

-> International credit cards are not accepted. You can pay for your subscription by:

->

-> - Invoice

-> - Online payment using Alipay or China UnionPay

-> Proof of payment will be provided in the form of Fapiaos. You can submit your Fapiao request to our [Fapiao system](https://go.microsoft.com/fwlink/p/?LinkId=395314) about three (3) days after you have paid. For more information, see [Apply for a Fapiao for Office 365 operated by 21Vianet](../admin/services-in-chin).

-You don't need an existing Microsoft account to sign up for a free trial. For all other procedures in this article, you must be a Global or Billing admin for your organization. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md).

-### Need help with choosing a plan?

-Deciding on a plan can depend on your specific business needs. The Microsoft 365 plan chooser is designed to help you with this. The chooser will make recommendations based on your answers to questions such as the size of your business, your field of work, the devices you use, and what kind of features, IT support, and security you're looking for. See [Help me find the right plan for my business](https://go.microsoft.com/fwlink/p/?linkid=2224446).

-Use these steps to create an account and sign up for a free trial subscription of Microsoft 365 Business Standard, Microsoft 365 Business Premium, or Microsoft 365 Apps for business.

-1. Go to the <a href="https://www.aka.ms/office365signup" target="_blank">Microsoft 365 Products site</a>.

-2. Select the plan that you want to sign up for, such as **Microsoft 365 Business Standard**, scroll down the page, and select **Try free for 1 month**.

-4. The sign-up process may take several minutes to complete. After it's complete, you're ready to start the setup wizard for your subscription. For more information about setting up your subscription, see [Next steps](#next-steps).

-## Buy a subscription from your free trial

-At the end of your free trial period, your trial subscription automatically converts to a paid subscription. The paid subscription defaults to the plan you currently have. You can buy a different plan by following the steps in [Buy a different subscription](#buy-a-different-subscription).

-If you want to buy your subscription before your trial is over, use these steps:

-1. In the Microsoft 365 admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

-2. On the **Your products** page, find the subscription that you want to buy.

-3. In the **Licenses** section, select **Purchase subscription**.

-4. Choose a billing frequency for your subscription, then select **Checkout**.

-5. On the next page, verify the subscription, and select **Checkout**.

-6. On the next page, verify the **Sold to** address, the **Billed to** information, and **Items in this order**. If you need to make any changes, select **Change** next to the applicable section.

-7. When you\'re finished, select **Accept agreement & place order**.

-## Extend your trial

-Do you need more time to try out the features of Microsoft 365 for business before buying? If your trial subscription is within 15 days of expiring and the trial hasn't been extended before then you can extend your trial for another 30 day period. You can only do this one time.

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

-2. On the **Products** tab, select the trial subscription that you want to extend.

-3. On the subscription details page, in the **Subscriptions and payment settings** section, select **Extend end date**.

-4. In the **Extend end date** pane, review the extension information, and if necessary, select a payment method. When you're finished, select **Extend trial**.

-When you're ready to buy, see [Buy your trial version](#buy-a-subscription-from-your-free-trial).

-## Cancel your free trial subscription

-If you decide to cancel your trial subscription before the free trial period ends, go to the Microsoft 365 admin center and [turn off Recurring billing](subscriptions/renew-your-subscription.md#turn-recurring-billing-off-or-on). The trial will automatically expire when your month ends, and your credit card won't be charged.

-## Try a different subscription

-If you already have a Microsoft 365 for business subscription, you can use the Microsoft 365 admin center to try a different subscription.

-When you add a subscription through the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>], the new subscription is associated with the same organization (domain namespace) as your existing subscription. This association makes it easier to move users in your organization between subscriptions, or to assign them a license for the additional products they need.

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.

-2. On the **Purchase services** page, you see the plans that are available to your organization. Choose the Microsoft 365 plan that you want to try.

-3. On the next page, select **Get free trial**. The trial gives you 25 user licenses for a one-month term.

-4. Choose to receive a text or a call, enter your phone number, then choose **Text me** or **Call me**.

-5. Enter the verification code, then select **Start your free trial**.

-6. On the **Check out** page, select **Try now**.

-7. On the **order receipt** page, select **Continue**.

-## Buy a different subscription

-If you already have a Microsoft 365 for business subscription, you can go through the Microsoft 365 admin center to buy a different subscription for your organization.

-### Watch: Move users to a different subscription

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2198013).

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1SBE2?autoplay=false]

-As your users change roles, they may need features that aren't available in their current Microsoft 365 Business Premium subscription. When this happens, you can add a new subscription that includes those features, and assign licenses to the people who need them.

-> [!NOTE]

-> For some subscriptions, you can only cancel during a limited window of time after you buy or renew your subscription. If the cancellation window has passed, turn off recurring billing to cancel the subscription at the end of its term.

-When you buy another subscription through the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, the new subscription is associated with the same organization (domain name space) as your existing subscription. This makes it easier to move users in your organization between subscriptions or assign them a license for the additional subscription they need.

-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.

-2. On the **Purchase services** page, select the plan that you want to buy, select **Details**, then select **Buy**.

-3. Enter the number of licenses that you need and choose whether to pay each month or for the whole year. Choose whether you want to automatically assign licenses to everyone who does not currently have a license. Then select **Check out now**.

-4. Review the pricing information and select **Next**.

-5. Provide your payment information, and then select **Place order** \> **Go to Admin Home**.

-> You must move users from your free trial subscription to the new subscription before your 90-day grace period ends after your trial subscription expires. By doing this, you keep your data, accounts, and configuration. Otherwise, that information is deleted.

-## Payment options

-You can pay for your subscription by:

-Proof of payment will be provided in the form of Fapiaos. You can submit your Fapiao request to our [Fapiao system](https://go.microsoft.com/fwlink/p/?LinkId=395314) about three (3) days after you have paid. For more information, see [Apply for a Fapiao for Office 365 operated by 21Vianet](../admin/services-in-chin).

-> [!NOTE]

-> International credit cards are not accepted.

-[Microsoft 365 for business training videos](https://support.office.com/article/6ab4bbcd-79cf-4000-a0bd-d42ce4d12816) (video)\

-[Add users and assign licenses at the same time](../admin/add-users/add-users.md) (article)\

-[Assign licenses to users](../admin/manage/assign-licenses-to-users.md) (article)\

-[Upgrade to a different plan](subscriptions/upgrade-to-different-plan.md) (article)\

-[Buy or edit an add-on for Microsoft 365 for business](buy-or-edit-an-add-on.md) (article)\

-For more information about billing accounts, see [Manage billing accounts](manage-billing-accounts.md).

-For more information about billing account roles, see [Understand access to billing accounts](manage-billing-accounts.md#understand-access-to-billing-accounts).

-If this order is the first time your organization is establishing a commercial relationship with Microsoft, and you haven't yet signed an MCA, if the information under **Your organization** or **Lead organization** is incorrect, contact the representative to make changes for you. After you've accepted an MCA, you can review and change your organization's address and contact information on the [Billing accounts](https://go.microsoft.com/fwlink/p/?linkid=2084771) page in the Microsoft 365 admin center. If your organization name changes, open a support request to have it updated. [Learn how to open a support request](../admin/get-help-support.md).

-Other considerations for simulation mode for auto-apply retention policies:

-Example: Set-IrmConfiguration -EnablePortalTrackingLogs $true

-Incidents for Microsoft Purview Data Loss Prevention (DLP) can be managed in the Microsoft 365 Defender portal. See, [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) for details. You can manage DLP incidents along with security incidents from **Incidents & alerts** > **Incidents** on the quick launch of the Microsoft 365 Defender portal.

-To get more details on the items that users are copying or moving outside of your organization (called egress activities, or exfiltration), select the **Learn more** link on the card to open a details pane. You can investigate incidents for Microsoft Purview Data Loss Prevention (DLP) from the Microsoft 365 Defender portal **Incidents & alerts** > **Incidents**. See [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) and [Investigate alerts in Microsoft 365 Defender](../security/defender/investigate-alerts.md).

-Scoped admins can view all adaptive scopes across AUs using cmdlets

-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: 2302+<br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |4.2326.0+ |4.2316.0+ |Under review |

-|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) ^\* |4.2316.0+ |4.2316.0+ |Under review |

-If you delete a sensitivity label from the admin portal, the label is't automatically removed from content, and any protection settings continue to be enforced on content that had that label applied.

-|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows assumes it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.msftconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic|

-3. Country/regions included: Local Geographies, United States and the European Union.

-When Microsoft's data centers were launched in _Local Region Geographies_, it was possible for any _Tenant_ with the appropriate _Default Geography_ to opt in to move their data into the _Local Region Geographies_. This opt in period was open for six months after the Data Center was operational.

-EOP customer data migrates during the Exchange Online migration. MDO P1 does not have customer data to migrate.

-We are in the process of updating the actual data location in the _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed workloads, by navigating to Admin|Settings|Org Settings|Organization Profile|Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your in scope customer data is stored for this service.

-We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online, SharePoint Online and Microsoft Teams data location information in order to understand where your committed data is stored for this service.

-We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your committed data is stored for this service.

-1. In Lighthouse, select the **?** icon at the top of the portal to open the **Help** pane, and then do one of the following:

-

- - If you're on the page of the portal where the issue occurred, select **Show diagnostics**.

- - If your issue isn't isolated to the current page of the portal, go to the next step.

-2. In the **Help** pane, select the **Help + support** button. This opens the **How can we help?** pane.

-3. In the **How can we help?** pane, enter a description of your issue, and then press **Enter**. We recommend including the full product name *Microsoft 365 Lighthouse* in your description to ensure the search results include relevant help articles.

-4. Check out the list of recommended articles to see if any of them help resolve your issue.

-5. If the recommended articles don't help, select **Contact Support**.

-6. Fill out the information in the form, attach any screenshots and the JSON file that you saved in step&nbsp;1 if applicable, and then select **Contact me**. The expected wait time is indicated in the pane.

-To manage tenant tags, you must:

-[Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)\

-[Overview of the Device compliance page in Microsoft 365 Lighthouse](m365-lighthouse-device-compliance-page-overview.md) (article)\

-[Exchange Online Protection (EOP) overview](../security/office-365-security/eop-about.md) (article)

-[Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](m365-lighthouse-deploy-standard-tenant-configurations-overview.md)

-The Multifactor Authentication page provides detailed information on the status of multifactor authentication (MFA) enablement across your tenants. Select any tenant in the list to see more details for that tenant, including which Conditional Access policies requiring MFA are already configured and which users haven't yet registered for MFA.

-[Microsoft 365 Lighthouse device compliance page overview](m365-lighthouse-device-compliance-page-overview.md) (article)\

-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)

-Note that in the preceding image, **Use Defender for Business configuration instead** refers to using the Microsoft 365 Defender portal, with a simplified configuration experience designed for small and medium-sized businesses. If you opt to use the Microsoft 365 Defender portal, you must delete any existing security policies in Intune to avoid policy conflicts. For more details, see [I need to resolve a policy conflict](/microsoft-365/security/defender-business/mdb-troubleshooting#i-need-to-resolve-a-policy-conflict).

->[!TIP]

->You can export your list of policies through the [Microsoft Intune admin center](https://intune.microsoft.com/).

-By enabling this feature, you can ensure that you're seeing the most accurate information about your devices by hiding potential duplicate device records. There are different reasons duplicate device records might occur, for example, the device discovery capability in Microsoft Defender for Endpoint might scan your network and discover a device that's already onboarded or a has recently been offboarded.

-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods.

-Endpoint Attack Notifications enable Microsoft to actively hunt for critical threats to be prioritized based on urgency and impact over your endpoint data.

-For proactive hunting across the full scope of Microsoft 365 DefenderΓÇöincluding threats that span email, collaboration, identity, cloud applications, as and endpointsΓÇö[learn more](https://aka.ms/DefenderExpertsForHuntingGetStarted) about Microsoft Defender Experts.

-keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop

-ms.sitesec: library

-| Group Policy | <ol><li>On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select **Edit**.</li><li>In the Group Policy Management Editor, go to **Computer configuration**.</li><li>Select **Administrative templates**.</li><li>Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.</li><li>Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.</li><li>Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).</li><li>Select **OK**.</li><li>Deploy the GPO to the VMs you want to test.</li></ol> |

-| PowerShell | <ol><li>On each RDS or VDI device, use the following cmdlet to enable the feature: `Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update`. </li><li>Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be.) </li></ol> |

-keywords: malware, defender, antivirus, tamper protection

-ms.pagetype: security

-ms.sitesec: library

-This article also describes daily, weekly, monthly, and ad-hoc tasks required to be performed by the security operations personnel in your organization.

- - General

- - Permissions

- - Rules

- - Device management

- - Configure Microsoft Defender Security Center time zone settings

- In the action center, review the actions that have been taken in your environment, both automated and manual. This will help you validate that automated investigation and response (AIR) is performing as expected and identify any manual actions that need to be reviewed. See [Visit the Action center to see remediation actions.](auto-investigation-action-center.md)

- When Microsoft Defender for Endpoint (MDE) identifies Indicators of compromise (IOCs) or Indicators of attack (IOAs) and generates an alert, this alert will be included in an incident and displayed in the Incidents queue in the Microsoft 365 Defender console.

- Review these incidents to respond to any Microsoft Defender for Endpoint alerts and resolve once the incident has been remediated. See [Get incident notifications by email](../defender/incidents-overview.md#get-incident-notifications-by-email) and [View and organize the Microsoft Defender for Endpoint Incidents queue.](view-incidents-queue.md)

- Review the incident queue, identify false positive and false negative detections and submit them for review. This helps you effectively manage alerts in your environment and make your alerts more efficient. See [Address false positives/negatives in Microsoft Defender for Endpoint.](defender-endpoint-false-positives-negatives.md)

- The ΓÇ£High-impact threatsΓÇ¥ table lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts. See [Track and respond to emerging threats through threat analytics.](threat-analytics.md#view-the-threat-analytics-dashboard)

- Review health reports to identify any device health trends that need to be addressed. The device health reports cover Microsoft Defender for Endpoint AV signature, platform health, and EDR health. See [Device health reports in Microsoft Defender for Endpoint.](device-health-reports.md)

- EDR health is maintaining the connection to the EDR service to make sure that MDE is getting all the required signals to alert and identify vulnerabilities.

- Review unhealthy devices. See [Device health, Sensor health & OS report.](device-health-sensor-health-os.md)

- The Microsoft Defence Antivirus (MDAV) update status is critical for the best performance of your MDE environment and up-to-date detections. The device health page shows you the status of your fleet for platform, intelligence, and engine version. See [Device health, Microsoft Defender Antivirus health report.](device-health-microsoft-defender-antivirus-health.md)

- Review the Message center messages to understand any upcoming changes that will impact your environment.

- You can access this in the Microsoft 365 admin center under the Health tab. See [How to check Microsoft 365 service health.](../../enterprise/view-service-health.md)

- Review health reports to identify any device threat trends that need to be addressed. See [Threat protection report.](threat-protection-reports.md)

- Review threat analytics to identify any campaigns that are impacting your environment. See [Track and respond to emerging threats through threat analytics.](threat-analytics.md)

- Review ASR reporting to identify any files that are impacting your environment. See [Attack surface reduction (ASR) rules report.](attack-surface-reduction-rules-report.md)

- Review web defense reporting to identify any IP / URLs that are being blocked. See [Web protection.](web-protection-overview.md)

-Review the relevant WhatΓÇÖs new pages for your fleet to understand the recently released updates in the product.

- If any devices are excluded from the Microsoft Defender Endpoint policy for any reason, review whether the device still needs to be excluded from the policy.

- > Review the troubleshooting mode for troubleshooting. See [Get started with troubleshooting mode in Microsoft Defender for Endpoint.](enable-troubleshooting-mode.md)

- Review automation levels in automated investigation and remediation capabilities. See [Automation levels in automated investigation and remediation | Microsoft Learn](automation-levels.md)

- Periodically review whether the custom detections that have been created are still valid and effective. See [Review custom detection](../defender/custom-detection-rules.md)

- Periodically review any alert suppression rules that have been created to confirm they are still required and valid. See [Review alerts suppression](manage-alerts.md)

-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Make sure to update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). There are two types of updates related to keeping Microsoft Defender Antivirus up to date:

-#### Known issues

-### March-2023 (Platform: 4.18.2303.8 | Engine: 1.1.20200.4)

-#### What's new

-ms.sitesec: library

-ms.pagetype: security

-<br>

-****

-|

-The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property, example `<enabled><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`:

-description: Investigate data loss in Microsoft 365 Defender.

-keywords: Data Loss Prevention, incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365

- - NOCSH

- - m365-security

- - tier2

- - MOE150

- - met150

-# Investigate data loss incidents with Microsoft 365 Defender

-**Applies to:**

-Incidents for Microsoft Purview Data Loss Prevention (DLP) can now be managed in the Microsoft 365 Defender portal. You can manage DLP incidents along with security incidents from **Incidents & alerts** \> **Incidents** on the quick launch of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. From this page, you can:

-You can also use the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents along with events and evidence into Microsoft Sentinel for investigation and remediation.

-## Licensing requirements

-To investigate Microsoft Purview Data Loss Prevention incidents in the Microsoft 365 Defender portal, you need a license from one of the following subscriptions:

-> [!NOTE]

-> When you are licensed and eligible for this feature, DLP alerts will automatically flow into Microsoft 365 Defender. Open a support case if you want to disable this feature. If you disable this feature the behavior will be reverted to DLP alerts surfacing in the Defender portal as Microsoft Defender for Office alerts.

-## DLP investigation experience in the Microsoft 365 Defender portal

-Before you start, [turn on alerts for all your DLP policies](/microsoft-365/compliance/dlp-configure-view-alerts-policies#alert-configuration-experience) in the <a href="https://purview.microsoft.com" target="_blank">Microsoft Purview compliance portal</a>.

-1. Go to the Microsoft 365 Defender portal, and select **Incidents** in the left hand navigation menu to open the incidents page.

-2. Select **Filters** on the top right, and choose **Service Source : Data Loss Prevention** to view all incidents with DLP alerts.

-3. Search for the DLP policy name of the alerts and incidents you're interested in.

-4. To view the incident summary page, select the incident from the queue. Similarly, select the alert to view the DLP alert page.

-5. View the **Alert story** for details about policy and the sensitive information types detected in the alert. Select the event in the **Related Events** section to see the user activity details.

-6. View the matched sensitive content in the **Sensitive info types** tab and the file content in the **Source** tab if you have the required permission (See details <a href="/microsoft-365/compliance/dlp-alerts-dashboard-get-started#roles" target="_blank">here</a>).

-7. You can also use Advanced Hunting to search through audit logs of user, files, and site locations for your investigation. The **CloudAppEvents** table contains all audit logs across all locations like SharePoint, OneDrive, Exchange and Devices.

-8. You can also download the email by selecting **Actions** \> **Download email**.

-9. For remediation actions on files on SPO or ODB sites, you can see actions like:

- - Apply retention label

- - Apply sensitivity label

- - Unshare file

- - Delete

- For remediation actions, select the **User card** on the top of the alert page to open the user details.

- For Devices DLP alerts, select the device card on the top of the alert page to view the device details and take remediation actions on the device.

-10. Go to the incident summary page and select **Manage Incident** to add incident tags, assign, or resolve an incident.

-> [!IMPORTANT]

-> DLP supports associating DLP policies and alert management with administrative units in the Microsoft Purview compliance portal (preview). DLP alerts are only available to unrestricted DLP administrators in the Microsoft 365 Defender portal. Administrative unit restricted DLP administrator will not see DLP alerts. See [Administrative units](/microsoft-365/compliance/microsoft-365-compliance-center-permissions#administrative-units-preview) for implementation details. See [Policy scoping](/microsoft-365/compliance/dlp-policy-reference#policy-scoping) for details on administrative unit scoping.

-## DLP investigation experience in Microsoft Sentinel

-You can use the Microsoft 365 Defender connector in Microsoft Sentinel to import all DLP incidents into Sentinel to extend your correlation, detection, and investigation across other data sources and extend your automated orchestration flows using Sentinel's native SOAR capabilities.

-1. Follow instructions on Connect data from Microsoft 365 Defender to Microsoft Sentinel to import all incidents including DLP incidents and alerts into Sentinel. Enable `CloudAppEvents` event connector to pull all O365 audit logs into Sentinel.

- You should be able to see your DLP incidents in Sentinel once the above connector is set up.

-2. Select **Alerts** to view the alert page.

-3. You can use **AlertType**, **startTime**, and **endTime** to query the **CloudAppEvents** table to get all the user activities that contributed to the alert. Use this query to identify the underlying activities:

-```kusto

-let Alert = SecurityAlert

-| where TimeGenerated > ago(30d)

-| where SystemAlertId == ""; // insert the systemAlertID here

-CloudAppEvents

-| extend correlationId1 = parse_json(tostring(RawEventData.Data)).cid

-| extend correlationId = tostring(correlationId1)

-| join kind=inner Alert on $left.correlationId == $right.AlertType

-| where RawEventData.CreationTime > StartTime and RawEventData.CreationTime < EndTime

-```

-## Related articles

-This capability adds an extra layer of security protection against potential impersonation attacks, so we recommend that you turn it on.

-The first contact safety tip also replaces the need to create mail flow rules (also known as transport rules) that add the header named **X-MS-Exchange-EnableFirstContactSafetyTip** with the value **Enable** to messages (although this capability is still available).

-|_PermissionToViewHeader_┬╣|Γ£ö|Γ£ö|Γ£ö|

-To verify that Safe Attachments is scanning messages, check the available Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](reports-defender-for-office-365.md) and [Use Explorer in the Microsoft 365 Defender portal](threat-explorer-about.md).

-In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. Safe Links scanning occurs in addition to regular [anti-spam](anti-spam-protection-about.md) and [anti-malware](anti-malware-protection-about.md) protection.

-1. Add your specific DMARC value.

- - Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): '550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy'. The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.

-Microsoft Syntex has two types of product offerings to choose from: