Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Update Dns Records To Retain Current Hosting Provider | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/update-dns-records-to-retain-current-hosting-provider.md | f1.keywords: Previously updated : 02/18/2020 Last updated : 07/10/2024 audience: Admin +- must-keep - VSBFY23 - AdminSurgePortfolio description: "Learn how to route traffic to an existing public website hosted ou Check out all of our small business content on [Small business help & learning](https://go.microsoft.com/fwlink/?linkid=2224585). - **If you manage your domain's Microsoft records at your DNS hosting provider**, you don't have to worry about the steps in this topic. Your website stays where it is and people can still get to it. + **If you manage your domain's Microsoft records at your DNS hosting provider**, you don't have to worry about the steps in this topic. Your website stays where it is and people can still get to it. - **If Microsoft manages your DNS records**, to route traffic to an existing public website hosted outside of Microsoft, after you add your domain to Microsoft, do the following: + **If Microsoft manages your DNS records**, to route traffic to an existing public website hosted outside of Microsoft, after you add your domain to Microsoft, do the following: ## Update DNS records in the Microsoft 365 admin center+ 1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page. 1. On the **Domains** page, select the domain and then choose **DNS Records**. -1. Select **+ Add record** and enter the following: +1. Select **+ Add record** and enter the following: - For **type** enter: **A (Address)** - For **Host name or Alias**, type the following: **@** - - For **IP Address**, type the static IP address for your website where it's currently hosted (for example, 172.16.140.1). 
+ - For **IP Address**, type the static IP address for your website where it's currently hosted (for example, 172.16.140.1). - This must be a *static* IP address for the website, not a *dynamic* IP address. Check with site where your website is hosted to make sure you can get a static IP address for your public website. + This must be a *static* IP address for the website, not a *dynamic* IP address. Check with site where your website is hosted to make sure you can get a static IP address for your public website. -1. Select **Save**. +1. Select **Save**. In addition, you can create a CNAME record to help customers find your website. -1. Select **+ Add record** and enter the following: +1. Select **+ Add record** and enter the following: - For **type** enter: **CNAME (Alias)** - For **Host name or Alias**, type the following: **www** - - For **Points to address**, type the fully qualified domain name (FQDN) for your website (for example, contoso.com). + - For **Points to address**, type the fully qualified domain name (FQDN) for your website (for example, contoso.com). -2. Select **Save**. +1. Select **Save**. Finally, do the following: -[Update your domain's NS records](../setup/add-domain.md) to point to Microsoft. +[Update your domain's NS records](../setup/add-domain.md) to point to Microsoft. When the NS records have been updated to point to Microsoft, your domain is all set up. Email will be routed to Microsoft, and traffic to your website address will continue to go to your current website host. |
admin | Get Help Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-support.md | Severity B/C: 9:00 ~24:00 (Beijing Time) a day, 365 days. ### Open an online request -Save time by starting your service request online. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, choose **Support** \> **New service request**. +Save time by starting your service request online. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">Microsoft 365 admin center</a>, choose **Support** \> **New service request**. ### Call support |
admin | Manage Domain Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/manage-domain-users.md | f1.keywords: Previously updated : 06/02/2020 Last updated : 07/10/2024 audience: Admin +- must-keep - Adm_O365 - Core_O365Admin_Migration description: "Synchronize domain-controlled users with Microsoft 365 for busines # Synchronize domain users to Microsoft 365 -## 1. Prepare for Directory Synchronization +## 1. Prepare for Directory Synchronization Before you synchronize your users and computers from the local Active Directory Domain, review [Prepare for directory synchronization to Microsoft 365](../../enterprise/prepare-for-directory-synchronization.md). In particular: Before you synchronize your users and computers from the local Active Directory - We recommend that you configure the **userPrincipalName** (UPN) attribute for each local user account to match the primary email address that corresponds to the licensed Microsoft 365 user. For example: *mary.shelley@contoso.com* rather than *mary@contoso.local*. -- If the Active Directory domain ends in a non-routable suffix like *.local* or *.lan*, instead of an internet routable suffix such as *.com* or *.org*, adjust the UPN suffix of the local user accounts first as described in [Prepare a non-routable domain for directory synchronization](../../enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md). +- If the Active Directory domain ends in a non-routable suffix like *.local* or *.lan*, instead of an internet routable suffix such as *.com* or *.org*, adjust the UPN suffix of the local user accounts first as described in [Prepare a non-routable domain for directory synchronization](../../enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md). The **Run IdFix** in the following steps makes sure that your on-premises Active Directory is ready for directory synchronization. 
To synchronize your users, groups, and contacts from the local Active Directory 1. In the [admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339), select **Setup** in the left nav. - 2. Under **Sign-in and security**, select **Add or sync users to your Microsoft account**. + 2. Under **Sign-in and security**, select **Add or sync users to Microsoft Entra ID**. 3. On the **Add or sync users to your Microsoft account** page, choose **Get started**. See [Set up directory synchronization for Microsoft 365](../../enterprise/set-up As you configure your options for Microsoft Entra Connect, we recommend that you enable **Password Synchronization**, **Seamless Single Sign-On**, and the **password writeback** feature, which is also supported in Microsoft 365 for business. > [!NOTE]-> There are some additional steps for password writeback beyond the check box in Microsoft Entra Connect. For more information, see [How-to: configure password writeback](/azure/active-directory/authentication/howto-sspr-writeback). +> There are some additional steps for password writeback beyond the check box in Microsoft Entra Connect. For more information, see [How-to: configure password writeback](/azure/active-directory/authentication/howto-sspr-writeback). If you also want to manage domain-joined Windows 10 devices, see [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium](../../business-premium/m365bp-manage-windows-devices.md) to set up a Microsoft Entra hybrid join. |
bookings | Add Staff | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/add-staff.md | Title: "Add staff to Bookings" + Title: "Add team members to Bookings" -# Add staff to Bookings +# Add team members to Bookings -The Staff page in Bookings is where you create your staffing list and manage staff member details such as name, phone number, and email address. You can also set working hours for each staff member from here. +The Staff page in Bookings is where you create your staff list and manage staff member details such as name, phone number, and email address. You can also set working hours for each staff member from here. Note, a staff member is a team member. ++This article covers the key steps required to add staff members to a shared booking page. ## Before you begin Although Bookings is a feature of Microsoft 365, not all of your staff members a ## Steps -1. From the Bookings home page, choose your calendar from the homepage. +1. From the Bookings homepage, navigate to the Shared Bookings section, and select the booking page you wish to add team members to. 2. Go to staff option in left pane and select **Staff**, and then **Add new staff**. Although Bookings is a feature of Microsoft 365, not all of your staff members a > To add staff from outside of your organization, manually fill in their email and other information. Staff from outside your tenant will not be able to share free/busy information with Bookings. 4. For each staff member, select a role: Team member, Scheduler, Viewer, or Guest.- - **Team member** can manage bookings on their own calendar and their availability in the booking mailbox. When adding or editing a booking in their calendar, they'll be assigned as staff. - - **Scheduler** can manage bookings on the calendar and customer details. They have read-only access to settings, staff, and services. - - **Viewer** can see all the bookings on the calendar, but they canΓÇÖt modify or delete them. 
They have read-only access to settings. - - **Guest** can be assigned to bookings, but they canΓÇÖt open the booking mailbox. 5. Select **Notify all staff via email when a booking assigned to them is created or changed** to enable staff emails. The following is an example email: :::image type="content" source="media/bookings-notify-all-email.jpg" alt-text="A notification email from Bookings."::: -6. Select **Events on Microsoft 365 calendar affect availability** if you want the free/busy information from staff membersΓÇÖ calendars to impact availability for bookings services through Bookings. +6. Select **Events on Microsoft 365 calendar affect availability** if you want the free/busy information from staff membersΓÇÖ calendars to impact availability for booking services through Bookings. For example, if a staff member has a team meeting or a personal appointment scheduled for 3pm on a Wednesday, Bookings will show that staff member as unavailable to be booked in that time slot. That time will appear as busy or tentative in the Bookings Page view, as shown in the below example. :::image type="content" source="media/bookings-busy-tentative-view-2.png" alt-text="A view of a Bookings Page."::: > [!IMPORTANT]- > We highly recommend leaving this setting on (it is turned on by default) to avoid double-bookings and to optimize the availability of your staff members. + > This setting is turned on by default. We highly recommend leaving this setting on to avoid double-bookings and to optimize the availability of your staff members. 7. Select **Use business hours** to set all bookable times for your staff members to be only within the business hours that you set in the **Business hours** section on the Business Information page. |
bookings | Bookings In Outlook | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/bookings-in-outlook.md | description: "Steps to turn your Personal Bookings page on or off" # Turn your Personal Bookings page on or off - Bookings is a time management solution that provides a simple and powerful scheduling page with seamless integration with outlook. It lets people schedule a meeting or appointment with you through a booking page that integrates with the free/busy information from your Outlook calendar. You can create custom meeting types to share with others so they can easily schedule time with you based on your availability and preferences. You both get an email confirmation and attendees can update or cancel scheduled meetings with you from your Personal Bookings page. +Microsoft Bookings is a time management solution that provides a simple and powerful scheduling page with seamless integration with Outlook. It lets people schedule a meeting or appointment with you through a booking page that integrates with the free/busy information from your Outlook calendar. You can create custom meeting types to share with others so they can easily schedule time with you based on your availability and preferences. You both get an email confirmation and attendees can update or cancel scheduled meetings with you from your Personal Bookings page. ++>[!NOTE] +> Bookings with me and Personal Bookings are terms used interchangeably. Personal Bookings has two different views: -- **Organizer view**: An organizer is someone who creates meeting types and shares the booking page with others so that they can easily schedule meetings with them. A personal booking page is where you can create meeting types that others can book with you. Custom meeting types give you the ability to customize when you want to meet and how that meeting type is shared with others. 
You control whether each meeting type is public to your scheduling page or is private and can only be accessed by a select group of people. You can access your Bookings with me page through Outlook, web and Teams. After you set up your page and publish it, you can share it with others. For example, you can add it to your Outlook signature.+- **Organizer view**: An organizer is someone who creates meeting types and shares the booking page with others so that they can easily schedule meetings with them. A personal booking page is where you can create meeting types that others can book with you. You control whether each meeting type is public to your scheduling page or is private and can only be accessed by a select group of people. After you set up your personal booking page and publish it, you can share it with others. For example, you can add it to your Outlook signature. - **Attendee view**: An attendee is someone who uses the booking page to create or attend a meeting scheduled by an organizer. After the organizer shares their personal booking page with others, those visitors will see the attendee view. ## When to use Personal Bookings -Bookings with me is an ideal solution for enterprise, small business, and users in education to schedule 1:1 meetings with those outside and inside their organizations. Below are a few examples of how you can use Bookings with me. +Personal Bookings is an ideal solution for enterprise, small business, and users in education to schedule 1:1 meetings with those outside and inside their organizations. Below are a few examples of how you can use Bookings with me. - Schedule interviews with external candidates - Set up customer and client meetings Bookings with me is an ideal solution for enterprise, small business, and users - 1:1 meetings with direct reports - Lunch and coffee breaks -### End users - ## Before you begin Personal Bookings can be turned on or off for your entire organization or for specific users. 
When you turn on Bookings for users, they can create a Bookings page, share their page with others, and allow other people to book time with them. This article is for owners and administrators who manage Personal Bookings for their organizations. Personal Bookings is available in the following subscriptions: - Personal Bookings is available for G1, G3, G5 Personal Bookings is on by default for users with these subscriptions. -Personal Bookings needs the **Microsoft Bookings App (service plan)** assigned to users for them to be able to access Bookings. This service plan can be enabled/disabled by tenant admins. So, if **Microsoft Bookings** isn't assigned to them, Bookings access will be denied to users even if they are in one of the previously listed SKUs. +Personal Bookings needs the **Microsoft Bookings App (service plan)** assigned to users for them to be able to access Bookings. This service plan can be enabled or disabled by tenant admins. So, if **Microsoft Bookings** isn't assigned to them, Bookings access will be denied to users even if they are in one of the previously listed SKUs. For more information, see the [Bookings with me Microsoft 365 Roadmap item](https://go.microsoft.com/fwlink/?linkid=328648). Use the **Get-CASMailbox** and **Set-CASMailbox** commands to check user status ## Frequently asked questions -### What is the difference between Bookings and Bookings with me? +### What is the difference between Shared Bookings and Personal Bookings? -Bookings with me integrates with your Outlook calendar and can only be used for 1:1 meetings. Bookings with me is intended for scheduling meeting times with individual users. Bookings is intended for managing scheduling for a group of people. +Personal Bookings integrates with your Outlook calendar and can only be used for 1:1 meetings. It is intended for scheduling meeting times with individual users. -Also, Bookings with me won't create a new mailbox for each Bookings with me page. 
Note that Bookings with me and Personal Bookings are terms used interchangeably. +Shared Bookings is intended for managing scheduling for a group of people. Also, Personal Bookings won't create a new mailbox for each booking page. ### Who can access my public Bookings page? -Public meeting types can be accessed by anyone that has your Bookings with me page address. You decide who you share your Bookings with me page address with. +Public meeting types can be accessed by anyone that has your personal booking page link. You decide who you share your booking page with. ### What is the difference between public and private meeting types? -Meeting types can be public or private. Public meeting types are available to anyone that you share your Bookings page link with. Private meeting types are only available to people that you share the individual private meeting type with. +Meeting types can be public or private. Public meeting types are available to anyone that you share your Bookings page link with. Private meeting types are only available to people that you share the individual private meeting type with. Private meeting types can also generate single use links. Single use links expire after their first booking. ### Do people need to have a Microsoft account or Bookings license to schedule time with me? -No. Anyone or any attendee can schedule time with you using your Bookings with me page, even if they don't have a Microsoft account. You, as an organizer, need a Bookings license to create a Bookings with me page. +No. Anyone or any attendee can schedule time with you using your personal booking page, even if they don't have a Microsoft account. You, as an organizer, need a Bookings license to create a personal booking page. ## Privacy -### Where is Bookings with me data stored? +### Where is Personal Bookings data stored? -Bookings with me is a feature of Outlook powered by Bookings. All data is stored within the Microsoft 365 platform and in Exchange. 
Bookings with me follows data storage policies set by Microsoft, which are the same policies that all apps in Microsoft 365 follow. All customer data (including information provided by attendees when booking) is captured in Bookings and is stored within Exchange. For more information, check out [Privacy: It's all about you](https://www.microsoft.com/trust-center/privacy). +All data is stored within the Microsoft 365 platform and in Exchange. Personal Bookings follows data storage policies set by Microsoft, which are the same policies that all apps in Microsoft 365 follow. All customer data (including information provided by attendees when booking) is captured in Bookings and is stored within Exchange. For more information, check out [Privacy: It's all about you](https://www.microsoft.com/trust-center/privacy). |
bookings | Define Service Offerings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/define-service-offerings.md | Title: "Define your Bookings service offerings" + Title: "Define your services in shared bookings" -# Define your service offerings in Bookings +# Define your services in shared bookings -When you define your service offerings in Microsoft Bookings, you set a service name, description, location (choose whether you want to meet in person or have an online meeting), duration, default reminders to customers and staff, internal notes about the service, and pricing. You can also tag the employees who are qualified to provide the service. Then, when customers come to your business web site to book an appointment, they can see exactly what types of appointments are available, choose the person they want to provide the service, and how much their service will cost. +When you define your service offerings in Microsoft Bookings, you set a service name, description, location (choose whether you want to meet in person or have an online meeting), duration, default reminders to customers and staff, internal notes about the service, and pricing. You can also tag the employees who are qualified to provide the service. Then, when customers come to your business website to book an appointment, they can see exactly what types of appointments are available, choose the person they want to provide the service, and see how much their service will cost. You can also add customized information and URLs to the email confirmation and reminders that you send when someone books a service through your booking page. You can also add customized information and URLs to the email confirmation and r ## Steps -Here are the steps to add a new service. 
+Here are the steps to add a new service: > [!NOTE] > Changes to business-related settings, like enabling or disabling one-time passwords (OTP) or sending meeting invites, may take up to 10 minutes to apply. -1. In Microsoft 365, select the App launcher, and then select **Bookings**. +A. Under **Shared booking pages** from the Bookings homepage, either select the page for which you want to create a new service, or create a new booking page and then select it from the available pages. -1. Under **Shared booking pages**, either select the page for which you want to create a new service, or create a new booking page and then select it from the available pages. +B. On the shared booking page, select **Services**, and then select **Add new service**. -1. On the shared booking page, select **Services**, and then select **Add new service**. -- The number of services should be limited to 50. +The number of services should be limited to 50. 1. On the **Basic details** page, add your selections. - **Service name**: enter the name of your service. This is the name that will appear in the drop-down menu on the Calendar page. This name will also appear when anyone manually adds an appointment on the Calendar page, and it will appear as a tile on the Self-service page. + **Service name**: Enter the name of your service. This is the name that will appear in the drop-down menu on the booking page. This name will also appear when anyone manually adds an appointment on the booking page, and it will appear as a tile on the Self-service page. **Description**: The description you enter is what will appear when a user selects the information icon on the Self-service page. Here are the steps to add a new service. **Buffer time**: Enabling this setting allows for the addition of extra time to the staffΓÇÖs calendar every time an appointment is booked. - The time will be blocked on the staffΓÇÖs calendar and impact free/busy information. 
This means if an appointment ends at 3:00 pm and 10 minutes of buffer time has been added to the end of the meeting, the staffΓÇÖs calendar will show as busy and nonbookable until 3:10pm. This can be useful if your staff needs time before a meeting to prepare, such as a doctor reviewing a patientΓÇÖs chart, or a financial advisor preparing relevant account information. It can also be useful after a meeting, such as when someone needs time to travel to another location. + The time will be blocked on the staffΓÇÖs calendar and impact free/busy information. This means if an appointment ends at 3:00 pm and 10 minutes of buffer time has been added to the end of the meeting, the staffΓÇÖs calendar will show as busy and non-bookable until 3:10pm. This can be useful if your staff needs time before a meeting to prepare, such as a doctor reviewing a patientΓÇÖs chart, or a financial advisor preparing relevant account information. It can also be useful after a meeting, such as when someone needs time to travel to another location. - **Price not set**: Select the price options that will display on the Self-Service page. If **Price not set** is selected, then no price or reference to cost or pricing will appear. + **Price not set**: Select the price options that will display on the Self-service page. If **Price not set** is selected, then no price or reference to cost or pricing will appear. **Notes**: This field appears in the booking event for booked staff, and on the event that appears on the Calendar tab in the Bookings web app. - **Maximum attendees per event**: This setting allows you to create services that require the ability for multiple people to book the same appointment time and the same staff (such as a fitness class). The appointment time slot for the selected service, staff, and time will be available to book until the maximum number of attendees, specified by you, has been reached. 
Current appointment capacity and attendees can be viewed in the Calendar tab in the Bookings Web app. We refer to this as 1:N booking service. + **Maximum attendees per event**: This setting allows you to create services that require the ability for multiple people to book the same appointment time and the same staff (such as a fitness class). The appointment time slot for the selected service, staff, and time will be available to book until the maximum number of attendees, specified by you, has been reached. Current appointment capacity and attendees can be viewed in the Calendar tab in the Bookings Web app. We refer to this as a 1:N booking service. :::image type="content" source="media/bookings-maximum-attendees.jpg" alt-text="Example of setting maximum attendees in Bookings"::: - **Let customers manage their appointment when it was booked by you or your staff on their behalf**: This setting determines whether or not the customer can modify or cancel their booking, provided it was booked through the Calendar tab on the Bookings Web app. -- - Enabled: -- The **Manage Booking** button appears on the customer confirmation email. When this button is selected by the customer, three options appear: -- - **Reschedule** Selecting this option brings the user to a service-specific Self-Service page, where they can select a new time and/or date for the same service and same staff member from the original booking. Note that even though the original staff member is attached to the rescheduled booking by default, the user does have the option of changing the staff member as well. - - **Cancel booking** This cancels the booking and removes it from the staff's calendar. - - **New booking** This option brings the user to the Self-Service page with all services and staff listed, for scheduling a new booking. 
-- :::image type="content" source="media/bookings-manage-booking-button.jpg" alt-text="The Manage Bookings button in Bookings."::: -- We only recommend leaving this setting enabled if you're comfortable with customers accessing the Self-Service page. -- - Disabled: -- The user will have no ability to reschedule or cancel their booking when they book through the Calendar tab on the Bookings Web app. When booking through the Self-Service page, however, customers will still have the **Manage Booking** button and all of its options, even when this setting is disabled. -- We recommend disabling this setting if you want to limit access to the Self-Service page. Additionally, we suggest adding text to your confirmation and reminder emails that tells your customers how to make changes to their booking through other means, such as by calling the office or emailing the help desk. - **Language**: Select the default language for the booking from the drop-down list. 1. On the **Availability options** page, you can see the options you've selected from your **Booking page** for your scheduling policy and availability for your staff. For more information, see [Set your scheduling policies](set-scheduling-policies.md). Here are the steps to add a new service. 1. **Custom fields** can be useful when collecting information that is needed every time the specific appointment is booked. Examples include insurance provider prior to a clinic visit, loan type for loan consultations, major of study for academic advising, or applicant ID for candidate interviews. These fields will appear on the Booking page when your customers book appointments with you and your staff. - Customer email, phone number, address, and notes are nonremovable fields, but you can make them optional by deselecting **Required** beside each field. + Customer email, phone number, address, and notes are non-removable fields, but you can make them optional by deselecting **Required** beside each field. 1. 
On the **Notifications** page, you can send SMS messages, set up reminders, and send notifications. Here are the steps to add a new service. :::image type="content" source="media/bookings-additional-info.jpg" alt-text="Additional information in a Bookings email." lightbox="media/bookings-additional-info.jpg"::: - Opt-in box on the manual booking and Self-Service Page: + Opt-in box on the manual booking and Self-service Page: :::image type="content" source="media/bookings-opt-In-boc.jpg" alt-text="The opt-in box in Bookings."::: Here are the steps to add a new service. 1. There are two more controls available to ease your Service creation journey: - **Default scheduling policy** is on by default. Turn the toggle off if you want to customize how customers book a particular staff member.- - **Publishing options** Choose whether to have this service appear as bookable on the Self-Service page, or to make the service bookable only on the Calendar tab within the Bookings Web app. + - **Publishing options** Choose whether to have this service appear as bookable on the Self-service page, or to make the service bookable only on the Calendar tab within the Bookings Web app. 1. Select **Save changes** to create the new service. |
bookings | Enter Business Information | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/bookings/enter-business-information.md | Title: "Enter your Bookings business information" + Title: "Set up your shared booking page" -# Enter your business information in Microsoft Bookings +# Set up your shared booking page in Microsoft Bookings -In Microsoft Bookings, the Business Information page within the web app contains all the details that you'd typically find on a business' "About us" page. These details include a relevant name, address, phone number, web site URL, privacy policy URL, logo, and business hours. +Microsoft Bookings is a powerful scheduling tool that allows businesses to manage appointments with ease. One of the key features of Microsoft Bookings is the ability to set up shared bookings. This functionality enables multiple staff members to handle appointments, ensuring greater flexibility and efficiency in managing customer interactions. In this article, we will walk you through the four essential steps required to set up shared bookings in Microsoft Bookings. ++## Steps to quickly create a shared booking page ++On the home page of Bookings, navigate to the Shared Bookings section and select **Create booking page**. You can either create a booking page from scratch or clone an existing booking page. Select **Create from scratch** to create a new shared booking page. ++1. Enter your business name, upload your business logo, and update your business hours. Note, business name is the only required field here. All the other details can be configured later from the Business Information page. This section is covered in detail in [Enter your business information in Microsoft Bookings](#enter-your-business-information-in-microsoft-bookings). +++2. Invite staff - Add your team members in this section. These people will be able to view and manage bookings for the team based on the team roles assigned. 
You can choose to configure this later as well. +++3. Add a service - You can add the list of services you wish to offer or customize the default service shown. You can choose to configure this later and proceed with the default service. +++4. Choose who can book appointments - Decide the level of control you want to give to your customers for booking appointments from your booking page. +++5. Select **Create** to finish setting up your booking page. If you quit at this stage, your progress will not be saved. +++6. Once your shared booking page is set up, you can share it or configure it further. Select **Get Started** to tailor your shared booking page to meet your business requirements. +++## Enter your business information in Microsoft Bookings ++In Microsoft Bookings, the Business Information page contains all the details that you'd typically find on a business' "About us" page. These details include a relevant name, address, phone number, web site URL, privacy policy URL, logo, and business hours. The information you provide here's displayed on the page customers and clients use to book appointments (known as the booking page) and in messages and reminders sent to them by Bookings. The information you provide here's displayed on the page customers and clients u ## Provide business name and contact information -1. In Microsoft 365, select the App launcher, and then select **Bookings**. --1. In the navigation pane, select **Your calendar** > **Business information** in the left pane. +1. Once you have created a shared booking page, select **Business information** in the left pane. 1. On the **Basic details** section, enter your business name, address, and phone number you would like to use for your booking page. |
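Review bot: in the new "Enter your business information" paragraph, "The information you provide here's displayed" contracts "here is" and reads as a typo; write "here is displayed". The new "Steps to quickly create a shared booking page" list numbers its items "1." then "2." through "6.", whereas the rest of this file (see the "Provide business name and contact information" steps) uses repeated "1." markers; align to one convention. In step 1, "Note, business name is the only required field here." reads better as "Note that the business name is the only required field here."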
business-premium | M365bp Mdb Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-mdb-whats-new.md | This article lists new features in the latest release of [Microsoft 365 Business ## July 2024 -- (GA) Learning hub resources, including Microsoft Defender XDR Ninja training, learning paths, and training modules have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject. +- (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject. + ## March 2024 |
business-premium | M365bp Secure Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-secure-copilot.md | Title: Secure Copilot in Business Standard and Business Premium -description: "Learn how to secure Microsoft Copilot for Microsoft 365 Business Standard and Microsoft 365 Business Premium." + Title: Secure Copilot for small businesses +description: "Learn how to secure Microsoft Copilot for Microsoft 365 Business Basic, Microsoft 365 Business Standard, and Microsoft 365 Business Premium." search.appverid: MET150 -# Secure Microsoft Copilot for Microsoft 365 in Microsoft 365 Business Standard and Microsoft 365 Business Premium +# Secure Microsoft Copilot for Microsoft 365 for small businesses -This article explains the differences in security and compliance controls between Copilot for Microsoft 365 in Microsoft 365 Business Standard and Microsoft 365 Business Premium. This article doesn't attempt to describe the full capabilities of Copilot for Microsoft 365, or the full security and compliance features in Business Standard and Business Premium. +This article explains the differences in security and compliance controls between Copilot for Microsoft 365 in Microsoft 365 Business Basic, Microsoft 365 Business Standard, and Microsoft 365 Business Premium. This article doesn't attempt to describe the full capabilities of Copilot for Microsoft 365, or the full security and compliance features in Business Basic, Business Standard, and Business Premium. -The following sections contain scenarios to help you better understand how security features in Business Standard and Business Premium can help protect you when you're using Copilot for Microsoft 365. +The following sections contain scenarios to help you better understand how security features in Business Basic, Business Standard, and Business Premium can help protect you when you're using Copilot for Microsoft 365. 
## Enable new levels of employee productivity while safeguarding company data and resources How can companies enable new levels of employee productivity with tools like Microsoft Copilot for Microsoft 365 while safeguarding company data and resources? -- Use the following capabilities in **Business Standard** to make sure that unauthorized employees can't use Copilot for Microsoft 365 to gain access to information or confidential data in files that they don't have access to:+- Use the following capabilities in **Business Basic** or **Business Standard** to make sure that unauthorized employees can't use Copilot for Microsoft 365 to gain access to information or confidential data in files that they don't have access to: - Sign in without a password using multifactor authentication and help ensure only authorized users have access to data. - Ensure only enrolled, compliant devices can access Microsoft 365 resources with device-based conditional access. - Wipe all work content, including content generated by Copilot if a device is lost, stolen, or compromised. How can companies enable new levels of employee productivity with tools like Mic How can companies ensure that sensitive or personal data isn't exposed when using Copilot for Microsoft 365? -- Use the following capabilities in **Business Standard** to make sure that unauthorized employees can't use Copilot for Microsoft 365 to gain access to information or confidential data in files that they don't have access to:+- Use the following capabilities in **Business Basic** or **Business Standard** to make sure that unauthorized employees can't use Copilot for Microsoft 365 to gain access to information or confidential data in files that they don't have access to: - Change default sharing options in SharePoint and OneDrive. - Prohibit Copilot for Microsoft 365 from including sensitive data that users don't have permissions to view in generated responses. 
- Exclude sensitive files that users don't have permissions to view from being processed by Copilot. How can companies ensure that sensitive or personal data isn't exposed when usin How can companies monitor interactions with Copilot for Microsoft 365 and support related regulatory compliance or eDiscovery requests? -- In **Business Standard**, companies can achieve the following results:+- In **Business Basic** or **Business Standard**, companies can achieve the following results: - Monitor, search, and export employee interactions with Copilot for Microsoft 365, and any content generated by Copilot for Microsoft 365. - Define how long content generated by Copilot for Microsoft 365 should be retained within Microsoft 365. - The following capabilities in **Business Standard** lead to these results: + The following capabilities in **Business Basic** or **Business Standard** lead to these results: - Search for and export Copilot interactions by content and keyword search. - Maintain a log of all Copilot for Microsoft 365 interactions within the organization. 
How can companies monitor interactions with Copilot for Microsoft 365 and suppor ## Appendix -The available security and compliance features related to Copilot for Microsoft 365 in Business Standard and Business Premium is summarized in the following tables: +The available security and compliance features related to Copilot for Microsoft 365 in Business Basic, Business Standard, and Business Premium is summarized in the following tables: - **Identity and Access Management (Microsoft Entra ID)**: - |Scenario|Business<br/>Standard|Business<br/>Premium| - ||::|::| - |Sign in to Copilot for Microsoft 365 with a single identity|Γ£ö|Γ£ö| - |Enforce MFA when accessing Microsoft 365 to use Copilot|Γ£ö|Γ£ö| - |Enable end-user password reset, change, and unlock when accessing Microsoft 365|Cloud users|Γ£ö| - |Implement Conditional Access policies based on identity, device, and location when accessing Microsoft 365 to use Copilot||Γ£ö| - |Enable near real-time access policies enforcement, evaluate critical events, and immediately revoke access to Microsoft 365||Γ£ö| - |Require employees or guests to accept terms of use policy before getting access||Γ£ö| + |Scenario|Business<br/>Basic|Business<br/>Standard|Business<br/>Premium| + ||::|::|::| + |Sign in to Copilot for Microsoft 365 with a single identity|Γ£ö|Γ£ö|Γ£ö| + |Enforce MFA when accessing Microsoft 365 to use Copilot|Γ£ö|Γ£ö|Γ£ö| + |Enable end-user password reset, change, and unlock when accessing Microsoft 365|Cloud users|Cloud users|Γ£ö| + |Implement Conditional Access policies based on identity, device, and location when accessing Microsoft 365 to use Copilot|||Γ£ö| + |Enable near real-time access policies enforcement, evaluate critical events, and immediately revoke access to Microsoft 365|||Γ£ö| + |Require employees or guests to accept terms of use policy before getting access|||Γ£ö| - **Endpoint Management (Basic Mobility and Security or Intune)**: - |Scenario|Business<br/>Standard|Business<br/>Premium| - ||::|::| 
- |Push/deploy Microsoft 365 apps to devices and grant access to Copilot in those apps||Γ£ö| - |Manage Microsoft 365 app updates||Γ£ö| - |Restrict the use of Microsoft 365 apps and Teams (and Copilot in those apps) on personal devices||Γ£ö| - |Prevent saving files (including files generated by Copilot) to unprotected apps||Γ£ö| - |Wipe all work content (including content generated by Copilot) if a device is lost, stolen, or compromised|Γ£ö|Γ£ö| - |Revoke work access on noncompliant devices|iOS, Android|Γ£ö| + |Scenario|Business<br/>Basic|Business<br/>Standard|Business<br/>Premium| + ||::|::|::| + |Push/deploy Microsoft 365 apps to devices and grant access to Copilot in those apps|||Γ£ö| + |Manage Microsoft 365 app updates|||Γ£ö| + |Restrict the use of Microsoft 365 apps and Teams (and Copilot in those apps) on personal devices|||Γ£ö| + |Prevent saving files (including files generated by Copilot) to unprotected apps|||Γ£ö| + |Wipe all work content (including content generated by Copilot) if a device is lost, stolen, or compromised|Γ£ö|Γ£ö|Γ£ö| + |Revoke work access on noncompliant devices||iOS, Android|Γ£ö| - **Data Security and Compliance (Information Protection)**: - |Scenario|Business<br/>Standard|Business<br/>Premium| - ||::|::| - |Search for Copilot generated data and interactions with eDiscovery capabilities|Search and export results|+ Case management and legal hold| - |Audit logs for Copilot interactions|Audit (Standard)|Audit (Standard)| - |Apply a manual retention policy for Copilot interactions|Γ£ö|Γ£ö| - |Data loss prevention (DLP) policies to protect sensitive data generated by Copilot and saved in Microsoft 365 locations from exfiltration||Files and email| - |Manually label and protect Microsoft 365 content used by Copilot||Files and email| - |Inherit sensitivity labels and cite sensitivity labels in output and references in Copilot||Γ£ö| - |Prohibit Copilot from including sensitive data that users have no extract permissions for|Γ£ö|Γ£ö| - |Exclude 
sensitive files that users have no permission to view from being processed by Copilot|Γ£ö|Γ£ö| + |Scenario|Business<br/>Basic|Business<br/>Standard|Business<br/>Premium| + ||::|::|::| + |Search for Copilot generated data and interactions with eDiscovery capabilities|Search and export results|Search and export results|+ Case management and legal hold| + |Audit logs for Copilot interactions|Audit (Standard)|Audit (Standard)|Audit (Standard)| + |Apply a manual retention policy for Copilot interactions|Γ£ö|Γ£ö|Γ£ö| + |Data loss prevention (DLP) policies to protect sensitive data generated by Copilot and saved in Microsoft 365 locations from exfiltration|||Files and email| + |Inherit sensitivity labels and cite sensitivity labels in output and references in Copilot|||Γ£ö| + |Prohibit Copilot from including sensitive data that users have no extract permissions for||Γ£ö|Γ£ö| + |Exclude sensitive files that users have no permission to view from being processed by Copilot|Γ£ö|Γ£ö|Γ£ö| + |Manually label and protect Microsoft 365 content used by Copilot|||Files and email| |
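Review bot: the rewritten prose and the rewritten tables disagree on Business Basic. The "sensitive or personal data" scenario lists "Prohibit Copilot for Microsoft 365 from including sensitive data that users don't have permissions to view" under "Business Basic or Business Standard", but the Data Security table leaves the Business Basic column blank for "Prohibit Copilot from including sensitive data that users have no extract permissions for"; likewise the first scenario claims device-based conditional access for Basic or Standard while the identity table reserves Conditional Access for Business Premium. One side needs correcting before this ships. Also, the `+` line "The available security and compliance features ... is summarized" keeps the original agreement error; use "are summarized".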
commerce | Move Users Different Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/move-users-different-subscription.md | |
enterprise | Microsoft 365 Inter Tenant Collaboration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-inter-tenant-collaboration.md | Title: "Microsoft 365 inter-tenant collaboration" Previously updated : 09/25/2023 Last updated : 07/11/2024 audience: Admin +- must-keep search.appverid: - MET150 - MOE150 |
enterprise | Microsoft 365 Tenant To Tenant Migrations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-migrations.md | Title: "Microsoft 365 tenant-to-tenant migrations" Previously updated : 08/28/2023 Last updated : 07/11/2024 audience: Admin +- must-keep search.appverid: - MET150 - MOE150-There are several architecture approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate an existing Microsoft 365 tenant to a new tenant. Most customers work with Microsoft Consulting Services or a Microsoft partner to migrate tenants, including using third-party tools to migrate content. +There are several architecture approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate an existing Microsoft 365 tenant to a new tenant. Most customers work with Microsoft Consulting Services or a Microsoft partner to migrate tenants, including using third-party tools to migrate content. Use the [Tenant-to-tenant migration architecture model](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) to understand how to plan for Microsoft 365 tenant-to-tenant migrations and the steps of a migration. 
-[![Tenant-to-tenant migration model.](../media/solutions-architecture-center/msft-tenant-to-tenant-migration-thumb.png)](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) +[![Tenant-to-tenant migration model.](../media/solutions-architecture-center/msft-tenant-to-tenant-migration-thumb.png)](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) You download this model in [PDF](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf) format and print it on letter, legal, or tabloid (11 x 17 inches) size paper. |
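Review bot: the `-`/`+` pair for the thumbnail image line is textually identical, so that hunk changes only whitespace or line endings; if that was not intended, drop it to keep the diff minimal. The unchanged context line "You download this model in PDF format and print it" is missing "can" ("You can download this model"), which could be fixed in the same commit since the paragraph is already being touched.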
frontline | Flw Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-devices.md | Title: Manage devices for frontline workers + Title: Frontline device management overview -+ audience: admin ms.localizationpriority: high search.appverid: MET150-description: Get an overview of managing mobile shared and BYOD devices for frontline workers in your organization. +description: Get an overview of managing mobile shared and BYOD devices for frontline workers in your organization. Use the information and considerations in this article to help plan your frontline device deployment. - m365-frontline - highpri-# Manage devices for frontline workers --Across every industry, frontline workers make up a large segment of the workforce. Frontline worker roles include retail associates, factory workers, field and service technicians, healthcare personnel, and many more. +# Frontline device management overview ## Overview +Across every industry, frontline workers make up a large segment of the workforce. Frontline worker roles include retail associates, factory workers, field and service technicians, healthcare personnel, and many more. + Because the workforce is largely mobile and often shift-based, managing the devices that frontline workers use is a key fundamental. Some questions to consider: - Do workers use company-owned devices or their own personal devices? - Are company-owned devices shared between workers or assigned to an individual? - Do workers take devices home or leave them at the workplace? -ItΓÇÖs important to set a secure, compliant baseline to manage devices for your workforce, whether theyΓÇÖre shared devices or workersΓÇÖ own devices. This article gives you an overview of common frontline worker device scenarios and management capabilities to help empower your workforce while safeguarding company data. 
+ItΓÇÖs important to set a secure, compliant baseline to manage devices for your workforce, whether theyΓÇÖre shared devices or workersΓÇÖ own devices. -## Device types +This article gives you an overview of common frontline worker device scenarios and management capabilities to help empower your workforce while safeguarding company data. Use the information and considerations to help plan your frontline device deployment. -Shared, bring-your-own, and kiosk devices are the most common device types used by frontline workers. +## Device deployment -|Device type|Description|Why to use|Deployment considerations| -|--|--|-|--| -|Shared devices |Devices are owned and managed by your organization. Employees access devices while at work. |Worker productivity and customer experience are a top priority. <br><br> Workers can't access organization resources while not at work. <br><br> Local laws may prevent personal devices from being used for business purposes. |Sign in/out can add friction to worker experience. <br><br> Potential for inadvertent sharing of sensitive data. | -|Bring-your-own devices (BYOD) |Personal devices are owned by the user and managed by your organization. |Your existing mobile device management (MDM) solution prevents your organization from adopting a shared devices model. <br><br>Shared devices or dedicated devices may be impractical from a cost or business-readiness perspective. |Support complexity may not be feasible in field locations. <br><br> Personal devices vary in OS, storage, and connectivity. <br><br> Some workers may not have reliable access to a personal mobile device. <br><br> You could incur potential liability for wages if workers access resources while not clocked in. <br><br> Personal device use may be against union rules or government regulations. | -|Kiosk devices |Devices are owned and managed by your organization. Users don't need to sign in or out. |Device has a dedicated purpose. 
<br><br> Use case doesn't require user authentication.|Collaboration, communication, task, and workflow applications need a user identity to function. <br><br> Not possible to audit user activity. <br><br> Unable to use some security capabilities including multifactor authentication. | +A key step in planning is to determine how youΓÇÖll deploy mobile devices to your frontline and the operating systems to support. Make these decisions up front so that you can evaluate the feasibility of your implementation plan and IT infrastructure with these factors in mind. -Shared devices and BYOD are commonly adopted in frontline deployments. You can use capabilities discussed in subsequent sections of this article may resolve or mitigate your organizationΓÇÖs concerns over user experience, unauthorized worker access to data, and resources and ability to deploy and manage devices at scale. +### Deployment models -> [!NOTE] -> Kiosk device deployments arenΓÇÖt recommended because they donΓÇÖt allow user auditing and user-based security capabilities like multifactor authentication. [Learn more about kiosk devices](/windows/configuration/kiosk-methods). +Shared devices and bring-your-own-device (BYOD) are the most commonly adopted device types used in frontline organizations. The following table lists these deployment models, along with others, and related considerations. -### Shared devices --Many frontline workers use shared mobile devices to do work. Shared devices are company-owned devices that are shared between employees across tasks, shifts, or locations. --HereΓÇÖs an example of a typical scenario. An organization has a pool of devices in charging cradles to be shared across all employees. At the start of a shift, an employee picks up a device from the pool, and signs in to Teams and other business apps essential to their role. At the end of their shift, they sign out and return the device to the pool. 
Even within the same shift, a worker might return a device when they finish a task or clock out for lunch, and then pick up a different one when they clock back in. --Shared devices present unique security challenges. For example, employees may have access to company or customer data that shouldnΓÇÖt be available to others on the same device. +|Device type|Description|Why use|Deployment considerations| +|--|--|-|--| +|Shared devices |Devices owned and managed by your organization.<br><br>Employees access devices while at work. |Worker productivity and customer experience are a top priority. <br><br> Workers can't access organizational resources when not at work. <br><br>Local laws might prevent personal devices from being used for business purposes.|Define how your frontline sign in and out of the device.<br><br>Consider using Microsoft Entra Conditional Access policies to secure shared devices when multifactor authentication (MFA) isn't an option.| +|Bring-your-own device (BYOD) |Personal devices owned by the user and managed by your organization. |You want to give employees a convenient way to check shift schedules, chat with colleagues about shift swaps, or access HR resources like their paystub. <br><br>Shared devices or dedicated devices might be impractical from a cost or business-readiness perspective. |Personal devices vary in operating system, storage, and connectivity.<br><br>Personal device use might be against union rules or government regulations.<br><br>Some workers might not have reliable access to a personal mobile device. | +|Dedicated devices<sup>1</sup>|Devices owned and managed by your organization and issued to a single user.|Worker requires a dedicated phone number to receive calls and texts.<br><br>Organization requires full control over the device and how employees use it.|Cost of dedicated hardware.<br><br>Added effort for rollout and support complexity might not be feasible in field locations. 
| +|Kiosk devices<sup>2</sup> |Devices owned and managed by your organization. Users don't need to sign in or out. |Device has a dedicated purpose. <br><br> Use case doesn't require user authentication.|Collaboration, communication, task, and workflow apps need a user identity to function. <br><br>Not possible to audit user activity. <br><br>Unable to use some security capabilities including MFA. | -### Personal devices (BYOD) +<sup>1</sup>Dedicated devices are uncommon in frontline deployments primarily due to high cost and effort to manage in the context of high staff turnover.<br> +<sup>2</sup>Kiosk device deployments arenΓÇÖt recommended because they donΓÇÖt allow user auditing and user-based security capabilities like multifactor authentication. [Learn more about kiosk devices](/windows/configuration/assigned-access). -Some organizations use a bring-your-own-device (BYOD) model where frontline workers use their own mobile devices to access Teams and other business apps. Here's an overview of some ways to manage access and compliance on personal devices. +We focus on shared devices and BYOD as these are the deployment models that fit the practical needs of most frontline deployments. Read on for an overview of planning considerations and management capabilities. ### Device operating system -The deployment model you select will partly determine the device operating systems you support. For example, if you implement a BYOD model, youΓÇÖll need to support both Android and iOS devices. If you implement a shared devices model, the device OS you choose will determine the capabilities available. For example, Windows devices natively support the ability to store multiple user profiles for automated sign-on and easy authentication with Windows Hello. With Android and iOS, more steps and pre-requisites apply. +The deployment model you choose partly determines the device operating systems you support. 
For example: ++- If you implement a shared devices model, the device operating system you choose determines the capabilities available. For example, Windows devices natively support the ability to store multiple user profiles for automated sign in and easy authentication with Windows Hello. With Android and iOS, more steps and prerequisites apply. +- If you implement a BYOD model, youΓÇÖll need to support both Android and iOS devices. |Device OS|Considerations| ||--|-|Windows |Native support for storing multiple user profiles on the device. <br> Supports Windows Hello for passwordless authentication. <br> Simplified deployment and management capabilities when used with Microsoft Intune. | -|Android |[Limited native capabilities](https://source.android.com/docs/devices/admin/multi-user) for storing multiple user profiles on devices. <br> Android devices can be enrolled in shared device mode to automate single sign-on and sign out. <br> Robust management of controls and APIs. <br> Existing ecosystem of devices built for frontline use. | -|iOS and iPadOS |iOS devices can be enrolled in shared device mode to automate single sign-on and sign out. <br> Storing multiple user profiles on iPadOS devices is possible with Shared iPad for Business. Conditional access isn't available with Shared iPad for Business because of the way Apple partitions user profiles. | --In a shared devices deployment, the ability to store multiple user profiles on a device to simplify user sign on and the ability to clear app data from the previous user (single sign out) are practical requirements for frontline deployments. These capabilities are native on Windows devices and iPads using Shared iPad for Business. --## User identity --Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for delivering and securing all applications and resources. Users must have an identity that exists in Microsoft Entra ID to access Microsoft 365 cloud applications. 
--If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, youΓÇÖll need to federate these identities to Microsoft Entra ID. [Learn how to integrate your third-party service with Microsoft Entra ID](flw-setup-microsoft-365.md#provision-users). --The possible implementation patterns for managing frontline identities include: +|Android |[Limited native capabilities](https://source.android.com/docs/devices/admin/multi-user) for storing multiple user profiles on devices. <br> Android devices can be enrolled in shared device mode to automate single sign-on and sign out, and targeting Conditional Access policies. <br>Robust management of controls and APIs. <br>Existing ecosystem of devices built for frontline use. | +|iOS and iPadOS |iOS devices can be enrolled in shared device mode to automate single sign-on and sign out. <br> Storing multiple user profiles on iPadOS devices is possible with Shared iPad for Business.| +|Windows |Native support for storing multiple user profiles on the device. <br>Supports Windows Hello for passwordless authentication.<br> Simplified deployment and management capabilities when used with Microsoft Intune. | -- **Microsoft Entra standalone:** Your organization creates and manages user, device, and application identities in Microsoft Entra ID as a standalone identity solution for your frontline workloads. This implementation pattern is recommended as it simplifies your frontline deployment architecture and maximizes performance during user sign-on.-- **Active Directory Domain Services (AD DS) integration with Microsoft Entra ID:** Microsoft provides Microsoft Entra Connect to join these two environments. Microsoft Entra Connect replicates AD user accounts to Microsoft Entra ID, allowing a user to have a single identity capable of accessing both local and cloud-based resources. 
Although both AD DS and Microsoft Entra ID can exist as independent directory environments, you can choose to create hybrid directories.-- **Third-party identity solution sync with Microsoft Entra ID:** Microsoft Entra ID supports integration with third-party identity providers such as Okta and Ping Identity through federation. [Learn more about using third-party identity providers](flw-setup-microsoft-365.md#provision-users).+## Device landscape -### HR-driven user provisioning +When you're planning your device deployment, there are considerations across multiple surface areas. This section describes the landscape and terms to be familiar with. -Automating user provisioning is a practical need for organizations that want frontline employees to be able to access applications and resources on day one. From a security perspective, itΓÇÖs also important to automate deprovisioning during employee offboarding to ensure that previous employees donΓÇÖt retain access to company resources. +### Mobile device management -Microsoft Entra user provisioning service integrates with cloud-based and on-premises HR applications, such as Workday and SAP SuccessFactors. You can configure the service to automate user provisioning and deprovisioning when an employee is created or disabled in the HR system. +Mobile device management (MDM) solutions, such as Microsoft Intune, simplify deployment, management, and monitoring of devices. -### My Staff +A device can only be enrolled in one MDM solution, but you can use multiple MDM solutions to manage separate pools of devices. For example, you could use VMware Workspace ONE or SOTI MobiControl for shared devices and Intune for BYOD. If you use multiple MDM solutions, keep in mind that some users might not be able to access shared devices because of a mismatch in +Conditional Access policies or mobile application management (MAM) policies. 
-With the [My Staff](/azure/active-directory/roles/my-staff-configure) feature in Microsoft Entra ID, you can delegate common user management tasks to frontline managers through the My Staff portal. Frontline managers can perform password resets or manage phone numbers for frontline workers directly from the store or factory floor, without having to route the requests to helpdesk, operations, or IT. +If youΓÇÖre using a third-party MDM solution, you can integrate with [Intune partner compliance](/mem/intune/protect/device-compliance-partners) to take advantage of Conditional Access for devices managed by third-party MDM solutions. -My Staff also enables frontline managers to register their team members' phone numbers for SMS sign-in. If [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin) is enabled in your organization, frontline workers can sign in to Teams and other apps using only their phone numbers and a one-time passcode sent via SMS. This makes signing in for frontline workers simple, secure, and fast. +### App launchers for Android devices -## Mobile device management +An app launcher is an app that lets you provide a focused experience for your frontline with a customized launch screen, such as apps, wallpaper, and icon positions. You can show only the relevant apps that your frontline workers need to use and widgets that highlight key information. -Mobile device management (MDM) solutions can simplify deployment, management and monitoring of devices. Microsoft Intune natively supports features important for deploying shared devices to frontline workers. These capabilities include: +Most MDM solutions provide their own app launcher. For example, Microsoft Intune provides Managed Home Screen. You can also build your own custom launcher. -- **Zero-touch provisioning:** IT admins can enroll and pre-configure mobile devices without physical custody of the devices (for manual configuration). 
This capability is useful when deploying shared devices at scale to field locations because devices can be shipped directly to the intended frontline location where automated configuration and provisioning steps can be completed remotely.-- **Single sign-out:** Stops background processes and automates user sign out across all applications and resources assigned to the previous user when a new user signs in. Android and iOS devices must be enrolled in shared device mode to use single sign out.-- **Microsoft Entra Conditional Access:** IT admins can implement automated access control decisions for cloud-based applications and resources through identity-driven signals. For example, itΓÇÖs possible to prevent access by a shared or BYOD device that doesnΓÇÖt have the latest security updates installed. [Learn more about how to secure your deployment](flw-setup-microsoft-365.md#step-6-configure-security).+The following table lists some of the most common app launchers available today for Android devices by Microsoft and third-party developers. -If youΓÇÖre using a third-party MDM solution for your shared devices deployment, such as VMwareΓÇÖs Workspace ONE or SOTI MobiControl, itΓÇÖs important to understand the associated capabilities, limitations and available workarounds. +|App launcher |Capabilities| +|-|| +|Managed Home Screen |Use Managed Home Screen when you want your users to have access to a specific set of apps on your Intune-enrolled dedicated devices. Because Managed Home Screen can be automatically launched as the default home screen on the device and appears to the user as the only home screen, itΓÇÖs useful in shared devices scenarios when a locked-down experience is required. [Learn more](/mem/intune/apps/app-configuration-managed-home-screen-app).| +|VMware Workspace ONE Launcher |If youΓÇÖre using VMware, the Workspace ONE Launcher is the best tool to curate a set of apps that your frontline needs to access. 
VMware Workspace ONE Launcher doesnΓÇÖt currently support shared device mode for global sign and global sign out from the launcher. Therefore, frontline workers need to sign in and sign out of Teams upon each use. [Learn more](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2306/Launcher_Publication/GUID-AWLAUNCHERINTRO.html).| +|SOTI|If youΓÇÖre using SOTI, the SOTI app launcher is the best tool to curate a set of apps that your frontline needs to access. The SOTI app launcher supports shared device mode today.| +|BlueFletch|[BlueFletch Launcher](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/bluefletch-launcher) can be used on devices, regardless of your MDM solution. BlueFletch supports shared device mode today. [Learn more](https://soti.net/mc/help/v2024.0/en/console/system/microsoft_365_integration/change_device_reg_to_shared_mode_in_azure.html). | +|Custom app launcher |If you want a fully customized experience, you can build out your own custom app launcher. You can integrate your launcher with shared device mode so that your users only need to sign in and out once. | -Some third-party MDMs can clear app data when a global sign out occurs on an Android device. However, app data clearing can miss data that is stored in a shared location, delete app settings, or cause first-run experiences to reappear. Android devices enrolled in shared device mode can selectively clear the necessary application data during device check-in or when the new user logs in to the device. [Learn more about authentication in shared device mode](#authentication). +### Identity management -You can manually configure shared device mode in third-party MDM solutions for iOS and Android devices, however, manual configuration steps donΓÇÖt mark the device compliant in Microsoft Entra ID, which means conditional access isnΓÇÖt supported in this scenario. 
If you choose to manually configure devices in shared device mode, youΓÇÖll need to take additional steps to re-enroll Android devices in shared device mode with zero-touch provisioning to get conditional access support when third-party MDM support is available by uninstalling and reinstalling Authenticator from the device. +Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for delivering and securing all apps and resources. Users must have an identity that exists in Microsoft Entra ID to access Microsoft 365 apps. -A device can only be enrolled in one MDM solution, but you can use multiple MDM solutions to manage separate pools of devices. For example, you could use Workspace ONE for shared devices and Intune for BYOD. If you use multiple MDM solutions, keep in mind that some users may not be able to access shared devices because of a mismatch in conditional access policies. +If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, youΓÇÖll need to federate these identities to Microsoft Entra ID. [Learn how to integrate your third-party service with Microsoft Entra ID](flw-setup-microsoft-365.md#provision-users). -|MDM solution |Single sign out|Zero touch provisioning|Microsoft Entra Conditional Access| -|-||--|| -|Intune (Microsoft) |Supported for Android and iOS devices enrolled in shared device mode |Supported for Android and iOS devices enrolled in shared device mode |Supported for Android and iOS devices enrolled in shared device mode | -|Workspace ONE (VMware) |Supported with [Clear Android app data](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/iOS_Platform/GUID-SharedDevicesOverview.html) capabilities. Unavailable for iOS |Currently unavailable for Android and iOS. |Currently unavailable for Android and iOS. 
| -|MobiControl (SOTI) |Supported with [Wipe program data](https://www.soti.net/mc/help/v14.4/en/console/applications/wipe_app_data.html) capabilities. Unavailable for iOS. |Currently unavailable for Android and iOS. |Currently unavailable for Android and iOS. | +The possible implementation patterns for managing frontline identities include: -Windows devices enrolled in Intune support single sign out, zero touch provisioning, and Microsoft Entra Conditional Access. You donΓÇÖt need to configure shared device mode on Windows devices. +- **Microsoft Entra standalone:** Your organization creates and manages user, device, and app identities in Microsoft Entra ID as a standalone identity solution for your frontline workloads. This implementation pattern is recommended as it simplifies your frontline deployment architecture and maximizes performance during user sign in. +- **Active Directory Domain Services (AD DS) integration with Microsoft Entra ID:** Microsoft provides Microsoft Entra Connect to join these two environments. Microsoft Entra Connect replicates Active Directory user accounts to Microsoft Entra ID, allowing a user to have a single identity capable of accessing both local and cloud-based resources. Although both AD DS and Microsoft Entra ID can exist as independent directory environments, you can choose to create hybrid directories. +- **Third-party identity solution sync with Microsoft Entra ID:** Microsoft Entra ID supports integration with third-party identity providers such as Okta and Ping Identity through federation. [Learn more about using third-party identity providers](flw-setup-microsoft-365.md#provision-users). -Intune is recommended for BYOD scenarios because it provides the best support and functionality out-of-the-box across device types. 
+#### HR-driven user provisioning -### Enroll Android and iOS personal devices +Automating user provisioning is a practical need for organizations that want frontline employees to be able to access apps and resources on day one. From a security perspective, itΓÇÖs also important to automate deprovisioning during employee offboarding to ensure that previous employees donΓÇÖt retain access to company resources. -In addition to your company-owned devices, you can [enroll](/mem/intune/enrollment/device-enrollment) users' personally owned devices into management in Intune. For BYOD enrollment, you add device users in the Microsoft Intune admin center, configure their enrollment experience, and set up Intune policies. Users complete enrollment themselves in the Intune Company Portal app that's installed on their device. +Microsoft Entra user provisioning service integrates with cloud-based and on-premises HR apps, such as Workday and SAP SuccessFactors. You can configure the service to automate user provisioning and deprovisioning when an employee is created or disabled in the HR system. -In some cases, users may be reluctant to enroll their personal devices into management. If device enrollment isn't an option, you can choose a mobile application management (MAM) approach and use [app protection policies](/mem/intune/apps/app-protection-policies) to manage apps that contain corporate data. For example, you can apply app protection policies to Teams and Office mobile apps to prevent company data from being copied to personal apps on the device. +To learn more, see: -To learn more, see ["Personal devices vs Organization-owned devices" in the Intune planning guide](/mem/intune/fundamentals/intune-planning-guide#personal-devices-vs-organization-owned-devices) and [Deployment guidance: Enroll devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment). 
+- [What is HR-driven provisioning with Microsoft Entra ID?](/entra/identity/app-provisioning/what-is-hr-driven-provisioning) +- [Plan an automatic user provisioning deployment for Microsoft Entra ID](/entra/identity/app-provisioning/plan-auto-user-provisioning) -## Authentication +#### Delegate user management with My Staff -Authentication features control who or what uses an account to gain access to applications, data, and resources. Organizations deploying shared devices to frontline workers need authentication controls that donΓÇÖt impede worker productivity while preventing unauthorized or unintended access to applications and data when devices are transferred between authenticated users. +With the [My Staff](/entra/identity/role-based-access-control/my-staff-configure) feature in Microsoft Entra ID, you can delegate common user management tasks to frontline managers through the My Staff portal. Frontline managers can perform password resets or manage phone numbers for frontline workers directly from the store or factory floor, without having to route the requests to helpdesk, operations, or IT. -MicrosoftΓÇÖs frontline solution is delivered from the cloud and utilizes Microsoft Entra ID as the underlying identity service for securing Microsoft 365 applications and resources. These authentication features in Microsoft Entra ID address the unique considerations for shared devices deployments: automatic single sign-on, single sign out, and other strong authentication methods. +My Staff also enables frontline managers to register their team members' phone numbers for SMS sign-in. If [SMS-based authentication](/entra/identity/authentication/howto-authentication-sms-signin) is enabled in your organization, frontline workers can sign in to Teams and other apps using only their phone numbers and a one-time passcode sent via SMS. This makes signing in for frontline workers simple and fast. 
### Shared device mode -[Shared device mode](/azure/active-directory/develop/msal-shared-devices) is a feature of Microsoft Entra ID that enables you to configure devices to be shared by employees. This feature enables single sign-on (SSO) and device-wide sign out for Microsoft Teams and all other apps that support shared device mode. You can integrate this capability into your line-of-business (LOB) apps using the Microsoft Authentication Library (MSAL). Once a device is in shared device mode, applications that leverage Microsoft Authentication Library (MSAL) can detect that theyΓÇÖre running on a shared device and determine who the current active user is. With this information, applications can accomplish these authentication controls: --- **Automatic single sign-on:** If a user has already signed into another MSAL application, the user will be logged into any application compatible with Shared Device Mode. This is an improvement to the previous single sign-on experience because it further reduces the time it takes to access applications after signing into the first application by removing the need for a user to select a previously signed in account.-- **Single sign-out:** Once a user signs out of an app using MSAL, all other applications integrated with shared device mode can stop background processes and commence sign out data clearing processes to prevent unauthorized or unintended access by the next user.--Here's how shared device mode works, using Teams as an example. When an employee signs in to Teams at the start of their shift, theyΓÇÖre automatically signed in to all other apps that support shared device mode on the device. At the end of their shift, when they sign out of Teams, they're signed out globally from all other apps that support shared device mode. After sign out, the employee's data and company data in Teams (including apps hosted within it) and in all other apps that support shared device mode can no longer be accessed. 
The device is ready for the next employee and can be safely handed off. --Shared device mode is an improvement to the app data clear functionality for Android because it allows application developers to selectively clear personal user data without impacting app settings or cached data. With shared device mode, the flags that allow an application to remember if a first run experience is shown aren't deleted so users donΓÇÖt see a first run experience every time they sign-on. --Shared device mode also allows a device to be enrolled into Microsoft Entra ID once for all users so that you can easily create profiles that secure app and data usage on the shared device. This allows you to support conditional access without having to re-enroll the device every time a new user authenticates into the device. --You use a mobile device management (MDM) solution like Microsoft Intune or Microsoft Configuration Manager to prepare a device to be shared by installing the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and turning on shared mode. Teams and all other apps that support shared device mode use the shared mode setting to manage users on the device. The MDM solution you use should also perform a device cleanup when sign out occurs. --> [!NOTE] -> Shared device mode isnΓÇÖt a full data loss prevention solution. Shared device mode should be used in conjunction with Microsoft Application Manager (MAM) policies to ensure that data doesnΓÇÖt leak to areas of the device that arenΓÇÖt leveraging shared device mode (e.g., local file storage). --#### Prerequisites and considerations --YouΓÇÖll need to meet the following prerequisites to use shared device mode. 
--- The device must first have Microsoft Authenticator installed.-- The device must be enrolled in shared device mode.-- All the applications that need these benefits need to integrate with the shared device mode APIs in MSAL.+With the [shared device mode](/entra/identity-platform/msal-shared-devices) feature of Microsoft Entra ID, you can configure devices to be shared by employees. This feature enables single sign-on (SSO) and device-wide sign out for Teams and all other apps that support shared device mode. -MAM policies are required to prevent data from moving from shared device mode enabled applications to non-shared device mode enabled applications. +Here's how shared device mode works, using Teams as an example. When an employee signs in to Teams at the start of their shift, theyΓÇÖre automatically signed in to all other apps that support shared device mode on the device. When they sign out of Teams at the end of their shift, they're signed out from all other apps that support shared device mode. After sign out, the employee's data and company data in Teams and in all other apps that support shared device mode can no longer be accessed. The device is ready for the next employee to use. -Currently, zero-touch provisioning of shared device mode is only available with Intune. If youΓÇÖre using a third-party MDM solution, devices must be enrolled in shared device mode using the [manual configuration steps](/azure/active-directory/develop/tutorial-v2-shared-device-mode#set-up-an-android-device-in-shared-mode). +You can integrate this capability into your line-of-business (LOB) apps using the [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). -> [!NOTE] -> Conditional access isnΓÇÖt fully supported for devices that are configured manually. +### Authentication -Some Microsoft 365 applications donΓÇÖt currently support shared device mode. The table below summarizes what is available. 
If the application you need lacks shared device mode integration, itΓÇÖs recommended that you run a web-based version of your application in either Microsoft Teams or Microsoft Edge to get the benefits of shared device mode. +Authentication features control who or what uses an account to gain access to applications, data, and resources. -Shared device mode is currently supported on Android devices. Here's some resources to help you get started. +As previously mentioned, Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for securing Microsoft 365 apps and resources. To learn more about authentication in Microsoft Entra ID, see [What is Microsoft Entra authentication?](/entra/identity/authentication/overview-authentication) and [What authentication and verification methods are available in Microsoft Entra ID?](/entra/identity/authentication/concept-authentication-methods). -#### Enroll Android devices into shared device mode +#### Multifactor authentication -To manage and enroll Android devices into shared device mode using Intune, devices must be running Android OS version 8.0 or later, and have Google Mobile Services (GMS) connectivity. To learn more, see: +[Microsoft Entra multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks) works by requiring two or more of the following authentication methods at sign in: -- [Set up Intune enrollment for Android Enterprise dedicated devices](/mem/intune/enrollment/android-kiosk-enroll)-- [Enroll Android Enterprise dedicated devices into Microsoft Entra shared device mode](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093)+- Something the user knows, typically a password. +- Something the user has, such as a trusted device that's not easily duplicated, like a phone or hardware key. +- Something the user is - biometrics like a fingerprint or face scan. 
-You can also choose to deploy the Microsoft Managed Home Screen app to tailor the experience for users on their Intune-enrolled Android dedicated devices. Managed Home Screen acts as a launcher for other approved apps to run on top of it, and lets you customize devices and restrict what employees can access. For example, you can define how apps appear on the home screen, add your company logo, set custom wallpaper, and allow employees to set a session PIN. You can even configure sign out to happen automatically after a specified period of inactivity. To learn more, see: +MFA supports several forms of verification methods, including the Microsoft Authenticator app, FIDO2 keys, SMS, and voice calls. -- [Configure the Microsoft Managed Home Screen app for Android Enterprise](/mem/intune/apps/app-configuration-managed-home-screen-app)-- [How to set up Microsoft Managed Home Screen on dedicated devices in multi-app kiosk mode](https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-managed-home-screen-on-dedicated-devices/ba-p/1388060)+MFA provides a high level of security for apps and data but adds friction to user sign in. For organizations that choose BYOD deployments, MFA might or might not be a practical option. It's highly recommended that business and technical teams validate the user experience with MFA before a broad rollout so that the user impact can be properly considered in change management and readiness efforts. -#### For developers creating apps for shared device mode +If MFA isn't feasible for your organization or deployment model, you should plan to use robust Conditional Access policies to reduce security risk. 
-If you're a developer, see the following resources for more information about how to integrate your app with shared device mode: --- [Shared device mode for Android devices](/azure/active-directory/develop/msal-android-shared-devices)-- [Shared device mode for iOS devices](/azure/active-directory/develop/msal-ios-shared-devices)--### Multifactor authentication --Microsoft Entra ID supports several forms of multifactor authentication with the Authenticator app, FIDO2 keys, SMS, voice calls, and more. --Due to higher cost and legal restrictions, the most secure authentication methods may not be practical for many organizations. For example, FIDO2 security keys are typically considered too expensive, biometric tools like Windows Hello may run against existing regulations or union rules, and SMS sign in may not be possible if frontline workers arenΓÇÖt permitted to bring their personal devices to work. --multifactor authentication provides a high level of security for applications and data but adds ongoing friction to user sign-on. For organizations that choose BYOD deployments, multifactor authentication may or may not be a practical option. It's highly recommended that business and technical teams validate the user experience with multifactor authentication before broad rollout so that the user impact can be properly considered in change management and readiness efforts. +#### Passwordless authentication -If multifactor authentication isn't feasible for your organization or deployment model, you should plan to leverage robust conditional access policies to reduce security risk. +To further simplify access for your frontline workforce, you can use passwordless authentication methods so that workers donΓÇÖt need to remember or enter their passwords. Passwordless authentication methods remove the use of a password at sign-in and replaces it with: -#### Passwordless authentication +- Something the user has, like a phone or security key. 
+- Something the user is or knows, like biometrics or a PIN. -To further simplify access for your frontline workforce, you can leverage passwordless authentication methods so that workers donΓÇÖt need to remember or type in their passwords. Passwordless authentication methods are also typically more secure, and many can satisfy MFA requirements if necessary. +Passwordless authentication methods are also typically more secure, and many can satisfy MFA requirements if necessary. -Before proceeding with a passwordless authentication method, youΓÇÖll need to determine if it can work in your existing environment. Considerations like cost, OS support, personal device requirement, and MFA support can impact whether an authentication method would work for your needs. For example, FIDO2 security keys are currently considered too expensive, and SMS and Authenticator sign in may not be possible if frontline workers aren't permitted to bring their personal devices to work. +Before proceeding with a passwordless authentication method, determine whether it can work in your existing environment. Considerations like cost, OS support, personal device requirement, and MFA support, can affect whether an authentication method would work for your needs. -Refer to the table to assess passwordless authentication methods for your frontline scenario. +See the following table to assess passwordless authentication methods for your frontline scenario. 
-|Method|OS support|Requires personal device|Supports multifactor authentication | -||-||-| +|Method|OS support|Requires personal device|Supports MFA| +||-|-|-| +|Microsoft Authenticator |All |Yes |Yes | |SMS sign in |Android and iOS |Yes |No | |Windows Hello |Windows |No |Yes |-|Microsoft Authenticator |All |Yes |Yes | -|FIDO2 Key |Windows |No |Yes | +|FIDO2 key |Windows |No |Yes | -If you're deploying with shared devices and the previous passwordless options aren't feasible, you can opt to disable strong password requirements so that users can provide simpler passwords while logging into managed devices. If you choose to disable strong password requirements, you should consider adding these strategies to your implementation plan. +To learn more, see [Passwordless authentication options for Microsoft Entra ID](/entra/identity/authentication/concept-authentication-passwordless) and [Configure and enable users for SMS-based authentication using Microsoft Entra ID](/entra/identity/authentication/howto-authentication-sms-signin). -- Only disable strong password requirements for users of shared devices.-- Create a conditional access policy that prevents these users from logging into non-shared devices on non-trusted networks.+### Authorization -## Authorization +Authorization features control what an authenticated user can do or access. In Microsoft 365, this is achieved through a combination of Microsoft Entra Conditional Access policies and app protection policies. -Authorization features control what an authenticated user can do or access. In Microsoft 365, this is achieved through a combination of Microsoft Entra Conditional Access policies and application protection policies. +Implementing robust authorization controls is a critical component of securing a frontline shared devices deployment, particularly if it isnΓÇÖt possible to implement strong authentication methods like MFA for cost or practicality reasons. 
-Implementing robust authorization controls is a critical component of securing a frontline shared devices deployment, particularly if it isn't possible to implement strong authentication methods like multifactor authentication (MFA) for cost or practicality reasons. +#### Microsoft Entra Conditional Access -<a name='azure-ad-conditional-access'></a> --### Microsoft Entra Conditional Access --With conditional access, you can create rules that limit access based on the following signals: +With Conditional Access, you can create rules that limit access based on the following signals: - User or group membership - IP location information - Device (only available if the device is enrolled in Microsoft Entra ID)-- Application+- App - Real-time and calculated risk detection -Conditional access policies can be used to block access when a user is on a non-compliant device or while theyΓÇÖre on an untrusted network. For example, you may want to use conditional access to prevent users from accessing an inventory application when they arenΓÇÖt on the work network or are using an unmanaged device, depending on your organizationΓÇÖs analysis of applicable laws. --For BYOD scenarios where it makes sense to access data outside of work, such as HR-related information or non-business-related applications, you may choose to implement more permissive conditional access policies alongside strong authentication methods like multifactor authentication. 
--Conditional access is supported for: --- Shared Windows devices managed in Intune.-- Shared Android and iOS devices enrolled in shared device mode with zero-touch provisioning.-- BYOD for Windows, Android, and iOS managed with Intune or third-party MDM solutions.--Conditional access **not** supported for: --- Devices manually configured with shared device mode, including Android and iOS devices managed with third-party MDM solutions.-- iPad devices that use Shared iPad for Business.--> [!NOTE] -> Conditional access for Android devices managed with select third-party MDM solutions is coming soon. +Conditional Access policies can be used to block access when a user is on a noncompliant device or while theyΓÇÖre on an untrusted network. For example, you might want to use Conditional Access to prevent users from accessing an inventory app when they arenΓÇÖt on the work network or are using an unmanaged device, depending on your organizationΓÇÖs analysis of applicable laws. -For more information on conditional access, see the [Microsoft Entra Conditional Access documentation](/azure/active-directory/conditional-access/). +For BYOD scenarios where it makes sense to access data outside of work, such as HR-related information, shift management, chat about swapping shifts, or non-business-related apps, you might choose to implement more permissive Conditional Access policies alongside strong authentication methods like MFA. -### App protection policies +To learn more, see the [Microsoft Entra Conditional Access documentation](/entra/identity/conditional-access). -With MAM from Intune, you can use app protection policies (APP) with applications that have integrated with IntuneΓÇÖs [APP SDK](/mem/intune/developer/app-sdk-get-started). This allows you to further protect your organization's data within an application. 
+#### App protection policies -With app protection policies you can add access control safeguards, such as: +With mobile application management (MAM) from Intune, you can use [app protection policies](/mem/intune/apps/app-protection-policy) with apps that are integrated with the Intune [App SDK](/mem/intune/developer/app-sdk-get-started). This allows you to further protect your organizationΓÇÖs data within an app. -- Require a PIN to open an app in a work context.-- Control the sharing of data between applications-- Prevent the saving of company app data to a personal storage location-- Ensure the deviceΓÇÖs operating system is up to date+With app protection policies, you can add access control safeguards, such as: -You can also use APPs to ensure that data doesnΓÇÖt leak to applications that don't support shared device mode. To prevent data loss, the following APPs must be enabled on shared devices: +- Control the sharing of data between apps. +- Prevent the saving of company app data to a personal storage location. +- Ensure the deviceΓÇÖs operating system is up to date. -- Disable copy/paste to non-shared device mode enabled applications.-- Disable local file saving.-- Disable data transfer capabilities to non-shared device mode enabled applications.--APPs are helpful in BYOD scenarios because they allow you to protect your data at the app level without having to manage the entire device. This is important in scenarios where employees may have a device managed by another tenant (for example, a university or another employer) and can't be managed by another company. --## Application management --Your deployment plan should include an inventory and assessment of the applications that frontline workers will need to do their jobs. This section covers considerations and necessary steps to ensure that users have access to required applications and that the experience is optimized in the context of your frontline implementation. 
--For the purposes of this assessment, applications are categorized in three groups: --- **Microsoft applications** are built and supported by Microsoft. Microsoft applications support Microsoft Entra ID and integrate with IntuneΓÇÖs APP SDK. However, not all Microsoft applications are supported with shared device mode. [See a list of supported applications and availability.](authentication bookmark)-- **Third-party applications** are built and sold commercially by a third-party provider. Some applications donΓÇÖt support Microsoft Entra ID, IntuneΓÇÖs APP SDK, or shared device mode. Work with the application provider and your Microsoft account team to confirm what the user experience will be.-- **Custom line-of-business applications** are developed by your organization to address internal business needs. If you build applications using Power Apps, your app will automatically be enabled with Microsoft Entra ID, Intune, and shared device mode.--The applications that frontline users access meet these requirements (as applicable) for global single-in and single sign out to be enabled. --- **Integrate custom and third-party applications with [MSAL](/azure/active-directory/develop/msal-overview):** Users can authenticate into your applications using Microsoft Entra ID, enable SSO, and conditional access policies can be applied.-- **Integrate applications with shared device mode (applies only to Android or iOS shared devices):** Applications can use the necessary shared device mode APIs in MSAL to perform automatic single sign-on and single sign out. Appropriately using these APIs allows you to integrate with shared device mode. This isnΓÇÖt necessary if youΓÇÖre running your application in Teams, Microsoft Edge, or PowerApps.-- **Integrate with IntuneΓÇÖs APP SDK (applies only to Android or iOS shared devices):** Applications can be managed in Intune to prevent unintended or unauthorized data exposure. 
This isnΓÇÖt necessary if your MDM performs app data clears that wipe any sensitive data during device check-in flows (single sign out).--Once youΓÇÖve successfully validated your applications, you can deploy them to managed devices using your MDM solution. This allows you to preinstall all the necessary applications during device enrollment so that users have everything they need on day one. --### App launchers for Android devices --On Android devices, the best way of providing a focused experience as soon as an employee opens a device is to provide a customized launch screen. With a customized launch screen, you can show only the relevant applications an employee needs to use and widgets that highlight key information. --Most MDM solutions provide their own app launcher that can be used. For example, Microsoft provides Managed Home Screen. If you want to build your own custom app launcher for shared devices, youΓÇÖll need to integrate it with shared device mode so that single sign-on and single sign out works on your devices. The following table highlights some of the most common app launchers available today by Microsoft and third-party developers. --|App launcher |Capabilities| -|-|| -|Managed Home Screen |Use Managed Home Screen when you want your end users to have access to a specific set of applications on your Intune-enrolled dedicated devices. Because Managed Home Screen can be automatically launched as the default home screen on the device and appears to the end user as the only home screen, it's useful in shared devices scenarios when a locked down experience is required. | -|Microsoft Launcher |Microsoft Launcher lets users personalize their phone, stay organized on the go, and transfer work from their phone to their PC. Microsoft Launcher differs from Managed Home Screen because it allows the end user access to their standard home screen. Microsoft Launcher is therefore useful in BYOD scenarios. 
| -|VMware Workspace ONE Launcher |For customers using VMware, the Workspace ONE Launcher is he best tool to curate a set of applications that your frontline workforce needs access to. The sign out option from this launcher is also what enables Android App Data Clear for single sign out on VMware devices. VMware Workspace ONE Launcher doesn't currently support shared device mode. | -|Custom app launcher |If you want a fully customized experience, you can build out your own custom app launcher. You can integrate your launcher with shared device mode so that your users only need to sign in and out once. | +In a shared devices deployment, you can use app protection policies to ensure that data doesn't leak to apps that don't support shared device mode. In BYOD scenarios, app protection policies are helpful because they allow you to protect your data at the app level without having to manage the entire device. ## Related articles +- [Manage shared devices for your frontline](flw-shared-devices.md) - [Frontline worker management](/azure/active-directory/fundamentals/frontline-worker-management) |
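Review bot: The rewritten app protection policies list in this file's hunk drops "Require a PIN to open an app in a work context" from the safeguards while keeping the other three items, and the change does not say why; if the omission is deliberate for shared devices, add a sentence saying so, otherwise restore the item. The same hunk also replaces the concrete policies to enable on shared devices (disable copy/paste, local file saving and data transfer to apps without shared device mode) with a one-sentence summary, so the new "Manage shared devices for your frontline" entry under Related articles becomes the only route to that list; consider linking to it directly from the app protection policies paragraph rather than only from the bottom of the page.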
frontline | Flw Shared Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-shared-devices.md | + + Title: Manage shared devices for frontline workers ++++++audience: admin ++ms.localizationpriority: high +search.appverid: MET150 +description: Get an overview of managing shared devices for frontline workers in your organization. ++ - m365-frontline + - highpri + - essentials-manage +appliesto: + - Microsoft Teams + - Microsoft 365 for frontline workers Last updated : 07/12/2024+++# Manage shared devices for frontline workers ++## Overview ++Many frontline workers use shared mobile devices to do work. Shared devices are company-owned devices that are shared between employees across tasks, shifts, or locations. ++HereΓÇÖs an example of a typical scenario. An organization has a pool of devices in charging cradles to be shared across all employees. At the start of a shift, an employee picks up a device from the pool, and signs in to Microsoft Teams and other business apps essential to their role. At the end of their shift, they sign out and return the device to the pool. Even within the same shift, a worker might return a device when they finish a task or clock out for lunch, and then pick up a different one when they clock back in. ++Shared devices present unique security challenges. For example, employees might have access to company or customer data that shouldnΓÇÖt be available to others on the same device. Organizations deploying shared devices must define the sign-in and sign-out experience and implement controls to prevent unauthorized or unintended access to apps and data when devices are handed off between employees. ++This article covers capabilities and considerations for deploying and managing shared devices to help empower your frontline workforce with the devices they need to get work done. Use this guidance to help plan and manage your frontline deployment. 
++## Shared device mode ++We recommend using [shared device mode](/entra/identity-platform/msal-shared-devices) for your frontline worker shared devices, whenever possible. ++Shared device mode is a Microsoft Entra ID feature that allows organizations to configure an Android, iOS, or iPadOS device so that it can be easily shared by multiple employees. Employees can sign in once and get access to their data across all supported apps without having access to other employeesΓÇÖ data. When they finish their shift or task, they sign out once and get signed out of the device and all supported apps, making the device ready for the next employee to use. ++### Key benefits of enabling shared device mode on devices ++- **Single sign-on**: Allow users to sign in to one app that supports shared device mode once and gain seamless authentication into all other apps that support shared device mode without having to reenter credentials. Exempt users from first-run experience screens on shared devices. +- **Single sign-out**: Allow users an easy way to sign out from a device without needing to sign out individually from each app that supports shared device mode. Provide usersΓÇÖ assurances that their data isn't inappropriately shown to subsequent users, given that the apps ensure cleaning up of any cached user data and app protection policies are applied. +- **Support for enforcing security requirements using Conditional Access policies**: Provides admins with the ability to target specific Conditional Access policies on shared devices, ensuring that employees only have access to company data when their shared device meets internal compliance standards. ++### Get started with shared device mode ++You can set up devices for shared device mode manually or through your mobile device management (MDM) solution using zero-touch provisioning. To learn more, see [Overview of shared device mode](/entra/identity-platform/msal-shared-devices). 
++Developers can add support for shared device mode to your apps using the Microsoft Authentication Library (MSAL). For more information about how to integrate your apps with shared device mode, see: ++- [Shared device mode for Android devices](/entra/identity-platform/msal-android-shared-devices) +- [Tutorial: Use shared device mode in your Android application](/entra/identity-platform/tutorial-v2-shared-device-mode) +- [Shared device mode for iOS devices](/entra/msal/objc/shared-devices-ios) ++## Multifactor authentication ++[Microsoft Entra multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks) adds additional security over only using a password when a user signs in. MFA is a great way to increase security, although it might add friction to the sign-in experience for some users with the extra layer of security on top of having to remember their passwords. ++ItΓÇÖs important to validate the user experience before your rollout so you can prepare for change management and readiness efforts. ++If MFA isnΓÇÖt feasible for your organization, you should plan to implement robust Conditional Access policies to reduce security risk. Some common Conditional Access policies to apply when MFA isnΓÇÖt used on shared devices include: ++- Device compliance +- Trusted network locations +- Device is managed ++Be sure to evaluate Conditional Access policies and app protection policies you want to apply to ensure they meet the needs of your organization. ++## Domain-less sign in ++You can simplify the sign-in experience on Teams for iOS and Android by prefilling the domain name on the sign-in screen for users on shared and managed devices. ++Users sign in by entering only the first part of their user principal name (UPN). For example, if the username is 123456@contoso.com or alexw@contoso.com, users can sign in by using only "123456" or "alexw", respectively, and their password. 
Signing in to Teams is faster and easier, especially for frontline workers on shared devices, who sign in and out regularly. ++You can also enable domain-less sign in for your custom line-of business (LOB) apps. ++[Learn more about domain-less sign-in](/microsoftteams/sign-in-teams?bc=%2Fmicrosoft-365%2Ffrontline%2Fbreadcrumb%2Ftoc.json&toc=%2Fmicrosoft-365%2Ffrontline%2Ftoc.json&view=o365-worldwide#enable-domain-less-sign-in-for-your-custom-apps). ++## Conditional Access ++Use [Conditional Access](/entra/identity/conditional-access/overview) policies to apply the right controls when needed to keep your organization secure. You can create rules that limit access based on identity-driven signals that include: ++- User or group membership +- IP location information +- Device (only available if the device is enrolled in Microsoft Entra ID) +- App +- Real-time and calculated risk detection ++For example, you can use a Conditional Access policy to restrict access so that only shared devices that are marked as compliant can access your organization's apps and services. Here are some resources to help you get started: ++- [Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access) +- [Build a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies) ++## App protection policies ++With mobile application management (MAM) from Intune, you can use [app protection policies](/mem/intune/apps/app-protection-policy) to ensure that data doesnΓÇÖt leak to apps that donΓÇÖt support shared device mode. To help prevent data loss, enable the following app protection policies on shared devices: ++- Disable copy/paste to non-shared device mode enabled apps. +- Disable local file saving. +- Disable data transfer capabilities to non-shared device mode enabled apps. 
++## Automatically grant consent to apps for device features ++On a shared device, itΓÇÖs important to remove unnecessary screens that could pop up when a user accesses an app the first time. These screens can include prompts to grant the app permission to use device features, such as the microphone or camera, or access location. You can use [app configuration policies in Intune](/mem/intune/apps/app-configuration-policies-use-android#preconfigure-the-permissions-grant-state-for-apps) on Android shared devices to preconfigure app permissions to access device features. ++If you're using a third-party MDM solution, check the documentation for options available to automatically grant consent to apps to access device features. ++## Related articles ++- [Frontline device management overview](flw-devices.md) |
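Review bot: The MFA section's fallback list ("Device compliance", "Trusted network locations", "Device is managed") should state that the two device-based conditions only apply when the shared devices are enrolled, which the Conditional Access section below already notes ("Device (only available if the device is enrolled in Microsoft Entra ID)"); as written, a reader planning a password-only rollout on unenrolled shared devices could expect a device signal that will not exist. Suggest appending "(requires the device to be enrolled in Microsoft Entra ID)" to those two bullets or cross-referencing the Conditional Access section from the MFA section. Minor: the heading "Domain-less sign in" and the link text "domain-less sign-in" disagree on hyphenation, and "Developers can add support for shared device mode to your apps" mixes subjects; "to their apps" or "to your organization's apps" reads cleaner.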